From e2853bf2d0a2e63d53d0f2d0cb21fd406f6289b0 Mon Sep 17 00:00:00 2001
From: melanie witt
Date: Wed, 13 Mar 2019 13:16:51 +0000
Subject: [PATCH] Set ownership of /etc/pki/ files for TLS
OpenSSL 1.0.2 generates key files with default permissions: 644 and the files are copied to the /etc/pki/* directories with sudo. When the default CI node Ubuntu version was changed from Xenial => Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0 generates key files with default permissions: 600. When we copy the key file to /etc/pki/* using sudo, it becomes owned by root and then the console-related users are unable to read it. This sets the ownership of the /etc/pki/ files to the user:group intended to read them.
Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
---
 lib/nova | 16 ++++++++++++++++
 lib/nova_plugins/functions-libvirt | 8 +++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/lib/nova b/lib/nova
index 033ebf3697..137a249c65 100644
--- a/lib/nova
+++ b/lib/nova
@@ -665,6 +665,22 @@ function configure_console_proxies {
 sudo mkdir -p /etc/pki/nova-novnc
 deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
 deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+ # default, and the deploy_int* methods use 'sudo cp' to copy the
+ # files, making them owned by root:root.
+ # Change ownership of everything under /etc/pki/nova-novnc to
+ # $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
+ # the key file.
+ sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
+ # This is needed to enable TLS in the proxy itself, example log:
+ # WebSocket server settings:
+ # - Listen on 0.0.0.0:6080
+ # - Flash security policy server
+ # - Web server (no directory listings). Web root: /usr/share/novnc
+ # - SSL/TLS support
+ # - proxying from 0.0.0.0:6080 to None:None
+ iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem"
+ iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem"
 fi
 fi
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index fcb4777997..463986944f 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -155,9 +155,15 @@ EOF
 echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
 sudo mkdir -p /etc/pki/libvirt-vnc
- sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
 deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
 deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+ # default and the deploy_int* methods use 'sudo cp' to copy the
+ # files, making them owned by root:root.
+ # Change ownership of everything under /etc/pki/libvirt-vnc to
+ # libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key
+ # file.
+ sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
 fi
 fi
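Review bot: The added `sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc` fixes ownership but leaves the key file's mode at whatever the generating OpenSSL produced, so per the commit message client-key.pem is world-readable (644) on a 1.0.2 host and 600 on a 1.1.0 host; adding `sudo chmod 0600 /etc/pki/nova-novnc/client-key.pem` after the chown makes the result independent of the OpenSSL version. The same applies to the `chown -R` added in the functions-libvirt hunk. The expansions in the chown line are unquoted; `sudo chown -R "$STACK_USER:$(id -g "$STACK_USER")" /etc/pki/nova-novnc` is the ShellCheck-clean form. The enclosing function configure_console_proxies begins outside the hunk.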
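Review bot: `sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc` gives the QEMU process user ownership, and therefore write access, of the CA certificate, server certificate and server key, while the comment above it states the need as reading the key file. If read access is all that is required, `sudo chown -R root:libvirt-qemu /etc/pki/libvirt-vnc` followed by `sudo chmod 0640 /etc/pki/libvirt-vnc/server-key.pem` grants it without letting that account replace the certificate material; the removed line shows the directory was previously handed to libvirt-qemu before deployment, so this would be a tightening rather than a restoration of prior behaviour. The enclosing function starts before the hunk, so I cannot see whether anything later relies on libvirt-qemu owning the directory itself.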