Bug 958911
| Field | Value |
|---|---|
| Summary | packstack sets wrong permission bits on log dirs for cinder, nova, keystone, quantum |
| Product | [Community] RDO |
| Component | openstack-packstack |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | unspecified |
| Version | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Giulio Fidente <gfidente> |
| Assignee | Martin Magr <mmagr> |
| QA Contact | Giulio Fidente <gfidente> |
| CC | aortega, bsettle, derekh, gfidente, kchamart, lars, mmagr, rfujita |
| Keywords | Triaged |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2015-03-18 14:35:58 UTC |

For cinder (and probably for the other components too) the issue seems to have been fixed in puppet-cinder at https://github.com/stackforge/puppet-cinder/tree/master/manifests where things look to be changed a lot.

keystone doesn't start for a permission error with openstack-packstack-2013.1.1-0.3.dev527.fc19.

--- init.pp.old 2013-06-27 22:05:49.000000000 +0900
+++ init.pp 2013-06-27 22:06:06.000000000 +0900
@@ -114,6 +114,11 @@
mode => '0600',
}
+ file { '/var/log/keystone/keystone.log':
+ owner => 'keystone',
+ group => 'keystone',
+ }
+
# default config
keystone_config {
'DEFAULT/admin_token': value => $admin_token;
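
Review bot: the added file resource for /var/log/keystone/keystone.log sets owner and group but no mode, so the log keeps whatever permission bits it had when it was first created, and the hunk leaves the parent /var/log/keystone directory unmanaged. Suggest setting the mode explicitly next to owner and group (for example `mode => '0640',`) and managing the directory's owner, group and mode in the same change, so the outcome does not depend on which process created the log first.
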
We haven't used the puppetlabs-cinder module for a long time. Instead we use puppet-cinder from stackforge [1]. Class "cinder::base" is deprecated according to the source, and in class "cinder" there isn't code which was modifying /var/log/permission. Will have to investigate more to find out the reason for the removal.

[1] https://github.com/stackforge/puppet-cinder/blob/master/manifests/base.pp

Going through RDO bugs here. I just tested on an OpenStack setup with this version -- openstack-packstack-2014.1.1-0.19.dev1102.el7ost.noarch, and Cinder has 750 permissions. Also, posted

drwxr-x---. 2 cinder root 98 Jun 3 02:27 cinder
drwxr-xr-x. 2 neutron neutron 4.0K Jun 3 02:39 neutron
drwxr-x---. 2 nova nova 4.0K Jun 3 02:35 nova
drwxr-x---. 2 keystone keystone 25 Jun 3 02:24 keystone

So, seems like it's fixed in the current version. Can you confirm this, Giulio?

Hi Kashayp, seeing your same results using openstack-packstack-2014.1.1-0.20.dev1109.el7ost.noarch; still, three other components continue to have 755: neutron, ceilometer and heat. I'm not sure, though, how important this is and if this is a bug at all.

The problem originally described in this report has been corrected. I don't believe that mode 755 permissions on log directories is itself a problem unless we are inadvertently exposing secrets. If that is the case, please open a new bug with specific examples. Thanks!

Description of problem:
base.pp class from the linked cinder submodule sets default permissions to 644, see:
> https://github.com/packstack/puppetlabs-cinder/blob/d9f9efac3db5749c2130a8b74c511ffd1161bec2/manifests/base.pp#L31
That in turn makes puppet set permissions to 755 on /var/log/cinder and /var/lib/cinder

Version-Release number of selected component (if applicable):
openstack-packstack-2013.1.1-0.5.dev538.el6.noarch

Steps to Reproduce:
1. install openstack-cinder, check permissions for /var/log/cinder
2. run packstack, check permissions for /var/log/cinder

Expected results:
permissions aren't changed
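
The permission check from the steps to reproduce, turned into a small audit that can be run before and after packstack (an added example, not part of the original report or of packstack). It flags service log directories that grant any access to "other" and lists only the files other users could actually reach and read; the function name `audit_log_dirs` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from packstack.
# audit_log_dirs and its output format are assumptions made for this example.

# audit_log_dirs ROOT SERVICE...
# Prints "DIR other=<bits> <path>" for each ROOT/SERVICE directory that grants
# any access to "other", and "FILE <path>" for each file under it that other
# users can both reach and read. Returns 1 if anything was printed, else 0.
audit_log_dirs() {
    root=$1; shift
    found=0
    for svc in "$@"; do
        dir=$root/$svc
        [ -d "$dir" ] || continue
        # Characters 8-10 of the ls mode string (e.g. drwxr-x---) are "other".
        other=$(ls -ld "$dir" | cut -c8-10)
        [ "$other" = "---" ] && continue
        found=1
        printf 'DIR other=%s %s\n' "$other" "$dir"
        # Without o+x on the directory, its files are unreachable to "other"
        # whatever their own mode is, so only descend when it is set.
        case $other in
            *x|*t) ;;
            *) continue ;;
        esac
        # Skip subdirectories that lack o+x; list files that have o+r.
        find "$dir" -type d ! -perm -001 -prune -o -type f -perm -004 -print |
            sed 's/^/FILE /'
    done
    return "$found"
}

# Constructed sample tree standing in for /var/log (modes as quoted in the thread).
demo=$(mktemp -d)
mkdir "$demo/cinder" "$demo/neutron"
touch "$demo/cinder/api.log" "$demo/neutron/server.log"
chmod 644 "$demo/cinder/api.log" "$demo/neutron/server.log"
chmod 750 "$demo/cinder"
chmod 755 "$demo/neutron"
audit_log_dirs "$demo" cinder neutron || true
rm -rf "$demo"
```

On a real host the call would be `audit_log_dirs /var/log cinder nova keystone neutron ceilometer heat`, run as a user allowed to list those directories.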