[kolla-ansible][yoga] Glance backend cinder Privsep daemon failed to start operation not permitted

wodel youchi wodel.youchi at gmail.com
Sun Apr 16 05:25:01 UTC 2023


Hi;

I have managed to start the glance-api container in privileged mode, but I
still have issues getting glance to use my cinder backend backed by NFS.

When I push an image, now I am getting :

Stderr: '/var/lib/kolla/venv/bin/glance-rootwrap: Unauthorized command:
mount -t nfs 20.1.0.32:/kolla_nfs
/var/lib/glance/mnt/nfs/f6f6b4ee42b4f3522a75f422887010ad2c47f8624
f97bf3623b13014f22186b7 (no filter matched)\n'

Any ideas on that?


PS: How I managed to start the glance-api as a privileged container
1 - I edited this file and added this variable
vim kollavenv/yogavenv/share/kolla-ansible/ansible/group_vars/all.yml
glance_privileged_container: "no"


2 - I edited this file
vim
kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/defaults/main.yml
---
glance_services:
 glance-api:
   container_name: glance_api
   group: glance-api
   host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"
   enabled: true
   image: "{{ glance_api_image_full }}"
   environment: "{{ glance_api_container_proxy }}"
   privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi |
bool or glance_privileged_container | bool }}" <-------


3 - I added this configuration to my globals.yml
vim /etc/yogakolla/globals.yml
glance_privileged_container: "yes"

4 - Then I redeployed the glance service
kolla-ansible --configdir /etc/yogakolla -i multinode-yoga deploy --tags
glance -v

5 - Verifying
[root at controllerb ~]# docker inspect glance_api | grep -i pri
           "IpcMode": "private",
           "Privileged": true,
               "Propagation": "rprivate"
               "Propagation": "rprivate"
               "PS1=$(tput bold)($(printenv KOLLA_SERVICE_NAME))$(tput
sgr0)[$(id -un)@$(hostname -s) $(pwd)]$ ",




Regards.

Le ven. 14 avr. 2023 à 12:48, Sean Mooney <smooney at redhat.com> a écrit :

> On Fri, 2023-04-14 at 12:46 +0100, Sean Mooney wrote:
> > given it appears to be replacing it directly instead of merging then you
> need to add the following to global.yaml instead
> >
> slight correction you will also need to include the glance-tls-proxy
> section
>
> https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L2-L66
> since that is also under glance_services so copy all the highlighted
> section
>
>
> > glance_services:
> >   glance-api:
> >     container_name: glance_api
> >     group: glance-api
> >     host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"
> >     enabled: true
> >     image: "{{ glance_api_image_full }}"
> >     environment: "{{ glance_api_container_proxy }}"
> >     privileged: true
> >     volumes: "{{ glance_api_default_volumes + glance_api_extra_volumes
> }}"
> >     dimensions: "{{ glance_api_dimensions }}"
> >     healthcheck: "{{ glance_api_healthcheck }}"
> >     haproxy:
> >       glance_api:
> >         enabled: "{{ enable_glance | bool and not
> glance_enable_tls_backend | bool }}"
> >         mode: "http"
> >         external: false
> >         port: "{{ glance_api_port }}"
> >         frontend_http_extra:
> >           - "timeout client {{ haproxy_glance_api_client_timeout }}"
> >         backend_http_extra:
> >           - "timeout server {{ haproxy_glance_api_server_timeout }}"
> >         custom_member_list: "{{ haproxy_members.split(';') }}"
> >       glance_api_external:
> >         enabled: "{{ enable_glance | bool and not
> glance_enable_tls_backend | bool }}"
> >         mode: "http"
> >         external: true
> >         port: "{{ glance_api_port }}"
> >         frontend_http_extra:
> >           - "timeout client {{ haproxy_glance_api_client_timeout }}"
> >         backend_http_extra:
> >           - "timeout server {{ haproxy_glance_api_server_timeout }}"
> >         custom_member_list: "{{ haproxy_members.split(';') }}"
> >
> >
> >
> > basically copy the default with all the templates and just update
> privileged to true
> >
> > On Thu, 2023-04-13 at 15:23 +0100, wodel youchi wrote:
> > > Hi,
> > >
> > > Adding those lines to globals.yml did produce errors, complaining
> about the
> > > enabled line missing
> > >
> > > > glance_services:
> > > >   glance-api:
> > > >     privileged: true
> > > >
> > >
> > > Then I tried this
> > >
> > > > glance_services:
> > > >   glance-api:
> > > >     enabled: true
> > > >     privileged: true
> > > >
> > >
> > > Gave these errors
> > > fatal: [192.168.2.23]: FAILED! => {"msg": "The conditional check
> > > 'item.value.host_in_groups | bool' failed. The error was: error while
> > > evaluating conditional (item.value.host_in_groups | bool): 'dict
> object'
> > > has no attribute 'host_in_groups'\n\nThe error appears to be in
> > >
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> > > line 2, column 3, but may\nbe elsewhere in the file depending on the
> exact
> > > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> > > Ensuring config directories exist\n  ^ here\n"}
> > > fatal: [192.168.2.27]: FAILED! => {"msg": "The conditional check
> > > 'item.value.host_in_groups | bool' failed. The error was: error while
> > > evaluating conditional (item.value.host_in_groups | bool): 'dict
> object'
> > > has no attribute 'host_in_groups'\n\nThe error appears to be in
> > >
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> > > line 2, column 3, but may\nbe elsewhere in the file depending on the
> exact
> > > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> > > Ensuring config directories exist\n  ^ here\n"}
> > > fatal: [192.168.2.31]: FAILED! => {"msg": "The conditional check
> > > 'item.value.host_in_groups | bool' failed. The error was: error while
> > > evaluating conditional (item.value.host_in_groups | bool): 'dict
> object'
> > > has no attribute 'host_in_groups'\n\nThe error appears to be in
> > >
> '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':
> > > line 2, column 3, but may\nbe elsewhere in the file depending on the
> exact
> > > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:
> > > Ensuring config directories exist\n  ^ here\n"}
> > >
> > >
> > > it seems this configuration is discarding main.yml from
> > >
> https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
> > > not just replacing the needed variables.
> > >
> > > Regards.
> > >
> > > Le jeu. 13 avr. 2023 à 13:00, Sean Mooney <smooney at redhat.com> a
> écrit :
> > >
> > > > On Thu, 2023-04-13 at 11:41 +0100, wodel youchi wrote:
> > > > > Thanks for the help,
> > > > >
> > > > > I modified my glance-api.conf like this but no luck, I got the same
> > > > problem
> > > > > : Privsep daemon failed to start
> > > > >
> > > > > > [cinder]
> > > > > > cinder_store_auth_address = https://dashint.example.com:5000/v3
> > > > > > cinder_store_project_name = service
> > > > > > cinder_volume_type = nfstype
> > > > > > rootwrap_config = /etc/glance/rootwrap.conf
> > > > > >
> > > > > > cinder_store_user_name = glance
> > > > > > cinder_store_password = glance-password
> > > > > > cinder_catalog_info = volumev3:cinderv3:internalURL
> > > > > >
> > > > >
> > > > > > ###cinder_store_user_name = cinder
> > > > > > ###cinder_store_password = cinder-password
> > > > > >
> > > > >
> > > > >
> > > > > I thought once cinder has the capability to read & write into the
> > > > backend,
> > > > > glance will just use it to upload the images!!
> > > > >
> > > > > Another thing, about the credentials, which ones should I use?
> Glance's
> > > > or
> > > > > cinder's I thought it should be cinder's !! but in your example
> @Sean you
> > > > > used {{ glance_keystone_user }} and  {{ glance_keystone_password }}
> > > >
> > > > either would work but normally I would consider it bad practice for a
> > > > service to have the username/password for a different user's account,
> > > > so glance should always use its user to talk to other services when it's
> > > > not using the keystone user token passed in to the api.
> > > >
> > > > >
> > > > > Lastly I searched how to launch a privileged container in kolla
> but I
> > > > > didn't find anything.
> > > >
> > > > i see the issue
> > > >
> > > >
> https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10
> > > > glance api is only privileged if you use iscsi for the cinder backend.
> > > > privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi |
> > > > bool }}"
> > > > you are using nfs.
> > > >
> > > > you can work around this in your global.yaml by adding this I think
> > > >
> > > > glance_services:
> > > >   glance-api:
> > > >    privileged: true
> > > >
> > > > alternatively you can do it via the inventory file by setting that as a
> > > > host/group var.
> > > > >
> > > > > Regards.
> > > >
> > > >
> >
>
>
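Editor's note on the "Unauthorized command ... (no filter matched)" error at the top of this message: rootwrap is an allow-list, so that message means the mount never ran; it was denied before execution because no entry in any *.filters file on the container's rootwrap filters_path (the path set in the rootwrap.conf referenced by rootwrap_config in [cinder]) matched "mount -t nfs ...". Running the container privileged only gives the process the capabilities; which commands the unprivileged glance user may run as root is still decided by those filters, so the check a practitioner wants is "which filter, if any, matches this exact argv", and the caveat is that a filter broad enough to match is also the one that decides how much of root glance gets. The block below is an added example, not code from this thread, kolla-ansible, glance_store or oslo.rootwrap: a small re-implementation of how rootwrap's CommandFilter and RegExpFilter decide a command line (the semantics are an approximation of oslo.rootwrap's, not the library itself), run against three constructed filters files: one with no mount rule (the denial seen above), one with the quick CommandFilter fix (any mount as root), and a RegExpFilter variant restricted to NFS exports mounted under /var/lib/glance/mnt/nfs. The filter names, the shortened mount-point hash and the second "evil" command line are all constructed for the demo.

```python
"""Added example (not code from the thread, kolla-ansible or oslo.rootwrap):
a small re-implementation of how rootwrap decides whether a command is
authorized, to show where "Unauthorized command ... (no filter matched)"
comes from.  Semantics approximate oslo.rootwrap's CommandFilter and
RegExpFilter; the filters files below are constructed for this demo."""
import configparser
import os
import re
import shlex

# The command glance-rootwrap rejected in the post (mount point shortened
# to a constructed hash).
MOUNT_CMD = shlex.split(
    "mount -t nfs 20.1.0.32:/kolla_nfs /var/lib/glance/mnt/nfs/0123abcd")

# Constructed: a filters file with no mount rule at all.  Anything not
# matched here is denied, which is the "(no filter matched)" case.
NO_MOUNT_FILTERS = r"""
[Filters]
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
"""

# Constructed: the quick fix.  CommandFilter only looks at the executable
# name, so this lets glance mount anything, anywhere, as root.
BROAD_FILTERS = NO_MOUNT_FILTERS + r"""
mount: CommandFilter, mount, root
umount: CommandFilter, umount, root
"""

# Constructed: least-privilege variant.  RegExpFilter anchors one regex to
# every argument, so only NFS exports mounted under glance's own mount
# directory get through.
TIGHT_FILTERS = NO_MOUNT_FILTERS + r"""
mount_nfs: RegExpFilter, mount, root, mount, -t, nfs, [0-9.]+:/[^ ]+, /var/lib/glance/mnt/nfs/[0-9a-f]+
umount_nfs: RegExpFilter, umount, root, umount, /var/lib/glance/mnt/nfs/[0-9a-f]+
"""


def parse_filters(text):
    """Parse 'name: Type, exec_path, run_as[, arg-regex...]' entries."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for name, value in cp.items("Filters"):
        kind, exec_path, run_as, *arg_patterns = [p.strip() for p in value.split(",")]
        rules.append((name, kind, exec_path, run_as, arg_patterns))
    return rules


def authorize(rules, argv):
    """Return the name of the first rule allowing argv, or None (denied)."""
    for name, kind, exec_path, _run_as, arg_patterns in rules:
        if kind == "CommandFilter":
            # Only the executable name is checked; arguments are unrestricted.
            if os.path.basename(argv[0]) == os.path.basename(exec_path):
                return name
        elif kind == "RegExpFilter":
            # One anchored regex per argument, argv[0] included; the
            # argument count must match exactly.
            if len(arg_patterns) == len(argv) and all(
                    re.match(pat + "$", arg) for pat, arg in zip(arg_patterns, argv)):
                return name
    return None


def decide(filters_text, cmdline):
    """Verdict for a command line, worded like rootwrap's own message."""
    rule = authorize(parse_filters(filters_text), shlex.split(cmdline))
    if rule is None:
        return "Unauthorized command: %s (no filter matched)" % cmdline
    return "allowed by filter %r" % rule


if __name__ == "__main__":
    for label, text in (("no mount rule", NO_MOUNT_FILTERS),
                        ("CommandFilter", BROAD_FILTERS),
                        ("RegExpFilter", TIGHT_FILTERS)):
        print(label, "->", decide(text, " ".join(MOUNT_CMD)))
        print(label, "->", decide(text, "mount -t nfs 10.0.0.9:/x /etc"))
```

The third file is the one to aim for: the NFS mount from the post is allowed, while "mount -t nfs 10.0.0.9:/x /etc" is still denied, whereas the plain CommandFilter accepts both. Whatever the real filters file on the container looks like, the same check applies: feed it the exact argv from the rejected command and confirm which rule matches and how much else that rule would let through.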