How do you deal with hosts which have a restrictive umask of 077
*before* openstack-ansible starts the setup? Do you start with the
default umask of 022 and opt-in later to that security hardening[1]?

What's the development policy of openstack-ansible regarding setting
file or directory permissions in tasks?

* is a umask value of 022 assumed for tasks to work?
* should tasks always explicitly set the file/dir mode?
* other options I'm not aware of?

Background
----------
The (internal) folks who gave me the target hosts for openstack-ansible
set the umask to 077 *before* I started the installation and I wasn't
aware of that setting. So I spent some time figuring out why the nginx
server in the repo container can't serve files like the requirements
file "requirements_absolute_requirements.txt"[2] because of file
permissions like this:

    -rw------- 1 root root [...] requirements_absolute_requirements.txt

This also affects the nginx config files (which, for example, set the
'autoindex' behavior, which is needed to serve the python wheels):

    cd /etc/nginx/sites-available/
    ll openstack-slushee.vhost
    -rw------- 1 root root [...] openstack-slushee.vhost

Not sure if that was also the root cause of [3].

References
----------
[1] https://github.com/openstack/openstack-ansible-security/blob/40c744c86dd7e5e53e88a5ddd7389333a26f92d2/defaults/main.yml#L340-L363
[2] https://github.com/openstack/openstack-ansible-repo_build/blob/fe3ae20f74a912925d5c78040984957a6d55f9de/tasks/repo_post_build.yml#L43-L46
[3] https://stackoverflow.com/questions/42286765/using-repo-other-then-pypi-with-pip

--
Regards, Markus Zoeller (markus_z)
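
Added example, not part of the original message and not openstack-ansible code: a shell sketch of the effect described above. It shows the mode a file gets when created without an explicit mode under umask 077 versus 022, the same file with an explicit mode, and a check for entries a server process that is not the file owner could not read. The function names and temporary directories are assumptions; only the file name comes from the post.

```shell
#!/bin/sh
# Constructed demo: everything happens in throwaway temp directories.
FILE=requirements_absolute_requirements.txt   # file name taken from the post

# Create FILE under umask $1 without setting a mode; print its permission
# string in the same form as the `ls -l` output quoted in the post.
mode_under_umask() {
    ( umask "$1"
      d=$(mktemp -d) || exit 1
      : > "$d/$FILE"
      ls -ld "$d/$FILE" | cut -c1-10
      rm -rf "$d" )
}

# Same, but with the mode $2 set explicitly after creation, which is what
# a task that states its file mode ends up doing regardless of the umask.
mode_explicit() {
    ( umask "$1"
      d=$(mktemp -d) || exit 1
      : > "$d/$FILE"
      chmod "$2" "$d/$FILE"
      ls -ld "$d/$FILE" | cut -c1-10
      rm -rf "$d" )
}

# List entries below directory $1 that a process running as neither the
# owner nor the group could not serve: files without the "other" read bit,
# directories without "other" read and search bits.
unreadable_by_others() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

echo "umask 077, no mode set:  $(mode_under_umask 077)"
echo "umask 022, no mode set:  $(mode_under_umask 022)"
echo "umask 077, mode 0644:    $(mode_explicit 077 0644)"
```

Running `unreadable_by_others` over a served directory tree lists every entry whose mode was inherited from a restrictive umask.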