From a6bbe528973976b95a5ce39647f0176b8f1c84a3 Mon Sep 17 00:00:00 2001
From: Zhu Sheng Li
Date: Tue, 11 Aug 2020 17:10:23 +0800
Subject: [PATCH] Ensure image files are readable to apache

If the umask on undercloud is set as something like `077`, the image files created with `sudo` will not be readable to `others` including `apache`, which will cause 403 forbidden during image pulling on overcloud. So set the permission explicitly just like we already did for `make_dir` function.

Change-Id: I0f44b21be981f230abdf9baee4eab747a9a46114
---
 tripleo_common/image/image_export.py | 4 +++-
 tripleo_common/tests/image/test_image_export.py | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/tripleo_common/image/image_export.py b/tripleo_common/image/image_export.py
index 135e4a8e2..93c4b2859 100644
--- a/tripleo_common/image/image_export.py
+++ b/tripleo_common/image/image_export.py
@@ -110,7 +110,9 @@ def export_stream(target_url, layer, layer_stream, verify_digest=True):
 (image, blob_path))
 try:
- with open(blob_path, 'wb') as f:
+ fd = os.open(blob_path, os.O_WRONLY | os.O_CREAT)
+ os.fchmod(fd, 0o0644)
+ with open(fd, 'wb') as f:
 count = 0
 for chunk in layer_stream:
 count += 1
diff --git a/tripleo_common/tests/image/test_image_export.py b/tripleo_common/tests/image/test_image_export.py
index d3e689b2b..0cee92df1 100644
--- a/tripleo_common/tests/image/test_image_export.py
+++ b/tripleo_common/tests/image/test_image_export.py
@@ -90,6 +90,7 @@ class TestImageExport(base.TestCase):
 }
 calc_digest = hashlib.sha256()
 layer_stream = io.BytesIO(blob_compressed)
+ mask = os.umask(0o077)
 layer_digest, _ = image_export.export_stream(
 target_url, layer, layer_stream, verify_digest=False
 )
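Review bot: The new `os.open(blob_path, os.O_WRONLY | os.O_CREAT)` in `export_stream` no longer truncates an existing file the way `open(blob_path, 'wb')` did, so writing over a longer leftover blob would keep its stale trailing bytes and the stored content would no longer match the layer digest. Add the flag and an explicit create mode, `fd = os.open(blob_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)`, and keep `os.fchmod(fd, 0o644)` to override the umask. The descriptor is also left open if `os.fchmod` or `open(fd, 'wb')` raises before the `with` block takes ownership of it, a path the existing `MemoryError` test that patches `open` appears to exercise; closing `fd` on that path would avoid the leak. The `try` body continues outside the hunk.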
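Review bot: `mask = os.umask(0o077)` changes the umask of the whole test process, and it is restored only by `os.umask(mask)` in the following hunk, after the `export_stream` call and several assertions. If any of those raise, every later test in the run creates files under 077. Register the restore at the point of change instead, `self.addCleanup(os.umask, os.umask(0o077))`, and drop the later `os.umask(mask)` line. The test method starts and ends outside this hunk.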
@@ -106,6 +107,10 @@ class TestImageExport(base.TestCase):
 with open(blob_path, 'rb') as f:
 self.assertEqual(blob_compressed, f.read())
+ os.umask(mask)
+ blob_mode = oct(os.stat(blob_path).st_mode)
+ self.assertEqual('644', blob_mode[-3:])
+
 @mock.patch('tripleo_common.image.image_export.open',
 side_effect=MemoryError())
 def test_export_stream_memory_error(self, mock_open):
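Review bot: Slicing the last three characters of `oct(os.stat(blob_path).st_mode)` is an indirect way to check permission bits and produces an opaque failure message; compare the masked mode directly with `self.assertEqual(0o644, os.stat(blob_path).st_mode & 0o777)`. The assertion also only covers a blob that is freshly created under the restrictive umask. A second case where `blob_path` already exists with a tighter mode and different content would pin down what the export does when it overwrites a file, which the permission fix presumably also has to handle.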