openstack/tripleo-heat-templates
Code Issues Proposed changes

Set file mode permission for Ceph keyrings in containers

Browse Source 
Pass mode parameter to ceph-ansible for Ceph keyrings on container
host. Pass mode and ownership parameter to each Ceph client container
using kolla_config. ACLs are set for Cinder if it is not running in
containers.

Unclean cherry pick from ce7b65f443

Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30
Partial-Bug: #1720787
This commit is contained in:
John Fulton
2017-10-02 15:22:08 -04:00
parent 74e40b21f0
commit a18fd59077
10 changed files with 95 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docker/services/ceph-ansible/ceph-base.yaml
View File

@@ -237,7 +237,8 @@ outputs:
CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName}
GLANCE_POOL: {get_param: GlanceRbdPoolName} GLANCE_POOL: {get_param: GlanceRbdPoolName}
GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
mode: "0644" mode: "0600"
acls: ["u:165:r"] # uid of cinder user
- name: - name:
list_join: list_join:
- '.' - '.'
@@ -247,7 +248,7 @@ outputs:
mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"' mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
mds_cap: "allow *" mds_cap: "allow *"
osd_cap: "allow rw" osd_cap: "allow rw"
mode: "0644" mode: "0600"
- name: - name:
list_join: list_join:
- '.' - '.'
@@ -256,7 +257,7 @@ outputs:
key: {get_param: CephRgwKey} key: {get_param: CephRgwKey}
mon_cap: "allow rw" mon_cap: "allow rw"
osd_cap: "allow rwx" osd_cap: "allow rwx"
mode: "0644" mode: "0600"
keys: *openstack_keys keys: *openstack_keys
pools: [] pools: []
ceph_conf_overrides: ceph_conf_overrides:

10
docker/services/cinder-backup.yaml
View File

@@ -40,6 +40,9 @@ parameters:
default: false default: false
description: Remove package if the service is being disabled during upgrade description: Remove package if the service is being disabled during upgrade
type: boolean type: boolean
CephClientUserName:
default: openstack
type: string
resources: resources:
@@ -102,6 +105,13 @@ outputs:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config: docker_config:
step_3: step_3:
cinder_backup_init_logs: cinder_backup_init_logs:

10
docker/services/cinder-volume.yaml
View File

@@ -49,6 +49,9 @@ parameters:
default: false default: false
description: Remove package if the service is being disabled during upgrade description: Remove package if the service is being disabled during upgrade
type: boolean type: boolean
CephClientUserName:
default: openstack
type: string
resources: resources:
@@ -112,6 +115,13 @@ outputs:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: cinder:cinder
perm: '0600'
docker_config: docker_config:
step_3: step_3:
cinder_volume_init_logs: cinder_volume_init_logs:

10
docker/services/glance-api.yaml
View File

@@ -65,6 +65,9 @@ parameters:
description: > description: >
NFS mount options for image storage (when GlanceNfsEnabled is true) NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string type: string
CephClientUserName:
default: openstack
type: string
conditions: conditions:
@@ -130,6 +133,13 @@ outputs:
- path: /var/lib/glance - path: /var/lib/glance
owner: glance:glance owner: glance:glance
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: glance:glance
perm: '0600'
/var/lib/kolla/config_files/glance_api_tls_proxy.json: /var/lib/kolla/config_files/glance_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND command: /usr/sbin/httpd -DFOREGROUND
config_files: config_files:

10
docker/services/gnocchi-api.yaml
View File

@@ -43,6 +43,9 @@ parameters:
default: 128 default: 128
description: Number of storage sacks to create. description: Number of storage sacks to create.
type: number type: number
CephClientUserName:
default: openstack
type: string
conditions: conditions:
@@ -98,6 +101,13 @@ outputs:
- path: /var/log/gnocchi - path: /var/log/gnocchi
owner: gnocchi:gnocchi owner: gnocchi:gnocchi
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config: docker_config:
# db sync runs before permissions set by kolla_config # db sync runs before permissions set by kolla_config
step_2: step_2:

10
docker/services/gnocchi-metricd.yaml
View File

@@ -36,6 +36,9 @@ parameters:
default: {} default: {}
description: Parameters specific to the role description: Parameters specific to the role
type: json type: json
CephClientUserName:
default: openstack
type: string
resources: resources:
@@ -91,6 +94,13 @@ outputs:
- path: /var/log/gnocchi - path: /var/log/gnocchi
owner: gnocchi:gnocchi owner: gnocchi:gnocchi
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config: docker_config:
step_5: step_5:
gnocchi_metricd: gnocchi_metricd:

10
docker/services/gnocchi-statsd.yaml
View File

@@ -36,6 +36,9 @@ parameters:
default: {} default: {}
description: Parameters specific to the role description: Parameters specific to the role
type: json type: json
CephClientUserName:
default: openstack
type: string
resources: resources:
@@ -91,6 +94,13 @@ outputs:
- path: /var/log/gnocchi - path: /var/log/gnocchi
owner: gnocchi:gnocchi owner: gnocchi:gnocchi
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: gnocchi:gnocchi
perm: '0600'
docker_config: docker_config:
step_5: step_5:
gnocchi_statsd: gnocchi_statsd:

10
docker/services/manila-share.yaml
View File

@@ -36,6 +36,9 @@ parameters:
default: {} default: {}
description: Parameters specific to the role description: Parameters specific to the role
type: json type: json
ManilaCephClientUserName:
default: manila
type: string
resources: resources:
@@ -91,6 +94,13 @@ outputs:
- path: /var/log/manila - path: /var/log/manila
owner: manila:manila owner: manila:manila
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: ManilaCephClientUserName}
owner: manila:manila
perm: '0600'
docker_config: docker_config:
step_4: step_4:
manila_share: manila_share:

10
docker/services/nova-compute.yaml
View File

@@ -49,6 +49,9 @@ parameters:
default: false default: false
description: Remove package if the service is being disabled during upgrade description: Remove package if the service is being disabled during upgrade
type: boolean type: boolean
CephClientUserName:
default: openstack
type: string
resources: resources:
@@ -111,6 +114,13 @@ outputs:
- path: /var/lib/nova - path: /var/lib/nova
owner: nova:nova owner: nova:nova
recurse: true recurse: true
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
docker_config: docker_config:
step_4: step_4:
nova_compute: nova_compute:

11
docker/services/nova-libvirt.yaml
View File

@@ -68,6 +68,9 @@ parameters:
CephClusterFSID: CephClusterFSID:
type: string type: string
description: The Ceph cluster FSID. Must be a UUID. description: The Ceph cluster FSID. Must be a UUID.
CephClientUserName:
default: openstack
type: string
conditions: conditions:
@@ -145,6 +148,14 @@ outputs:
dest: "/etc/ceph/" dest: "/etc/ceph/"
merge: true merge: true
preserve_properties: true preserve_properties: true
permissions:
- path:
str_replace:
template: /etc/ceph/ceph.client.USER.keyring
params:
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
/var/lib/kolla/config_files/nova_virtlogd.json: /var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files: config_files: