[Bug 1904580] Re: Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Corey Bryant 1904580 at bugs.launchpad.net
Mon May 16 16:56:31 UTC 2022


** Description changed:

+ [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri
  
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova at 10.35.80.49: Permission denied (publickey).
  
  This was preventing nova resizing:
  
  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4
  
  Manually setting to 0600 fixed the issue.
+ 
+ Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
+ files contained in that directory are not created by the package.
+ Therefore the package should avoid changing permissions for this
+ directory.
+ 
+ [Test Case]
+ Install a previous version of the nova-common package.
+ Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly.
+ Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.
+ 
+ [Regression Potential]
+ This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause a regression.

** Description changed:

  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri
  
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova at 10.35.80.49: Permission denied (publickey).
  
  This was preventing nova resizing:
  
  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4
  
  Manually setting to 0600 fixed the issue.
  
  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.
  
  [Test Case]
  Install a previous version of the nova-common package.
  Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly.
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.
  
  [Regression Potential]
- This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause a regression.
+ This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.

** Description changed:

  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri
  
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova at 10.35.80.49: Permission denied (publickey).
  
  This was preventing nova resizing:
  
  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4
  
  Manually setting to 0600 fixed the issue.
  
  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.
  
  [Test Case]
  Install a previous version of the nova-common package.
- Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly.
+ Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.
  
  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.
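Review bot: the [Test Case] line added in this hunk links the pike edition of the SSH configuration guide, while [Impact] describes a bionic-ussuri cloud; it would help to say whether the pike page is the intended reference for every affected series. The last step ("confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed") also names no expected values and no way to capture them; listing the modes to record before the upgrade (the report gives 0600 for id_rsa) would make the check repeatable.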

** Also affects: nova (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Kinetic)
   Importance: Undecided
     Assignee: Rodrigo Barbieri (rodrigo-barbieri2010)
       Status: Triaged

** Also affects: nova (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: nova (Ubuntu Focal)
       Status: New => Triaged

** Changed in: nova (Ubuntu Impish)
       Status: New => Triaged

** Changed in: nova (Ubuntu Jammy)
       Status: New => Triaged

** Changed in: nova (Ubuntu Kinetic)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Impish)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Focal)
   Importance: Undecided => High

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/xena
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/wallaby
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/victoria
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/ussuri
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/zed
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/yoga
   Importance: Undecided
       Status: New

** Changed in: cloud-archive/ussuri
   Importance: Undecided => High

** Changed in: cloud-archive/ussuri
       Status: New => Triaged

** Changed in: cloud-archive/victoria
   Importance: Undecided => High

** Changed in: cloud-archive/victoria
       Status: New => Triaged

** Changed in: cloud-archive/wallaby
   Importance: Undecided => High

** Changed in: cloud-archive/wallaby
       Status: New => Triaged

** Changed in: cloud-archive/xena
   Importance: Undecided => High

** Changed in: cloud-archive/xena
       Status: New => Triaged

** Changed in: cloud-archive/yoga
   Importance: Undecided => High

** Changed in: cloud-archive/yoga
       Status: New => Triaged

** Changed in: cloud-archive/zed
   Importance: Undecided => High

** Changed in: cloud-archive/zed
       Status: New => Triaged

-- 
https://bugs.launchpad.net/bugs/1904580

Title:
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Triaged
Status in Ubuntu Cloud Archive ussuri series:
  Triaged
Status in Ubuntu Cloud Archive victoria series:
  Triaged
Status in Ubuntu Cloud Archive wallaby series:
  Triaged
Status in Ubuntu Cloud Archive xena series:
  Triaged
Status in Ubuntu Cloud Archive yoga series:
  Triaged
Status in Ubuntu Cloud Archive zed series:
  Triaged
Status in nova package in Ubuntu:
  Triaged
Status in nova source package in Focal:
  Triaged
Status in nova source package in Impish:
  Triaged
Status in nova source package in Jammy:
  Triaged
Status in nova source package in Kinetic:
  Triaged

Bug description:
  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri

  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova@10.35.80.49: Permission denied (publickey).

  This was preventing nova resizing:

  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4

  Manually setting to 0600 fixed the issue.

  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.

  [Test Case]
  Install a previous version of the nova-common package.
  Set up ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.

  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1904580/+subscriptions
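
The [Test Case] in the bug description (record the modes, upgrade, confirm nothing under /var/lib/nova/.ssh/ changed) can be scripted. The following is an added example, not part of the bug report or the nova packaging: the function names are hypothetical, the demo uses a temporary directory in place of /var/lib/nova/.ssh, and a chmod 0644 stands in for the package upgrade.

```shell
#!/bin/sh
# Added example: not from the bug report or the nova packaging.
# Requires GNU find/stat (as shipped on Ubuntu).

# Print "mode owner:group path" for DIR and everything below it, sorted by path.
snapshot_modes() {
    find "$1" -exec stat -c '%a %U:%G %n' {} + | sort -k 3
}

# Succeed only when two snapshot files are identical; print the diff otherwise.
modes_unchanged() {
    diff -u "$1" "$2"
}

# Succeed when FILE grants nothing to group or other (mode & 077 == 0),
# the rule behind ssh's "bad permissions" refusal of a private key.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Constructed demo: a temp dir stands in for /var/lib/nova/.ssh and
# chmod 0644 stands in for the upgrade described in the report.
# Returns 0 when both checks catch the change.
run_demo() {
    work=$(mktemp -d) || return 2
    mkdir -m 700 "$work/.ssh"
    : > "$work/.ssh/id_rsa";     chmod 600 "$work/.ssh/id_rsa"
    : > "$work/.ssh/id_rsa.pub"; chmod 644 "$work/.ssh/id_rsa.pub"
    snapshot_modes "$work/.ssh" > "$work/before"
    key_mode_ok "$work/.ssh/id_rsa" || { rm -rf "$work"; return 1; }
    chmod 644 "$work/.ssh/id_rsa"          # simulated regression
    snapshot_modes "$work/.ssh" > "$work/after"
    rc=1
    if ! modes_unchanged "$work/before" "$work/after" >/dev/null &&
       ! key_mode_ok "$work/.ssh/id_rsa"; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

run_demo && echo "mode change on id_rsa detected"
```

On a real host, write `snapshot_modes /var/lib/nova/.ssh` to a file before and after upgrading nova-common, then pass both files to `modes_unchanged`; any output is a mode or ownership change made by the upgrade.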