From df6c3f4f727d2d7ac24c9ccbb36e0e747b5d566b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Han?= Date: Fri, 1 Apr 2016 11:18:40 +0200 Subject: [PATCH] ceph-docker: fix permissions on directories MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixing the can't open /var/lib/ceph/bootstrap-osd/ceph.keyring: can't open /var/lib/ceph/bootstrap-osd/ceph.keyring: (13) Permission denied Signed-off-by: Sébastien Han --- .../tasks/docker/dirs_permissions.yml | 43 +++++++++++++++++ roles/ceph-mds/tasks/docker/main.yml | 4 +- roles/ceph-mds/tasks/docker/pre_requisite.yml | 8 ---- .../tasks/docker/dirs_permissions.yml | 47 +++++++++++++++++++ roles/ceph-mon/tasks/docker/main.yml | 8 ++-- roles/ceph-mon/tasks/docker/pre_requisite.yml | 10 ---- .../tasks/docker/start_docker_monitor.yml | 5 +- .../tasks/docker/dirs_permissions.yml | 43 +++++++++++++++++ roles/ceph-osd/tasks/docker/main.yml | 8 ++-- roles/ceph-osd/tasks/docker/pre_requisite.yml | 8 ---- .../tasks/docker/start_docker_osd.yml | 7 +-- .../tasks/docker/dirs_permissions.yml | 45 ++++++++++++++++++ roles/ceph-restapi/tasks/docker/main.yml | 1 + .../tasks/docker/dirs_permissions.yml | 43 +++++++++++++++++ roles/ceph-rgw/tasks/docker/main.yml | 4 +- roles/ceph-rgw/tasks/docker/pre_requisite.yml | 8 ---- .../tasks/docker/start_docker_rgw.yml | 3 -- 17 files changed, 242 insertions(+), 53 deletions(-) create mode 100644 roles/ceph-mds/tasks/docker/dirs_permissions.yml create mode 100644 roles/ceph-mon/tasks/docker/dirs_permissions.yml create mode 100644 roles/ceph-osd/tasks/docker/dirs_permissions.yml create mode 100644 roles/ceph-restapi/tasks/docker/dirs_permissions.yml create mode 100644 roles/ceph-rgw/tasks/docker/dirs_permissions.yml diff --git a/roles/ceph-mds/tasks/docker/dirs_permissions.yml b/roles/ceph-mds/tasks/docker/dirs_permissions.yml new file mode 100644 index 000000000..ba5818294 --- /dev/null +++ b/roles/ceph-mds/tasks/docker/dirs_permissions.yml 
@@ -0,0 +1,43 @@ +--- +- name: pull ceph daemon image + shell: "docker pull {{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}" + changed_when: false + failed_when: false + +# NOTE (leseb): we can not use docker inspect with 'format filed' because of +# https://github.com/ansible/ansible/issues/10156 +- name: inspect ceph version + shell: docker inspect docker.io/ceph/daemon | awk -F '=' '/CEPH_VERSION/ { gsub ("\",", "", $2); print $2 }' | uniq + changed_when: false + failed_when: false + run_once: true + register: ceph_version + +- set_fact: + after_hamer=True + when: + ceph_version.stdout not in ['firefly','giant', 'hammer'] + +- name: create bootstrap directories (for or before hammer) + file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-mds + when: not after_hamer + +- name: create bootstrap directories (after hammer) + file: + path: "{{ item }}" + state: directory + owner: "64045" + group: "64045" + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-mds + when: after_hamer diff --git a/roles/ceph-mds/tasks/docker/main.yml b/roles/ceph-mds/tasks/docker/main.yml index 1c92d4845..8750a8259 100644 --- a/roles/ceph-mds/tasks/docker/main.yml +++ b/roles/ceph-mds/tasks/docker/main.yml @@ -9,8 +9,10 @@ when: ceph_health.rc != 0 - include: pre_requisite.yml +- include: fetch_configs.yml +- include: dirs_permissions.yml + - include: selinux.yml when: ansible_os_family == 'RedHat' -- include: fetch_configs.yml - include: start_docker_mds.yml diff --git a/roles/ceph-mds/tasks/docker/pre_requisite.yml b/roles/ceph-mds/tasks/docker/pre_requisite.yml index 69801ef77..bfa8d7a72 100644 --- a/roles/ceph-mds/tasks/docker/pre_requisite.yml +++ b/roles/ceph-mds/tasks/docker/pre_requisite.yml 
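Review bot: The ownership decision in roles/ceph-mds/tasks/docker/dirs_permissions.yml fails open: the pull and the inspect both carry `failed_when: false`, and the inspect pipeline's exit status is that of `uniq`, so when either step fails `ceph_version.stdout` is empty. The `not in ['firefly','giant', 'hammer']` test is then true, and `/etc/ceph/` and the bootstrap directory are handed to uid/gid 64045. I would guard the `set_fact` with `ceph_version.stdout != ''` and fail the play when the version cannot be read. The inspect also targets the literal `docker.io/ceph/daemon` rather than the `{{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}` image pulled one task earlier, so a site using another image is classified by the wrong one. `after_hamer` is only ever set to True in this file, so `when: not after_hamer` relies on a default defined elsewhere (not visible in this patch); the ceph-mon, ceph-osd and ceph-rgw copies of dirs_permissions.yml repeat the same tasks.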
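Review bot: Including dirs_permissions.yml after fetch_configs.yml in roles/ceph-mds/tasks/docker/main.yml changes only the directories, because the `file` tasks it brings in use `state: directory` without `recurse`. A keyring that fetch_configs.yml places under /var/lib/ceph/bootstrap-mds (that file is not part of this patch) keeps the owner and mode the copy gave it. The commit message reports `Permission denied` on the keyring file itself, so it is worth confirming that the copied keyring is readable by uid 64045. If it is not, set `owner`/`group` on the copy task, with a mode that keeps the keyring unreadable to other users. The same ordering is introduced in the ceph-mon, ceph-osd, ceph-restapi and ceph-rgw main.yml hunks.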
@@ -1,12 +1,4 @@ --- -- name: create mds bootstrap directory - file: - path: "{{ item }}" - state: directory - with_items: - - /etc/ceph/ - - /var/lib/ceph/bootstrap-mds - - name: install pip and docker on ubuntu apt: name: "{{ item }}" diff --git a/roles/ceph-mon/tasks/docker/dirs_permissions.yml b/roles/ceph-mon/tasks/docker/dirs_permissions.yml new file mode 100644 index 000000000..a33a38edf --- /dev/null +++ b/roles/ceph-mon/tasks/docker/dirs_permissions.yml @@ -0,0 +1,47 @@ +--- +- name: pull ceph daemon image + shell: "docker pull {{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}" + changed_when: false + failed_when: false + +# NOTE (leseb): we can not use docker inspect with 'format filed' because of +# https://github.com/ansible/ansible/issues/10156 +- name: inspect ceph version + shell: docker inspect docker.io/ceph/daemon | awk -F '=' '/CEPH_VERSION/ { gsub ("\",", "", $2); print $2 }' | uniq + changed_when: false + failed_when: false + run_once: true + register: ceph_version + +- set_fact: + after_hamer=True + when: + ceph_version.stdout not in ['firefly','giant', 'hammer'] + +- name: create bootstrap directories (for or before hammer) + file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + - /var/lib/ceph/bootstrap-mds + - /var/lib/ceph/bootstrap-rgw + when: not after_hamer + +- name: create bootstrap directories (after hammer) + file: + path: "{{ item }}" + state: directory + owner: "64045" + group: "64045" + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + - /var/lib/ceph/bootstrap-mds + - /var/lib/ceph/bootstrap-rgw + when: after_hamer diff --git a/roles/ceph-mon/tasks/docker/main.yml b/roles/ceph-mon/tasks/docker/main.yml index ea69c32c3..960581b7e 100644 --- a/roles/ceph-mon/tasks/docker/main.yml +++ b/roles/ceph-mon/tasks/docker/main.yml 
@@ -20,9 +20,6 @@ - include: pre_requisite.yml -- include: selinux.yml - when: ansible_os_family == 'RedHat' - # let the first mon create configs and keyrings - include: create_configs.yml when: @@ -32,6 +29,11 @@ - include: fetch_configs.yml when: not mon_containerized_deployment_with_kv +- include: dirs_permissions.yml + +- include: selinux.yml + when: ansible_os_family == 'RedHat' + - include: start_docker_monitor.yml - include: copy_configs.yml diff --git a/roles/ceph-mon/tasks/docker/pre_requisite.yml b/roles/ceph-mon/tasks/docker/pre_requisite.yml index f09655f64..4459aa5b3 100644 --- a/roles/ceph-mon/tasks/docker/pre_requisite.yml +++ b/roles/ceph-mon/tasks/docker/pre_requisite.yml @@ -1,14 +1,4 @@ --- -- name: create bootstrap directories - file: - path: "{{ item }}" - state: directory - with_items: - - /etc/ceph/ - - /var/lib/ceph/bootstrap-osd - - /var/lib/ceph/bootstrap-mds - - /var/lib/ceph/bootstrap-rgw - - name: install pip and docker on ubuntu apt: name: "{{ item }}" diff --git a/roles/ceph-mon/tasks/docker/start_docker_monitor.yml b/roles/ceph-mon/tasks/docker/start_docker_monitor.yml index 713f9bfec..908894ad9 100644 --- a/roles/ceph-mon/tasks/docker/start_docker_monitor.yml +++ b/roles/ceph-mon/tasks/docker/start_docker_monitor.yml @@ -1,7 +1,4 @@ --- -- name: pull ceph daemon image - shell: "docker pull {{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}" - - name: populate kv_store with default ceph.conf docker: name: populate-kv-store @@ -75,6 +72,8 @@ - name: reload systemd unit files shell: systemctl daemon-reload + changed_when: false + failed_when: false when: is_atomic or ansible_os_family == 'CoreOS' diff --git a/roles/ceph-osd/tasks/docker/dirs_permissions.yml b/roles/ceph-osd/tasks/docker/dirs_permissions.yml new file mode 100644 index 000000000..d0c49cf9c --- /dev/null +++ b/roles/ceph-osd/tasks/docker/dirs_permissions.yml 
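Review bot: The `failed_when: false` added to `reload systemd unit files` in roles/ceph-mon/tasks/docker/start_docker_monitor.yml hides a failed `systemctl daemon-reload`, after which later tasks (outside the hunk) would presumably start the service from unit files systemd has not re-read. `changed_when: false` alone gives the quiet output, so I would drop the `failed_when: false` line. The task's surroundings lie outside the hunk, and the same two lines are added to the matching task in roles/ceph-osd/tasks/docker/start_docker_osd.yml.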
@@ -0,0 +1,43 @@ +--- +- name: pull ceph daemon image + shell: "docker pull {{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}" + changed_when: false + failed_when: false + +# NOTE (leseb): we can not use docker inspect with 'format filed' because of +# https://github.com/ansible/ansible/issues/10156 +- name: inspect ceph version + shell: docker inspect docker.io/ceph/daemon | awk -F '=' '/CEPH_VERSION/ { gsub ("\",", "", $2); print $2 }' | uniq + changed_when: false + failed_when: false + run_once: true + register: ceph_version + +- set_fact: + after_hamer=True + when: + ceph_version.stdout not in ['firefly','giant', 'hammer'] + +- name: create bootstrap directories (for or before hammer) + file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + when: not after_hamer + +- name: create bootstrap directories (after hammer) + file: + path: "{{ item }}" + state: directory + owner: "64045" + group: "64045" + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + when: after_hamer diff --git a/roles/ceph-osd/tasks/docker/main.yml b/roles/ceph-osd/tasks/docker/main.yml index b00d95138..7da6129bb 100644 --- a/roles/ceph-osd/tasks/docker/main.yml +++ b/roles/ceph-osd/tasks/docker/main.yml @@ -20,10 +20,12 @@ - include: pre_requisite.yml -- include: selinux.yml - when: ansible_os_family == 'RedHat' - - include: fetch_configs.yml when: not osd_containerized_deployment_with_kv +- include: dirs_permissions.yml + +- include: selinux.yml + when: ansible_os_family == 'RedHat' + - include: start_docker_osd.yml diff --git a/roles/ceph-osd/tasks/docker/pre_requisite.yml b/roles/ceph-osd/tasks/docker/pre_requisite.yml index a4837f11f..4459aa5b3 100644 --- a/roles/ceph-osd/tasks/docker/pre_requisite.yml +++ b/roles/ceph-osd/tasks/docker/pre_requisite.yml 
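Review bot: The pull task in roles/ceph-osd/tasks/docker/dirs_permissions.yml uses `ceph_mon_docker_username`/`ceph_mon_docker_imagename`, whereas the pull this commit removes from start_docker_osd.yml used the `ceph_osd_docker_*` pair that the `docker:` tasks in that file still reference. If the two pairs differ, the OSD image is no longer pulled explicitly and the version check that picks the directory owner describes a different image. I would keep the role's own variables here: `shell: "docker pull {{ ceph_osd_docker_username }}/{{ ceph_osd_docker_imagename }}"`. The ceph-rgw copy has the same mismatch with the removed `ceph_rgw_docker_*` pull, and the ceph-mds copy presumably does too, although its own variables are not visible in this patch.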
@@ -1,12 +1,4 @@ --- -- name: create osd bootstrap directory - file: - path: "{{ item }}" - state: directory - with_items: - - /etc/ceph/ - - /var/lib/ceph/bootstrap-osd - - name: install pip and docker on ubuntu apt: name: "{{ item }}" diff --git a/roles/ceph-osd/tasks/docker/start_docker_osd.yml b/roles/ceph-osd/tasks/docker/start_docker_osd.yml index 41c2acf63..c10313cf8 100644 --- a/roles/ceph-osd/tasks/docker/start_docker_osd.yml +++ b/roles/ceph-osd/tasks/docker/start_docker_osd.yml @@ -9,10 +9,6 @@ state: unmounted when: ceph_docker_on_openstack -# (rootfs) for reasons I haven't figured out, docker pull and run will fail. -- name: pull ceph daemon image - shell: "docker pull {{ ceph_osd_docker_username }}/{{ ceph_osd_docker_imagename }}" - - name: prepare ceph osd disk docker: image: "{{ ceph_osd_docker_username }}/{{ ceph_osd_docker_imagename }}" @@ -76,6 +72,8 @@ - name: reload systemd unit files shell: systemctl daemon-reload + changed_when: false + failed_when: false when: is_atomic or ansible_os_family == 'CoreOS' @@ -107,7 +105,6 @@ ansible_os_family != 'CoreOS' and not osd_containerized_deployment_with_kv - - name: run the ceph osd docker image with kv docker: image: "{{ ceph_osd_docker_username }}/{{ ceph_osd_docker_imagename }}" diff --git a/roles/ceph-restapi/tasks/docker/dirs_permissions.yml b/roles/ceph-restapi/tasks/docker/dirs_permissions.yml new file mode 100644 index 000000000..99dbe4094 --- /dev/null +++ b/roles/ceph-restapi/tasks/docker/dirs_permissions.yml 
@@ -0,0 +1,45 @@ +--- +- name: inspect ceph version + shell: "docker inspect --format '{{ index (index .Config.Env) 3 }}' docker.io/{{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }} | cut -d '=' -f '2'" + changed_when: false + failed_when: false + run_once: true + register: ceph_version + +- set_fact: + after_hamer=True + when: + ceph_version not in (firefly or giant or hammer) + +- set_fact: + after_hamer=False + when: + ceph_version in (firefly or giant or hammer) + +- name: create bootstrap directories (for or before hammer) + file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + - /var/lib/ceph/bootstrap-mds + - /var/lib/ceph/bootstrap-rgw + when: not after_hamer + +- name: create bootstrap directories (after hammer) + file: + path: "{{ item }}" + state: directory + owner: ceph + group: ceph + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-osd + - /var/lib/ceph/bootstrap-mds + - /var/lib/ceph/bootstrap-rgw + when: not after_hamer diff --git a/roles/ceph-restapi/tasks/docker/main.yml b/roles/ceph-restapi/tasks/docker/main.yml index 7210a3f5b..b54b12b5a 100644 --- a/roles/ceph-restapi/tasks/docker/main.yml +++ b/roles/ceph-restapi/tasks/docker/main.yml @@ -1,4 +1,5 @@ --- - include: pre_requisite.yml - include: fetch_configs.yml +- include: dirs_permissions.yml - include: start_docker_restapi.yml diff --git a/roles/ceph-rgw/tasks/docker/dirs_permissions.yml b/roles/ceph-rgw/tasks/docker/dirs_permissions.yml new file mode 100644 index 000000000..d4046e616 --- /dev/null +++ b/roles/ceph-rgw/tasks/docker/dirs_permissions.yml 
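Review bot: Both directory tasks in roles/ceph-restapi/tasks/docker/dirs_permissions.yml end in `when: not after_hamer`, so on a post-hammer image neither runs and on an older one both run, leaving the directories owned by `ceph`. The `set_fact` conditions compare the whole registered result, not `ceph_version.stdout`, with `(firefly or giant or hammer)`, which are bare variable names rather than strings. The inspect command puts `{{ index (index .Config.Env) 3 }}` inside a string that Ansible templates, which is the problem the NOTE in the sibling files cites (ansible issue 10156), and it depends on the position of the variable in Env. Owner `ceph` by name also differs from the numeric `"64045"` used in the other roles and needs a `ceph` account on the host, which this patch does not show. The fence below aligns the file with the other roles while keeping the configured image name.

```yaml
- name: inspect ceph version
  shell: >-
    docker inspect docker.io/{{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}
    | awk -F '=' '/CEPH_VERSION/ { gsub ("\",", "", $2); print $2 }' | uniq
  # … unchanged: changed_when, failed_when, run_once, register …

- set_fact:
    after_hamer=True
  when:
    ceph_version.stdout not in ['firefly','giant', 'hammer']

- set_fact:
    after_hamer=False
  when:
    ceph_version.stdout in ['firefly','giant', 'hammer']

# … unchanged: create bootstrap directories (for or before hammer) …

- name: create bootstrap directories (after hammer)
  file:
    path: "{{ item }}"
    state: directory
    owner: "64045"
    group: "64045"
    mode: "0755"
  # … unchanged: with_items …
  when: after_hamer
```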
@@ -0,0 +1,43 @@ +--- +- name: pull ceph daemon image + shell: "docker pull {{ ceph_mon_docker_username }}/{{ ceph_mon_docker_imagename }}" + changed_when: false + failed_when: false + +# NOTE (leseb): we can not use docker inspect with 'format filed' because of +# https://github.com/ansible/ansible/issues/10156 +- name: inspect ceph version + shell: docker inspect docker.io/ceph/daemon | awk -F '=' '/CEPH_VERSION/ { gsub ("\",", "", $2); print $2 }' | uniq + changed_when: false + failed_when: false + run_once: true + register: ceph_version + +- set_fact: + after_hamer=True + when: + ceph_version.stdout not in ['firefly','giant', 'hammer'] + +- name: create bootstrap directories (for or before hammer) + file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-rgw + when: not after_hamer + +- name: create bootstrap directories (after hammer) + file: + path: "{{ item }}" + state: directory + owner: "64045" + group: "64045" + mode: "0755" + with_items: + - /etc/ceph/ + - /var/lib/ceph/bootstrap-rgw + when: after_hamer diff --git a/roles/ceph-rgw/tasks/docker/main.yml b/roles/ceph-rgw/tasks/docker/main.yml index ffd5db2e6..11b85d558 100644 --- a/roles/ceph-rgw/tasks/docker/main.yml +++ b/roles/ceph-rgw/tasks/docker/main.yml @@ -9,8 +9,10 @@ when: ceph_health.rc != 0 - include: pre_requisite.yml +- include: fetch_configs.yml +- include: dirs_permissions.yml + - include: selinux.yml when: ansible_os_family == 'RedHat' -- include: fetch_configs.yml - include: start_docker_rgw.yml diff --git a/roles/ceph-rgw/tasks/docker/pre_requisite.yml b/roles/ceph-rgw/tasks/docker/pre_requisite.yml index d288e6f58..f2d9ecd70 100644 --- a/roles/ceph-rgw/tasks/docker/pre_requisite.yml +++ b/roles/ceph-rgw/tasks/docker/pre_requisite.yml 
@@ -1,12 +1,4 @@ --- -- name: create rgw bootstrap directory - file: - path: "{{ item }}" - state: directory - with_items: - - /etc/ceph/ - - /var/lib/ceph/bootstrap-rgw - - name: install pip and docker on ubuntu apt: name: "{{ item }}" diff --git a/roles/ceph-rgw/tasks/docker/start_docker_rgw.yml b/roles/ceph-rgw/tasks/docker/start_docker_rgw.yml index ce551848a..f4fa89a6d 100644 --- a/roles/ceph-rgw/tasks/docker/start_docker_rgw.yml +++ b/roles/ceph-rgw/tasks/docker/start_docker_rgw.yml @@ -1,7 +1,4 @@ --- -- name: pull ceph daemon image - shell: "docker pull {{ ceph_rgw_docker_username }}/{{ ceph_rgw_docker_imagename }}" - - name: run the rados gateway docker image docker: image: "{{ ceph_rgw_docker_username }}/{{ ceph_rgw_docker_imagename }}"