OpenStack-Ansible

ceph_client: client commands should be executed by non-root user

Bug #1773925 reported by Juha Kosonen on 2018-05-29

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Wishlist	Dmitriy Rabotyagov

Bug Description

When root login is disabled in target host, one should use non-root sudo user in login and execution of following task in tasks/ceph_get_mon_host.yml:

# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  local_action: >
    command ssh
    -o ConnectTimeout=6
    -o UserKnownHostsFile=/dev/null
    -o StrictHostKeyChecking=no
    {{ item }}
    exit
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck

Revision history for this message

Kevin Carter (kevin-carter) wrote on 2018-05-29:

Hi Juha, Were you able to resolve this issue? if so how? Looks like we need to do some work in the ceph client role to remove root assumptions. Given that this is a known requirement of the playbooks we're marking this as wishlist however if there's something we can do to help this along please report the steps to resovle here or join the OSA channel and let us know how best to assist.

Changed in openstack-ansible:
importance:	Undecided → Wishlist
status:	New → Confirmed

Revision history for this message

Juha Kosonen (juha-kosonen) wrote on 2018-05-31:

Hi Kevin, thank you for the response and taking this into wishlist. I resolved this simply by setting

become_user: '{{ansible_env.SUDO_USER}}'

but knowing the overall root assumption not sure if this is the generic way to handle the case.

Revision history for this message

Dmitriy Rabotyagov (noonedeadpunk) wrote on 2018-06-14:

I have an addition to this post. Playbook fails, if you are using non-standart SSH ports for all of your resources.

So I would like to offer adding -p key to the command. As a port value I offer to use "{{ ansible_port }}" which would be defined anyway. And overriding this variable during setup_openstack.yml launch will result in no error whether you are using non standart SSH port.

So playbook launch will look like this:
openstack-ansible setup_openstack.yml -e ansible_port=1022

And command itself:
# look for 1 ceph monitor host that is up
- name: Verify Ceph monitors are up
  local_action: >
    command ssh
    -o ConnectTimeout=6
    -o UserKnownHostsFile=/dev/null
    -o StrictHostKeyChecking=no
    -p "{{ ansible_port }}"
    {{ item }}
    exit
  with_items: "{{ ceph_mons }}"
  changed_when: false
  failed_when: false
  register: ceph_mon_upcheck

Please consider adding support for non-standart SSH port, as only this role fails from all openstack-ansible project when you are using non-standart ssh port.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-19: Related fix proposed to openstack-ansible-ceph_client (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/583943

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-19: Change abandoned on openstack-ansible-ceph_client (master)

Change abandoned by Dmitriy R. (<email address hidden>) on branch: master
Review: https://review.openstack.org/583943

Dmitriy Rabotyagov (noonedeadpunk) on 2018-08-17

Changed in openstack-ansible:
assignee:	nobody → Dmitriy Rabotjagov (noonedeadpunk)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-19: Related fix merged to openstack-ansible-ceph_client (master)

Reviewed: https://review.openstack.org/583943
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-ceph_client/commit/?id=58ac4da336810e9aca4f0bafc2e9116dc997653b
Submitter: Zuul
Branch: master

commit 58ac4da336810e9aca4f0bafc2e9116dc997653b
Author: Dmitriy R <email address hidden>
Date: Thu Jul 19 15:04:30 2018 +0300

Added possibility to specify ssh username and port for ceph mons.

    Now SSH port relies on ansible_port variable. On case of using
    non-standard SSH ports on all infrastructure, only this role fails on
    connection to CEPH monitors.
    Added ceph_mon_user variable to defaults. This may be usefull, as ceph
    recommends to do all actions with non-root users, so ability to override
    user is pretty usefull.

Change-Id: I01f42287f50dbeb2c6a7f8912e08d21aca2d24b9
Related-Bug: 1773925

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Related fix proposed to openstack-ansible-ceph_client (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.openstack.org/593538

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Related fix proposed to openstack-ansible-ceph_client (stable/queens)

#10

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/593539

Dmitriy Rabotyagov (noonedeadpunk) on 2018-08-20

Changed in openstack-ansible:
status:	Confirmed → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Related fix proposed to openstack-ansible-ceph_client (master)

#11

Related fix proposed to branch: master
Review: https://review.openstack.org/593577

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Related fix merged to openstack-ansible-ceph_client (master)

#12

Reviewed: https://review.openstack.org/593577
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-ceph_client/commit/?id=8ec0e6c7931497deae21b2b8919243c12df9673f
Submitter: Zuul
Branch: master

commit 8ec0e6c7931497deae21b2b8919243c12df9673f
Author: Dmitriy Rabotjagov <email address hidden>
Date: Mon Aug 20 13:46:06 2018 +0300

Setting default port if ansible_port is not defined

Change-Id: I84cfe21587ba859923d3308b17dd012e2b5bfa9b
Related-Bug: 1773925

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Change abandoned on openstack-ansible-ceph_client (stable/rocky)

#13

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/593538

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-20: Change abandoned on openstack-ansible-ceph_client (stable/queens)

#14

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/593539

Dmitriy Rabotyagov (noonedeadpunk) on 2018-08-20

Changed in openstack-ansible:
status:	Fix Committed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-28: Related fix proposed to openstack-ansible-ceph_client (master)

#15

Related fix proposed to branch: master
Review: https://review.openstack.org/597129

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-29: Change abandoned on openstack-ansible-ceph_client (master)

#16

Change abandoned by Dmitriy Rabotjagov (noonedeadpunk) (<email address hidden>) on branch: master
Review: https://review.openstack.org/597129

Revision history for this message

Dmitriy Rabotyagov (noonedeadpunk) wrote on 2021-01-21:

#17

This has been covered with https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/504094

Changed in openstack-ansible:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.