From 1f37c414130d58e64ba6d9d2fc9cc9f7e690453f Mon Sep 17 00:00:00 2001 From: Jacob Anders Date: Tue, 25 Aug 2020 14:10:31 +1000 Subject: [PATCH] Explicitly set permissions on /httpboot contents Ansible versions 2.9.12 and 2.8.14 change default behavior in regards to applying umask to ansible-created files. Due to this, newly created files may have overly restrictive permissions, causing issues in use cases where files need to be world-readable such as contents of /httpboot folder in Ironic. This patch adds explicit setting of permissions to ensure Ironic network boot continues to work correctly. Change-Id: If617a305d4efc09335f675f1ec68e07cf81970c6 --- .../tasks/bootstrap.yml | 3 + .../tasks/create_tftpboot.yml | 70 +++++++++++-------- .../tasks/download_ipa_image.yml | 12 ++++ .../bifrost-ironic-install/tasks/get_ipxe.yml | 6 ++ .../notes/releasenote-341a5eebe6168aea.yaml | 13 ++++ 5 files changed, 75 insertions(+), 29 deletions(-) create mode 100644 releasenotes/notes/releasenote-341a5eebe6168aea.yaml diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml index d05c57d04..e3c3175a2 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml @@ -355,6 +355,9 @@ get_url: url: "{{ cirros_deploy_image_upstream_url }}" dest: "{{ deploy_image }}" + owner: ironic + group: ironic + mode: 0644 when: use_cirros | bool == true - name: "Create a checksum file for cirros" shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS diff --git a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml index 3ef022186..cd4d9c4c5 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml @@ -40,24 +40,32 @@ when: download_ipxe | bool == true - name: "Copy iPXE image into place" - copy: src={{ ipxe_dir }}/undionly.kpxe dest=/tftpboot/ remote_src=true + copy: + src: "{{ ipxe_dir }}/undionly.kpxe" + dest: /tftpboot/ + owner: ironic + group: ironic + mode: 0644 + remote_src: true # NOTE(TheJulia): Copy full iPXE chain loader images in case they are required. - name: "Copy full iPXE image into {{ http_boot_folder }}/" - copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest={{ http_boot_folder }}/ remote_src=true - -- name: "Copy full iPXE image into /tftpboot" - copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest=/tftpboot/ remote_src=true - -- name: Make boot files owned by ironic and world-readable - file: - path: "{{ item }}" - mode: 0644 + copy: + src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}" + dest: "{{ http_boot_folder }}/" owner: ironic group: ironic - loop: - - /tftpboot/undionly.kpxe - - "/tftpboot/{{ ipxe_full_binary }}" + mode: 0644 + remote_src: true + +- name: "Copy full iPXE image into /tftpboot" + copy: + src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}" + dest: /tftpboot/ + owner: ironic + group: ironic + mode: 0644 + remote_src: true - name: "Set up iPXE for EFI booting" block: @@ -78,20 +86,23 @@ - test_ipxe_efi_binary_path.stat.exists | bool == false - name: "Copy iPXE EFI image into {{ http_boot_folder }}/" - copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest={{ http_boot_folder }}/ remote_src=true - - - name: "Copy iPXE EFI image into /tftpboot" - copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest=/tftpboot/ remote_src=true - - - name: Make UEFI boot files owned by ironic and world-readable - file: - path: "{{ item }}" - mode: 0644 + copy: + src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}" + dest: "{{ http_boot_folder }}/" owner: ironic group: ironic - loop: - - "/tftpboot/{{ ipxe_efi_binary }}" - - "{{ http_boot_folder }}/{{ ipxe_efi_binary }}" + mode: 0644 + remote_src: true + + - name: "Copy iPXE EFI image into /tftpboot" + copy: + src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}" + dest: /tftpboot/ + owner: ironic + group: ironic + mode: 0644 + remote_src: true + when: enable_uefi_ipxe | bool == true # Similar logic to below can be utilized to retrieve files @@ -107,8 +118,9 @@ # For now, we need to use it, but we can patch that. - name: "Inspector - Place default tftp boot file in {{ http_boot_folder}}/pxelinux.cfg/" template: - src=inspector-default-boot-ipxe.j2 - dest="{{ http_boot_folder }}/pxelinux.cfg/default" - owner=ironic - group=ironic + src: inspector-default-boot-ipxe.j2 + dest: "{{ http_boot_folder }}/pxelinux.cfg/default" + owner: ironic + group: ironic + mode: 0644 when: enable_inspector | bool == true diff --git a/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml b/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml index 2181639f2..fb4fbcc9a 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml @@ -25,6 +25,9 @@ url: "{{ ipa_kernel_upstream_checksum_url }}" dest: "{{ ipa_kernel }}.{{ ipa_kernel_upstream_checksum_algo }}" timeout: 300 + owner: ironic + group: ironic + mode: 0644 register: ipa_kernel_checksum_result ignore_errors: yes - debug: @@ -58,6 +61,9 @@ get_url: url: "{{ ipa_kernel_upstream_url }}" dest: "{{ ipa_kernel }}" + owner: ironic + group: ironic + mode: 0644 checksum: "{{ ipa_kernel_checksum | default(omit) }}" timeout: 300 # Keep downloading it until we get a good copy @@ -79,6 +85,9 @@ url: "{{ ipa_ramdisk_upstream_checksum_url }}" dest: "{{ ipa_ramdisk }}.{{ ipa_ramdisk_upstream_checksum_algo }}" timeout: 300 + owner: ironic + group: ironic + mode: 0644 register: ipa_ramdisk_checksum_result ignore_errors: yes - debug: @@ -112,6 +121,9 @@ get_url: url: "{{ ipa_ramdisk_upstream_url }}" dest: "{{ ipa_ramdisk }}" + owner: ironic + group: ironic + mode: 0644 checksum: "{{ ipa_ramdisk_checksum | default(omit) }}" timeout: 300 # Keep downloading it until we get a good copy diff --git a/playbooks/roles/bifrost-ironic-install/tasks/get_ipxe.yml b/playbooks/roles/bifrost-ironic-install/tasks/get_ipxe.yml index bcffcccdb..fd0a027eb 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/get_ipxe.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/get_ipxe.yml @@ -26,6 +26,9 @@ url: "https://boot.ipxe.org/{{ item }}" dest: "{{ ipxe_dir }}/{{ item }}" force: yes + owner: ironic + group: ironic + mode: 0644 register: ipxe_files_download_done until: ipxe_files_download_done is succeeded retries: 5 @@ -39,6 +42,9 @@ url: "https://boot.ipxe.org/{{ item }}" dest: "{{ ipxe_dir }}/{{ item }}" force: yes + owner: ironic + group: ironic + mode: 0644 register: ipxe_efi_binary_download_done until: ipxe_efi_binary_download_done is succeeded retries: 5 diff --git a/releasenotes/notes/releasenote-341a5eebe6168aea.yaml b/releasenotes/notes/releasenote-341a5eebe6168aea.yaml new file mode 100644 index 000000000..b82674c9b --- /dev/null +++ b/releasenotes/notes/releasenote-341a5eebe6168aea.yaml @@ -0,0 +1,13 @@ +--- +upgrade: + - | + Adds the explicit setting of file access permissions to get_url calls in + bifrost ansible playbooks to ensure that the contents of "/httpboot" are + world-readable independently of which Ansible version is in use. +fixes: + - | + Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit + setting of file permissions on files downloaded with get_url calls results + in overly restrictive permissions. This leads to access denied while + attempting to read the contents of "/httpboot" and results in failed + deployments.