From 4a7186697ece863e6b1cab0ba3fc554df837ea72 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Beno=C3=AEt=20Knecht?=
Date: Wed, 28 Oct 2020 16:09:58 +0100
Subject: [PATCH] ceph-mon: Don't set monitor directory mode recursively
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

After rolling updates performed with `infrastructure-playbooks/rolling_updates.yml`, files located in `/var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}` had mode 0755 (including the keyring), making them world-readable.

This commit separates the task that configured permissions recursively on `/var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}` into two separate tasks:

1. Set the ownership and mode of the directory itself;
2. Recursively set ownership in the directory, but don't modify the mode.

Signed-off-by: Benoît Knecht
(cherry picked from commit 0d76826bbb7b0b9303583c31147ebad9e5c420f9)
---
 roles/ceph-mon/tasks/deploy_monitors.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/roles/ceph-mon/tasks/deploy_monitors.yml b/roles/ceph-mon/tasks/deploy_monitors.yml
index 308ead5c2..10c9357f3 100644
--- a/roles/ceph-mon/tasks/deploy_monitors.yml
+++ b/roles/ceph-mon/tasks/deploy_monitors.yml
@@ -51,13 +51,25 @@
   changed_when: false
   when: containerized_deployment | bool
 
-- name: create (and fix ownership of) monitor directory
+- name: create monitor directory
   file:
     path: /var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}
     state: directory
-    owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
-    group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+    owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
+    group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
     mode: "{{ ceph_directories_mode | default('0755') }}"
+
+# We don't do the recursion in the task above to avoid setting `mode` (which
+# defaults to 0755) on files.
+#
+# This is only needed when upgrading from older versions of Ceph that used to
+# run as `root` (https://github.com/ceph/ceph-ansible/issues/1635).
+- name: recursively fix ownership of monitor directory
+  file:
+    path: /var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}
+    state: directory
+    owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
+    group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
     recurse: true
 
 - name: create custom admin keyring
-- 
2.47.3
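Review bot: The new "recursively fix ownership of monitor directory" task stops future runs from widening file modes, but it does not repair files that earlier rolling updates already left at 0755 — per the description that includes the monitor keyring, which stays world-readable on upgraded hosts until something explicitly tightens it. Since the recursive task deliberately omits `mode`, the remediation belongs on the keyring-producing tasks (the "create custom admin keyring" task that follows is outside this hunk, so I cannot tell whether it sets one); if they do not already pin a restrictive `mode`, adding one there would both close the existing exposure and make the intended file permission explicit rather than a side effect of umask. It would also help to extend the new comment with a sentence stating that pre-existing over-permissive files are not corrected by this task, so operators know a separate check of the keyring mode is needed after upgrading.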