Fix keyring data migration in an upgrade

During an upgrade, keyring data migration does not preserve the group
ownership of the keyring platform directory "/opt/platform/.keyring",
from the previous release.
This commit changes the group ownership of the "/opt/platform/.keyring"
directory (including its subdirectories and files) from "root" to
"sys_protected", to support access privileges for OpenLDAP/WAD users in
the upgraded release.

Test Plan:
PASS: Verify upgrade procedure executed without errors in AIO-SX.
PASS: Verify the group ownership change was recursively applied to
directory "/opt/platform/.keyring", meaning all of its subdirectories
and files belong to "sys_protected" group, in the upgraded release.
PASS: After upgrade, verify that an openldap user that is part of the
"sys_protected" group can execute the command:
"source /etc/platform/openrc".
PASS: After upgrade, verify that a WAD user that is part of the
"sys_protected" group can execute the command:
"source /etc/platform/openrc".

Story: 2011180
Task: 51109

Change-Id: I4e2f9c85e0919db54a7acc52ce8f7eeea1068508
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Carmen Rata
2024-10-02 13:19:09 +00:00
parent fb6979102c
commit 9b9a1304cd
2 changed files with 17 additions and 2 deletions


@@ -21,6 +21,7 @@ PUPPET_PATH = PLATFORM_PATH + "/puppet/" + SW_VERSION + "/"
HIERADATA_PERMDIR = PUPPET_PATH + 'hieradata'
KEYRING_WORKDIR = '/tmp/python_keyring'
KEYRING_DIR_PATH = PLATFORM_PATH + "/.keyring"
KEYRING_PATH = PLATFORM_PATH + "/.keyring/" + SW_VERSION
KEYRING_PERMDIR = KEYRING_PATH
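Review bot: `KEYRING_PATH` still spells out the `"/.keyring/"` literal, although `KEYRING_DIR_PATH` in the same block now carries that directory. Deriving one from the other, `KEYRING_PATH = KEYRING_DIR_PATH + "/" + SW_VERSION`, keeps the two from drifting apart if the directory name ever changes. A short comment on `KEYRING_DIR_PATH` saying it is the release-independent parent whose group ownership the upgrade code adjusts would also help readers.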


@@ -54,10 +54,24 @@ def migrate_keyring_data(from_release, to_release):
# First delete any keyring files for the to_release - they can be created
# if release N+1 nodes are incorrectly left powered up when the release N
# load is installed.
target_path = os.path.join(constants.PLATFORM_PATH, ".keyring", to_release)
target_path = os.path.join(constants.KEYRING_DIR_PATH, to_release)
shutil.rmtree(target_path, ignore_errors=True)
shutil.copytree(os.path.join(constants.PLATFORM_PATH, ".keyring", from_release), target_path)
shutil.copytree(os.path.join(constants.KEYRING_DIR_PATH, from_release), target_path)
# change group ownership to sys_protected for keyring directory
if os.path.isdir(constants.KEYRING_DIR_PATH):
chgrp_cmd = 'chgrp -R sys_protected ' + constants.KEYRING_DIR_PATH
try:
LOG.info("Executing keyring migrate command: %s" % chgrp_cmd)
subprocess.check_call([chgrp_cmd],
shell=True, stdout=sout, stderr=sout)
except subprocess.CalledProcessError as ex:
LOG.exception("Failed to execute command: '%s' during upgrade "
"processing, return code: %d" % (chgrp_cmd, ex.returncode))
raise
else:
LOG.error("Directory %s does not exist" % constants.KEYRING_DIR_PATH)
raise Exception("keyring directory cannot be found")
def migrate_pxeboot_config(from_release, to_release):
"""Migrates pxeboot configuration. """
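Review bot: The new `subprocess.check_call([chgrp_cmd], shell=True, ...)` call builds a command string by concatenation and runs it through a shell, in an upgrade step that presumably runs with root privileges, although nothing in it needs a shell. Passing an argument vector instead, `subprocess.check_call(['chgrp', '-R', 'sys_protected', constants.KEYRING_DIR_PATH], stdout=sout, stderr=sout)`, removes the shell and keeps working if the path ever contains spaces or metacharacters. The `else` side of the `os.path.isdir` guard looks unreachable, because `shutil.copytree` has either just created `target_path` beneath that directory or raised; if the guard stays, a specific exception type would be easier for callers to handle than a bare `Exception`. `sout` and the start of `migrate_keyring_data` lie outside the hunk, so the stream handling cannot be checked from here.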