RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 958911 - packstack sets wrong permission bits on log dirs for cinder, nova, keystone, quantum
Summary: packstack sets wrong permission bits on log dirs for cinder, nova, keystone, ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-packstack
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Martin Magr
QA Contact: Giulio Fidente
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-02 16:03 UTC by Giulio Fidente
Modified: 2015-03-18 14:35 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-18 14:35:58 UTC
Embargoed:

Attachments (Terms of Use)

Description Giulio Fidente 2013-05-02 16:03:24 UTC 
Description of problem:
base.pp class from the linked cinder submodule sets default permissions to 644, see:
> https://github.com/packstack/puppetlabs-cinder/blob/d9f9efac3db5749c2130a8b74c511ffd1161bec2/manifests/base.pp#L31

That in turn makes puppet to set permissions to 755 on /var/log/cinder and /var/lib/cinder


Version-Release number of selected component (if applicable):
openstack-packstack-2013.1.1-0.5.dev538.el6.noarch


Steps to Reproduce:
1. install openstack-cinder, check permissions for /var/log/cinder
2. run packstack, check permissions for /var/log/cinder

  
Expected results:
permissions aren't changed
Comment 1 Giulio Fidente 2013-05-02 16:44:54 UTC 
for cinder (and probably for the other components too) the issue seems to have been fixed in puppet-cinder at https://github.com/stackforge/puppet-cinder/tree/master/manifests where things look to be changed a lot
Comment 2 ryo fujita 2013-06-27 13:14:10 UTC 
keystone doesn't start for a permission error with openstack-packstack-2013.1.1-0.3.dev527.fc19.

--- init.pp.old	2013-06-27 22:05:49.000000000 +0900
+++ init.pp	2013-06-27 22:06:06.000000000 +0900
@@ -114,6 +114,11 @@
     mode    => '0600',
   }
 
+  file { '/var/log/keystone/keystone.log':
+    owner    => 'keystone',
+    group    => 'keystone',
+  }
+
   # default config
   keystone_config {
     'DEFAULT/admin_token':  value => $admin_token;
Comment 3 Martin Magr 2014-01-15 11:31:20 UTC 
We don't use puppetlabs-cinder module for a long time. Instead we use puppet-cinder from stackforge [1]. Class "cinder::base" is deprecated according to source and in class "cinder" there isn't code which was modifying /var/log/permission. Will have to investigate more to find out reason of removal. 


[1] https://github.com/stackforge/puppet-cinder/blob/master/manifests/base.pp
Comment 4 Kashyap Chamarthy 2014-06-06 12:02:51 UTC 
Going through RDO bugs here. 

I just tested on an OpenStack setup with this version -- openstack-packstack-2014.1.1-0.19.dev1102.el7ost.noarch, and Cinder has 750 permissions. Also, posted 

drwxr-x---.  2 cinder     root       98 Jun  3 02:27 cinder
drwxr-xr-x.  2 neutron    neutron  4.0K Jun  3 02:39 neutron
drwxr-x---.  2 nova       nova     4.0K Jun  3 02:35 nova
drwxr-x---.  2 keystone   keystone   25 Jun  3 02:24 keystone


So, seems like it's fixed in the current version. Can you confirm this Giulio?
Comment 5 Giulio Fidente 2014-06-06 15:16:42 UTC 
hi Kashayp, seeing your same results using openstack-packstack-2014.1.1-0.20.dev1109.el7ost.noarch

still three other components continue to have 755: neutron, ceilometer and heat; I'm not sure though how important is this and if this is at all a bug
Comment 6 Lars Kellogg-Stedman 2015-03-18 14:35:58 UTC 
The problem originally described in this report has been corrected.  I don't believe that mode 755 permissions on log directories is itself a problem unless we are inadvertently exposing secrets.  If that is the case, please open a new bug with specific examples.  Thanks!
Note You need to log in before you can comment on or make changes to this bug.