[Bug 1904580] Re: Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Brian Murray 1904580 at bugs.launchpad.net
Tue May 17 17:52:21 UTC 2022


As I understand it, this patch will stop the permissions from being
changed to 0644 going forward, but it doesn't do anything to change the
permission from 0644 to 0600. Shouldn't that also be fixed?

** Changed in: nova (Ubuntu Impish)
       Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-impish

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1904580

Title:
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Triaged
Status in Ubuntu Cloud Archive ussuri series:
  Triaged
Status in Ubuntu Cloud Archive victoria series:
  Triaged
Status in Ubuntu Cloud Archive wallaby series:
  Triaged
Status in Ubuntu Cloud Archive xena series:
  Triaged
Status in Ubuntu Cloud Archive yoga series:
  Triaged
Status in Ubuntu Cloud Archive zed series:
  Triaged
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Focal:
  Fix Committed
Status in nova source package in Impish:
  Fix Committed
Status in nova source package in Jammy:
  Fix Committed
Status in nova source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri

  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova@10.35.80.49: Permission denied (publickey).

  This was preventing nova resizing:

  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4

  Manually setting to 0600 fixed the issue.

  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.

  [Test Case]
  Install a previous version of the nova-common package.
  Set up ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.

  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1904580/+subscriptions
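
The before/after comparison in the [Test Case] can be scripted. The following is an added example, not part of the bug report or the nova packaging: the helper names are hypothetical, it assumes GNU find and stat, and the demo runs on a constructed temporary directory standing in for /var/lib/nova/.ssh, with a constructed chmod standing in for the upgrade.

```shell
#!/bin/sh
# Added example: before/after mode check for the [Test Case] above.
# Requires GNU find/stat (present on Ubuntu).

# Print "<octal mode> <path>" for DIR and everything below it.
snapshot_modes() {
    find "$1" -exec stat -c '%a %n' {} + | sort -k 2
}

# Succeed only if the modes under DIR still match the saved snapshot file.
# On a mismatch the diff shows which paths changed and how.
modes_unchanged() {
    snapshot_modes "$2" | diff -u "$1" -
}

# Succeed if FILE grants any group/other access, which is what makes
# ssh refuse to load a private key ("bad permissions").
key_too_open() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Demo on a constructed stand-in for /var/lib/nova/.ssh.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -m 700 "$root/.ssh"
    : > "$root/.ssh/id_rsa";     chmod 600 "$root/.ssh/id_rsa"
    : > "$root/.ssh/id_rsa.pub"; chmod 644 "$root/.ssh/id_rsa.pub"
    snapshot_modes "$root/.ssh" > "$root/before.txt"

    # Stand-in for the package upgrade: a blanket chmod over the tree
    # (constructed; not the actual postinst command).
    find "$root/.ssh" -type f -exec chmod 644 {} +

    if modes_unchanged "$root/before.txt" "$root/.ssh"; then
        echo "PASS: modes preserved"
    else
        echo "FAIL: upgrade changed modes"
    fi
    if key_too_open "$root/.ssh/id_rsa"; then
        echo "id_rsa is too open; ssh will reject it"
    fi
    rm -rf "$root"
}
demo
```

For the real test, run snapshot_modes against /var/lib/nova/.ssh before upgrading nova-common and modes_unchanged against the saved file afterwards.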



