Browse Source

Merge "Fix a potential race condition with certs-ramfs"

changes/98/694698/1
Zuul 3 weeks ago
parent
commit
31139e61c8
5 changed files with 19 additions and 3 deletions
  1. +1
    -1
      elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf
  2. +1
    -1
      elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init
  3. +2
    -1
      elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service
  4. +1
    -0
      elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
  5. +14
    -0
      releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml

+ 1
- 1
elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf View File

@@ -1,6 +1,6 @@
description "Start up the Octavia Amphora Agent"

start on runlevel [2345]
start on started certs-ramfs
stop on runlevel [!2345]

respawn

+ 1
- 1
elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init View File

@@ -1,6 +1,6 @@
### BEGIN INIT INFO
# Provides: amphora-agent
# Required-Start: $remote_fs $syslog $network
# Required-Start: $remote_fs $syslog $network certs-ramfs
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6

+ 2
- 1
elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service View File

@@ -1,6 +1,7 @@
[Unit]
Description=OpenStack Octavia Amphora Agent
After=network.target syslog.service
After=network.target syslog.service certs-ramfs.service
Requires=certs-ramfs.service
Wants=syslog.service

[Service]

+ 1
- 0
elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service View File

@@ -1,5 +1,6 @@
[Unit]
Description=Creates an encrypted ramfs for Octavia certs
Before=amphora-agent.service
After=cloud-config.target

[Service]

+ 14
- 0
releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml View File

@@ -0,0 +1,14 @@
---
upgrade:
- |
A new amphora image is required to fix the potential certs-ramfs race
condition.
security:
- |
A race condition between the certs-ramfs and the amphora agent may lead
to tenant TLS content being stored on the amphora filesystem instead of
in the encrypted RAM filesystem.
fixes:
- |
Fixed a potential race condition with the certs-ramfs and amphora agent
services.

Loading…
Cancel
Save