Fix up config file permissions on the host

Several config file permissions are incorrect on the host. In general, files should be 0660, and directories and executables 0770. Change-Id: Id276ac1864f280554e98b937f2845bb424d521de Closes-Bug: #1821579 (cherry picked from commit a4bb8567da)
2019-03-22 19:18:45 +00:00 · 2019-03-22 19:18:45 +00:00 · fc9384117d
parent c54b0c20d5
commit fc9384117d
29 changed files with 61 additions and 17 deletions
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@ -20,6 +20,7 @@
  file:
    path: /etc/sudoers.d/kolla-ansible-users
    state: touch
+    mode: "0640"
  become: True
  when: create_kolla_user_sudoers | bool

--- a/ansible/roles/ceilometer/tasks/config.yml
+++ b/ansible/roles/ceilometer/tasks/config.yml
@ -21,7 +21,7 @@
    src: "{{ node_custom_config }}/ceilometer/polling.yaml"
    dest: "{{ node_config_directory }}/{{ item.key }}/polling.yaml"
    force: True
-    mode: "0600"
+    mode: "0660"
  become: true
  register: ceilometer_polling_overwriting
  when:
@ -121,6 +121,7 @@
  template:
    src: "pipeline.yaml.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/pipeline.yaml"
+    mode: "0660"
  become: true
  register: ceilometer_pipelines
  when:
@ -161,6 +162,7 @@
  copy:
    src: "{{ node_custom_config }}/vmware_ca"
    dest: "{{ node_config_directory }}/ceilometer-compute/vmware_ca"
+    mode: "0660"
  register: vcenter_ca_file
  when:
    - nova_compute_virt_type == "vmware"
--- a/ansible/roles/ceph/tasks/start_mdss.yml
+++ b/ansible/roles/ceph/tasks/start_mdss.yml
@ -35,7 +35,7 @@
      [mds.{{ item.item }}]
          key = {{ item.keyring.key }}
    dest: "{{ node_config_directory }}/ceph-mds/ceph.mds.{{ inventory_hostname }}.keyring"
-    mode: 0600
+    mode: "0600"
  when:
    - inventory_hostname == item.item
  with_items: "{{ ceph_mds_auth.results }}"
--- a/ansible/roles/ceph/tasks/start_mgrs.yml
+++ b/ansible/roles/ceph/tasks/start_mgrs.yml
@ -15,7 +15,7 @@
      [mgr.{{ item.item }}]
          key = {{ item.keyring.key }}
    dest: "{{ node_config_directory }}/ceph-mgr/ceph.mgr.{{ inventory_hostname }}.keyring"
-    mode: 0600
+    mode: "0600"
  when:
    - inventory_hostname == item.item
  with_items: "{{ ceph_mgr_keyring.results }}"
--- a/ansible/roles/cinder/tasks/config.yml
+++ b/ansible/roles/cinder/tasks/config.yml
@ -68,6 +68,7 @@
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/cinder-api/cinder-wsgi.conf"
+    mode: "0660"
  with_first_found:
    - "{{ node_custom_config }}/cinder/{{ inventory_hostname }}/cinder-wsgi.conf"
    - "{{ node_custom_config }}/cinder/cinder-wsgi.conf"
@ -108,6 +109,7 @@
  template:
    src: "{{ cinder_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ cinder_policy_file }}"
+    mode: "0660"
  register: cinder_policy_overwriting
  when:
    - cinder_policy_file is defined
@ -124,6 +126,7 @@
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/cinder-volume/nfs_shares"
+    mode: "0660"
  with_first_found:
    - files:
        - "{{ node_custom_config }}/nfs_shares.j2"
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@ -16,7 +16,7 @@
  file:
    path: "{{ node_config_directory }}/{{ item }}"
    state: "directory"
-    recurse: yes
+    mode: "0770"
  become: true
  with_items:
    - "fluentd"
--- a/ansible/roles/designate/tasks/backend_external.yml
+++ b/ansible/roles/designate/tasks/backend_external.yml
@ -3,6 +3,7 @@
  template:
    src: "{{ node_custom_config }}/designate/rndc.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/rndc.conf"
+    mode: "0660"
  register: designate_rndc_conf
  when:
