Description of problem:
in a containerized deployment of Ceph the permissions are set wrong, enabling all users in the OS to read ceph.mgr keyrings:

-rw-------. 1 ceph ceph 161 Jul 18 19:04 ceph.client.admin.keyring
-rw-------. 1 ceph ceph 268 Jul 18 19:12 ceph.client.manila.keyring
-rw-------. 1 ceph ceph 253 Jul 18 19:12 ceph.client.openstack.keyring
-rw-------. 1 ceph ceph 134 Jul 18 19:12 ceph.client.radosgw.keyring
-rw-r--r--. 1 root root 1546 Jul 18 19:04 ceph.conf
-rw-r--r--. 1 root root 67 Jul 18 19:05 ceph.mgr.controller-0.keyring
-rw-r--r--. 1 root root 67 Jul 18 19:05 ceph.mgr.controller-1.keyring
-rw-r--r--. 1 root root 67 Jul 18 19:04 ceph.mgr.controller-2.keyring
-rw-------. 1 ceph ceph 690 Jul 18 19:04 ceph.mon.keyring
-rw-r--r--. 1 root root 92 Aug 3 2018 rbdmap

With a non containerized deployment the permissions are different:

-rw-------. 1 ceph ceph 63 Jul 17 11:50 ceph.client.admin.keyring
-rw-r--r--. 1 ceph ceph 997 Jul 17 11:49 ceph.conf
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver1.keyring
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver2.keyring
-rw-------. 1 ceph ceph 139 Jul 18 12:22 ceph.mgr.cephserver3.keyring
-rw-r--r--. 1 root root 92 Apr 25 17:34 rbdmap

Version-Release number of selected component (if applicable):
ceph-ansible-3.2.15-1.el7cp.noarch

How reproducible:
unknown

Steps to Reproduce:
1. Deploy containerized ceph with TripleO in the Overcloud

Actual results:
The permissions are too permissive

Expected results:
The permissions should be only rw to the ceph user

Additional info:

Created attachment 1635197
Ansible logs

Hi,
I tried with ceph-ansible-3.2.34-1.el7cp.noarch. The issue is still seen.

#ls -la /etc/ceph/
-rw-r--r--. 1 root root 447 Nov 11 16:12 ceph.conf
-rw-r--r--. 1 root root 139 Nov 12 05:14 ceph.mgr.magna124.keyring
-rw-r--r--. 1 root root 139 Nov 12 05:14 ceph.mgr.magna125.keyring
-rw-r--r--. 1 root root 139 Nov 12 05:14 ceph.mgr.magna126.keyring
-rw-------. 1 167 167 690 Nov 11 16:12 ceph.mon.keyring

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:4353
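
An added example, not part of the original report or of ceph-ansible: a shell check that lists keyring files whose mode grants anything to group or other, which is the condition the listings above show for the ceph.mgr.* keyrings. It checks the mode only, not ownership; the function names and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Ceph keyrings that are accessible to group or other.

# Print every *.keyring directly under $1 (default /etc/ceph) that has any
# group/other permission bit set, i.e. anything beyond owner-only (0600).
# Exit status: 0 = none exposed, 1 = at least one exposed, 2 = bad directory.
find_exposed_keyrings() {
    dir=${1:-/etc/ceph}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # POSIX "-perm -MODE" tests one bit at a time; OR them to cover mask 077.
    exposed=$(find "$dir" -maxdepth 1 -type f -name '*.keyring' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) | sort)
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed"
    return 1
}

# Constructed sample: a scratch directory using the modes from the
# containerized listing (mgr keyrings 0644, other keyrings 0600).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for f in ceph.client.admin.keyring ceph.mon.keyring; do
        : > "$d/$f" && chmod 600 "$d/$f"
    done
    for f in ceph.mgr.controller-0.keyring ceph.mgr.controller-1.keyring; do
        : > "$d/$f" && chmod 644 "$d/$f"
    done
    : > "$d/ceph.conf" && chmod 644 "$d/ceph.conf"   # not a keyring: ignored
    echo "$d"
}

# Stand-alone use: sh check_keyrings.sh /etc/ceph
if [ "$#" -gt 0 ]; then
    find_exposed_keyrings "$1"
    exit $?
fi
```

A non-zero exit status makes the check usable as a post-deployment gate on each node.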