fernet key rotation playbook sets wrong ownership for fernet keys

Bug #1726727 reported by Juan Antonio Osorio Robles
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Juan Antonio Osorio Robles
Milestone:

Bug Description

In containerized environments, the fernet key rotation playbook uses the host's keystone user and group. This is wrong, since that user differs in the container. This will result in errors due to wrong ownership.
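An added example, not part of the original report or of tripleo-common: a post-rotation check that compares the numeric owner of each key file with the ids the name `keystone` resolves to in the host's and in the container's account databases. The passwd/group lines, ids and key contents are constructed; the "host" ids are taken from the current process so the script runs without root.

```python
import os
import tempfile

def resolve_ids(passwd_text, group_text, user="keystone", group="keystone"):
    """Map account names to numeric (uid, gid) using passwd(5)/group(5) text."""
    def lookup(text, name):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) >= 3 and fields[0] == name:
                return int(fields[2])
        raise LookupError(f"{name!r} not found")
    return lookup(passwd_text, user), lookup(group_text, group)

def audit_key_owner(key_dir, uid, gid):
    """List (file, uid, gid) for key files not owned by the expected numeric ids."""
    wrong = []
    for name in sorted(os.listdir(key_dir)):
        st = os.lstat(os.path.join(key_dir, name))
        if (st.st_uid, st.st_gid) != (uid, gid):
            wrong.append((name, st.st_uid, st.st_gid))
    return wrong

def demo():
    """Constructed scenario: keys chowned by name on the host, read in the container."""
    me, mygrp = os.geteuid(), os.getegid()
    # Constructed account databases: same name, different numeric ids.
    host_passwd = f"keystone:x:{me}:{mygrp}::/var/lib/keystone:/sbin/nologin\n"
    host_group = f"keystone:x:{mygrp}:\n"
    ctr_passwd = f"keystone:x:{me + 1}:{mygrp + 1}::/var/lib/keystone:/sbin/nologin\n"
    ctr_group = f"keystone:x:{mygrp + 1}:\n"
    with tempfile.TemporaryDirectory() as key_dir:
        for name in ("0", "1", "2"):      # fernet keys are index-named files
            path = os.path.join(key_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed-placeholder-key\n")
            os.chmod(path, 0o600)
            os.chown(path, me, mygrp)     # effect of a name-based chown on the host
        host_view = audit_key_owner(key_dir, *resolve_ids(host_passwd, host_group))
        ctr_view = audit_key_owner(key_dir, *resolve_ids(ctr_passwd, ctr_group))
    return host_view, ctr_view

if __name__ == "__main__":
    host_view, ctr_view = demo()
    print("mismatches per host's keystone ids:", host_view)
    print("mismatches per container's keystone ids:", ctr_view)
```

A check that resolves `keystone` on the host reports nothing wrong, while the same files fail when measured against the container's ids, so the audit has to use the container's account database.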

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/514543

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: New → In Progress
Changed in tripleo:
importance: Undecided → Critical
milestone: none → queens-2
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/514543
Reason: Clearing the gate now, see context on http://lists.openstack.org/pipermail/openstack-dev/2017-October/123979.html

I'll restore the patch once we're green. Apologies in advance, and don't worry about your patch; it will merge ASAP.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/514543
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=6b039f4bbb3b117a8e26e6422bcf2a1f326c65fc
Submitter: Zuul
Branch: master

commit 6b039f4bbb3b117a8e26e6422bcf2a1f326c65fc
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Oct 24 10:11:40 2017 +0300

    chown fernet keys to match container's keystone user and group

    We used to use the host's keystone user and group. This is wrong since
    we need to use the container's keystone user and group, which differs
    from the host. This fixes that.

    Change-Id: I0a64843c94bb173bb9e418bfca26927c1e2a123f
    Closes-Bug: #1726727

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/515369

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/pike)

Reviewed: https://review.openstack.org/515369
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=6444887b1f54b7335a65adc9670785bccef25031
Submitter: Zuul
Branch: stable/pike

commit 6444887b1f54b7335a65adc9670785bccef25031
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Oct 24 10:11:40 2017 +0300

    chown fernet keys to match container's keystone user and group

    We used to use the host's keystone user and group. This is wrong since
    we need to use the container's keystone user and group, which differs
    from the host. This fixes that.

    Change-Id: I0a64843c94bb173bb9e418bfca26927c1e2a123f
    Closes-Bug: #1726727
    (cherry picked from commit 6b039f4bbb3b117a8e26e6422bcf2a1f326c65fc)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 7.6.3

This issue was fixed in the openstack/tripleo-common 7.6.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 8.2.0

This issue was fixed in the openstack/tripleo-common 8.2.0 release.
