Set ownership of /etc/pki/<console> files for TLS
OpenSSL 1.0.2 generates key files with default permissions: 644 and the
files are copied to the /etc/pki/* directories with sudo.
When the default CI node Ubuntu version was changed from Xenial =>
Bionic we changed from OpenSSL 1.0.2 => 1.1.0. And OpenSSL 1.1.0
generates key files with default permissions: 600. When we copy the key
file to /etc/pki/* using sudo, it becomes owned by root and then the
console-related users are unable to read it.
This sets the ownership of the /etc/pki/<console> files to the
user:group intended to read them.
Closes-Bug: #1819794
Change-Id: I437a46c875cf633272e8cad0811e5557f2ac3641
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index fcb4777..4639869 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -155,9 +155,15 @@
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
sudo mkdir -p /etc/pki/libvirt-vnc
- sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+ # OpenSSL 1.1.0 generates the key file with permissions: 600, by
+ # default and the deploy_int* methods use 'sudo cp' to copy the
+ # files, making them owned by root:root.
+ # Change ownership of everything under /etc/pki/libvirt-vnc to
+ # libvirt-qemu:libvirt-qemu so that libvirt-qemu can read the key
+ # file.
+ sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
fi
fi