[openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

Markus Zoeller mzoeller at linux.vnet.ibm.com
Tue Jul 25 13:36:36 UTC 2017

On 17.07.2017 23:13, Major Hayden wrote:
> On 07/04/2017 03:54 AM, Markus Zoeller wrote:
>> How do you deal with hosts which have a restrictive umask of 077
>> *before* openstack-ansible starts the setup? Do you start with the
>> default umask of 022 and opt-in later to that security hardening[1]?
> We don't test for that in the OpenStack-Ansible gates since those settings from openstack-ansible-security/ansible-hardening are disabled by default. It's possible to start with 022 and switch to 077 later, but that could cause additional problems.
>> What's the development policy of openstack-ansible regarding setting
>> file or directory permissions in tasks?
>> * is a umask value of 022 assumed for tasks to work?
> Yes.
>> * should tasks always explicitly set the file/dir mode?
> They certainly should, and if they don't, we should adjust those tasks. I'd rather be as explicit as possible to reduce the chances of problems down the road if distribution defaults change.

A short grep in 'openstack-ansible' shows that the file permissions are
often not set. I used these commands:

$ grep -n -R "template:" --include \*.yml -A 5
$ grep -n -R "copy:" --include \*.yml -A 5

IIUC, we're using 'ansible-lint' for style checks. Does it make sense to
add a new rule which warns/enforces to set the mode (or group/user)?

Regards, Markus Zoeller (markus_z)

> --
> Major Hayden
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list