ACLs are not visible inside container images

Bug #1709683 reported by Giulio Fidente on 2017-08-09
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Emilien Macchi

Bug Description

We are setting some ACLs on the Ceph keyrings but these aren't copied by kolla and aren't available inside the containers.

Even if we made kolla copy the ACLs, it'd be complicated to match the user's UID before knowing which image is used for the container.

It would be best to be able to set a mode on the keyrings via ceph-ansible instead.

Changed in tripleo:
importance: Critical → High
Changed in tripleo:
assignee: nobody → John Fulton (jfulton-org)
John Fulton (jfulton-org) wrote :

Working on this in ceph-ansible https://github.com/ceph/ceph-ansible/issues/1755

John Fulton (jfulton-org) wrote :

Waiting on PR sent to ceph-ansible https://github.com/ceph/ceph-ansible/pull/1756

Fix proposed to branch: master
Review: https://review.openstack.org/492303

Changed in tripleo:
status: Triaged → In Progress
John Fulton (jfulton-org) wrote :

ceph-ansible change to support new param has merged [1]. Waiting on merge for new param in tht [2] and new RPM in centos-storage-sig with ceph-ansible change.

[1] https://github.com/ceph/ceph-ansible/pull/1756
[2] https://review.openstack.org/492303

John Fulton (jfulton-org) wrote :

Second ceph-ansible change to support new param has merged [1]. Waiting on merge for new param in tht [2] and new RPM in centos-storage-sig with ceph-ansible change.

[1] https://github.com/ceph/ceph-ansible/pull/1759
[2] https://review.openstack.org/492303

Changed in tripleo:
assignee: John Fulton (jfulton-org) → Emilien Macchi (emilienm)

Reviewed: https://review.openstack.org/492303
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=6d1c06c6b8cbc1f183fe4de794d30d3000218237
Submitter: Jenkins
Branch: master

commit 6d1c06c6b8cbc1f183fe4de794d30d3000218237
Author: John Fulton <email address hidden>
Date: Wed Aug 9 17:07:40 2017 -0400

    Set file mode permission of Ceph keyrings

    Pass mode parameter to ceph-ansible in place of ACLs parameter
    because ACLs are not for same UID in container as container host
    and because ACLs are not passed by kolla_config.

    Change-Id: I7e3433eab8e2a62963b623531f223d5abd301d16
    Closes-Bug: #1709683

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.
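
The two causes named in the description and commit message (ACL entries tied to a UID that differs in the container, and ACLs lost in the copy), next to the mode-based fix, as an added Python model that is not code from kolla, ceph-ansible or tripleo-heat-templates. All UIDs, GIDs and the 0644 mode are constructed values, and `copy_without_acl` is a hypothetical stand-in for a copy that carries mode bits but no ACL.

```python
# Added model of POSIX ACL vs. mode-bit read checks. Every UID, GID and mode
# below is a constructed sample value, not taken from the bug report.
from dataclasses import dataclass, field

R = 4  # read permission bit

@dataclass(frozen=True)
class Keyring:
    owner: int
    group: int
    mode: int        # permission bits; group bits act as the ACL mask if an ACL exists
    acl_users: dict = field(default_factory=dict)  # named-user entries keyed by numeric UID
    acl_group: int = 0                             # owning-group entry, used only with an ACL

def can_read(f, uid, gids=()):
    """Read check in POSIX.1e order: owner, named user, group, other."""
    if uid == f.owner:
        return bool((f.mode >> 6) & R)
    group_bits = (f.mode >> 3) & 7
    if f.acl_users:
        if uid in f.acl_users:           # matched on the number, not the user name
            return bool(f.acl_users[uid] & group_bits & R)
        if f.group in gids:
            return bool(f.acl_group & group_bits & R)
    elif f.group in gids:
        return bool(group_bits & R)
    return bool(f.mode & R)

def copy_without_acl(f, mode=None):
    """Hypothetical copy that keeps owner, group and mode but drops the ACL."""
    return Keyring(f.owner, f.group, f.mode if mode is None else mode)

HOST_SVC_UID, IMAGE_SVC_UID = 6001, 7001   # same service, different UID per image
host = Keyring(owner=5000, group=5000, mode=0o640,
               acl_users={HOST_SVC_UID: R}, acl_group=R)

def scenario():
    copied = copy_without_acl(host)              # ACL lost in the copy
    fixed = copy_without_acl(host, mode=0o644)   # explicit mode instead of an ACL
    return {
        "host_acl_host_uid": can_read(host, HOST_SVC_UID),
        "host_acl_image_uid": can_read(host, IMAGE_SVC_UID),
        "copied_host_uid": can_read(copied, HOST_SVC_UID),
        "fixed_image_uid": can_read(fixed, IMAGE_SVC_UID),
        "fixed_any_uid": can_read(fixed, 9999),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'read allowed' if ok else 'read denied'}")
```

The last entry shows the cost of a mode that does not depend on the UID: with the constructed 0644, every local UID can read the keyring.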
