From ce7b65f443d38a6627631f53cb22336338e97d30 Mon Sep 17 00:00:00 2001
From: John Fulton
Date: Mon, 2 Oct 2017 15:22:08 -0400
Subject: [PATCH] Set file mode permission for Ceph keyrings in containers
Pass mode parameter to ceph-ansible for Ceph keyrings on container host. Pass mode and ownership parameter to each Ceph client container using kolla_config. ACLs are set for Cinder if it is not running in containers.
Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30
Partial-Bug: #1720787
---
 docker/services/ceph-ansible/ceph-base.yaml | 7 ++++---
 docker/services/cinder-backup.yaml | 10 ++++++++++
 docker/services/cinder-volume.yaml | 10 ++++++++++
 docker/services/glance-api.yaml | 10 ++++++++++
 docker/services/gnocchi-api.yaml | 10 ++++++++++
 docker/services/gnocchi-metricd.yaml | 10 ++++++++++
 docker/services/gnocchi-statsd.yaml | 10 ++++++++++
 docker/services/manila-share.yaml | 10 ++++++++++
 docker/services/nova-compute.yaml | 10 ++++++++++
 docker/services/nova-libvirt.yaml | 11 +++++++++++
 10 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index 3ef4754bbe..1c48babbac 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -253,7 +253,8 @@ outputs:
 - {get_param: GnocchiRbdPoolName}
 # CinderRbdExtraPools is a list (do not indent further)
 - {get_param: CinderRbdExtraPools}
- mode: "0644"
+ mode: "0600"
+ acls: ["u:165:r"] # uid of cinder user
 - name:
 list_join:
 - '.'
@@ -263,7 +264,7 @@ outputs:
 mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
 mds_cap: "allow *"
 osd_cap: "allow rw"
- mode: "0644"
+ mode: "0600"
 - name:
 list_join:
 - '.'
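Review bot: The ACL entry `acls: ["u:165:r"] # uid of cinder user` on the keyring in this hunk hard-codes a numeric uid, so once the file is 0600 the only non-root reader is whichever host account happens to hold uid 165; on a host where the cinder account was created with a different uid, the non-containerized Cinder the commit message targets loses access, and an unrelated account at uid 165 would gain it. Consider taking the uid from a template parameter (the pool names just above already come from `get_param`) or resolving the `cinder` user by name in the deployment step, and make the assumption visible in the comment, e.g. `# read ACL for the host cinder account (assumed uid 165); file is 0600 so no other non-root user can read it`. Tightening 0644 to 0600 also removes read access for any other host-side, non-containerized consumer of this keyring; that looks intended but deserves a sentence in the commit message. The keyring list this entry belongs to (aliased as `*openstack_keys` in the next hunk) begins outside the hunk.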
@@ -272,7 +273,7 @@ outputs:
 key: {get_param: CephRgwKey}
 mon_cap: "allow rw"
 osd_cap: "allow rwx"
- mode: "0644"
+ mode: "0600"
 keys: *openstack_keys
 pools: []
 ceph_conf_overrides:
diff --git a/docker/services/cinder-backup.yaml b/docker/services/cinder-backup.yaml
index d29bb0bc19..990e837df5 100644
--- a/docker/services/cinder-backup.yaml
+++ b/docker/services/cinder-backup.yaml
@@ -40,6 +40,9 @@ parameters:
 default: false
 description: Remove package if the service is being disabled during upgrade
 type: boolean
+ CephClientUserName:
+ default: openstack
+ type: string
 resources:
@@ -102,6 +105,13 @@ outputs:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: cinder:cinder
+ perm: '0600'
 docker_config:
 step_3:
 cinder_backup_init_logs:
diff --git a/docker/services/cinder-volume.yaml b/docker/services/cinder-volume.yaml
index 4019b872f9..9b30c34013 100644
--- a/docker/services/cinder-volume.yaml
+++ b/docker/services/cinder-volume.yaml
@@ -49,6 +49,9 @@ parameters:
 default: false
 description: Remove package if the service is being disabled during upgrade
 type: boolean
+ CephClientUserName:
+ default: openstack
+ type: string
 resources:
@@ -112,6 +115,13 @@ outputs:
 - path: /var/log/cinder
 owner: cinder:cinder
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: cinder:cinder
+ perm: '0600'
 docker_config:
 step_3:
 cinder_volume_init_logs:
diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml
index 8264b5c5e2..d4be869ea8 100644
--- a/docker/services/glance-api.yaml
+++ b/docker/services/glance-api.yaml
@@ -65,6 +65,9 @@ parameters:
 default: false
 description: Remove package if the service is being disabled during upgrade
 type: boolean
+ CephClientUserName:
+ default: openstack
+ type: string
 conditions:
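Review bot: `CephClientUserName` is added to `parameters:` in cinder-backup.yaml with a default and a type but no `description:`, although the preceding parameter in the same hunk carries one; add `description: Ceph client user name; selects the keyring that kolla re-owns inside the container.` The same omission recurs in cinder-volume.yaml, glance-api.yaml, gnocchi-api.yaml, gnocchi-metricd.yaml, gnocchi-statsd.yaml, nova-compute.yaml and nova-libvirt.yaml, and for `ManilaCephClientUserName` in manila-share.yaml. The default `openstack` is now repeated in eight templates; if ceph-base.yaml or a shared environment already declares this parameter, the defaults need to stay in step, since a mismatch would make a container look up a keyring named for a different client user than the one ceph-ansible created.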
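Review bot: The new kolla permissions entry in cinder-backup.yaml sets `owner: cinder:cinder` and `perm: '0600'` on `/etc/ceph/ceph.client.USER.keyring`, which is only safe if the keyring is a per-container copy; if `/etc/ceph` were instead a read-write bind mount shared with the host, each service container in this change (cinder-backup, cinder-volume, glance-api, the gnocchi services, manila-share, nova-compute, nova-libvirt) would re-own the same host file to a different user at start and the last one started would win. The `config_files` stanza that establishes the copy is outside this hunk (the nova-libvirt hunk shows `dest: "/etc/ceph/"` with `merge: true` and `preserve_properties: true`), so confirm the same copy semantics hold for every service touched here. A one-line comment above the entry would spare the next reader that check: `# keyring is copied in root-owned by config_files; re-own it so the service user can read the 0600 file`. The same entry is added in each of the other eight templates of this change.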
@@ -134,6 +137,13 @@ outputs:
 - path: /var/lib/glance
 owner: glance:glance
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: glance:glance
+ perm: '0600'
 /var/lib/kolla/config_files/glance_api_tls_proxy.json:
 command: /usr/sbin/httpd -DFOREGROUND
 config_files:
diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml
index 96f6ab9858..30b87735f1 100644
--- a/docker/services/gnocchi-api.yaml
+++ b/docker/services/gnocchi-api.yaml
@@ -43,6 +43,9 @@ parameters:
 default: 128
 description: Number of storage sacks to create.
 type: number
+ CephClientUserName:
+ default: openstack
+ type: string
 conditions:
@@ -98,6 +101,13 @@ outputs:
 - path: /var/log/gnocchi
 owner: gnocchi:gnocchi
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: gnocchi:gnocchi
+ perm: '0600'
 docker_config:
 # db sync runs before permissions set by kolla_config
 step_2:
diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml
index b966fa6822..58b5e08339 100644
--- a/docker/services/gnocchi-metricd.yaml
+++ b/docker/services/gnocchi-metricd.yaml
@@ -36,6 +36,9 @@ parameters:
 default: {}
 description: Parameters specific to the role
 type: json
+ CephClientUserName:
+ default: openstack
+ type: string
 resources:
@@ -91,6 +94,13 @@ outputs:
 - path: /var/log/gnocchi
 owner: gnocchi:gnocchi
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: gnocchi:gnocchi
+ perm: '0600'
 docker_config:
 step_5:
 gnocchi_metricd:
diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml
index 0ebc83f6ce..00759e820d 100644
--- a/docker/services/gnocchi-statsd.yaml
+++ b/docker/services/gnocchi-statsd.yaml
@@ -36,6 +36,9 @@ parameters:
 default: {}
 description: Parameters specific to the role
 type: json
+ CephClientUserName:
+ default: openstack
+ type: string
 resources:
@@ -91,6 +94,13 @@ outputs:
 - path: /var/log/gnocchi
 owner: gnocchi:gnocchi
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: gnocchi:gnocchi
+ perm: '0600'
 docker_config:
 step_5:
 gnocchi_statsd:
diff --git a/docker/services/manila-share.yaml b/docker/services/manila-share.yaml
index cf3303c3c6..cf0e125d10 100644
--- a/docker/services/manila-share.yaml
+++ b/docker/services/manila-share.yaml
@@ -36,6 +36,9 @@ parameters:
 default: {}
 description: Parameters specific to the role
 type: json
+ ManilaCephClientUserName:
+ default: manila
+ type: string
 resources:
@@ -91,6 +94,13 @@ outputs:
 - path: /var/log/manila
 owner: manila:manila
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: ManilaCephClientUserName}
+ owner: manila:manila
+ perm: '0600'
 docker_config:
 step_4:
 manila_share:
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
index 6339f9f636..4dbda689a9 100644
--- a/docker/services/nova-compute.yaml
+++ b/docker/services/nova-compute.yaml
@@ -49,6 +49,9 @@ parameters:
 default: false
 description: Remove package if the service is being disabled during upgrade
 type: boolean
+ CephClientUserName:
+ default: openstack
+ type: string
 resources:
@@ -123,6 +126,13 @@ outputs:
 - path: /var/lib/nova
 owner: nova:nova
 recurse: true
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: nova:nova
+ perm: '0600'
 docker_config:
 step_4:
 nova_compute:
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 551cc9c016..3d99c39f63 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -67,6 +67,9 @@ parameters:
 CephClusterFSID:
 type: string
 description: The Ceph cluster FSID. Must be a UUID.
+ CephClientUserName:
+ default: openstack
+ type: string
 conditions:
@@ -144,6 +147,14 @@ outputs:
 dest: "/etc/ceph/"
 merge: true
 preserve_properties: true
+ permissions:
+ - path:
+ str_replace:
+ template: /etc/ceph/ceph.client.USER.keyring
+ params:
+ USER: {get_param: CephClientUserName}
+ owner: nova:nova
+ perm: '0600'
 /var/lib/kolla/config_files/nova_virtlogd.json:
 command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
 config_files: