Explicitly set permissions on /httpboot contents
Ansible versions 2.9.12 and 2.8.14 change default behavior in regards to applying umask to ansible-created files. Due to this, newly created files may have overly restrictive permissions, causing issues in use cases where files need to be world-readable such as contents of /httpboot folder in Ironic. This patch adds explicit setting of permissions to ensure Ironic network boot continues to work correctly. Change-Id: If617a305d4efc09335f675f1ec68e07cf81970c6
This commit is contained in:
parent
3bf9631ae5
commit
1f37c41413
@ -355,6 +355,9 @@
|
||||
get_url:
|
||||
url: "{{ cirros_deploy_image_upstream_url }}"
|
||||
dest: "{{ deploy_image }}"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
when: use_cirros | bool == true
|
||||
- name: "Create a checksum file for cirros"
|
||||
shell: md5sum {{ deploy_image_filename }} > {{ deploy_image_filename }}.CHECKSUMS
|
||||
|
@ -40,24 +40,32 @@
|
||||
when: download_ipxe | bool == true
|
||||
|
||||
- name: "Copy iPXE image into place"
|
||||
copy: src={{ ipxe_dir }}/undionly.kpxe dest=/tftpboot/ remote_src=true
|
||||
copy:
|
||||
src: "{{ ipxe_dir }}/undionly.kpxe"
|
||||
dest: /tftpboot/
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
remote_src: true
|
||||
|
||||
# NOTE(TheJulia): Copy full iPXE chain loader images in case they are required.
|
||||
- name: "Copy full iPXE image into {{ http_boot_folder }}/"
|
||||
copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest={{ http_boot_folder }}/ remote_src=true
|
||||
|
||||
- name: "Copy full iPXE image into /tftpboot"
|
||||
copy: src={{ ipxe_dir }}/{{ ipxe_full_binary }} dest=/tftpboot/ remote_src=true
|
||||
|
||||
- name: Make boot files owned by ironic and world-readable
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
mode: 0644
|
||||
copy:
|
||||
src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}"
|
||||
dest: "{{ http_boot_folder }}/"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
loop:
|
||||
- /tftpboot/undionly.kpxe
|
||||
- "/tftpboot/{{ ipxe_full_binary }}"
|
||||
mode: 0644
|
||||
remote_src: true
|
||||
|
||||
- name: "Copy full iPXE image into /tftpboot"
|
||||
copy:
|
||||
src: "{{ ipxe_dir }}/{{ ipxe_full_binary }}"
|
||||
dest: /tftpboot/
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
remote_src: true
|
||||
|
||||
- name: "Set up iPXE for EFI booting"
|
||||
block:
|
||||
@ -78,20 +86,23 @@
|
||||
- test_ipxe_efi_binary_path.stat.exists | bool == false
|
||||
|
||||
- name: "Copy iPXE EFI image into {{ http_boot_folder }}/"
|
||||
copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest={{ http_boot_folder }}/ remote_src=true
|
||||
|
||||
- name: "Copy iPXE EFI image into /tftpboot"
|
||||
copy: src={{ ipxe_dir }}/{{ ipxe_efi_binary }} dest=/tftpboot/ remote_src=true
|
||||
|
||||
- name: Make UEFI boot files owned by ironic and world-readable
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
mode: 0644
|
||||
copy:
|
||||
src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}"
|
||||
dest: "{{ http_boot_folder }}/"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
loop:
|
||||
- "/tftpboot/{{ ipxe_efi_binary }}"
|
||||
- "{{ http_boot_folder }}/{{ ipxe_efi_binary }}"
|
||||
mode: 0644
|
||||
remote_src: true
|
||||
|
||||
- name: "Copy iPXE EFI image into /tftpboot"
|
||||
copy:
|
||||
src: "{{ ipxe_dir }}/{{ ipxe_efi_binary }}"
|
||||
dest: /tftpboot/
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
remote_src: true
|
||||
|
||||
when: enable_uefi_ipxe | bool == true
|
||||
|
||||
# Similar logic to below can be utilized to retrieve files
|
||||
@ -107,8 +118,9 @@
|
||||
# For now, we need to use it, but we can patch that.
|
||||
- name: "Inspector - Place default tftp boot file in {{ http_boot_folder}}/pxelinux.cfg/"
|
||||
template:
|
||||
src=inspector-default-boot-ipxe.j2
|
||||
dest="{{ http_boot_folder }}/pxelinux.cfg/default"
|
||||
owner=ironic
|
||||
group=ironic
|
||||
src: inspector-default-boot-ipxe.j2
|
||||
dest: "{{ http_boot_folder }}/pxelinux.cfg/default"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
when: enable_inspector | bool == true
|
||||
|
@ -25,6 +25,9 @@
|
||||
url: "{{ ipa_kernel_upstream_checksum_url }}"
|
||||
dest: "{{ ipa_kernel }}.{{ ipa_kernel_upstream_checksum_algo }}"
|
||||
timeout: 300
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
register: ipa_kernel_checksum_result
|
||||
ignore_errors: yes
|
||||
- debug:
|
||||
@ -58,6 +61,9 @@
|
||||
get_url:
|
||||
url: "{{ ipa_kernel_upstream_url }}"
|
||||
dest: "{{ ipa_kernel }}"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
checksum: "{{ ipa_kernel_checksum | default(omit) }}"
|
||||
timeout: 300
|
||||
# Keep downloading it until we get a good copy
|
||||
@ -79,6 +85,9 @@
|
||||
url: "{{ ipa_ramdisk_upstream_checksum_url }}"
|
||||
dest: "{{ ipa_ramdisk }}.{{ ipa_ramdisk_upstream_checksum_algo }}"
|
||||
timeout: 300
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
register: ipa_ramdisk_checksum_result
|
||||
ignore_errors: yes
|
||||
- debug:
|
||||
@ -112,6 +121,9 @@
|
||||
get_url:
|
||||
url: "{{ ipa_ramdisk_upstream_url }}"
|
||||
dest: "{{ ipa_ramdisk }}"
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
checksum: "{{ ipa_ramdisk_checksum | default(omit) }}"
|
||||
timeout: 300
|
||||
# Keep downloading it until we get a good copy
|
||||
|
@ -26,6 +26,9 @@
|
||||
url: "https://boot.ipxe.org/{{ item }}"
|
||||
dest: "{{ ipxe_dir }}/{{ item }}"
|
||||
force: yes
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
register: ipxe_files_download_done
|
||||
until: ipxe_files_download_done is succeeded
|
||||
retries: 5
|
||||
@ -39,6 +42,9 @@
|
||||
url: "https://boot.ipxe.org/{{ item }}"
|
||||
dest: "{{ ipxe_dir }}/{{ item }}"
|
||||
force: yes
|
||||
owner: ironic
|
||||
group: ironic
|
||||
mode: 0644
|
||||
register: ipxe_efi_binary_download_done
|
||||
until: ipxe_efi_binary_download_done is succeeded
|
||||
retries: 5
|
||||
|
13
releasenotes/notes/releasenote-341a5eebe6168aea.yaml
Normal file
13
releasenotes/notes/releasenote-341a5eebe6168aea.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
Adds the explicit setting of file access permissions to get_url calls in
|
||||
bifrost ansible playbooks to ensure that the contents of "/httpboot" are
|
||||
world-readable independently of which Ansible version is in use.
|
||||
fixes:
|
||||
- |
|
||||
Resolves the issue with ansible versions 2.9.12 and 2.8.14 where implicit
|
||||
setting of file permissions on files downloaded with get_url calls results
|
||||
in overly restrictive permissions. This leads to access denied while
|
||||
attempting to read the contents of "/httpboot" and results in failed
|
||||
deployments.
|
Loading…
x
Reference in New Issue
Block a user