kolla-ansible genconfig unprivileged

Bug #1594605 reported by Kevin Fox
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla | Invalid | Wishlist | Unassigned |

Bug Description

I'm trying to run:
kolla-ansible genconfig

On my machine as a non-root user to generate configs that then are consumed by kolla-kubernetes.

I'm running it as a different user as I want to ensure it is not making changes to the system, as it should only be generating config files. But it seems to be trying.

It stops part way through complaining about not being able to change the following for haproxy:
net.ipv4.ip_nonlocal_bind=1
net.unix.max_dgram_qlen=128

Manually setting them on the node gets it further, but then fails at:
[nova : Setting sysctl values]
trying to set:
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

These in particular are worrying to me. Why is it trying to do this? There may be other things it's trying to do too. Haven't gotten all the way to the end yet.

Kevin Fox (kevpn) wrote :

diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 9c285b5..10d5b5a 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -3,8 +3,8 @@
   sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
   with_items:
     - { name: "net.ipv4.ip_forward", value: 1}
- - { name: "net.ipv4.conf.all.rp_filter", value: 0}
- - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+# - { name: "net.ipv4.conf.all.rp_filter", value: 0}
+# - { name: "net.ipv4.conf.default.rp_filter", value: 0}
   when:
     - set_sysctl | bool
     - inventory_hostname in groups['neutron-l3-agent']
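Review bot: The two rp_filter entries in with_items are disabled for every run of the neutron role, not only for genconfig, and the task still writes net.ipv4.ip_forward with sysctl_set=yes, so it still needs privilege on hosts in neutron-l3-agent. The when: block already gates the whole task on "set_sysctl | bool"; turning that variable off for config generation would skip the task without editing the role, and the rp_filter entries could stay untouched for real deployments.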
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 8841635..7bd998e 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -4,8 +4,8 @@
   with_items:
     - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
     - { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
- - { name: "net.ipv4.conf.all.rp_filter", value: 0}
- - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+# - { name: "net.ipv4.conf.all.rp_filter", value: 0}
+# - { name: "net.ipv4.conf.default.rp_filter", value: 0}
   when:
     - set_sysctl | bool
     - inventory_hostname in groups['compute']
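Review bot: The commented-out rp_filter lines in with_items leave dead entries in the nova role with no explanation, while the two net.bridge.bridge-nf-call-* items above them are still applied on compute hosts. If the entries are no longer wanted, delete them and say in the commit message why rp_filter=0 is not needed on compute nodes; if the aim is only that genconfig never touches the host, express that in the when: conditions instead of in the item list.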

With this, and the other haproxy stuff, it seems to generate configs now.

These checks/sets need to be disabled for genconfig.

Changed in kolla:
status: New → Triaged
milestone: none → newton-rc2
Changed in kolla:
status: Triaged → Confirmed
importance: Undecided → Critical
Kevin Fox (kevpn) wrote :

I didn't know ansible very well when I filed this bug report.

The following in globals.yaml lets it work as non-root:
set_sysctl: "no"

See the following container source for how I've gotten it to work in an unprivileged container:
https://github.com/kfox1111/kolla-kubernetes-toolbox

I think this bug can be closed.
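
Whether a genconfig run really leaves the host alone can be checked by comparing the sysctl keys named in this thread before and after the command. The script below is an added example, not part of the original report or of kolla; the function names, the SYSCTL_ROOT variable and the exit code 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect whether a command changed the sysctl keys named in
# this report. Usage: sh sysctl_drift.sh kolla-ansible genconfig
# SYSCTL_ROOT is an assumption of this example so a test tree can stand in.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Keys taken from the report and from the two config.yml hunks.
KEYS="net.ipv4.ip_nonlocal_bind net.unix.max_dgram_qlen
net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables"

# snapshot ROOT: print one "key=value" line per watched key, in fixed order.
snapshot() {
  for key in $KEYS; do
    path="$1/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
      printf '%s=%s\n' "$key" "$(cat "$path")"
    else
      # e.g. net.bridge.* when the bridge netfilter module is not loaded
      printf '%s=<absent>\n' "$key"
    fi
  done
}

# run_and_check CMD [ARGS...]: run CMD between two snapshots.
# Returns 3 if any watched key changed, otherwise CMD's own exit status.
run_and_check() {
  before=$(mktemp) && after=$(mktemp) || return 2
  snapshot "$SYSCTL_ROOT" > "$before"
  rc=0
  "$@" || rc=$?
  snapshot "$SYSCTL_ROOT" > "$after"
  # Lines only in the second snapshot are the new values of changed keys.
  changed=$(diff "$before" "$after" | sed -n 's/^> //p')
  rm -f "$before" "$after"
  if [ -n "$changed" ]; then
    printf '%s\n' "$changed" | sed 's/^/sysctl changed: /' >&2
    return 3
  fi
  return "$rc"
}

if [ "$#" -gt 0 ]; then
  run_and_check "$@"
  exit $?
fi
```

The comparison covers only the host the script runs on; for inventory hosts reached over SSH it has to be run on those hosts.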

zhubingbing (zhubingbing) wrote :

Kevin Fox, thank you.
I close this bug.

Changed in kolla:
status: Confirmed → Invalid
importance: Critical → Wishlist
Chris Hoge (hoge) wrote :

I'm not sure this is a bug that should be closed. There's nothing in the kolla documentation that indicates that the deployment user should be root rather than a privileged user that can sudo, and I'm experiencing the same failures using the documentation provided in the startup guide. If these system values need to be set as a precondition to running kolla, or the ansible user on the target nodes needs to be root (a user disabled by default in Ubuntu), this needs to be documented properly.

Changed in kolla:
milestone: newton-rc2 → ocata-1
milestone: ocata-1 → none