Add setfacl statements for neutron metadata proxy
Statements to setfacl on fast forward upgrade were added for the l3
agent container and the neutron dhcp container. But they are missing
from the metadata proxy container, which can lead to this sort of thing
after an FFU upgrade - but not immediately, waiting for the metadata
container to restart. After restarting neutron_metadata_agent, the permission will be changed as follows.
[root@overcloud-controller-0 neutron]# ll
total 24
drwxrwxr-x+ 2 42435 42435 6 Jun 18 08:57 dhcp
-rwxrwxr-x+ 1 42435 42435 998 Jun 18 08:43 dhcp_haproxy_wrapper
-rwxrwxr-x+ 1 42435 42435 1099 Jun 18 08:43 dibbler_wrapper
-rwxrwxr-x+ 1 42435 42435 995 Jun 18 08:43 dnsmasq_wrapper
drwxrwxr-x+ 2 42435 42435 6 Jun 18 08:59 ha_confs
srwxrwxr-x+ 1 42435 42435 0 Jun 20 02:23 keepalived-state-change
-rwxrwxr-x+ 1 42435 42435 1035 Jun 18 08:43 keepalived_state_change_wrapper
-rwxrwxr-x+ 1 42435 42435 1076 Jun 18 08:43 keepalived_wrapper
-rwxrwxr-x+ 1 42435 42435 996 Jun 18 08:43 l3_haproxy_wrapper
srw-rwxr--+ 1 42435 42435 0 Jun 20 02:24 metadata_proxy
[root@overcloud-controller-0 neutron]# getfacl metadata_proxy
# file: metadata_proxy
# owner: 42435
# group: 42435
user::rw-
user:neutron:rwx
group::r-x
mask::rwx
other::r--
[root@overcloud-controller-0 neutron]# docker restart neutron_metadata_agent
neutron_metadata_agent
[root@overcloud-controller-0 neutron]# ll
total 24
drwxrwxr-x+ 2 42435 42435 6 Jun 18 08:57 dhcp
-rwxrwxr-x+ 1 42435 42435 998 Jun 18 08:43 dhcp_haproxy_wrapper
-rwxrwxr-x+ 1 42435 42435 1099 Jun 18 08:43 dibbler_wrapper
-rwxrwxr-x+ 1 42435 42435 995 Jun 18 08:43 dnsmasq_wrapper
drwxrwxr-x+ 2 42435 42435 6 Jun 18 08:59 ha_confs
srwxrwxr-x+ 1 42435 42435 0 Jun 20 02:23 keepalived-state-change
-rwxrwxr-x+ 1 42435 42435 1035 Jun 18 08:43 keepalived_state_change_wrapper
-rwxrwxr-x+ 1 42435 42435 1076 Jun 18 08:43 keepalived_wrapper
-rwxrwxr-x+ 1 42435 42435 996 Jun 18 08:43 l3_haproxy_wrapper
srw-r--r--+ 1 42435 42435 0 Jun 20 02:29 metadata_proxy
[root@overcloud-controller-0 neutron]# getfacl metadata_proxy
# file: metadata_proxy
# owner: 42435
# group: 42435
user::rw-
user:neutron:rwx #effective:r--
group::r-x #effective:r--
mask::r--
other::r--
Change-Id: Idec372ae008cab9b27bd1ddc79b6b50c1de98563
(cherry picked from commit 107efc1f5e
)
This commit is contained in:
parent
0b4c02c516
commit
ae4e79a198
|
@ -237,3 +237,34 @@ outputs:
|
|||
- step|int == 1
|
||||
- release == 'ocata'
|
||||
- neutron_metadata_agent_enabled|bool
|
||||
post_upgrade_tasks:
|
||||
- name: Check for neutron user
|
||||
getent:
|
||||
database: passwd
|
||||
key: neutron
|
||||
ignore_errors: True
|
||||
- name: Set neutron_user_avail
|
||||
set_fact:
|
||||
neutron_user_avail: "{{ getent_passwd is defined }}"
|
||||
- when:
|
||||
- step|int == 2
|
||||
- neutron_user_avail|bool
|
||||
block:
|
||||
- name: Ensure r/w access for existing files after upgrade
|
||||
become: true
|
||||
shell: |
|
||||
umask 0002
|
||||
setfacl -d -R -m u:neutron:rwx /var/lib/neutron
|
||||
setfacl -R -m u:neutron:rw /var/lib/neutron
|
||||
find /var/lib/neutron -type d -exec setfacl -m u:neutron:rwx '{}' \;
|
||||
- name: Provide access to domain sockets
|
||||
become: true
|
||||
shell: |
|
||||
umask 0002
|
||||
setfacl -m u:neutron:rwx "{{ item }}"
|
||||
with_items:
|
||||
- /var/lib/neutron/metadata_proxy
|
||||
- /var/lib/neutron/keepalived-state-change
|
||||
- /var/lib/neutron
|
||||
# These files are not necessarily present
|
||||
ignore_errors: True
|
||||
|
|
Loading…
Reference in New Issue