kolla-ansible

glance-api does not support iscsi cinder backend

Bug #1855695 reported by Danny Webb
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
kolla-ansible
Fix Released
Medium
Radosław Piliszek
kolla-ansible 10.0.0 "ussuri"
Stein
Fix Released
Medium
Mark Goddard
kolla-ansible 8.1.0 "Stein"
Train
Fix Released
Medium
Mark Goddard
kolla-ansible 9.0.1 "Train"
Ussuri
Fix Released
Medium
Radosław Piliszek
kolla-ansible 10.0.0 "ussuri"

Bug Description

There are currently 2 issues stopping glance from being able to use an iscsi backend for cinder:

1) The glance_api container is setup as an unprivileged container which means glance can't use an iscsi cinder backend as it's store.
2) the glance api container is missing mounts for /dev/:/dev/ and iscsi_info:/etc/iscsi which it needs to be able use iscsi

It would be simple enough to add to the volumes:

      - "{{ 'iscsi_info:/etc/iscsi' if enable_cinder | bool and enable_cinder_backend_iscsi | bool }} "
      - "{{ '/dev/:/dev/' if enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"

and to the glance-api service:

  privileged: "{{ True if enable_cinder | bool and enable_cinder_backend_iscsi | bool | else False}}"

** https://bugzilla.redhat.com/show_bug.cgi?id=1658367

See original description
Danny Webb (dannyswebb)
description: updated
description: updated
Mark Goddard (mgoddard)
Changed in kolla-ansible:
status: New → Triaged
importance: Undecided → Medium
Radosław Piliszek (yoctozepto)
summary: - Allow Privileged=True for glance-api to support isci cinder backend
+ glance-api does not support iscsi cinder backend
Revision history for this message
Danny Webb (dannyswebb) wrote :

worth mentioning that although the redhat triple-o setup has an additional mount (/var/lib/iscsi) I've tested with only /dev/ and iscsi_info and it works fine

**https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/docker/services/glance-api.yaml#L201

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/699910

Changed in kolla-ansible:
assignee: nobody → Chason Chan (chen-xing)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack)
Changed in kolla-ansible:
assignee: Chason Chan (chen-xing) → Dincer Celik (osmanlicilegi)
Dincer Celik (dincercelik)
Changed in kolla-ansible:
milestone: none → 10.0.0
OpenStack Infra (hudson-openstack)
Changed in kolla-ansible:
assignee: Dincer Celik (osmanlicilegi) → Radosław Piliszek (yoctozepto)
OpenStack Infra (hudson-openstack)
Changed in kolla-ansible:
assignee: Radosław Piliszek (yoctozepto) → Dincer Celik (osmanlicilegi)
OpenStack Infra (hudson-openstack)
Changed in kolla-ansible:
assignee: Dincer Celik (osmanlicilegi) → Radosław Piliszek (yoctozepto)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/699910
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=fa49b2692de1b38bfdf47e1468296770d5dfff89
Submitter: Zuul
Branch: master

commit fa49b2692de1b38bfdf47e1468296770d5dfff89
Author: chenxing <email address hidden>
Date: Thu Dec 19 12:03:54 2019 +0800

    Enable Glance to use Cinder iSCSI backend

    To use an iSCSI Cinder backend as its store, glance_api must run
    privileged and have /dev and /etc/iscsi properly mounted

    Co-authored-by: Radosław Piliszek <email address hidden>
    Change-Id: I988d3c9d0564483440ae17203ad88a8049abbea4
    Closes-Bug: #1855695

Changed in kolla-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/704607

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/704608

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/704608
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=be4daa5b4ee968f23083023f4840ac9838391993
Submitter: Zuul
Branch: stable/stein

commit be4daa5b4ee968f23083023f4840ac9838391993
Author: chenxing <email address hidden>
Date: Thu Dec 19 12:03:54 2019 +0800

    Enable Glance to use Cinder iSCSI backend

    To use an iSCSI Cinder backend as its store, glance_api must run
    privileged and have /dev and /etc/iscsi properly mounted

    Co-authored-by: Radosław Piliszek <email address hidden>
    Change-Id: I988d3c9d0564483440ae17203ad88a8049abbea4
    Closes-Bug: #1855695
    (cherry picked from commit fa49b2692de1b38bfdf47e1468296770d5dfff89)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/704607
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=7c60631e0b46b20ea9462912f23a02a78688aa1b
Submitter: Zuul
Branch: stable/train

commit 7c60631e0b46b20ea9462912f23a02a78688aa1b
Author: chenxing <email address hidden>
Date: Thu Dec 19 12:03:54 2019 +0800

    Enable Glance to use Cinder iSCSI backend

    To use an iSCSI Cinder backend as its store, glance_api must run
    privileged and have /dev and /etc/iscsi properly mounted

    Co-authored-by: Radosław Piliszek <email address hidden>
    Change-Id: I988d3c9d0564483440ae17203ad88a8049abbea4
    Closes-Bug: #1855695
    (cherry picked from commit fa49b2692de1b38bfdf47e1468296770d5dfff89)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 8.1.0

This issue was fixed in the openstack/kolla-ansible 8.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 9.0.1

This issue was fixed in the openstack/kolla-ansible 9.0.1 release.

Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

Glance still cannot do this:

2020-03-25 17:45:30.418 20 INFO oslo.privsep.daemon [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] Running privsep helper: ['sudo', 'glance-rootwrap', '/etc/glance/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/glance/glance-api.conf', '--privsep_context', 'os_brick.privileged.default', '--privsep_sock_path', '/tmp/tmp2c0ocddc/privsep.sock']
2020-03-25 17:45:30.430 20 WARNING oslo.privsep.daemon [-] privsep log: sudo: no tty present and no askpass program specified
2020-03-25 17:45:30.434 20 CRITICAL oslo.privsep.daemon [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] privsep helper command exited non-zero (1)
2020-03-25 17:45:30.435 20 DEBUG os_brick.utils [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] <== get_connector_properties: exception (17ms) FailedToDropPrivileges('privsep helper command exited non-zero (1)',) trace_logging_wrapper /var/lib/kolla/venv/lib/python3.6/site-packages/os_brick/utils.py:156
2020-03-25 17:45:30.435 20 ERROR glance_store._drivers.cinder [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] Failed to write to volume 305f97f2-3a52-4810-87ba-71df7834617e.: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2020-03-25 17:45:35.641 20 ERROR glance.api.v2.image_data [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] Failed to upload image data due to internal error: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2020-03-25 17:45:35.685 20 ERROR glance.common.wsgi [req-e2d4f418-0012-4db5-a7dc-3f65eeb07054 609684595a074556be10f586f5e52fbc 15daa19f9fd742948eda9651dbccd3b4 - default default] Caught error: privsep helper command exited non-zero (1): oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)

will open new bug.

Revision history for this message
Radosław Piliszek (yoctozepto) wrote :

reported: https://bugs.launchpad.net/kolla-ansible/+bug/1869072

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.