ceph-radosgw bz#1683290 #3638

Merged
merged 4 commits into from
Feb 28, 2019

fmount
Contributor

@fmount fmount commented Feb 26, 2019

Added the ca-trust volume to the ceph-radosgw service template, avoiding exposing useless information.
This bug refers to the following Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1683290

Signed-off-by: fpantano <fpantano@redhat.com>

Contributor

@dsavineau dsavineau left a comment

Because the BZ is very specific to TripleO and TripleO only supports CentOS/RHEL, I don't think we need to specify another distribution here.

Currently the CI is failing because we're running a CentOS container on an Ubuntu host, so the volume mapping doesn't work.

Also we only need /etc/pki/ca-trust/extracted and not /etc/pki/ca-trust/source/anchors because when a CA certificate is added to the trusted CA bundle via update-ca-trust, it gets the certificates from the source directory and generates the output in the extracted directory. In the end we no longer need the source directory.

Finally, you need to change the volume flag from ro to z, otherwise you won't be able to do lookups in that directory from the container.

Referring to BZ#1683290, as dsavineau suggests, since this
bug is TripleO specific, removed the Ubuntu section and removed
useless mountpoints.

Signed-off-by: fpantano <fpantano@redhat.com>
@mergify mergify bot merged commit 21fad7c into ceph:master Feb 28, 2019
asm0deuz added a commit to asm0deuz/ceph-ansible that referenced this pull request Jan 27, 2022
Initially binding /etc/pki/ca-trust/extracted:z to mon/rgw containers
was done to solve an OSP TripleO issue on RHEL
(ceph#3638) but by using the z flag it
brought other issues like https://bugzilla.redhat.com/show_bug.cgi?id=2026953
The z flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Solving this requires modifying the ceph-selinux package to allow
container_t flagged processes to have access to files/folders labelled with
cert_t and use ro instead of z flag.

2 PRs are created to solve this issue. One for ceph-selinux and another one for
ceph-ansible.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
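
A check for the problem this commit message describes, as an added example that is not part of the pull request or of ceph-ansible: it scans a container start command for bind mounts that apply `:z`/`:Z` relabeling to host certificate directories and proposes the `ro` form. The sample command, the image name and the `PROTECTED` list are constructed for illustration.

```python
import posixpath
import shlex

# Host directories whose SELinux labels host services rely on.
# Assumed list for this example; /etc/pki is the path discussed in this thread.
PROTECTED = ("/etc/pki", "/etc/ssl")

# Constructed sample: a container start command like one a systemd unit might hold.
SAMPLE_CMD = r"""/usr/bin/docker run --rm --net=host \
  -v /var/lib/ceph:/var/lib/ceph:z \
  -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \
  --volume=/etc/localtime:/etc/localtime:ro \
  example.invalid/ceph-image"""


def volume_specs(cmdline):
    """Yield every SRC:DST[:OPTS] string passed via -v / --volume."""
    tokens = shlex.split(cmdline.replace("\\\n", " "))  # join continued lines
    for i, tok in enumerate(tokens):
        if tok in ("-v", "--volume") and i + 1 < len(tokens):
            yield tokens[i + 1]
        elif tok.startswith("--volume="):
            yield tok.split("=", 1)[1]


def is_protected(path):
    """True if path is one of the PROTECTED directories or lies below one."""
    path = posixpath.normpath(path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def audit(cmdline):
    """Return (spec, suggestion) for binds that relabel a protected host path."""
    findings = []
    for spec in volume_specs(cmdline):
        parts = spec.split(":")
        if len(parts) < 3:  # no options given, so nothing is relabelled
            continue
        src, dst, opts = parts[0], parts[1], parts[2].split(",")
        if is_protected(src) and any(o in ("z", "Z") for o in opts):
            # z/Z rewrite the SELinux label on the host files themselves.
            kept = [o for o in opts if o not in ("z", "Z", "rw", "ro")]
            findings.append((spec, ":".join([src, dst, ",".join(["ro"] + kept)])))
    return findings


if __name__ == "__main__":
    for spec, fix in audit(SAMPLE_CMD):
        print(f"relabels host path: {spec}  ->  consider {fix}")
```

Per the commit message above, the `ro` form only works once the SELinux policy lets `container_t` processes read files labelled `cert_t`.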
asm0deuz added a commit to asm0deuz/ceph-ansible that referenced this pull request Mar 7, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - ceph#3638) but using
this flag on that specific folder brought other issues like
https://bugzilla.redhat.com/show_bug.cgi?id=2026953
The z flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
asm0deuz added a commit to asm0deuz/ceph-ansible that referenced this pull request Mar 7, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - ceph#3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
guits pushed a commit that referenced this pull request Mar 8, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - #3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
mergify bot pushed a commit that referenced this pull request Mar 8, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - #3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
(cherry picked from commit 7e8ce25)
guits pushed a commit that referenced this pull request Mar 10, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - #3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
(cherry picked from commit 7e8ce25)
guits pushed a commit that referenced this pull request May 9, 2022
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - #3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
(cherry picked from commit 7e8ce25)
(cherry picked from commit cf44ad7)
stuartgrace-bbc pushed a commit to bbc/ceph-ansible that referenced this pull request Jan 30, 2024
Initially MONs and RGW bound /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - ceph#3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>