Set ownership of /etc/pki/<console> files for TLS
OpenSSL 1.0.2 generates key files with default permissions: 644 and the files are copied to the /etc/pki/* directories with sudo. When the default CI node Ubuntu version was changed from Xenial => Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0 generates key files with default permissions: 600. When we copy the key file to /etc/pki/* using sudo, it becomes owned by root and then the console-related users are unable to read it. This sets the ownership of the /etc/pki/<console> files to the user:group intended to read them. Closes-Bug: #1819794 Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
This commit is contained in:
parent
e86a6aa924
commit
e2853bf2d0
16
lib/nova
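--- a/lib/nova
+++ b/lib/nova
@@ -665,6 +665,22 @@ function configure_console_proxies {
 sudo mkdir -p /etc/pki/nova-novnc
 deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
 deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+# OpenSSL 1.1.0 generates the key file with permissions: 600, by
+# default, and the deploy_int* methods use 'sudo cp' to copy the
+# files, making them owned by root:root.
+# Change ownership of everything under /etc/pki/nova-novnc to
+# $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
+# the key file.
+sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
+# This is needed to enable TLS in the proxy itself, example log:
+# WebSocket server settings:
+# - Listen on 0.0.0.0:6080
+# - Flash security policy server
+# - Web server (no directory listings). Web root: /usr/share/novnc
+# - SSL/TLS support
+# - proxying from 0.0.0.0:6080 to None:None
+iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem"
+iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem"
 fi
 fi
 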
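Review bot: The private key's mode still depends on which OpenSSL generated it: the new `sudo chown -R` line fixes ownership, but on a host where the key came out 644 (the OpenSSL 1.0.2 case the commit message describes) client-key.pem stays world-readable after the copy. Tightening it explicitly after the chown, `sudo chmod 0600 /etc/pki/nova-novnc/client-key.pem`, makes the outcome independent of the generator. The expansions in the chown line are also unquoted; `sudo chown -R "$STACK_USER:$(id -g "$STACK_USER")" /etc/pki/nova-novnc` is the ShellCheck-clean form. The libvirt-vnc hunk at line 155 has the same mode dependency for server-key.pem. configure_console_proxies starts before this hunk.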
@ -155,9 +155,15 @@ EOF
|
|||||||
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
|
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
|
||||||
|
|
||||||
sudo mkdir -p /etc/pki/libvirt-vnc
|
sudo mkdir -p /etc/pki/libvirt-vnc
|
||||||
sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
|
|
||||||
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
|
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
|
||||||
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
|
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
|
||||||
|
# OpenSSL 1.1.0 generates the key file with permissions: 600, by
|
||||||
|
# default and the deploy_int* methods use 'sudo cp' to copy the
|
||||||
|
# files, making them owned by root:root.
|
||||||
|
# Change ownership of everything under /etc/pki/libvirt-vnc to
|
||||||
|
# libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key
|
||||||
|
# file.
|
||||||
|
sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
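Review bot: The new `sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc` gives the QEMU service account write access to the CA and server certificates as well as the key, where only read access is needed. Keeping root ownership with the service group, `sudo chown -R root:libvirt-qemu /etc/pki/libvirt-vnc` followed by `sudo chmod 0640 /etc/pki/libvirt-vnc/server-key.pem`, keeps the files readable by libvirt-qemu without letting that account replace them; whether libvirt needs owner access for anything else cannot be told from this hunk, so confirm before changing it. The removed pre-deploy chown on the directory was equivalent in scope, so this is a pre-existing choice the commit carries forward rather than a regression. The enclosing function starts outside this hunk.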