PKI role permissions change may cause deployment failures
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Undecided | Unassigned |
Bug Description
The following change in the PKI role has adjusted the default user/group which CA keys are created with from the current user to 'root'.
https:/
In cases where OSA playbooks are run as root this isn't a problem, but in our case we use a non-root user. As a result, the CA key we already have is owned by that user/group and not root. When the certificate-
TASK [pki : Generate CA private key for OctaviaServerRoot] *******
fatal: [infra1_
b'/etc/
m", "size": 3326, "state": "file", "uid": 3014}
Unfortunately the variables which allow us to override this user/group also require us to override the entire octavia_
Ideally the default would be reverted to the current user, but it would also perhaps be useful to have a more global user/group (and mode) in ansible-role-pki for files which are created on the deploy host so that they can be set consistently rather than on an individual basis.
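A pre-flight check for the situation this report describes, as an added example that is not part of the bug report or of ansible-role-pki: it lists files under a PKI directory whose owner differs from the owner the role will enforce, and reports whether the invoking user could change it. The function names, the sample tree and the key file name are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def ownership_mismatches(pki_dir, want_uid, want_gid):
    """Return sorted (path, uid, gid) for files not owned by want_uid:want_gid."""
    found = []
    for root, _dirs, files in os.walk(pki_dir):
        for name in files:
            path = Path(root) / name
            st = path.lstat()  # lstat: report on a symlink itself, not its target
            if (st.st_uid, st.st_gid) != (want_uid, want_gid):
                found.append((str(path), st.st_uid, st.st_gid))
    return sorted(found)


def preflight(pki_dir, want_uid, want_gid, run_uid):
    """Return (mismatches, blocked).

    blocked is True when some file needs a new owner uid and the invoking
    user is not root, since only root (CAP_CHOWN) may change a file's owner.
    """
    mismatches = ownership_mismatches(pki_dir, want_uid, want_gid)
    needs_chown = any(uid != want_uid for _path, uid, _gid in mismatches)
    return mismatches, needs_chown and run_uid != 0


if __name__ == "__main__":
    # Constructed sample tree standing in for the deploy host's PKI directory.
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "private" / "ExampleRoot.key.pem"  # hypothetical name
        key.parent.mkdir()
        key.write_text("constructed placeholder, not a real key\n")
        # Expected owner root:root, the new default described in the report.
        mismatches, blocked = preflight(tmp, 0, 0, os.getuid())
        for path, uid, gid in mismatches:
            print(f"{path}: owned by {uid}:{gid}, role expects 0:0")
        print("blocked (needs root to chown):", blocked)
```

Pointing `preflight` at the real PKI directory on the deploy host, with the owner the role is configured to enforce, shows the mismatch before the playbook reaches the key generation task.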
Changed in openstack-ansible:
status: New → Fix Released
Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/ansible-role-pki/+/890793