[Bug 1904580] Update Released

Ɓukasz Zemczak 1904580 at bugs.launchpad.net
Mon Jul 4 08:45:06 UTC 2022 

The verification of the Stable Release Update for nova has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1904580

Title:
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Focal:
  Fix Committed
Status in nova source package in Impish:
  Fix Committed
Status in nova source package in Jammy:
  Fix Released
Status in nova source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri

  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova at 10.35.80.49: Permission denied (publickey).

  This was preventing nova resizing:

  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4

  Manually setting to 0600 fixed the issue.

  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.

  [Test Case]
  Install a previous version of the nova-common package.
  Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.

  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1904580/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list