Distribute iscsid.conf to all containers using iscsi

This patch updates the way files related to iscsi are distributed
to the cinder, glance and nova containers that use the protocol.

Previously it was thought that only the iscsid container needs
access to /etc/iscsi/iscsid.conf, but the LP bug reveals the client
side also reads the file in order to determine the list of chap
algorithms to offer when initiating an iscsi connection.

The bug was exposed when testing a secure environment that uses a
non-default list of chap algorithms. The iscsid container was using
the customized list, but the client containers (e.g. nova) were
using the default list, which caused iscsid to reject connections.

Closes-Bug: #1932181
Change-Id: Iad255451726867dc172404513fdac4ad0599c4c0
Alan Bishop 2021-06-16 06:35:03 -07:00
parent 5fade4ae00
commit 48fd886a03
4 changed files with 9 additions and 5 deletions

@ -300,7 +300,7 @@ outputs:
- *cinder_common_volumes
- {get_param: CinderVolumeOptVolumes}
- - /var/lib/kolla/config_files/cinder_volume.json:/var/lib/kolla/config_files/config.json:ro
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- list_join:
- ':'
- - {get_param: CephConfigPath}
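
Review bot: The new bind source /var/lib/config-data/puppet-generated/iscsid/etc/iscsi makes the cinder_volume container depend on the iscsid service's generated config being present on the host, which the old /etc/iscsi source did not. Please confirm that directory is generated on every node that runs cinder-volume and is in place before this container starts, and add a short comment next to the mount explaining why the puppet-generated copy is used instead of the host's /etc/iscsi, so the reason is not lost outside the commit message.
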
@ -339,7 +339,7 @@ outputs:
- {get_param: CinderBackupOptVolumes}
-
- /var/lib/kolla/config_files/cinder_backup.json:/var/lib/kolla/config_files/config.json:ro
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- list_join:
- ':'
- - {get_param: CephConfigPath}
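
Review bot: The same source:target string for src-iscsid is now repeated here, in the cinder_volume mount above and in the glance and nova templates. Since this bug came from the iscsi clients not all seeing the same iscsid.conf, consider defining the mount once (the templates already share volume lists such as cinder_common_volumes) so that a later path change cannot update one client and miss another.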

@ -638,6 +638,10 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-iscsid/*"
dest: "/etc/iscsi/"
merge: true
preserve_properties: true
permissions:
list_concat:
- - path: /var/lib/glance
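
Review bot: The new config_files entry copies src-iscsid/* into /etc/iscsi/ with preserve_properties: true, so ownership and mode come from the puppet-generated files, and the permissions list that follows does not cover /etc/iscsi. Please check that the process in the glance container that opens the iscsi connection can read the copied iscsid.conf with those properties, without the file mode having to be loosened. Also note the container now sees a copy taken at start rather than the live host directory, so a changed iscsid.conf only reaches glance after the container is restarted.
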
@ -711,11 +715,11 @@ outputs:
- - {get_param: CephConfigPath}
- - '/var/lib/kolla/config_files/src-ceph'
- - 'ro'
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/glance:/var/lib/glance:slave
- if:
- cinder_backend_enabled
- - /dev:/dev
- /etc/iscsi:/etc/iscsi
- /var/lib/iscsi:/var/lib/iscsi:z
- if:
- cinder_multipathd_enabled
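
Review bot: The src-iscsid mount is added at the top level of the volume list, while the /etc/iscsi:/etc/iscsi mount it replaces sat under the cinder_backend_enabled condition. As written, every glance deployment now needs /var/lib/config-data/puppet-generated/iscsid/etc/iscsi to exist on the host, including ones that never use iscsi. Either move the new line under the same if block next to /dev:/dev and /var/lib/iscsi:/var/lib/iscsi:z, or state why it must be unconditional.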

@ -1338,7 +1338,7 @@ outputs:
- - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
- /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- list_join:
- ':'
- - {get_param: CephConfigPath}
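
Review bot: Missing documentation for the behaviour change on the nova_compute mount: after this line the container's iscsid.conf comes from the puppet-generated iscsid config rather than whatever is in the host's /etc/iscsi. The commit touches only the four templates, so please add a release note saying that compute nodes pick up the customized CHAP algorithm list only once the container is recreated, and that local edits to the host's /etc/iscsi/iscsid.conf are no longer what the client side reads.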

@ -169,7 +169,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/nova_ironic.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /run:/run
- /dev:/dev
- /var/lib/iscsi:/var/lib/iscsi:z