Prohibit write to the mount directory

This change makes the root user, instead of the swift user, own the mount path where the data disk is mounted. This allows us to prevent the swift processes from writing files. This follows the current installation doc(eg. [1]) which suggests chown AFTER mounting the disk device. [1] https://docs.openstack.org/swift/latest/install/storage-install-rdo.html Change-Id: I1a612fcf658da8ed0cb1dc51fa5e534dc0341241
2022-10-20 10:28:12 +09:00
parent b39a938a62
commit 41ca173193
1 changed files with 18 additions and 5 deletions
--- a/manifests/storage/mount.pp
+++ b/manifests/storage/mount.pp
@@ -43,16 +43,22 @@ define swift::storage::mount(
    $fsoptions = 'user_xattr'
  }

-  # the directory that represents the mount point
-  # needs to exist
+  # The directory that represents the mount point needs to exist.
  file { "${mnt_base_dir}/${name}":
    ensure  => directory,
-    owner   => $::swift::params::user,
-    group   => $::swift::params::group,
    require => Anchor['swift::config::begin'],
    before  => Anchor['swift::config::end'],
  }

+  # Make root own the mount point to prevent swift processes from writing files
+  # when the disk device is not mounted
+  exec { "fix_mountpoint_permissions_${name}":
+    command => "chown -R root:root ${mnt_base_dir}/${name}",
+    path    => ['/usr/sbin', '/bin'],
+    before  => Anchor['swift::config::end'],
+    unless  => "grep ${mnt_base_dir}/${name} /etc/mtab",
+  }
+
  mount { "${mnt_base_dir}/${name}":
    ensure  => present,
    device  => $device,
@@ -70,8 +76,11 @@ define swift::storage::mount(
    before    => Anchor['swift::config::end'],
  }

+  $user = $::swift::params::user
+  $group = $::swift::params::group
+
  exec { "fix_mount_permissions_${name}":
-    command     => "chown -R swift:swift ${mnt_base_dir}/${name}",
+    command     => "chown -R ${user}:${group} ${mnt_base_dir}/${name}",
    path        => ['/usr/sbin', '/bin'],
    refreshonly => true,
    before      => Anchor['swift::config::end'],
@@ -92,6 +101,10 @@ define swift::storage::mount(
      refreshonly => true,
    }

+  File<| title == "${mnt_base_dir}/${name}" |>
+  ~> Exec<| title == "fix_mountpoint_permissions_${name}" |>
+  -> Exec<| title == "mount_${name}" |>
+
  File<| title == "${mnt_base_dir}/${name}" |>
  ~> Mount<| title == "${mnt_base_dir}/${name}" |>
  ~> Exec<| title == "mount_${name}" |>