Fix permissions to /var/lib/nova/

Due to changes with the drop-root work, we lost the ability to write
to /var/lib/nova/*. This fixes those permissions and ensures cross
container talk works properly between nova_libvirt and nova_compute

Additionally, this fixes another issue introduced which saw that
nova-compute could not run sudo commands as it did not have a proper
sudoers entry

Testing from previous deploys means you need a fresh environment. You
have to remove all of the named volumes that kolla created in docker.
Check these with `docker volume ls`

Signed-off-by: Hui Kang <kangh@us.ibm.com>
Signed-off-by: Artur Zarzycki <azarzycki@mirantis.com>
Co-Authored-By: Sam Yaple <sam@yaple.net>
Co-Authored-By: Hui Kang <kangh@us.ibm.com>
Closes-Bug: #1533350
Change-Id: I7f864c448a2414e0b5d89f48337be411b891df35
This commit is contained in:
Artur Zarzycki 2016-01-13 17:28:53 +01:00 committed by SamYaple
parent 08f907a2cc
commit ef971bff51
8 changed files with 54 additions and 4 deletions

View File

@ -50,3 +50,32 @@
run_once: True run_once: True
delegate_to: "{{ groups['nova-api'][0] }}" delegate_to: "{{ groups['nova-api'][0] }}"
when: database_created when: database_created
- name: Creating nova-compute volume
kolla_docker:
action: "create_volume"
common_options: "{{ docker_common_options }}"
name: "nova_compute"
register: nova_compute_volume
when:
- inventory_hostname in groups['compute']
- not enable_nova_fake | bool
- name: Starting Nova compute bootstrap container
kolla_docker:
action: "start_container"
common_options: "{{ docker_common_options }}"
detach: False
environment:
KOLLA_BOOTSTRAP:
KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
image: "{{ nova_compute_image_full }}"
name: "bootstrap_nova_compute"
restart_policy: "never"
volumes:
- "{{ node_config_directory }}/nova-compute/:{{ container_config_directory }}/:ro"
- "nova_compute:/var/lib/nova/"
when:
- inventory_hostname in groups['compute']
- not enable_nova_fake | bool
- nova_compute_volume.changed

View File

@ -27,7 +27,8 @@
- inventory_hostname in groups['compute'] - inventory_hostname in groups['compute']
- include: bootstrap.yml - include: bootstrap.yml
when: inventory_hostname in groups['nova-api'] when: inventory_hostname in groups['nova-api'] or
inventory_hostname in groups['compute']
- include: start.yml - include: start.yml
when: inventory_hostname in groups['compute'] or when: inventory_hostname in groups['compute'] or

View File

@ -10,9 +10,8 @@
volumes: volumes:
- "{{ node_config_directory }}/nova-libvirt/:{{ container_config_directory }}/:ro" - "{{ node_config_directory }}/nova-libvirt/:{{ container_config_directory }}/:ro"
- "/lib/modules:/lib/modules:ro" - "/lib/modules:/lib/modules:ro"
- "/run:/run"
- "/sys/fs/cgroup:/sys/fs/cgroup" - "/sys/fs/cgroup:/sys/fs/cgroup"
- "nova_compute:/var/lib/nova/instances" - "nova_compute:/var/lib/nova/"
- "nova_libvirt:/var/lib/libvirt" - "nova_libvirt:/var/lib/libvirt"
when: inventory_hostname in groups['compute'] when: inventory_hostname in groups['compute']
@ -100,7 +99,7 @@
- "/lib/modules:/lib/modules:ro" - "/lib/modules:/lib/modules:ro"
- "/run:/run" - "/run:/run"
- "/var/lib/kolla/dev/log:/dev/log" - "/var/lib/kolla/dev/log:/dev/log"
- "nova_compute:/var/lib/nova/instances" - "nova_compute:/var/lib/nova/"
- "nova_libvirt:/var/lib/libvirt" - "nova_libvirt:/var/lib/libvirt"
when: when:
- inventory_hostname in groups['compute'] - inventory_hostname in groups['compute']

View File

@ -52,6 +52,10 @@ RUN ln -s nova-base-source/* nova \
&& cp -r /nova/etc/nova/* /etc/nova/ \ && cp -r /nova/etc/nova/* /etc/nova/ \
&& chown -R nova: /etc/nova /var/log/nova /home/nova /var/lib/nova && chown -R nova: /etc/nova /var/log/nova /home/nova /var/lib/nova
COPY nova_sudoers /etc/sudoers.d/nova_sudoers
RUN chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/nova_sudoers
{% endif %} {% endif %}
RUN usermod -a -G kolla nova RUN usermod -a -G kolla nova

View File

@ -0,0 +1 @@
nova ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/nova-rootwrap /etc/nova/rootwrap.conf *

View File

@ -50,6 +50,12 @@ RUN /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements
{% endif %} {% endif %}
COPY nova_compute_sudoers /etc/sudoers.d/nova_compute_sudoers
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start \
&& chmod 750 /etc/sudoers.d \
&& chmod 440 /etc/sudoers.d/nova_compute_sudoers
{{ include_footer }} {{ include_footer }}
USER nova USER nova

View File

@ -0,0 +1,9 @@
#!/bin/bash
# Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
# of the KOLLA_BOOTSTRAP variable being set, including empty.
if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
sudo chown nova: /var/lib/nova/
mkdir /var/lib/nova/instances
exit 0
fi

View File

@ -0,0 +1 @@
%kolla ALL=(root) NOPASSWD: /usr/bin/chown nova\: /var/lib/nova/, /bin/chown nova\: /var/lib/nova/