Ceph client.cinder insufficient privileges for blacklist op
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kolla-ansible | Fix Released | Medium | Michal Nasiadka | |
Train | Fix Released | Medium | Michal Nasiadka | |
Bug Description
Ceph Luminous has new caps that are needed for rbd access.
In particular
caps mon = "allow r, allow command "osd blacklist""
See also issue http://
Current setup creates nova with access
mon 'allow r'
osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_
This is fine in normal usage. However, if you kill the VM process with kill -9 or just hard reset the hypervisor, there will be a stale exclusive lock on the rbd. Then, when the VM is booted again, it will produce nasty IO errors, not being able to actually write anything to the device.
The correct approach for Luminous, as suggested in the issue, is to use 'profile rbd' and 'profile rbd-read-only' for a user which intends to access rbd volumes.
Such as
client.nova mon 'profile rbd' osd 'profile rbd pool={{ ceph_cinder_
description: updated
Changed in kolla:
assignee: nobody → Gaëtan Trellu (goldyfruit)
no longer affects: kolla
Changed in kolla-ansible:
status: In Progress → Triaged
importance: Undecided → Medium
milestone: none → 9.0.0
Having the same issue; changing the client.nova auth caps only fixes the VMs that don't have attached volumes.
Need to change client.cinder as well if there are volumes attached to the VM.
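
The following is an added example, not part of the bug report, its comments, or kolla-ansible. It is a Python check over keyring-style text, such as `ceph auth get` prints, that flags client entities whose mon caps carry neither `profile rbd` nor `allow command "osd blacklist"`. The sample keyring and its pool names are constructed, and recognising only those two grant forms plus `allow *` is an assumption of this example.

```python
import re

# Constructed sample in the keyring layout printed by `ceph auth get`.
# Entity names follow the report; pool names are placeholders.
SAMPLE_KEYRING = r'''
[client.nova]
    caps mon = "allow r"
    caps osd = "allow class-read object_prefix rbd_children, allow rwx pool=POOL_A"
[client.cinder]
    caps mon = "allow r, allow command \"osd blacklist\""
    caps osd = "allow class-read object_prefix rbd_children, allow rwx pool=POOL_B"
[client.glance]
    caps mon = "profile rbd"
    caps osd = "profile rbd pool=POOL_C"
'''

SECTION = re.compile(r'^\[(?P<entity>[^\]]+)\]\s*$')
CAP = re.compile(r'^\s*caps\s+(?P<svc>\w+)\s*=\s*"(?P<val>.*)"\s*$')


def parse_keyring(text):
    """Return {entity: {service: [grant, ...]}} from keyring-style text."""
    entities, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = entities.setdefault(m.group('entity'), {})
            continue
        m = CAP.match(line)
        if m and current is not None:
            # Drop backslash escapes and inner quotes, then split on commas.
            val = m.group('val').replace('\\', '').replace('"', '')
            current[m.group('svc')] = [' '.join(g.split()) for g in val.split(',') if g.strip()]
    return entities


def can_blacklist(mon_grants):
    """True if a mon grant is one of the forms the report names, or allow *."""
    # Assumption: broader grants that might also cover the command are not recognised.
    ok = {'profile rbd', 'allow command osd blacklist', 'allow *'}
    return any(g in ok for g in mon_grants)


def audit(text):
    """List client entities whose mon caps lack a recognised blacklist grant."""
    return sorted(name for name, caps in parse_keyring(text).items()
                  if name.startswith('client.') and not can_blacklist(caps.get('mon', [])))


if __name__ == '__main__':
    for name in audit(SAMPLE_KEYRING):
        print(f'{name}: mon caps do not grant "osd blacklist"')
```

Running the check against every client that maps rbd images covers the point made in the comment above: both client.nova and client.cinder need the grant when VMs have attached volumes.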