Bug 887334

Summary: a comprehensive nova.conf file should be included in the RPM(s)
Product: Red Hat OpenStack
Reporter: Dan Yocum <dyocum>
Component: openstack-nova
Assignee: Nikola Dipanov <ndipanov>
Status: CLOSED ERRATA
QA Contact: Nir Magnezi <nmagnezi>
Severity: medium
Priority: high
Version: 1.0 (Essex)
CC: apevec, eglynn, eharney, markmc, rbryant
Target Milestone: snapshot2
Keywords: Triaged
Target Release: 2.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-nova-2012.2.2-9.el6ost
Doc Type: Bug Fix
Clones: 887804 887811 887815 887818 887822
Last Closed: 2013-02-14 13:23:26 EST
Type: Bug

Description Dan Yocum 2012-12-14 12:19:17 EST
Description of problem:

A nova.conf file with a comprehensive set of configuration options should be shipped with the various nova services.  Here is a good example to work from:

https://github.com/yocum137/nova.conf/blob/master/nova.conf
Comment 1 Dan Yocum 2012-12-14 12:22:34 EST
This one looks like it's more up-to-date:

https://github.com/openstack/nova/blob/master/etc/nova/nova.conf.sample
Comment 2 Russell Bryant 2013-01-02 15:20:17 EST
should grab the one from stable/folsom ...

https://github.com/openstack/nova/blob/stable/folsom/etc/nova/nova.conf.sample
Comment 3 Russell Bryant 2013-01-02 15:23:00 EST
I think we should package up this nova.conf.sample as-is and put it in /usr/share/doc/ or whatever is appropriate.

Additionally, I think it's worth adding more meat to the default /etc/nova/nova.conf.
Comment 4 Mark McLoughlin 2013-01-10 11:45:57 EST
Ok, so after some discussion ... what we're thinking is:

  1) Take our current nova.conf with our distribution specific defaults and
     put that in /usr/share/nova/nova-dist.conf

     The systemd units and init scripts will need to be updated to do:

       --config-file=/usr/share/nova/nova-dist.conf --config-file=/etc/nova/nova.conf

     This means that users can start with an empty /etc/nova/nova.conf file
     and still be using the distribution defaults

     This file should not be marked as %config(noreplace) since it is not
     intended to be user-editable

  2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf

     This means the default user-editable config file contains nothing but
     comments explaining what options are available

  3) The sample nova.conf file should use the new format that we've switched
     to in Grizzly: https://review.openstack.org/19292

  4) Our "vanilla" packages (e.g. in Fedora or EPEL) should just use the stock
     upstream nova.conf.sample with the exception that we should update the
     default values in the sample file to reflect our distribution defaults

  5) In the productized packages, we should strip the sample nova.conf to only
     include options we recommend using and perhaps improve the descriptions.
Comment 5 Mark McLoughlin 2013-01-16 07:51:28 EST
In our default /etc/nova/nova.conf we should also document the [keystone_authtoken] section, but the keystone_authtoken defaults should live in /usr/share/nova/nova-dist.conf
Comment 6 Russell Bryant 2013-01-16 08:45:46 EST
It may also be worth including a note at the top of /etc/nova/nova.conf indicating where distribution provided defaults can be found (.../nova-dist.conf).
Comment 7 Alan Pevec 2013-01-17 13:59:20 EST
One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t while files under /usr/share/nova/ get usr_t
Comment 13 Yaniv Kaul 2013-02-07 16:08:53 EST
(In reply to comment #4)
snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :

> Ok, so after some discussion ... what we're thinking is:
> 
>   1) Take our current nova.conf with our distribution specific defaults and
>      put that in /usr/share/nova/nova-dist.conf

Exists.

> 
>      The systemd units and init scripts will need to be updated to do:
> 
>        --config-file=/usr/share/nova/nova-dist.conf
> --config-file=/etc/nova/nova.conf

Exists.
> 
>      This means that users can start with an empty /etc/nova/nova.conf file
>      and still be using the distribution defaults
> 
>      This file should not be marked as %config(noreplace) since it is not
>      intended to be user-editable
> 
>   2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> 
>      This means the default user-editable config file contains nothing but
>      comments explaining what options are available

Does not exist.
[root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
[root@cougar10 init.d]#

> 
>   3) The sample nova.conf file should use the new format that we've switched
>      to in Grizzly: https://review.openstack.org/19292
> 
>   4) Our "vanilla" packages (e.g. in Fedora or EPEL) should just use the
> stock
>      upstream nova.conf.sample with the exception that we should update the
>      default values in the sample file to reflect our distribution defaults
> 
>   5) In the productized packages, we should strip the sample nova.conf to
> only
>      include options we recommend using and perhaps improve the descriptions.
Comment 14 Yaniv Kaul 2013-02-07 16:10:13 EST
(In reply to comment #6)
> It may also be worth including a note at the top of /etc/nova/nova.conf
> indicating where distribution provided defaults can be found
> (.../nova-dist.conf).

Wasn't implemented?
Comment 15 Yaniv Kaul 2013-02-07 16:12:31 EST
(In reply to comment #5)
> In our default /etc/nova/nova.conf we should also document the
> [keystone_authtoken] section, but the keystone_authtoken defaults should
> live in /usr/share/nova/nova-dist.conf

/etc/nova/nova.conf :
[keystone_authtoken]

#
# Options to be passed to keystoneclient.auth_token middleware
# NOTE: These options are not defined in nova but in the
#       keystoneclient package
#

# the name of the admin tenant (string value)
#admin_tenant_name = %SERVICE_TENANT_NAME%

# the keystone admin username (string value)
#admin_user = %SERVICE_USER%

# the keystone admin password (string value)
#admin_password = %SERVICE_PASSWORD%

# the keystone host (string value)
#auth_host = 127.0.0.1

# the keystone port (integer value)
#auth_port = 35357

# protocol to be used for auth requests http/https (string value)
#auth_protocol = http


/usr/share/nova/nova-dist.conf:
[keystone_authtoken]
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http


Not sure that's good enough.

(Note: this was an upgrade, not a clean install and not via packstack. Will also repeat via packstack).
Comment 16 Yaniv Kaul 2013-02-07 16:14:48 EST
(In reply to comment #7)
> One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> while files under /usr/share/nova/ get usr_t

[root@cougar10 nova]# ls -Z /etc/nova/nova.conf /usr/share/nova/nova-dist.conf 
-rw-r-----. nova nova system_u:object_r:etc_t:s0       /etc/nova/nova.conf
-rw-r-----. root nova system_u:object_r:usr_t:s0       /usr/share/nova/nova-dist.conf


Not sure why /usr/share/nova/nova-dist.conf belongs to root?
Comment 17 Yaniv Kaul 2013-02-07 16:16:10 EST
Setting NEEDINFO for assignee for comment 13 , comment 14 , comment 15 , comment 16 (not sure the fix is good enough, though didn't see any real blocker)
Comment 18 Russell Bryant 2013-02-11 14:19:32 EST
(In reply to comment #13)
> (In reply to comment #4)
> snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
> 
> >   2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> > 
> >      This means the default user-editable config file contains nothing but
> >      comments explaining what options are available
> 
> Does not exist.
> [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> [root@cougar10 init.d]#

In later output, you show the SELinux context on the nova.conf file, so it does exist.  Are the contents not what you expect?  What's wrong with it?
Comment 19 Russell Bryant 2013-02-11 14:21:55 EST
(In reply to comment #16)
> (In reply to comment #7)
> > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > while files under /usr/share/nova/ get usr_t
> 
> [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> /usr/share/nova/nova-dist.conf 
> -rw-r-----. nova nova system_u:object_r:etc_t:s0       /etc/nova/nova.conf
> -rw-r-----. root nova system_u:object_r:usr_t:s0      
> /usr/share/nova/nova-dist.conf
> 
> 
> Not sure why /usr/share/nova/nova-dist.conf belongs to root?

It's a file that we install that the user should never modify, so the permissions seem reasonable to me.  Would you suggest something different?
Comment 20 Yaniv Kaul 2013-02-12 08:27:57 EST
(In reply to comment #19)
> (In reply to comment #16)
> > (In reply to comment #7)
> > > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > > while files under /usr/share/nova/ get usr_t
> > 
> > [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> > /usr/share/nova/nova-dist.conf 
> > -rw-r-----. nova nova system_u:object_r:etc_t:s0       /etc/nova/nova.conf
> > -rw-r-----. root nova system_u:object_r:usr_t:s0      
> > /usr/share/nova/nova-dist.conf
> > 
> > 
> > Not sure why /usr/share/nova/nova-dist.conf belongs to root?
> 
> It's a file that we install that the user should never modify, so the
> permissions seem reasonable to me.  Would you suggest something different?

nova:nova.
Comment 21 Yaniv Kaul 2013-02-12 08:28:53 EST
(In reply to comment #18)
> (In reply to comment #13)
> > (In reply to comment #4)
> > snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
> > 
> > >   2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> > > 
> > >      This means the default user-editable config file contains nothing but
> > >      comments explaining what options are available
> > 
> > Does not exist.
> > [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> > [root@cougar10 init.d]#
> 
> In later output, you show the SELinux context on the nova.conf file, so it
> does exist.  Are the contents not what you expect?  What's wrong with it?

Perhaps my misunderstanding: /usr/share/nova/nova-dist-conf is the upstream nova.conf.sample ?
Comment 22 Mark McLoughlin 2013-02-12 09:55:29 EST
(In reply to comment #21)
> (In reply to comment #18)
> > (In reply to comment #13)
> > > (In reply to comment #4)
> > > snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
> > > 
> > > >   2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> > > > 
> > > >      This means the default user-editable config file contains nothing but
> > > >      comments explaining what options are available
> > > 
> > > Does not exist.
> > > [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> > > [root@cougar10 init.d]#
> > 
> > In later output, you show the SELinux context on the nova.conf file, so it
> > does exist.  Are the contents not what you expect?  What's wrong with it?
> 
> Perhaps my misunderstanding: /usr/share/nova/nova-dist-conf is the upstream
> nova.conf.sample ?

We take upstream nova.conf.sample and install it as /etc/nova/nova.conf
Comment 23 Mark McLoughlin 2013-02-12 10:03:39 EST
(In reply to comment #20)
> (In reply to comment #19)
> > (In reply to comment #16)
> > > (In reply to comment #7)
> > > > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > > > while files under /usr/share/nova/ get usr_t
> > > 
> > > [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> > > /usr/share/nova/nova-dist.conf 
> > > -rw-r-----. nova nova system_u:object_r:etc_t:s0       /etc/nova/nova.conf
> > > -rw-r-----. root nova system_u:object_r:usr_t:s0      
> > > /usr/share/nova/nova-dist.conf
> > > 
> > > 
> > > Not sure why /usr/share/nova/nova-dist.conf belongs to root?
> > 
> > It's a file that we install that the user should never modify, so the
> > permissions seem reasonable to me.  Would you suggest something different?
> 
> nova:nova.

I'd be inclined to say nova-dist.conf should be root:root and 755

It doesn't contain anything which shouldn't be world-readable and you don't want it to be writable by nova

Current perms aren't a blocker though
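The ownership and mode discussion in comments 16 through 23 (nova-dist.conf should not be writable by the nova user, while /etc/nova/nova.conf carries keystone_authtoken credentials and so must not be world-readable) is the kind of thing worth checking mechanically after an upgrade. The following is an added example, not code from the bug or from nova; it applies the policy stated in comment 23, reads the SELinux type from the security.selinux xattr where one is available, and audits constructed throwaway copies of both files rather than the real paths.

```python
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Optional


def selinux_type(path: str) -> Optional[str]:
    """Return the SELinux type of a file (the 'usr_t' in
    system_u:object_r:usr_t:s0) from its security.selinux xattr, or None when
    labels cannot be read (non-Linux host, SELinux disabled, no xattr)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    parts = raw.rstrip(b"\x00").decode("ascii", "replace").split(":")
    return parts[2] if len(parts) >= 3 else None


def audit_conf(path: str, role: str, service_user: str = "nova",
               expected_selinux_type: Optional[str] = None) -> List[str]:
    """Return a list of findings for one of nova's two config files.

    role="dist": /usr/share/nova/nova-dist.conf, distribution defaults that
        the service must never be able to rewrite: owned by root, readable by
        all, writable only by its owner (the stance in comment 23).
    role="user": /etc/nova/nova.conf, the operator-edited file carrying the
        [keystone_authtoken] credentials: must not be readable by 'other'.
    An empty list means the file matches that policy."""
    if role not in ("dist", "user"):
        raise ValueError(f"unknown role {role!r}")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)

    findings: List[str] = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if role == "dist":
        if owner != "root":
            findings.append(f"owner:{owner}")
        if owner == service_user:
            findings.append("owned-by-service-user")
        if not mode & stat.S_IROTH:
            findings.append("not-world-readable")
    else:
        if mode & stat.S_IROTH:
            findings.append("world-readable-credentials")
    seen = selinux_type(path)
    if expected_selinux_type and seen and seen != expected_selinux_type:
        findings.append(f"selinux-type:{seen}")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: write throwaway copies of both files in a temp
    directory and audit them under different modes. Ownership stays that of
    the caller, so any owner finding reflects the host, not the package."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        dist = os.path.join(tmp, "nova-dist.conf")
        user = os.path.join(tmp, "nova.conf")
        with open(dist, "w") as fh:
            fh.write("[DEFAULT]\nstate_path = /var/lib/nova\n")
        with open(user, "w") as fh:
            fh.write("[keystone_authtoken]\nadmin_password = %SERVICE_PASSWORD%\n")
        for mode in (0o666, 0o644):
            os.chmod(dist, mode)
            results[f"dist-{mode:o}"] = audit_conf(dist, "dist")
        for mode in (0o644, 0o640):
            os.chmod(user, mode)
            results[f"user-{mode:o}"] = audit_conf(user, "user")
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'ok'}")
    # On the packaged host the same checks would be, with the contexts from
    # comment 7 as the expected SELinux types:
    # audit_conf("/usr/share/nova/nova-dist.conf", "dist", expected_selinux_type="usr_t")
    # audit_conf("/etc/nova/nova.conf", "user", expected_selinux_type="etc_t")
```

Against the snapshot's actual files (0640 root:nova and 0640 nova:nova per comment 16) this would report only not-world-readable on nova-dist.conf, matching comment 23's view that the current permissions are not a blocker.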
Comment 24 Mark McLoughlin 2013-02-12 10:06:04 EST
(In reply to comment #15)
> (In reply to comment #5)
> > In our default /etc/nova/nova.conf we should also document the
> > [keystone_authtoken] section, but the keystone_authtoken defaults should
> > live in /usr/share/nova/nova-dist.conf
> 
> /etc/nova/nova.conf :
> [keystone_authtoken]
... 

> /usr/share/nova/nova-dist.conf:
> [keystone_authtoken]
.. 
> 
> Not sure that's good enough.

What do you think is missing? Docs in nova-dist.conf

The important thing is that we document the options in nova.conf - that's the only file users should modify

We could also document in nova-dist.conf why we've chosen these defaults, but that's probably not relevant in the keystone_authtoken case

Looks fine to me
Comment 25 Yaniv Kaul 2013-02-13 14:48:29 EST
Moving to VERIFIED based on above comments.
Comment 27 errata-xmlrpc 2013-02-14 13:23:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0260.html