Tighten permissions for PXE directories
Make the HTTP directory not world readable by default. Images may contain secrets, so regular users should not read them. Add nginx and dnsmasq to the ironic group so that they can read ironic files that are group accessible. Change-Id: Iaa8585fb48e5db6c0d5063dca0d84c9d2300f0c9
This commit is contained in:
parent
5fd6251f22
commit
3cb96f1b67
@ -11,6 +11,7 @@ fast_track: true
|
||||
|
||||
tftp_boot_folder: /tftpboot
|
||||
http_boot_folder: /var/lib/ironic/httpboot
|
||||
boot_folder_permissions: "0750"
|
||||
ironic_tftp_master_path: /var/lib/ironic/master_images
|
||||
staging_drivers_include: false
|
||||
file_url_port: "8080"
|
||||
|
@ -102,10 +102,21 @@
|
||||
- name: "Create an ironic service group"
|
||||
group:
|
||||
name: "ironic"
|
||||
|
||||
- name: "Create an ironic service user"
|
||||
user:
|
||||
name: "ironic"
|
||||
group: "ironic"
|
||||
|
||||
- name: "Add nginx and dnsmasq to the ironic group"
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
groups: "ironic"
|
||||
append: yes
|
||||
loop:
|
||||
- "{{ nginx_user }}"
|
||||
- dnsmasq
|
||||
|
||||
- name: "Ensure /etc/ironic exists"
|
||||
file:
|
||||
name: "/etc/ironic"
|
||||
@ -113,6 +124,7 @@
|
||||
owner: "ironic"
|
||||
group: "ironic"
|
||||
mode: 0755
|
||||
|
||||
# Note(TheJulia): The rootwrap copies will need to be re-tooled
|
||||
# to possibly directly retreive current files if a source install
|
||||
# is not utilized.
|
||||
@ -261,8 +273,8 @@
|
||||
file:
|
||||
path: "{{ dnsmasq_additional_hostsdir }}"
|
||||
state: directory
|
||||
owner: "root"
|
||||
group: "root"
|
||||
owner: "dnsmasq"
|
||||
group: "ironic"
|
||||
mode: 0755
|
||||
when: dnsmasq_additional_hostsdir is defined
|
||||
|
||||
@ -270,8 +282,8 @@
|
||||
file:
|
||||
path: "{{ dnsmasq_dhcp_hostsdir }}"
|
||||
state: directory
|
||||
owner: "root"
|
||||
group: "root"
|
||||
owner: "dnsmasq"
|
||||
group: "ironic"
|
||||
mode: 0755
|
||||
|
||||
- name: "Retrieve interface IP informations"
|
||||
@ -392,7 +404,7 @@
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "ironic"
|
||||
group: "{{ nginx_user }}"
|
||||
group: "ironic"
|
||||
loop:
|
||||
- "/var/lib/ironic"
|
||||
- "/var/lib/ironic/master_images"
|
||||
|
@ -15,11 +15,27 @@
|
||||
---
|
||||
# TODO(TheJulia): The pxelinux folder is statically coded in ironic.
|
||||
# For now, we need to use it, but we can patch that.
|
||||
- name: "Set up PXE and iPXE folders"
|
||||
file: name={{ item }} owner=ironic group=ironic state=directory mode=0755
|
||||
- name: "Set up PXE folders"
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
state: directory
|
||||
# FIXME(dtantsur): dnsmasq cannot work if the files are not world readable
|
||||
# or owned by it, I don't understand why.
|
||||
mode: 0755
|
||||
loop:
|
||||
- "{{ tftp_boot_folder }}"
|
||||
- "{{ tftp_boot_folder }}/pxelinux.cfg"
|
||||
|
||||
- name: "Set up HTTP folders"
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
state: directory
|
||||
mode: "{{ boot_folder_permissions }}"
|
||||
loop:
|
||||
- "{{ http_boot_folder }}"
|
||||
- "{{ http_boot_folder }}/pxelinux.cfg"
|
||||
|
||||
|
@ -111,7 +111,7 @@
|
||||
dest=/etc/ironic-inspector/inspector.conf
|
||||
owner=ironic
|
||||
group=ironic
|
||||
mode=0740
|
||||
mode=0640
|
||||
- name: "Inspector - Create the log directories (if requested)"
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
|
5
releasenotes/notes/perm-8b4236c6eddf1f1f.yaml
Normal file
5
releasenotes/notes/perm-8b4236c6eddf1f1f.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
The TFTP and HTTP directories are no longer world-readable by default.
|
||||
Set ``boot_folder_permissions`` to override.
|
@ -82,9 +82,9 @@ sudo journalctl -u uwsgi@keystone-public &> ${LOG_LOCATION}/keystone-public.log
|
||||
|
||||
# Copy PXE information
|
||||
mkdir -p ${LOG_LOCATION}/pxe/
|
||||
ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
|
||||
cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/
|
||||
cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
|
||||
sudo ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
|
||||
sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/"
|
||||
sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
|
||||
|
||||
# Copy baremetal information
|
||||
source $HOME/openrc bifrost
|
||||
|
Loading…
x
Reference in New Issue
Block a user