Set file mode permission for Ceph keyrings in containers

Pass mode parameter to ceph-ansible for Ceph keyrings on container
host. Pass mode and ownership parameter to each Ceph client container
using kolla_config. ACLs are set for Cinder if it is not running in
containers.

Change-Id: I11618b3fd696739ad9b86618a1f3f96570c61a30
Partial-Bug: #1720787

docker/services/ceph-ansible/ceph-base.yaml

@@ -253,7 +253,8 @@ outputs:
                         - {get_param: GnocchiRbdPoolName}
                       # CinderRbdExtraPools is a list (do not indent further)
                       - {get_param: CinderRbdExtraPools}
-            mode: "0644"
+            mode: "0600"
+            acls: ["u:165:r"] # uid of cinder user
           - name:
               list_join:
               - '.'
@@ -263,7 +264,7 @@ outputs:
             mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
             mds_cap: "allow *"
             osd_cap: "allow rw"
-            mode: "0644"
+            mode: "0600"
           - name:
               list_join:
               - '.'
@@ -272,7 +273,7 @@ outputs:
             key: {get_param: CephRgwKey}
             mon_cap: "allow rw"
             osd_cap: "allow rwx"
-            mode: "0644"
+            mode: "0600"
           keys: *openstack_keys
           pools: []
           ceph_conf_overrides:

docker/services/cinder-backup.yaml

@@ -40,6 +40,9 @@ parameters:
     default: false
     description: Remove package if the service is being disabled during upgrade
     type: boolean
+  CephClientUserName:
+    default: openstack
+    type: string
 
 resources:
 
@@ -102,6 +105,13 @@ outputs:
             - path: /var/log/cinder
               owner: cinder:cinder
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: cinder:cinder
+              perm: '0600'
       docker_config:
         step_3:
           cinder_backup_init_logs:

docker/services/cinder-volume.yaml

@@ -49,6 +49,9 @@ parameters:
     default: false
     description: Remove package if the service is being disabled during upgrade
     type: boolean
+  CephClientUserName:
+    default: openstack
+    type: string
 
 resources:
 
@@ -112,6 +115,13 @@ outputs:
             - path: /var/log/cinder
               owner: cinder:cinder
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: cinder:cinder
+              perm: '0600'
       docker_config:
         step_3:
           cinder_volume_init_logs:

docker/services/glance-api.yaml

@@ -65,6 +65,9 @@ parameters:
     default: false
     description: Remove package if the service is being disabled during upgrade
     type: boolean
+  CephClientUserName:
+    default: openstack
+    type: string
 
 conditions:
 
@@ -134,6 +137,13 @@ outputs:
             - path: /var/lib/glance
               owner: glance:glance
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: glance:glance
+              perm: '0600'
         /var/lib/kolla/config_files/glance_api_tls_proxy.json:
           command: /usr/sbin/httpd -DFOREGROUND
           config_files:

docker/services/gnocchi-api.yaml

@@ -43,6 +43,9 @@ parameters:
     default: 128
     description: Number of storage sacks to create.
     type: number
+  CephClientUserName:
+    default: openstack
+    type: string
 
 conditions:
 
@@ -98,6 +101,13 @@ outputs:
             - path: /var/log/gnocchi
               owner: gnocchi:gnocchi
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: gnocchi:gnocchi
+              perm: '0600'
       docker_config:
         # db sync runs before permissions set by kolla_config
         step_2:

docker/services/gnocchi-metricd.yaml

@@ -36,6 +36,9 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  CephClientUserName:
+    default: openstack
+    type: string
 
 resources:
 
@@ -91,6 +94,13 @@ outputs:
             - path: /var/log/gnocchi
               owner: gnocchi:gnocchi
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: gnocchi:gnocchi
+              perm: '0600'
       docker_config:
         step_5:
           gnocchi_metricd:

docker/services/gnocchi-statsd.yaml

@@ -36,6 +36,9 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  CephClientUserName:
+    default: openstack
+    type: string
 
 resources:
 
@@ -91,6 +94,13 @@ outputs:
             - path: /var/log/gnocchi
               owner: gnocchi:gnocchi
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: gnocchi:gnocchi
+              perm: '0600'
       docker_config:
         step_5:
           gnocchi_statsd:

docker/services/manila-share.yaml

@@ -36,6 +36,9 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  ManilaCephClientUserName:
+    default: manila
+    type: string
 
 resources:
 
@@ -91,6 +94,13 @@ outputs:
             - path: /var/log/manila
               owner: manila:manila
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: ManilaCephClientUserName}
+              owner: manila:manila
+              perm: '0600'
       docker_config:
         step_4:
           manila_share:

docker/services/nova-compute.yaml

@@ -49,6 +49,9 @@ parameters:
     default: false
     description: Remove package if the service is being disabled during upgrade
     type: boolean
+  CephClientUserName:
+    default: openstack
+    type: string
 
 resources:
 
@@ -123,6 +126,13 @@ outputs:
             - path: /var/lib/nova
               owner: nova:nova
               recurse: true
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: nova:nova
+              perm: '0600'
       docker_config:
         step_4:
           nova_compute:

docker/services/nova-libvirt.yaml

@@ -67,6 +67,9 @@ parameters:
   CephClusterFSID:
     type: string
     description: The Ceph cluster FSID. Must be a UUID.
+  CephClientUserName:
+    default: openstack
+    type: string
 
 conditions:
 
@@ -144,6 +147,14 @@ outputs:
               dest: "/etc/ceph/"
               merge: true
               preserve_properties: true
+          permissions:
+            - path:
+                str_replace:
+                  template: /etc/ceph/ceph.client.USER.keyring
+                  params:
+                    USER: {get_param: CephClientUserName}
+              owner: nova:nova
+              perm: '0600'
         /var/lib/kolla/config_files/nova_virtlogd.json:
           command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
           config_files: