Set mode for ansible written files

Use a more restrictive mode for these files, as some may contain sensitive data which shouldn't be world readable Closes-Bug: #1714986 Change-Id: Ib1e79b1d4e25d6e329938402b1ca776bdab81bdd
2017-09-04 13:53:04 +01:00 · 2017-09-04 13:53:04 +01:00 · 94c7752cfa
commit 94c7752cfa
parent 67f0f94dc7
3 changed files with 9 additions and 8 deletions
--- a/common/deploy-steps-tasks.yaml
+++ b/common/deploy-steps-tasks.yaml
@ -5,7 +5,7 @@
    # Per step puppet configuration of the baremetal host
    #####################################################
    - name: Write the config_step hieradata
-      copy: content="{{dict(step=step|int)|to_json}}" dest=/etc/puppet/hieradata/config_step.json force=true
+      copy: content="{{dict(step=step|int)|to_json}}" dest=/etc/puppet/hieradata/config_step.json force=true mode=0600
    - name: Run puppet host configuration for step {{step}}
      command: >-
        puppet apply
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@ -190,29 +190,29 @@ resources:
                      - name: Create /var/lib/tripleo-config directory
                        file: path=/var/lib/tripleo-config state=directory
                      - name: Write the puppet step_config manifest
-                        copy: content="{{puppet_step_config}}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes
+                        copy: content="{{puppet_step_config}}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
                      # this creates a JSON config file for our docker-puppet.py script
                      - name: Create /var/lib/docker-puppet
                        file: path=/var/lib/docker-puppet state=directory
                      - name: Write docker-puppet-tasks json files
-                        copy: content="{{puppet_config | to_json}}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes
+                        copy: content="{{puppet_config | to_json}}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
                      # FIXME: can we move docker-puppet somewhere so it's installed via a package?
                      - name: Write docker-puppet.py
-                        copy: content="{{docker_puppet_script}}" dest=/var/lib/docker-puppet/docker-puppet.py force=yes
+                        copy: content="{{docker_puppet_script}}" dest=/var/lib/docker-puppet/docker-puppet.py force=yes mode=0600
                      # Here we are dumping all the docker container startup configuration data
                      # so that we can have access to how they are started outside of heat
                      # and docker-cmd.  This lets us create command line tools to test containers.
                      # FIXME do we need the docker-container-startup-configs.json or is the new per-step
                      # data consumed by paunch enough?
                      - name: Write docker-container-startup-configs
-                        copy: content="{{docker_startup_configs | to_json}}" dest=/var/lib/docker-container-startup-configs.json force=yes
+                        copy: content="{{docker_startup_configs | to_json}}" dest=/var/lib/docker-container-startup-configs.json force=yes mode=0600
                      - name: Write per-step docker-container-startup-configs
-                        copy: content="{{item.value|to_json}}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{item.key}}.json" force=yes
+                        copy: content="{{item.value|to_json}}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{item.key}}.json" force=yes mode=0600
                        with_dict: "{{docker_startup_configs}}"
                      - name: Create /var/lib/kolla/config_files directory
                        file: path=/var/lib/kolla/config_files state=directory
                      - name: Write kolla config json files
-                        copy: content="{{item.value|to_json}}" dest="{{item.key}}" force=yes
+                        copy: content="{{item.value|to_json}}" dest="{{item.key}}" force=yes mode=0600
                        with_dict: "{{kolla_config}}"
                      ########################################################
                      # Bootstrap tasks, only performed on bootstrap_server_id
@ -225,7 +225,7 @@ resources:
                          - /var/lib/docker-puppet/docker-puppet-tasks*.json
                        when: deploy_server_id == bootstrap_server_id
                      - name: Write docker-puppet-tasks json files
-                        copy: content="{{item.value|to_json}}" dest=/var/lib/docker-puppet/docker-puppet-tasks{{item.key.replace("step_", "")}}.json force=yes
+                        copy: content="{{item.value|to_json}}" dest=/var/lib/docker-puppet/docker-puppet-tasks{{item.key.replace("step_", "")}}.json force=yes mode=0600
                        with_dict: "{{docker_puppet_tasks}}"
                        when: deploy_server_id == bootstrap_server_id
 {%- endraw %}
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@ -366,6 +366,7 @@ for infile in infiles:
    outfile = os.path.join(os.path.dirname(infile), "hashed-" + os.path.basename(infile))
    with open(outfile, 'w') as out_f:
        os.chmod(out_f.name, 0600)
        json.dump(infile_data, out_f)
 if not success: