| 2017-03-09 10:29:57 |
James Page |
bug |
|
|
added bug |
| 2017-03-09 10:30:10 |
James Page |
bug task added |
|
charm-cinder-ceph |
|
| 2017-03-09 10:30:16 |
James Page |
charm-cinder-ceph: importance |
Undecided |
Critical |
|
| 2017-03-09 10:30:17 |
James Page |
charm-nova-compute: importance |
Undecided |
Critical |
|
| 2017-03-09 10:30:20 |
James Page |
charm-cinder-ceph: status |
New |
Triaged |
|
| 2017-03-09 10:30:22 |
James Page |
charm-nova-compute: status |
New |
Triaged |
|
| 2017-03-09 10:30:30 |
James Page |
summary |
nova/cinder/ceph rbd integration broken on Ocata |
charms: nova/cinder/ceph rbd integration broken on Ocata |
|
| 2017-03-09 10:35:22 |
James Page |
description |
https://github.com/openstack/nova/commit/b89efa3ef611a1932df0c2d6e6f30315b5111a57 introduced a change in Ocata where any data provided by cinder for rbd block devices is preferred over any local libvirt sectional configuration for rbd (which was used in preference in the past).
As a result, its not possible to attach ceph block devices in instances in Ocata; the secret_uuid configuration is not populated in the cinder configuration file, and in any case the username on the compute units won't match the username for ceph being used on the cinder units (as compute and cinder units get different keys created) so I don't think the key created on the compute units will actually work with the username provided from cinder.
I'm not 100% convinced this is a great change in behaviour; the cinder and nova keys have much the same permissions for correct operation (rwx on images, volumes and vms groups) however it does mean that the nova-compute units have to have the same keys as the cinder units. A key disclosure/compromise on a cinder unit would require revoke and re-issue across a large number of units (as compute units at likely to be 100-1000's whereas the number of cinder units will be minimal. |
https://github.com/openstack/nova/commit/b89efa3ef611a1932df0c2d6e6f30315b5111a57 introduced a change in Ocata where any data provided by cinder for rbd block devices is preferred over any local libvirt sectional configuration for rbd (which was used in preference in the past).
As a result, its not possible to attach ceph block devices in instances in Ocata; the secret_uuid configuration is not populated in the cinder configuration file, and in any case the username on the compute units won't match the username for ceph being used on the cinder units (as compute and cinder units get different keys created) so I don't think the key created on the compute units will actually work with the username provided from cinder.
I'm not 100% convinced this is a great change in behaviour; the cinder and nova keys have much the same permissions for correct operation (rwx on images, volumes and vms groups) however it does mean that the nova-compute units have to have the same keys as the cinder units. A key disclosure/compromise on a cinder unit would require revoke and re-issue across a large number of units (as compute units are likely to be 100-1000's whereas the number of cinder units will be minimal. |
|
| 2017-03-09 10:48:18 |
James Page |
bug task added |
|
nova |
|
| 2017-03-09 11:21:22 |
James Page |
description |
https://github.com/openstack/nova/commit/b89efa3ef611a1932df0c2d6e6f30315b5111a57 introduced a change in Ocata where any data provided by cinder for rbd block devices is preferred over any local libvirt sectional configuration for rbd (which was used in preference in the past).
As a result, its not possible to attach ceph block devices in instances in Ocata; the secret_uuid configuration is not populated in the cinder configuration file, and in any case the username on the compute units won't match the username for ceph being used on the cinder units (as compute and cinder units get different keys created) so I don't think the key created on the compute units will actually work with the username provided from cinder.
I'm not 100% convinced this is a great change in behaviour; the cinder and nova keys have much the same permissions for correct operation (rwx on images, volumes and vms groups) however it does mean that the nova-compute units have to have the same keys as the cinder units. A key disclosure/compromise on a cinder unit would require revoke and re-issue across a large number of units (as compute units are likely to be 100-1000's whereas the number of cinder units will be minimal. |
https://github.com/openstack/nova/commit/b89efa3ef611a1932df0c2d6e6f30315b5111a57 introduced a change in Ocata where any data provided by cinder for rbd block devices is preferred over any local libvirt sectional configuration for rbd (which was used in preference in the past).
As a result, its not possible to attach ceph block devices in instances in a charm deployed Ocata; the secret_uuid configuration is not populated in the cinder configuration file, and in any case the username on the compute units won't match the username for ceph being used on the cinder units (as compute and cinder units get different keys created) so I don't think the key created on the compute units will actually work with the username provided from cinder.
