Bug 1994930

Summary: [gss][ceph-ansible][iscsigw]ceph-ansible automatically appending trusted_ip_list=192.168.122.1 in iscsi-gateway.cfg
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Geo Jose <gjose>
Component: Ceph-AnsibleAssignee: Guillaume Abrioux <gabrioux>
Status: CLOSED ERRATA QA Contact: Ameena Suhani S H <amsyedha>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.2CC: aschoen, ceph-eng-bugs, dsavinea, gabrioux, gmeno, lithomas, nthomas, pdhange, rmandyam, tserlin, vereddy, ykaul
Target Milestone: ---   
Target Release: 4.3   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-ansible-4.0.65-1.el8cp, ceph-ansible-4.0.65-1.el7cp Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-05 07:53:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Geo Jose 2021-08-18 08:09:23 UTC 
Description of problem:
 ceph-ansible automatically appending trusted_ip_list=192.168.122.1 in iscsi-gateway.cfg

Version-Release number of selected component (if applicable):
 RHCS 4


How reproducible:
 Install the Ceph iSCSI gateway using ceph-ansible.

Steps to Reproduce:
1. Install Ceph iSCSI gateway using ceph-ansible [a].
2. Check iscsi-gateway.cfg
 
Actual results:
By default, ceph-ansible is adding "trusted_ip_list=192.168.122.1" even though, it isn't mention "trusted_ip_list" in iscsigws.yml

Expected results:
ceph-ansible shouldn't add any template ip's like: 192.168.122.1.
ceph-ansible should add the ip list from "trusted_ip_list" in iscsigws.yml

Additional info:
[a]. https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/block_device_guide/the-ceph-iscsi-gateway
Comment 1 Geo Jose 2021-08-18 08:18:17 UTC 
 - As per roles/ceph-iscsi-gw, this is the template file which is creating iscsi-gateway.cfg:

$ cat  templates/iscsi-gateway.cfg.j2
# This is seed configuration used by the ceph_iscsi_config modules
# when handling configuration tasks for iscsi gateway(s)
#
# {{ ansible_managed }}

[config]
cluster_name = {{ cluster }}

# API settings.
# The API supports a number of options that allow you to tailor it to your
# local environment. If you want to run the API under https, you will need to
# create cert/key files that are compatible for each iSCSI gateway node, that is
# not locked to a specific node. SSL cert and key files *must* be called
# 'iscsi-gateway.crt' and 'iscsi-gateway.key' and placed in the '/etc/ceph/' directory
# on *each* gateway node. With the SSL files in place, you can use 'api_secure = true'
# to switch to https mode.

# To support the API, the bear minimum settings are:
api_secure = {{ api_secure }}

# Optional settings related to the CLI/API service
api_user = {{ api_user }}
api_password = {{ api_password }}
api_port = {{ api_port }}
loop_delay = {{ loop_delay }}
trusted_ip_list = {{ trusted_ip_list }}                                                                 <<===

$ grep 'trusted' /usr/share/ceph-ansible/group_vars/iscsigws.yml
#trusted_ip_list: 192.168.122.1
Comment 2 Geo Jose 2021-08-18 08:29:02 UTC 
- From /usr/share/ceph-ansible/roles/ceph-iscsi-gw/defaults/main.yml

##################
# RBD-TARGET-API #
##################
# Optional settings related to the CLI/API service
api_user: admin
api_password: admin
api_port: 5000
api_secure: false
loop_delay: 1
trusted_ip_list: 192.168.122.1                   <<===
Comment 13 errata-xmlrpc 2022-05-05 07:53:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 4.3 Security and Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1716