Mistral's ansible action writes files to tmp

Bug #1719783 reported by Flavio Percoco on 2017-09-27
Affects: tripleo
Importance: High
Assigned to: Luke Hinds

Bug Description

Mistral's ansible action (in tripleo_common) writes inventory files, keys and playbooks to `/tmp`. Writing files to `/tmp` has caused several CVEs in the past and it'd be better for us to not use it at all.

To fix this issue, we should write these files to a different location (/var/tmp? /home/{{undercloud_user}}/?) but for that we'll have to provide permissions (privsep? rootwrap?) to the mistral user for accessing these paths.

I'm filing this bug to keep track of this issue and, hopefully, work on a solution as soon as possible.
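
The hardening the report asks for, sketched as an added example (not part of the original report and not tripleo-common's code): inventory, key and playbook files are staged in a freshly created owner-only directory under a caller-chosen base path, then audited. The function names, the `ansible-work-` prefix, the file names and the sample contents are assumptions made for illustration.

```python
import os
import stat
import tempfile


def stage_ansible_files(base_dir, files):
    """Write name -> content pairs into a fresh private directory under base_dir."""
    for name in files:
        # Reject anything that could escape the work directory.
        if os.path.basename(name) != name or name in ("", ".", ".."):
            raise ValueError("plain file name required: %r" % name)
    # mkdtemp creates the directory atomically, mode 0700, with a random suffix,
    # so a local user can neither pre-create it nor read its contents.
    work_dir = tempfile.mkdtemp(prefix="ansible-work-", dir=base_dir)
    # O_EXCL refuses an existing path; O_NOFOLLOW refuses a planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for name, content in files.items():
        fd = os.open(os.path.join(work_dir, name), flags, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
    return work_dir


def audit_work_dir(work_dir):
    """Return findings for work_dir; an empty list means owner-only access."""
    findings = []
    st = os.lstat(work_dir)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        return ["%s: not a directory owned by this user" % work_dir]
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("%s: directory open to group/other" % work_dir)
    for name in sorted(os.listdir(work_dir)):
        fst = os.lstat(os.path.join(work_dir, name))
        if not stat.S_ISREG(fst.st_mode):
            findings.append("%s: not a regular file" % name)
        elif stat.S_IMODE(fst.st_mode) & 0o077:
            findings.append("%s: readable or writable by group/other" % name)
    return findings


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # stand-in for the service's own state directory
    # Constructed sample contents, not real inventory or key material.
    path = stage_ansible_files(base, {
        "inventory.yaml": "undercloud:\n  hosts:\n    localhost: {}\n",
        "ssh_private_key": "PLACEHOLDER-KEY\n",
        "playbook.yaml": "- hosts: all\n  tasks: []\n",
    })
    print(path, audit_work_dir(path) or "private")
```
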

Changed in tripleo:
importance: Undecided → Medium
milestone: none → queens-2
tags: added: tech-debt
Aizuddin Zali (mymzbe) on 2017-09-27
Changed in tripleo:
assignee: nobody → Aizuddin Zali (mymzbe)
assignee: Aizuddin Zali (mymzbe) → nobody
Changed in tripleo:
importance: Medium → High
status: New → Triaged
tags: added: security-hardening
Changed in tripleo:
milestone: queens-2 → queens-3
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Luke Hinds (lhinds) on 2018-03-07
Changed in tripleo:
assignee: nobody → Luke Hinds (lhinds)
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3

This is no longer the case.

Changed in tripleo:
status: Triaged → Invalid