7ca0cd0cb8
When generating or updating the passwords.yml file for kolla-ansible, kayobe writes out various stages of the process to temporary files in /tmp, in plain text. One of these files can be left in place if there are no changes to apply to the file.

This change ensures that we always remove temporary files containing passwords. We also switch from shutil.copy2 to shutil.copyfile, to keep the permissions of the destination rather than applying those of the source, which are typically more open (644 vs 600).

Depends-On: https://review.openstack.org/647858
Change-Id: Icb290fd22dc01567a4297a42f5e4d765e3b57d37
Story: 2005299
Task: 30187
26 lines
1.1 KiB
YAML
---
security:
  - |
    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
    where if the contents of the file have not changed, a plain text copy of the
    file would be left in /tmp on the Ansible control host.

    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
    user that runs kayobe, with permissions 664 (rw-rw-r--).

    It is recommended to check any systems on which Kayobe has been run for
    copies of the passwords file in /tmp. A simple check for this is `grep -rn
    database_password /tmp`.
fixes:
  - |
    Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
    where if the contents of the file have not changed, a plain text copy of the
    file would be left in /tmp on the Ansible control host.

    The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
    user that runs kayobe, with permissions 664 (rw-rw-r--).

    It is recommended to check any systems on which Kayobe has been run for
    copies of the passwords file in /tmp. A simple check for this is `grep -rn
    database_password /tmp`.
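The two fixes the commit message describes, shown as an added example that is not Kayobe's own code: a staging file that is removed on every path, including the "no changes" one, and the effect of shutil.copy2 versus shutil.copyfile on the destination's mode. The function names, the constructed password values and the 0o644 staging mode are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile

OLD = "database_password: constructed-old\n"  # constructed sample values
NEW = "database_password: constructed-new\n"


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def update_secret_file(dest, new_text, copy=shutil.copyfile, tmp_dir=None):
    """Stage new_text in a temp file and install it over dest only when the
    contents differ. Returns (changed, staging_path)."""
    fd, tmp_path = tempfile.mkstemp(dir=tmp_dir)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp_path, 0o644)  # assumption: staging file more open than dest
        with open(dest) as f:
            changed = f.read() != new_text
        if changed:
            copy(tmp_path, dest)
        return changed, tmp_path
    finally:
        # Also runs on the "no changes" path, so no plain text copy is left.
        os.unlink(tmp_path)


def demo():
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "passwords.yml")
        with open(dest, "w") as f:
            f.write(OLD)
        os.chmod(dest, 0o600)
        changed, tmp = update_secret_file(dest, OLD, tmp_dir=work)
        result = {"unchanged": not changed, "leftover": os.path.exists(tmp)}
        update_secret_file(dest, NEW, tmp_dir=work)  # copyfile keeps dest mode
        result["copyfile_mode"] = mode_of(dest)
        update_secret_file(dest, OLD, copy=shutil.copy2, tmp_dir=work)
        result["copy2_mode"] = mode_of(dest)  # copy2 applies the source mode
        return result


if __name__ == "__main__":
    print(demo())
```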