2bd15db036
Problem: libvirt password/key injection uses libguestfs to mount the guest filesystem. libguestfs uses a supermin appliance, and in order to create this appliance, libguestfs (running as nova user) must read the host's kernel. Unfortunately, Ubuntu sets file permissions which make compressed kernels non-readable to non-root users, and this breaks libvirt password/key injection on compute hosts running Ubuntu. Solution: When compute hosts are running Ubuntu AND the deployer has enabled libvirt password or SSH key injection, do the following: - Run `dpkg-statoverride` to set file permissions on compressed kernel (/boot/vmlinuz-*), readable to group 'nova' - Install a script which does same for each new kernel installed via system updates in the future Related-Bug: #1507915 Change-Id: Ic96b69bb80ce11001b2ee5d63324a12b0f68456d
21 lines
694 B
Bash
21 lines
694 B
Bash
#/bin/sh
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
set -e
|
|
version="$1"
|
|
if [ -z "$version" ]; then
|
|
exit 0
|
|
fi
|
|
exec dpkg-statoverride --update --add root nova 0640 "/boot/vmlinuz-${version}"
|