Bug 1416494 - glance-manage command failed to execute
Summary: glance-manage command failed to execute
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 12.0 (Pike)
Assignee: Cyril Roelandt
QA Contact: Avi Avraham
Blocks: 1396794
Reported: 2017-01-25 15:50 UTC by Avi Avraham
Modified: 2018-01-29 14:01 UTC (History)

Last Closed: 2017-03-30 06:19:49 UTC

Description Avi Avraham 2017-01-25 15:50:14 UTC
Description of problem:
The following command failed while running 
glance-manage db purge --age_in_days 1

Version-Release number of selected component (if applicable):
openstack-glance-14.0.0-0.20170117185710.0bf9d80.el7ost.noarch
puppet-glance-10.1.0-0.20170114055802.2a57b21.el7ost.noarch
python-glanceclient-2.5.0-0.20161111191712.d419632.el7ost.noarch
python-glance-store-0.19.1-0.20170117151447.ee6840c.el7ost.noarch
python-glance-14.0.0-0.20170117185710.0bf9d80.el7ost.noarch

How reproducible:
A standard TripleO installation (1 controller + 1 compute) of RHOS11

Steps to Reproduce:
run the following command: "glance-manage db_version" 

Actual results:

[stack@undercloud-0 ~]$ glance-manage db_version
Option "verbose" from group "DEFAULT" is deprecated for removal.  Its value may be silently ignored in the future.
Traceback (most recent call last):
  File "/bin/glance-manage", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/glance/cmd/manage.py", line 323, in main
    config.parse_args(default_config_files=cfg_files)
  File "/usr/lib/python2.7/site-packages/glance/common/config.py", line 679, in parse_args
    default_config_files=default_config_files)
  File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2343, in __call__
    self._namespace._files_permission_denied)
oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/glance/glance-registry.conf,/etc/glance/glance-api.conf

Expected results:
Command successfully executed  

Additional info:

Comment 1 Cyril Roelandt 2017-01-26 13:05:04 UTC
Hello Avi,

Could you run "ls -l /etc/glance" ?

Comment 2 Eric Harney 2017-02-01 14:41:18 UTC
The glance config files contain credentials for the database; those have to be protected from unprivileged users.

So I think this is expected behavior of running glance-manage as a user other than root.

Comment 3 Avi Avraham 2017-02-14 08:46:52 UTC
[root@undercloud-0 ~]# ls -l /etc/glance/
total 476
-rw-r-----. 1 root glance 150364 Feb 12 04:01 glance-api.conf
-rw-r-----. 1 root glance  76369 Feb 12 04:01 glance-cache.conf
-rw-r-----. 1 root glance  74846 Jan 20 12:13 glance-glare.conf
-rw-r-----. 1 root glance  75033 Feb 12 04:01 glance-registry.conf
-rw-r-----. 1 root glance  81013 Jan 20 12:13 glance-scrubber.conf
-rw-r--r--. 1 root root      178 Feb 12 03:56 glance-swift.conf
drwxr-xr-x. 2 root root     4096 Feb 12 03:56 metadefs
-rw-r-----. 1 root glance   1390 Jan 20 12:13 policy.json
drwxr-xr-x. 2 root root     4096 Feb 12 03:56 rootwrap.d
-rw-r-----. 1 root glance   1380 Jan 20 12:13 schema-image.json

Comment 4 Christian Schwede (cschwede) 2017-03-16 12:58:16 UTC
I agree with Eric, this behaviour is intended and looks correct to me.

Both on the undercloud (as the "stack" user) and the overcloud (as "heat-admin") it is required to use sudo to execute these commands (or switch to the glance user, as described in our documentation: https://url.corp.redhat.com/2a338d4).

I think this BZ is not a bug therefore - can we close it please?

Comment 6 Christian Schwede (cschwede) 2017-03-30 06:19:49 UTC
I deployed a Newton under- and overcloud; permissions look identical to me compared to the Ocata release:

[stack@undercloud ~]$ ls -lh /etc/glance/
total 452K
-rw-r-----. 1 root glance 139K Mar 16 15:12 glance-api.conf
-rw-r-----. 1 root glance  74K Mar 16 15:11 glance-cache.conf
-rw-r-----. 1 root glance  71K Sep 13  2016 glance-glare.conf
-rw-r-----. 1 root glance  66K Mar 16 15:12 glance-registry.conf
-rw-r-----. 1 root glance  78K Sep 13  2016 glance-scrubber.conf
-rw-r--r--. 1 root root    180 Mar 16 15:12 glance-swift.conf
drwxr-xr-x. 2 root root   4.0K Mar 11 08:47 metadefs
-rw-r-----. 1 root glance 1.4K Sep  5  2016 policy.json
-rw-r-----. 1 root glance 1.4K Sep  5  2016 schema-image.json

[heat-admin@overcloud-controller-0 ~]$ ls -lh /etc/glance/
total 452K
-rw-r-----. 1 root glance 139K Mar 16 15:59 glance-api.conf
-rw-r-----. 1 root glance  74K Mar 16 15:59 glance-cache.conf
-rw-r-----. 1 root glance  71K Sep 13  2016 glance-glare.conf
-rw-r-----. 1 root glance  66K Mar 16 15:59 glance-registry.conf
-rw-r-----. 1 root glance  78K Sep 13  2016 glance-scrubber.conf
-rw-r--r--. 1 root root    166 Mar 16 15:55 glance-swift.conf
drwxr-xr-x. 2 root root   4.0K Mar 11 08:47 metadefs
-rw-r-----. 1 root glance 1.4K Sep  5  2016 policy.json
-rw-r-----. 1 root glance 1.4K Sep  5  2016 schema-image.json

Permissions look identical to the earlier posted permissions on Ocata; all files except glance-swift and metadefs require root user or glance group.

Closing this therefore, please feel free to re-open in case you see a regression.
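
As an added example (not part of the original bug report or any commenter's code), the access check discussed in this thread can be reproduced offline in Python over rows of the `ls -l /etc/glance/` output posted above. The group memberships passed to `audit` are assumptions, and SELinux labels and POSIX ACLs are not modelled.

```python
# Constructed sample: rows copied from the `ls -l /etc/glance/` output in Comment 3.
LISTING = """\
total 476
-rw-r-----. 1 root glance 150364 Feb 12 04:01 glance-api.conf
-rw-r-----. 1 root glance  75033 Feb 12 04:01 glance-registry.conf
-rw-r--r--. 1 root root      178 Feb 12 03:56 glance-swift.conf
drwxr-xr-x. 2 root root     4096 Feb 12 03:56 metadefs
"""


def parse_ls(listing):
    """Yield (name, mode, owner, group) for each entry row of `ls -l` output."""
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0][0] not in "-dl":
            continue  # skips the "total N" header and blank lines
        # Keep the 10 type/permission characters; drop the trailing SELinux "."
        yield parts[8], parts[0][:10], parts[2], parts[3]


def can_read(mode, owner, group, user, groups):
    """POSIX class check: owner bits if owner, else group bits, else other bits."""
    if user == "root":
        return True  # root bypasses discretionary read checks
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def audit(listing, user, groups):
    """Return (files `user` cannot read, files readable by every local user)."""
    denied, world_readable = [], []
    for name, mode, owner, group in parse_ls(listing):
        if mode[0] != "-":
            continue  # only regular files are of interest here
        if not can_read(mode, owner, group, user, groups):
            denied.append(name)
        if mode[7] == "r":
            world_readable.append(name)
    return denied, world_readable


if __name__ == "__main__":
    # Assumption: the "stack" user is not a member of the "glance" group.
    print(audit(LISTING, "stack", {"stack"}))
    print(audit(LISTING, "glance", {"glance"}))
```

For the "stack" user the denied list is the same pair of files named in the ConfigFilesPermissionDeniedError from the description; the world-readable list is what to review if a credential-bearing file ever appears in it.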

