ceph-radosgw bz#1683290 #3638
volume avoiding to expose useless information. This bug is referred to the following bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1683290 Signed-off-by: fpantano <[email protected]>
Because the BZ is very specific to TripleO and TripleO only supports CentOS/RHEL, I don't think we need to specify another distribution here.
Currently the CI is failing because we're running a CentOS container on an Ubuntu host, so the volume mapping doesn't work.
Also, we only need /etc/pki/ca-trust/extracted and not /etc/pki/ca-trust/source/anchors, because when a CA certificate is added to the trusted CA bundle via update-ca-trust, it gets the certificates from the source directory and generates the output in the extracted directory. In the end we don't need the source directory anymore.
Finally, you need to change the volume flag from ro to z, otherwise you won't be able to do a lookup in that directory from the container.
Referring to BZ#1683290, as dsavineau suggests, since this bug is TripleO specific, removed the Ubuntu section and removed useless mountpoints.
Signed-off-by: fpantano <[email protected]>
Initially, binding /etc/pki/ca-trust/extracted:z to mon/rgw containers was done to solve an OSP TripleO issue on RHEL (ceph#3638), but using the z flag brought other issues like https://bugzilla.redhat.com/show_bug.cgi?id=2026953
The z flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder. Solving this requires modifying the ceph-selinux package to allow container_t flagged processes to have access to files/folders labelled with cert_t, and using ro instead of the z flag. 2 PRs are created to solve this issue: one for ceph-selinux and another one for ceph-ansible.
Signed-off-by: Teoman ONAY <[email protected]>
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag (introduced to solve an OSP TripleO issue on RHEL - ceph#3638), but using this flag on that specific folder brought other issues like https://bugzilla.redhat.com/show_bug.cgi?id=2026953
The z flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.
Signed-off-by: Teoman ONAY <[email protected]>
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag (introduced to solve an OSP TripleO issue on RHEL - ceph#3638), but using this flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.
Signed-off-by: Teoman ONAY <[email protected]>
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag (introduced to solve an OSP TripleO issue on RHEL - #3638), but using this flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.
Signed-off-by: Teoman ONAY <[email protected]>
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag (introduced to solve an OSP TripleO issue on RHEL - #3638), but using this flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.
Signed-off-by: Teoman ONAY <[email protected]>
(cherry picked from commit 7e8ce25)
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag (introduced to solve an OSP TripleO issue on RHEL - #3638), but using this flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.
Signed-off-by: Teoman ONAY <[email protected]>
(cherry picked from commit 7e8ce25)
(cherry picked from commit cf44ad7)
Added to the ceph-radosgw service template the ca-trust volume avoiding to expose useless information.
This bug is referred to the following bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1683290
Signed-off-by: fpantano [email protected]
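
The check below is an added example, not part of this pull request or of ceph-ansible: it scans container run arguments (such as a systemd unit) for bind mounts that apply the SELinux z/Z relabel option to a host certificate directory, the condition the later commits in this thread describe as breaking host services like sssd. The shared-path list, the function names and the sample unit are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ceph-ansible code). z/Z on a bind mount asks the container
# runtime to relabel the host directory, so host services may lose access.

# Assumption: host directories that services on the host also read.
SHARED_PATHS="/etc/pki /etc/ssl"

# audit_mounts: read run arguments on stdin; for each host:container[:opts]
# bind mount under a shared path print "RELABEL <spec>" or "OK <spec>".
# Exit status is 1 if any RELABEL was printed, else 0.
audit_mounts() {
    awk -v shared="$SHARED_PATHS" '
    BEGIN { n = split(shared, roots, " ") }
    {
        for (i = 1; i <= NF; i++) {
            spec = $i
            sub(/^--volume=/, "", spec)            # accept --volume=SPEC too
            split(spec, p, ":")
            if (p[1] !~ /^\// || p[2] !~ /^\//) continue   # not a bind mount
            hit = 0
            for (k = 1; k <= n; k++)
                if (p[1] == roots[k] || index(p[1], roots[k] "/") == 1) hit = 1
            if (!hit) continue
            verdict = "OK"
            m = split(p[3], o, ",")
            for (j = 1; j <= m; j++)
                if (o[j] == "z" || o[j] == "Z") { verdict = "RELABEL"; bad = 1 }
            print verdict, spec
        }
    }
    END { exit bad + 0 }'
}

# sample_unit OPT: constructed ExecStart line; OPT is the ca-trust mount option.
sample_unit() {
    sed "s/@OPT@/$1/" <<'EOF'
ExecStart=/usr/bin/podman run --rm --net=host \
  -v /var/lib/ceph:/var/lib/ceph:z \
  -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:@OPT@ \
  -v /etc/localtime:/etc/localtime:ro \
  example.invalid/ceph/daemon:latest
EOF
}

# Demo: the mount as first merged (z), then with ro as the later commits use.
sample_unit z  | audit_mounts || echo "-> shared host path is being relabelled"
sample_unit ro | audit_mounts
```
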