Bug #1369411 “nova.conf should not be readable from other users” : Bugs : OpenStack + Chef

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-15: Change abandoned on cookbook-openstack-compute (master)

#1

Change abandoned by LeileiZhou (<email address hidden>) on branch: master
Review: https://review.openstack.org/121005

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-15: Fix proposed to cookbook-openstack-compute (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/121453

LeileiZhou (leileiz) on 2014-09-15

Changed in openstack-chef:
assignee:	nobody → LeileiZhou (leileiz)
description:	updated

Revision history for this message

LeileiZhou (leileiz) wrote on 2014-09-16:

#3

Download full text (9.5 KiB)

With following conf with 0640, have did some basic testing

With following conf with 0640, have did some basic testing

[root@c582f1-n34-vm1 Downloads]# ls -la /etc/nova/nova.conf
-rw-r----- 1 nova nova 12520 Sep  5 02:19 /etc/nova/nova.conf
[root@c582f1-n34-vm1 Downloads]# ls -la /etc/neutron/neutron.conf
-rw-r----- 1 neutron neutron 18167 Sep  5 02:17 /etc/neutron/neutron.conf
[root@c582f1-n34-vm1 Downloads]# ls -la /etc/cinder/cinder.conf
-rw-r----- 1 cinder cinder 18940 Sep  5 02:32 /etc/cinder/cinder.conf
[root@c582f1-n34-vm1 Downloads]# ls -la /etc/keystone/keystone.conf
-rw-r----- 1 keystone keystone 45559 Sep  5 02:15 /etc/keystone/keystone.conf
[root@c582f1-n34-vm1 Downloads]# glance image-create --name ubuntu-12.04-amd64 --disk-format qcow2 --container-format bare --file ./ubuntu-12.04-server-cloudimg-amd64-disk1.img
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | e95b30903cad9a58390943aa98931581     |
| container_format | bare                                 |
| created_at       | 2014-09-16T05:58:38.779889           |
| deleted          | False                                |
| deleted_at       | None                                 |
| disk_format      | qcow2                                |
| id               | 58b1e6ac-1261-4588-99e2-0deb01b8deb4 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | ubuntu-12.04-amd64                   |
| owner            | 66f9e78ffcc24ebdbc66d77644920456     |
| protected        | False                                |
| size             | 261095936                            |
| status           | active                               |
| updated_at       | 2014-09-16T05:58:40.637377           |
| virtual_size     | None                                 |
+------------------+--------------------------------------+
[root@c582f1-n34-vm1 Downloads]# neutron net-create test
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | d22a5990-6b28-4333-be31-51caad995c8f |
| name                      | test                                 |
| provider:network_type     | local                                |
| provider:physical_network |                                      |
| provider:segmentation_id  |                                      |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 66f9e78ffcc24ebdbc66d77644920456     |
+---------------------------+--------------------------------------+
[root@c582f1-n34-vm1 Downloads]# neutron subnet-create test 192.168.1.0/24
Created a new subnet:
+-------------------+--------------------------------------------------+
| Field             | Value                                            |
+-------------------+--------------------------------------------------+
| allocation_pools  | {"start": "192.168.1.2", "end": "192.168.1.254"} |
| cidr              | 192.168.1.0/24                                   |
| dns_nameservers   |                                                  |
| enable_dhcp       | True                                             |
| gateway_ip        | 192.168.1.1                                      |
| host_routes       |                                                  |
| id                | 8eaffbe0-08e8-4c59-a9f1-fbeeee86a54a             |
| ip_version        | 4                                                |
| ipv6_address_mode |                                                  |
| ipv6_ra_mode      |                                                  |
| name              |                                                  |
| network_id        | d22a5990-6b28-4333-be31-51caad995c8f             |
| tenant_id         | 66f9e78ffcc24ebdbc66d77644920456                 |
+-------------------+--------------------------------------------------+
[root@c582f1-n34-vm1 Downloads]# nova boot --flavor 11 --image 58b1e6ac-1261-4588-99e2-0deb01b8deb4 vm1
+--------------------------------------+-----------------------------------------------------------+
| Property                             | Value                                                     |
+--------------------------------------+-----------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                    |
| OS-EXT-AZ:availability_zone          | nova                                                      |
| OS-EXT-SRV-ATTR:host                 | -                                                         |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                         |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000001                                         |
| OS-EXT-STS:power_state               | 0                                                         |
