Chrony container permission denied in Debian/Ubuntu if chrony installed on host

Bug #1882513 reported by Michal Arbet
This bug affects 1 person
Affects        Status         Importance  Assigned to         Milestone
kolla-ansible  Fix Released   Medium      Michal Arbet
Stein          Fix Committed  Medium      Radosław Piliszek
Train          Fix Committed  Medium      Radosław Piliszek
Ussuri         Fix Committed  Medium      Radosław Piliszek
Victoria       Fix Released   Medium      Michal Arbet

Bug Description

Hi,

Deploy of the chrony container (binary debian ussuri) via kolla-ansible is broken.
The container is still restarting, check the docker logs chrony output below:

+ sudo -E kolla_set_configs
INFO:__main__:Loading config file at /var/lib/kolla/config_files/config.json
INFO:__main__:Validating config file
INFO:__main__:Kolla config strategy set to: COPY_ALWAYS
INFO:__main__:Copying service configuration files
INFO:__main__:Deleting /etc/chrony/chrony.conf
INFO:__main__:Copying /var/lib/kolla/config_files/chrony.conf to /etc/chrony/chrony.conf
INFO:__main__:Setting permission for /etc/chrony/chrony.conf
INFO:__main__:Writing out command to execute
INFO:__main__:Setting permission for /var/log/kolla/chrony
INFO:__main__:Setting permission for /var/lib/chrony
INFO:__main__:Setting permission for /var/lib/chrony/202.28.93.5.dat
INFO:__main__:Setting permission for /var/lib/chrony/185.159.125.100.dat
INFO:__main__:Setting permission for /var/lib/chrony/82.161.247.86.dat
INFO:__main__:Setting permission for /var/lib/chrony/149.210.142.45.dat
INFO:__main__:Setting permission for /var/lib/chrony/37.252.127.156.dat
INFO:__main__:Setting permission for /var/lib/chrony/79.142.192.4.dat
INFO:__main__:Setting permission for /var/lib/chrony/37.44.185.42.dat
INFO:__main__:Setting permission for /var/lib/chrony/174.138.9.187.dat
INFO:__main__:Setting permission for /var/lib/chrony/chrony.drift
INFO:__main__:Setting permission for /var/lib/chrony/195.113.20.2.dat
INFO:__main__:Setting permission for /var/lib/chrony/31.14.136.69.dat
INFO:__main__:Setting permission for /var/lib/chrony/94.228.143.152.dat
INFO:__main__:Setting permission for /var/lib/chrony/192.168.205.254.dat
INFO:__main__:Setting permission for /var/lib/chrony/91.192.36.161.dat
INFO:__main__:Setting permission for /var/lib/chrony/37.97.195.195.dat
INFO:__main__:Setting permission for /var/lib/chrony/81.2.248.189.dat
INFO:__main__:Setting permission for /var/lib/chrony/185.120.34.123.dat
INFO:__main__:Setting permission for /var/lib/chrony/146.185.170.220.dat
INFO:__main__:Setting permission for /var/lib/chrony/185.244.195.159.dat
INFO:__main__:Setting permission for /var/lib/chrony/92.111.231.58.dat
INFO:__main__:Setting permission for /var/lib/chrony/213.136.0.252.dat
INFO:__main__:Setting permission for /var/lib/chrony/162.159.200.123.dat
INFO:__main__:Setting permission for /var/lib/chrony/185.51.192.34.dat
INFO:__main__:Setting permission for /var/lib/chrony/88.99.76.254.dat
INFO:__main__:Setting permission for /var/lib/chrony/45.14.224.157.dat
INFO:__main__:Setting permission for /var/lib/chrony/213.192.54.227.dat
INFO:__main__:Setting permission for /var/lib/chrony/80.127.152.30.dat
INFO:__main__:Setting permission for /var/lib/chrony/87.253.148.92.dat
INFO:__main__:Setting permission for /var/lib/chrony/147.231.100.5.dat
++ cat /run_command
+ CMD='/usr/sbin/chronyd -d -f /etc/chrony/chrony.conf'
+ ARGS=
+ sudo kolla_copy_cacerts
+ [[ ! -n '' ]]
+ . kolla_extend_start
++ rm -f /var/run/chronyd.pid
++ CHRONY_LOG_DIR=/var/log/kolla/chrony
++ [[ ! -d /var/log/kolla/chrony ]]
+++ stat -c %a /var/log/kolla/chrony
++ [[ 755 != \7\5\5 ]]
+++ stat -c %U:%G /var/log/kolla/chrony
++ [[ chrony:kolla != \c\h\r\o\n\y\:\c\h\r\o\n\y ]]
++ chown chrony:chrony /var/log/kolla/chrony
+ echo 'Running command: '\''/usr/sbin/chronyd -d -f /etc/chrony/chrony.conf'\'''
+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
Running command: '/usr/sbin/chronyd -d -f /etc/chrony/chrony.conf'
2020-06-08T11:02:48Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T11:02:48Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied
+ sudo -E kolla_set_configs

This could be fixed by a permission change from 0600 to 0644 in kolla-ansible, ansible/roles/chrony/templates/chrony.json.j2.

Changed in kolla-ansible:
assignee: nobody → Michal Arbet (michalarbet)
status: New → In Progress
Changed in kolla-ansible:
assignee: Michal Arbet (michalarbet) → Radosław Piliszek (yoctozepto)
Mark Goddard (mgoddard)
summary: - Broken chrony container
+ Chrony container permission denied in Debian/Ubuntu
Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla-ansible:
assignee: Radosław Piliszek (yoctozepto) → Michal Arbet (michalarbet)
Mark Goddard (mgoddard)
summary: - Chrony container permission denied in Debian/Ubuntu
+ Chrony container permission denied in Debian/Ubuntu if chrony installed
+ on host
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/734042
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=3d747b720051ed053f2e36b5679862b92265443b
Submitter: Zuul
Branch: master

commit 3d747b720051ed053f2e36b5679862b92265443b
Author: Michal Arbet <email address hidden>
Date: Mon Jun 8 11:12:19 2020 +0200

    Remove chrony package if containerized chrony is enabled

    This patch removes the chrony package
    from the docker host when containerized chrony is enabled.
    It also fixes an issue with the chrony container running
    under an Ubuntu docker host, as noted below.

    + exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
    2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

    Also added removal of the apparmor profile for Ubuntu when
    containerized chrony is enabled, as chrony's package
    does not remove the apparmor profile, and therefore
    containerized chrony does not work.

    Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
    Closes-Bug: #1882513

Changed in kolla-ansible:
status: In Progress → Fix Released
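
A host-side check for the conflict the commit message above describes, as an added example that is not part of the bug report or of kolla-ansible: it looks for a chronyd AppArmor profile still loaded on the Docker host and counts AppArmor denials logged under it. The matched profile names (/usr/sbin/chronyd, chronyd), the listing format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks a Docker host for a chronyd AppArmor profile left loaded
# by the distro package. All sample data is constructed for illustration.

# Constructed sample in the format of /sys/kernel/security/apparmor/profiles.
sample_profiles() {
cat <<'EOF'
docker-default (enforce)
/usr/sbin/chronyd (enforce)
/usr/sbin/tcpdump (enforce)
EOF
}

# Constructed sample kernel audit lines (field values are illustrative).
sample_audit() {
cat <<'EOF'
audit: type=1400 audit(1591614168.100:41): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony/chrony.conf" pid=4242 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1591614169.200:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/hosts" pid=4300 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Print the mode of a loaded chronyd profile; return non-zero if none is loaded.
# Assumed profile names: /usr/sbin/chronyd or chronyd.
chronyd_profile_mode() {
    awk '$1 == "/usr/sbin/chronyd" || $1 == "chronyd" {
             gsub(/[()]/, "", $NF); print $NF; found = 1; exit
         }
         END { exit !found }' "${1:-/sys/kernel/security/apparmor/profiles}"
}

# Count DENIED audit records raised under a chronyd profile in a log file.
chronyd_denials() {
    grep -c 'apparmor="DENIED".*profile="[^"]*chronyd"' "$1" || true
}

# Verdict for one host: $1 = profiles listing, $2 = kernel/audit log file.
check_host() {
    mode=$(chronyd_profile_mode "$1") || { echo "ok: no chronyd profile loaded"; return 0; }
    echo "conflict: host chronyd profile loaded ($mode), $(chronyd_denials "$2") denial(s) logged"
    return 1
}

# Demo on the constructed samples; on a real host pass
# /sys/kernel/security/apparmor/profiles and a saved kernel log instead.
tmp=$(mktemp -d)
sample_profiles > "$tmp/profiles"; sample_audit > "$tmp/audit"
check_host "$tmp/profiles" "$tmp/audit" || true
rm -rf "$tmp"
```

Reading the live profiles listing typically requires root.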
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/735663

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/735664

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/735665

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/735663
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=59b8b07e5fde7af359d3eb87aee5c28575e702a4
Submitter: Zuul
Branch: stable/ussuri

commit 59b8b07e5fde7af359d3eb87aee5c28575e702a4
Author: Michal Arbet <email address hidden>
Date: Mon Jun 8 11:12:19 2020 +0200

    Remove chrony package if containerized chrony is enabled

    This patch removes the chrony package
    from the docker host when containerized chrony is enabled.
    It also fixes an issue with the chrony container running
    under an Ubuntu docker host, as noted below.

    + exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
    2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

    Also added removal of the apparmor profile for Ubuntu when
    containerized chrony is enabled, as chrony's package
    does not remove the apparmor profile, and therefore
    containerized chrony does not work.

    Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
    Closes-Bug: #1882513
    (cherry picked from commit 3d747b720051ed053f2e36b5679862b92265443b)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/735664
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=fda520f825329e3d9199481c3f8de8f7d5730366
Submitter: Zuul
Branch: stable/train

commit fda520f825329e3d9199481c3f8de8f7d5730366
Author: Michal Arbet <email address hidden>
Date: Mon Jun 8 11:12:19 2020 +0200

    Remove chrony package if containerized chrony is enabled

    This patch removes the chrony package
    from the docker host when containerized chrony is enabled.
    It also fixes an issue with the chrony container running
    under an Ubuntu docker host, as noted below.

    + exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
    2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

    Also added removal of the apparmor profile for Ubuntu when
    containerized chrony is enabled, as chrony's package
    does not remove the apparmor profile, and therefore
    containerized chrony does not work.

    Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
    Closes-Bug: #1882513
    (cherry picked from commit 3d747b720051ed053f2e36b5679862b92265443b)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/735665
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=89e6f9aba92427fb270d7c7928d691e68d77164e
Submitter: Zuul
Branch: stable/stein

commit 89e6f9aba92427fb270d7c7928d691e68d77164e
Author: Michal Arbet <email address hidden>
Date: Mon Jun 8 11:12:19 2020 +0200

    Remove chrony package if containerized chrony is enabled

    This patch removes the chrony package
    from the docker host when containerized chrony is enabled.
    It also fixes an issue with the chrony container running
    under an Ubuntu docker host, as noted below.

    + exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
    2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
    2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

    Also added removal of the apparmor profile for Ubuntu when
    containerized chrony is enabled, as chrony's package
    does not remove the apparmor profile, and therefore
    containerized chrony does not work.

    Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
    Closes-Bug: #1882513
    (cherry picked from commit 3d747b720051ed053f2e36b5679862b92265443b)
