[openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

Markus Zoeller mzoeller at linux.vnet.ibm.com
Tue Jul 4 08:54:09 UTC 2017

How do you deal with hosts which have a restrictive umask of 077
*before* openstack-ansible starts the setup? Do you start with the
default umask of 022 and opt-in later to that security hardening[1]?

What's the development policy of openstack-ansible regarding setting
file or directory permissions in tasks?

* is a umask value of 022 assumed for tasks to work?
* should tasks always explicitly set the file/dir mode?
* other options I'm not aware of?

The (internal) folks who gave me the target hosts for openstack-ansible
set the umask to 077 *before* I started the installation and I wasn't
aware of that setting. So I spent some time figuring out why the nginx
server in the repo container can't serve files like the requirements
file "requirements_absolute_requirements.txt"[2] because of file
permissions like this:

    -rw------- 1 root root [...] requirements_absolute_requirements.txt

This also affects the nginx config files (which, for example, set the
'autoindex' behavior, which is needed to serve the python wheels):

    cd /etc/nginx/sites-available/
    ll openstack-slushee.vhost
    -rw------- 1 root root [...] openstack-slushee.vhost

Not sure if that was also the root cause of [3].


Regards, Markus Zoeller (markus_z)
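
Added example, not part of the original message and not openstack-ansible code: a shell sketch of the two questions raised above, showing that a file created without an explicit mode inherits the umask (0600 under 077), that one created with an explicit mode does not, and how to list what a non-owner process such as a web server worker cannot read. The function names and the temporary directory are assumptions made for illustration; the real repo container paths are not used.

```shell
#!/bin/sh
# Added example: works on a throwaway temp directory, not the real paths.

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Create a file the way a task without an explicit mode does:
# the resulting mode is 0666 masked by the umask in effect.
create_implicit() {   # $1 = umask, $2 = path
    ( umask "$1"; : > "$2" )
}

# Create a file with an explicit mode; install(1) sets the mode on the
# target itself, so the result does not depend on the caller's umask.
create_explicit() {   # $1 = umask, $2 = mode, $3 = path
    ( umask "$1"; install -m "$2" /dev/null "$3" )
}

# List what a non-owner process cannot serve under a directory:
# files without o+r and directories without o+rx.
find_unservable() {
    find "$1" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \)
}

demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"                      # mktemp -d creates 0700
    create_implicit 077 "$d/implicit_077.txt"
    create_implicit 022 "$d/implicit_022.txt"
    create_explicit 077 0644 "$d/explicit_077.txt"
    for f in "$d"/*.txt; do
        printf '%s %s\n' "$(mode_of "$f")" "${f##*/}"
    done
    echo "not servable by a non-owner:"
    find_unservable "$d"
    rm -rf "$d"
}

demo
```

Pointing find_unservable at a deployed directory tree after a run gives a quick check for files that were written under a restrictive umask.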
