Description of problem: A nova.conf file with a comprehensive set of configuration options should be shipped with the various nova services. Here is a good example to work from: https://github.com/yocum137/nova.conf/blob/master/nova.conf
This one looks like it's more up-to-date: https://github.com/openstack/nova/blob/master/etc/nova/nova.conf.sample
should grab the one from stable/folsom ... https://github.com/openstack/nova/blob/stable/folsom/etc/nova/nova.conf.sample
I think we should package up this nova.conf.sample as-is and put it in /usr/share/doc/ or whatever is appropriate. Additionally, I think it's worth adding more meat to the default /etc/nova/nova.conf.
Ok, so after some discussion ... what we're thinking is:

1) Take our current nova.conf with our distribution specific defaults and put that in /usr/share/nova/nova-dist.conf

   The systemd units and init scripts will need to be updated to do:

     --config-file=/usr/share/nova/nova-dist.conf --config-file=/etc/nova/nova.conf

   This means that users can start with an empty /etc/nova/nova.conf file and still be using the distribution defaults

   This file should not be marked as %config(noreplace) since it is not intended to be user-editable

2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf

   This means the default user-editable config file contains nothing but comments explaining what options are available

3) The sample nova.conf file should use the new format that we've switched to in Grizzly: https://review.openstack.org/19292

4) Our "vanilla" packages (e.g. in Fedora or EPEL) should just use the stock upstream nova.conf.sample with the exception that we should update the default values in the sample file to reflect our distribution defaults

5) In the productized packages, we should strip the sample nova.conf to only include options we recommend using and perhaps improve the descriptions.
In our default /etc/nova/nova.conf we should also document the [keystone_authtoken] section, but the keystone_authtoken defaults should live in /usr/share/nova/nova-dist.conf
It may also be worth including a note at the top of /etc/nova/nova.conf indicating where distribution provided defaults can be found (.../nova-dist.conf).
One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t while files under /usr/share/nova/ get usr_t
(In reply to comment #4)

snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :

> Ok, so after some discussion ... what we're thinking is:
>
> 1) Take our current nova.conf with our distribution specific defaults and
> put that in /usr/share/nova/nova-dist.conf

Exists.

> The systemd units and init scripts will need to be updated to do:
>
> --config-file=/usr/share/nova/nova-dist.conf
> --config-file=/etc/nova/nova.conf

Exists.

> This means that users can start with an empty /etc/nova/nova.conf file
> and still be using the distribution defaults
>
> This file should not be marked as %config(noreplace) since it is not
> intended to be user-editable
>
> 2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
>
> This means the default user-editable config file contains nothing but
> comments explaining what options are available

Does not exist.

[root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
[root@cougar10 init.d]#

> 3) The sample nova.conf file should use the new format that we've switched
> to in Grizzly: https://review.openstack.org/19292
>
> 4) Our "vanilla" packages (e.g. in Fedora or EPEL) should just use the
> stock
> upstream nova.conf.sample with the exception that we should update the
> default values in the sample file to reflect our distribution defaults
>
> 5) In the productized packages, we should strip the sample nova.conf to
> only
> include options we recommend using and perhaps improve the descriptions.
(In reply to comment #6)
> It may also be worth including a note at the top of /etc/nova/nova.conf
> indicating where distribution provided defaults can be found
> (.../nova-dist.conf).

Wasn't implemented?
(In reply to comment #5)
> In our default /etc/nova/nova.conf we should also document the
> [keystone_authtoken] section, but the keystone_authtoken defaults should
> live in /usr/share/nova/nova-dist.conf

/etc/nova/nova.conf :

[keystone_authtoken]
#
# Options to be passed to keystoneclient.auth_token middleware
# NOTE: These options are not defined in nova but in the
# keystoneclient package
#

# the name of the admin tenant (string value)
#admin_tenant_name = %SERVICE_TENANT_NAME%

# the keystone admin username (string value)
#admin_user = %SERVICE_USER%

# the keystone admin password (string value)
#admin_password = %SERVICE_PASSWORD%

# the keystone host (string value)
#auth_host = 127.0.0.1

# the keystone port (integer value)
#auth_port = 35357

# protocol to be used for auth requests http/https (string value)
#auth_protocol = http

/usr/share/nova/nova-dist.conf:

[keystone_authtoken]
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http

Not sure that's good enough.

(Note: this was an upgrade, not a clean install and not via packstack. Will also repeat via packstack).
(In reply to comment #7)
> One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> while files under /usr/share/nova/ get usr_t

[root@cougar10 nova]# ls -Z /etc/nova/nova.conf /usr/share/nova/nova-dist.conf
-rw-r-----. nova nova system_u:object_r:etc_t:s0 /etc/nova/nova.conf
-rw-r-----. root nova system_u:object_r:usr_t:s0 /usr/share/nova/nova-dist.conf

Not sure why /usr/share/nova/nova-dist.conf belongs to root?
Setting NEEDINFO for assignee for comment 13, comment 14, comment 15, comment 16 (not sure the fix is good enough, though I didn't see any real blocker).
(In reply to comment #13)
> (In reply to comment #4)
> snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
>
> > 2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> >
> > This means the default user-editable config file contains nothing but
> > comments explaining what options are available
>
> Does not exist.
> [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> [root@cougar10 init.d]#

In later output, you show the SELinux context on the nova.conf file, so it does exist. Are the contents not what you expect? What's wrong with it?
(In reply to comment #16)
> (In reply to comment #7)
> > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > while files under /usr/share/nova/ get usr_t
>
> [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> /usr/share/nova/nova-dist.conf
> -rw-r-----. nova nova system_u:object_r:etc_t:s0 /etc/nova/nova.conf
> -rw-r-----. root nova system_u:object_r:usr_t:s0
> /usr/share/nova/nova-dist.conf
>
>
> Not sure why /usr/share/nova/nova-dist.conf belongs to root?

It's a file that we install that the user should never modify, so the permissions seem reasonable to me. Would you suggest something different?
(In reply to comment #19)
> (In reply to comment #16)
> > (In reply to comment #7)
> > > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > > while files under /usr/share/nova/ get usr_t
> >
> > [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> > /usr/share/nova/nova-dist.conf
> > -rw-r-----. nova nova system_u:object_r:etc_t:s0 /etc/nova/nova.conf
> > -rw-r-----. root nova system_u:object_r:usr_t:s0
> > /usr/share/nova/nova-dist.conf
> >
> >
> > Not sure why /usr/share/nova/nova-dist.conf belongs to root?
>
> It's a file that we install that the user should never modify, so the
> permissions seem reasonable to me. Would you suggest something different?

nova:nova.
(In reply to comment #18)
> (In reply to comment #13)
> > (In reply to comment #4)
> > snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
> >
> > > 2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> > >
> > > This means the default user-editable config file contains nothing but
> > > comments explaining what options are available
> >
> > Does not exist.
> > [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> > [root@cougar10 init.d]#
>
> In later output, you show the SELinux context on the nova.conf file, so it
> does exist. Are the contents not what you expect? What's wrong with it?

Perhaps my misunderstanding: /usr/share/nova/nova-dist-conf is the upstream nova.conf.sample ?
(In reply to comment #21)
> (In reply to comment #18)
> > (In reply to comment #13)
> > > (In reply to comment #4)
> > > snap2 (openstack-nova-compute-2012.2.2-9.el6ost.noarch) :
> > >
> > > > 2) Take upstream nova.conf.sample and install it in /etc/nova/nova.conf
> > > >
> > > > This means the default user-editable config file contains nothing but
> > > > comments explaining what options are available
> > >
> > > Does not exist.
> > > [root@cougar10 init.d]# rpm -qa |grep nova |xargs rpm -ql |grep sample
> > > [root@cougar10 init.d]#
> >
> > In later output, you show the SELinux context on the nova.conf file, so it
> > does exist. Are the contents not what you expect? What's wrong with it?
>
> Perhaps my misunderstanding: /usr/share/nova/nova-dist-conf is the upstream
> nova.conf.sample ?

We take upstream nova.conf.sample and install it as /etc/nova/nova.conf
(In reply to comment #20)
> (In reply to comment #19)
> > (In reply to comment #16)
> > > (In reply to comment #7)
> > > > One thing to verify is Nova selinux policy: /etc/nova/nova.conf is etc_t
> > > > while files under /usr/share/nova/ get usr_t
> > >
> > > [root@cougar10 nova]# ls -Z /etc/nova/nova.conf
> > > /usr/share/nova/nova-dist.conf
> > > -rw-r-----. nova nova system_u:object_r:etc_t:s0 /etc/nova/nova.conf
> > > -rw-r-----. root nova system_u:object_r:usr_t:s0
> > > /usr/share/nova/nova-dist.conf
> > >
> > >
> > > Not sure why /usr/share/nova/nova-dist.conf belongs to root?
> >
> > It's a file that we install that the user should never modify, so the
> > permissions seem reasonable to me. Would you suggest something different?
>
> nova:nova.

I'd be inclined to say nova-dist.conf should be root:root and 755.

It doesn't contain anything which shouldn't be world-readable, and you don't want it to be writable by nova.

Current perms aren't a blocker though.
(In reply to comment #15)
> (In reply to comment #5)
> > In our default /etc/nova/nova.conf we should also document the
> > [keystone_authtoken] section, but the keystone_authtoken defaults should
> > live in /usr/share/nova/nova-dist.conf
>
> /etc/nova/nova.conf :
> [keystone_authtoken]
...
> /usr/share/nova/nova-dist.conf:
> [keystone_authtoken]
..
>
> Not sure that's good enough.

What do you think is missing? Docs in nova-dist.conf?

The important thing is that we document the options in nova.conf - that's the only file users should modify.

We could also document in nova-dist.conf why we've chosen these defaults, but that's probably not relevant in the keystone_authtoken case.

Looks fine to me.
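An added example, not code from this bug or from the nova packages, covering two points from the thread: the two-file layering proposed in comment #4 (`--config-file=/usr/share/nova/nova-dist.conf --config-file=/etc/nova/nova.conf`, later file wins), and the `%SERVICE_*%` placeholder defaults that comment #15 found shipped in nova-dist.conf. It approximates oslo.config's ordering with the standard-library configparser, so the merge semantics are an assumption rather than nova's own loader, and the three config bodies are constructed stand-ins for the packaged files. It also runs the check an operator would want after install: any `[keystone_authtoken]` key that still carries a literal placeholder after layering means the dist default was never overridden and the service would present junk credentials to Keystone.

```python
"""Layered nova.conf loading, modelled on --config-file ordering (added example)."""
import configparser
import os
import re
import tempfile

# Constructed stand-in for /usr/share/nova/nova-dist.conf (not the packaged file).
DIST_CONF = """\
[DEFAULT]
logdir = /var/log/nova
state_path = /var/lib/nova
auth_strategy = keystone

[keystone_authtoken]
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
"""

# Constructed stand-in for the "nothing but comments" /etc/nova/nova.conf.
EMPTY_USER_CONF = """\
[DEFAULT]
# Options set here override /usr/share/nova/nova-dist.conf
#logdir = /var/log/nova

[keystone_authtoken]
#admin_password = %SERVICE_PASSWORD%
"""

# Constructed: what an operator writes after install (hypothetical values).
EDITED_USER_CONF = """\
[DEFAULT]
logdir = /srv/nova/log

[keystone_authtoken]
admin_tenant_name = services
admin_user = nova
admin_password = example-password-set-by-operator
auth_host = 10.0.0.5
auth_protocol = https
"""

# A value that is still a %NAME% token was never replaced by a real setting.
PLACEHOLDER = re.compile(r"^%[A-Z_]+%$")


def load_layered(paths):
    """Read files in order; a key set in a later file overrides the earlier one.

    interpolation=None: values such as %SERVICE_USER% would otherwise make
    configparser raise InterpolationSyntaxError.  default_section is renamed so
    that nova's [DEFAULT] is an ordinary section instead of one whose keys leak
    into every other section (assumed to match oslo.config's behaviour).
    """
    cp = configparser.ConfigParser(interpolation=None,
                                   default_section="__no_default__")
    cp.optionxform = str  # keep option names exactly as written
    for path in paths:
        with open(path) as fh:
            cp.read_file(fh, source=path)
    return {sect: dict(cp.items(sect)) for sect in cp.sections()}


def unresolved_placeholders(cfg, section="keystone_authtoken"):
    """Keys in `section` whose effective value is still a %PLACEHOLDER%."""
    values = cfg.get(section, {})
    return sorted(k for k, v in values.items() if PLACEHOLDER.match(v.strip()))


def check(dist_text, user_text):
    """Write both files to a temp dir, layer them, and report placeholder leaks."""
    with tempfile.TemporaryDirectory() as d:
        dist = os.path.join(d, "nova-dist.conf")
        user = os.path.join(d, "nova.conf")
        with open(dist, "w") as fh:
            fh.write(dist_text)
        with open(user, "w") as fh:
            fh.write(user_text)
        cfg = load_layered([dist, user])
    return cfg, unresolved_placeholders(cfg)


if __name__ == "__main__":
    for name, text in (("commented sample", EMPTY_USER_CONF),
                       ("edited by operator", EDITED_USER_CONF)):
        cfg, missing = check(DIST_CONF, text)
        print(f"{name}: logdir={cfg['DEFAULT']['logdir']} "
              f"auth_host={cfg['keystone_authtoken']['auth_host']} "
              f"unresolved={missing}")
```

With the comment-only nova.conf every dist default survives, which is the intended behaviour, but so do the three credential placeholders, which is the thing to catch before starting the service. Once the operator sets them, the untouched keys (`auth_port`, `state_path`) still come from nova-dist.conf while the edited ones win.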
Moving to VERIFIED based on above comments.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0260.html