tripleo

ACLs are not visible inside container images

Bug #1709683 reported by Giulio Fidente
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Emilien Macchi
tripleo pike-rc1

Bug Description

We are setting some ACLs on the Ceph keyrings but these aren't copied by kolla and aren't available inside the containers.

Even if we made kolla copy the ACLs, it'd be complicated to match the users UID before knowing which image is used for the container.

It would be best to be able to set a mode on the keyrings via ceph-ansible instead.

Giulio Fidente (gfidente)
Changed in tripleo:
importance: Critical → High
John Fulton (jfulton-org)
Changed in tripleo:
assignee: nobody → John Fulton (jfulton-org)
Revision history for this message
John Fulton (jfulton-org) wrote :

Working on this in ceph-ansible https://github.com/ceph/ceph-ansible/issues/1755

Revision history for this message
John Fulton (jfulton-org) wrote :

Waiting on PR sent to ceph-ansible https://github.com/ceph/ceph-ansible/pull/1756

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/492303

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
John Fulton (jfulton-org) wrote :

ceph-ansible change to support new param has merged [1]. Waiting on merge for new param in tht [2] and new RPM in centos-storage-sig with ceph-ansible change.

[1] https://github.com/ceph/ceph-ansible/pull/1756
[2] https://review.openstack.org/492303

Revision history for this message
John Fulton (jfulton-org) wrote :

I spoke too soon: https://github.com/ceph/ceph-ansible/pull/1759

Revision history for this message
John Fulton (jfulton-org) wrote :

Second ceph-ansible change to support new param has merged [1]. Waiting on merge for new param in tht [2] and new RPM in centos-storage-sig with ceph-ansible change.

[1] https://github.com/ceph/ceph-ansible/pull/1759
[2] https://review.openstack.org/492303

OpenStack Infra (hudson-openstack)
Changed in tripleo:
assignee: John Fulton (jfulton-org) → Emilien Macchi (emilienm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/492303
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=6d1c06c6b8cbc1f183fe4de794d30d3000218237
Submitter: Jenkins
Branch: master

commit 6d1c06c6b8cbc1f183fe4de794d30d3000218237
Author: John Fulton <email address hidden>
Date: Wed Aug 9 17:07:40 2017 -0400

    Set file mode permission of Ceph keyrings

    Pass mode parameter to ceph-ansible in place of ACLs parameter
    because ACLs are not for same UID in container as container host
    and because ACLs are not passed by kolla_config.

    Change-Id: I7e3433eab8e2a62963b623531f223d5abd301d16
    Closes-Bug: #1709683

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.