From 7c1ab033326559f27a489bade083a14164908e2e Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Fri, 8 Nov 2019 13:35:43 -0800
Subject: [PATCH] Fix a potential race condition with certs-ramfs

There is a potential race condition in the start order for the amphora-agent service and the certs-ramfs service. This patch configures an explict ordering for the services.

Change-Id: I8e449b19af72d72f6effd52e0a2debb5754a19b3
Story: 2006823
Task: 37396
(cherry picked from commit 1900ee71a51c25d4c0fa1ee79447219cef05b5ef)
---
 .../amphora-agent.conf | 2 +-
 .../amphora-agent.init | 2 +-
 .../amphora-agent.service | 3 ++-
 .../init-scripts/systemd/certs-ramfs.service | 1 +
 .../fix-certs-ramfs-race-561f355d13fc6d14.yaml | 14 ++++++++++++++
 5 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml
diff --git a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf
index a84bbbb90a..addd3af681 100644
--- a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf
+++ b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.conf
@@ -1,6 +1,6 @@
 description "Start up the Octavia Amphora Agent"
-start on runlevel [2345]
+start on started certs-ramfs
 stop on runlevel [!2345]
 respawn
diff --git a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init
index 01a8e27fea..793d59963d 100644
--- a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init
+++ b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.init
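Review bot: In amphora-agent.conf, `start on started certs-ramfs` waits only for the certs-ramfs job to reach its running state, which in Upstart is not the same as the job having finished its work. If that job performs the mount in its main script rather than in `pre-start` (its definition is not part of this patch), the agent can still come up before the encrypted ramfs exists. Neither this stanza nor the `Required-Start` change in amphora-agent.init makes the agent refuse to run when the mount is missing, which is the case the release note flags as the security impact. A `pre-start script` containing `mountpoint -q <CERT_DIR> || exit 1` (placeholder for the ramfs mount path, which the patch does not show) would make the job fail closed. The new condition also drops `runlevel [2345]`, so the agent now follows certs-ramfs regardless of runlevel; confirm that is intended.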
@@ -1,6 +1,6 @@
 ### BEGIN INIT INFO
 # Provides: amphora-agent
-# Required-Start: $remote_fs $syslog $network
+# Required-Start: $remote_fs $syslog $network certs-ramfs
 # Required-Stop: $remote_fs $syslog $network
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
diff --git a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service
index f3a027749b..f57a816d13 100644
--- a/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service
+++ b/elements/amphora-agent/install.d/amphora-agent-source-install/amphora-agent.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=OpenStack Octavia Amphora Agent
-After=network.target syslog.service
+After=network.target syslog.service certs-ramfs.service
+Requires=certs-ramfs.service
 Wants=syslog.service
 [Service]
diff --git a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
index 075067fe1c..b11eee7df6 100644
--- a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=Creates an encrypted ramfs for Octavia certs
+Before=amphora-agent.service
 After=cloud-config.target
 [Service]
diff --git a/releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml b/releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml
new file mode 100644
index 0000000000..06d551a988
--- /dev/null
+++ b/releasenotes/notes/fix-certs-ramfs-race-561f355d13fc6d14.yaml
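Review bot: In amphora-agent.service, `After=certs-ramfs.service` only guarantees the encrypted ramfs is mounted if certs-ramfs.service is a `Type=oneshot` unit. Its `[Service]` section lies outside these hunks, so this should be confirmed; with the default `Type=simple`, systemd treats the unit as started as soon as the process is spawned and the race window stays open. `Requires=` stops the agent when certs-ramfs fails to start, but nothing here checks the result itself. Adding `AssertPathIsMountPoint=<CERT_DIR>` to `[Unit]` (placeholder for the ramfs mount path, which the patch does not show) would make the agent fail closed rather than write TLS material to the root filesystem. The `Before=amphora-agent.service` line added to certs-ramfs.service duplicates this `After=` and is harmless.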
@@ -0,0 +1,14 @@
+---
+upgrade:
+ - |
+ A new amphora image is required to fix the potential certs-ramfs race
+ condition.
+security:
+ - |
+ A race condition between the certs-ramfs and the amphora agent may lead
+ to tenant TLS content being stored on the amphora filesystem instead of
+ in the encrypted RAM filesystem.
+fixes:
+ - |
+ Fixed a potential race condition with the certs-ramfs and amphora agent
+ services.