openstack/bifrost
Code Issues Proposed changes

Explicitly set permissions on /httpboot contents

Browse Source 
Ansible versions 2.9.12 and 2.8.14 change default behavior
in regards to applying umask to ansible-created files. Due to
this, newly created files may have overly restrictive permissions,
causing issues in use cases where files need to be world-readable
such as contents of /httpboot folder in Ironic. This patch adds
explicit setting of permissions to ensure Ironic network boot
continues to work correctly.

Change-Id: If617a305d4efc09335f675f1ec68e07cf81970c6
This commit is contained in:
Jacob Anders 2020-08-25 14:10:31 +10:00
parent 3bf9631ae5
commit 1f37c41413
5 changed files with 75 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
View File

@ -355,6 +355,9 @@
get_url: get_url:
url: "{{ cirros_deploy_image_upstream_url }}" url: "{{ cirros_deploy_image_upstream_url }}"
dest: "{{ deploy_image }}" dest: "{{ deploy_image }}"
owner: ironic
group: ironic
mode: 0644
when: use_cirros | bool == true when: use_cirros | bool == true
- name: "Create a checksum file for cirros" - name: "Create a checksum file for cirros"
shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS

70
playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml
View File

@ -40,24 +40,32 @@
when: download_ipxe | bool == true when: download_ipxe | bool == true
- name: "Copy iPXE image into place" - name: "Copy iPXE image into place"
copy: src={{ ipxe_dir }}/undionly.kpxe dest=/tftpboot/ remote_src=true copy:
src: "{{ ipxe_dir }}/undionly.kpxe"
dest: /tftpboot/
owner: ironic
group: ironic
mode: 0644
remote_src: true
# NOTE(TheJulia): Copy full iPXE chain loader images in case they are required. # NOTE(TheJulia): Copy full iPXE chain loader images in case they are required.
- name: "Copy full iPXE image into {{ http_boot_folder }}/" - name: "Copy full iPXE image into {{ http_boot_folder }}/"
copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest={{ http_boot_folder }}/ remote_src=true copy:
src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}"
- name: "Copy full iPXE image into /tftpboot" dest: "{{ http_boot_folder }}/"
copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest=/tftpboot/ remote_src=true
- name: Make boot files owned by ironic and world-readable
file:
path: "{{ item }}"
mode: 0644
owner: ironic owner: ironic
group: ironic group: ironic
loop: mode: 0644
- /tftpboot/undionly.kpxe remote_src: true
- "/tftpboot/{{ ipxe_full_binary }}"
- name: "Copy full iPXE image into /tftpboot"
copy:
src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}"
dest: /tftpboot/
owner: ironic
group: ironic
mode: 0644
remote_src: true
- name: "Set up iPXE for EFI booting" - name: "Set up iPXE for EFI booting"
block: block:
@ -78,20 +86,23 @@
- test_ipxe_efi_binary_path.stat.exists | bool == false - test_ipxe_efi_binary_path.stat.exists | bool == false
- name: "Copy iPXE EFI image into {{ http_boot_folder }}/" - name: "Copy iPXE EFI image into {{ http_boot_folder }}/"
copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest={{ http_boot_folder }}/ remote_src=true copy:
src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}"
- name: "Copy iPXE EFI image into /tftpboot" dest: "{{ http_boot_folder }}/"
copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest=/tftpboot/ remote_src=true
- name: Make UEFI boot files owned by ironic and world-readable
file:
path: "{{ item }}"
mode: 0644
owner: ironic owner: ironic
group: ironic group: ironic
loop: mode: 0644
- "/tftpboot/{{ ipxe_efi_binary }}" remote_src: true
- "{{ http_boot_folder }}/{{ ipxe_efi_binary }}"
- name: "Copy iPXE EFI image into /tftpboot"
copy:
src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}"
dest: /tftpboot/
owner: ironic
group: ironic
mode: 0644
remote_src: true
when: enable_uefi_ipxe | bool == true when: enable_uefi_ipxe | bool == true
# Similar logic to below can be utilized to retrieve files # Similar logic to below can be utilized to retrieve files
@ -107,8 +118,9 @@
# For now, we need to use it, but we can patch that. # For now, we need to use it, but we can patch that.
- name: "Inspector - Place default tftp boot file in {{ http_boot_folder}}/pxelinux.cfg/" - name: "Inspector - Place default tftp boot file in {{ http_boot_folder}}/pxelinux.cfg/"
template: template:
src=inspector-default-boot-ipxe.j2 src: inspector-default-boot-ipxe.j2
dest="{{ http_boot_folder }}/pxelinux.cfg/default" dest: "{{ http_boot_folder }}/pxelinux.cfg/default"
owner=ironic owner: ironic
group=ironic group: ironic
mode: 0644
when: enable_inspector | bool == true when: enable_inspector | bool == true

