Bug 2116872 - tripleo-container-image-prepare - umask influencing permissions for image-serve manifest directories
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 16.2 (Train)
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-08-09 13:22 UTC by Matt Flusche
Modified: 2022-11-29 21:30 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: Custom umask may break rights on the deployed systems
Consequence: deploy and subsequent actions may be blocked
Workaround (if any): don't set any custom umask on the hosts
Result: not setting custom umask will ensure no weird rights are set on the system, allowing all services to work as expected.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-18128 0 None None None 2022-08-09 14:27:57 UTC

Description Matt Flusche 2022-08-09 13:22:57 UTC
Description of problem:
The user apache needs read access to all files under /var/lib/image-serve/ for undercloud container registry to operate properly.

Although the image-serve code attempts to set file & dir permissions, a system umask setting seems to take priority.

# rpm -qa |grep tripleo-common
python3-tripleo-common-11.7.1-2.20211218004850.173edba.el8ost.noarch
openstack-tripleo-common-11.7.1-2.20211218004850.173edba.el8ost.noarch

Example of setting umask and manually running tripleo-container-image-prepare:

# umask 0027

# /usr/bin/python3 -s /usr/bin/tripleo-container-image-prepare --roles-file /tmp/ansible.1byheh6p-role-data --environment-file /tmp/ansible.obyg7dz8-prepare-param --cleanup partial --log-file /var/log/tripleo-container-image-prepare.log

# ls -l /var/lib/image-serve/v2/rhosp-rhel8/openstack-rsyslog/manifests/
total 4
-rw-r-----. 1 root root 167 Aug  8 18:07 16.2.type-map
drwxr-x---. 2 root root  41 Aug  8 18:07 sha256:941e05e3d08d3bb607cdd5d1ced4cd287c874e9212939aad732cdfcf369230a2

Permissions should be at least: 755 for dirs and 644 for files.

In this specific deployment the umask setting causing issues was in /etc/bashrc.


Version-Release number of selected component (if applicable):
16.2


How reproducible:
100%

Steps to Reproduce:
1. See above
2.
3.

Comment 1 Cédric Jeanneret 2022-08-18 14:28:23 UTC
Moving to Doc.

Custom umask may cause more issues than "just" the image-serve, so we probably should document that umask should be kept to its default value. We can add a note that running "chmod" recursively may take a long time to ensure files/directories are with the correct rights, so we want to avoid that.
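
Added example (not part of the bug report and not tripleo-common code): a Python sketch showing how a mode passed at creation time is still masked by the process umask, reproducing the 750/640 result from the description, together with an audit that lists only the entries below 755/644 and a repair limited to those entries. The directory and file names are constructed for illustration and everything runs in a temporary directory.

```python
import os
import tempfile

DIR_MIN = 0o755   # minimum the report asks for on directories
FILE_MIN = 0o644  # minimum the report asks for on files

def mode_of(path):
    """Permission bits of path, without following symlinks."""
    return os.lstat(path).st_mode & 0o777

def create_under_umask(root, mask):
    """Create a manifest-like dir and file with explicit modes while `mask` is active."""
    old = os.umask(mask)
    try:
        # Constructed layout; the mode argument is ANDed with ~umask by the kernel.
        d = os.path.join(root, "v2", "example-image", "manifests")
        os.makedirs(d, mode=DIR_MIN, exist_ok=True)
        f = os.path.join(d, "example.type-map")
        os.close(os.open(f, os.O_WRONLY | os.O_CREAT, FILE_MIN))
    finally:
        os.umask(old)
    return d, f

def audit(root):
    """Return sorted (relative path, octal mode) for entries below the minimum."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, DIR_MIN) for n in dirnames] + [(n, FILE_MIN) for n in filenames]
        for name, need in entries:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue  # symlink modes are not meaningful on Linux
            if mode_of(p) & need != need:
                bad.append((os.path.relpath(p, root), oct(mode_of(p))))
    return sorted(bad)

def repair(root):
    """Add the missing bits only on entries the audit flags (chmod is not masked by umask)."""
    for rel, _ in audit(root):
        p = os.path.join(root, rel)
        need = DIR_MIN if os.path.isdir(p) else FILE_MIN
        os.chmod(p, mode_of(p) | need)

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    create_under_umask(root, 0o027)
    print("below minimum:", audit(root))
    repair(root)
    print("after repair:", audit(root))
```
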

