Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1416494

Summary: glance-manage command failed to executed
Product: Red Hat OpenStack Reporter: Avi Avraham <aavraham>
Component: openstack-glanceAssignee: Cyril Roelandt <cyril>
Status: CLOSED NOTABUG QA Contact: Avi Avraham <aavraham>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 11.0 (Ocata)CC: aavraham, cschwede, egafford, eglynn, fpercoco, pgrist, srevivo
Target Milestone: ---Keywords: Triaged
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-30 06:19:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1396794    

Description Avi Avraham 2017-01-25 15:50:14 UTC 
Description of problem:
The following command failed while running 
glance-manage db purge --age_in_days 1

Version-Release number of selected component (if applicable):
openstack-glance-14.0.0-0.20170117185710.0bf9d80.el7ost.noarch
puppet-glance-10.1.0-0.20170114055802.2a57b21.el7ost.noarch
python-glanceclient-2.5.0-0.20161111191712.d419632.el7ost.noarch
python-glance-store-0.19.1-0.20170117151447.ee6840c.el7ost.noarch
python-glance-14.0.0-0.20170117185710.0bf9d80.el7ost.noarch

How reproducible:
A standard Triple O installation 1 controller + 1 compute of RHOS11

Steps to Reproduce:
run the following command: "glance-manage db_version" 

Actual results:

[stack@undercloud-0 ~]$ glance-manage db_version
Option "verbose" from group "DEFAULT" is deprecated for removal.  Its value may be silently ignored in the future.
Traceback (most recent call last):
  File "/bin/glance-manage", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/glance/cmd/manage.py", line 323, in main
    config.parse_args(default_config_files=cfg_files)
  File "/usr/lib/python2.7/site-packages/glance/common/config.py", line 679, in parse_args
    default_config_files=default_config_files)
  File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2343, in __call__
    self._namespace._files_permission_denied)
oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/glance/glance-registry.conf,/etc/glance/glance-api.conf

Expected results:
Command successfully executed  

Additional info:
Comment 1 Cyril Roelandt 2017-01-26 13:05:04 UTC 
Hello Avi,

Could you run "ls -l /etc/glance" ?
Comment 2 Eric Harney 2017-02-01 14:41:18 UTC 
The glance config files contain credentials for the database, those have to be protected from unprivileged users.

So I think this is expected behavior of running glance-manage as a user other than root.
Comment 3 Avi Avraham 2017-02-14 08:46:52 UTC 
[root@undercloud-0 ~]# ls -l /etc/glance/
total 476
-rw-r-----. 1 root glance 150364 Feb 12 04:01 glance-api.conf
-rw-r-----. 1 root glance  76369 Feb 12 04:01 glance-cache.conf
-rw-r-----. 1 root glance  74846 Jan 20 12:13 glance-glare.conf
-rw-r-----. 1 root glance  75033 Feb 12 04:01 glance-registry.conf
-rw-r-----. 1 root glance  81013 Jan 20 12:13 glance-scrubber.conf
-rw-r--r--. 1 root root      178 Feb 12 03:56 glance-swift.conf
drwxr-xr-x. 2 root root     4096 Feb 12 03:56 metadefs
-rw-r-----. 1 root glance   1390 Jan 20 12:13 policy.json
drwxr-xr-x. 2 root root     4096 Feb 12 03:56 rootwrap.d
-rw-r-----. 1 root glance   1380 Jan 20 12:13 schema-image.json
Comment 4 Christian Schwede (cschwede) 2017-03-16 12:58:16 UTC 
I agree with Eric, this behaviour is intended and looks correct to me.

Both on the undercloud (as the "stack" user) and the overcloud (as "heat-admin") it is required to use sudo to execute these commands (or switch to the glance user, as described in our documentation: https://url.corp.redhat.com/2a338d4)

I think this BZ is not a bug therefore - can we close it please?
Comment 6 Christian Schwede (cschwede) 2017-03-30 06:19:49 UTC 
I deployed a Newton under- and overcloud; permissions look identically to me compared to the Ocata release:

[stack@undercloud ~]$ ls -lh /etc/glance/
total 452K
-rw-r-----. 1 root glance 139K Mar 16 15:12 glance-api.conf
-rw-r-----. 1 root glance  74K Mar 16 15:11 glance-cache.conf
-rw-r-----. 1 root glance  71K Sep 13  2016 glance-glare.conf
-rw-r-----. 1 root glance  66K Mar 16 15:12 glance-registry.conf
-rw-r-----. 1 root glance  78K Sep 13  2016 glance-scrubber.conf
-rw-r--r--. 1 root root    180 Mar 16 15:12 glance-swift.conf
drwxr-xr-x. 2 root root   4.0K Mar 11 08:47 metadefs
-rw-r-----. 1 root glance 1.4K Sep  5  2016 policy.json
-rw-r-----. 1 root glance 1.4K Sep  5  2016 schema-image.json

[heat-admin@overcloud-controller-0 ~]$ ls -lh /etc/glance/
total 452K
-rw-r-----. 1 root glance 139K Mar 16 15:59 glance-api.conf
-rw-r-----. 1 root glance  74K Mar 16 15:59 glance-cache.conf
-rw-r-----. 1 root glance  71K Sep 13  2016 glance-glare.conf
-rw-r-----. 1 root glance  66K Mar 16 15:59 glance-registry.conf
-rw-r-----. 1 root glance  78K Sep 13  2016 glance-scrubber.conf
-rw-r--r--. 1 root root    166 Mar 16 15:55 glance-swift.conf
drwxr-xr-x. 2 root root   4.0K Mar 11 08:47 metadefs
-rw-r-----. 1 root glance 1.4K Sep  5  2016 policy.json
-rw-r-----. 1 root glance 1.4K Sep  5  2016 schema-image.json

Permissions loook identically to the earlier posted permissions on Ocata; all files except glance-swift and metadefs require root user or glance group.

Closing this therefore, please feel free to re-open in case you see a regression.