From b56c521e01d0a4b42f44f2d9d03f524a4dc60475 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Fri, 5 Jul 2019 12:15:03 +0200 Subject: [PATCH] Don't use the z flag in case NovaNfsEnabled is true Deployment with enabled NFS share for nova ephemeral storage fails. Podman fails to relable with mounted nfs in /var/lib/nova/instances and container fail to start with "operation not supported". This change only sets the z flag for the /var/lib/nova in case nfs is not enabled for the compute. Change-Id: I732c0c3e0b3eb1b52f0df58568ec3a42f3d6d1a1 Closes-Bug: #1835503 --- .../nova/nova-compute-container-puppet.yaml | 27 ++++++++++++-- .../nova/nova-ironic-container-puppet.yaml | 35 +++++++++++++++++-- .../nova/nova-libvirt-container-puppet.yaml | 29 +++++++++++++-- ...ova-migration-target-container-puppet.yaml | 22 +++++++++++- ...a_nfs_enabled_podman-a92ea12cd4cd92c8.yaml | 8 +++++ 5 files changed, 112 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/nova_nfs_enabled_podman-a92ea12cd4cd92c8.yaml diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index a4192a3377..ee443c2549 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml @@ -433,6 +433,13 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} + nova_nfs_enabled: + or: + - and: + - equals: [{get_param: NovaNfsEnabled}, true] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + outputs: role_data: description: Role data for the Nova Compute service. 
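Review bot: The new `nova_nfs_enabled` condition (hunk at -433) has no comment explaining its precedence, and the comparison of the role parameter with `''` is not self-evident. As written, a role-level NovaNfsEnabled of true enables it, the global parameter is consulted only when the role-level value equals the empty string (presumably meaning "not set for this role"), and a role-level false overrides a global true. I would add above the condition `# role-specific NovaNfsEnabled wins; the global value applies only when the role value is unset ('')`. The same block is copied into the ironic, libvirt and migration-target templates (hunks at -44, -287 and -69), so the comment belongs there as well.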
@@ -599,8 +606,16 @@ outputs: privileged: false detach: false volumes: - - /var/lib/nova:/var/lib/nova:shared,z - - /var/lib/container-config-scripts/:/container-config-scripts/:z + list_concat: + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + - + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z + - + - /var/lib/container-config-scripts/:/container-config-scripts/:z command: "/container-config-scripts/pyshim.sh /container-config-scripts/nova_statedir_ownership.py" environment: # NOTE: this should force this container to re-run on each @@ -663,10 +678,16 @@ outputs: - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/iscsi:/var/lib/iscsi:z - - /var/lib/nova:/var/lib/nova:shared,z - /var/lib/libvirt:/var/lib/libvirt:shared,z - /sys/class/net:/sys/class/net - /sys/bus/pci:/sys/bus/pci + - + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z - if: - {equals: [{get_param: MultipathdEnable}, true]} diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml index 8b26495de5..16fc1dcce4 100644 --- a/deployment/nova/nova-ironic-container-puppet.yaml +++ b/deployment/nova/nova-ironic-container-puppet.yaml @@ -44,6 +44,21 @@ parameters: default: false description: Whether to enable the multipath daemon type: boolean + NovaNfsEnabled: + default: false + description: Whether to enable or not the NFS backend for Nova + type: boolean + tags: + - role_specific + +conditions: + + nova_nfs_enabled: + or: + - and: + - equals: [{get_param: NovaNfsEnabled}, true] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] resources: 
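Review bot: When `nova_nfs_enabled` is true, the `if` in the hunk at -599 drops `z` for the whole `/var/lib/nova` bind mount, not only for the NFS-backed `instances` subdirectory, and nothing visible in the patch sets the SELinux label by another route. On an enforcing host the container then depends on whatever label the directory already carries; whether that is sufficient cannot be told from this page. I would state the requirement in the comment, e.g. `# z is omitted because podman cannot relabel the NFS mount under instances/; /var/lib/nova must already carry a label the container may access`, and correct the spelling `relable`. The same applies to the other `if` blocks at -663 and in the ironic (-127, -149), libvirt (-629, -660) and migration-target (-148) hunks. The container definition starts outside the hunk.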
@@ -127,8 +142,16 @@ outputs: privileged: false detach: false volumes: - - /var/lib/nova:/var/lib/nova:shared,z - - /var/lib/container-config-scripts/:/container-config-scripts/ + list_concat: + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + - + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z + - + - /var/lib/container-config-scripts/:/container-config-scripts/ command: "/container-config-scripts/pyshim.sh /container-config-scripts/nova_statedir_ownership.py" step_4: nova_compute: @@ -149,8 +172,14 @@ outputs: - /run:/run - /dev:/dev - /var/lib/iscsi:/var/lib/iscsi:z - - /var/lib/nova/:/var/lib/nova:shared,z - /var/log/containers/nova:/var/log/nova:z + - + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z - if: - {equals: [{get_param: MultipathdEnable}, true]} diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 68a793c9b3..8a885dbced 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -206,6 +206,12 @@ parameters: description: The password for the libvirt service when TLS is enabled type: string hidden: true + NovaNfsEnabled: + default: false + description: Whether to enable or not the NFS backend for Nova + type: boolean + tags: + - role_specific conditions: @@ -287,6 +293,13 @@ conditions: - {get_param: ContainerCli} - 'docker' + nova_nfs_enabled: + or: + - and: + - equals: [{get_param: NovaNfsEnabled}, true] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + resources: RoleParametersValue: type: OS::Heat::Value 
@@ -629,11 +642,17 @@ outputs: - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - - /var/lib/nova:/var/lib/nova:shared,z - /var/run/libvirt:/var/run/libvirt:shared,z - /var/lib/libvirt:/var/lib/libvirt - /etc/libvirt/qemu:/etc/libvirt/qemu:ro - /var/log/libvirt/qemu:/var/log/libvirt/qemu + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + - + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS nova_libvirt: @@ -660,13 +679,19 @@ outputs: - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - - /var/lib/nova:/var/lib/nova:shared,z - /etc/libvirt:/etc/libvirt - /var/run/libvirt:/var/run/libvirt:shared,z - /var/lib/libvirt:/var/lib/libvirt:shared,z - /var/log/containers/libvirt:/var/log/libvirt:z - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro - /var/lib/vhost_sockets:/var/lib/vhost_sockets:z + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + - + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z - if: - docker_enabled diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml index 1c33227022..561d88fb73 100644 --- a/deployment/nova/nova-migration-target-container-puppet.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml @@ -54,6 +54,12 @@ parameters: default: 2022 description: Target port for migration over ssh type: number + NovaNfsEnabled: + default: false + description: Whether to enable or not the NFS backend for Nova + type: boolean + tags: + - role_specific resources: 
@@ -69,6 +75,14 @@ resources: RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} +conditions: + nova_nfs_enabled: + or: + - and: + - equals: [{get_param: NovaNfsEnabled}, true] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] + - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + outputs: role_data: description: Role data for the Nova Migration Target service. @@ -148,7 +162,13 @@ outputs: - /var/lib/config-data/puppet-generated/nova_libvirt/:/var/lib/kolla/config_files/src:ro - /etc/ssh/:/host-ssh/:ro - /run/libvirt:/run/libvirt - - /var/lib/nova:/var/lib/nova:shared + # podman fails to relable if nova_nfs_enabled where we have + # the nfs share mounted to /var/lib/nova/instances + - + if: + - nova_nfs_enabled + - - /var/lib/nova:/var/lib/nova:shared + - - /var/lib/nova:/var/lib/nova:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS post_upgrade_tasks: diff --git a/releasenotes/notes/nova_nfs_enabled_podman-a92ea12cd4cd92c8.yaml b/releasenotes/notes/nova_nfs_enabled_podman-a92ea12cd4cd92c8.yaml new file mode 100644 index 0000000000..7cbbf52749 --- /dev/null +++ b/releasenotes/notes/nova_nfs_enabled_podman-a92ea12cd4cd92c8.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + Deployment with enabled NFS share for nova ephemeral storage fails. Podman + fails to relable with mounted nfs in /var/lib/nova/instances and container + fail to start with "operation not supported". + This change only sets the z flag for the /var/lib/nova in case nfs is not + enabled for the compute.
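Review bot: The else branch in the hunk at -148 mounts `/var/lib/nova:/var/lib/nova:shared,z`, but the line it replaces was `/var/lib/nova:/var/lib/nova:shared` with no `z`, so non-NFS deployments now get a relabel from the migration-target container that they did not have before. The commit message and release note describe only the removal of `z` for NFS, so this addition looks unintended or at least undocumented. If the previous behaviour was deliberate, keep the single line `- /var/lib/nova:/var/lib/nova:shared` and drop the `if`; otherwise mention the added relabel in the release note. The volumes list starts outside the hunk.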