nfs mount not permitted in lxc-openstack aa profile

[BjoernT]

The lxc-openstack profile does not allow nfs mounts, that prevents cinder-volume from mounting as NFS storage backend

[cloudnull]

To use NFS you will need to change the profile to "unconfined". This is not a default setup though is totally configurable. This can be modified using the RPC user config in the cinder section under the container vars area.

[BjoernT]

I have already a commit to add

mount fstype=nfs* -> /var/lib/cinder/mnt/**,

in the profile. I make a pull request

[cloudnull]

We need to revisit this PR and modify the allowable NFS mounts to anything from within the container. IE: potentially glance would be using NFS. From a supportability standpoint we need

mount fstype=nfs* -> /var/lib/cinder/mnt/**,

To be

mount fstype=nfs* -> /**,

[BjoernT]

@cloudnull
Glance most likely would be a bind mount from a host mounted NFS ? What do you think

[cloudnull]

@BjoernT - I think the user should be able to have the option to either bind mount the path into the container and then modifying the mounts in lxc config to make it persistent, or have the option to be able to simply perform an NFS mount in the container. At present I know of at least 1 deployment where the container profile was changed to "unconfined" to allow for NFS to be used within the glance / cinder containers and it would be better to have a little more liberal NFS policy in containers than to simply set them as unconfined.

[cloudnull]

Related review from QE when backporting: https://github.com/rcbops/ansible-lxc-rpc/pull/557/files

[BjoernT]

Yes we can add /var/lib/glance/images in the profile. I personally would keep the profiles as precise as possible.

[mancdaz]

@cloudnull @BjoernT so we need a new PR that adds /var/lib/glance/images/\ to the profile, rather than /**, since we want to be as controlled as possible?

[cloudnull]

That sounds like a plan to me.

[BjoernT]

I just added this directory with a pull request