From 0f506f4f0a2eb000c25275df242b4e851a2e3bdf Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux <gabrioux@redhat.com>
Date: Mon, 11 Sep 2017 10:54:03 +0200
Subject: [PATCH] Docker: split the task 'copy ceph configs&keys'

All keys are copied to all nodes.
This commit split that task in each roles so keys are copied to their
respective nodes.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1488999

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
---
 roles/ceph-docker-common/tasks/main.yml       | 14 -----
 roles/ceph-docker-common/tasks/selinux.yml    |  9 ---
 roles/ceph-mds/tasks/docker/copy_configs.yml  | 38 ++++++++++++
 roles/ceph-mds/tasks/docker/main.yml          |  1 +
 roles/ceph-mgr/tasks/docker/copy_configs.yml  | 52 ++++++++++++++++
 roles/ceph-mgr/tasks/docker/main.yml          | 17 ++++++
 roles/ceph-mon/tasks/docker/copy_configs.yml  | 61 +++++++++++++++++--
 roles/ceph-mon/tasks/docker/fetch_configs.yml | 10 +++
 roles/ceph-mon/tasks/docker/main.yml          |  7 ++-
 roles/ceph-nfs/tasks/docker/copy_configs.yml  |  9 +++
 .../tasks/docker/copy_ganesha_configs.yml     | 37 +++++++++++
 roles/ceph-nfs/tasks/docker/main.yml          |  3 +
 roles/ceph-osd/tasks/copy_configs.yml         | 39 ++++++++++++
 roles/ceph-osd/tasks/main.yml                 |  5 ++
 .../tasks/docker/copy_configs.yml             | 43 +++++++++++++
 roles/ceph-rbd-mirror/tasks/docker/main.yml   |  1 +
 .../tasks/docker/copy_configs.yml             | 37 +++++++++++
 roles/ceph-restapi/tasks/docker/main.yml      |  1 +
 roles/ceph-rgw/tasks/docker/copy_configs.yml  | 50 +++++++--------
 .../tasks/docker/copy_rgw_configs.yml         | 38 ++++++++++++
 roles/ceph-rgw/tasks/docker/main.yml          |  3 +-
 21 files changed, 418 insertions(+), 57 deletions(-)
 create mode 100644 roles/ceph-mds/tasks/docker/copy_configs.yml
 create mode 100644 roles/ceph-mgr/tasks/docker/copy_configs.yml
 create mode 100644 roles/ceph-mon/tasks/docker/fetch_configs.yml
 create mode 100644 roles/ceph-nfs/tasks/docker/copy_ganesha_configs.yml
 create mode 100644 roles/ceph-osd/tasks/copy_configs.yml
 create mode 100644 roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml
 create mode 100644 roles/ceph-restapi/tasks/docker/copy_configs.yml
 create mode 100644 roles/ceph-rgw/tasks/docker/copy_rgw_configs.yml

diff --git a/roles/ceph-docker-common/tasks/main.yml b/roles/ceph-docker-common/tasks/main.yml
index 73003ed87..24f76b2a7 100644
--- a/roles/ceph-docker-common/tasks/main.yml
+++ b/roles/ceph-docker-common/tasks/main.yml
@@ -89,19 +89,5 @@
 
 - include: create_configs.yml
 
-# Only include 'fetch_configs.yml' when:
-# - we are deploying containers without kv AND host is either a mon OR a nfs OR an osd
-# OR
-# - host is either a mdss OR mgrs OR rgws
-- include: fetch_configs.yml
-  when:
-    - (not containerized_deployment_with_kv and
-        ((inventory_hostname in groups.get(mon_group_name, [])) or
-          (inventory_hostname in groups.get(nfs_group_name, [])) or
-          (inventory_hostname in groups.get(osd_group_name, [])))) or
-      (inventory_hostname in groups.get('mdss', [])) or
-      (inventory_hostname in groups.get('mgrs', [])) or
-      (inventory_hostname in groups.get('rgws', []))
-
 - include: selinux.yml
   when: ansible_os_family == 'RedHat'
diff --git a/roles/ceph-docker-common/tasks/selinux.yml b/roles/ceph-docker-common/tasks/selinux.yml
index 648d9e7ad..8e74a6375 100644
--- a/roles/ceph-docker-common/tasks/selinux.yml
+++ b/roles/ceph-docker-common/tasks/selinux.yml
@@ -4,12 +4,3 @@
   register: sestatus
   changed_when: false
   always_run: true
-
-- name: set selinux permissions
-  shell: |
-    chcon -Rt svirt_sandbox_file_t {{ item }}
-  with_items:
-    - "{{ ceph_conf_key_directory }}"
-    - /var/lib/ceph
-  changed_when: false
-  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-mds/tasks/docker/copy_configs.yml b/roles/ceph-mds/tasks/docker/copy_configs.yml
new file mode 100644
index 000000000..074f8781b
--- /dev/null
+++ b/roles/ceph-mds/tasks/docker/copy_configs.yml
@@ -0,0 +1,38 @@
+---
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /etc/ceph/{{ cluster }}.client.admin.keyring
+      - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+
+- name: try to fetch ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_together:
+    - "{{ ceph_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-mds/tasks/docker/main.yml b/roles/ceph-mds/tasks/docker/main.yml
index a7faad24d..4a45f03d4 100644
--- a/roles/ceph-mds/tasks/docker/main.yml
+++ b/roles/ceph-mds/tasks/docker/main.yml
@@ -3,5 +3,6 @@
   set_fact:
     docker_exec_cmd: "docker exec ceph-mds-{{ ansible_hostname }}"
 
+- include: copy_configs.yml
 - include: start_docker_mds.yml
 - include: enable_multimds.yml
diff --git a/roles/ceph-mgr/tasks/docker/copy_configs.yml b/roles/ceph-mgr/tasks/docker/copy_configs.yml
new file mode 100644
index 000000000..0d3822c03
--- /dev/null
+++ b/roles/ceph-mgr/tasks/docker/copy_configs.yml
@@ -0,0 +1,52 @@
+---
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+
+- name: try to fetch ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_together:
+    - "{{ ceph_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == true
+
+- name: "copy mgr key to /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+  command: cp /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring
+  changed_when: false
+  always_run: true
+  with_items: "{{ statconfig.results }}"
+  when: item.stat.exists == true
+
+- name: set ceph mgr key permission
+  file:
+    path: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+    owner: "{{ bootstrap_dirs_owner }}"
+    group: "{{ bootstrap_dirs_group }}"
+    mode: "0600"
+  when: cephx
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-mgr/tasks/docker/main.yml b/roles/ceph-mgr/tasks/docker/main.yml
index 1f72d3635..81590ce01 100644
--- a/roles/ceph-mgr/tasks/docker/main.yml
+++ b/roles/ceph-mgr/tasks/docker/main.yml
@@ -1,2 +1,19 @@
 ---
+- name: create mgr directory
+  file:
+    path: /var/lib/ceph/mgr/
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+
+- name: create mgr directory
+  file:
+    path: /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+
+- include: copy_configs.yml
 - include: start_docker_mgr.yml
diff --git a/roles/ceph-mon/tasks/docker/copy_configs.yml b/roles/ceph-mon/tasks/docker/copy_configs.yml
index 53076e859..4121743c4 100644
--- a/roles/ceph-mon/tasks/docker/copy_configs.yml
+++ b/roles/ceph-mon/tasks/docker/copy_configs.yml
@@ -1,10 +1,59 @@
 ---
-- name: push ceph files to the ansible server
-  fetch:
-    src: "{{ item.0 }}"
-    dest: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
-    flat: yes
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /etc/ceph/{{ cluster }}.client.admin.keyring
+      - /etc/ceph/monmap-{{ cluster }}
+      - /etc/ceph/{{ cluster }}.mon.keyring
+      - /var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring
+      - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
+      - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
+
+- name: add mgr keys to config and keys paths
+  set_fact:
+    tmp_ceph_mgr_keys: /etc/ceph/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring
+  with_items: "{{ groups.get(mgr_group_name, []) }}"
+  register: tmp_ceph_mgr_keys_result
+  when: "{{ groups.get(mgr_group_name, []) | length > 0 }}"
+
+- name: convert mgr keys to an array
+  set_fact:
+    ceph_mgr_keys: "{{ tmp_ceph_mgr_keys_result.results | map(attribute='ansible_facts.tmp_ceph_mgr_keys') | list }}"
+  when: "{{ groups.get(mgr_group_name, []) | length > 0 }}"
+
+- name: merge mgr keys to config and keys paths
+  set_fact:
+    ceph_config_keys: "{{ ceph_config_keys + ceph_mgr_keys }}"
+  when: "{{ groups.get(mgr_group_name, []) | length > 0 }}"
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  register: statconfig
+  always_run: true
+
+- name: try to copy ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
   with_together:
     - "{{ ceph_config_keys }}"
     - "{{ statconfig.results }}"
-  when: item.1.stat.exists == false
+  when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-mon/tasks/docker/fetch_configs.yml b/roles/ceph-mon/tasks/docker/fetch_configs.yml
new file mode 100644
index 000000000..53076e859
--- /dev/null
+++ b/roles/ceph-mon/tasks/docker/fetch_configs.yml
@@ -0,0 +1,10 @@
+---
+- name: push ceph files to the ansible server
+  fetch:
+    src: "{{ item.0 }}"
+    dest: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    flat: yes
+  with_together:
+    - "{{ ceph_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == false
diff --git a/roles/ceph-mon/tasks/docker/main.yml b/roles/ceph-mon/tasks/docker/main.yml
index b3c46f55c..ac9314663 100644
--- a/roles/ceph-mon/tasks/docker/main.yml
+++ b/roles/ceph-mon/tasks/docker/main.yml
@@ -1,4 +1,7 @@
 ---
+- include: copy_configs.yml
+  when: not containerized_deployment_with_kv
+
 - include: start_docker_monitor.yml
 