| OS-EXT-STS:task_state                | scheduling                                                |
| OS-EXT-STS:vm_state                  | building                                                  |
| OS-SRV-USG:launched_at               | -                                                         |
| OS-SRV-USG:terminated_at             | -                                                         |
| accessIPv4                           |                                                           |
| accessIPv6                           |                                                           |
| adminPass                            | hDAbJwuGL9KW                                              |
| config_drive                         |                                                           |
| created                              | 2014-09-16T06:02:40Z                                      |
| flavor                               | m11.small (11)                                            |
| hostId                               |                                                           |
| id                                   | a2a6408e-41e3-4cc4-a64e-a08caf2708ff                      |
| image                                | ubuntu-12.04-amd64 (58b1e6ac-1261-4588-99e2-0deb01b8deb4) |
| key_name                             | -                                                         |
| metadata                             | {}                                                        |
| name                                 | vm1                                                       |
| os-extended-volumes:volumes_attached | []                                                        |
| progress                             | 0                                                         |
| security_groups                      | default                                                   |
| status                               | BUILD                                                     |
| tenant_id                            | 66f9e78ffcc24ebdbc66d77644920456                          |
| updated                              | 2014-09-16T06:02:41Z                                      |
| user_id                              | 4161db327902476e82115f75fdd367f0                          |
+--------------------------------------+-----------------------------------------------------------+
[root@c582f1-n34-vm1 Downloads]# nova reboot vm1
[root@c582f1-n34-vm1 Downloads]# nova list
+--------------------------------------+------+--------+----------------+-------------+------------------+
| ID                                   | Name | Status | Task State     | Power State | Networks         |
+--------------------------------------+------+--------+----------------+-------------+------------------+
| a2a6408e-41e3-4cc4-a64e-a08caf2708ff | vm1  | REBOOT | reboot_started | Running     | test=192.168.1.2 |
+--------------------------------------+------+--------+----------------+-------------+------------------+
[root@c582f1-n34-vm1 Downloads]# nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID                                   | Name | Status | Task State | Power State | Networks         |
+--------------------------------------+------+--------+------------+-------------+------------------+
| a2a6408e-41e3-4cc4-a64e-a08caf2708ff | vm1  | ACTIVE | -          | Running     | test=192.168.1.2 |
+--------------------------------------+------+--------+------------+-------------+------------------+
[root@c582f1-n34-vm1 Downloads]# nova resize vm1 2
[root@c582f1-n34-vm1 Downloads]# nova list
+--------------------------------------+------+--------+---------------+-------------+------------------+
| ID                                   | Name | Status | Task State    | Power State | Networks         |
+--------------------------------------+------+--------+---------------+-------------+------------------+
| a2a6408e-41e3-4cc4-a64e-a08caf2708ff | vm1  | RESIZE | resize_finish | Running     | test=192.168.1.2 |
+--------------------------------------+------+--------+---------------+-------------+------------------+

Mark Vanderwiel (vanderwl) on 2014-09-16

Changed in openstack-chef:
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-25: Fix merged to cookbook-openstack-compute (master)

#4

Reviewed: https://review.openstack.org/121453
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-compute/commit/?id=95982ca2265d50ebee49d86a69b54b84d0728309
Submitter: Jenkins
Branch: master

commit 95982ca2265d50ebee49d86a69b54b84d0728309
Author: leileiz <email address hidden>
Date: Mon Sep 15 02:50:12 2014 -0400

Update nova.conf permission

    contains password properties like:
    qpid_password=
    neutron_admin_password=
    To avoid unauthorized user to access it and decode the password, this file will be set as 640

Fix bug 1369411
Change-Id: I66c7d742ce814be7d39e61180e896a9d02ccb800

LeileiZhou (leileiz) on 2014-10-09

Changed in openstack-chef:
status:	Confirmed → Fix Committed

Mark Vanderwiel (vanderwl) on 2014-10-27

Changed in openstack-chef:
status:	Fix Committed → Fix Released

OpenStack + Chef

nova.conf should not be readable from other users

Bug Description

Other bug subscribers

Remote bug watches