Bug 889336
Summary: | Glance: glance-manage db_sync as root makes glance-registry not start | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Dan Prince <dprince> | ||||
Component: | openstack-glance | Assignee: | John Bresnahan <jbresnah> | ||||
Status: | CLOSED WONTFIX | QA Contact: | Yaniv Kaul <ykaul> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 3.0 | CC: | abaron, eglynn, jbresnah, jkt | ||||
Target Milestone: | async | Keywords: | Triaged | ||||
Target Release: | 2.1 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2013-04-24 23:09:44 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Dan Prince
2012-12-20 20:46:57 UTC
Yes, seems like we could use a ExecStartPre= directive in: https://github.com/fedora-openstack/openstack-glance/blob/master/openstack-glance-registry.service to chmod the log if necessary. To chmod/chown the file on start up we would have to figure out where the log file is. We cannot really assume that the file is in /var/log/glance because the user could have changed the location in various ways. Perhaps the solution here is to just have a friendly log message. The RHOS product instructions do not have a user run glance-manage db_sync. If a user is doing this they are either misguided or doing something more complicated. If it is the latter then it is fair to assume that they may have modified the configuration files and thus maybe logging some place besides the default location. Therefore simply changing the ownership of the default file is only a partial solution. In order to truly solve this we would need one of two things: 1) a utility that tracked down all of the files to which the services were going to write, and correct their permissions where possible. 2) a means to capture stderr from the init scripts and report it to the user. Right now that output is just directed to /dev/null Created attachment 732948 [details]
A patch to the init files.
Comment on attachment 732948 [details]
A patch to the init files.
not sure about this.
The issue isn't specific to glance.
Also this doesn't handle the Fedora side of things.
Also the user shouldn't be running db sync as root.
Also this doesn't handle different logging locatations.
...
Maybe an upstream oslo patch to logging to move unwriteable files
out of the way would be better, and would fix it everywhere.
Isn't the error message for this edge case fairly obvious?
I never wasted any time with this issue at least,
but maybe the error message could be improved.
thanks
Because the user should not run db_sync as root I think this should be a WONT_FIX. We cannot effectively prevent misuse with root level access. |