 - name: wait for monitor socket to exist
@@ -68,7 +71,7 @@
     - hostvars[groups[mon_group_name][0]]['monitor_address_block'] is defined
     - hostvars[groups[mon_group_name][0]]['monitor_address_block'] | length > 0
 
-- include: copy_configs.yml
+- include: ./fetch_configs.yml
   when: not containerized_deployment_with_kv
 
 - name: create ceph rest api keyring when mon is containerized
@@ -116,7 +119,7 @@
     when:
       - "{{ groups.get(mgr_group_name, []) | length > 0 }}"
 
-  - name: push ceph mgr key(s)
+  - name: fetch ceph mgr key(s)
     fetch:
       src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item.item]['ansible_hostname'] }}.keyring"
       dest: "{{ fetch_directory }}/{{ fsid }}/{{ item.stat.path }}"
diff --git a/roles/ceph-nfs/tasks/docker/copy_configs.yml b/roles/ceph-nfs/tasks/docker/copy_configs.yml
index 21d2f86c2..ed69e2cb6 100644
--- a/roles/ceph-nfs/tasks/docker/copy_configs.yml
+++ b/roles/ceph-nfs/tasks/docker/copy_configs.yml
@@ -27,3 +27,12 @@
     - "{{ ceph_config_keys }}"
     - "{{ statconfig.results }}"
   when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-nfs/tasks/docker/copy_ganesha_configs.yml b/roles/ceph-nfs/tasks/docker/copy_ganesha_configs.yml
new file mode 100644
index 000000000..50de38e55
--- /dev/null
+++ b/roles/ceph-nfs/tasks/docker/copy_ganesha_configs.yml
@@ -0,0 +1,37 @@
+---
+- name: set config paths
+  set_fact:
+    nfs_config_keys:
+      - /etc/ganesha/ganesha.conf
+
+- name: stat for config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ nfs_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+
+- name: try to fetch config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_together:
+    - "{{ nfs_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == true
+
+- name: push ganesha files to the ansible server
+  fetch:
+    src: "{{ item.0 }}"
+    dest: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    flat: yes
+  with_together:
+    - "{{ nfs_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == false
diff --git a/roles/ceph-nfs/tasks/docker/main.yml b/roles/ceph-nfs/tasks/docker/main.yml
index 30da2f324..4bc05c95a 100644
--- a/roles/ceph-nfs/tasks/docker/main.yml
+++ b/roles/ceph-nfs/tasks/docker/main.yml
@@ -1,6 +1,9 @@
 ---
 # Copy Ceph configs to host
 - include: copy_configs.yml
+# Copy Ganesha Ceph configs to host
+- include: copy_ganesha_configs.yml
+  when: not containerized_deployment_with_kv
 
