files created by undercloud installer are owned by root in a user's folder

Bug #1761595 reported by Alex Schultz
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Cédric Jeanneret

Bug Description

The files created by the containerized undercloud install are owned by root in the user's directory. They should be locked down, but to the user running the command.

Example (user == centos):

drwx------. 3 root root 22 Apr 5 20:02 tripleoclient-iDUS5S
-rw-------. 1 root root 9382 Apr 5 20:02 tripleo-undercloud-passwords.yaml
drwx------. 5 root root 4096 Apr 5 20:17 tripleo-x9EqDI-config
-rw-r--r--. 1 centos centos 11271 Apr 5 20:02 undercloud.conf
-rw-------. 1 root root 1943 Apr 5 20:02 undercloud-passwords.conf
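
The ownership problem above comes from deploy steps that run under a global sudo and write into the invoking user's home. As an added illustration (not tripleoclient's own code, and not the merged fix), the script below identifies the real user from sudo's SUDO_UID/SUDO_GID (assumed to be exported, as sudo does by default), walks a directory without following symlinks, lists every entry not owned by that user, and can hand them back with lchown; the sample tree it builds is constructed to mirror the listing in the report.

```python
"""Report and repair files under a directory that are not owned by the user
who invoked the deploy. Illustration only, not tripleoclient's own code."""
import os
import tempfile
from pathlib import Path


def invoking_user(environ=None):
    """(uid, gid) of the real user: SUDO_UID/SUDO_GID under sudo, else the
    process owner. Assumes sudo exported those variables (its default)."""
    env = os.environ if environ is None else environ
    try:
        return int(env["SUDO_UID"]), int(env["SUDO_GID"])
    except (KeyError, ValueError):
        return os.getuid(), os.getgid()


def find_foreign_files(root, uid, gid):
    """Sorted paths under root (root included) whose owner or group differs
    from uid/gid. lstat is used and symlinks are never followed, so a link
    planted in the tree cannot redirect the check (or a later chown)."""
    root = Path(root)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths.extend(Path(dirpath) / name for name in dirnames + filenames)
    return sorted(str(p) for p in paths
                  if (p.lstat().st_uid, p.lstat().st_gid) != (uid, gid))


def fix_ownership(root, uid, gid, dry_run=False):
    """chown every foreign entry back to uid:gid (the link itself, not its
    target). Returns the paths changed; taking files from root needs root."""
    changed = find_foreign_files(root, uid, gid)
    if not dry_run:
        for path in changed:
            os.lchown(path, uid, gid)
    return changed


def make_sample_tree():
    """Constructed stand-in for the listing in the report: a temp dir holding
    a passwords file and a config subdir, all owned by the current user."""
    base = Path(tempfile.mkdtemp(prefix="undercloud-"))
    (base / "undercloud-passwords.conf").write_text("constructed sample\n")
    (base / "tripleo-config").mkdir()
    (base / "tripleo-config" / "passwords.yaml").write_text("constructed\n")
    return str(base)
```

Run `fix_ownership(os.path.expanduser("~"), *invoking_user())` from the same sudo session that produced the files to restore ownership; with `dry_run=True` it only reports.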

Tags: containers
Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
milestone: rocky-2 → rocky-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/559265

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Mike Fedosin (mfedosin)
Changed in tripleo:
assignee: Mike Fedosin (mfedosin) → Emilien Macchi (emilienm)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-tripleoclient (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/559265
Reason: in favor of https://review.openstack.org/#/c/560578

Changed in tripleo:
milestone: rocky-1 → rocky-2
Cédric Jeanneret (cjeanner) wrote :

fun fact: `openstack' command wants a non-root user; but the undercloud deploy actually runs with a global sudo call - partly because of things done in python directly (like symlinks in /etc tree).

A way to avoid that would be to use ansible instead of python for the deploy part, even its preparation... Might be the longest path, but at least it will be the safest one.

Having a nice "stack" sudoers listing only some "yum install/update" things and, possibly, some tiny more bits, is probably better than the dreadful "NOPASSWD:ALL" we currently see in the doc.

Changed in tripleo:
milestone: rocky-2 → rocky-3
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/559265
Reason: it seems that it doesn't fit with the plans.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/580354

Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Cédric Jeanneret (cjeanner)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/580354
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=d32cfff375a318b83d962c43407784e757a77ef5
Submitter: Zuul
Branch: master

commit d32cfff375a318b83d962c43407784e757a77ef5
Author: Cédric Jeanneret <email address hidden>
Date: Thu Jul 5 13:55:36 2018 +0200

    Quick'n'dirty way to at least protect and correct rights on files

    Currently the rights on some files are wrong due to wild "sudo" calls
    in the deploy process.

    The right way would be to get a proper privileges escalation using
    oslo.privsep, but as this spec is for Stein, we still need some
    corrections for the previous versions.

    Please keep in mind this is a quick fix, NOT a final nor proper
    solution.

    Based on a previously abandoned (unmergeable) proposal.

    Change-Id: I418d41c91d008283360ffaaa7b3a38354e405423
    Closes-Bug: #1761595
    Co-Authored-By: Emilien Macchi <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-tripleoclient 10.4.0

This issue was fixed in the openstack/python-tripleoclient 10.4.0 release.
