We should configure ceph-nfs to use a non-admin keyring (possibly manila)
(In reply to Giulio Fidente from comment #0) > We should configure ceph-nfs to use a non-admin keyring (possibly manila) What are the cephx permissions/caps of this manila cephx ID? We'll have to make changes here in the generated ganesha.conf, https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/ceph.conf#L158 https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/config_samples/ceph.conf#L174 Need to set those two config settings to 'manila'
Thanks Ram for helping; the submission does change the two lines you pointed to in comment #2. The permissions set for the 'manila' keyring are here [1]; please comment you believe those are not sufficient or that should be reviewed 1. https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/ceph-ansible/ceph-base.yaml#L282-L287
(In reply to Giulio Fidente from comment #3) > Thanks Ram for helping; the submission does change the two lines you pointed > to in comment #2. Missed seeing that. LGTM. Thanks, Giulio! > > The permissions set for the 'manila' keyring are here [1]; please comment > you believe those are not sufficient or that should be reviewed The permissions should be sufficient. > > 1. > https://github.com/openstack/tripleo-heat-templates/blob/master/docker/ > services/ceph-ansible/ceph-base.yaml#L282-L287
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3587