StarlingX

Backup & Restore: During restore, multiple ca-certs create invalid symlink

Bug #1989150 reported by Joshua Kraitberg
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Joshua Kraitberg

Bug Description

Brief Description
-----------------
When extracting ca-certs during early restore, a symlink is created instead of extracting file from tar.

https://opendev.org/starlingx/ansible-playbooks/src/commit/7129e61df1524a0068b06d59532e5518f9ee4daa/playbookconfig/src/playbooks/roles/bootstrap/prepare-env/tasks/restore_prep_tasks.yml#L92

sysadmin@controller-0:~$ tar -xvf \
    /opt/platform-backup/localhost_platform_backup.tgz \
    -C /tmp \
    -p --transform=s,.*/,, \
    --wildcards '*/ca-cert.pem*'

opt/platform/config/22.12/ca-cert.pem
etc/ssl/certs/ca-cert.pem
tar: ca-cert.pem: time stamp 2022-09-08 20:21:42 is 26596.076405151 s in the

futuresysadmin@controller-0:~$ ls -al /tmp/
total 8
drwxrwxrwt 14 root root 320 Sep 8 12:58 .
drwxr-xr-x 14 root root 4096 Sep 7 20:23 ..
drwxr-xr-x 3 sysadmin sys_protected 60 Sep 8 12:24 .ansible-root
drwx------ 3 sysadmin sys_protected 60 Sep 8 12:22 .ansible-sysadmin
lrwxrwxrwx 1 sysadmin sys_protected 11 Sep 8 2022 ca-cert.pem -> ca-cert.crt

Severity
--------
Major

Steps to Reproduce
------------------
Perform backup and restore.

Expected Behavior
------------------
ca-cert.pem is extracted from tar.

Actual Behavior
----------------
A broken symlink is created.

Reproducibility
---------------
100%

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
Master

Last Pass
---------
Last week

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Developer Testing

Workaround
----------
Improve tar command

Joshua Kraitberg (jkraitbe-wr)
Changed in starlingx:
assignee: nobody → Joshua Kraitberg (jkraitbe-wr)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856845

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
tags: added: stx.8.0 stx.update
Changed in starlingx:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/856845
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/70c19c7c961d086f303623dcf5dca867a7b569d6
Submitter: "Zuul (22348)"
Branch: master

commit 70c19c7c961d086f303623dcf5dca867a7b569d6
Author: Joshua Kraitberg <email address hidden>
Date: Fri Sep 9 11:50:10 2022 -0400

    Refine ca-cert.pem extraction command

    During restore, the ca-cert.pem file is extracted from the backup tar.
    Because there are multiple ca-cert.pem files in the tar and
    both wildcard and transform options are used, the wrong
    one was being selected.

    The tar extract command has been narrowed to use an exact file path for
    the copy in platform config.

    By using the copy from /opt, backing up the ca-cert in /etc can be skipped.

    TEST PLAN
    PASS Create a backup (Debian SX/DX)
    PASS Restore from backup
    PASS Confirm that ca-cert was installed:
            source /etc/platform/openrc; system certificate-list
    PASS Confirm ca-certs all match:
            sha256sum /etc/ssl/certs/ca-cert.pem
            sha256sum /opt/platform/config/22.12/ca-cert.pem
            tar xfO ~/localhost_platform_backup.tgz \
                    opt/platform/config/22.12/ca-cert.pem | sha256sum

    Closes-Bug: 1989150
    Signed-off-by: Joshua Kraitberg <email address hidden>
    Change-Id: I451d49e52e32e78eff74643886ca8db6f9faff13

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.