From 94c7752cfae64d96124a32bc36ccd6ec7b4df4a7 Mon Sep 17 00:00:00 2001
From: Steven Hardy
Date: Mon, 4 Sep 2017 13:53:04 +0100
Subject: [PATCH] Set mode for ansible written files
Use a more restrictive mode for these files, as some may contain sensitive data which shouldn't be world readable
Closes-Bug: #1714986
Change-Id: Ib1e79b1d4e25d6e329938402b1ca776bdab81bdd
---
 common/deploy-steps-tasks.yaml | 2 +-
 common/deploy-steps.j2 | 14 +++++++-------
 docker/docker-puppet.py | 1 +
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/common/deploy-steps-tasks.yaml b/common/deploy-steps-tasks.yaml
index f072942559..73d3036cf4 100644
--- a/common/deploy-steps-tasks.yaml
+++ b/common/deploy-steps-tasks.yaml
@@ -5,7 +5,7 @@
 # Per step puppet configuration of the baremetal host
 #####################################################
 - name: Write the config_step hieradata
- copy: content="{{dict(step=step|int)|to_json}}" dest=/etc/puppet/hieradata/config_step.json force=true
+ copy: content="{{dict(step=step|int)|to_json}}" dest=/etc/puppet/hieradata/config_step.json force=true mode=0600
 - name: Run puppet host configuration for step {{step}}
 command: >-
 puppet apply
diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2
index 3af48464f1..1119fb6080 100644
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@@ -190,29 +190,29 @@ resources:
 - name: Create /var/lib/tripleo-config directory
 file: path=/var/lib/tripleo-config state=directory
 - name: Write the puppet step_config manifest
- copy: content="{{puppet_step_config}}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes
+ copy: content="{{puppet_step_config}}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
 # this creates a JSON config file for our docker-puppet.py script
 - name: Create /var/lib/docker-puppet
 file: path=/var/lib/docker-puppet state=directory
 - name: Write docker-puppet-tasks json files
- copy: content="{{puppet_config | to_json}}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes
+ copy: content="{{puppet_config | to_json}}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
 # FIXME: can we move docker-puppet somewhere so it's installed via a package?
 - name: Write docker-puppet.py
- copy: content="{{docker_puppet_script}}" dest=/var/lib/docker-puppet/docker-puppet.py force=yes
+ copy: content="{{docker_puppet_script}}" dest=/var/lib/docker-puppet/docker-puppet.py force=yes mode=0600
 # Here we are dumping all the docker container startup configuration data
 # so that we can have access to how they are started outside of heat
 # and docker-cmd. This lets us create command line tools to test containers.
 # FIXME do we need the docker-container-startup-configs.json or is the new per-step
 # data consumed by paunch enough?
- name: Write docker-container-startup-configs
- copy: content="{{docker_startup_configs | to_json}}" dest=/var/lib/docker-container-startup-configs.json force=yes
+ copy: content="{{docker_startup_configs | to_json}}" dest=/var/lib/docker-container-startup-configs.json force=yes mode=0600
 - name: Write per-step docker-container-startup-configs
- copy: content="{{item.value|to_json}}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{item.key}}.json" force=yes
+ copy: content="{{item.value|to_json}}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{item.key}}.json" force=yes mode=0600
 with_dict: "{{docker_startup_configs}}"
 - name: Create /var/lib/kolla/config_files directory
 file: path=/var/lib/kolla/config_files state=directory
 - name: Write kolla config json files
- copy: content="{{item.value|to_json}}" dest="{{item.key}}" force=yes
+ copy: content="{{item.value|to_json}}" dest="{{item.key}}" force=yes mode=0600
 with_dict: "{{kolla_config}}"
 ########################################################
 # Bootstrap tasks, only performed on bootstrap_server_id
@@ -225,7 +225,7 @@ resources:
 - /var/lib/docker-puppet/docker-puppet-tasks*.json
 when: deploy_server_id == bootstrap_server_id
 - name: Write docker-puppet-tasks json files
- copy: content="{{item.value|to_json}}" dest=/var/lib/docker-puppet/docker-puppet-tasks{{item.key.replace("step_", "")}}.json force=yes
+ copy: content="{{item.value|to_json}}" dest=/var/lib/docker-puppet/docker-puppet-tasks{{item.key.replace("step_", "")}}.json force=yes mode=0600
 with_dict: "{{docker_puppet_tasks}}"
 when: deploy_server_id == bootstrap_server_id
 {%- endraw %}
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 4659cf53d3..a9d4ad2165 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
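Review bot: The kolla config json files written with `dest="{{item.key}}"` are, as far as this hunk shows, consumed by something other than this playbook (presumably from inside the containers), and a root-owned 0600 file is unreadable to any consumer that does not run as root; before relying on this mode it is worth confirming that every reader of these files runs as root, and the same question applies to docker-puppet.json here and to the docker-puppet-tasks*.json files in the second hunk at -225. A comment above the kolla task would record that assumption, e.g. `# 0600: these files may carry secrets; every consumer must read them as root`. Writing `docker-puppet.py` itself at 0600 is only safe if it is always invoked through the interpreter rather than executed directly, which the hunk does not show. As I read the copy module, `mode` is applied even when the content is unchanged, so files left at a wider mode by an earlier deployment are tightened on the next run as well.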
@@ -366,6 +366,7 @@ for infile in infiles:
 outfile = os.path.join(os.path.dirname(infile),
 "hashed-" + os.path.basename(infile))
 with open(outfile, 'w') as out_f:
+ os.chmod(out_f.name, 0600)
 json.dump(infile_data, out_f)
 if not success:
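Review bot: The added `os.chmod(out_f.name, 0600)` runs after `open(outfile, 'w')` has already created the file with umask-derived permissions, so a fresh `hashed-*` file briefly exists world-readable before the chmod lands, and the `0600` literal is Python 2-only syntax (a SyntaxError under Python 3, where `0o600` is required and which Python 2.6+ also accepts). Creating the file with the restrictive mode from the start avoids both: `fd = os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, `with os.fdopen(fd, 'w') as out_f:`, `os.fchmod(fd, 0o600)` — the fchmod keeps the tightening for a file that already existed with a wider mode, since the mode passed to os.open only applies on creation. The enclosing `for infile in infiles:` loop starts outside the hunk.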