[openstack-dev] [TripleO] a need to assert user ownership in preserved state
Gregory Haynes
greg at greghaynes.net
Thu Oct 2 02:09:38 UTC 2014
Excerpts from Clint Byrum's message of 2014-10-02 01:50:33 +0000:
> Recently we've been testing image based updates using TripleO, and we've
> run into an interesting conundrum.
>
> Currently, our image build scripts create a user per service for the
> image. We don't, at this time, assert a UID, so it could get any UID in
> the /etc/passwd database of the image.
>
> However, if we add a service that happens to have its users created
> before a previously existing service, the UID's shift by one. When
> this new image is deployed, the username might be 'ceilometer', but
> /mnt/state/var/lib/ceilometer is now owned by 'cinder'.
Wow, nice find!
>
> Here are 3 approaches, which are not mutually exclusive to one another.
> There are likely others, and I'd be interested in hearing your ideas.
>
> * Static UID's for all state-preserving services. Basically we'd just
> allocate these UID's from a static pool and those are always the UIDs
> no matter what. This is the simplest solution, but does not help
> anybody who is already looking to update a TripleO cloud. Also, this
> would cause problems if TripleO wants to merge with any existing
> system that might also want to use similar UID's. This also provides
> no guard against non-static UID's storing things on the state
> partition.
+1 for this approach for the reasons mentioned.
>
> * Fix the UID's on image update. We can backup /etc/passwd and
> /etc/group to /mnt/state, and on bootup we can diff the two, and any
> UIDs that changed can be migrated. This could be very costly if the
> swift storage UID changed, with millions of files present on the
> system. This merge process is also not atomic and may not be
> reversible, so it is a bit scary to automate this.
If we really want to go with this type of aproach we could also just
copy the existing /etc/passwd into the image thats being built. Then
when users are added they should be added in after existing users.
I still prefer the first solution, though.
>
> * Assert ownership when registering state path. We could have any
> state-preserving elements register their desire for any important
> globs for the state drive to be owned by a particular symbolic
> username. This is just a different, more manual way to fix the UID's
> and carries the same cons.
>
> So, what do people think?
>
More information about the OpenStack-dev
mailing list