OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.
When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.
This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.
Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
@@ -665,6 +665,22 @@ function configure_console_proxies {
|
| 665 | 665 |
sudo mkdir -p /etc/pki/nova-novnc |
| 666 | 666 |
deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem |
| 667 | 667 |
deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem |
| 668 |
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by |
|
| 669 |
+ # default, and the deploy_int* methods use 'sudo cp' to copy the |
|
| 670 |
+ # files, making them owned by root:root. |
|
| 671 |
+ # Change ownership of everything under /etc/pki/nova-novnc to |
|
| 672 |
+ # $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
|
|
| 673 |
+ # the key file. |
|
| 674 |
+ sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
|
|
| 675 |
+ # This is needed to enable TLS in the proxy itself, example log: |
|
| 676 |
+ # WebSocket server settings: |
|
| 677 |
+ # - Listen on 0.0.0.0:6080 |
|
| 678 |
+ # - Flash security policy server |
|
| 679 |
+ # - Web server (no directory listings). Web root: /usr/share/novnc |
|
| 680 |
+ # - SSL/TLS support |
|
| 681 |
+ # - proxying from 0.0.0.0:6080 to None:None |
|
| 682 |
+ iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem" |
|
| 683 |
+ iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem" |
|
| 668 | 684 |
fi |
| 669 | 685 |
fi |
| 670 | 686 |
|
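Review bot: The new `sudo chown -R` line fixes ownership but leaves the key's mode untouched, so on a node where OpenSSL still emits the key with 644 (the case the commit message itself describes for 1.0.2) client-key.pem stays world-readable after the copy; the ownership fix should be paired with an explicit mode so the result is the same across OpenSSL versions: `sudo chmod 0600 /etc/pki/nova-novnc/client-key.pem`. The `-R` also hands `$STACK_USER` ownership of ca-cert.pem and client-cert.pem, not just the key, which presumably is acceptable for a devstack-owned node but is wider than the comment above it ("so that $STACK_USER can read the key file") states; chowning only the key file, or at least noting in the comment that the whole directory becomes user-owned, would keep the comment accurate. The expansions on that line are unquoted; `sudo chown -R "$STACK_USER:$(id -g "$STACK_USER")" /etc/pki/nova-novnc` is the safe form, and note that `id -g` silently falls back to the current user's group if `$STACK_USER` is empty. configure_console_proxies begins and ends outside this hunk.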
@@ -155,9 +155,15 @@ EOF |
| 155 | 155 |
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF |
| 156 | 156 |
|
| 157 | 157 |
sudo mkdir -p /etc/pki/libvirt-vnc |
| 158 |
- sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc |
|
| 159 | 158 |
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem |
| 160 | 159 |
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem |
| 160 |
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by |
|
| 161 |
+ # default and the deploy_int* methods use 'sudo cp' to copy the |
|
| 162 |
+ # files, making them owned by root:root. |
|
| 163 |
+ # Change ownership of everything under /etc/pki/libvirt-vnc to |
|
| 164 |
+ # libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key |
|
| 165 |
+ # file. |
|
| 166 |
+ sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc |
|
| 161 | 167 |
fi |
| 162 | 168 |
fi |
| 163 | 169 |
|
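Review bot: Replacing the pre-existing `chown libvirt-qemu:libvirt-qemu` on the directory with a recursive chown after the copy makes the QEMU service account the owner of the CA cert, the server cert and the server key, so that account can rewrite or re-mode the files it is only meant to read; the narrower fix is to keep the files root-owned and grant read access through the group, e.g. `sudo chown root:libvirt-qemu /etc/pki/libvirt-vnc /etc/pki/libvirt-vnc/*.pem` followed by `sudo chmod 0640 /etc/pki/libvirt-vnc/server-key.pem` (assuming QEMU runs with that primary group, which this hunk does not show — worth confirming against the distro's libvirt packaging). As in the commit message's own account, an OpenSSL 1.0.2 node copies the key as 644, and nothing in the hunk tightens it, so the chmod is needed for the mode to be consistent regardless of which OpenSSL generated the key. The enclosing function starts outside this hunk.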