Merge "Set file mode permission for Ceph keyrings in containers"

Zuul 2017-11-21 01:00:07 +00:00 committed by Gerrit Code Review
commit 5da47d2e4f
10 changed files with 95 additions and 3 deletions


@ -257,7 +257,8 @@ outputs:
- {get_param: GnocchiRbdPoolName}
# CinderRbdExtraPools is a list (do not indent further)
- {get_param: CinderRbdExtraPools}
mode: "0644"
mode: "0600"
acls: ["u:165:r"] # uid of cinder user
- name:
list_join:
- '.'
@ -267,7 +268,7 @@ outputs:
mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
mds_cap: "allow *"
osd_cap: "allow rw"
mode: "0644"
mode: "0600"
- name:
list_join:
- '.'
@ -276,7 +277,7 @@ outputs:
key: {get_param: CephRgwKey}
mon_cap: "allow rw"
osd_cap: "allow rwx"
mode: "0644"
mode: "0600"
keys: *openstack_keys
pools: []
ceph_conf_overrides:
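Review bot: The `acls: ["u:165:r"]` line in the first hunk (it appears to be new on this side) hard-codes a numeric uid, and the trailing comment is the only record of what it refers to. If the cinder uid inside the container images ever differs from 165, the ACL either stops granting access or grants read on the keyring to an unrelated account, so the comment should say where the number comes from, e.g. `# uid of the cinder user inside the container images; must stay in sync with the image`. The keys in the second and third hunks (the latter using `CephRgwKey`) move to `"0600"` with no ACL at all; a short comment on whether that asymmetry is intentional would help the next reader. All three hunks sit inside key definitions that begin outside the visible lines.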


@ -40,6 +40,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -101,6 +104,13 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config:
step_3:
cinder_backup_init_logs:
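Review bot: The new `permissions` entry for `/etc/ceph/ceph.client.USER.keyring` in the second hunk is unconditional, so it is applied even in deployments where this service has no Ceph backend and no keyring is placed in the container. Whether kolla's permission step tolerates a missing path is not visible on this page and should be confirmed. If it does not, the entry needs a condition. If it does, a comment such as `# keyring only exists when Ceph is the backend; a missing path is skipped` would record the assumption. The same unconditional entry is added to the other service templates on this page.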


@ -49,6 +49,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -111,6 +114,13 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config:
step_3:
cinder_volume_init_logs:
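Review bot: `CephClientUserName` is declared in the first hunk without a `description:`, unlike the parameter directly above it, even though it now decides which keyring file is chowned and restricted to `0600`. Adding `description: Name of the Ceph client whose keyring (/etc/ceph/ceph.client.<name>.keyring) this service reads` would make that link explicit. It would also warn operators that the value presumably has to match the client name used when the key is created. The same applies to the declaration in each of the other service templates on this page, including `ManilaCephClientUserName`.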


@ -65,6 +65,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
conditions:
@ -133,6 +136,13 @@ outputs:
- path: /var/lib/glance
owner: glance:glance
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: glance:glance
perm: '0600'
/var/lib/kolla/config_files/glance_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
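Review bot: The same keyring path is given a different exclusive owner in each service template (`glance:glance` here, `cinder:cinder`, `gnocchi:gnocchi` and `nova:nova` in the others), which is only safe if every container works on its own copy of the file. The copy into `/etc/ceph/` is visible in the nova libvirt section but not in this hunk, whose enclosing config block starts outside the visible lines. If any of these services sees a shared mount instead, the last container to start would take ownership and, with `0600`, lock the others out. Once confirmed, a comment such as `# applies to this container's private copy of the keyring` above the entry would document the assumption.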


@ -43,6 +43,9 @@ parameters:
default: 128
description: Number of storage sacks to create.
type: number
CephClientUserName:
default: openstack
type: string
conditions:
@ -97,6 +100,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
# db sync runs before permissions set by kolla_config
step_2:


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
CephClientUserName:
default: openstack
type: string
resources:
@ -90,6 +93,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
step_5:
gnocchi_metricd:


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
CephClientUserName:
default: openstack
type: string
resources:
@ -90,6 +93,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
step_5:
gnocchi_statsd:


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
ManilaCephClientUserName:
default: manila
type: string
resources:
@ -90,6 +93,13 @@ outputs:
- path: /var/log/manila
owner: manila:manila
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: ManilaCephClientUserName}
owner: manila:manila
perm: '0600'
docker_config:
step_4:
manila_share:


@ -49,6 +49,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -122,6 +125,13 @@ outputs:
- path: /var/lib/nova
owner: nova:nova
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
docker_config:
step_4:
nova_compute:


@ -68,6 +68,9 @@ parameters:
CephClusterFSID:
type: string
description: The Ceph cluster FSID. Must be a UUID.
CephClientUserName:
default: openstack
type: string
conditions:
@ -148,6 +151,14 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions:
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
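Review bot: Nothing in the second hunk shows which account actually reads the keyring in this container, yet the new `permissions:` block restricts it to `nova:nova` with `0600`. Because the copy uses `preserve_properties: true`, the file arrives with the tightened source mode and is then chowned, so a consumer running as a different non-root user would lose the access it had when the source was `0644`. This is worth confirming and recording in a comment above the entry, e.g. `# keyring is read by <account> in this container`. The enclosing config block starts outside the hunk.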