    - designate_backend_external == 'bind9'
@ -17,6 +18,7 @@
  template:
    src: "{{ node_custom_config }}/designate/rndc.key"
    dest: "{{ node_config_directory }}/{{ item.key }}/rndc.key"
+    mode: "0660"
  register: designate_rndc_key_file
  when:
    - designate_backend_external == 'bind9'
--- a/ansible/roles/designate/tasks/config.yml
+++ b/ansible/roles/designate/tasks/config.yml
@ -160,7 +160,7 @@
  template:
    src: "{{ designate_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ designate_policy_file }}"
-    mode: "0770"
+    mode: "0660"
  become: true
  register: designate_policy_overwriting
  when:
--- a/ansible/roles/freezer/tasks/config.yml
+++ b/ansible/roles/freezer/tasks/config.yml
@ -83,7 +83,7 @@
  template:
    src: "{{ freezer_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ freezer_policy_file }}"
-    mode: "0770"
+    mode: "0660"
  become: true
  register: freezer_policy_overwriting
  when:
--- a/ansible/roles/gnocchi/tasks/ceph.yml
+++ b/ansible/roles/gnocchi/tasks/ceph.yml
@ -6,6 +6,7 @@
      - "{{ node_custom_config }}/ceph.conf"
      - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf"
    dest: "{{ node_config_directory }}/{{ item }}/ceph.conf"
+    mode: "0660"
  become: true
  when: inventory_hostname in groups[item]
  with_items:
--- a/ansible/roles/gnocchi/tasks/config.yml
+++ b/ansible/roles/gnocchi/tasks/config.yml
@ -99,6 +99,7 @@
  template:
    src: "{{ gnocchi_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ gnocchi_policy_file }}"
+    mode: "0660"
  register: gnocchi_policy_overwriting
  when:
    - gnocchi_policy_file is defined
--- a/ansible/roles/gnocchi/tasks/external_ceph.yml
+++ b/ansible/roles/gnocchi/tasks/external_ceph.yml
@ -3,6 +3,7 @@
  template:
    src: "{{ node_custom_config }}/gnocchi/ceph.conf"
    dest: "{{ node_config_directory }}/{{ item }}/ceph.conf"
+    mode: "0660"
  become: true
  when: inventory_hostname in groups[item]
  with_items:
@ -18,6 +19,7 @@
  copy:
    src: "{{ node_custom_config }}/gnocchi/ceph.client.gnocchi.keyring"
    dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring"
+    mode: "0660"
  become: true
  when: inventory_hostname in groups[item]
  with_items:
--- a/ansible/roles/grafana/tasks/config.yml
+++ b/ansible/roles/grafana/tasks/config.yml
@ -73,6 +73,7 @@
  template:
    src: "{{ node_custom_config }}/grafana/grafana_home_dashboard.json"
    dest: "{{ node_config_directory }}/grafana/grafana_home_dashboard.json"
+    mode: "0660"
  register: grafana_home_dashboard
  when: grafana_custom_dashboard_file.stat.exists
  notify:
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@ -238,7 +238,7 @@
  template:
    src: "{{ ironic_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_policy_file }}"
-    mode: "0770"
+    mode: "0660"
  become: true
  register: ironic_policy_jsons
  when:
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@ -91,6 +91,7 @@
  file:
    dest: "{{ node_config_directory }}/keystone/domains/"
    state: "directory"
+    mode: "0770"
  become: true
  when:
    - inventory_hostname in groups[keystone.group]
--- a/ansible/roles/manila/tasks/config.yml
+++ b/ansible/roles/manila/tasks/config.yml
@ -110,6 +110,7 @@
  template:
    src: "{{ manila_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ manila_policy_file }}"
+    mode: "0660"
  register: manila_policy_overwriting
  when:
    - manila_policy_file is defined
--- a/ansible/roles/mariadb/tasks/recover_cluster.yml
+++ b/ansible/roles/mariadb/tasks/recover_cluster.yml
@ -4,12 +4,17 @@
  when: not has_cluster | bool

