Issues still persist where sometimes instances fail to start due to a failure with os.utime to read the file path. This could be some bad race condition between qemu/nova while copying images on the NFS. This patch adds more ports to open in firewall, and changes initial directory owner to nfsnobody. Also, includes a patch to fix an apparent race condition when nova sends a remote call to the privsep helper daemon to modify the time of the base file owned by qemu:

Includes another fix for patching container images where the docker image was not being detected correctly because the full gerrit project name including 'openstack/' prefix was being used to search tripleo docker images. Additionally, there were more bugs around patching openstack python containers where the patch was not being applied correctly.

JIRA: APEX-654
Change-Id: I1d011035486298d5906038922e69d478c383c3f7
Signed-off-by: Tim Rozet <>
diff --git a/apex/overcloud/ b/apex/overcloud/
index a4a9691..708a662 100644
--- a/apex/overcloud/
+++ b/apex/overcloud/
@@ -448,6 +448,9 @@ def prep_image(ds, ns, img, tmp_dir, root_pw=None, docker_tag=None,
{con.VIRT_RUN_CMD: "chmod 777 /glance"},
{con.VIRT_RUN_CMD: "chmod 777 /cinder"},
{con.VIRT_RUN_CMD: "chmod 777 /nova"},
+ {con.VIRT_RUN_CMD: "chown nfsnobody:nfsnobody /glance"},
+ {con.VIRT_RUN_CMD: "chown nfsnobody:nfsnobody /cinder"},
+ {con.VIRT_RUN_CMD: "chown nfsnobody:nfsnobody /nova"},
{con.VIRT_RUN_CMD: "echo '/glance *(rw,sync,"
"no_root_squash,no_acl)' > /etc/exports"},
{con.VIRT_RUN_CMD: "echo '/cinder *(rw,sync,"
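Review bot: The three added chown lines hand /glance, /cinder and /nova to nfsnobody, but the chmod 777 lines just above them stay, and the exports written just below still use `*` with no_root_squash, so the ownership change does not narrow who can write to these directories. If nfsnobody ownership is what the services need, consider dropping the mode to something like 770 and restricting the export to the overcloud network rather than `*`, or add a comment explaining why world-writable mode is still required. The chown also assumes an nfsnobody user and group exist in the image being customized; a short comment stating that, and linking the change to the os.utime failure described in the commit message, would help the next reader. The three commands could also be collapsed into a single `chown nfsnobody:nfsnobody /glance /cinder /nova`.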