rsync with default chmod to 644

Bug #1433390 reported by David Moreau Simard
This bug affects 2 people
Affects        Status         Importance   Assigned to            Milestone
puppet-swift   Fix Released   High         Emilien Macchi
Icehouse       Fix Released   High         David Moreau Simard
Juno           Fix Released   High         David Moreau Simard
Kilo           Fix Released   High         David Moreau Simard
Mitaka         Fix Released   High         Emilien Macchi

Bug Description

This seems like a nasty bug, I'm surprised no one's bumped into it yet - I might just be crazy though, in which case, do let me know :)

Here's a snippet off of the rsyncd.conf file on a storage server:
====
# This file is being maintained by Puppet.
# DO NOT EDIT

[ object ]
path = /data/swift
read only = false
write only = no
list = yes
uid = swift
gid = swift
incoming chmod = 0644
outgoing chmod = 0644
max connections = 200
lock file = /var/lock/object.lock
====

I'd like to bring to your attention the default chmod values in there, brought about by these:
- https://github.com/stackforge/puppet-swift/blob/master/manifests/storage/server.pp#L49-L56
- https://github.com/puppetlabs/puppetlabs-rsync/blob/master/manifests/server/module.pp#L50-L51

When I added some new devices today, I started seeing an abnormal rise in the amount of permission denied errors for newly replicated partitions in the Swift logs (haven't quite noticed this before).
It turns out the files were in 644 (which is fine) but the folders were in 644 too, meaning the Swift user could not access them.

What we want for permissions is 755 for the folders and 644 for the files.
After doing some testing, what we want is the following incoming and outgoing chmod:
- incoming chmod = Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r
- outgoing chmod = Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r
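
An added example, not part of the original report or of puppet-swift: a check for the symptom described above, directories left without the search (x) bit, with an optional repair to the 755 the report asks for. The function names and the sample tree are constructed for illustration; on a storage node the root would be the module path from the rsyncd.conf above.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755  # folder mode the report asks for


def audit_tree(root, repair=False):
    """List (path, mode) for directories under root lacking the owner x bit.

    With repair=True each offender is set to DIR_MODE before the walk
    descends into it, so a non-root owner (swift here) can reach nested ones.
    """
    offenders = []

    def check(path):
        try:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
        except PermissionError:
            return  # parent is unsearchable and has already been reported
        if not mode & stat.S_IXUSR:
            offenders.append((path, oct(mode)))
            if repair:
                os.chmod(path, DIR_MODE)

    check(root)
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name))
    return offenders


def build_sample_tree():
    """Constructed stand-in for a replicated partition: folders left at 0644."""
    root = tempfile.mkdtemp(prefix="swift-demo-")
    leaf = os.path.join(root, "objects", "1234", "abc")
    os.makedirs(leaf)
    with open(os.path.join(leaf, "data"), "w") as fh:
        fh.write("x")
    os.chmod(leaf, 0o644)  # child first, while it is still reachable
    os.chmod(os.path.dirname(leaf), 0o644)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print("before:", audit_tree(tree))
    print("fixed: ", audit_tree(tree, repair=True))
    print("after: ", audit_tree(tree))
```

Run without repair as the swift user, the audit reports only the outermost unsearchable directory of each branch, because nothing beneath it can be stat'ed until its mode is fixed.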

Changed in puppet-swift:
assignee: nobody → David Moreau Simard (dmsimard)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-swift (master)

Fix proposed to branch: master
Review: https://review.openstack.org/165272

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-swift (master)

Reviewed: https://review.openstack.org/165272
Committed: https://git.openstack.org/cgit/stackforge/puppet-swift/commit/?id=2caba862a8609528f10c975d7a956b246f2ca477
Submitter: Jenkins
Branch: master

commit 2caba862a8609528f10c975d7a956b246f2ca477
Author: David Moreau Simard <email address hidden>
Date: Tue Mar 17 22:05:53 2015 -0400

    Provide a means to change the default rsync chmod

    puppet-rsync provides a default chmod of 0644.
    puppet-swift, until this commit, did not provide a way
    to change that default chmod.
    According to the experience in bug #1433390, it
    seemed possible for folders to be created in 0644, thus
    denying access to the folders unless you were root.

    Backwards compatibility is maintained through the same
    defaults. It looks like the default is broken in
    the context of Swift (unless it runs as root?), however.
    We should consider putting 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
    which translates to 755 for folders and 644 for files.

    Change-Id: I7fcef6e4cdf478e808de2895168165989ff098e4
    Closes-bug: #1433390

Changed in puppet-swift:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-swift (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/167306

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-swift (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/167307

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-swift (stable/juno)

Reviewed: https://review.openstack.org/167307
Committed: https://git.openstack.org/cgit/stackforge/puppet-swift/commit/?id=3a695cd7a0905773f58f7c4e347338d24841a47b
Submitter: Jenkins
Branch: stable/juno

commit 3a695cd7a0905773f58f7c4e347338d24841a47b
Author: David Moreau Simard <email address hidden>
Date: Tue Mar 17 22:05:53 2015 -0400

    Provide a means to change the default rsync chmod

    puppet-rsync provides a default chmod of 0644.
    puppet-swift, until this commit, did not provide a way
    to change that default chmod.
    According to the experience in bug #1433390, it
    seemed possible for folders to be created in 0644, thus
    denying access to the folders unless you were root.

    Backwards compatibility is maintained through the same
    defaults. It looks like the default is broken in
    the context of Swift (unless it runs as root?), however.
    We should consider putting 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
    which translates to 755 for folders and 644 for files.

    Change-Id: I7fcef6e4cdf478e808de2895168165989ff098e4
    Closes-bug: #1433390
    (cherry picked from commit 2caba862a8609528f10c975d7a956b246f2ca477)

tags: added: in-stable-juno
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-swift (stable/icehouse)

Reviewed: https://review.openstack.org/167306
Committed: https://git.openstack.org/cgit/stackforge/puppet-swift/commit/?id=392ab49664f5852bef53ceac5683c0f2a48149cf
Submitter: Jenkins
Branch: stable/icehouse

commit 392ab49664f5852bef53ceac5683c0f2a48149cf
Author: David Moreau Simard <email address hidden>
Date: Tue Mar 17 22:05:53 2015 -0400

    Provide a means to change the default rsync chmod

    puppet-rsync provides a default chmod of 0644.
    puppet-swift, until this commit, did not provide a way
    to change that default chmod.
    According to the experience in bug #1433390, it
    seemed possible for folders to be created in 0644, thus
    denying access to the folders unless you were root.

    Backwards compatibility is maintained through the same
    defaults. It looks like the default is broken in
    the context of Swift (unless it runs as root?), however.
    We should consider putting 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
    which translates to 755 for folders and 644 for files.

    Change-Id: I7fcef6e4cdf478e808de2895168165989ff098e4
    Closes-bug: #1433390
    (cherry picked from commit 2caba862a8609528f10c975d7a956b246f2ca477)

tags: added: in-stable-icehouse
Mathieu Gagné (mgagne)
Changed in puppet-swift:
milestone: none → 6.0.0
Changed in puppet-swift:
importance: Undecided → High
Mathieu Gagné (mgagne)
Changed in puppet-swift:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-swift (master)

Fix proposed to branch: master
Review: https://review.openstack.org/261327

Changed in puppet-swift:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-swift (master)

Reviewed: https://review.openstack.org/261327
Committed: https://git.openstack.org/cgit/openstack/puppet-swift/commit/?id=e52ebb053b62b61bfe26cdf338d71a2f47d2d0e9
Submitter: Jenkins
Branch: master

commit e52ebb053b62b61bfe26cdf338d71a2f47d2d0e9
Author: Emilien Macchi <email address hidden>
Date: Thu Dec 24 14:52:39 2015 +0100

    Change defaults for incoming/outgoing chmod (rsync)

    In a previous release, we sent a warning about the default
    incoming/outgoing chmod that was configured for rsync.
    We mentioned it was risky and people should avoid using 0644 like it
    was by default. For backward compatibility, we kept this default and
    sent a warning.

    2 releases later, this patch aims to change the default and stop sending
    the warning.

    Change-Id: Ic3aaaec0eee4225bf2021937edf972528ea72e2c
    Closes-bug: #1433390

Changed in puppet-swift:
status: In Progress → Fix Released