[Bug 1904580] Re: Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Rodrigo Barbieri 1904580 at bugs.launchpad.net
Mon Jun 27 18:32:22 UTC 2022


Does yoga need to be validated separately as UCA given jammy has already
been validated?

Same question for focal and impish, given that xena and ussuri UCAs have
been validated.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1904580

Title:
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Focal:
  Fix Committed
Status in nova source package in Impish:
  Fix Committed
Status in nova source package in Jammy:
  Fix Committed
Status in nova source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri

  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova@10.35.80.49: Permission denied (publickey).

  This was preventing nova resizing:

  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4

  Manually setting to 0600 fixed the issue.

  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.

  [Test Case]
  Install a previous version of the nova-common package.
  Set up ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.

  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.
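
One way to run the check in the test case above, as an added example that is not part of the bug report or the nova package: snapshot the modes under /var/lib/nova/.ssh before the upgrade, then verify afterwards that nothing changed and that no private key is accessible to group or other. The script name and before.txt are hypothetical; GNU find (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU find (-printf, -perm /MODE).
# Usage, run as root around the nova-common upgrade (file names are hypothetical):
#   ./nova_ssh_modes.sh snapshot /var/lib/nova/.ssh > before.txt
#   ... upgrade nova-common to the patched version ...
#   ./nova_ssh_modes.sh verify /var/lib/nova/.ssh before.txt

# Print "<octal mode> <path>" for the directory and everything in it, sorted by path.
snapshot_modes() {
    find "$1" -printf '%m %p\n' | sort -k2
}

# Print private keys (id_* without .pub) that have any group/other permission bit set.
# These are the files ssh rejects with "bad permissions".
open_private_keys() {
    find "$1" -type f -name 'id_*' ! -name '*.pub' -perm /077 -printf '%m %p\n'
}

# Return 0 only if modes match the earlier snapshot and no private key is too open.
verify_modes() {
    dir=$1; before=$2; rc=0
    after=$(mktemp)
    snapshot_modes "$dir" > "$after"
    if ! diff -u "$before" "$after"; then
        echo "FAIL: modes changed under $dir" >&2
        rc=1
    fi
    if [ -n "$(open_private_keys "$dir")" ]; then
        echo "FAIL: private key accessible to group/other:" >&2
        open_private_keys "$dir" >&2
        rc=1
    fi
    rm -f "$after"
    return $rc
}

# Command-line dispatch; does nothing when the file is sourced without arguments.
case "${1:-}" in
    snapshot) snapshot_modes "$2" ;;
    verify)   verify_modes "$2" "$3" ;;
esac
```

A non-zero exit from verify means the upgrade touched the directory, which is the regression this bug describes.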
