
Re: [Rdo-list] Tripleo Liberty Cinder permission denied



Hi,

Yes many thanks, I simply had the same IP for the NetApp server name as the NetApp vServer name which meant the API was trying to use the data path not mgmt path.
Fixed

Charles

On 29/04/2016 14:55, Christopher Brown wrote:
Hi Charles,

On Fri, 2016-04-29 at 14:32 +0100, Charles Short wrote:
ok applying specific uid/gid 165 to the NetApp volume solved the
permission error.
Cinder now successfully writes .cinderSecureEnvIndicator to the
export.
Great stuff.

But I have a new error now and the service is still down...

/var/log/cinder/volume.log:2016-04-29 13:20:24.004 3902 ERROR cinder.volume.manager [req-a4544310-84c6-4602-a944-7efaee5ff90f - - - - -] Failed to initialize driver.
...
/var/log/cinder/volume.log:2016-04-29 13:20:24.004 3902 ERROR cinder.volume.manager     raise NaApiError('Unexpected error')
/var/log/cinder/volume.log:2016-04-29 13:20:24.004 3902 ERROR cinder.volume.manager NaApiError: NetApp API failed. Reason - Unexpected error:unknown

Have you seen this one?

No but maybe the conf might be pointing to the mgmt IP rather than the
data IP? Are you using 7 mode or ontap? Feel free to post the conf file
(redacting security stuff obviously) if you like. Also check
authentication perhaps.

Charles


On 29/04/2016 12:40, Charles Short wrote:
Hi,

Thanks for this.

1) Yes unlikely as root can write to it.

2) Already set to permissive.

3) When we set up our previous OSP6 (Juno) environment using the same
NetApp storage system, only root had permission to write to the NetApp
volume and all worked fine. When our storage team set up this volume,
it was also as root (same settings as the last setup). I suspect that
Cinder uid usage is now enforced. I will get the storage team to make
the changes and see if this helps.

Regards

Charles


On 29/04/2016 11:49, Christopher Brown wrote:
Hi Charles,

I had similar problems with a NetApp deployment. Three possibilities to
check:

1. Security on the export shipped by default with a missing netmask on
the export so 0.0.0.0 should be 0.0.0.0/24 or whatever you want to
restrict to. Though as you can write with sudo probably not the issue.

2. SELinux - I wonder if you try temporarily running setenforce 0 and
re-mounting if it has the same problem?

3. Cinder and Glance exports should be created with their respective
UIDs as owner. I blogged about it here:

https://chruz.wordpress.com/2016/03/31/openstack-and-clustered-data-ontap/

Hope some of this is helpful but if not would be glad to hear of
outcome.

Regards

On Fri, 2016-04-29 at 11:30 +0100, Charles Short wrote:
Hi,

Deployed Tripleo Liberty stable on baremetal, but NetApp NFS Cinder
backend is not working.

It is auto-mounting no problem, and I can write to it with sudo, but the
'tripleo_netapp' backend is enabled with state 'down' as it cannot write
to the mount point.

    cinder service-list | grep tripleo_netapp
    cinder-volume   | hostgroup tripleo_netapp | nova | enabled | down
[heat-admin overcloud-controller-0 ~]$ mount | grep cinder
[ip addr]:/[mount] on /var/lib/cinder/mnt/3fb6f6744c383eacbe46593911aa4b0f type nfs4 (rw,relatime,vers=4.1,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=[ip addr],local_lock=none,addr=[ip addr])

I can write to it -

[heat-admin overcloud-controller-0 ~]$ sudo touch /var/lib/cinder/mnt/3fb6f6744c383eacbe46593911aa4b0f/test
[heat-admin overcloud-controller-0 ~]$

But Cinder cannot -

/var/log/cinder/volume.log:2016-04-29 09:43:49.870 56696 ERROR cinder.volume.drivers.remotefs [req-99928048-2446-4967-99ba-0e85c2ba5712 - - - - -] Failed to created Cinder secure environment indicator file: [Errno 13] Permission denied: '/var/lib/cinder/mnt/3fb6f6744c383eacbe46593911aa4b0f/.cinderSecureEnvIndicator'

So this looks like an issue with the user that Cinder is using to write
to the export (cinder?)?

I have tried setting this option in cinder.conf, but it makes no
difference

nas_secure_file_operations = False

"Allow network-attached storage systems to operate in a secure
environment where root level access is not permitted. If set to False,
access is as the root user and insecure. If set to True, access is not
as root. If set to auto, a check is done to determine if this is a new
installation: True is used if so, otherwise False. Default is auto"

Any help appreciated

Thanks

Charles

--
Charles Short
Cloud Engineer
Virtualization and Cloud Team
European Bioinformatics Institute (EMBL-EBI)
Tel: +44 (0)1223 494205

--
Regards,

Christopher Brown
OpenStack Engineer
OCF plc

Tel: +44 (0)114 257 2200
Web: www.ocf.co.uk
Blog: blog.ocf.co.uk
Twitter: @ocfplc

Please note, any emails relating to an OCF Support request must always
be sent to support ocf co uk for a ticket number to be generated or
existing support ticket to be updated. Should this not be done then OCF
cannot be held responsible for requests not dealt with in a timely
manner.

OCF plc is a company registered in England and Wales. Registered number
4132533, VAT number GB 780 6803 14. Registered office address: OCF plc,
5 Rotunda Business Centre, Thorncliffe Park, Chapeltown, Sheffield S35
2PG.

If you have received this message in error, please notify us
immediately and remove it from your system.
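
The fix reported in this thread (the export owned by uid/gid 165 so that Cinder can write without root) can be checked from the controller before restarting the service. The following is an added example, not part of the original thread: the function name `check_export_owner` is hypothetical, it assumes GNU `stat`, and it looks only at the ownership and mode bits visible on the mount, not at server-side export rules or ACLs.

```shell
#!/bin/sh
# Added example: verify that a Cinder NFS mount is owned by the service
# account, so the driver can write without root-level access.

# check_export_owner DIR WANT_UID WANT_GID
# Prints a one-word verdict and returns:
#   0 ok            owned by WANT_UID:WANT_GID and owner-writable
#   1 wrong-owner   uid or gid differs (the case fixed in the thread)
#   2 not-writable  ownership matches but the owner write bit is missing
#   3 missing       DIR is not a directory
check_export_owner() {
    dir=$1 want_uid=$2 want_gid=$3
    [ -d "$dir" ] || { echo missing; return 3; }

    # GNU stat: numeric uid, numeric gid, octal permission bits
    set -- $(stat -c '%u %g %a' "$dir")
    have_uid=$1 have_gid=$2 mode=$3

    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo wrong-owner
        return 1
    fi

    # Leading 0 makes the shell read the mode as octal; bits 6-8 are the
    # owner's rwx, and value 2 within them is the write bit.
    owner_bits=$(( (0$mode >> 6) & 7 ))
    if [ $(( owner_bits & 2 )) -eq 0 ]; then
        echo not-writable
        return 2
    fi

    echo ok
    return 0
}

# With three arguments, check every mount under a base directory, e.g.
#   sh check.sh /var/lib/cinder/mnt "$(id -u cinder)" "$(id -g cinder)"
if [ "$#" -eq 3 ]; then
    for m in "$1"/*/; do
        printf '%s: ' "$m"
        check_export_owner "$m" "$2" "$3"
    done
fi
```

A `wrong-owner` result with a root-owned export matches the situation described above, where `sudo touch` succeeds but the service account gets `[Errno 13] Permission denied`.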