kolla-ansible

Bootstrap-servers sets owner and permissions recursively to kolla:kolla in /etc/kolla

Bug #1821599 reported by Mark Goddard
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kolla-ansible
Fix Released
High
Mark Goddard
kolla-ansible 8.0.0 "Stein"
Pike
Fix Committed
Undecided
Unassigned
kolla-ansible 5.0.5 "pike"
Queens
Fix Committed
Undecided
Unassigned
kolla-ansible 6.2.0 "queens"
Rocky
Fix Committed
Undecided
Unassigned
kolla-ansible 7.1.0 "rocky"
Stein
Fix Released
High
Mark Goddard
kolla-ansible 8.0.0 "Stein"

Bug Description

When kolla-ansible bootstrap-servers is run, it executes one of the following two tasks:

- name: Ensure node_config_directory directory exists for user kolla
  file:
    path: "{{ node_config_directory }}"
    state: directory
    recurse: true
    owner: "{{ kolla_user }}"
    group: "{{ kolla_group }}"
    mode: "0755"
  become: True
  when: create_kolla_user | bool

- name: Ensure node_config_directory directory exists
  file:
    path: "{{ node_config_directory }}"
    state: directory
    recurse: true
    mode: "0755"
  become: True
  when: not create_kolla_user | bool

On the first run, normally node_config_directory (/etc/kolla/) doesn't exist, so it is created with kolla:kolla ownership and 0755 permissions.

If we then run 'kolla-ansible deploy', config files are created for containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions for those files should be set according to 'config_owner_user' and 'config_owner_group'.

If at some point we again run kolla-ansible bootstrap-servers, it will recursively set the ownership and permissions of all files in /etc/kolla to kolla:kolla / 0755.

The solution is to change bootstrap-servers to not set the owner and permissions recursively. It's also arguable that /etc/kolla should be owned by 'config_owner_user' and 'config_owner_group', rather than kolla:kolla, although that's a separate issue.

Mark Goddard (mgoddard)
Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/647514

Changed in kolla-ansible:
status: New → In Progress
Mark Goddard (mgoddard)
Changed in kolla-ansible:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.openstack.org/647514
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=6b0be5c5bacd91bb94ec6b75715affb9777e568d
Submitter: Zuul
Branch: master

commit 6b0be5c5bacd91bb94ec6b75715affb9777e568d
Author: Mark Goddard <email address hidden>
Date: Mon Mar 25 14:16:45 2019 +0000

    Remove recurse: yes for owner/perms on /etc/kolla

    When kolla-ansible bootstrap-servers is run, it executes one of the
    following two tasks:

    - name: Ensure node_config_directory directory exists for user kolla
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        owner: "{{ kolla_user }}"
        group: "{{ kolla_group }}"
        mode: "0755"
      become: True
      when: create_kolla_user | bool

    - name: Ensure node_config_directory directory exists
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        mode: "0755"
      become: True
      when: not create_kolla_user | bool

    On the first run, normally node_config_directory (/etc/kolla/) doesn't
    exist, so it is created with kolla:kolla ownership and 0755 permissions.

    If we then run 'kolla-ansible deploy', config files are created for
    containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions
    for those files should be set according to 'config_owner_user' and
    'config_owner_group'.

    If at some point we again run kolla-ansible bootstrap-servers, it will
    recursively set the ownership and permissions of all files in /etc/kolla
    to kolla:kolla / 0755.

    The solution is to change bootstrap-servers to not set the owner and
    permissions recursively. It's also arguable that /etc/kolla should be
    owned by 'config_owner_user' and 'config_owner_group', rather than
    kolla:kolla, although that's a separate issue.

    Change-Id: I24668914a9cedc94d5a6cb835648740ce9ce6e39
    Closes-Bug: #1821599

Changed in kolla-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/rocky)

Reviewed: https://review.openstack.org/648958
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=79a976307b8dc1741f72788f88486b7289fdda34
Submitter: Zuul
Branch: stable/rocky

commit 79a976307b8dc1741f72788f88486b7289fdda34
Author: Mark Goddard <email address hidden>
Date: Mon Mar 25 14:16:45 2019 +0000

    Remove recurse: yes for owner/perms on /etc/kolla

    When kolla-ansible bootstrap-servers is run, it executes one of the
    following two tasks:

    - name: Ensure node_config_directory directory exists for user kolla
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        owner: "{{ kolla_user }}"
        group: "{{ kolla_group }}"
        mode: "0755"
      become: True
      when: create_kolla_user | bool

    - name: Ensure node_config_directory directory exists
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        mode: "0755"
      become: True
      when: not create_kolla_user | bool

    On the first run, normally node_config_directory (/etc/kolla/) doesn't
    exist, so it is created with kolla:kolla ownership and 0755 permissions.