 - include: start_docker_nfs.yml
 
diff --git a/roles/ceph-osd/tasks/copy_configs.yml b/roles/ceph-osd/tasks/copy_configs.yml
new file mode 100644
index 000000000..29d365b8a
--- /dev/null
+++ b/roles/ceph-osd/tasks/copy_configs.yml
@@ -0,0 +1,39 @@
+---
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring
+
+- name: wait for ceph.conf and keys
+  local_action: wait_for path={{ fetch_directory }}/{{ fsid }}/{{ item.0 }}
+  become: false
+  with_items: "{{ ceph_config_keys }}"
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+
+- name: try to copy ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_items: "{{ ceph_config_keys }}"
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-osd/tasks/main.yml b/roles/ceph-osd/tasks/main.yml
index c74487dd2..d4f39c9d2 100644
--- a/roles/ceph-osd/tasks/main.yml
+++ b/roles/ceph-osd/tasks/main.yml
@@ -21,6 +21,11 @@
 
 - include: check_devices.yml
 
+- include: copy_configs.yml
+  when:
+    - containerized_deployment
+    - not containerized_deployment_with_kv
+
 - include: ./scenarios/collocated.yml
   when:
     - osd_scenario == 'collocated'
diff --git a/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml b/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml
new file mode 100644
index 000000000..2d81ce195
--- /dev/null
+++ b/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml
@@ -0,0 +1,43 @@
+---
+- name: register rbd bootstrap key
+  set_fact:
+    bootstrap_rbd_keyring: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring"
+  when: ceph_release_num.{{ ceph_release }} >= ceph_release_num.luminous
+
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /etc/ceph/{{ cluster }}.client.admin.keyring
+      - "{{ bootstrap_rbd_keyring | default([]) }}"
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+
+- name: try to fetch ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_together:
+    - "{{ ceph_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-rbd-mirror/tasks/docker/main.yml b/roles/ceph-rbd-mirror/tasks/docker/main.yml
index 04ef97017..fa221177e 100644
--- a/roles/ceph-rbd-mirror/tasks/docker/main.yml
+++ b/roles/ceph-rbd-mirror/tasks/docker/main.yml
@@ -1,2 +1,3 @@
 ---
+- include: copy_configs.yml
 - include: start_docker_rbd_mirror.yml
diff --git a/roles/ceph-restapi/tasks/docker/copy_configs.yml b/roles/ceph-restapi/tasks/docker/copy_configs.yml
new file mode 100644
index 000000000..8af83002c
--- /dev/null
+++ b/roles/ceph-restapi/tasks/docker/copy_configs.yml
@@ -0,0 +1,37 @@
+---
+- name: set config and keys paths
+  set_fact:
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /etc/ceph/{{ cluster }}.client.admin.keyring
+
+- name: stat for ceph config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ ceph_config_keys }}"
+  changed_when: false
+  become: false
+  ignore_errors: true
+  register: statconfig
+  always_run: true
+
+- name: try to fetch ceph config and keys
+  copy:
+    src: "{{ playbook_dir }}/{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
+  with_together:
+    - "{{ ceph_config_keys }}"
+    - "{{ statconfig.results }}"
+  when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-restapi/tasks/docker/main.yml b/roles/ceph-restapi/tasks/docker/main.yml
index 9a09e14a8..a571bbcc6 100644
--- a/roles/ceph-restapi/tasks/docker/main.yml
+++ b/roles/ceph-restapi/tasks/docker/main.yml
@@ -1,2 +1,3 @@
 ---
+- include: copy_configs.yml
 - include: start_docker_restapi.yml
diff --git a/roles/ceph-rgw/tasks/docker/copy_configs.yml b/roles/ceph-rgw/tasks/docker/copy_configs.yml
index fb5eee6ae..ef01f913d 100644
--- a/roles/ceph-rgw/tasks/docker/copy_configs.yml
+++ b/roles/ceph-rgw/tasks/docker/copy_configs.yml
@@ -1,37 +1,37 @@
 ---
 - name: set config and keys paths
   set_fact:
-    rgw_config_keys:
-      - "/var/lib/ceph/radosgw/{{ ansible_hostname }}/keyring"
-  when: nfs_obj_gw
+    ceph_config_keys:
+      - /etc/ceph/{{ cluster }}.conf
+      - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
 
