From c904c7555c28b2978e49655ef7dff40c97ea8fd9 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Wed, 23 Jun 2021 14:06:06 +0200
Subject: [PATCH] Explicit set qemu certificate group ownership

While the certificates get requested with the appropriate group root:qemu [1] and copied to /etc/pki/qemu/ with -a it has seen that the group ownership is not correct on the target certificate files. Lets set explicit group ownership via the run_after script.
Closes-Bug: #1933330
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/nova/nova-libvirt-container-puppet.yaml#L777-L779
Change-Id: I67698dafb3ade4239d8cee868c0333c5ec89472c
---
 deployment/nova/nova-libvirt-container-puppet.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 65c96d0158..0d9323be93 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -796,6 +796,7 @@ outputs:
 chmod 644 /etc/pki/qemu/ca-cert.pem
 cp -a /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem
 cp -a /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem
+ chgrp qemu /etc/pki/qemu/server-*
 chmod 0640 /etc/pki/qemu/server-cert.pem
 chmod 0640 /etc/pki/qemu/server-key.pem
 systemctl reload tripleo_nova_libvirt
@@ -828,6 +829,7 @@ outputs:
 # Copy cert and key to qemu dir
 cp -a /etc/pki/tls/certs/qemu-client-cert.crt /etc/pki/qemu/client-cert.pem
 cp -a /etc/pki/tls/private/qemu-client-cert.key /etc/pki/qemu/client-key.pem
+ chgrp qemu /etc/pki/qemu/client-*
 chmod 0640 /etc/pki/qemu/client-cert.pem
 chmod 0640 /etc/pki/qemu/client-key.pem
 systemctl reload tripleo_nova_libvirt
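Review bot: The added `chgrp qemu /etc/pki/qemu/server-*` uses a glob, so it changes the group of every file in that directory matching the prefix, while the `chmod 0640` lines below it name exactly two files; the same applies to `client-*` in the second hunk. Naming the targets keeps ownership and mode changes on the same set of files: `chgrp qemu /etc/pki/qemu/server-cert.pem /etc/pki/qemu/server-key.pem` (and the `client-` pair likewise). The script's header and error handling are outside both hunks, so it is not visible whether a failing `chgrp` stops the run. If it does not, the private key would be left at mode 0640 under whatever group `cp -a` carried over and `systemctl reload tripleo_nova_libvirt` would still run, so it is worth checking the exit status or confirming the script aborts on error. A short comment such as `# cp -a does not reliably carry the qemu group over; set it explicitly (bug #1933330)` above each `chgrp` would record why the line is there.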