nova: Use cinder user for Ceph

markgoddard · markgoddard · commit d22e3e995ca2 · 2021-08-09T08:54:57.000Z
In Ussuri, nova stopped using separate Ceph keys for the volumes and vms pools by default. Instead, we set ceph_nova_keyring to the value of ceph_cinder_keyring by default, which is ceph.client.cinder.keyring. This is in line with the Ceph OpenStack integration guide [1]. However, the user used by nova to access the vms pool (ceph_nova_user) defaults to nova, meaning that nova will still try to use a ceph.client.nova.keyring, which probably does not exist. We did not see this issue in CI, because we set ceph_nova_user to cinder. This change fixes the issue by setting ceph_nova_user to the value of ceph_cinder_user by default, which is cinder. Closes-Bug: #1934145 Related-Bug: #1928690 [1] https://docs.ceph.com/en/latest/rbd/rbd-openstack/ Change-Id: I6aa8db2214e07906f1f3e035411fc80ba911a274
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -1048,7 +1048,7 @@ ceph_cinder_user: "cinder"
 ceph_glance_user: "glance"
 ceph_gnocchi_user: "gnocchi"
 ceph_manila_user: "manila"
-ceph_nova_user: "nova"
+ceph_nova_user: "{{ ceph_cinder_user }}"
 
 # External Ceph keyrings
 ceph_cinder_keyring: "ceph.client.cinder.keyring"
diff --git a/doc/source/reference/storage/external-ceph-guide.rst b/doc/source/reference/storage/external-ceph-guide.rst
@@ -144,20 +144,19 @@ Configuring Nova for Ceph includes following steps:
 
    * ``ceph_nova_keyring`` (by default it's the same as
      ``ceph_cinder_keyring``)
-   * ``ceph_nova_user`` (default: ``nova``)
+   * ``ceph_nova_user`` (by default it's the same as ``ceph_cinder_user``)
    * ``ceph_nova_pool_name`` (default: ``vms``)
 
 #. Copy Ceph configuration file to ``/etc/kolla/config/nova/ceph.conf``
 #. Copy Ceph keyring file(s) to:
 
-   * ``/etc/kolla/config/nova/<ceph_nova_keyring>`` (if your Ceph deployment
-     created one)
+   * ``/etc/kolla/config/nova/<ceph_nova_keyring>``
 
-   .. warning::
+   .. note::
 
-      If you are using ceph-ansible or another deployment tool that doesn't
-      create separate key for Nova just copy the Cinder key and configure
-      ``ceph_nova_user`` to the same value as ``ceph_cinder_user``.
+      If you are using a Ceph deployment tool that generates separate Ceph
+      keys for Cinder and Nova, you will need to override
+      ``ceph_nova_keyring`` and ``ceph_nova_user`` to match.
 
 Gnocchi
 -------
diff --git a/releasenotes/notes/nova-ceph-user-53670f9ccc546225.yaml b/releasenotes/notes/nova-ceph-user-53670f9ccc546225.yaml
@@ -0,0 +1,16 @@
+---
+fixes:
+  - |
+    Fixes an issue with default Nova configuration for Ceph where the RBD user
+    is set to ``nova``, but only a ``cinder`` keyring is copied. The default
+    value of ``ceph_nova_user`` is changed to the value of
+    ``ceph_cinder_user``, in line with the default for ``ceph_nova_keyring``.
+    `LP#1934145 <https://bugs.launchpad.net/kolla-ansible/+bug/1934145>`__
+upgrade:
+  - |
+    Modifies the default value of ``ceph_nova_user`` from ``nova`` to
+    the value of ``ceph_cinder_user``, in line with the default for
+    ``ceph_nova_keyring``.  Users who have overridden ``ceph_nova_keyring`` to
+    use separate keyrings for Nova and Cinder should also override
+    ``ceph_nova_user`` to match the Nova keyring. `LP#1934145
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1934145>`__
