Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1539090

Summary: Cinder backups fail when running in a container (non-HA)
Product: Red Hat OpenStack
Reporter: Alan Bishop <abishop>
Component: openstack-tripleo-heat-templates
Assignee: Alan Bishop <abishop>
Status: CLOSED ERRATA
QA Contact: Avi Avraham <aavraham>
Severity: medium
Docs Contact:
Priority: high
Version: 12.0 (Pike)
CC: abishop, cschwede, dnavale, eharney, mburns, pgrist, rhel-osp-director-maint, tshefi
Target Milestone: z2
Keywords: Triaged, ZStream
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-7.0.9-1
Doc Type: Bug Fix
Doc Text:
Previously, the cinder-backup container was configured to execute without any special privileges, and this prevented the cinder-backup service from creating iSCSI connections which are necessary for the backup operations to work. As a result, the cinder backup operations would fail. With this update, the privileges for the cinder-backup container have been increased to allow the cinder-backup to create iSCSI connections. As a result, the backup operations now work.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-28 17:16:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alan Bishop 2018-01-26 15:48:12 UTC
Description of problem:

Cinder backups fail when the service is running in a non-HA container. This is because the cinder_backup container doesn't have sufficient privileges to create iSCSI connections.

How reproducible: always


Steps to Reproduce:
1. Deploy overcloud with cinder in containers, non-HA (deploy the docker/services/cinder-backup.yaml THT)
2. Create a volume, then create a backup of the volume

Actual results:

The backup fails (status=ERROR) and the cinder-backup.log will show errors that occurred due to privsep permission problems.

Expected results:

Backups are successful
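
The Doc Text above says the fix raised the privileges of the cinder-backup container so it can create iSCSI connections. The following is an added example, not part of the bug report or of the TripleO templates: it audits `docker inspect` output so that a container granted extra privileges is a deliberate, allow-listed exception. The sample JSON is constructed, `example_service` is a hypothetical container, and the specific settings shown for `cinder_backup` are assumptions, since the bug does not state which ones the fix applies.

```python
import json

# Constructed sample in the shape of `docker inspect <container>...` output.
# Which settings the fixed template actually applies is not stated in this
# bug; privileged mode and the bind mounts below are assumptions.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/cinder_backup",
     "HostConfig": {"Privileged": True, "CapAdd": None,
                    "Binds": ["/dev:/dev", "/etc/iscsi:/etc/iscsi",
                              "/var/lib/cinder:/var/lib/cinder"]}},
    {"Name": "/cinder_api",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/var/log/containers/cinder:/var/log/cinder"]}},
    {"Name": "/example_service",  # hypothetical container
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"], "Binds": None}},
])

# Host paths whose exposure gives a container direct access to host devices
# or kernel state (illustrative list, not exhaustive).
SENSITIVE_HOST_PATHS = ("/dev", "/run", "/sys", "/lib/modules", "/etc/iscsi")

def audit(inspect_json):
    """Return {container_name: [findings]} for containers with extra privileges."""
    report = {}
    for entry in json.loads(inspect_json):
        host_cfg = entry.get("HostConfig") or {}
        findings = []
        if host_cfg.get("Privileged"):
            findings.append("privileged")
        for cap in host_cfg.get("CapAdd") or []:
            findings.append("cap_add:" + cap)
        for bind in host_cfg.get("Binds") or []:
            host_path = bind.split(":", 1)[0].rstrip("/") or "/"
            if any(host_path == p or host_path.startswith(p + "/")
                   for p in SENSITIVE_HOST_PATHS):
                findings.append("host_mount:" + host_path)
        if findings:
            report[entry["Name"].lstrip("/")] = findings
    return report

def unexpected(report, allowed):
    """Containers that carry extra privileges but are not on the allow-list."""
    return sorted(name for name in report if name not in allowed)

if __name__ == "__main__":
    result = audit(SAMPLE_INSPECT)
    print(result, unexpected(result, {"cinder_backup"}))
```

On a controller, the input would come from `docker inspect` run over the container IDs listed by `docker ps -q`.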

Comment 11 Tzach Shefi 2018-03-13 16:32:53 UTC
Verified on:
openstack-tripleo-heat-templates-7.0.9-6.el7ost.noarch

Cinder running in docker on non-HA controller
After much help from Alan, thanks! 

[root@controller-0 ~]# docker ps | grep cinder
f967912a2119        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1                "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_api_cron
65073ef4a19d        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-scheduler:2018-03-10.1          "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_scheduler
8ea118a1efd7        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-volume:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_volume
baffb8ed776e        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-backup:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_backup
1fb16ef3a58c        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1 


1. cinder create 1 

(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+------+------+-------------+----------+-------------+
| ID                                   | Status    | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+
| 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | -           | false    |             |

Create a backup

cinder backup-create 0312c517-6b20-48ae-b7bb-0c88dbd45b08
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | a4484b29-2859-4b43-8a13-0d7888648ece |
| name      | None                                 |
| volume_id | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 |
+-----------+--------------------------------------+

After a short while

(overcloud) [stack@undercloud-0 ~]$ cinder backup-list
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+
| ID                                   | Volume ID                            | Status    | Name | Size | Object Count | Container     |
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+
| a4484b29-2859-4b43-8a13-0d7888648ece | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | 22           | volumebackups |
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+

Backup and volume are both available.

Comment 14 errata-xmlrpc 2018-03-28 17:16:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0602