Default file path in OctaviaAmphoraSshKeyFile may not be readable

Bug #1770641 reported by Carlos Goncalves
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Medium | Carlos Goncalves |

Bug Description

The Octavia public key configuration is run by Mistral, meaning under the 'mistral' user. The default file path value in OctaviaAmphoraSshKeyFile is /home/stack/.ssh/id_rsa.pub, which may not be readable or not accessible because of the lack of permissions from its parent directory, leading to permission denied and hence failure to deploy overcloud. It would be safer to not default to a file path but to use the existing 'default' keypair from the undercloud, which anyway is the public key of the 'stack' user. Users should still be able to specify a file path but will need to ensure it is readable.

tags: added: queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/568022

Changed in tripleo:
assignee: nobody → Carlos Goncalves (cgoncalves)
status: New → In Progress
Changed in tripleo:
assignee: Carlos Goncalves (cgoncalves) → Nir Magnezi (nmagnezi)
Changed in tripleo:
importance: Undecided → Medium
milestone: none → rocky-2
Changed in tripleo:
assignee: Nir Magnezi (nmagnezi) → Carlos Goncalves (cgoncalves)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/568022
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0e87e640c88c316a8bc8d75974c8ac79aca868be
Submitter: Zuul
Branch: master

commit 0e87e640c88c316a8bc8d75974c8ac79aca868be
Author: Carlos Goncalves <email address hidden>
Date: Fri May 11 08:22:29 2018 +0200

    Default Octavia SSH pub key to UC default keypair

    The Octavia public key configuration is run by Mistral meaning under the
    'mistral' user. The previously default /home/stack/.ssh/id_rsa.pub file
    may not be readable or not accessible because of the lack of permissions
    from its parent directory leading to permission denied and hence failure
    to deploy overcloud. It is safer to not default to a file path but to
    use the existing 'default' keypair from the undercloud which anyway is
    the public key of the 'stack' user. Users can still specify a file path
    but will need to ensure it is readable.

    Related-Bug: #1770641
    Change-Id: I1dea4a8d5bb3c5a64ee7fb8995b837909bc1cafe

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/567205
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=8a69b692c4bdf3b5b7b32907ea8f117c194058b3
Submitter: Zuul
Branch: master

commit 8a69b692c4bdf3b5b7b32907ea8f117c194058b3
Author: Carlos Goncalves <email address hidden>
Date: Wed May 9 14:06:22 2018 +0200

    Check pub key file perms and default to pub key data

    The previously default /home/stack/.ssh/id_rsa.pub file may not exist or
    be readable; exit with explicit error message. Users can still specify a
    file path but will need to ensure it is readable. Should a file path not
    be specified, default to amp_ssh_key_data. The value is passed by THT
    with the public key of the 'default' keypair from the undercloud which
    anyway is the public key of the 'stack' user.

    This patch also fixes a syntax error in octavia-undercloud role.

    Closes-Bug: #1770153
    Closes-Bug: #1770641

    Depends-On: https://review.openstack.org/568022
    Change-Id: I0026343d90b84572c3002fa21001cfb09c742391
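
The behaviour this commit message describes (fail with an explicit error when a given key file is not readable by the service user, otherwise fall back to the key data) can be sketched as follows. This is an added example, not code from tripleo-common; the function names and the `base` parameter are hypothetical, and only classic mode bits are evaluated (no ACLs or SELinux).

```python
import os


def _allowed(st, uid, gids, want):
    """POSIX mode-bit check: owner class, else group class, else other."""
    if uid == 0:
        return True  # root is not limited by mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, base="/"):
    """Return the first component below `base` that keeps `uid` from reading
    `path` (missing, unsearchable directory, unreadable file), else None."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    current = base
    try:
        for part in os.path.relpath(path, base).split(os.sep):
            # Each directory on the way needs the search (x) bit.
            if not _allowed(os.stat(current), uid, gids, 0o1):
                return current
            current = os.path.join(current, part)
        if not _allowed(os.stat(current), uid, gids, 0o4):
            return current
    except FileNotFoundError:
        return current
    return None


def resolve_amp_pubkey(key_file, key_data, uid, gids, base="/"):
    """An explicit file path must be readable by the service user; with no
    path given, fall back to the key data (amp_ssh_key_data on the page)."""
    if key_file:
        blocker = first_blocker(key_file, uid, gids, base)
        if blocker:
            raise PermissionError(
                f"{key_file} is not readable by uid {uid}: blocked at {blocker}")
        with open(key_file) as fh:  # assumes the caller runs as `uid`
            return fh.read().strip()
    if not key_data:
        raise ValueError("neither a public key file nor public key data given")
    return key_data.strip()
```

Reporting the blocking component matters here because the key file itself can be world-readable while a parent directory such as the home directory is not searchable by the service user.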

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/568394

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/568395

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/568395
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b94d3b404362f567da020417571abea89b97007d
Submitter: Zuul
Branch: stable/queens

commit b94d3b404362f567da020417571abea89b97007d
Author: Carlos Goncalves <email address hidden>
Date: Fri May 11 08:22:29 2018 +0200

    Default Octavia SSH pub key to UC default keypair

    The Octavia public key configuration is run by Mistral meaning under the
    'mistral' user. The previously default /home/stack/.ssh/id_rsa.pub file
    may not be readable or not accessible because of the lack of permissions
    from its parent directory leading to permission denied and hence failure
    to deploy overcloud. It is safer to not default to a file path but to
    use the existing 'default' keypair from the undercloud which anyway is
    the public key of the 'stack' user. Users can still specify a file path
    but will need to ensure it is readable.

    Related-Bug: #1770641
    Change-Id: I1dea4a8d5bb3c5a64ee7fb8995b837909bc1cafe
    (cherry picked from commit 0e87e640c88c316a8bc8d75974c8ac79aca868be)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/queens)

Reviewed: https://review.openstack.org/568394
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=a2a55395795e3ac67c778c4f8e81b964ea509f43
Submitter: Zuul
Branch: stable/queens

commit a2a55395795e3ac67c778c4f8e81b964ea509f43
Author: Carlos Goncalves <email address hidden>
Date: Wed May 9 14:06:22 2018 +0200

    Check pub key file perms and default to pub key data

    The previously default /home/stack/.ssh/id_rsa.pub file may not exist or
    be readable; exit with explicit error message. Users can still specify a
    file path but will need to ensure it is readable. Should a file path not
    be specified, default to amp_ssh_key_data. The value is passed by THT
    with the public key of the 'default' keypair from the undercloud which
    anyway is the public key of the 'stack' user.

    This patch also fixes a syntax error in octavia-undercloud role.

    Closes-Bug: #1770153
    Closes-Bug: #1770641

    Depends-On: https://review.openstack.org/568022
    Change-Id: I0026343d90b84572c3002fa21001cfb09c742391
    (cherry picked from commit 8a69b692c4bdf3b5b7b32907ea8f117c194058b3)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 8.6.2

This issue was fixed in the openstack/tripleo-common 8.6.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 9.1.0

This issue was fixed in the openstack/tripleo-common 9.1.0 release.
