Bug 2116872

Summary: tripleo-container-image-prepare - umask influencing permissions for image-serve manifest directories
Product: Red Hat OpenStack
Reporter: Matt Flusche <mflusche>
Component: documentation
Assignee: RHOS Documentation Team <rhos-docs>
Status: NEW
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high
Priority: high
Version: 16.2 (Train)
CC: astillma, cjeanner, mburns, slinaber
Keywords: Documentation
Hardware: x86_64
OS: Linux
Type: Bug
Doc Type: Known Issue
Doc Text:
Cause: Custom umask may break rights on the deployed systems
Consequence: deploy and subsequent actions may be blocked
Workaround (if any): don't set any custom umask on the hosts
Result: not setting custom umask will ensure no weird rights are set on the system, allowing all services to work as expected.

Description Matt Flusche 2022-08-09 13:22:57 UTC
Description of problem:
The user apache needs read access to all files under /var/lib/image-serve/ for undercloud container registry to operate properly.

Although the image-serve code attempts to set file & dir permissions, a system umask setting seems to take priority.

# rpm -qa |grep tripleo-common
python3-tripleo-common-11.7.1-2.20211218004850.173edba.el8ost.noarch
openstack-tripleo-common-11.7.1-2.20211218004850.173edba.el8ost.noarch

Example of setting umask and manually running tripleo-container-image-prepare:

# umask 0027

# /usr/bin/python3 -s /usr/bin/tripleo-container-image-prepare --roles-file /tmp/ansible.1byheh6p-role-data --environment-file /tmp/ansible.obyg7dz8-prepare-param --cleanup partial --log-file /var/log/tripleo-container-image-prepare.log

# ls -l /var/lib/image-serve/v2/rhosp-rhel8/openstack-rsyslog/manifests/
total 4
-rw-r-----. 1 root root 167 Aug  8 18:07 16.2.type-map
drwxr-x---. 2 root root  41 Aug  8 18:07 sha256:941e05e3d08d3bb607cdd5d1ced4cd287c874e9212939aad732cdfcf369230a2

Permissions should be at least: 755 for dirs and 644 for files.

In this specific deployment the umask setting causing issues was in /etc/bashrc


Version-Release number of selected component (if applicable):
16.2


How reproducible:
100%

Steps to Reproduce:
1. See above

Comment 1 Cédric Jeanneret 2022-08-18 14:28:23 UTC
Moving to Doc.

Custom umask may cause more issues than "just" the image-serve, so we probably should document that umask should be kept to its default value. We can add a note that running "chmod" recursively may take a long time to ensure files/directories are with the correct rights, so we want to avoid that.
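
The umask effect described in this report, and a check an operator could run for it, as an added example (not tripleo-common's code and not written by the bug's participants). It builds a constructed manifest-style layout in a temporary directory under a given umask, lists entries below the 755/644 minimum stated in the description, and adds the missing bits with an explicit chmod, which the umask does not affect. The function names and the directory layout are assumptions.

```python
import os
import stat
import tempfile

def build_tree(root, umask):
    """Create a manifest-style layout under `umask`, asking for 755 dirs / 644 files."""
    old = os.umask(umask)
    try:
        # Constructed sample path, shaped like /var/lib/image-serve/v2/<ns>/<image>/manifests
        manifests = os.path.join(root, "v2", "example-ns", "example-image", "manifests")
        os.makedirs(manifests, mode=0o755)  # requested mode is ANDed with ~umask
        fd = os.open(os.path.join(manifests, "tag.type-map"),
                     os.O_WRONLY | os.O_CREAT, 0o644)  # same masking applies
        os.close(fd)
    finally:
        os.umask(old)  # always restore the caller's umask
    return os.path.join(root, "v2")

def entries(top):
    """Yield (path, is_dir) for every directory and file under `top`."""
    for dirpath, _dirs, files in os.walk(top):
        yield dirpath, True
        for name in files:
            yield os.path.join(dirpath, name), False

def audit(top):
    """Return {path: mode} for entries missing any bit of 755 (dirs) or 644 (files)."""
    bad = {}
    for path, is_dir in entries(top):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        wanted = 0o755 if is_dir else 0o644
        if mode & wanted != wanted:
            bad[path] = oct(mode)
    return bad

def repair(top):
    """Add the missing bits with chmod; unlike creation modes, chmod ignores the umask."""
    for path, is_dir in entries(top):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode | (0o755 if is_dir else 0o644))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        top = build_tree(root, 0o027)
        for path, mode in sorted(audit(top).items()):
            print(mode, os.path.relpath(path, root))
        repair(top)
        print("after repair:", audit(top))
```
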