From 818ad752f8b048217a0d5b76ea2c5f86714597f4 Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Thu, 10 May 2018 15:03:41 -0230
Subject: [PATCH] Add acl to paths that are shared among related neutron processes
Neutron runs several processes to support features such as routers, dhcp, etc. Neutron monitors these processes through shared domain sockets, pids files, etc in /var/lib/neutron. When upgrading a node from a non-containerized deployment to containers, the user and group ids are updated to that of the container and the supporting processes are no longer able to access the shared files. This patch adds ACL to the shared files to resolve this. Note this only impacts upgraded nodes and only routers, networks, etc, that existed before the upgrade.
Closes-Bug: #1772072
Change-Id: I8f28032488c30b5d38d8c7fa76872a2c3a642717
---
docker/services/neutron-dhcp.yaml | 31 +++++++++++++++++++++++++++++++
docker/services/neutron-l3.yaml | 31 +++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml
index 51317c587d..5cf74fb21d 100644
--- a/docker/services/neutron-dhcp.yaml
+++ b/docker/services/neutron-dhcp.yaml
@@ -256,3 +256,34 @@ outputs:
 - step|int == 2
 - release == 'ocata'
 - neutron_dhcp_agent_enabled|bool
+ post_upgrade_tasks:
+ - name: Check for neutron user
+ getent:
+ database: passwd
+ key: neutron
+ ignore_errors: True
+ - name: Set neutron_user_avail
+ set_fact:
+ neutron_user_avail: "{{ getent_passwd is defined }}"
+ - when:
+ - step|int == 2
+ - neutron_user_avail|bool
+ block:
+ - name: Ensure read/write access for files created after upgrade
+ become: true
+ shell: |
+ umask 0002
+ setfacl -d -R -m u:neutron:rwx /var/lib/neutron
+ setfacl -R -m u:neutron:rw /var/lib/neutron
+ find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
+ - name: Provide access for domain sockets
+ ignore_errors: True
+ become: true
+ shell: |
+ umask 0002
+ setfacl -m u:neutron:rwx "{{ item }}"
+ with_items:
+ - /var/lib/neutron/metadata_proxy
+ - /var/lib/neutron
+ # These files are not necessarily present
+ ignore_errors: True
diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml
index 5a16937186..3a49805759 100644
--- a/docker/services/neutron-l3.yaml
+++ b/docker/services/neutron-l3.yaml
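Review bot: The `shell: |` block in the "Ensure read/write access for files created after upgrade" task reports only the exit status of its last line, so if either recursive `setfacl` call fails (for example where the filesystem under /var/lib/neutron has no ACL support) the `find` line can still exit 0 and the task, which carries no `ignore_errors`, is marked ok, silently leaving the agents without the access this patch exists to restore; add `set -e` as the first line of the block. The same applies to the matching block in the neutron-l3.yaml hunk. In the "Provide access for domain sockets" task of this file `ignore_errors: True` appears twice in the same mapping (after `name:` and again after the `with_items` list); most YAML loaders silently keep the last one and some warn or reject it, so drop one. Also, `neutron_user_avail` is true whenever `getent_passwd` is defined, and if any earlier task in the same play already ran `getent` for another key that fact would exist even with no `neutron` account present, so a tighter check is `neutron_user_avail: "{{ getent_passwd is defined and 'neutron' in getent_passwd }}"` — I cannot see the rest of the play, so treat that as a possibility to confirm. The enclosing `outputs:` mapping starts above the hunk.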
@@ -254,3 +254,34 @@ outputs:
 - step|int == 1
 - release == 'ocata'
 - neutron_l3_agent_enabled|bool
+ post_upgrade_tasks:
+ - name: Check for neutron user
+ getent:
+ database: passwd
+ key: neutron
+ ignore_errors: True
+ - name: Set neutron_user_avail
+ set_fact:
+ neutron_user_avail: "{{ getent_passwd is defined }}"
+ - when:
+ - step|int == 2
+ - neutron_user_avail|bool
+ block:
+ - name: Ensure r/w access for existing files after upgrade
+ become: true
+ shell: |
+ umask 0002
+ setfacl -d -R -m u:neutron:rwx /var/lib/neutron
+ setfacl -R -m u:neutron:rw /var/lib/neutron
+ find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
+ - name: Provide access to domain sockets
+ become: true
+ shell: |
+ umask 0002
+ setfacl -m u:neutron:rwx "{{ item }}"
+ with_items:
+ - /var/lib/neutron/metadata_proxy
+ - /var/lib/neutron/keepalived-state-change
+ - /var/lib/neutron
+ # These files are not necessarily present
+ ignore_errors: True
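Review bot: The "Provide access to domain sockets" task drives `setfacl` through `shell:` once per `with_items` path, which Ansible cannot treat as idempotent (it reports changed on every run and the exit status is its only signal), whereas the built-in `acl` module states the same per-path entry declaratively and reports changed only when the ACL actually differs. The `umask 0002` line only influences newly created files and nothing in this block creates one, so it appears droppable — confirm against the author's intent before removing it. `ignore_errors` would still be needed because the module fails on a path that does not exist, which the comment says is expected. Separately, the hunk mixes `become: true` with `ignore_errors: True`; both parse as booleans, but `true` is the canonical spelling and is already what `become` uses here.
```yaml
- name: Provide access to domain sockets
  become: true
  acl:
    path: "{{ item }}"
    entity: neutron
    etype: user
    permissions: rwx
    state: present
  # … unchanged: with_items list of the three paths …
  # These files are not necessarily present
  ignore_errors: true
```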