From 6b039f4bbb3b117a8e26e6422bcf2a1f326c65fc Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Tue, 24 Oct 2017 10:11:40 +0300 Subject: [PATCH] chown fernet keys to match container's keystone user and group We used to use the host's keystone user and group. This is wrong since we need to use the container's keystone user and group, which differs from the host. This fixes that. Change-Id: I0a64843c94bb173bb9e418bfca26927c1e2a123f Closes-Bug: #1726727 --- playbooks/rotate-keys.yaml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/playbooks/rotate-keys.yaml b/playbooks/rotate-keys.yaml index 8f4f2242a..0963fb4e2 100644 --- a/playbooks/rotate-keys.yaml +++ b/playbooks/rotate-keys.yaml @@ -11,6 +11,9 @@ - name: Rotate fernet keys for keystone container block: + - set_fact: + keystone_base: /var/lib/config-data/puppet-generated/keystone + - name: Remove previous fernet keys shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/* args: @@ -18,11 +21,14 @@ - name: Persist fernet keys to repository copy: - dest: "/var/lib/config-data/puppet-generated/keystone{{ item.key }}" + dest: "{{ keystone_base }}{{ item.key }}" content: "{{ item.value.content }}" mode: 0600 - owner: keystone - group: keystone + with_dict: "{{ fernet_keys }}" + no_log: true + + - name: Set permissions to match container's user + shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }} with_dict: "{{ fernet_keys }}" no_log: true