I'm not 100% convinced this is a great change in behaviour; the cinder and nova keys have much the same permissions for correct operation (rwx on images, volumes and vms groups) however it does mean that the nova-compute units have to have the same keys as the cinder units. A key disclosure/compromise on a cinder unit would require revoke and re-issue across a large number of units (as compute units are likely to be 100-1000's whereas the number of cinder units will be minimal. |
|
| 2017-03-09 11:21:50 |
James Page |
charm-cinder-ceph: milestone |
|
17.05 |
|
| 2017-03-09 11:21:53 |
James Page |
charm-nova-compute: milestone |
|
17.05 |
|
| 2017-03-09 12:20:45 |
James Page |
charm-cinder-ceph: assignee |
|
James Page (james-page) |
|
| 2017-03-09 12:20:47 |
James Page |
charm-nova-compute: assignee |
|
James Page (james-page) |
|
| 2017-03-09 12:20:49 |
James Page |
charm-cinder-ceph: status |
Triaged |
In Progress |
|
| 2017-03-09 12:20:55 |
James Page |
charm-nova-compute: status |
Triaged |
In Progress |
|
| 2017-03-09 18:44:31 |
OpenStack Infra |
charm-nova-compute: status |
In Progress |
Fix Committed |
|
| 2017-03-14 08:28:49 |
James Page |
bug task added |
|
charm-guide |
|
| 2017-03-14 08:28:59 |
James Page |
charm-guide: status |
New |
In Progress |
|
| 2017-03-14 08:29:02 |
James Page |
charm-guide: importance |
Undecided |
High |
|
| 2017-03-14 08:29:05 |
James Page |
charm-guide: assignee |
|
James Page (james-page) |
|
| 2017-03-14 08:29:07 |
James Page |
charm-guide: milestone |
|
17.05 |
|
| 2017-03-14 09:20:11 |
OpenStack Infra |
charm-cinder-ceph: status |
In Progress |
Fix Committed |
|
| 2017-03-15 09:42:06 |
OpenStack Infra |
charm-guide: status |
In Progress |
Fix Released |
|
| 2017-03-15 09:51:34 |
James Page |
charm-cinder-ceph: status |
Fix Committed |
Fix Released |
|
| 2017-03-15 09:51:37 |
James Page |
charm-nova-compute: status |
Fix Committed |
Fix Released |
|
| 2017-03-22 18:54:33 |
Ryan Beisner |
bug |
|
|
added subscriber Ryan Beisner |
| 2017-04-17 13:05:03 |
Sean Dague |
bug task deleted |
nova |
|
|
| 2017-07-05 18:45:09 |
Ryan Beisner |
bug task added |
|
charm-cinder |
|
| 2017-07-05 21:22:39 |
Darin Arrick |
bug |
|
|
added subscriber Darin Arrick |
| 2017-08-17 13:32:30 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
| 2017-08-18 06:51:13 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
| 2017-09-21 15:44:24 |
James Page |
charm-cinder: status |
New |
Won't Fix |
|
| 2018-12-20 17:10:04 |
Chris Sanders |
bug |
|
|
added subscriber Canonical Field Critical |
| 2018-12-20 21:46:25 |
David Ames |
charm-cinder: status |
Won't Fix |
Confirmed |
|
| 2018-12-20 21:46:28 |
David Ames |
charm-cinder: importance |
Undecided |
Critical |
|
| 2018-12-20 21:46:30 |
David Ames |
charm-cinder: assignee |
|
David Ames (thedac) |
|
| 2018-12-20 21:46:34 |
David Ames |
charm-cinder: milestone |
|
19.04 |
|
| 2018-12-22 00:37:22 |
David Ames |
charm-cinder: assignee |
David Ames (thedac) |
|
|
| 2018-12-22 21:33:07 |
Xav Paice |
bug |
|
|
added subscriber Canonical IS BootStack |
| 2018-12-22 21:33:12 |
Xav Paice |
tags |
|
canonical-bootstack |
|
| 2019-01-21 10:53:24 |
Liam Young |
charm-cinder: assignee |
|
Liam Young (gnuoy) |
|
| 2019-01-24 19:28:06 |
Liam Young |
charm-cinder: status |
Confirmed |
Invalid |
|
| 2019-01-25 07:42:47 |
Liam Young |
removed subscriber Canonical Field Critical |
|
|
|
