Bug 1956739 - Permission for authorized_keys for core user changes from core user to root when changed the pull secret
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Yu Qi Zhang
QA Contact: Michael Nguyen
Depends On:
Reported: 2021-05-04 10:33 UTC by Praveen Kumar
Modified: 2021-05-05 07:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


Description Praveen Kumar 2021-05-04 10:33:52 UTC
Description of problem:
I am testing a single node cluster on AWS, and as soon as I make changes to the pull secret in the openshift-config namespace, it looks like the permission for authorized_keys for the core user changes from the core user to root.

Version-Release number of selected component (if applicable):

How reproducible:
$ oc get nodes
NAME                           STATUS   ROLES           AGE    VERSION
ip-10-0-161-106.ec2.internal   Ready    master,worker   154m   v1.21.0-rc.0+aa1dc1f
$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-------. 1 core core 725 May  4 05:43 authorized_keys
$ cat p.yaml 
apiVersion: v1
data:
  .dockerconfigjson: e30K
kind: Secret
metadata:
  name: pull-secret
  namespace: openshift-config
type: kubernetes.io/dockerconfigjson

$ oc replace -f p.yaml

$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
00-worker                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-ssh                                                                                 3.2.0             3h27m
99-worker-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-worker-ssh                                                                                 3.2.0             3h27m
rendered-master-5914224a56f3aa38bfbe78784bdb13cc   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
rendered-master-fa59496966475b73bfc3b3e23f72b6ea   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-5a4c0b565e51045a8d8c8269d0fd8189   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-fc49c662c5086568ed7c5e5743484ee1   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-r--r--. 1 root root 726 May  4 09:09 authorized_keys

Actual results:
Permission for `authorized_keys` changed from the `core` user to `root`.

Expected results:
Permission should be the same as before (for the core user).

Comment 1 Sinny Kumari 2021-05-04 13:33:47 UTC
This problem is reproducible with any type of MachineConfig you apply. Need to look further whether this is some recent regression or has been there for a while.

Comment 2 Sinny Kumari 2021-05-04 14:48:34 UTC
Checked with 4.7.0-0.nightly-2021-05-01-081439 nightly and seeing same behavior.

Comment 3 Sinny Kumari 2021-05-04 15:11:44 UTC
After looking at the code https://github.com/openshift/machine-config-operator/blob/master/pkg/daemon/update.go#L1696 , it seems MCO is writing the authorized_keys file with default values. As a result, the original file permission is getting updated.

Instead of setting the default file permission and ownership, it should first fetch authorized_keys (if it exists) and then write the file.

This is good to fix asap but shouldn't be a release blocker.
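The write-preserving approach Comment 3 proposes, as an added example that is not the MCO's own code: before rewriting the file, read its current mode and owner and re-apply them; only a file that does not exist yet gets the defaults. The names (Ownership, CurrentOwnership, WritePreserving, Drift) and the RootDefaults value are constructed for this example; RootDefaults mirrors the 0644 root:root result the report observed after the rewrite. Drift is the audit check a post-update job could run on /home/core/.ssh/authorized_keys to catch the regression described above (expected: no differences).

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// Ownership is the on-disk mode and owner of a file.
type Ownership struct {
	Mode fs.FileMode
	UID  int
	GID  int
}

// RootDefaults mirrors what the bug report observed after the rewrite
// (0644 root:root). It is only the fallback for a file that does not exist
// yet. Constructed for this example, not an MCO constant.
var RootDefaults = Ownership{Mode: 0o644, UID: 0, GID: 0}

// CurrentOwnership reads the mode and owner of path. The boolean is false
// when the file does not exist, in which case defaults is returned.
func CurrentOwnership(path string, defaults Ownership) (Ownership, bool, error) {
	fi, err := os.Lstat(path)
	if errors.Is(err, fs.ErrNotExist) {
		return defaults, false, nil
	}
	if err != nil {
		return Ownership{}, false, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return Ownership{}, false, fmt.Errorf("no unix stat data for %s", path)
	}
	return Ownership{Mode: fi.Mode().Perm(), UID: int(st.Uid), GID: int(st.Gid)}, true, nil
}

// WritePreserving replaces the content of path while keeping the mode and
// owner the file already has; a brand-new file gets defaults. The write goes
// through a temporary file in the same directory plus a rename, so sshd never
// reads a half-written authorized_keys. Returns the ownership applied.
func WritePreserving(path string, content []byte, defaults Ownership) (Ownership, error) {
	want, _, err := CurrentOwnership(path, defaults)
	if err != nil {
		return Ownership{}, err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".tmp-*")
	if err != nil {
		return Ownership{}, err
	}
	tmpName := tmp.Name()
	fail := func(e error) (Ownership, error) {
		tmp.Close()
		os.Remove(tmpName)
		return Ownership{}, e
	}
	if _, err := tmp.Write(content); err != nil {
		return fail(err)
	}
	if err := tmp.Chmod(want.Mode); err != nil {
		return fail(err)
	}
	// CreateTemp makes the file as the current process owner; chown only when
	// the wanted owner differs, so a run on a file the caller already owns
	// does not need CAP_CHOWN.
	have, _, err := CurrentOwnership(tmpName, want)
	if err != nil {
		return fail(err)
	}
	if have.UID != want.UID || have.GID != want.GID {
		if err := os.Chown(tmpName, want.UID, want.GID); err != nil {
			return fail(err)
		}
	}
	if err := tmp.Close(); err != nil {
		return fail(err)
	}
	if err := os.Rename(tmpName, path); err != nil {
		return fail(err)
	}
	return want, nil
}

// Drift lists the differences between the ownership recorded before a write
// and the ownership observed afterwards; an empty result means nothing changed.
func Drift(before, after Ownership) []string {
	var out []string
	if before.Mode != after.Mode {
		out = append(out, fmt.Sprintf("mode %04o -> %04o", uint32(before.Mode), uint32(after.Mode)))
	}
	if before.UID != after.UID {
		out = append(out, fmt.Sprintf("uid %d -> %d", before.UID, after.UID))
	}
	if before.GID != after.GID {
		out = append(out, fmt.Sprintf("gid %d -> %d", before.GID, after.GID))
	}
	return out
}

func main() {
	dir, err := os.MkdirTemp("", "sshdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "authorized_keys")
	// Constructed pre-existing file: 0600, owned by the running user (stand-in for core:core).
	if err := os.WriteFile(path, []byte("ssh-ed25519 AAAAexample core@example\n"), 0o600); err != nil {
		panic(err)
	}
	before, _, _ := CurrentOwnership(path, RootDefaults)
	after, err := WritePreserving(path, []byte("ssh-ed25519 AAAAupdated core@example\n"), RootDefaults)
	if err != nil {
		panic(err)
	}
	fmt.Println("drift:", Drift(before, after))
}
```

Run it as an unprivileged user: the existing file keeps 0600 and its owner, so Drift reports nothing. With the old behaviour (always applying RootDefaults) the same audit would report "mode 0600 -> 0644", "uid N -> 0" and "gid N -> 0", which is exactly the ls -l difference shown in the description.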
