Bug 1839894 (OCPRHV-81-4.5)

Summary: Docs: Add chmod/perm information for CA cert
Product: OpenShift Container Platform
Reporter: Douglas Schilling Landgraf <dougsland>
Component: Installer
Assignee: Rolfe Dlugy-Hegwer <rdlugyhe>
Installer sub component: OpenShift on RHV
QA Contact: Guilherme Santos <gdeolive>
Status: CLOSED CURRENTRELEASE
Docs Contact:
Severity: medium
Priority: medium
CC: hpopal
Version: 4.5
Keywords: Documentation
Target Milestone: ---
Flags: rdlugyhe: needinfo-
       rdlugyhe: needinfo-
Target Release: 4.4.z
Hardware: Unspecified
OS: Unspecified
URL: https://issues.redhat.com/browse/OCPRHV-81
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: OCPRHV-81-4.6
Environment:
Last Closed: 2020-06-05 15:53:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1841384
Bug Blocks:

Description Douglas Schilling Landgraf 2020-05-25 21:05:02 UTC
Description of problem:
------------------------------
OCP on RHV can be executed by a rootless user. However, we must make sure the CA file contains the right permissions.


Bad scenario example:
--------------------------
    User imported the CA /etc/pki/ca-trust/source/anchors/${MYCA}.pem and kept only owner as read/write. 

Example:
    rw-------. root:root  /etc/pki/ca-trust/source/anchors/ca.pem


In that case, root can read the list of trusted CAs with the command trust list, but an ordinary user can't read ca.pem.


What's expected?
--------------------------

In OCP RHV documentation, we should recommend or make a note about the right permissions.


$ sudo chmod 0644 /etc/pki/ca-trust/source/anchors/ca.pem       


Example:
-------------
# cd /etc/pki/ca-trust/source/anchors
# ls -la engine-medogz-home.pem 
-rw-------. 1 root root 1355 May 25 13:24 engine-medogz-home.pem

# trust list | grep engine
    label: engine.medogz.home.52705

^^^^^^^ as root - all good

# sudo su douglas
$ trust list | grep engine
$                             <--------- None, bad



How to fix?
---------------------
$ sudo su -
# cd /etc/pki/ca-trust/source/anchors
# chmod 0644 engine-medogz-home.pem 


How can this affect the OCP installer on RHV?
---------------------------------------
If the CA cert file permissions are wrong, the rootless user won't be able to use it to communicate with the Engine.
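The check the report describes (is the anchor file readable by users other than root?) can be scripted so an installer host can be audited before running the rootless installer. The script below is an added example written for this page; it is not part of the bug report or of the OpenShift installer. It assumes GNU coreutils stat -c (with a BSD stat -f fallback), and the directory argument defaults to the anchors path named in the report. The fix function applies the same chmod 0644 the report recommends.

```shell
#!/bin/sh
# Added example (not from the bug report): audit CA anchor files whose mode
# hides them from non-root users, which is exactly what makes `trust list`
# return nothing for the rootless installer user.
# Assumption: GNU `stat -c` is available; falls back to BSD `stat -f`.

# Print the octal permission bits of a file, e.g. 600 or 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when the "other" read bit is set on the file, 1 otherwise.
is_world_readable() {
    mode=$(file_mode "$1")
    # The last octal digit holds the "other" triplet; bit value 4 is read.
    other=$(printf '%s' "$mode" | tail -c 1)
    [ $(( other & 4 )) -ne 0 ]
}

# List anchor files (.pem/.crt) that are not world-readable, one per line
# as "<mode> <path>". Prints nothing when every anchor is readable.
find_unreadable_anchors() {
    dir=${1:-/etc/pki/ca-trust/source/anchors}
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if ! is_world_readable "$f"; then
            printf '%s %s\n' "$(file_mode "$f")" "$f"
        fi
    done
}

# Apply the permission the report recommends (0644) to every unreadable
# anchor found in the directory. Needs root on the real anchors directory.
fix_anchor_perms() {
    dir=${1:-/etc/pki/ca-trust/source/anchors}
    find_unreadable_anchors "$dir" | while read -r mode path; do
        chmod 0644 "$path"
    done
}

# Usage: find_unreadable_anchors            # audit the default directory
#        sudo sh -c '. ./audit.sh; fix_anchor_perms'
```

Run the audit as the unprivileged user that will invoke the installer; an empty result means every anchor can be read, and a listed file is the one that needs the chmod 0644 from the report.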

Comment 9 Rolfe Dlugy-Hegwer 2020-06-05 14:35:36 UTC
*** Bug 1841384 has been marked as a duplicate of this bug. ***