Bug 1539090 - Cinder backups fail when running in a container (non-HA)
Summary: Cinder backups fail when running in a container (non-HA)
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: 12.0 (Pike)
Assignee: Alan Bishop
QA Contact: Avi Avraham
Depends On:
TreeView+ depends on / blocked
Reported: 2018-01-26 15:48 UTC by Alan Bishop
Modified: 2018-03-28 17:17 UTC (History)
8 users (show)

Fixed In Version: openstack-tripleo-heat-templates-7.0.9-1
Doc Type: Bug Fix
Doc Text:
Previously, the cinder-backup container was configured to execute without any special privileges, and this prevented the cinder-backup service from creating iSCSI connections which are necessary for the backup operations to work. As a result, the cinder backup operations would fail. With this update, the privileges for the cinder-backup container have been increased to allow the cinder-backup to create iSCSI connections. As a result, the backup operations now work.
Clone Of:
Last Closed: 2018-03-28 17:16:42 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0602 None None None 2018-03-28 17:17:11 UTC
OpenStack gerrit 538272 None None None 2018-01-26 15:52:12 UTC
OpenStack gerrit 538925 None None None 2018-01-29 13:46:24 UTC
Launchpad 1745628 None None None 2018-01-26 15:49:17 UTC

Description Alan Bishop 2018-01-26 15:48:12 UTC
Description of problem:

Cinder backups fail when the service is running in a non-HA container. This is because the cinder_backup container doesn't have sufficient privileges to create iSCSI connections.

How reproducible: always

Steps to Reproduce:
1. Deploy overcloud with cinder in containers, non-HA (deploy the docker/services/cinder-backup.yaml THT)
2. Create a volume, then create a backup of the volume

Actual results:

The backup fail (status=ERROR) and the cinder-backup.log will show errors occurred due to privsep permission problems.

Expected results:

Backups are successful

Comment 11 Tzach Shefi 2018-03-13 16:32:53 UTC
Verified on:

Cinder running in docker on none HA controller
After much help from Alan, thanks! 

[root@controller-0 ~]# docker ps | grep cinder
f967912a2119        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1                "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_api_cron
65073ef4a19d        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-scheduler:2018-03-10.1          "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_scheduler
8ea118a1efd7        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-volume:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_volume
baffb8ed776e        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-backup:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_backup
1fb16ef3a58c        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1 

1. cinder create 1 

(overcloud) [stack@undercloud-0 ~]$ cinder list
| ID                                   | Status    | Name | Size | Volume Type | Bootable | Attached to |
| 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | -           | false    |             |

Create a backup

cinder backup-create 0312c517-6b20-48ae-b7bb-0c88dbd45b08
| Property  | Value                                |
| id        | a4484b29-2859-4b43-8a13-0d7888648ece |
| name      | None                                 |
| volume_id | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 |

After a short while

(overcloud) [stack@undercloud-0 ~]$ cinder backup-list
| ID                                   | Volume ID                            | Status    | Name | Size | Object Count | Container     |
| a4484b29-2859-4b43-8a13-0d7888648ece | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | 22           | volumebackups |

Backup and volume are both available.

Comment 14 errata-xmlrpc 2018-03-28 17:16:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.