12
playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml
View File

@ -25,6 +25,9 @@
url: "{{ ipa_kernel_upstream_checksum_url }}" url: "{{ ipa_kernel_upstream_checksum_url }}"
dest: "{{ ipa_kernel }}.{{ ipa_kernel_upstream_checksum_algo }}" dest: "{{ ipa_kernel }}.{{ ipa_kernel_upstream_checksum_algo }}"
timeout: 300 timeout: 300
owner: ironic
group: ironic
mode: 0644
register: ipa_kernel_checksum_result register: ipa_kernel_checksum_result
ignore_errors: yes ignore_errors: yes
- debug: - debug:
@ -58,6 +61,9 @@
get_url: get_url:
url: "{{ ipa_kernel_upstream_url }}" url: "{{ ipa_kernel_upstream_url }}"
dest: "{{ ipa_kernel }}" dest: "{{ ipa_kernel }}"
owner: ironic
group: ironic
mode: 0644
checksum: "{{ ipa_kernel_checksum | default(omit) }}" checksum: "{{ ipa_kernel_checksum | default(omit) }}"
timeout: 300 timeout: 300
# Keep downloading it until we get a good copy # Keep downloading it until we get a good copy
@ -79,6 +85,9 @@
url: "{{ ipa_ramdisk_upstream_checksum_url }}" url: "{{ ipa_ramdisk_upstream_checksum_url }}"
dest: "{{ ipa_ramdisk }}.{{ ipa_ramdisk_upstream_checksum_algo }}" dest: "{{ ipa_ramdisk }}.{{ ipa_ramdisk_upstream_checksum_algo }}"
timeout: 300 timeout: 300
owner: ironic
group: ironic
mode: 0644
register: ipa_ramdisk_checksum_result register: ipa_ramdisk_checksum_result
ignore_errors: yes ignore_errors: yes
- debug: - debug:
@ -112,6 +121,9 @@
get_url: get_url:
url: "{{ ipa_ramdisk_upstream_url }}" url: "{{ ipa_ramdisk_upstream_url }}"
dest: "{{ ipa_ramdisk }}" dest: "{{ ipa_ramdisk }}"
owner: ironic
group: ironic
mode: 0644
checksum: "{{ ipa_ramdisk_checksum | default(omit) }}" checksum: "{{ ipa_ramdisk_checksum | default(omit) }}"
timeout: 300 timeout: 300
# Keep downloading it until we get a good copy # Keep downloading it until we get a good copy

6
playbooks/roles/bifrost-ironic-install/tasks/get_ipxe.yml
View File

@ -26,6 +26,9 @@
url: "https://boot.ipxe.org/{{ item }}" url: "https://boot.ipxe.org/{{ item }}"
dest: "{{ ipxe_dir }}/{{ item }}" dest: "{{ ipxe_dir }}/{{ item }}"
force: yes force: yes
owner: ironic
group: ironic
mode: 0644
register: ipxe_files_download_done register: ipxe_files_download_done
until: ipxe_files_download_done is succeeded until: ipxe_files_download_done is succeeded
retries: 5 retries: 5
@ -39,6 +42,9 @@
url: "https://boot.ipxe.org/{{ item }}" url: "https://boot.ipxe.org/{{ item }}"
dest: "{{ ipxe_dir }}/{{ item }}" dest: "{{ ipxe_dir }}/{{ item }}"
force: yes force: yes
owner: ironic
group: ironic
mode: 0644
register: ipxe_efi_binary_download_done register: ipxe_efi_binary_download_done
until: ipxe_efi_binary_download_done is succeeded until: ipxe_efi_binary_download_done is succeeded
retries: 5 retries: 5

13
releasenotes/notes/releasenote-341a5eebe6168aea.yaml Normal file
View File

@ -0,0 +1,13 @@
---
upgrade:
- |
Adds the explicit setting of file access permissions to get_url calls in
bifrost ansible playbooks to ensure that the contents of "/httpboot" are
world-readable independently of which Ansible version is in use.
fixes:
- |
Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit
setting of file permissions on files downloaded with get_url calls results
in overly restrictive permissions. This leads to access denied while
attempting to read the contents of "/httpboot" and results in failed
deployments.