When deploying an overcloud with Director, it was found that the ceph client keyring is created world-readable, potentially allowing local attackers to read or modify data of guests. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1462657
Acknowledgments: Name: Katuya Kawakami (NEC)
Mitigation: To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes:

key=/etc/ceph/ceph.client.openstack.keyring
chown root:root $key
chmod 600 $key
setfacl -m u:glance:r $key
setfacl -m u:cinder:r $key
setfacl -m u:nova:r $key
setfacl -m u:gnocchi:r $key

If not using Red Hat OpenStack Platform director, then run the commands above manually on each overcloud node.

Warning: Only running 'chmod 600 $key' alone (without an ACL) will prevent OpenStack from reading the key.

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/advanced_overcloud_customization/#sect-Customizing_Overcloud_PostConfiguration_All
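The following script is an added example, not part of the bug report or of the Red Hat post-deploy documentation. It wraps the mitigation above in two functions: a check that reports whether a file grants any permission to "other" (the world-readable state the flaw describes), and a hardening step that applies the chown/chmod/setfacl sequence. The function names, the skipping of service users that do not exist on the host, and the demo on a constructed temporary file standing in for /etc/ceph/ceph.client.openstack.keyring are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU stat and, on a real
# overcloud node, the acl package providing setfacl.

# Return 0 if the file's "other" permission bits are non-zero, i.e. any
# local user can read, write or execute it.
is_world_accessible() {
    mode=$(stat -c '%a' "$1") || return 2      # octal mode, e.g. 644
    other=$(printf '%s' "$mode" | tail -c 1)   # last digit is "other"
    [ "$other" != "0" ]
}

# Apply the mitigation from the bug: owner root, mode 600, then per-user
# read ACLs so the OpenStack services can still open the keyring.
# chmod 600 alone would lock the services out, which is why the ACLs follow.
harden_keyring() {
    key=$1; shift
    chown root:root "$key" 2>/dev/null || true  # needs root; a no-op otherwise
    chmod 600 "$key" || return 1
    for u in "$@"; do
        # Assumption for this example: skip users absent on this host so the
        # demo runs on a machine without the OpenStack service accounts.
        if getent passwd "$u" >/dev/null 2>&1; then
            setfacl -m "u:$u:r" "$key" || return 1
        fi
    done
}

# Demo on a constructed temp file that reproduces the world-readable state,
# then hardens it. Prints "<before> <after>", expected "yes no".
demo() {
    tmp=$(mktemp)
    printf '[client.openstack]\n\tkey = CONSTRUCTED_PLACEHOLDER_KEY\n' > "$tmp"
    chmod 644 "$tmp"                            # the state the bug describes
    before=$(is_world_accessible "$tmp" && echo yes || echo no)
    harden_keyring "$tmp" glance cinder nova gnocchi
    after=$(is_world_accessible "$tmp" && echo yes || echo no)
    rm -f "$tmp"
    echo "$before $after"
}

# Real usage (as root on an overcloud node):
#   harden_keyring /etc/ceph/ceph.client.openstack.keyring glance cinder nova gnocchi
demo
```

Running is_world_accessible against the real keyring path is a quick way to confirm, after deployment, that the post-deploy script actually took effect on every node; getfacl on the same file shows the per-service read entries that keep Glance, Cinder, Nova and Gnocchi working.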
Created openstack-tripleo-heat-templates tracking bugs for this issue: Affects: openstack-rdo [bug 1493311]
Upstream: https://bugs.launchpad.net/tripleo/+bug/1720787
puppet-tripleo: https://review.openstack.org/519531
tripleo-heat-templates: https://review.openstack.org/508975 https://review.openstack.org/522024
In reply to comment 13: I reformatted the security part of the erratum to meet the new criteria. Thanks for the heads up.
Thanks Jason. Will do, and will pass on to the team. Thanks!
This issue has been addressed in the following products: Red Hat OpenStack Platform 12.0 (Pike) Via RHSA-2018:0602 https://access.redhat.com/errata/RHSA-2018:0602
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2018:1593 https://access.redhat.com/errata/RHSA-2018:1593
This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2018:1627 https://access.redhat.com/errata/RHSA-2018:1627