Also with some experimenting today, it seems that something other than the tls-client layer is manipulating the file permissions. After updating the tls-client layer with new permissions and logging the os.stat output (which shows as expected), the files are still the same as before:
```
swalladge@server:~$ juju debug-log -i etcd --replay | grep -i writ
...
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Writing client certificate to /var/snap/etcd/common/client.crt
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.crt, stat: os.stat_result(st_mode=33056, st_ino=1057374, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1443, st_atime=1674539493, st_mtime=1674539493, st_ctime=1674539493)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.client.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing client key to /var/snap/etcd/common/client.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.key, stat: os.stat_result(st_mode=33056, st_ino=1057392, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /var/snap/etcd/common/ca.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/ca.crt, stat: os.stat_result(st_mode=33056, st_ino=1057393, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.ca.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /usr/local/share/ca-certificates/etcd.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /usr/local/share/ca-certificates/etcd.crt, stat: os.stat_result(st_mode=33060, st_ino=805100, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server certificate to /var/snap/etcd/common/server.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/server.crt, stat: os.stat_result(st_mode=33056, st_ino=1057394, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1496, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.server.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server key to /var/snap/etcd/common/server.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/server.key, stat: os.stat_result(st_mode=33056, st_ino=1057395, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
...
swalladge@server:~$ juju ssh etcd/0 -- ls -hlsa /var/snap/etcd/common/
total 32K
4.0K drwxrwx--- 2 root ubuntu 4.0K Jan 24 05:51 .
4.0K drwxr-xr-x 4 root root 4.0K Jan 24 05:37 ..
4.0K -r--r----- 1 root ubuntu 1.3K Jan 24 05:51 ca.crt
4.0K -r--r----- 1 root ubuntu 1.5K Jan 24 05:51 client.crt
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 client.key
4.0K -r--r--r-- 1 root ubuntu 3.9K Jan 24 05:51 etcd.conf.yml
4.0K -r--r----- 1 root ubuntu 1.5K Jan 24 05:51 server.crt
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 server.key
Connection to 192.168.151.177 closed.
```
It's possible that these files being readable by the ubuntu user is by design. The environment is configured here so etcdctl can be run as the ubuntu user: https://github.com/swalladge/layer-etcd/blob/60c755e56867e7c2508c21559193386ea6dc3ec6/reactive/etcd.py#L632-L645
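An added example, not part of the original comment or of either layer's code: it compares the `os.stat_result` values logged at write time with the later `ls` listing and reports which attribute differs per file. The sample strings are constructed from the output quoted above (log prefixes and time fields trimmed); the `ID_NAMES` map and the function names are assumptions of this sketch.

```python
import re
import stat

# Constructed sample: taken from the log and listing above, trimmed to the fields used.
JUJU_LOG = """\
Written /var/snap/etcd/common/client.key, stat: os.stat_result(st_mode=33056, st_ino=1057392, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678)
Written /usr/local/share/ca-certificates/etcd.crt, stat: os.stat_result(st_mode=33060, st_ino=805100, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245)
Written /var/snap/etcd/common/server.key, stat: os.stat_result(st_mode=33056, st_ino=1057395, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678)
"""
LS_OUTPUT = """\
total 32K
4.0K drwxrwx--- 2 root ubuntu 4.0K Jan 24 05:51 .
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 client.key
4.0K -r--r--r-- 1 root ubuntu 3.9K Jan 24 05:51 etcd.conf.yml
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 server.key
"""
ID_NAMES = {0: "root"}  # assumption: only id 0 is resolved; other ids stay numeric
WRITTEN_RE = re.compile(
    r"Written (?P<path>\S+), stat: os\.stat_result\(st_mode=(?P<mode>\d+),"
    r".*?st_uid=(?P<uid>\d+), st_gid=(?P<gid>\d+)")

def _name(numeric_id):
    return ID_NAMES.get(int(numeric_id), numeric_id)

def parse_written(log):
    """Map path -> (mode string, owner, group) as recorded at write time."""
    return {m["path"]: (stat.filemode(int(m["mode"])), _name(m["uid"]), _name(m["gid"]))
            for m in WRITTEN_RE.finditer(log)}

def parse_ls(listing, directory):
    """Map path -> (mode string, owner, group) from `ls -hlsa` output."""
    out = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) == 10 and f[1].startswith("-"):  # regular files only
            out[f"{directory}/{f[9]}"] = (f[1], f[3], f[4])
    return out

def find_drift(log, listing, directory):
    """Return (path, field, logged, on_disk) for every attribute that changed."""
    logged, disk = parse_written(log), parse_ls(listing, directory)
    return [(p, field, a, b)
            for p in sorted(logged.keys() & disk.keys())
            for field, a, b in zip(("mode", "owner", "group"), logged[p], disk[p])
            if a != b]

if __name__ == "__main__":
    print(*find_drift(JUJU_LOG, LS_OUTPUT, "/var/snap/etcd/common"), sep="\n")
```

Files that appear in only one of the two inputs (here `etcd.conf.yml` and the `/usr/local/share/ca-certificates` copy) are skipped rather than reported.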