Set ownership of /etc/pki/<console> files for TLS

melwitt · melwitt · commit e2853bf2d0a2 · 2019-03-25T03:42:18.000Z
OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.

When the default CI node Ubuntu version was changed from Xenial =&gt;
Bionic we changed from OpenSSL 1.0.2 =&gt; 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.

This sets the ownership of the /etc/pki/&lt;console&gt; files to the
user:group intended to read them.

Closes-Bug: #1819794

Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
diff --git a/lib/nova b/lib/nova
@@ -665,6 +665,22 @@ function configure_console_proxies {
             sudo mkdir -p /etc/pki/nova-novnc
             deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
             deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+            # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+            # default, and the deploy_int* methods use 'sudo cp' to copy the
+            # files, making them owned by root:root.
+            # Change ownership of everything under /etc/pki/nova-novnc to
+            # $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
+            # the key file.
+            sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
+            # This is needed to enable TLS in the proxy itself, example log:
+            # WebSocket server settings:
+            #   - Listen on 0.0.0.0:6080
+            #   - Flash security policy server
+            #   - Web server (no directory listings). Web root: /usr/share/novnc
+            #   - SSL/TLS support
+            #   - proxying from 0.0.0.0:6080 to None:None
+            iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem"
+            iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem"
         fi
     fi
 
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
@@ -155,9 +155,15 @@ EOF
             echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
 
             sudo mkdir -p /etc/pki/libvirt-vnc
-            sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
             deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
             deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+            # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+            # default and the deploy_int* methods use 'sudo cp' to copy the
+            # files, making them owned by root:root.
+            # Change ownership of everything under /etc/pki/libvirt-vnc to
+            # libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key
+            # file.
+            sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
         fi
     fi
 
