Description of problem:
I am testing the single node cluster on aws and as soon as I am making changes in the pull secret for openshift-config namespace, looks like the permission for authorized_keys for core user changes from core user to root

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-04-30-201824

How reproducible:
```
$ oc get nodes
NAME                           STATUS   ROLES           AGE    VERSION
ip-10-0-161-106.ec2.internal   Ready    master,worker   154m   v1.21.0-rc.0+aa1dc1f

$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-------. 1 core core 725 May  4 05:43 authorized_keys

$ cat p.yaml
apiVersion: v1
data:
  .dockerconfigjson: e30K
kind: Secret
metadata:
  name: pull-secret
  namespace: openshift-config
type: kubernetes.io/dockerconfigjson

$ oc replace -f p.yaml

$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
00-worker                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-ssh                                                                                 3.2.0             3h27m
99-worker-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-worker-ssh                                                                                 3.2.0             3h27m
rendered-master-5914224a56f3aa38bfbe78784bdb13cc   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
rendered-master-fa59496966475b73bfc3b3e23f72b6ea   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-5a4c0b565e51045a8d8c8269d0fd8189   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-fc49c662c5086568ed7c5e5743484ee1   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m

$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-r--r--. 1 root root 726 May  4 09:09 authorized_keys
```

Actual results:
Permission for `authorized_keys` changed to `root` from `core` user.

Expected results:
Permission should be same as before (for core user)
This problem is reproducible with any type of MachineConfig you apply. Need to look further whether this is some recent regression or has been there for a while.
Checked with 4.7.0-0.nightly-2021-05-01-081439 nightly and seeing the same behavior.
After looking at code https://github.com/openshift/machine-config-operator/blob/master/pkg/daemon/update.go#L1696 , it seems MCO is writing the authorized_keys file with default values. As a result, the original file permission is getting updated. Instead of setting default file permission and ownership, it should first fetch authorized_keys (if it exists) and then write the file. This is good to fix asap but shouldn't be a release blocker.
Fwiw, using `root.root` as the default permissions for /home/core/.ssh/authorized_keys seems unexpected? I'd expect files in /home/core to be owned by `core.core` by default. Or is this some kind of protection to try to prevent users from modifying this file directly?
Verified using image registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2021-10-30-025206

Before updating the pull-secret
```
sh-4.4# ls -alrth /home/core/.ssh/authorized_keys
-rw-------. 1 core core 405 Nov  3 10:13 /home/core/.ssh/authorized_keys
```

After updating the pull-secret
```
sh-4.4# ls -larth /home/core/.ssh/authorized_keys
-rw-------. 1 core core 405 Nov  3 11:31 /home/core/.ssh/authorized_keys
```

The authorized keys had the right user and permissions. Moved to VERIFIED status.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056