
Merge "Set ownership of /etc/pki/<console> files for TLS"

Zuul authored on 2019/03/26 17:07:26
Showing 2 changed files
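--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -674,6 +674,22 @@ function configure_console_proxies {
             sudo mkdir -p /etc/pki/nova-novnc
             deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
             deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+            # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+            # default, and the deploy_int* methods use 'sudo cp' to copy the
+            # files, making them owned by root:root.
+            # Change ownership of everything under /etc/pki/nova-novnc to
+            # $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
+            # the key file.
+            sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
+            # This is needed to enable TLS in the proxy itself, example log:
+            # WebSocket server settings:
+            #   - Listen on 0.0.0.0:6080
+            #   - Flash security policy server
+            #   - Web server (no directory listings). Web root: /usr/share/novnc
+            #   - SSL/TLS support
+            #   - proxying from 0.0.0.0:6080 to None:None
+            iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem"
+            iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem"
         fi
     fi
 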
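Review bot: The recursive `sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc` hands the directory and ca-cert.pem to $STACK_USER as well, although the comment right above it says only the key file needs to become readable; if the directory was created with the usual owner-writable mode, any process running as $STACK_USER can now replace the CA certificate in place. The comment also relies on OpenSSL's default 600 mode for the key instead of setting it, so the key's permissions depend on whichever generator happened to produce it. A narrower form is `sudo chown $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc/client-key.pem` followed by `sudo chmod 0600 /etc/pki/nova-novnc/client-key.pem`, which leaves the directory and both certificates root-owned and readable. In a single-user devstack this is largely hygiene, since the proxy presumably runs as $STACK_USER anyway, but it keeps the trust anchor out of the service account's hands. configure_console_proxies begins before the hunk and appears to continue past it.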
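--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -155,9 +155,15 @@ EOF
             echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
 
             sudo mkdir -p /etc/pki/libvirt-vnc
-            sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
             deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
             deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+            # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+            # default and the deploy_int* methods use 'sudo cp' to copy the
+            # files, making them owned by root:root.
+            # Change ownership of everything under /etc/pki/libvirt-vnc to
+            # libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key
+            # file.
+            sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
         fi
     fi
 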
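Review bot: Replacing the earlier directory-only chown with `sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc` gives the qemu service account ownership of ca-cert.pem and of the directory itself, not only the key it has to read; the `vnc_tls_x509_verify = 1` line at the top of the hunk, as I read the QEMU option, makes that CA the anchor for verifying VNC clients, so a process running as libvirt-qemu could now replace the certificate it is verified against. Restricting the change to the key keeps the trust anchor root-owned: `sudo chown root:libvirt-qemu /etc/pki/libvirt-vnc/server-key.pem` and `sudo chmod 0640 /etc/pki/libvirt-vnc/server-key.pem`, with the CA and server certificate left root-owned and readable. The hard-coded libvirt-qemu user and group predate this change but are distribution-specific, so the recursive form fails on hosts where that account does not exist, exactly as the removed line would have. The enclosing if block and its function begin before the hunk.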