openstack/bifrost
Code Issues Proposed changes

Merge "Tighten permissions for PXE directories"

Browse Source
This commit is contained in:
Zuul 2022-01-21 12:17:38 +00:00 committed by Gerrit Code Review
commit 01451c0bf7
6 changed files with 45 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
playbooks/roles/bifrost-ironic-install/defaults/main.yml
View File

@ -11,6 +11,7 @@ fast_track: true
tftp_boot_folder: /tftpboot tftp_boot_folder: /tftpboot
http_boot_folder: /var/lib/ironic/httpboot http_boot_folder: /var/lib/ironic/httpboot
boot_folder_permissions: "0750"
ironic_tftp_master_path: /var/lib/ironic/master_images ironic_tftp_master_path: /var/lib/ironic/master_images
staging_drivers_include: false staging_drivers_include: false
file_url_port: "8080" file_url_port: "8080"

22
playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
View File

@ -102,10 +102,21 @@
- name: "Create an ironic service group" - name: "Create an ironic service group"
group: group:
name: "ironic" name: "ironic"
- name: "Create an ironic service user" - name: "Create an ironic service user"
user: user:
name: "ironic" name: "ironic"
group: "ironic" group: "ironic"
- name: "Add nginx and dnsmasq to the ironic group"
user:
name: "{{ item }}"
groups: "ironic"
append: yes
loop:
- "{{ nginx_user }}"
- dnsmasq
- name: "Ensure /etc/ironic exists" - name: "Ensure /etc/ironic exists"
file: file:
name: "/etc/ironic" name: "/etc/ironic"
@ -113,6 +124,7 @@
owner: "ironic" owner: "ironic"
group: "ironic" group: "ironic"
mode: 0755 mode: 0755
# Note(TheJulia): The rootwrap copies will need to be re-tooled # Note(TheJulia): The rootwrap copies will need to be re-tooled
# to possibly directly retreive current files if a source install # to possibly directly retreive current files if a source install
# is not utilized. # is not utilized.
@ -267,8 +279,8 @@
file: file:
path: "{{ dnsmasq_additional_hostsdir }}" path: "{{ dnsmasq_additional_hostsdir }}"
state: directory state: directory
owner: "root" owner: "dnsmasq"
group: "root" group: "ironic"
mode: 0755 mode: 0755
when: dnsmasq_additional_hostsdir is defined when: dnsmasq_additional_hostsdir is defined
@ -276,8 +288,8 @@
file: file:
path: "{{ dnsmasq_dhcp_hostsdir }}" path: "{{ dnsmasq_dhcp_hostsdir }}"
state: directory state: directory
owner: "root" owner: "dnsmasq"
group: "root" group: "ironic"
mode: 0755 mode: 0755
- name: "Retrieve interface IP informations" - name: "Retrieve interface IP informations"
@ -398,7 +410,7 @@
state: directory state: directory
mode: 0750 mode: 0750
owner: "ironic" owner: "ironic"
group: "{{ nginx_user }}" group: "ironic"
loop: loop:
- "/var/lib/ironic" - "/var/lib/ironic"
- "/var/lib/ironic/master_images" - "/var/lib/ironic/master_images"

20
playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
View File

@ -15,11 +15,27 @@
--- ---
# TODO(TheJulia): The pxelinux folder is statically coded in ironic. # TODO(TheJulia): The pxelinux folder is statically coded in ironic.
# For now, we need to use it, but we can patch that. # For now, we need to use it, but we can patch that.
- name: "Set up PXE and iPXE folders" - name: "Set up PXE folders"
file: name={{ item }} owner=ironic group=ironic state=directory mode=0755 file:
name: "{{ item }}"
owner: ironic
group: ironic
state: directory
# FIXME(dtantsur): dnsmasq cannot work if the files are not world readable
# or owned by it, I don't understand why.
mode: 0755
loop: loop:
- "{{ tftp_boot_folder }}" - "{{ tftp_boot_folder }}"
- "{{ tftp_boot_folder }}/pxelinux.cfg" - "{{ tftp_boot_folder }}/pxelinux.cfg"
- name: "Set up HTTP folders"
file:
name: "{{ item }}"
owner: ironic
group: ironic
state: directory
mode: "{{ boot_folder_permissions }}"
loop:
- "{{ http_boot_folder }}" - "{{ http_boot_folder }}"
- "{{ http_boot_folder }}/pxelinux.cfg" - "{{ http_boot_folder }}/pxelinux.cfg"

2
playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
View File

@ -117,7 +117,7 @@
dest=/etc/ironic-inspector/inspector.conf dest=/etc/ironic-inspector/inspector.conf
owner=ironic owner=ironic
group=ironic group=ironic
mode=0740 mode=0640
- name: "Inspector - Create the log directories (if requested)" - name: "Inspector - Create the log directories (if requested)"
file: file:
name: "{{ item }}" name: "{{ item }}"

5
releasenotes/notes/perm-8b4236c6eddf1f1f.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
The TFTP and HTTP directories are no longer world-readable by default.
Set ``boot_folder_permissions`` to override.

6
scripts/collect-test-info.sh
View File

@ -82,9 +82,9 @@ sudo journalctl -u uwsgi@keystone-public &> ${LOG_LOCATION}/keystone-public.log
# Copy PXE information # Copy PXE information
mkdir -p ${LOG_LOCATION}/pxe/ mkdir -p ${LOG_LOCATION}/pxe/
ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt sudo ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/ sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/"
cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/ sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
# Copy baremetal information # Copy baremetal information
source $HOME/openrc bifrost source $HOME/openrc bifrost