Set ownership of /etc/pki/<console> files for TLS

OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.

When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.

This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.

Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641

diff --git a/lib/nova b/lib/nova
index 033ebf3..137a249 100644
--- a/lib/nova
+++ b/lib/nova
@@ -665,6 +665,22 @@
sudo mkdir -p /etc/pki/nova-novnc
deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+ # default, and the deploy_int* methods use 'sudo cp' to copy the
+ # files, making them owned by root:root.
+ # Change ownership of everything under /etc/pki/nova-novnc to
+ # $STACK_USER:$(id -g ${STACK_USER}) so that $STACK_USER can read
+ # the key file.
+ sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc
+ # This is needed to enable TLS in the proxy itself, example log:
+ # WebSocket server settings:
+ # - Listen on 0.0.0.0:6080
+ # - Flash security policy server
+ # - Web server (no directory listings). Web root: /usr/share/novnc
+ # - SSL/TLS support
+ # - proxying from 0.0.0.0:6080 to None:None
+ iniset $conf DEFAULT key "/etc/pki/nova-novnc/client-key.pem"
+ iniset $conf DEFAULT cert "/etc/pki/nova-novnc/client-cert.pem"
fi
fi
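
Review bot: the `sudo chown -R $STACK_USER:$(id -g ${STACK_USER}) /etc/pki/nova-novnc` line fixes ownership but never sets the key's mode, so the permissions on `client-key.pem` still depend on which OpenSSL generated it (644 with 1.0.2, 600 with 1.1.0, per the commit message). An explicit `chmod 600` on `/etc/pki/nova-novnc/client-key.pem` after the chown would make the outcome the same on both releases and keep the private key unreadable to other users. The recursive chown also hands the CA cert, client cert and the directory itself to `$STACK_USER` when only the key needs to change owner; narrowing it to the key file would be the least-privilege form. The user and group expansions are unquoted; `"$STACK_USER:$(id -g "$STACK_USER")"` is safer. Separately, the two `iniset $conf DEFAULT key` / `cert` lines turn on TLS in the proxy, which the commit message does not mention; that deserves a sentence there or its own change. The pasted example log, which ends in "proxying from 0.0.0.0:6080 to None:None", does not make clear which line shows the effect of the settings, so a one-line note pointing at "SSL/TLS support" would help.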