    If we then run 'kolla-ansible deploy', config files are created for
    containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions
    for those files should be set according to 'config_owner_user' and
    'config_owner_group'.

    If at some point we again run kolla-ansible bootstrap-servers, it will
    recursively set the ownership and permissions of all files in /etc/kolla
    to kolla:kolla / 0755.

    The solution is to change bootstrap-servers to not set the owner and
    permissions recursively. It's also arguable that /etc/kolla should be
    owned by 'config_owner_user' and 'config_owner_group', rather than
    kolla:kolla, although that's a separate issue.

    Change-Id: I24668914a9cedc94d5a6cb835648740ce9ce6e39
    Closes-Bug: #1821599
    (cherry picked from commit 6b0be5c5bacd91bb94ec6b75715affb9777e568d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/pike)

Reviewed: https://review.openstack.org/649172
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=404dd96343e3fb25590a29b504ef1c952650a54a
Submitter: Zuul
Branch: stable/pike

commit 404dd96343e3fb25590a29b504ef1c952650a54a
Author: Mark Goddard <email address hidden>
Date: Mon Mar 25 14:16:45 2019 +0000

    Remove recurse: yes for owner/perms on /etc/kolla

    When kolla-ansible bootstrap-servers is run, it executes one of the
    following two tasks:

    - name: Ensure node_config_directory directory exists for user kolla
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        owner: "{{ kolla_user }}"
        group: "{{ kolla_group }}"
        mode: "0755"
      become: True
      when: create_kolla_user | bool

    - name: Ensure node_config_directory directory exists
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        mode: "0755"
      become: True
      when: not create_kolla_user | bool

    On the first run, normally node_config_directory (/etc/kolla/) doesn't
    exist, so it is created with kolla:kolla ownership and 0755 permissions.

    If we then run 'kolla-ansible deploy', config files are created for
    containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions
    for those files should be set according to 'config_owner_user' and
    'config_owner_group'.

    If at some point we again run kolla-ansible bootstrap-servers, it will
    recursively set the ownership and permissions of all files in /etc/kolla
    to kolla:kolla / 0755.

    The solution is to change bootstrap-servers to not set the owner and
    permissions recursively. It's also arguable that /etc/kolla should be
    owned by 'config_owner_user' and 'config_owner_group', rather than
    kolla:kolla, although that's a separate issue.

    Change-Id: I24668914a9cedc94d5a6cb835648740ce9ce6e39
    Closes-Bug: #1821599
    (cherry picked from commit 6b0be5c5bacd91bb94ec6b75715affb9777e568d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/queens)

Reviewed: https://review.openstack.org/649171
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=ffd68d7cadf92e49dd753de40839a634aa98ad0d
Submitter: Zuul
Branch: stable/queens

commit ffd68d7cadf92e49dd753de40839a634aa98ad0d
Author: Mark Goddard <email address hidden>
Date: Mon Mar 25 14:16:45 2019 +0000

    Remove recurse: yes for owner/perms on /etc/kolla

    When kolla-ansible bootstrap-servers is run, it executes one of the
    following two tasks:

    - name: Ensure node_config_directory directory exists for user kolla
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        owner: "{{ kolla_user }}"
        group: "{{ kolla_group }}"
        mode: "0755"
      become: True
      when: create_kolla_user | bool

    - name: Ensure node_config_directory directory exists
      file:
        path: "{{ node_config_directory }}"
        state: directory
        recurse: true
        mode: "0755"
      become: True
      when: not create_kolla_user | bool

    On the first run, normally node_config_directory (/etc/kolla/) doesn't
    exist, so it is created with kolla:kolla ownership and 0755 permissions.

    If we then run 'kolla-ansible deploy', config files are created for
    containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions
    for those files should be set according to 'config_owner_user' and
    'config_owner_group'.

    If at some point we again run kolla-ansible bootstrap-servers, it will
    recursively set the ownership and permissions of all files in /etc/kolla
    to kolla:kolla / 0755.

    The solution is to change bootstrap-servers to not set the owner and
    permissions recursively. It's also arguable that /etc/kolla should be
    owned by 'config_owner_user' and 'config_owner_group', rather than
    kolla:kolla, although that's a separate issue.

    Change-Id: I24668914a9cedc94d5a6cb835648740ce9ce6e39
    Closes-Bug: #1821599
    (cherry picked from commit 6b0be5c5bacd91bb94ec6b75715affb9777e568d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 8.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 8.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 5.0.5

This issue was fixed in the openstack/kolla-ansible 5.0.5 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 6.2.0

This issue was fixed in the openstack/kolla-ansible 6.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 7.1.0

This issue was fixed in the openstack/kolla-ansible 7.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.