[kolla-ansible][yoga] Glance backend cinder Privsep daemon failed to start operation not permitted

wodel youchi wodel.youchi at gmail.com
Thu Apr 13 14:23:37 UTC 2023


Hi,

Adding those lines to globals.yml did produce errors, complaining about the
enabled line missing

> glance_services:
>   glance-api:
>     privileged: true
>

Then I tried this

> glance_services:
>   glance-api:
>     enabled: true
>     privileged: true
>

Gave these errors
fatal: [192.168.2.23]: FAILED! => {"msg": "The conditional check
'item.value.host_in_groups | bool' failed. The error was: error while
evaluating conditional (item.value.host_in_groups | bool): 'dict object'
has no attribute 'host_in_groups'\n\nThe error appears to be in
'/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
line 2, column 3, but may\nbe elsewhere in the file depending on the exact
syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
Ensuring config directories exist\n  ^ here\n"}
fatal: [192.168.2.27]: FAILED! => {"msg": "The conditional check
'item.value.host_in_groups | bool' failed. The error was: error while
evaluating conditional (item.value.host_in_groups | bool): 'dict object'
has no attribute 'host_in_groups'\n\nThe error appears to be in
'/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
line 2, column 3, but may\nbe elsewhere in the file depending on the exact
syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
Ensuring config directories exist\n  ^ here\n"}
fatal: [192.168.2.31]: FAILED! => {"msg": "The conditional check
'item.value.host_in_groups | bool' failed. The error was: error while
evaluating conditional (item.value.host_in_groups | bool): 'dict object'
has no attribute 'host_in_groups'\n\nThe error appears to be in
'/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
line 2, column 3, but may\nbe elsewhere in the file depending on the exact
syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
Ensuring config directories exist\n  ^ here\n"}


It seems this configuration is discarding main.yml from
https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
not just replacing the needed variables.

Regards.

On Thu, 13 Apr 2023 at 13:00, Sean Mooney <smooney at redhat.com> wrote:

> On Thu, 2023-04-13 at 11:41 +0100, wodel youchi wrote:
> > Thanks for the help,
> >
> > I modified my glance-api.conf like this but no luck, I got the same
> > problem: Privsep daemon failed to start
> >
> > > [cinder]
> > > cinder_store_auth_address = https://dashint.example.com:5000/v3
> > > cinder_store_project_name = service
> > > cinder_volume_type = nfstype
> > > rootwrap_config = /etc/glance/rootwrap.conf
> > >
> > > cinder_store_user_name = glance
> > > cinder_store_password = glance-password
> > > cinder_catalog_info = volumev3:cinderv3:internalURL
> > >
> >
> > > ###cinder_store_user_name = cinder
> > > ###cinder_store_password = cinder-password
> > >
> >
> >
> > I thought once cinder has the capability to read & write into the
> > backend, glance will just use it to upload the images!!
> >
> > Another thing, about the credentials, which ones should I use? Glance's
> > or cinder's? I thought it should be cinder's!! But in your example @Sean you
> > used {{ glance_keystone_user }} and {{ glance_keystone_password }}
>
> either would work but normally i would consider it bad practice for a
> service to have the username/password for a different user's account
> so glance should always use its user to talk to other services when it's
> not using the keystone user token passed in to the api.
>
> >
> > Lastly I searched how to launch a privileged container in kolla but I
> > didn't find anything.
>
> i see the issue
>
> https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
> glance api is only privileged if you use iscsi for the cinder backend.
> privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"
> you are using nfs.
>
> you can workaround this in your global.yaml by adding this i think
>
> glance_services:
>   glance-api:
>    privileged: true
>
> alternatively you can do it via the inventory file by setting that as a
> host/group var.
> >
> > Regards.
>
>
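
Added example (not part of the original thread, and not kolla-ansible or Ansible code): a small Python model of why the two globals.yml overrides above failed differently. It assumes Ansible's default behaviour of replacing a dictionary variable wholesale rather than merging it; ROLE_DEFAULTS is a constructed stand-in that holds only the keys named in the thread.

```python
# Models variable precedence only; it does not import or call Ansible.
import copy

# Constructed stand-in for the role default, limited to keys seen in the thread.
ROLE_DEFAULTS = {
    "glance_services": {
        "glance-api": {
            "enabled": True,
            "host_in_groups": True,  # a templated expression in the real role
            "privileged": False,     # false here: the backend is NFS, not iSCSI
        }
    }
}

# The two overrides tried in globals.yml.
OVERRIDE_1 = {"glance_services": {"glance-api": {"privileged": True}}}
OVERRIDE_2 = {"glance_services": {"glance-api": {"enabled": True,
                                                 "privileged": True}}}

def combine_replace(defaults, override):
    """Higher-precedence variable replaces the whole top-level value."""
    result = copy.deepcopy(defaults)
    result.update(copy.deepcopy(override))
    return result

def combine_merge(defaults, override):
    """Recursive merge: only the leaves present in the override change."""
    result = copy.deepcopy(defaults)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = combine_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result

def missing_keys(variables, service="glance-api"):
    """Keys of the role default that the effective service dict has lost."""
    expected = ROLE_DEFAULTS["glance_services"][service].keys()
    effective = variables["glance_services"].get(service, {})
    return sorted(set(expected) - set(effective))

if __name__ == "__main__":
    for name, override in (("first", OVERRIDE_1), ("second", OVERRIDE_2)):
        replaced = combine_replace(ROLE_DEFAULTS, override)
        merged = combine_merge(ROLE_DEFAULTS, override)
        print(name, "override, replace: missing", missing_keys(replaced))
        print(name, "override, merge:   missing", missing_keys(merged))
```

Under replace semantics the first override loses both `enabled` and `host_in_groups`, and the second still loses `host_in_groups`, which matches the order of the errors reported above.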