Backup and Restore does not include all the content under /etc

Bug #1981082 reported by Virginia Martins Perozim
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Virginia Martins Perozim
Milestone: -

Bug Description

Brief Description
-----------------
Backup and restore does not include the configuration required to enable a secure openldap. The configuration is created in the "/etc/openldap" directory. It's expected that B&R includes all the data under /etc.

Severity
--------
Major

Steps to Reproduce
------------------
Create an openldap certificate.
CertMon will detect the new certificate and will trigger the secure openldap configuration updates as follows:

1. store certificate and key files in "/etc/openldap/certs", e.g.:

controller-0:/etc/openldap/certs# ls -al
total 116
drwxr-xr-x. 2 root root 4096 May 3 20:13 .
drwxr-----. 6 root root 4096 May 3 20:16 ..
-rw-r--r--. 1 root root 65536 May 3 17:22 cert8.db
-rw-r--r--. 1 root root 16384 May 3 17:22 key3.db
-rw-r--r-- 1 ldap ldap 1090 May 3 20:16 openldap-cert.crt
-rw-r--r-- 1 ldap ldap 1679 May 3 20:16 openldap-cert.key
-r--r-----. 1 root ldap 45 May 3 17:21 password
-rw-r--r--. 1 root root 16384 May 3 17:21 secmod.db
-rw-r--r--. 1 root root 0 May 3 17:22 .slapd-leave

2. update "/etc/openldap/schema/cn=config.ldif" with the paths of certificate and key files

controller-0:/etc/openldap/schema# vi cn=config.ldif

AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
CRC32 2a03daf9
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/schema/
----------------------------------------------------
entryUUID: 3effb13f-07b9-4bca-b865-9e87c993de26
creatorsName: cn=config
createTimestamp: 20220503174350Z
olcTLSCertificateKeyFile: /etc/openldap/certs/openldap-cert.key
olcTLSCertificateFile: /etc/openldap/certs/openldap-cert.crt
entryCSN: 20220503201653.462498Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20220503201653Z

3. add ldaps configuration to slapd in "/etc/rc.d/init.d/openldap"

controller-0:/etc/openldap/schema/cn=config# ps -ef|grep slapd
root 93790 1 0 22:31 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -F /etc/openldap/schema/
root 146195 121213 0 22:40 ttyS0 00:00:00 grep --color=auto slapd

Expected Behavior
------------------
After a system backup and restore, steps 1 to 3 are not executed.

Actual Behavior
----------------
The secure openldap configuration (steps 1 to 3) is missing.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
AIO-SX

Branch/Pull Time/Commit
-----------------------
Starlingx master

Last Pass
---------
-

Timestamp/Logs
--------------
-

Test Activity
-------------
Backup and Restore with openldap feature configured

Workaround
----------
Manually update missing configuration
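
A post-restore check for the three items listed under Steps to Reproduce, as an added example that is not part of the original report or of the StarlingX playbooks. The function names and the ROOT argument are hypothetical, and the check assumes the secure listener shows up as an ldaps:// URL in the slapd command line.

```shell
#!/bin/sh
# Added example (not StarlingX code): verify after a restore that the secure
# openldap configuration from steps 1-3 is still in place.
# ROOT lets the check run against an extracted backup or a test tree;
# pass / for the live system.

# Print the first value of ATTR from an LDIF file (folded or base64 values
# are not decoded, so they are reported as missing paths).
ldif_attr() {  # usage: ldif_attr FILE ATTR
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# usage: check_secure_ldap ROOT SLAPD_ARGS
# Prints one line per missing item and returns the number of problems (0-3).
check_secure_ldap() {
    root=${1%/}
    args=$2
    problems=0
    ldif="$root/etc/openldap/schema/cn=config.ldif"

    # Steps 1 and 2: cn=config must name a certificate and a key, and both
    # files must exist and be non-empty under ROOT.
    for attr in olcTLSCertificateFile olcTLSCertificateKeyFile; do
        path=""
        [ -f "$ldif" ] && path=$(ldif_attr "$ldif" "$attr")
        if [ -z "$path" ]; then
            echo "MISSING: $attr is not set in $ldif"
            problems=$((problems + 1))
        elif [ ! -s "$root$path" ]; then
            echo "MISSING: $attr points to $path, which is absent or empty"
            problems=$((problems + 1))
        fi
    done

    # Step 3: slapd must have been started with an ldaps:// listener.
    case $args in
        *ldaps://*) ;;
        *)  echo "MISSING: slapd command line has no ldaps:// listener"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Live-system usage: check_secure_ldap / "$(ps -o args= -C slapd)"
```

Run against the process listing shown in step 3 (`-h ldap:///` only), the check reports the missing ldaps listener.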

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/849146
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/2f147cbd6633baa7a5b8da050b07f0f9f660c3ea
Submitter: "Zuul (22348)"
Branch: master

commit 2f147cbd6633baa7a5b8da050b07f0f9f660c3ea
Author: Virginia Martins Perozim <email address hidden>
Date: Fri Jul 8 16:01:07 2022 -0400

    Restore /etc/openldap in CentOS

    Directory /etc/openldap was not included in the restore process.
    All the files that appear inside this directory after
    restore come from the iso installation or are generated
    based on default configuration.
    So, the fix was to include the entire directory in the restore
    playbook.
    This fix covers only ldap service on CentOS.

    Test Plan:

    PASSED: test the fix for CentOS
            Backup with openldap configured
            --> /etc/openldap restored according to backup

    PASSED: negative test
            Backup without openldap configured
            --> /etc/openldap restored according to backup

    PASSED: negative test on Debian
            --> openldap service skipped

    Closes-Bug: 1981082
    Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/843430
    Signed-off-by: Virginia Martins Perozim <email address hidden>
    Change-Id: I1d7441f333fd0aa8ae570551ea261e06cb664540

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Virginia Martins Perozim (vmperozim)
tags: added: stx.7.0 stx.update