Ubuntu Repository Cache Charm

juju add-unit fails relation-joined hook due to permissions issues

Bug #1770071 reported by Paul Gear on 2018-05-09

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Charm Helpers	Fix Released	High	Haw Loeung
	Ubuntu Repository Cache Charm	Won't Fix	Undecided	Unassigned

Bug Description

On adding a new juju unit, the www-sync user's ssh directory is created with apparently wrong permissions:

# ls -la /home/www-sync/.ssh/
total 24
drwxr-xr-x 2 www-sync root 4096 May 9 04:34 .
drwxr-xr-x 3 www-sync www-data 4096 May 9 04:34 ..
-rw-r--r-- 1 root root 396 May 9 04:34 authorized_keys
-rw------- 1 www-sync root 1679 May 9 04:34 id_rsa
-rw-r--r-- 1 www-sync root 396 May 9 04:34 id_rsa.pub
-rw-r--r-- 1 root root 659 May 9 04:34 known_hosts

This causes the initial sync of metadata to fail, preventing the relation hook from completing: https://pastebin.canonical.com/p/pQp4zb9HCp/

Workaround: chown -R www-sync /home/www-sync/.ssh/

Tags:

Related branches

lp:~hloeung/ubuntu-repository-cache/fix-ssh-files-ownership

Merged into lp:ubuntu-repository-cache at revision 279

Tom Haddon: Approve on 2020-07-10

Canonical IS Reviewers: Pending requested 2020-07-09

Revision history for this message

Paul Gear (paulgear) wrote on 2018-05-09:

This is related to, but not the same as, lp:1680860

tags:

added: canonical-is

Revision history for this message

Barry Price (barryprice) wrote on 2019-05-03:

There's a little more to this - charmhelpers.contrib.unison does the initial setup which drops (root-owned) authorized_keys and known_hosts onto each unit.

Those files are *supposed* to already contain the appropriate values, the root ownership may even be an intentional security measure to avoid the 'www-sync' user from connecting to anywhere it's not supposed to.

Retargetting to charm-helpers for clarity, but that probably needs a Github issue...

https://github.com/juju/charm-helpers/blob/master/charmhelpers/contrib/unison/__init__.py

Revision history for this message

Paul Collins (pjdc) wrote on 2019-05-27:

I ran into this today adding a unit to aws ap-southeast-2. The IP being ssh'd to was not mentioned in known_hosts, so if the idea is that Juju maintains the file correctly, it's failing to do so here.

Revision history for this message

Haw Loeung (hloeung) wrote on 2020-07-09:

https://github.com/juju/charm-helpers/issues/487

Haw Loeung (hloeung) on 2020-07-09

Changed in charm-helpers:
status:	New → Confirmed
assignee:	nobody → Haw Loeung (hloeung)
status:	Confirmed → In Progress
Changed in ubuntu-repository-cache:
status:	New → Won't Fix
Changed in charm-helpers:
importance:	Undecided → High

Haw Loeung (hloeung) on 2020-07-10

Changed in charm-helpers:
status:	In Progress → Fix Committed

Haw Loeung (hloeung) on 2020-09-15

Changed in charm-helpers:
status:	Fix Committed → In Progress

Haw Loeung (hloeung) on 2020-09-15

Changed in charm-helpers:
status:	In Progress → Fix Committed

Revision history for this message

Haw Loeung (hloeung) wrote on 2020-11-02:

Released in charm-helpers 0.20.18

Changed in charm-helpers:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-github-juju-charm-helpers #487
[closed] Edit

Bug watches keep track of this bug in other bug trackers.