ceph_client: client commands should be executed by non-root user

Bug #1773925 reported by Juha Kosonen on 2018-05-29
This bug affects 2 people
Affects: openstack-ansible
Importance: Wishlist
Assigned to: Dmitriy Rabotyagov

Bug Description

When root login is disabled on the target host, one should use a non-root sudo user for the login and execution of the following task in tasks/ceph_get_mon_host.yml:

# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  local_action: >
    command ssh
    -o ConnectTimeout=6
    -o UserKnownHostsFile=/dev/null
    -o StrictHostKeyChecking=no
    {{ item }}
    exit
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck

Kevin Carter (kevin-carter) wrote :

Hi Juha, were you able to resolve this issue? If so, how? Looks like we need to do some work in the ceph client role to remove root assumptions. Given that this is a known requirement of the playbooks, we're marking this as wishlist; however, if there's something we can do to help this along, please report the steps to resolve it here or join the OSA channel and let us know how best to assist.

Changed in openstack-ansible:
importance: Undecided → Wishlist
status: New → Confirmed
Juha Kosonen (juha-kosonen) wrote :

Hi Kevin, thank you for the response and taking this into wishlist. I resolved this simply by setting

become_user: '{{ansible_env.SUDO_USER}}'

but, knowing the overall root assumption, I am not sure whether this is the generic way to handle the case.

I have an addition to this post. The playbook fails if you are using non-standard SSH ports for all of your resources.

So I would like to propose adding the -p option to the command. As the port value I propose using "{{ ansible_port }}", which would be defined anyway. Overriding this variable when launching setup_openstack.yml will then result in no error whether or not you are using a non-standard SSH port.

So the playbook launch will look like this:
openstack-ansible setup_openstack.yml -e ansible_port=1022

And the command itself:
# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  local_action: >
    command ssh
    -o ConnectTimeout=6
    -o UserKnownHostsFile=/dev/null
    -o StrictHostKeyChecking=no
    -p "{{ ansible_port }}"
    {{ item }}
    exit
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck

Please consider adding support for non-standard SSH ports, as this is the only role in the whole openstack-ansible project that fails when you are using a non-standard SSH port.
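As an added example of what the two requests in this thread amount to (this is not the project's committed change; the real one is in the linked review), the task below defaults the port to 22 when ansible_port is unset and takes the login user from a role variable. The variable name ceph_mon_user is the one the later commit message mentions; its default value of root, the use of ssh's -l flag, the added BatchMode=yes (so ssh fails instead of hanging on a password prompt) and the follow-up task that fails when no monitor answered are all my assumptions, not the role's code. Note that the two -o options carried over from the original task disable SSH host-key verification for this probe; that is a deliberate trade-off for a pure reachability check, but anything that actually moves data over such a session should keep host-key checking enabled.

```yaml
# Added example, not the ceph_client role's own code.
# defaults/main.yml (assumed): user used for the monitor reachability probe.
---
ceph_mon_user: root

# tasks/ceph_get_mon_host.yml (assumed shape)
---
# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  local_action: >
    command ssh
    -o ConnectTimeout=6
    -o BatchMode=yes
    -o UserKnownHostsFile=/dev/null
    -o StrictHostKeyChecking=no
    -p "{{ ansible_port | default(22) }}"
    -l "{{ ceph_mon_user | default('root') }}"
    {{ item }}
    exit
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck

# Each per-item result carries the ssh return code; rc 0 means the host
# accepted the login on that port and ran 'exit'. Stop the play with a clear
# message if not a single monitor answered, instead of failing later with
# an opaque error from the first ceph command.
- name: Ensure at least one Ceph monitor answered
  fail:
    msg: >-
      No Ceph monitor in {{ ceph_mons }} accepted an SSH connection
      on port {{ ansible_port | default(22) }}
      as user {{ ceph_mon_user | default('root') }}
  when: ceph_mon_upcheck.results | selectattr('rc', 'equalto', 0) | list | length == 0
```

With this shape, `openstack-ansible setup_openstack.yml -e ansible_port=1022` overrides the port for the probe as the comment above proposes, and a deployment that never sets ansible_port still gets port 22 rather than an undefined-variable error.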

Change abandoned by Dmitriy R. (<email address hidden>) on branch: master
Review: https://review.openstack.org/583943

Changed in openstack-ansible:
assignee: nobody → Dmitriy Rabotjagov (noonedeadpunk)

Reviewed: https://review.openstack.org/583943
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-ceph_client/commit/?id=58ac4da336810e9aca4f0bafc2e9116dc997653b
Submitter: Zuul
Branch: master

commit 58ac4da336810e9aca4f0bafc2e9116dc997653b
Author: Dmitriy R <email address hidden>
Date: Thu Jul 19 15:04:30 2018 +0300

    Added possibility to specify ssh username and port for ceph mons.

    Now the SSH port relies on the ansible_port variable. In case of using
    non-standard SSH ports on all infrastructure, only this role fails on
    connection to CEPH monitors.
    Added ceph_mon_user variable to defaults. This may be useful, as ceph
    recommends doing all actions with non-root users, so the ability to
    override the user is pretty useful.

    Change-Id: I01f42287f50dbeb2c6a7f8912e08d21aca2d24b9
    Related-Bug: 1773925

Changed in openstack-ansible:
status: Confirmed → Fix Committed

Reviewed: https://review.openstack.org/593577
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-ceph_client/commit/?id=8ec0e6c7931497deae21b2b8919243c12df9673f
Submitter: Zuul
Branch: master

commit 8ec0e6c7931497deae21b2b8919243c12df9673f
Author: Dmitriy Rabotjagov <email address hidden>
Date: Mon Aug 20 13:46:06 2018 +0300

    Setting default port if ansible_port is not defined

    Change-Id: I84cfe21587ba859923d3308b17dd012e2b5bfa9b
    Related-Bug: 1773925

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/593538

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/593539

Changed in openstack-ansible:
status: Fix Committed → In Progress

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: master
Review: https://review.openstack.org/597129
