virsh rbd secret setting assumes client.admin privileges

Bug #1439949 reported by Giulio Fidente
Affects        Status         Importance    Assigned to      Milestone
puppet-nova    Fix Released   Undecided     Giulio Fidente   -
tripleo        Fix Released   Medium        Jiří Stránský    -

Bug Description

One of the steps performed to set the cephx key for the virsh secret assumes we have client.admin privileges

The offending line is: https://github.com/stackforge/puppet-nova/blob/master/manifests/compute/rbd.pp#L79

To run $(ceph auth get-key) successfully we need access to client.admin, which shouldn't be needed on compute nodes.

In addition to that, it also assumes the ceph cluster is already up and running, which isn't necessarily the case during the first deployment of the ceph nodes.

One option would be to enforce passing the rbd_key as a param, but this would make it backward incompatible; another would be to extract the key from the rbd_keyring, which also needs to be provided as a param, but we shouldn't make assumptions about where the keyring is located, as we don't know: it's customizable in ceph.conf.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/170407

Changed in puppet-nova:
assignee: nobody → Giulio Fidente (gfidente)
status: New → In Progress
Jiří Stránský (jistr) wrote :
Changed in tripleo:
status: New → In Progress
assignee: nobody → Jiří Stránský (jistr)
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (master)

Reviewed: https://review.openstack.org/170407
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=a8ba5a41cdbcbc5b4123cc97e0e46f4c7702b8fa
Submitter: Jenkins
Branch: master

commit a8ba5a41cdbcbc5b4123cc97e0e46f4c7702b8fa
Author: Giulio Fidente <email address hidden>
Date: Fri Apr 3 11:28:19 2015 +0200

    Allow libvirt secret key setting from param

    Currently the libvirt secret key is requested from the ceph cluster
    via the $(ceph auth get-key ...) command which requires the ceph
    cluster to be already up and also assumes the computes are provisioned
    with the client.admin keyring.

    With this change we add a libvirt_rbd_secret_key parameter which,
    if passed, is used instead so that computes can be configured
    without the distribution of additional keys.

    Change-Id: I70da06159c0d3c6fa204b5f7a468909ffab4d633
    Closes-Bug: #1439949

Changed in puppet-nova:
status: In Progress → Fix Committed
Changed in tripleo:
assignee: Jiří Stránský (jistr) → Giulio Fidente (gfidente)
Changed in tripleo:
assignee: Giulio Fidente (gfidente) → Jiří Stránský (jistr)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/170518
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b529653d313c7fe23d870df6ea81e267c23373fe
Submitter: Jenkins
Branch: master

commit b529653d313c7fe23d870df6ea81e267c23373fe
Author: Jiri Stransky <email address hidden>
Date: Fri Apr 3 16:24:55 2015 +0200

    Pass in libvirt_rbd_secret_key for nova compute

    Passing the key explicitly into nova::compute::rbd means that Puppet
    will not attempt to fetch the key using `ceph auth get-key <keyring>`,
    having these effects:

    * One reason for compute node to have access to the client.admin key is
      gone (in current implementation it does have access to the key, but
      this change is a step towards removing it).

    * Ceph cluster doesn't have to be running at the time when Puppet runs
      on compute node, meaning we don't have to serialize things more than
      we do now.

    Also adding the ComputeCephDeployment as a dependency of
    ComputePostDeployment, otherwise the hiera file it creates might be
    created *after* Puppet configuration happens on compute nodes, and the
    values it provides would be missing during the Puppet run on the compute
    nodes.

    Change-Id: Id3166e6d5f01d18ec8a5033398bb511f4321a5e8
    Depends-On: I70da06159c0d3c6fa204b5f7a468909ffab4d633
    Partial-Bug: #1439949

Changed in tripleo:
status: In Progress → Fix Committed
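The bug description and the two commit messages above describe the same trade-off: fetching the libvirt secret with `ceph auth get-key` requires client.admin on the compute node and a running cluster, whereas passing the key in as a parameter does not. The following is an added example, not puppet-nova or tripleo code, showing the other option the reporter mentions: reading the key for the compute node's own restricted cephx identity out of the keyring it is provisioned with, refusing anything that looks like an admin key, and producing the inputs for `virsh secret-define` and `virsh secret-set-value`. The entity name `client.compute`, its caps, the UUID and the key bytes are constructed sample data, and `private="yes"` on the libvirt secret is an assumption that nova only needs the UUID, never the value back.

```python
"""Derive the libvirt RBD secret from the compute node's own Ceph keyring.

Added example for bug #1439949 (not puppet-nova or tripleo code). Instead of
asking the monitors with `ceph auth get-key`, which needs client.admin and a
reachable cluster, the key is read from the keyring file for the compute
node's own restricted cephx identity. All sample values are constructed.
"""
import base64
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed sample key: 28 raw bytes (2-byte type, 8-byte timestamp,
# 2-byte length, 16-byte secret) is the shape of a real cephx key, but
# the bytes here are made up.
SAMPLE_KEY = base64.b64encode(
    b"\x01\x00" + b"\x00" * 10 + b"0123456789abcdef"
).decode()

# Constructed keyring for a least-privilege RBD client, in the INI-like
# format ceph-authtool writes (ceph emits tabs; spaces also work).
SAMPLE_KEYRING = f"""
[client.compute]
\tkey = {SAMPLE_KEY}
\tcaps mon = "allow r"
\tcaps osd = "allow class-read object_prefix rbd_children, allow rwx pool=vms"
"""

# Constructed admin keyring, present only to show that it is rejected.
ADMIN_KEYRING = f"""
[client.admin]
\tkey = {SAMPLE_KEY}
\tcaps mds = "allow *"
\tcaps mon = "allow *"
\tcaps osd = "allow *"
"""

SAMPLE_SECRET_UUID = "2b8e7c5a-1f44-4c3d-9d0e-0c4f2a6e7b11"  # constructed


def parse_keyring(text):
    """Parse a Ceph keyring into {entity: {"key": str|None, "caps": {svc: cap}}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            entries[current] = {"key": None, "caps": {}}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed keyring line: {raw!r}")
        # split on the first '=' only: cap strings contain '=' (pool=vms)
        name, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if name == "key":
            entries[current]["key"] = value
        elif name.startswith("caps "):
            entries[current]["caps"][name[len("caps "):].strip()] = value
        # other fields (for example auid) are not needed here
    return entries


def audit_entity(entries, entity):
    """Reasons this key must NOT be installed on a compute node (empty list = ok)."""
    if entity not in entries:
        return [f"{entity} is not in the keyring"]
    problems = []
    if entity == "client.admin":
        problems.append("client.admin must not be distributed to compute nodes")
    for service, cap in entries[entity]["caps"].items():
        if cap.strip() == "allow *":
            problems.append(f"{entity} has unrestricted {service} caps")
    key = entries[entity]["key"]
    if key is None:
        problems.append(f"{entity} has no key")
    else:
        try:
            if len(base64.b64decode(key, validate=True)) != 28:
                problems.append("key does not decode to a 28-byte cephx key")
        except ValueError:  # binascii.Error is a ValueError
            problems.append("key is not valid base64")
    return problems


def select_rbd_secret_key(keyring_text, entity):
    """The value to hand to libvirt_rbd_secret_key; raises rather than ship a bad key."""
    entries = parse_keyring(keyring_text)
    problems = audit_entity(entries, entity)
    if problems:
        raise PermissionError("; ".join(problems))
    return entries[entity]["key"]


def libvirt_secret_xml(secret_uuid, entity):
    """Definition for `virsh secret-define --file`. private="yes" keeps the value
    from being read back with `virsh secret-get-value` (assumed acceptable)."""
    uuid.UUID(secret_uuid)  # fail early on a malformed UUID
    root = ET.Element("secret", ephemeral="no", private="yes")
    ET.SubElement(root, "uuid").text = secret_uuid
    usage = ET.SubElement(root, "usage", type="ceph")
    ET.SubElement(usage, "name").text = f"{entity} secret"
    return ET.tostring(root, encoding="unicode")


def secret_set_value_argv(secret_uuid, key):
    """argv that loads the key into libvirt. The key is visible in the process
    list for the duration of the call; prefer virsh's stdin/file options where
    the installed version has them."""
    return ["virsh", "secret-set-value", "--secret", secret_uuid, "--base64", key]


if __name__ == "__main__":
    key = select_rbd_secret_key(SAMPLE_KEYRING, "client.compute")
    print(libvirt_secret_xml(SAMPLE_SECRET_UUID, "client.compute"))
    print(" ".join(secret_set_value_argv(SAMPLE_SECRET_UUID, key)))
    print("client.admin rejected:", audit_entity(parse_keyring(ADMIN_KEYRING), "client.admin"))
```

Run it as-is to see the secret XML, the virsh invocation and the rejection reasons for the admin keyring. In a deployment the keyring path still has to come from outside (the reporter's point that it is configurable in ceph.conf stands), but nothing here contacts a monitor, so the compute node needs neither client.admin nor a running cluster to get its libvirt secret in place.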
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/179679

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/179681

Jay Dobies (jdob)
Changed in tripleo:
status: Fix Committed → Fix Released
Changed in puppet-nova:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (stable/icehouse)

Reviewed: https://review.openstack.org/179681
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=7884938aff9724d440a61a5c2a1ef7f5622cc923
Submitter: Jenkins
Branch: stable/icehouse

commit 7884938aff9724d440a61a5c2a1ef7f5622cc923
Author: Giulio Fidente <email address hidden>
Date: Fri Apr 3 11:28:19 2015 +0200

    Allow libvirt secret key setting from param

    Currently the libvirt secret key is requested from the ceph cluster
    via the $(ceph auth get-key ...) command which requires the ceph
    cluster to be already up and also assumes the computes are provisioned
    with the client.admin keyring.

    With this change we add a libvirt_rbd_secret_key parameter which,
    if passed, is used instead so that computes can be configured
    without the distribution of additional keys.

    Change-Id: I70da06159c0d3c6fa204b5f7a468909ffab4d633
    Closes-Bug: #1439949
    (cherry picked from commit a8ba5a41cdbcbc5b4123cc97e0e46f4c7702b8fa)

tags: added: in-stable-icehouse
tags: added: in-stable-juno
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (stable/juno)

Reviewed: https://review.openstack.org/179679
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=47b6a017c4af3365debdd261c360d3698d670dbf
Submitter: Jenkins
Branch: stable/juno

commit 47b6a017c4af3365debdd261c360d3698d670dbf
Author: Giulio Fidente <email address hidden>
Date: Fri Apr 3 11:28:19 2015 +0200

    Allow libvirt secret key setting from param

    Currently the libvirt secret key is requested from the ceph cluster
    via the $(ceph auth get-key ...) command which requires the ceph
    cluster to be already up and also assumes the computes are provisioned
    with the client.admin keyring.

    With this change we add a libvirt_rbd_secret_key parameter which,
    if passed, is used instead so that computes can be configured
    without the distribution of additional keys.

    Change-Id: I70da06159c0d3c6fa204b5f7a468909ffab4d633
    Closes-Bug: #1439949
    (cherry picked from commit a8ba5a41cdbcbc5b4123cc97e0e46f4c7702b8fa)
