1539090 – Cinder backups fail when running in a container (non-HA)

Bug 1539090 - Cinder backups fail when running in a container (non-HA)

Summary: Cinder backups fail when running in a container (non-HA)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	z2
Target Release:	12.0 (Pike)
Assignee:	Alan Bishop
QA Contact:	Avi Avraham
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-26 15:48 UTC by Alan Bishop
Modified:	2022-07-09 10:17 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-7.0.9-1
Doc Type:	Bug Fix
Doc Text:	Previously, the cinder-backup container was configured to execute without any special privileges, and this prevented the cinder-backup service from creating iSCSI connections which are necessary for the backup operations to work. As a result, the cinder backup operations would fail. With this update, the privileges for the cinder-backup container have been increased to allow the cinder-backup to create iSCSI connections. As a result, the backup operations now work.
Clone Of:
Environment:
Last Closed:	2018-03-28 17:16:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1745628	None	None	None	2018-01-26 15:49:17 UTC
OpenStack gerrit	538272	None	None	None	2018-01-26 15:52:12 UTC
OpenStack gerrit	538925	None	None	None	2018-01-29 13:46:24 UTC
Red Hat Issue Tracker	OSP-17015	None	None	None	2022-07-09 10:17:16 UTC
Red Hat Product Errata	RHSA-2018:0602	None	None	None	2018-03-28 17:17:11 UTC

Description Alan Bishop 2018-01-26 15:48:12 UTC

Description of problem:

Cinder backups fail when the service is running in a non-HA container. This is because the cinder_backup container doesn't have sufficient privileges to create iSCSI connections.

How reproducible: always


Steps to Reproduce:
1. Deploy overcloud with cinder in containers, non-HA (deploy the docker/services/cinder-backup.yaml THT)
2. Create a volume, then create a backup of the volume

Actual results:

The backup fail (status=ERROR) and the cinder-backup.log will show errors occurred due to privsep permission problems.

Expected results:

Backups are successful

Comment 11 Tzach Shefi 2018-03-13 16:32:53 UTC

Verified on:
openstack-tripleo-heat-templates-7.0.9-6.el7ost.noarch

Cinder running in docker on none HA controller
After much help from Alan, thanks! 

[root@controller-0 ~]# docker ps | grep cinder
f967912a2119        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1                "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_api_cron
65073ef4a19d        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-scheduler:2018-03-10.1          "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_scheduler
8ea118a1efd7        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-volume:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_volume
baffb8ed776e        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-backup:2018-03-10.1             "kolla_start"            About an hour ago   Up About an hour (healthy)                       cinder_backup
1fb16ef3a58c        docker-registry.engineering.redhat.com/rhosp12/openstack-cinder-api:2018-03-10.1 


1. cinder create 1 

(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+------+------+-------------+----------+-------------+
| ID                                   | Status    | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------+------+-------------+----------+-------------+
| 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | -           | false    |             |

Create a backup

cinder backup-create 0312c517-6b20-48ae-b7bb-0c88dbd45b08
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | a4484b29-2859-4b43-8a13-0d7888648ece |
| name      | None                                 |
| volume_id | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 |
+-----------+--------------------------------------+

After a short while

(overcloud) [stack@undercloud-0 ~]$ cinder backup-list
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+
| ID                                   | Volume ID                            | Status    | Name | Size | Object Count | Container     |
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+
| a4484b29-2859-4b43-8a13-0d7888648ece | 0312c517-6b20-48ae-b7bb-0c88dbd45b08 | available | -    | 1    | 22           | volumebackups |
+--------------------------------------+--------------------------------------+-----------+------+------+--------------+---------------+

Backup and volume are both available.

Comment 14 errata-xmlrpc 2018-03-28 17:16:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0602

Note You need to log in before you can comment on or make changes to this bug.