Revamp how etcd's cert and key are handled in containers

Use kolla_config to merge etcd's cert and key files into containers,
and set the ownership so the corresponding service can read the files.

Previously, etcd's cert and key files were directly bind mounted
in the etcd and cinder containers that need the files. An ACL was
added to ensure the corresponding services had read access to the
files on the host, which are owned by root. The ACL was cumbersome,
and required hardcoding the UID of each service.

Change-Id: Ic606e751cb046c34d33a94a2acd4313f4043441f
Depends-On: I0ea26253355a57b3721bfa6ceef3972eaabc5b1d
(cherry picked from commit 7bcdd2448b)
(cherry picked from commit 978c4e05de)
Alan Bishop 2020-07-13 13:18:59 -07:00
parent 71acbd5351
commit a9e7a6fa92
8 changed files with 63 additions and 38 deletions


@ -274,10 +274,19 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
recurse: true recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
/var/lib/kolla/config_files/cinder_api_cron.json: /var/lib/kolla/config_files/cinder_api_cron.json:
command: /usr/sbin/crond -n command: /usr/sbin/crond -n
config_files: config_files:
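Review bot: The `/etc/pki/tls/private/etcd.key` entry under `permissions` changes ownership to cinder:cinder but leaves the mode at whatever `preserve_properties: true` copied from the host file, so the private key's readability inside the cinder-api container depends on host-side state; add `perm: '0600'` (the form the Ceph keyring entries in the sibling cinder templates of this commit already use). Separately, the only bind mount into `src-tls` visible in this change is in `cinder_volume_volumes`, and the note added to the pacemaker template says etcd is only used by cinder-volume in active/active: if cinder-api has no mount of its own, the `optional: true` copy silently does nothing and these entries are inert, and if it does, the etcd server's private key is being handed to a service that may not need it — worth confirming which. The enclosing kolla_config mapping starts before this hunk.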


@ -165,6 +165,11 @@ outputs:
dest: "/etc/iscsi/" dest: "/etc/iscsi/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/lib/cinder - path: /var/lib/cinder
owner: cinder:cinder owner: cinder:cinder
@ -180,6 +185,10 @@ outputs:
USER: {get_param: CephClientUserName} USER: {get_param: CephClientUserName}
owner: cinder:cinder owner: cinder:cinder
perm: '0600' perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config: docker_config:
step_3: step_3:
cinder_backup_init_logs: cinder_backup_init_logs:
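Review bot: The new `etcd.key` permissions entry sets ownership only, while the Ceph keyring entry directly above it sets `perm: '0600'`; the private key deserves the same explicit mode, `perm: '0600'`, so it does not depend on what `preserve_properties: true` carried over from the root-owned host file. The `etcd.crt` entry can stay as it is, since a certificate is not sensitive. The enclosing kolla_config mapping starts before this hunk.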


@ -163,6 +163,11 @@ outputs:
dest: "/etc/iscsi/" dest: "/etc/iscsi/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/lib/cinder - path: /var/lib/cinder
owner: cinder:cinder owner: cinder:cinder
@ -170,6 +175,10 @@ outputs:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
recurse: true recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]} container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config: docker_config:
step_3: step_3:
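Review bot: `optional: true` on the `src-tls/*` source means a missing `etcd.key` is skipped silently even when active/active TLS is enabled, so a broken or absent mount only surfaces later as a tooz/etcd connection failure rather than at container start. If the `cvol_active_active_tls_enabled` condition used in cinder-common is reachable from this template, gating the source entry and the two `permissions` entries on it and dropping `optional` would make the failure immediate and keep the key out of containers where TLS is off; if it is not, at least note in a comment that `optional` exists for the TLS-disabled case. The `etcd.key` entry should also carry `perm: '0600'` so the private key's mode inside the container is explicit. The enclosing kolla_config mapping starts before this hunk.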


@ -114,8 +114,8 @@ outputs:
if: if:
- cvol_active_active_tls_enabled - cvol_active_active_tls_enabled
- -
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- [] - []
cinder_volume_host_prep_tasks: cinder_volume_host_prep_tasks:
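Review bot: Because the cert and key are now staged under `src-tls` and copied by kolla at container start rather than bind-mounted at their final path, a certmonger renewal on the host no longer propagates into the running cinder-volume container; the etcd template in this commit gains a `postsave_cmd` hook, but nothing here shows the cinder-volume container being restarted or its copy refreshed on renewal. Confirm that the refresh script (or the Depends-On change) covers cinder-volume, otherwise the container keeps the old key and cert until its next restart and loses its etcd connection once they expire. The `if:` expression these lines belong to starts outside the hunk.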


@ -101,10 +101,19 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
recurse: true recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config: docker_config:
step_2: step_2:
cinder_scheduler_init_logs: cinder_scheduler_init_logs:
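Review bot: The `etcd.key` permissions entry gives cinder-scheduler ownership of the etcd server's private key with no `perm`, so the in-container mode is whatever the host file had; add `perm: '0600'` as the Ceph keyring entries in the sibling cinder templates do. If the scheduler does not use the tooz coordination backend at all (the note this commit adds to the pacemaker template says etcd is only used by cinder-volume in active/active), the source and permissions entries could be dropped here instead of relying on `optional: true` to make them a no-op — worth confirming against the scheduler's configuration. The enclosing kolla_config mapping starts before this hunk.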


@ -310,6 +310,11 @@ outputs:
dest: "/etc/iscsi/" dest: "/etc/iscsi/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder
@ -322,6 +327,10 @@ outputs:
USER: {get_param: CephClientUserName} USER: {get_param: CephClientUserName}
owner: cinder:cinder owner: cinder:cinder
perm: '0600' perm: '0600'
- path: /etc/pki/tls/certs/etcd.crt
owner: cinder:cinder
- path: /etc/pki/tls/private/etcd.key
owner: cinder:cinder
docker_config: docker_config:
step_3: step_3:
cinder_volume_init_logs: cinder_volume_init_logs:
@ -345,20 +354,3 @@ outputs:
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]} volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]} environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]} host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
deploy_steps_tasks:
- name: ensure cinder can access etcd's tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42407 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
cvol_active_active_tls_enabled: {if: [cvol_active_active_tls_enabled, true, false]}
when:
- cvol_active_active_tls_enabled|bool
- step|int == 3
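Review bot: Removing the `acl` task drops only the task, not the ACL it left behind: hosts deployed with the previous version still carry `user:42407:r` on `/etc/pki/tls/certs/etcd.crt` and `/etc/pki/tls/private/etcd.key`, and nothing in this change reverts it, so the host copy of the private key stays readable by that UID indefinitely. Consider a one-off task (in upgrade_tasks or a deploy step) that runs the same `acl` module with `state: absent` for that entity under the same TLS condition. The new `etcd.key` permissions entry also lacks the `perm: '0600'` that the Ceph keyring entry just above it uses; the private key should get the same explicit mode.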


@ -151,6 +151,10 @@ outputs:
dest: "/etc/iscsi/" dest: "/etc/iscsi/"
merge: true merge: true
preserve_properties: true preserve_properties: true
# NOTE(abishop): no need to copy any src-tls/* files or set ownership
# of etcd's TLS certificate and key. The etcd service is only used by
# cinder-volume when it's running active/active, and *not* when it's
# under pcmk control.
permissions: permissions:
- path: /var/log/cinder - path: /var/log/cinder
owner: cinder:cinder owner: cinder:cinder


@ -131,6 +131,7 @@ outputs:
"%{hiera('NETWORK')}" "%{hiera('NETWORK')}"
params: params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
- -
@ -154,10 +155,19 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/lib/etcd - path: /var/lib/etcd
owner: etcd:etcd owner: etcd:etcd
recurse: true recurse: true
- path: /etc/pki/tls/certs/etcd.crt
owner: etcd:etcd
- path: /etc/pki/tls/private/etcd.key
owner: etcd:etcd
docker_config: docker_config:
step_2: step_2:
etcd: etcd:
@ -178,8 +188,8 @@ outputs:
if: if:
- internal_tls_enabled - internal_tls_enabled
- -
- /etc/pki/tls/certs/etcd.crt:/etc/pki/tls/certs/etcd.crt:ro - /etc/pki/tls/certs/etcd.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/etcd.crt:ro
- /etc/pki/tls/private/etcd.key:/etc/pki/tls/private/etcd.key:ro - /etc/pki/tls/private/etcd.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/etcd.key:ro
- null - null
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
@ -200,23 +210,6 @@ outputs:
path: /var/lib/etcd path: /var/lib/etcd
state: directory state: directory
setype: svirt_sandbox_file_t setype: svirt_sandbox_file_t
deploy_steps_tasks:
- name: ensure etcd can access its tls cert and key
become: true
acl:
path: "{{ item }}"
entity: "{{ 42413 | string }}"
etype: user
permissions: r
state: present
with_items:
- /etc/pki/tls/certs/etcd.crt
- /etc/pki/tls/private/etcd.key
vars:
internal_tls_enabled: {if: [internal_tls_enabled, true, false]}
when:
- internal_tls_enabled|bool
- step|int == 2
upgrade_tasks: [] upgrade_tasks: []
metadata_settings: metadata_settings:
if: if:
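Review bot: `/etc/pki/tls/private/etcd.key` is chowned to etcd:etcd without a `perm`, so its mode inside the container is whatever `preserve_properties: true` copied from the root-owned host file; add `perm: '0600'` to make the private key's mode explicit rather than inherited. The removed `acl` task is also not reverted anywhere — `upgrade_tasks: []` stays empty — so hosts from earlier deployments keep `user:42413:r` on the host key file; an `acl` task with `state: absent` for that entity would clean it up. The `metadata_settings` mapping continues past the end of the hunk.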