[openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

Markus Zoeller mzoeller at linux.vnet.ibm.com
Tue Jul 4 08:54:09 UTC 2017


How do you deal with hosts which have a restrictive umask of 077
*before* openstack-ansible starts the setup? Do you start with the
default umask of 022 and opt-in later to that security hardening[1]?

What's the development policy of openstack-ansible regarding setting
file or directory permissions in tasks?

* is a umask value of 022 assumed for tasks to work?
* should tasks always explicitly set the file/dir mode?
* other options I'm not aware of?

Background
----------
The (internal) folks who gave me the target hosts for openstack-ansible
set the umask to 077 *before* I started the installation and I wasn't
aware of that setting. So I spent some time figuring out why the nginx
server in the repo container can't serve files like the requirements
file "requirements_absolute_requirements.txt"[2] because of file
permissions like this:

    -rw------- 1 root root [...] requirements_absolute_requirements.txt

This also affects the nginx config files (which, for example, set the
'autoindex' behavior, which is needed to serve the python wheels):

    cd /etc/nginx/sites-available/
    ll openstack-slushee.vhost
    -rw------- 1 root root [...] openstack-slushee.vhost

Not sure if that was also the root cause of [3].

References
----------
[1]
https://github.com/openstack/openstack-ansible-security/blob/40c744c86dd7e5e53e88a5ddd7389333a26f92d2/defaults/main.yml#L340-L363
[2]
https://github.com/openstack/openstack-ansible-repo_build/blob/fe3ae20f74a912925d5c78040984957a6d55f9de/tasks/repo_post_build.yml#L43-L46
[3]
https://stackoverflow.com/questions/42286765/using-repo-other-then-pypi-with-pip

-- 
Regards, Markus Zoeller (markus_z)




More information about the OpenStack-dev mailing list