ceph-ansible needs the ability to set the permissions and then the ACLs of a Ceph keyring file in order for OSP12 to be able to solve the following security CVE: https://access.redhat.com/security/cve/CVE-2017-12155 This issue is tracked in upstream ceph-ansible by: https://github.com/ceph/ceph-ansible/issues/2092 and solved by the following PR in upstream ceph-ansible: https://github.com/ceph/ceph-ansible/pull/2110 When the above PR is used in combination with the following tripleo heat templates: https://review.openstack.org/#/c/508975 this issue will be solved. This will be a blocker for OSP12 and will need to be backported to whatever version of ceph-ansible is shipped with OSP12.
Setting target release to 3.0 as this security issue will block OSP12 (assuming ceph-ansible 3.0 will ship with OSP12).
Upstream has merged, fix will be in 3.0.7, https://github.com/ceph/ceph-ansible/releases/tag/v3.0.7 Ken, please build a package :).
When the fixed-in version (ceph-ansible-3.0.7) is tested with OpenStack as triggered by OSPd (puddle for version 12 10.31.1), the permissions and ACLs are set correctly.
Upstream merged: https://github.com/ceph/ceph-ansible/pull/2174#pullrequestreview-76695289
The following merged, moving to POST. https://github.com/ceph/ceph-ansible/pull/2189
Cloned to osp12, to be verified there, as it blocks deployment with ceph. https://bugzilla.redhat.com/show_bug.cgi?id=1514265
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3387