From 48fd886a03b8d8249b6ea539b76bbd50e081a85e Mon Sep 17 00:00:00 2001 From: Alan Bishop Date: Wed, 16 Jun 2021 06:35:03 -0700 Subject: [PATCH] Distribute iscsid.conf to all containers using iscsi This patch updates the way files related to iscsi are distributed to the cinder, glance and nova containers that use the protocol. Previously it was thought that only the iscsid container needs access to /etc/iscsi/iscsid.conf, but the LP bug reveals the client side also reads the file in order to determine the list of chap algorithms to offer when initiating an iscsi connection. The bug was exposed when testing a secure environment that uses a non-default list of chap algorithms. The iscsid container was using the customized list, but the client containers (e.g. nova) were using the default list, which caused iscsid to reject connections. Closes-Bug: #1932181 Change-Id: Iad255451726867dc172404513fdac4ad0599c4c0 --- deployment/cinder/cinder-common-container-puppet.yaml | 4 ++-- deployment/glance/glance-api-container-puppet.yaml | 6 +++++- deployment/nova/nova-compute-container-puppet.yaml | 2 +- deployment/nova/nova-ironic-container-puppet.yaml | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml index 2cefbf69b5..c100712fcb 100644 --- a/deployment/cinder/cinder-common-container-puppet.yaml +++ b/deployment/cinder/cinder-common-container-puppet.yaml @@ -300,7 +300,7 @@ outputs: - *cinder_common_volumes - {get_param: CinderVolumeOptVolumes} - - /var/lib/kolla/config_files/cinder_volume.json:/var/lib/kolla/config_files/config.json:ro - - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro + - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - list_join: - ':' - - {get_param: CephConfigPath} 
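Review bot: The new bind source `/var/lib/config-data/puppet-generated/iscsid/etc/iscsi` in the cinder_volume volume list makes this container depend on the iscsid service's puppet-generated output instead of the host's `/etc/iscsi`, and nothing in the template records that. The same swap is made in the cinder_backup hunk and in the nova-compute and nova-ironic hunks. If a role runs one of these services without the iscsid service, that directory is presumably never generated and the bind mount has no source, so please confirm that combination cannot occur or is handled. A comment above the line such as `# iscsid.conf is generated by the iscsid service, which must be deployed on this role` would document the dependency. The volume list starts and ends outside the hunk.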
@@ -339,7 +339,7 @@ outputs: - {get_param: CinderBackupOptVolumes} - - /var/lib/kolla/config_files/cinder_backup.json:/var/lib/kolla/config_files/config.json:ro - - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro + - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - list_join: - ':' - - {get_param: CephConfigPath} diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml index c795f15fd4..eefe8510b4 100644 --- a/deployment/glance/glance-api-container-puppet.yaml +++ b/deployment/glance/glance-api-container-puppet.yaml @@ -638,6 +638,10 @@ outputs: dest: "/etc/ceph/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-iscsid/*" + dest: "/etc/iscsi/" + merge: true + preserve_properties: true permissions: list_concat: - - path: /var/lib/glance @@ -711,11 +715,11 @@ outputs: - - {get_param: CephConfigPath} - - '/var/lib/kolla/config_files/src-ceph' - - 'ro' + - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - /var/lib/glance:/var/lib/glance:slave - if: - cinder_backend_enabled - - /dev:/dev - - /etc/iscsi:/etc/iscsi - /var/lib/iscsi:/var/lib/iscsi:z - if: - cinder_multipathd_enabled diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index 79710d7fd6..d3cbc88a9f 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml 
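Review bot: The `config_files` entry added in the `@@ -638,6 +638,10 @@` glance hunk, which copies `/var/lib/kolla/config_files/src-iscsid/*` to `/etc/iscsi/`, is a required source. Kolla's config copy fails when a non-optional glob matches nothing, so a glance_api container whose src-iscsid mount is empty would likely not start. Adding `optional: true` to the entry would keep deployments without iSCSI working. Separately, iscsid.conf can hold CHAP credentials as well as the algorithm list, and `preserve_properties: true` carries the source file's owner and mode into the container, so check that the generated file is not readable beyond what the glance service needs. The config_files list continues outside the hunk.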
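Review bot: In the `@@ -711,11 +715,11 @@` glance hunk the added src-iscsid mount appears to sit in the unconditional part of the volume list, while the removed `/etc/iscsi:/etc/iscsi` entry was inside the `if: cinder_backend_enabled` branch (indentation is lost in this view, so confirm against the file). That gives every glance_api container the iSCSI initiator configuration, which may include CHAP secrets, even when glance does not use the cinder backend. Keeping the new line in the conditional list next to `/var/lib/iscsi:/var/lib/iscsi:z` would retain the earlier scoping, provided the matching copy entry tolerates a missing source. The volume list starts and ends outside the hunk.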
@@ -1338,7 +1338,7 @@ outputs: - - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro - - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro + - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - list_join: - ':' - - {get_param: CephConfigPath} diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml index 24668795b1..7d79b64a2d 100644 --- a/deployment/nova/nova-ironic-container-puppet.yaml +++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -169,7 +169,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/nova_ironic.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/nova:/var/lib/kolla/config_files/src:ro - - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro + - /var/lib/config-data/puppet-generated/iscsid/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - /run:/run - /dev:/dev - /var/lib/iscsi:/var/lib/iscsi:z