1400955 – Puppet does not ensure /etc/glance/glance-swift.conf permissions.

Bug 1400955 - Puppet does not ensure /etc/glance/glance-swift.conf permissions.

Summary: Puppet does not ensure /etc/glance/glance-swift.conf permissions.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-glance
Sub Component:
Version:	9.0 (Mitaka)
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	Upstream M2
Target Release:	12.0 (Pike)
Assignee:	Cyril Roelandt
QA Contact:	Avi Avraham
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-02 12:06 UTC by Rafal Szmigiel
Modified:	2018-10-08 13:56 UTC (History)
CC List:	14 users (show)
Fixed In Version:	openstack-glance-15.0.0-0.20170707130633.e1cf21d.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-13 20:54:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
RDO	6187	0	None	None	None	2017-05-29 14:27:03 UTC
Red Hat Product Errata	RHEA-2017:3462	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 12.0 Enhancement Advisory	2018-02-16 01:43:25 UTC

Description Rafal Szmigiel 2016-12-02 12:06:05 UTC

Description of problem:

In the case of more restrictive system-wide umask settings, /etc/glance/glance-swift.conf file is not readable by glance user. As a result glance is not able to configure swift backend for storage and deployment is failing.

[root@director9 ~]# umask
0077
[root@director9 ~]# ls -la /etc/glance/glance-swift.conf
-rw-------. 1 root root 182 Nov 28 05:44 /etc/glance/glance-swift.conf



2016-11-28 07:43:37.201 31209 DEBUG glance.api.v1.images [req-3d0e0bf5-b98f-400c-b999-9787352ef54c 8cda5e428dfa4387b6f45109c915fc95 75bbe862c09c4b26b401f007fbced0b1 - - -] Uploading image da
ta for image 9beb6381-764b-49c1-8ab0-6066a7ba9730 to swift store _upload /usr/lib/python2.7/site-packages/glance/api/v1/images.py:677
2016-11-28 07:43:37.201 31209 DEBUG oslo_messaging._drivers.amqpdriver [req-3d0e0bf5-b98f-400c-b999-9787352ef54c 8cda5e428dfa4387b6f45109c915fc95 75bbe862c09c4b26b401f007fbced0b1 - - -] CAST
 unique_id: 6cf41ce08f394534812a2db43e572db5 NOTIFY exchange 'glance' topic 'notifications.info' _send /usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py:438
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils [req-3d0e0bf5-b98f-400c-b999-9787352ef54c 8cda5e428dfa4387b6f45109c915fc95 75bbe862c09c4b26b401f007fbced0b1 - - -] Error in sto
re configuration. Adding images to store is disabled.
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils Traceback (most recent call last):
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/api/v1/upload_utils.py", line 110, in upload_data_to_store
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils     context=req.context)
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance_store/backend.py", line 344, in store_add_to_backend
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils     verifier=verifier)
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance_store/capabilities.py", line 224, in op_checker
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils     raise op_exec_map[op](**kwargs)
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils StoreAddDisabled: Configuration for store failed. Adding images to this store is disabled.
2016-11-28 07:43:37.294 31209 ERROR glance.api.v1.upload_utils 



Version-Release number of selected component (if applicable):
openstack-puppet-modules-8.1.8-3.el7ost.noarch


How reproducible:
Set system-wide umask to 077, follow official RH OSP9 deployment guide.

Steps to Reproduce:
1. Set system-wide umask to 077
2. Deploy OSP following official RH OSP9 deployment guide.
3. Try to upload overcloud images to glance, observe error. 

Actual results:
Overcloud images upload fails.

Expected results:
Overcloud images are successfully uploaded to glance.


Additional info:
Similar to https://bugzilla.redhat.com/show_bug.cgi?id=1399146

Comment 1 Alex Schultz 2017-02-08 17:13:32 UTC

It should be noted that we try not to do permissions in puppet and this probably should be solved by having the file (or an empty one) provided via packaging.

Comment 2 Paul Grist 2017-04-06 02:03:48 UTC

Over to glance to triage and follow up on whether this should be a packaging fix or goes back to some type of TripleO fix. Setting to OSP12 for now.

Comment 3 Red Hat Bugzilla Rules Engine 2017-04-06 02:03:56 UTC

This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 5 Cyril Roelandt 2017-05-29 14:27:03 UTC

I was looking at the spec file, and apparently, Christian already posted a patch for this :)

Comment 6 Cyril Roelandt 2017-07-17 16:01:12 UTC

Could QA verify this?

Comment 8 Tzach Shefi 2017-07-20 10:38:08 UTC

Verified on:
openstack-glance-15.0.0-0.20170707130633.e1cf21d.el7ost.noarch

On a running undercloud
deleted glance images
Changed umask 077
Successfully Uploaded images as expected. 

Permissions look fine as well
[stack@undercloud-0 ~]$ ll -a /etc/glance/
total 416
..
-rw-r--r--.   1 root glance    810 יול 17 07:18 glance-swift.conf

Comment 11 errata-xmlrpc 2017-12-13 20:54:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

Note You need to log in before you can comment on or make changes to this bug.