TripleO should configure and validate server_certs_key_passphrase to be 32 chars long

Bug #1833942 reported by Nir Magnezi
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Nir Magnezi

Bug Description

Description of problem:
Initially reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1723051

The following patches added support for Octavia configuration option named: server_certs_key_passphrase:

tripleo-heat-templates https://review.opendev.org/#/c/647467/
tripleo-common https://review.opendev.org/#/c/647413/
puppet-octavia https://review.opendev.org/#/c/647502/

With those, TripleO auto-generates a passphrase to avoid falling back to an insecure default passphrase.

The mentioned passphrase is used for a Fernet key and should be 32 characters long. See: https://bugzilla.redhat.com/show_bug.cgi?id=1723051#c3

We should:
1. Generate a passphrase of that length.
2. Validate that an operator-provided passphrase obeys the same rule.
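The two requirements above (generate a passphrase of the right length, and validate an operator-supplied one) can be demonstrated with a short stand-alone script. This is an added example written for this page, not code from tripleo-common, tripleo-heat-templates or Octavia; the alphabet used for generation, the ASCII-only rule, and the function names are this example's own choices. It uses only the standard library: a Fernet key is the url-safe base64 encoding of exactly 32 raw bytes, so the check encodes the passphrase the same way and confirms that it decodes back to 32 bytes.

```python
import base64
import secrets
import string

# Length the Fernet key source must have (the rule stated in the bug report).
PASSPHRASE_LENGTH = 32

# Alphabet chosen for this example (assumption, not a TripleO setting): ASCII
# letters and digits, so one character is always exactly one byte.
ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length: int = PASSPHRASE_LENGTH) -> str:
    """Return a cryptographically random passphrase of exactly `length` chars."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_problems(passphrase) -> list:
    """Return a list of reasons an operator-provided passphrase is unusable.

    An empty list means the value is acceptable. Two rules are enforced:
    the value must be ASCII (so character count equals the byte count Fernet
    will see) and it must be exactly PASSPHRASE_LENGTH bytes long.
    """
    problems = []
    if not isinstance(passphrase, str):
        return ["passphrase must be a string"]
    try:
        raw = passphrase.encode("ascii")
    except UnicodeEncodeError:
        # A non-ASCII character would expand to several bytes under UTF-8 and
        # silently break the 32-byte invariant even if the character count is 32.
        return ["passphrase must be ASCII so that one character is one byte"]
    if len(raw) != PASSPHRASE_LENGTH:
        problems.append(
            f"passphrase must be exactly {PASSPHRASE_LENGTH} characters, got {len(raw)}"
        )
    return problems


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError with all detected problems, or return silently."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))


def to_fernet_key(passphrase: str) -> bytes:
    """Encode a validated passphrase as a Fernet key (url-safe base64 of 32 bytes)."""
    validate_passphrase(passphrase)
    return base64.urlsafe_b64encode(passphrase.encode("ascii"))


def is_valid_fernet_key(key: bytes) -> bool:
    """True if `key` decodes to exactly 32 raw bytes, the invariant Fernet requires."""
    try:
        return len(base64.urlsafe_b64decode(key)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


if __name__ == "__main__":
    generated = generate_passphrase()
    key = to_fernet_key(generated)
    print(f"generated passphrase: {generated}")
    print(f"fernet key ({len(key)} chars, valid={is_valid_fernet_key(key)}): {key.decode()}")
    # Constructed operator inputs that must be rejected: too short, off by one,
    # and 32 characters that are not 32 bytes.
    for candidate in ("too-short", "a" * 31, "\u00e9" + "a" * 31):
        print(f"{candidate!r}: {passphrase_problems(candidate)}")
```

Running the script prints a fresh 32-character passphrase, its 44-character Fernet key form, and the reason each of the three constructed bad inputs is rejected. The ASCII rule is deliberately stricter than a plain `len(value) == 32` check: a 32-character string containing one accented letter passes the character-count test but yields a 33-byte key.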

Nir Magnezi (nmagnezi)
Changed in tripleo:
assignee: nobody → Nir Magnezi (nmagnezi)
Nir Magnezi (nmagnezi)
description: updated
description: updated
description: updated
Changed in tripleo:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/669657

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/669667

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/669670

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/666971
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2
Submitter: Zuul
Branch: master

commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/669825

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/669829

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/669831

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/669848

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/669854

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/669856

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/stein)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/669657
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/queens)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669829
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/rocky)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669825
Reason: Temporarily abandoning this patch to merge https://review.opendev.org/#/c/666987/ into master. will restore afterwards.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/666987
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f
Submitter: Zuul
Branch: master

commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Closes-bug: #1833942

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/stein)

Reviewed: https://review.opendev.org/669657
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=94620dd5e67fa3a0775b2df1ae312533e392a7f9
Submitter: Zuul
Branch: stable/stein

commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/669667
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=cfb8e97867e2cd546efcb46303ae8583765d3876
Submitter: Zuul
Branch: stable/stein

commit cfb8e97867e2cd546efcb46303ae8583765d3876
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Closes-bug: #1833942

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/rocky)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669856

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/rocky)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/669825

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/queens)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669848

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/669141
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=1f3088c4aa2612a772e023f14fafc72c61c6cb07
Submitter: Zuul
Branch: master

commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now [1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
    Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    Depends-On: I886f2b8ac7092d9b3da38852e92a615d5666eea7

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.1.0

This issue was fixed in the openstack/tripleo-heat-templates 11.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/queens)

Change abandoned by Nir Magnezi (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/669854

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/rocky)

Reviewed: https://review.opendev.org/669825
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=35913d62664424075392dcaca6324164fb19380a
Submitter: Zuul
Branch: stable/rocky

commit 35913d62664424075392dcaca6324164fb19380a
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)
    (cherry picked from commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/669670
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=680f341f19060ffa42b6c832018874656a4f339a
Submitter: Zuul
Branch: stable/stein

commit 680f341f19060ffa42b6c832018874656a4f339a
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now [1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669653/
    Depends-On: https://review.opendev.org/#/c/669657/
    Depends-On: https://review.opendev.org/#/c/669667/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/669856
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=992ad5437cf21696958ca86f6675d23848f7c547
Submitter: Zuul
Branch: stable/rocky

commit 992ad5437cf21696958ca86f6675d23848f7c547
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Conflicts:
          deployment/octavia/octavia-base.yaml

    Closes-bug: #1833942

    Depends-On: https://review.opendev.org/#/c/669822/
    Depends-On: https://review.opendev.org/#/c/669825/
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)
    (cherry picked from commit cfb8e97867e2cd546efcb46303ae8583765d3876)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/queens)

Reviewed: https://review.opendev.org/669829
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=32d7bb44ab61cb0fcca1a78dfa822511d1d640d4
Submitter: Zuul
Branch: stable/queens

commit 32d7bb44ab61cb0fcca1a78dfa822511d1d640d4
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 00:54:19 2019 +0300

    Ensure that OctaviaServerCertsKeyPassphrase is 32-byte long

    Conflicts:
          tripleo_common/utils/passwords.py

    Related-Bug: #1833942

    Change-Id: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
    (cherry picked from commit de2ab55824cf96a96ac0ba9ec2a1eaccbb0f6fa2)
    (cherry picked from commit 94620dd5e67fa3a0775b2df1ae312533e392a7f9)
    (cherry picked from commit 35913d62664424075392dcaca6324164fb19380a)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/669848
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b2065e2be485c756d4bdd868c9594e47d5b80373
Submitter: Zuul
Branch: stable/queens

commit b2065e2be485c756d4bdd868c9594e47d5b80373
Author: Nir Magnezi <email address hidden>
Date: Sun Jun 23 16:10:50 2019 +0300

    Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

    Conflicts:
          deployment/octavia/octavia-base.yaml

    Closes-bug: #1833942

    Depends-On: https://review.opendev.org/#/c/669824/
    Depends-On: https://review.opendev.org/#/c/669829/
    Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
    (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)
    (cherry picked from commit cfb8e97867e2cd546efcb46303ae8583765d3876)
    (cherry picked from commit 992ad5437cf21696958ca86f6675d23848f7c547)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/669831
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=31b9d601759a71670a8213bfd0550d9d059e34aa
Submitter: Zuul
Branch: stable/rocky

commit 31b9d601759a71670a8213bfd0550d9d059e34aa
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now [1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669822/
    Depends-On: https://review.opendev.org/#/c/669825/
    Depends-On: https://review.opendev.org/#/c/669856/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)
    (cherry picked from commit 680f341f19060ffa42b6c832018874656a4f339a)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.6.1

This issue was fixed in the openstack/tripleo-heat-templates 10.6.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.4.1

This issue was fixed in the openstack/tripleo-heat-templates 9.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.1

This issue was fixed in the openstack/tripleo-heat-templates 8.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/669854
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a6e81dbfaf8f86ac316f41e92cb9ff3095570808
Submitter: Zuul
Branch: stable/queens

commit a6e81dbfaf8f86ac316f41e92cb9ff3095570808
Author: Nir Magnezi <email address hidden>
Date: Thu Jul 4 13:46:36 2019 +0300

    CI should auto-generate server_certs_key_passphrase

    Bug 1833942 showed that in a case where the generated value of
    server_certs_key_passphrase is invalid, Octavia will fail to operate.

    In CI, we currently provide a pre-defined passphrase that might cover
    for potential breakages in the future. This patch removes the
    pre-defined passphrase so it will get generated on each run.

    Note that TripleO will now [1] either auto-generate a valid passphrase
    or validate a pre-defined one.

    Related-Bug: #1833942

    [1] https://review.opendev.org/#/q/topic:OctaviaServerCertsKeyPassphrase-32chars

    Depends-On: https://review.opendev.org/#/c/669824/
    Depends-On: https://review.opendev.org/#/c/669829/
    Depends-On: https://review.opendev.org/#/c/669848/

    Change-Id: Ie596b04614c2ca9d961694f4012c1553a092aa3e
    (cherry picked from commit 1f3088c4aa2612a772e023f14fafc72c61c6cb07)
    (cherry picked from commit 680f341f19060ffa42b6c832018874656a4f339a)
    (cherry picked from commit 31b9d601759a71670a8213bfd0550d9d059e34aa)
