Set file mode permission for Ceph keyrings in containers

Pass mode parameter to ceph-ansible for Ceph keyrings on container
host. Pass mode and ownership parameter to each Ceph client container
using kolla_config. ACLs are set for Cinder if it is not running in
containers.

Unclean cherry pick from ce7b65f443d38a6627631f53cb22336338e97d30

Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30
Partial-Bug: #1720787
John Fulton 2017-10-02 15:22:08 -04:00
parent 74e40b21f0
commit a18fd59077
10 changed files with 95 additions and 3 deletions


@ -237,7 +237,8 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
mode: "0644"
mode: "0600"
acls: ["u:165:r"] # uid of cinder user
- name:
list_join:
- '.'
@ -247,7 +248,7 @@ outputs:
mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
mds_cap: "allow *"
osd_cap: "allow rw"
mode: "0644"
mode: "0600"
- name:
list_join:
- '.'
@ -256,7 +257,7 @@ outputs:
key: {get_param: CephRgwKey}
mon_cap: "allow rw"
osd_cap: "allow rwx"
mode: "0644"
mode: "0600"
keys: *openstack_keys
pools: []
ceph_conf_overrides:
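Review bot: The ACL entry `acls: ["u:165:r"]` in the first hunk hard-codes the cinder uid, so on a host where the cinder account has a different uid the keyring becomes readable by whatever unrelated account owns uid 165 while cinder itself still cannot read it. Because the file being guarded is a Ceph client keyring, a wrong uid is a disclosure problem rather than just a functional one. Prefer sourcing the uid from a parameter, or using `u:cinder:r` if the account is guaranteed to exist when ceph-ansible applies the ACL; at minimum widen the comment to `# uid of the host cinder account; must match the packaged cinder user`. The key entry this hunk edits begins outside the hunk.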


@ -40,6 +40,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -102,6 +105,13 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config:
step_3:
cinder_backup_init_logs:
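Review bot: `CephClientUserName` is added in the first hunk without a `description:`, although the neighbouring parameters in this block carry one, and the same undocumented parameter appears in several other service templates in this commit. The keyring path in the `permissions` entry below is built from it, so a short description helps operators see what must stay in sync: `description: Ceph client user name; the keyring /etc/ceph/ceph.client.<user>.keyring is re-owned to cinder with mode 0600 inside the container.`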


@ -49,6 +49,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -112,6 +115,13 @@ outputs:
- path: /var/log/cinder
owner: cinder:cinder
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config:
step_3:
cinder_volume_init_logs:


@ -65,6 +65,9 @@ parameters:
description: >
NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string
CephClientUserName:
default: openstack
type: string
conditions:
@ -130,6 +133,13 @@ outputs:
- path: /var/lib/glance
owner: glance:glance
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: glance:glance
perm: '0600'
/var/lib/kolla/config_files/glance_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:


@ -43,6 +43,9 @@ parameters:
default: 128
description: Number of storage sacks to create.
type: number
CephClientUserName:
default: openstack
type: string
conditions:
@ -98,6 +101,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
# db sync runs before permissions set by kolla_config
step_2:
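Review bot: The new `permissions` entry is applied by kolla at container start, and the existing comment on `step_2` (`# db sync runs before permissions set by kolla_config`) says the db-sync run happens before that. If the db-sync container also mounts /etc/ceph and exercises the Ceph storage driver, it would see the keyring with whatever ownership it was copied in with; I cannot tell from this hunk whether it does. Either confirm db sync needs no Ceph access, or extend the comment to `# db sync runs before permissions set by kolla_config; it must not need the Ceph keyring`.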


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
CephClientUserName:
default: openstack
type: string
resources:
@ -91,6 +94,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
step_5:
gnocchi_metricd:


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
CephClientUserName:
default: openstack
type: string
resources:
@ -91,6 +94,13 @@ outputs:
- path: /var/log/gnocchi
owner: gnocchi:gnocchi
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config:
step_5:
gnocchi_statsd:


@ -36,6 +36,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
ManilaCephClientUserName:
default: manila
type: string
resources:
@ -91,6 +94,13 @@ outputs:
- path: /var/log/manila
owner: manila:manila
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: ManilaCephClientUserName}
owner: manila:manila
perm: '0600'
docker_config:
step_4:
manila_share:
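Review bot: `ManilaCephClientUserName` is introduced in the first hunk without a `description:`, and it uses a different parameter name and default (`manila`) from the `CephClientUserName` added to the other services in this commit, so the reason for a distinct client deserves a line. Suggest `description: Ceph client user for manila; its keyring /etc/ceph/ceph.client.<user>.keyring is re-owned to manila with mode 0600 inside the container.`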


@ -49,6 +49,9 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
CephClientUserName:
default: openstack
type: string
resources:
@ -111,6 +114,13 @@ outputs:
- path: /var/lib/nova
owner: nova:nova
recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
docker_config:
step_4:
nova_compute:


@ -68,6 +68,9 @@ parameters:
CephClusterFSID:
type: string
description: The Ceph cluster FSID. Must be a UUID.
CephClientUserName:
default: openstack
type: string
conditions:
@ -145,6 +148,14 @@ outputs:
dest: "/etc/ceph/"
merge: true
preserve_properties: true
permissions:
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
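Review bot: The new `permissions` list re-owns only the keyring named by `CephClientUserName`, while the `config_files` entry just above it copies all of `/etc/ceph/` with `preserve_properties: true`; that entry begins outside the hunk. Any other keyring staged in the source directory (another client user's key, or an admin keyring if one is placed there) therefore keeps its host ownership and mode inside the container. Confirm that only the one keyring ever lands in that directory, or add a second `permissions` entry covering the remaining keyrings with the same `owner: nova:nova` and `perm: '0600'`.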