-- name: wait for rgw keyring
-  wait_for: path="/var/lib/ceph/radosgw/{{ ansible_hostname }}/keyring"
-  when:
-    - nfs_obj_gw
-    - inventory_hostname == groups[rgw_group_name][0]
-
-- name: stat for config and keys
+- name: stat for ceph config and keys
   local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
-  with_items: "{{ rgw_config_keys }}"
+  with_items: "{{ ceph_config_keys }}"
   changed_when: false
   become: false
-  failed_when: false
+  ignore_errors: true
   always_run: true
   register: statconfig
-  when:
-    - nfs_obj_gw
-    - inventory_hostname == groups[rgw_group_name][0]
 
-- name: push ceph files to the ansible server
-  fetch:
-    src: "{{ item.0 }}"
-    dest: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/radosgw/keyring"
-    flat: yes
+- name: try to fetch ceph config and keys
+  copy:
+    src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
+    dest: "{{ item.0 }}"
+    owner: root
+    group: root
+    mode: 0644
+  changed_when: false
   with_together:
-    - "{{ rgw_config_keys }}"
+    - "{{ ceph_config_keys }}"
     - "{{ statconfig.results }}"
-  when:
-    - nfs_obj_gw
-    - item.1.stat.exists == false
-    - inventory_hostname == groups[rgw_group_name][0]
+  when: item.1.stat.exists == true
+
+- name: set selinux permissions
+  shell: |
+    chcon -Rt svirt_sandbox_file_t {{ item }}
+  with_items:
+    - "{{ ceph_conf_key_directory }}"
+    - /var/lib/ceph
+  changed_when: false
+  when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-rgw/tasks/docker/copy_rgw_configs.yml b/roles/ceph-rgw/tasks/docker/copy_rgw_configs.yml
new file mode 100644
index 000000000..f2124a1e0
--- /dev/null
+++ b/roles/ceph-rgw/tasks/docker/copy_rgw_configs.yml
@@ -0,0 +1,38 @@
+---
+- name: set config and keys paths
+  set_fact:
+    rgw_config_keys:
+      - "/var/lib/ceph/radosgw/{{ ansible_hostname }}/keyring"
+  when: nfs_obj_gw
+
+- name: wait for rgw keyring
+  wait_for:
+    path: "/var/lib/ceph/radosgw/{{ ansible_hostname }}/keyring"
+  when:
+    - nfs_obj_gw
+    - inventory_hostname == groups[rgw_group_name][0]
+
+- name: stat for config and keys
+  local_action: stat path={{ fetch_directory }}/{{ fsid }}/{{ item }}
+  with_items: "{{ rgw_config_keys }}"
+  changed_when: false
+  become: false
+  failed_when: false
+  always_run: true
+  register: statconfig
+  when:
+    - nfs_obj_gw
+    - inventory_hostname == groups[rgw_group_name][0]
+
+- name: push ceph files to the ansible server
+  fetch:
+    src: "{{ item.0 }}"
+    dest: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/radosgw/keyring"
+    flat: yes
+  with_together:
+    - "{{ rgw_config_keys }}"
+    - "{{ statconfig.results }}"
+  when:
+    - nfs_obj_gw
+    - item.1.stat.exists == false
+    - inventory_hostname == groups[rgw_group_name][0]
diff --git a/roles/ceph-rgw/tasks/docker/main.yml b/roles/ceph-rgw/tasks/docker/main.yml
index 71e2c652c..7012c42a8 100644
--- a/roles/ceph-rgw/tasks/docker/main.yml
+++ b/roles/ceph-rgw/tasks/docker/main.yml
@@ -1,4 +1,5 @@
 ---
+- include: copy_configs.yml
 - include: start_docker_rgw.yml
 
-- include: copy_configs.yml
+- include: copy_rgw_configs.yml