Set file mode permission for Ceph keyrings in containers
Pass mode parameter to ceph-ansible for Ceph keyrings on container host. Pass mode and ownership parameter to each Ceph client container using kolla_config. ACLs are set for Cinder if it is not running in containers. Unclean cherry pick from ce7b65f443d38a6627631f53cb22336338e97d30 Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30 Partial-Bug: #1720787
parent
74e40b21f0
commit
a18fd59077
@ -237,7 +237,8 @@ outputs:
|
||||
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
|
||||
GLANCE_POOL: {get_param: GlanceRbdPoolName}
|
||||
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
|
||||
mode: "0644"
|
||||
mode: "0600"
|
||||
acls: ["u:165:r"] # uid of cinder user
|
||||
- name:
|
||||
list_join:
|
||||
- '.'
|
||||
@ -247,7 +248,7 @@ outputs:
|
||||
mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
|
||||
mds_cap: "allow *"
|
||||
osd_cap: "allow rw"
|
||||
mode: "0644"
|
||||
mode: "0600"
|
||||
- name:
|
||||
list_join:
|
||||
- '.'
|
||||
@ -256,7 +257,7 @@ outputs:
|
||||
key: {get_param: CephRgwKey}
|
||||
mon_cap: "allow rw"
|
||||
osd_cap: "allow rwx"
|
||||
mode: "0644"
|
||||
mode: "0600"
|
||||
keys: *openstack_keys
|
||||
pools: []
|
||||
ceph_conf_overrides:
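Review bot: The ACL `acls: ["u:165:r"]` in the first hunk hard-codes a numeric uid, and only the trailing comment ties it to cinder. If the cinder account on a host has a different uid, non-containerized Cinder loses access to the keyring that is now `0600`, and whichever account does hold uid 165 gains read access to the key. Consider taking the uid from a parameter, or at least expanding the comment to `# uid 165 = cinder on the host; only needed when Cinder runs outside containers`. The keys in the second and third hunks get `mode: "0600"` with no ACL, so it is worth confirming that no non-root host process reads them.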
|
||||
|
@ -40,6 +40,9 @@ parameters:
|
||||
default: false
|
||||
description: Remove package if the service is being disabled during upgrade
|
||||
type: boolean
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -102,6 +105,13 @@ outputs:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_backup_init_logs:
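Review bot: The new `CephClientUserName` parameter has no `description` and no constraint, yet its value is substituted into the path `/etc/ceph/ceph.client.USER.keyring` that receives the `owner`/`perm` settings. A value containing `/` would point the ownership and mode change at a different file, so restrict it, for example with `constraints: [{allowed_pattern: "[A-Za-z0-9_.-]+"}]`, and add a description saying it must match the client key name created by the Ceph service. The same parameter and path template are added unchanged in each of the following service sections (as `ManilaCephClientUserName` in the manila one), so the same applies there. If the name does not match the keyring that is actually copied in, the `0600` entry presumably targets a file that does not exist; how kolla treats that case is not visible here.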
|
||||
|
@ -49,6 +49,9 @@ parameters:
|
||||
default: false
|
||||
description: Remove package if the service is being disabled during upgrade
|
||||
type: boolean
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -112,6 +115,13 @@ outputs:
|
||||
- path: /var/log/cinder
|
||||
owner: cinder:cinder
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: cinder:cinder
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_3:
|
||||
cinder_volume_init_logs:
|
||||
|
@ -65,6 +65,9 @@ parameters:
|
||||
description: >
|
||||
NFS mount options for image storage (when GlanceNfsEnabled is true)
|
||||
type: string
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
conditions:
|
||||
|
||||
@ -130,6 +133,13 @@ outputs:
|
||||
- path: /var/lib/glance
|
||||
owner: glance:glance
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: glance:glance
|
||||
perm: '0600'
|
||||
/var/lib/kolla/config_files/glance_api_tls_proxy.json:
|
||||
command: /usr/sbin/httpd -DFOREGROUND
|
||||
config_files:
|
||||
|
@ -43,6 +43,9 @@ parameters:
|
||||
default: 128
|
||||
description: Number of storage sacks to create.
|
||||
type: number
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
conditions:
|
||||
|
||||
@ -98,6 +101,13 @@ outputs:
|
||||
- path: /var/log/gnocchi
|
||||
owner: gnocchi:gnocchi
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: gnocchi:gnocchi
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
# db sync runs before permissions set by kolla_config
|
||||
step_2:
|
||||
|
@ -36,6 +36,9 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -91,6 +94,13 @@ outputs:
|
||||
- path: /var/log/gnocchi
|
||||
owner: gnocchi:gnocchi
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: gnocchi:gnocchi
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_5:
|
||||
gnocchi_metricd:
|
||||
|
@ -36,6 +36,9 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -91,6 +94,13 @@ outputs:
|
||||
- path: /var/log/gnocchi
|
||||
owner: gnocchi:gnocchi
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: gnocchi:gnocchi
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_5:
|
||||
gnocchi_statsd:
|
||||
|
@ -36,6 +36,9 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
ManilaCephClientUserName:
|
||||
default: manila
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -91,6 +94,13 @@ outputs:
|
||||
- path: /var/log/manila
|
||||
owner: manila:manila
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: ManilaCephClientUserName}
|
||||
owner: manila:manila
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_4:
|
||||
manila_share:
|
||||
|
@ -49,6 +49,9 @@ parameters:
|
||||
default: false
|
||||
description: Remove package if the service is being disabled during upgrade
|
||||
type: boolean
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
@ -111,6 +114,13 @@ outputs:
|
||||
- path: /var/lib/nova
|
||||
owner: nova:nova
|
||||
recurse: true
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: nova:nova
|
||||
perm: '0600'
|
||||
docker_config:
|
||||
step_4:
|
||||
nova_compute:
|
||||
|
@ -68,6 +68,9 @@ parameters:
|
||||
CephClusterFSID:
|
||||
type: string
|
||||
description: The Ceph cluster FSID. Must be a UUID.
|
||||
CephClientUserName:
|
||||
default: openstack
|
||||
type: string
|
||||
|
||||
conditions:
|
||||
|
||||
@ -145,6 +148,14 @@ outputs:
|
||||
dest: "/etc/ceph/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
permissions:
|
||||
- path:
|
||||
str_replace:
|
||||
template: /etc/ceph/ceph.client.USER.keyring
|
||||
params:
|
||||
USER: {get_param: CephClientUserName}
|
||||
owner: nova:nova
|
||||
perm: '0600'
|
||||
/var/lib/kolla/config_files/nova_virtlogd.json:
|
||||
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
||||
config_files:
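Review bot: The added `permissions:` block in the second hunk gives the keyring `owner: nova:nova` with `perm: '0600'`, but the entry it belongs to starts above the hunk, so it is not visible which process in that container reads the file. The next entry is `nova_virtlogd.json`, which suggests this is a libvirt-side container. With `0600`, any non-root reader other than `nova` is locked out, so confirm the reader runs as `nova` (or as root). A one-line comment above `permissions:` naming that process would make the choice of owner auditable.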
|
||||
|