Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2236085

Summary: [17.1] Applying OpenStackDeploy results in ssh permission errors when pulling from git repository
Product: Red Hat OpenStack
Reporter: Joseph Salibi <jsalibi>
Component: osp-director-operator-container
Assignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 16.2 (Train)
CC: jschluet, mschuppe, owalsh
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: osp-director-operator-container-1.3.1-12
Doc Type: If docs needed, set a value
Clone Of:
: 2237993
Last Closed: 2024-01-16 16:25:01 UTC
Type: Bug
Bug Blocks: 2237993

Description Joseph Salibi 2023-08-30 09:47:49 UTC
Description of problem:
Execution / re-execution / updates of deployments via applying an OpenStackDeploy results in a permission error on the config file in the ~/.ssh directory for the cloud-admin user:
```
Cloning into '/home/cloud-admin/work/n5cbh54ch697h57bh56h664h648hbdh696h5ddh94h8fh67h59fh685h594hdbh65h57bh5f7h68dh559hb6hddh5bh588h75h695h5d7h5f4hch56q/playbooks'...
Bad owner or permissions on /home/cloud-admin/.ssh/config

fatal: Could not read from remote repository.
```

Viewing the files shows that write permissions were added to the contents of the ~/.ssh directory for user cloud-admin:

```
-rw-rw-r--.  1 cloud-admin cloud-admin   56 Jul 16 23:33 config
```

Version-Release number of selected component (if applicable):
director operator bundle 1.13.0-17

How reproducible:
Not certain, but likely every run after the initial OpenStackDeploy; however, most noted after a failed OpenStackDeploy and a fresh OpenStackDeploy is created.

Steps to Reproduce:
1. Create an OpenStackDeploy
2. Update OpenStackConfigGenerator and apply it (may or may not need to inject a failure into the config)
3. Apply OpenStackDeploy with updated config hash
4. Error seen in OpenStackDeploy log

Actual results:
```
I0824 05:03:45.169456       1 deploy.go:323] Running deploy command.
sudo: unable to send audit message: Operation not permitted
sudo: unable to send audit message: Operation not permitted
Cloning into '/home/cloud-admin/work/n5cbh54ch697h57bh56h664h648hbdh696h5ddh94h8fh67h59fh685h594hdbh65h57bh5f7h68dh559hb6hddh5bh588h75h695h5d7h5f4hch56q/playbooks'...
Bad owner or permissions on /home/cloud-admin/.ssh/config

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
panic: command terminated with exit code 128
```

Write permissions on group were added to the contents of the ~/.ssh directory for user cloud-admin:

```
sh-4.4$ ls -lah
total 24K
drwxrwsr-x.  2 cloud-admin cloud-admin 4.0K Jul 11 15:09 .
drwxrwsr-x. 12 root        cloud-admin 4.0K Jul 18 10:15 ..
-rw-rw-r--.  1 cloud-admin cloud-admin   56 Jul 16 23:33 config
-rw-------.  1 cloud-admin cloud-admin 3.2K Jul 16 23:33 id_rsa
-rw-rw-r--.  1 cloud-admin cloud-admin  725 Jul 16 23:33 id_rsa.pub
-rw-rw-r--.  1 cloud-admin cloud-admin  744 Jul 11 15:24 known_hosts
sh-4.4$
```

Expected results:
Completion of OpenStackDeploy and NO write permissions on group were added to the contents of the ~/.ssh directory for user cloud-admin:

```
sh-4.4$ ls -lah
total 24K
drwxrwsr-x.  2 cloud-admin cloud-admin 4.0K Jul 11 15:09 .
drwxrwsr-x. 12 root        cloud-admin 4.0K Jul 18 10:15 ..
-rw-r--r--.  1 cloud-admin cloud-admin   56 Jul 16 23:33 config
-rw-------.  1 cloud-admin cloud-admin 3.2K Jul 16 23:33 id_rsa
-rw-r--r--.  1 cloud-admin cloud-admin  725 Jul 16 23:33 id_rsa.pub
-rw-r--r--.  1 cloud-admin cloud-admin  744 Jul 11 15:24 known_hosts
sh-4.4$
```


Additional info:
Devs noted the following Kubernetes behaviour may be the culprit:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
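
The check behind the `Bad owner or permissions` error in the description, as an added example that is not part of the original report or of the operator's code: OpenSSH refuses a per-user config file that is group- or other-writable, or that is owned by anyone other than the user or root. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not operator code). Function names are hypothetical.
# Assumes GNU stat (coreutils), as found in RHEL-based images.

# Return 0 if FILE passes the owner/mode test OpenSSH applies to a
# per-user config file, 1 if it would be rejected, 2 if stat fails.
ssh_config_perm_ok() {
    file=$1
    # %a = octal mode, %u = numeric owner uid
    out=$(stat -c '%a %u' "$file") || return 2
    mode=${out% *}
    owner=${out#* }
    # Owner must be root or the invoking user.
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$(id -u)" ]; then
        return 1
    fi
    # 022 masks the group-write and other-write bits.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Report every regular file in DIR that fails the test above.
# Only `config` produces the fatal error shown in this report; the other
# files are listed for comparison with the expected `ls` output.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! ssh_config_perm_ok "$f"; then
            printf 'rejected by owner/mode test: %s (%s)\n' \
                "$f" "$(stat -c '%A' "$f")"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh check_ssh_perms.sh /home/cloud-admin/.ssh
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
    exit $?
fi
```
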

Comment 8 errata-xmlrpc 2024-01-16 16:25:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Updated Red Hat OpenStack Platform 17.1.2 director Operator container images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0263