[kolla-ansible][yoga] Glance backend cinder Privsep daemon failed to start operation not permitted

Sean Mooney smooney at redhat.com
Fri Apr 14 11:46:09 UTC 2023


given it appears to be replacing it directly instead of merging then you need to add the following to global.yaml instead

glance_services:
  glance-api:
    container_name: glance_api
    group: glance-api
    host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"
    enabled: true
    image: "{{ glance_api_image_full }}"
    environment: "{{ glance_api_container_proxy }}"
    privileged: true
    volumes: "{{ glance_api_default_volumes + glance_api_extra_volumes }}"
    dimensions: "{{ glance_api_dimensions }}"
    healthcheck: "{{ glance_api_healthcheck }}"
    haproxy:
      glance_api:
        enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"
        mode: "http"
        external: false
        port: "{{ glance_api_port }}"
        frontend_http_extra:
          - "timeout client {{ haproxy_glance_api_client_timeout }}"
        backend_http_extra:
          - "timeout server {{ haproxy_glance_api_server_timeout }}"
        custom_member_list: "{{ haproxy_members.split(';') }}"
      glance_api_external:
        enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"
        mode: "http"
        external: true
        port: "{{ glance_api_port }}"
        frontend_http_extra:
          - "timeout client {{ haproxy_glance_api_client_timeout }}"
        backend_http_extra:
          - "timeout server {{ haproxy_glance_api_server_timeout }}"
        custom_member_list: "{{ haproxy_members.split(';') }}"



basically copy the default with all the templates and just update privileged to true
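The replace-versus-merge behaviour behind this advice, as an added Python example that is not kolla-ansible code: `DEFAULT_GLANCE_SERVICES` is a trimmed copy of the yoga `glance-api` entry quoted above (Jinja expressions kept as plain strings), `REQUIRED_KEYS` is an assumed list of fields the role's tasks read (the traceback in the thread only proves `host_in_groups` and `enabled`), and `deep_merge` shows what a recursive merge would have produced for comparison; the names are illustrative.

```python
"""Replace vs. merge for an overridden `glance_services` dict.

Added example, not kolla-ansible code. It reproduces why a partial
override in globals.yml loses keys (Ansible replaces the whole dict by
default) and why copying the full default and changing one field works.
"""
import copy

# Trimmed copy of the yoga glance-api default quoted in the thread.
# Jinja templates are kept as strings; Ansible would render them.
DEFAULT_GLANCE_SERVICES = {
    "glance-api": {
        "container_name": "glance_api",
        "group": "glance-api",
        "host_in_groups": "{{ inventory_hostname in glance_api_hosts }}",
        "enabled": True,
        "image": "{{ glance_api_image_full }}",
        "environment": "{{ glance_api_container_proxy }}",
        # Default is conditional: privileged only for the iscsi cinder backend.
        "privileged": "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}",
        "volumes": "{{ glance_api_default_volumes + glance_api_extra_volumes }}",
        "dimensions": "{{ glance_api_dimensions }}",
        "healthcheck": "{{ glance_api_healthcheck }}",
        "haproxy": {  # trimmed
            "glance_api": {
                "enabled": "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}",
                "mode": "http",
                "external": False,
                "port": "{{ glance_api_port }}",
            },
        },
    }
}

# Assumed set of keys the role's tasks dereference on each service entry.
# The thread's traceback proves only `host_in_groups` and `enabled`.
REQUIRED_KEYS = ("container_name", "group", "host_in_groups",
                 "enabled", "image", "volumes")


def replace_override(defaults, override):
    """Default Ansible precedence: a dict set in globals.yml replaces the
    role default wholesale, so only the override's keys survive."""
    return copy.deepcopy(override)


def deep_merge(defaults, override):
    """Recursive merge for comparison (the idea behind Ansible's
    `combine(recursive=True)`); the glance role does not do this."""
    result = copy.deepcopy(defaults)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def missing_keys(services, service="glance-api"):
    """Required keys the effective service definition lacks; each one
    corresponds to a 'dict object has no attribute' failure at deploy time."""
    entry = services.get(service, {})
    return [k for k in REQUIRED_KEYS if k not in entry]


def build_full_override(defaults, service, **changes):
    """Sean's approach: copy the complete default entry and change only
    the requested fields, so the replacing override is still complete."""
    full = copy.deepcopy(defaults)
    full[service].update(changes)
    return full


if __name__ == "__main__":
    partial = {"glance-api": {"enabled": True, "privileged": True}}
    print("partial override, replace semantics ->",
          missing_keys(replace_override(DEFAULT_GLANCE_SERVICES, partial)))
    print("partial override, merge semantics   ->",
          missing_keys(deep_merge(DEFAULT_GLANCE_SERVICES, partial)))
    full = build_full_override(DEFAULT_GLANCE_SERVICES, "glance-api",
                               privileged=True)
    print("full copy with privileged=True      ->", missing_keys(full),
          "privileged =", full["glance-api"]["privileged"])
```

Running it reproduces the thread's second failure (`host_in_groups` reported missing once `enabled` is supplied) for the partial override, while the full copy passes the key check. The check also makes the change visible for review: after the override, `privileged` is a literal `True` rather than the conditional template, which is exactly the field a reviewer of globals.yml should be looking at.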

On Thu, 2023-04-13 at 15:23 +0100, wodel youchi wrote:
> Hi,
> 
> Adding those lines to globals.yml did produce errors, complaining about the
> enabled line missing
> 
> > glance_services:
> >   glance-api:
> >     privileged: true
> > 
> 
> Then I tried this
> 
> > glance_services:
> >   glance-api:
> >     enabled: true
> >     privileged: true
> > 
> 
> Gave these errors
> fatal: [192.168.2.23]: FAILED! => {"msg": "The conditional check
> 'item.value.host_in_groups | bool' failed. The error was: error while
> evaluating conditional (item.value.host_in_groups | bool): 'dict object'
> has no attribute 'host_in_groups'\n\nThe error appears to be in
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> line 2, column 3, but may\nbe elsewhere in the file depending on the exact
> syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> Ensuring config directories exist\n  ^ here\n"}
> fatal: [192.168.2.27]: FAILED! => {"msg": "The conditional check
> 'item.value.host_in_groups | bool' failed. The error was: error while
> evaluating conditional (item.value.host_in_groups | bool): 'dict object'
> has no attribute 'host_in_groups'\n\nThe error appears to be in
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> line 2, column 3, but may\nbe elsewhere in the file depending on the exact
> syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> Ensuring config directories exist\n  ^ here\n"}
> fatal: [192.168.2.31]: FAILED! => {"msg": "The conditional check
> 'item.value.host_in_groups | bool' failed. The error was: error while
> evaluating conditional (item.value.host_in_groups | bool): 'dict object'
> has no attribute 'host_in_groups'\n\nThe error appears to be in
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> line 2, column 3, but may\nbe elsewhere in the file depending on the exact
> syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> Ensuring config directories exist\n  ^ here\n"}
> 
> 
> it seems, this configuration is discarding main.yml from
> https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
> not just replacing the needed variables.
> 
> Regards.
> 
> Le jeu. 13 avr. 2023 à 13:00, Sean Mooney <smooney at redhat.com> a écrit :
> 
> > On Thu, 2023-04-13 at 11:41 +0100, wodel youchi wrote:
> > > Thanks for the help,
> > > 
> > > I modified my glance-api.conf like this but no luck, I got the same
> > > problem: Privsep daemon failed to start
> > > 
> > > > [cinder]
> > > > cinder_store_auth_address = https://dashint.example.com:5000/v3
> > > > cinder_store_project_name = service
> > > > cinder_volume_type = nfstype
> > > > rootwrap_config = /etc/glance/rootwrap.conf
> > > > 
> > > > cinder_store_user_name = glance
> > > > cinder_store_password = glance-password
> > > > cinder_catalog_info = volumev3:cinderv3:internalURL
> > > > 
> > > 
> > > > ###cinder_store_user_name = cinder
> > > > ###cinder_store_password = cinder-password
> > > > 
> > > 
> > > 
> > > I thought once cinder has the capability to read & write into the
> > > backend, glance will just use it to upload the images!!
> > > 
> > > Another thing, about the credentials, which ones should I use? Glance's
> > > or cinder's? I thought it should be cinder's !! but in your example @Sean you
> > > used {{ glance_keystone_user }} and  {{ glance_keystone_password }}
> > 
> > either would work but normally i would consider it bad practice for a
> > service to have the username/password for a different user's account
> > so glance should always use its user to talk to other services when it's
> > not using the keystone user token passed in to the api.
> > 
> > > 
> > > Lastly I searched how to launch a privileged container in kolla but I
> > > didn't find anything.
> > 
> > i see the issue
> > 
> > https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
> > glance api is only privileged if you use iscsi for the cinder backend.
> > privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"
> > you are using nfs.
> > 
> > you can work around this in your global.yaml by adding this i think
> > 
> > glance_services:
> >   glance-api:
> >     privileged: true
> > 
> > alternatively you can do it via the inventory file by setting that as a
> > host/group var.
> > > 
> > > Regards.
> > 
> > 