<div dir="ltr"><div>Hi,</div><div><br></div><div>I have managed to start the glance-api container in privileged mode, but I still have issues getting glance to use my cinder backend backed by nfs.</div><div><br></div><div>When I push an image, I am now getting:</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">Stderr: '/var/lib/kolla/venv/bin/glance-rootwrap: Unauthorized command: mount -t nfs 20.1.0.32:/kolla_nfs /var/lib/glance/mnt/nfs/f6f6b4ee42b4f3522a75f422887010ad2c47f8624f97bf3623b13014f22186b7 (no filter matched)\n'</span></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">Any ideas on that?</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">PS: How I managed to start the glance-api as a privileged container<br></span></div><div><span style="font-family:monospace">1 - I edited this file and added this variable</span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">vim kollavenv/yogavenv/share/kolla-ansible/ansible/group_vars/all.yml</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(24,178,178);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">_privileged_container</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">"no"</span><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">2 - I edited this file</span></div><div><span 
style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">vim kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/defaults/main.yml</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">---</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br><span style="color:rgb(24,178,178);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">_services</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">-api</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">container_name</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(0,0,0);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">_api
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">group</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(0,0,0);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">-api
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">host_in_groups</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">"{{ inventory_hostname in </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">_api_hosts }}"</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">enabled</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">true</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">image</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">"{{ </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">_api_image_full }}"</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">environment</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">"{{ </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,84)">glance</span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">_api_container_proxy }}"</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>&nbsp;&nbsp;&nbsp;&nbsp;<b><span style="color:rgb(24,178,178);background-color:rgb(255,255,255)">privileged</span><span style="color:rgb(178,24,178);background-color:rgb(255,255,255)">:</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"> </span><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)">"{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool <u>or </u></span><u><span style="color:rgb(178,24,24);background-color:rgb(255,255,84)">glance</span></u><span style="color:rgb(178,24,24);background-color:rgb(255,255,255)"><u>_privileged_container | bool</u> }}"</span></b> &lt;-------<br><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br><br></span></div><div><span style="font-family:monospace">3 - I added this configuration to my globals.yml<br></span></div><div><span style="font-family:monospace">vim /etc/yogakolla/globals.yml</span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">glance_privileged_container: "yes"</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"><br></span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">4 - Then I redeployed the glance service</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">kolla-ansible --configdir /etc/yogakolla -i multinode-yoga deploy --tags glance -v</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"><br></span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">5 - Verifying</span></span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">[root@controllerb ~]# docker inspect glance_api | grep -i pri
</span><br> "IpcMode": "<span style="font-weight:bold;color:rgb(255,84,84);background-color:rgb(255,255,255)">pri</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">vate",
</span><br> <b>"<span style="color:rgb(255,84,84);background-color:rgb(255,255,255)">Pri</span></b><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)"><b>vileged": true,</b>
</span><br> "Propagation": "r<span style="font-weight:bold;color:rgb(255,84,84);background-color:rgb(255,255,255)">pri</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">vate"
</span><br> "Propagation": "r<span style="font-weight:bold;color:rgb(255,84,84);background-color:rgb(255,255,255)">pri</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">vate"
</span><br> "PS1=$(tput bold)($(<span style="font-weight:bold;color:rgb(255,84,84);background-color:rgb(255,255,255)">pri</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">ntenv KOLLA_SERVICE_NAME))$(tput sgr0)[$(id -un)@$(hostname -s) $(pwd)]$ ",</span><br></span></div><div><span style="font-family:monospace"><br></span></div><div></div><div><br></div><div><br></div><div><br></div><div>Regards.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 14 Apr 2023 at 12:48, Sean Mooney &lt;<a href="mailto:smooney@redhat.com">smooney@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 2023-04-14 at 12:46 +0100, Sean Mooney wrote:<br>
> given it appears to be replacing it directly instead of merging then you need to add the following to global.yaml instead<br>
> <br>
slight correction you will also need to include the glance-tls-proxy section<br>
<a href="https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L2-L66" rel="noreferrer" target="_blank">https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L2-L66</a><br>
since that is also under glance_services so copy all the highlighted section<br>
<br>
<br>
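> glance_services:<br>
> &nbsp;&nbsp;glance-api:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;container_name: glance_api<br>
> &nbsp;&nbsp;&nbsp;&nbsp;group: glance-api<br>
> &nbsp;&nbsp;&nbsp;&nbsp;host_in_groups: "{{ inventory_hostname in glance_api_hosts }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;enabled: true<br>
> &nbsp;&nbsp;&nbsp;&nbsp;image: "{{ glance_api_image_full }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;environment: "{{ glance_api_container_proxy }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;privileged: true<br>
> &nbsp;&nbsp;&nbsp;&nbsp;volumes: "{{ glance_api_default_volumes + glance_api_extra_volumes }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;dimensions: "{{ glance_api_dimensions }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;healthcheck: "{{ glance_api_healthcheck }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;haproxy:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;glance_api:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mode: "http"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;external: false<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;port: "{{ glance_api_port }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;frontend_http_extra:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- "timeout client {{ haproxy_glance_api_client_timeout }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;backend_http_extra:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- "timeout server {{ haproxy_glance_api_server_timeout }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;custom_member_list: "{{ haproxy_members.split(';') }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;glance_api_external:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mode: "http"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;external: true<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;port: "{{ glance_api_port }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;frontend_http_extra:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- "timeout client {{ haproxy_glance_api_client_timeout }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;backend_http_extra:<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- "timeout server {{ haproxy_glance_api_server_timeout }}"<br>
> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;custom_member_list: "{{ haproxy_members.split(';') }}"<br>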
> <br>
> <br>
> <br>
> basically copy the default with all the templates and just update privileged to true<br>
> <br>
> On Thu, 2023-04-13 at 15:23 +0100, wodel youchi wrote:<br>
> > Hi,<br>
> > <br>
> > Adding those lines to globals.yml did produce errors, complaining about the<br>
> > enabled line missing<br>
> > <br>
> > > glance_services:<br>
> > > &nbsp;&nbsp;glance-api:<br>
> > > &nbsp;&nbsp;&nbsp;&nbsp;privileged: true<br>
> > > <br>
> > <br>
> > Then I tried this<br>
> > <br>
> > > glance_services:<br>
> > > &nbsp;&nbsp;glance-api:<br>
> > > &nbsp;&nbsp;&nbsp;&nbsp;enabled: true<br>
> > > &nbsp;&nbsp;&nbsp;&nbsp;privileged: true<br>
> > > <br>
> > <br>
> > Gave these errors<br>
> > fatal: [192.168.2.23]: FAILED! => {"msg": "The conditional check<br>
> > 'item.value.host_in_groups | bool' failed. The error was: error while<br>
> > evaluating conditional (item.value.host_in_groups | bool): 'dict object'<br>
> > has no attribute 'host_in_groups'\n\nThe error appears to be in<br>
> > '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':<br>
> > line 2, column 3, but may\nbe elsewhere in the file depending on the exact<br>
> > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:<br>
> > Ensuring config directories exist\n ^ here\n"}<br>
> > fatal: [192.168.2.27]: FAILED! => {"msg": "The conditional check<br>
> > 'item.value.host_in_groups | bool' failed. The error was: error while<br>
> > evaluating conditional (item.value.host_in_groups | bool): 'dict object'<br>
> > has no attribute 'host_in_groups'\n\nThe error appears to be in<br>
> > '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':<br>
> > line 2, column 3, but may\nbe elsewhere in the file depending on the exact<br>
> > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:<br>
> > Ensuring config directories exist\n ^ here\n"}<br>
> > fatal: [192.168.2.31]: FAILED! => {"msg": "The conditional check<br>
> > 'item.value.host_in_groups | bool' failed. The error was: error while<br>
> > evaluating conditional (item.value.host_in_groups | bool): 'dict object'<br>
> > has no attribute 'host_in_groups'\n\nThe error appears to be in<br>
> > '/home/deployer/kollavenv/yogavenv/share/kolla-ansible/ansible/roles/glance/tasks/config.yml':<br>
> > line 2, column 3, but may\nbe elsewhere in the file depending on the exact<br>
> > syntax problem.\n\nThe offending line appears to be:\n\n---\n- name:<br>
> > Ensuring config directories exist\n ^ here\n"}<br>
> > <br>
> > <br>
> > it seems, this configuration is discarding main.yml from<br>
> > <a href="https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10" rel="noreferrer" target="_blank">https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10</a><br>
> > not just replacing the needed variables.<br>
> > <br>
> > Regards.<br>
> > <br>
> > On Thu, 13 Apr 2023 at 13:00, Sean Mooney &lt;<a href="mailto:smooney@redhat.com" target="_blank">smooney@redhat.com</a>&gt; wrote:<br>
> > <br>
> > > On Thu, 2023-04-13 at 11:41 +0100, wodel youchi wrote:<br>
> > > > Thanks for the help,<br>
> > > > <br>
> > > > I modified my glance-api.conf like this but no luck, I got the same problem:<br>
> > > > Privsep daemon failed to start<br>
> > > > <br>
> > > > > [cinder]<br>
> > > > > cinder_store_auth_address = <a href="https://dashint.example.com:5000/v3" rel="noreferrer" target="_blank">https://dashint.example.com:5000/v3</a><br>
> > > > > cinder_store_project_name = service<br>
> > > > > cinder_volume_type = nfstype<br>
> > > > > rootwrap_config = /etc/glance/rootwrap.conf<br>
> > > > > <br>
> > > > > cinder_store_user_name = glance<br>
> > > > > cinder_store_password = glance-password<br>
> > > > > cinder_catalog_info = volumev3:cinderv3:internalURL<br>
> > > > > <br>
> > > > > ###cinder_store_user_name = cinder<br>
> > > > > ###cinder_store_password = cinder-password<br>
> > > > > <br>
> > > > <br>
> > > > <br>
> > > > I thought once cinder has the capability to read &amp; write into the backend,<br>
> > > > glance will just use it to upload the images!!<br>
> > > > <br>
> > > > Another thing, about the credentials, which ones should I use? Glance's or<br>
> > > > cinder's? I thought it should be cinder's!! But in your example @Sean you<br>
> > > > used {{ glance_keystone_user }} and {{ glance_keystone_password }}<br>
> > > <br>
> > > either would work but normally i would consider it bad practice for a<br>
> > > service to have the username/password for a different user's account<br>
> > > so glance should always use its user to talk to other services when it's<br>
> > > not using the keystone user token passed in to the api.<br>
> > > <br>
> > > > <br>
> > > > Lastly I searched how to launch a privileged container in kolla but I<br>
> > > > didn't find anything.<br>
> > > <br>
> > > i see the issue<br>
> > > <br>
> > > <a href="https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10" rel="noreferrer" target="_blank">https://github.com/openstack/kolla-ansible/blob/stable/yoga/ansible/roles/glance/defaults/main.yml#L10</a><br>
> > > glance api is only privileged if you use iscsi for the cinder backend.<br>
> > > privileged: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"<br>
> > > you are using nfs.<br>
> > > <br>
> > > you can work around this in your global.yaml by adding this i think<br>
> > > <br>
> > > glance_services:<br>
> > > &nbsp;&nbsp;glance-api:<br>
> > > &nbsp;&nbsp;&nbsp;&nbsp;privileged: true<br>
> > > <br>
> > > alternatively you can do it via the inventory file by setting that as a<br>
> > > host/group var.<br>
> > > > <br>
> > > > Regards.<br>
> > > <br>
> > > <br>
> <br>
<br>
</blockquote></div>
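<div>Added example (not part of the original thread, and not oslo.rootwrap's own code): a simplified Python model of how a rootwrap filter list is matched, showing why the <code>mount -t nfs</code> command from the error above is reported as "no filter matched" when no loaded filter entry names <code>mount</code>. Both filter files are constructed samples, and <code>mount_nfs</code> is a hypothetical least-privilege entry; the filter files actually shipped in the glance container may differ.</div>

```python
import configparser
import os
import re

# Constructed sample filter files in the rootwrap INI layout:
#   name: FilterClass, executable, run_as_user[, argument patterns...]
FILTERS_WITHOUT_MOUNT = r"""
[Filters]
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
"""

# Hypothetical narrow entry: only NFS mounts under glance's NFS mount base.
FILTERS_WITH_NFS_MOUNT = FILTERS_WITHOUT_MOUNT + r"""
mount_nfs: RegExpFilter, mount, root, mount, -t, nfs, [\w.\-]+:/[\w/.\-]+, /var/lib/glance/mnt/nfs/[0-9a-f]{64}
"""

# Command taken from the rootwrap error quoted in the thread.
NFS_MOUNT_ARGS = [
    "mount", "-t", "nfs", "20.1.0.32:/kolla_nfs",
    "/var/lib/glance/mnt/nfs/"
    "f6f6b4ee42b4f3522a75f422887010ad2c47f8624f97bf3623b13014f22186b7",
]


def load_filters(text):
    """Parse a [Filters] section into (name, kind, exe, run_as, patterns)."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    filters = []
    for name, value in parser.items("Filters"):
        kind, exe, run_as, *patterns = [p.strip() for p in value.split(",")]
        filters.append((name, kind, exe, run_as, patterns))
    return filters


def match_filter(filters, userargs):
    """Return the name of the first filter allowing userargs, or None."""
    for name, kind, exe, _run_as, patterns in filters:
        if kind == "CommandFilter":
            # Allows the executable with any arguments at all.
            if userargs and userargs[0] == os.path.basename(exe):
                return name
        elif kind == "RegExpFilter":
            # Same argument count, and every argument fully matches its pattern.
            if len(patterns) == len(userargs) and all(
                re.fullmatch(p, a) for p, a in zip(patterns, userargs)
            ):
                return name
    return None  # rootwrap reports this case as "no filter matched"
```

Running a container as privileged does not change this result: rootwrap decides from its filter files alone, so the command is refused until a matching entry is loaded.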