Description of problem:
ceph-ansible automatically appending trusted_ip_list=192.168.122.1 in iscsi-gateway.cfg

Version-Release number of selected component (if applicable):
RHCS 4

How reproducible:
Install the Ceph iSCSI gateway using ceph-ansible.

Steps to Reproduce:
1. Install Ceph iSCSI gateway using ceph-ansible [a].
2. Check iscsi-gateway.cfg

Actual results:
By default, ceph-ansible is adding "trusted_ip_list=192.168.122.1" even though "trusted_ip_list" isn't mentioned in iscsigws.yml

Expected results:
ceph-ansible shouldn't add any template IPs like 192.168.122.1.
ceph-ansible should add the IP list from "trusted_ip_list" in iscsigws.yml

Additional info:
[a]. https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/block_device_guide/the-ceph-iscsi-gateway

- As per roles/ceph-iscsi-gw, this is the template file which is creating iscsi-gateway.cfg:

$ cat templates/iscsi-gateway.cfg.j2
# This is seed configuration used by the ceph_iscsi_config modules
# when handling configuration tasks for iscsi gateway(s)
#
# {{ ansible_managed }}

[config]
cluster_name = {{ cluster }}

# API settings.
# The API supports a number of options that allow you to tailor it to your
# local environment. If you want to run the API under https, you will need to
# create cert/key files that are compatible for each iSCSI gateway node, that is
# not locked to a specific node. SSL cert and key files *must* be called
# 'iscsi-gateway.crt' and 'iscsi-gateway.key' and placed in the '/etc/ceph/' directory
# on *each* gateway node. With the SSL files in place, you can use 'api_secure = true'
# to switch to https mode.

# To support the API, the bear minimum settings are:
api_secure = {{ api_secure }}

# Optional settings related to the CLI/API service
api_user = {{ api_user }}
api_password = {{ api_password }}
api_port = {{ api_port }}
loop_delay = {{ loop_delay }}
trusted_ip_list = {{ trusted_ip_list }}    <<===

$ grep 'trusted' /usr/share/ceph-ansible/group_vars/iscsigws.yml
#trusted_ip_list: 192.168.122.1

- From /usr/share/ceph-ansible/roles/ceph-iscsi-gw/defaults/main.yml

##################
# RBD-TARGET-API #
##################
# Optional settings related to the CLI/API service
api_user: admin
api_password: admin
api_port: 5000
api_secure: false
loop_delay: 1
trusted_ip_list: 192.168.122.1    <<===
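
Added example, not part of the bug report or of ceph-ansible: a small audit that reads a rendered iscsi-gateway.cfg and reports settings still equal to the role defaults quoted above, plus any trusted_ip_list address the operator did not request. The helper names, the sample file and the 10.0.0.x addresses are constructed for illustration, and a comma-separated trusted_ip_list is assumed.

```python
import configparser
import ipaddress

# Role defaults copied from the defaults/main.yml excerpt in this report.
ROLE_DEFAULTS = {"api_user": "admin", "api_password": "admin", "api_secure": "false"}

# Constructed sample of a rendered file where every default was kept.
SAMPLE_CFG = """\
# Ansible managed
[config]
cluster_name = ceph
api_secure = false
api_user = admin
api_password = admin
api_port = 5000
loop_delay = 1
trusted_ip_list = 192.168.122.1
"""


def split_ips(raw):
    """Split a comma-separated list (assumed format) into valid and invalid entries."""
    valid, invalid = set(), []
    for item in filter(None, (part.strip() for part in raw.split(","))):
        try:
            valid.add(ipaddress.ip_address(item))
        except ValueError:
            invalid.append(item)
    return valid, invalid


def audit_gateway_cfg(cfg_text, intended_ips):
    """Return findings for a rendered iscsi-gateway.cfg (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    parser.read_string(cfg_text)
    if not parser.has_section("config"):
        return ["missing [config] section"]
    cfg = parser["config"]
    findings = []
    for key, default in ROLE_DEFAULTS.items():
        value = cfg.get(key, "").strip()
        if (value.lower() if key == "api_secure" else value) == default:
            findings.append(f"{key} left at role default")
    rendered, invalid = split_ips(cfg.get("trusted_ip_list", ""))
    intended, _ = split_ips(",".join(intended_ips))
    findings += [f"trusted_ip_list entry is not an IP address: {i}" for i in invalid]
    findings += [f"trusted_ip_list has unrequested address {ip}" for ip in sorted(rendered - intended, key=str)]
    findings += [f"trusted_ip_list is missing {ip}" for ip in sorted(intended - rendered, key=str)]
    return findings
```

Pass the addresses you set for trusted_ip_list in iscsigws.yml as intended_ips; an empty result means the rendered file matches what was requested and none of the checked defaults remain.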

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 4.3 Security and Bug Fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1716