Missing 'allow class-read object_prefix rbd_children' with restrict-ceph-pools is enabled

Bug #1696073 reported by Ante Karamatić
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Ceph Monitor Charm | Fix Released | High | Liam Young | |
| OpenStack Cinder Charm | Fix Released | High | Liam Young | |
| OpenStack Cinder-Ceph charm | Fix Released | High | Liam Young | |
| OpenStack Glance Charm | Fix Released | High | Liam Young | |
| OpenStack Nova Compute Charm | Fix Released | High | Unassigned | |

Bug Description

When restrict-ceph-pools is set to True, one cannot delete images uploaded to glance. It seems that glance also needs, at least, read access for cinder-ceph pool. So, this works:

client.glance
 key: nothingtoseehere
 caps: [mon] allow r
 caps: [osd] allow r pool=cinder-ceph; allow rwx pool=glance

Read-only access for cinder-ceph is enough for creating volumes from images. Obviously, these permissions need to be set on relation with cinder-ceph.

Ante Karamatić (ivoks)
tags: added: adrastea
Gábor Mészáros (gabor.meszaros) wrote :

For me caps: [osd] allow class-read object_prefix rbd_children, allow rwx pool=glance
was needed. This is the ceph suggested way of using cephx authentication.
http://docs.ceph.com/docs/master/rbd/rbd-openstack/#setup-ceph-client-authentication
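
A check for the two OSD cap strings quoted above, as an added example that is not part of the bug report or of the charms' code: it parses a client's `[osd]` caps and reports a missing `class-read` grant on `rbd_children`, grants with no pool restriction, and grants on pools outside an expected set. The function names, the `{"glance"}` expected-pool set and the simplified grant grammar are assumptions made for this illustration.

```python
import re

# Simplified grammar: only the OSD grant forms quoted in this bug report.
GRANT_RE = re.compile(
    r"^allow\s+(?P<perms>\S+)"
    r"(?:\s+pool=(?P<pool>\S+)|\s+object_prefix\s+(?P<prefix>\S+))?$"
)

def parse_osd_caps(caps):
    """Split an OSD cap string on ',' or ';' and parse each grant."""
    grants = []
    for raw in re.split(r"[;,]", caps):
        raw = raw.strip()
        if not raw:
            continue
        m = GRANT_RE.match(raw)
        if m is None:
            raise ValueError(f"unsupported grant: {raw!r}")
        grants.append(m.groupdict())
    return grants

def audit_osd_caps(caps, allowed_pools):
    """Return a list of findings; an empty list means the caps pass."""
    grants = parse_osd_caps(caps)
    findings = []
    if not any(g["perms"] == "class-read" and g["prefix"] == "rbd_children"
               for g in grants):
        findings.append("missing class-read on object_prefix rbd_children")
    for g in grants:
        if g["prefix"]:
            continue  # prefix-scoped grant, checked above
        if g["pool"] is None:
            findings.append(f"'allow {g['perms']}' is not limited to a pool")
        elif g["pool"] not in allowed_pools:
            findings.append(f"grant on unexpected pool {g['pool']!r}")
    return findings

# Cap strings quoted in the thread, plus one constructed unrestricted key.
WORKAROUND = "allow r pool=cinder-ceph; allow rwx pool=glance"
SUGGESTED = "allow class-read object_prefix rbd_children, allow rwx pool=glance"
UNRESTRICTED = "allow rwx"  # constructed sample

if __name__ == "__main__":
    for caps in (WORKAROUND, SUGGESTED, UNRESTRICTED):
        print(caps, "->", audit_osd_caps(caps, {"glance"}) or "ok")
```
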

tags: added: 4010
James Page (james-page)
Changed in charm-glance:
status: New → Triaged
importance: Undecided → High
summary: - Can't delete glance images with restrict-ceph-pools set to True
+ Missing 'allow class-read object_prefix rbd_children' with restrict-
+ ceph-pools is enabled
Changed in charm-nova-compute:
status: New → Triaged
Changed in charm-cinder-ceph:
status: New → Triaged
Changed in charm-cinder:
status: New → Triaged
importance: Undecided → High
Changed in charm-cinder-ceph:
importance: Undecided → High
Changed in charm-nova-compute:
importance: Undecided → High
Changed in charm-cinder:
milestone: none → 18.02
Changed in charm-cinder-ceph:
milestone: none → 18.02
Changed in charm-glance:
milestone: none → 18.02
Changed in charm-nova-compute:
milestone: none → 18.02
Liam Young (gnuoy)
Changed in charm-cinder:
assignee: nobody → Liam Young (gnuoy)
Changed in charm-cinder-ceph:
assignee: nobody → Liam Young (gnuoy)
Changed in charm-glance:
assignee: nobody → Liam Young (gnuoy)
Changed in charm-nova-compute:
assignee: nobody → Liam Young (gnuoy)
Liam Young (gnuoy) wrote :

Waiting for the following to land:

https://review.openstack.org/#/c/527690/
https://github.com/juju/charm-helpers/pull/76

Once they have landed ceph-osd and ceph-mon will need a charms.ceph sync.
cinder, cinder-ceph, nova-compute & glance will need a charmhelper sync and will need their add_op_request_access_to_group call updated to set rbd_children object perm. For glance this will mean changing:

rq.add_op_request_access_to_group(
    name="images",
    permission='rwx')

to

rq.add_op_request_access_to_group(
    name="images",
    object_prefix_permissions={'class-read': ['rbd_children']},
    permission='rwx')

Ante Karamatić (ivoks)
tags: added: cpe-onsite
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/527971

Changed in charm-glance:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder-ceph (master)

Fix proposed to branch: master
Review: https://review.openstack.org/528173

Changed in charm-cinder-ceph:
status: Triaged → In Progress
Changed in charm-cinder:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/528175

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder-ceph (master)

Reviewed: https://review.openstack.org/528173
Committed: https://git.openstack.org/cgit/openstack/charm-cinder-ceph/commit/?id=d9b4bf4923bf9e02e289700aded0df9384e7f036
Submitter: Zuul
Branch: master

commit d9b4bf4923bf9e02e289700aded0df9384e7f036
Author: Liam Young <email address hidden>
Date: Fri Dec 15 07:11:53 2017 +0000

    Request class-read object_prefix rbd_children perm

    When using ceph as a backend request the additional privilege
    class-read on rbd_children. This fixes bug 1696073.

    Change-Id: I0f17fc9cf321171cadf9da129d94c9fef70dba78
    Partial-Bug: #1696073

James Page (james-page)
Changed in charm-ceph-mon:
status: New → In Progress
importance: Undecided → High
assignee: nobody → James Page (james-page)
milestone: none → 18.02
assignee: James Page (james-page) → Liam Young (gnuoy)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder-ceph (master)

Fix proposed to branch: master
Review: https://review.openstack.org/528230

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-ceph-mon (master)

Reviewed: https://review.openstack.org/527967
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-mon/commit/?id=4e411761bfeda4b8ffaccd4450054c65ca658f72
Submitter: Zuul
Branch: master

commit 4e411761bfeda4b8ffaccd4450054c65ca658f72
Author: Liam Young <email address hidden>
Date: Thu Dec 14 14:11:02 2017 +0000

    ch-sync and ceph-sync to pickup 1696073 fixes

    Sync charmhelpers and charms.ceph code to pickup fixes for
    Bug #1696073

    Change-Id: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59
    Closes-Bug: #1696073

Changed in charm-ceph-mon:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.openstack.org/527971
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=4b9e5c393b7f5374492fdf832c5147ed4c78793c
Submitter: Zuul
Branch: master

commit 4b9e5c393b7f5374492fdf832c5147ed4c78793c
Author: Liam Young <email address hidden>
Date: Thu Dec 14 14:15:32 2017 +0000

    Request class-read object_prefix rbd_children perm

    When using ceph as a backend request the additional privilege
    class-read on rbd_children. This fixes bug 1696073.

    Change-Id: Ie4341eb834ae6fe02424c75e31f16f1cf5411f21
    Closes-Bug: #1696073
    Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59

Changed in charm-glance:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder-ceph (master)

Reviewed: https://review.openstack.org/528230
Committed: https://git.openstack.org/cgit/openstack/charm-cinder-ceph/commit/?id=194b9274a63eee61b7d2aa23b632d2b294cd71eb
Submitter: Zuul
Branch: master

commit 194b9274a63eee61b7d2aa23b632d2b294cd71eb
Author: Liam Young <email address hidden>
Date: Fri Dec 15 07:11:53 2017 +0000

    Request class-read object_prefix rbd_children perm

    When using ceph as a backend request the additional privilege
    class-read on rbd_children. This fixes bug 1696073.

    Change-Id: I023781e01c1e314cb2755e7867cdf588432791fc
    Closes-Bug: #1696073
    Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59

Changed in charm-cinder-ceph:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder (master)

Reviewed: https://review.openstack.org/528175
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=a956c6b9d87ee43c769b2669569b46efbaa23df1
Submitter: Zuul
Branch: master

commit a956c6b9d87ee43c769b2669569b46efbaa23df1
Author: Liam Young <email address hidden>
Date: Fri Dec 15 07:16:52 2017 +0000

    Request class-read object_prefix rbd_children perm

    When using ceph as a backend request the additional privilege
    class-read on rbd_children. This fixes bug 1696073.

    Change-Id: Ia5f092255f1ff75796fc24a8bbd94dd1831e6807
    Closes-Bug: #1696073
    Depends-On: Icf844ec7d33f2e558dee7935fe5fa3d7f08e0d59

Changed in charm-cinder:
status: In Progress → Fix Committed
Ryan Beisner (1chb1n)
Changed in charm-nova-compute:
milestone: 18.02 → 18.05
Ryan Beisner (1chb1n)
Changed in charm-glance:
status: Fix Committed → Fix Released
Changed in charm-cinder:
status: Fix Committed → Fix Released
Changed in charm-cinder-ceph:
status: Fix Committed → Fix Released
Changed in charm-ceph-mon:
status: Fix Committed → Fix Released
Liam Young (gnuoy)
Changed in charm-nova-compute:
assignee: Liam Young (gnuoy) → nobody
David Ames (thedac)
Changed in charm-nova-compute:
milestone: 18.05 → 18.08
James Page (james-page)
Changed in charm-nova-compute:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/571509
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=d8de6b66428845093538e7e156f48c4ec0b54d63
Submitter: Zuul
Branch: master

commit d8de6b66428845093538e7e156f48c4ec0b54d63
Author: Marian Gasparovic <email address hidden>
Date: Thu May 31 17:04:33 2018 +0200

    Request class-read object_prefix rbd_children perm

    When using ceph as a backend request the additional privilege
    class-read on rbd_children. This fixes bug 1696073.

    Change-Id: I468cfb5026751b96feba013b4e6ae74ff8da38ca
    Closes-Bug: #1696073

Changed in charm-nova-compute:
status: In Progress → Fix Committed
David Ames (thedac)
Changed in charm-nova-compute:
status: Fix Committed → Fix Released