Hi;

I have managed to start the glance-api container in privileged mode, but I still have issues getting glance to use my cinder backend backed by nfs.

When I push an image, now I am getting:

Stderr: '/var/lib/kolla/venv/bin/glance-rootwrap: Unauthorized command: mount -t nfs 20.1.0.32:/kolla_nfs /var/lib/glance/mnt/nfs/f6f6b4ee42b4f3522a75f422887010ad2c47f8624 f97bf3623b13014f22186b7 (no filter matched)\n'

Any ideas on that?

PS: How I managed to start glance-api as a privileged container

1 - I edited this file and added this variable
vim kollavenv/yogavenv/share/kolla-ansible/ansible/group_vars/all.yml

    glance_privileged_container: "no"

2 - I edited this file
vim kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/defaults/main.yml

    ---
    glance_services:
      glance-api:
        container_name: glance_api
        group: glance-api
        host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"
        enabled: true
        image: "{{ glance_api_image_full }}"
        environment: "{{ glance_api_container_proxy }}"
        privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool or glance_privileged_container | bool }}"  # <-------

3 - I added this configuration to my globals.yml
vim /etc/yogakolla/globals.yml

    glance_privileged_container: "yes"

4 - Then I redeployed the glance service

    kolla-ansible --configdir /etc/yogakolla -i multinode-yoga deploy --tags glance -v

5 - Verifying

    [root@controllerb ~]# docker inspect glance_api | grep -i pri
                "IpcMode": "private",
                "Privileged": true,
                        "Propagation": "rprivate"
                        "Propagation": "rprivate"
                    "PS1=$(tput bold)($(printenv KOLLA_SERVICE_NAME))$(tput sgr0)[$(id -un)@$(hostname -s) $(pwd)]$ ",

Regards.

On Fri, 14 Apr 2023 at 12:48, Sean Mooney <smooney@redhat.com> wrote:
On Fri, 2023-04-14 at 12:46 +0100, Sean Mooney wrote:
given it appears to be replacing it directly instead of merging then you need to add the following to global.yaml instead
slight correction you will also need to include the glance-tls-proxy section
https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/gl...
since that is also under glance_services so copy all the highlighted section

    glance_services:
      glance-api:
        container_name: glance_api
        group: glance-api
        host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"
        enabled: true
        image: "{{ glance_api_image_full }}"
        environment: "{{ glance_api_container_proxy }}"
        privileged: true
        volumes: "{{ glance_api_default_volumes + glance_api_extra_volumes }}"
        dimensions: "{{ glance_api_dimensions }}"
        healthcheck: "{{ glance_api_healthcheck }}"
        haproxy:
          glance_api:
            enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"
            mode: "http"
            external: false
            port: "{{ glance_api_port }}"
            frontend_http_extra:
              - "timeout client {{ haproxy_glance_api_client_timeout }}"
            backend_http_extra:
              - "timeout server {{ haproxy_glance_api_server_timeout }}"
            custom_member_list: "{{ haproxy_members.split(';') }}"
          glance_api_external:
            enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"
            mode: "http"
            external: true
            port: "{{ glance_api_port }}"
            frontend_http_extra:
              - "timeout client {{ haproxy_glance_api_client_timeout }}"
            backend_http_extra:
              - "timeout server {{ haproxy_glance_api_server_timeout }}"
            custom_member_list: "{{ haproxy_members.split(';') }}"

basically copy the default with all the templates and just update privileged to true
On Thu, 2023-04-13 at 15:23 +0100, wodel youchi wrote:
Hi,
Adding those lines to globals.yml did produce errors, complaining about the enabled line missing

    glance_services:
      glance-api:
        privileged: true

Then I tried this

    glance_services:
      glance-api:
        enabled: true
        privileged: true

Gave these errors

fatal: [192.168.2.23]: FAILED! => {"msg": "The conditional check 'item.value.host_in_groups | bool' failed. The error was: error while evaluating conditional (item.value.host_in_groups | bool): 'dict object' has no attribute 'host_in_groups'\n\nThe error appears to be in '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensuring config directories exist\n ^ here\n"}

fatal: [192.168.2.27]: FAILED! => {"msg": "The conditional check 'item.value.host_in_groups | bool' failed. The error was: error while evaluating conditional (item.value.host_in_groups | bool): 'dict object' has no attribute 'host_in_groups'\n\nThe error appears to be in '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensuring config directories exist\n ^ here\n"}

fatal: [192.168.2.31]: FAILED! => {"msg": "The conditional check 'item.value.host_in_groups | bool' failed. The error was: error while evaluating conditional (item.value.host_in_groups | bool): 'dict object' has no attribute 'host_in_groups'\n\nThe error appears to be in '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensuring config directories exist\n ^ here\n"}

it seems, this configuration is discarding main.yml from
https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/gl...
not just replacing the needed variables.
Regards.
On Thu, 13 Apr 2023 at 13:00, Sean Mooney <smooney@redhat.com> wrote:
On Thu, 2023-04-13 at 11:41 +0100, wodel youchi wrote:
Thanks for the help,
I modified my glance-api.conf like this but no luck, I got the same problem: Privsep daemon failed to start

    [cinder]
    cinder_store_auth_address = https://dashint.example.com:5000/v3
    cinder_store_project_name = service
    cinder_volume_type = nfstype
    rootwrap_config = /etc/glance/rootwrap.conf
    cinder_store_user_name = glance
    cinder_store_password = glance-password
    cinder_catalog_info = volumev3:cinderv3:internalURL
    ###cinder_store_user_name = cinder
    ###cinder_store_password = cinder-password

I thought once cinder has the capability to read & write into the backend, glance will just use it to upload the images!!
Another thing, about the credentials, which ones should I use? Glance's or cinder's I thought it should be cinder's !! but in your example @Sean you used {{ glance_keystone_user }} and {{ glance_keystone_password }}
either would work but normally i would consider it bad practice for a service to have the username/password for a different user's account so glance should always use its user to talk to other services when it's not using the keystone user token passed in to the api.
Lastly I searched how to launch a privileged container in kolla but I didn't find anything.
i see the issue
https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/gl...
glance api is only privileged if you use iscsi for the cinder backend.

    privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"

you are using nfs.
you can workaround this in your global.yaml by adding this i think

    glance_services:
      glance-api:
        privileged: true

alternatively you can do it via the inventory file by setting that as a host/group var.
Regards.
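
Added example, not part of the thread or of kolla-ansible: a simplified Python model of why the partial glance_services override failed, comparing Ansible's default replace handling of a higher-precedence dict variable with a recursive merge. The dict is trimmed from the role default quoted above, and the helper names (replace_vars, deep_merge, missing_keys) are hypothetical.

```python
# Simplified model: a higher-precedence variable (globals.yml) replaces the
# whole glance_services dict; Ansible's default hash_behaviour is "replace".
import copy

# Role default, trimmed to keys quoted in the thread (templates kept as strings).
ROLE_DEFAULT = {
    "glance_services": {
        "glance-api": {
            "container_name": "glance_api",
            "group": "glance-api",
            "host_in_groups": "{{ inventory_hostname in glance_api_hosts }}",
            "enabled": True,
            "privileged": "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}",
        }
    }
}
# The override first tried in globals.yml.
PARTIAL_OVERRIDE = {"glance_services": {"glance-api": {"privileged": True}}}
# Keys the failing deploy complained about, per the errors in the thread.
REQUIRED = ("enabled", "host_in_groups")

def replace_vars(defaults, override):
    """Each top-level variable in override replaces the default wholesale."""
    merged = copy.deepcopy(defaults)
    merged.update(copy.deepcopy(override))
    return merged

def deep_merge(defaults, override):
    """Recursive dict merge, shown for comparison; not what the deploy did."""
    merged = copy.deepcopy(defaults)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def missing_keys(variables):
    """Return {service: [required keys absent]} for glance_services."""
    gaps = {}
    for name, svc in variables["glance_services"].items():
        absent = [k for k in REQUIRED if k not in svc]
        if absent:
            gaps[name] = absent
    return gaps

if __name__ == "__main__":
    print("replace:", missing_keys(replace_vars(ROLE_DEFAULT, PARTIAL_OVERRIDE)))
    print("merge:  ", missing_keys(deep_merge(ROLE_DEFAULT, PARTIAL_OVERRIDE)))
```

Under replace the override leaves glance-api without enabled and host_in_groups, which matches the two errors reported above; copying the full default entry and changing only privileged avoids that.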