Commit 91bbf90d authored by Benoît Knecht's avatar Benoît Knecht Committed by Guillaume Abrioux
Browse files

ceph-mon: Don't set monitor directory mode recursively



After rolling updates performed with
`infrastructure-playbooks/rolling_updates.yml`, files located in
`/var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}` had mode 0755 (including
the keyring), making them world-readable.

This commit separates the task that configured permissions recursively on
`/var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}` into two separate tasks:

1. Set the ownership and mode of the directory itself;
2. Recursively set ownership in the directory, but don't modify the mode.
Signed-off-by: default avatarBenoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit 0d76826b)
(cherry picked from commit 4a718669)
parent 3455b764
......@@ -50,13 +50,25 @@
changed_when: false
when: containerized_deployment | bool
- name: create (and fix ownership of) monitor directory
- name: create monitor directory
file:
path: /var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}
state: directory
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
mode: "{{ ceph_directories_mode | default('0755') }}"
# We don't do the recursion in the task above to avoid setting `mode` (which
# defaults to 0755) on files.
#
# This is only needed when upgrading from older versions of Ceph that used to
# run as `root` (https://github.com/ceph/ceph-ansible/issues/1635).
- name: recursively fix ownership of monitor directory
file:
path: /var/lib/ceph/mon/{{ cluster }}-{{ monitor_name }}
state: directory
owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}"
recurse: true
- name: create custom admin keyring
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment