Bug 1608295

Summary: ceph-nfs defaults to admin keyring, which is not available when distributed to a custom role
Product: Red Hat OpenStack Reporter: Giulio Fidente <gfidente>
Component: openstack-tripleo-heat-templatesAssignee: Giulio Fidente <gfidente>
Status: CLOSED ERRATA QA Contact: Yogev Rabl <yrabl>
Severity: medium Docs Contact:
Priority: medium    
Version: 13.0 (Queens)CC: dschoenb, gfidente, lmarsh, mburns, rraja, tbarron
Target Milestone: z3Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-8.0.7-2.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-13 22:27:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Giulio Fidente 2018-07-25 09:24:45 UTC 
We should configure ceph-nfs to use a non-admin keyring (possibly manila)
Comment 2 Ram Raja 2018-08-01 14:58:52 UTC 
(In reply to Giulio Fidente from comment #0)
> We should configure ceph-nfs to use a non-admin keyring (possibly manila)

What are the cephx permissions/caps of this manila cephx ID?


We'll have to make changes here in the generated ganesha.conf,
https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/ceph.conf#L158

https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/ceph.conf#L174

Need to set those two config settings to 'manila'
Comment 3 Giulio Fidente 2018-08-01 15:22:04 UTC 
Thanks Ram for helping; the submission does change the two lines you pointed to in comment #2.

The permissions set for the 'manila' keyring are here [1]; please comment you believe those are not sufficient or that should be reviewed

1. https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/ceph-ansible/ceph-base.yaml#L282-L287
Comment 4 Ram Raja 2018-08-02 12:38:15 UTC 
(In reply to Giulio Fidente from comment #3)
> Thanks Ram for helping; the submission does change the two lines you pointed
> to in comment #2.

Missed seeing that. LGTM. Thanks, Giulio!

> 
> The permissions set for the 'manila' keyring are here [1]; please comment
> you believe those are not sufficient or that should be reviewed

The permissions should be sufficient.
> 
> 1.
> https://github.com/openstack/tripleo-heat-templates/blob/master/docker/
> services/ceph-ansible/ceph-base.yaml#L282-L287
Comment 13 errata-xmlrpc 2018-11-13 22:27:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587