 - name: Cleaning up temp file on mariadb hosts
-  file: path=/tmp/kolla_mariadb_grastate.dat state=absent
+  file:
+    path: /tmp/kolla_mariadb_grastate.dat
+    state: absent
  changed_when: false
  check_mode: no

 - name: Cleaning up temp file on localhost
-  local_action: file path=/tmp/kolla_mariadb_recover_inventory_name state=absent
+  local_action:
+    module: file
+    path: /tmp/kolla_mariadb_recover_inventory_name
+    state: absent
  changed_when: false
  check_mode: no
  run_once: true
@ -50,7 +55,9 @@
      register: wsrep_recovery_seqno

    - name: Removing MariaDB log file from /tmp
-      file: path=/tmp/mariadb_tmp.log state=absent
+      file:
+        path: /tmp/mariadb_tmp.log
+        state: absent
      changed_when: false
      check_mode: no

--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@ -36,7 +36,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
-    mode: "0770"
+    mode: "0660"
  register: neutron_config_jsons
  when:
    - item.value.enabled | bool
@ -93,6 +93,7 @@
      - "{{ node_custom_config }}/neutron/neutron_lbaas.conf"
      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron_lbaas.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/neutron_lbaas.conf"
+    mode: "0660"
  register: neutron_lbaas_confs
  when:
    - item.value.enabled | bool
@ -115,6 +116,7 @@
      - "{{ node_custom_config }}/neutron/neutron_vpnaas.conf"
      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron_vpnaas.conf"
    dest: "{{ node_config_directory }}/{{ item.key }}/neutron_vpnaas.conf"
+    mode: "0660"
  register: neutron_vpnaas_confs
  when:
    - item.value.enabled | bool
@ -184,6 +186,7 @@
      - "{{ node_custom_config }}/neutron/sriov_agent.ini"
      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/sriov_agent.ini"
    dest: "{{ node_config_directory }}/{{ service_name }}/sriov_agent.ini"
+    mode: "0660"
  register: neutron_sriov_agent_ini
  when:
    - neutron_sriov_agent.enabled | bool
@ -334,6 +337,7 @@
      - "{{ role_path }}/templates/bgp_dragent.ini.j2"
      - "{{ node_custom_config }}/neutron/bgp_dragent.ini"
    dest: "{{ node_config_directory }}/{{ service_name }}/bgp_dragent.ini"
+    mode: "0660"
  register: neutron_bgp_dragent_ini
  when:
    - neutron_bgp_dragent.enabled | bool
@ -356,6 +360,7 @@
      - "{{ node_custom_config }}/neutron/nsx.ini"
      - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/nsx.ini"
    dest: "{{ node_config_directory }}/{{ service_name }}/nsx.ini"
+    mode: "0660"
  register: nsx_ini
  when:
    - neutron_server.enabled | bool
@ -400,6 +405,7 @@
  template:
    src: neutron-l3-agent-wrapper.sh.j2
    dest: "{{ node_config_directory }}/{{ service_name }}/neutron-l3-agent-wrapper.sh"
+    mode: "0770"
  register: neutron_l3_agent_wrapper
  when:
    - service.enabled | bool
--- a/ansible/roles/nova/tasks/config-nova-fake.yml
+++ b/ansible/roles/nova/tasks/config-nova-fake.yml
@ -4,7 +4,7 @@
  file:
    path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}"
    state: "directory"
-    recurse: yes
+    mode: "0770"
  with_sequence: start=1 end={{ num_nova_fake_per_node }}
  notify:
    - Restart nova-compute-fake containers
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@ -62,7 +62,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
-    mode: "0770"
+    mode: "0660"
  register: config_jsons
  when:
    - inventory_hostname in groups[item.value.group]
@ -125,6 +125,7 @@
  template:
    src: "placement-api-wsgi.conf.j2"
    dest: "{{ node_config_directory }}/placement-api/placement-api-wsgi.conf"
+    mode: "0660"
  register: placement_api_wsgi_conf
  when:
    - inventory_hostname in groups[service.group]
@ -158,6 +159,7 @@
  copy:
    src: "{{ node_custom_config }}/vmware_ca"
    dest: "{{ node_config_directory }}/nova-compute/vmware_ca"
+    mode: "0660"
  register: vcenter_ca_file
  when:
    - nova_compute_virt_type == "vmware"
@ -184,6 +186,7 @@
  template:
    src: "{{ nova_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ nova_policy_file }}"
+    mode: "0660"
  register: nova_policy_overwriting
  when:
    - inventory_hostname in groups[item.value.group]
--- a/ansible/roles/octavia/tasks/config.yml
+++ b/ansible/roles/octavia/tasks/config.yml
@ -72,6 +72,7 @@
  copy:
    src: "{{ node_custom_config }}/octavia/{{ item }}"
    dest: "{{ node_config_directory }}/octavia-housekeeping/{{ item }}"
+    mode: "0660"
  become: true
  register: octavia_housekeeping_certificate
  when:
@ -90,6 +91,7 @@
  copy:
    src: "{{ node_custom_config }}/octavia/{{ item }}"
    dest: "{{ node_config_directory }}/octavia-health-manager/{{ item }}"
+    mode: "0660"
  become: true
  register: octavia_health_manager_certificate
  when:
--- a/ansible/roles/opendaylight/tasks/config.yml
+++ b/ansible/roles/opendaylight/tasks/config.yml
@ -198,6 +198,7 @@
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/opendaylight/10-rest-connector.xml"
+    mode: "0660"
  become: true
  with_first_found:
    - "{{ node_custom_config }}/opendaylight/{{ inventory_hostname }}/10-rest-connector.xml"
--- a/ansible/roles/openvswitch/tasks/config.yml
+++ b/ansible/roles/openvswitch/tasks/config.yml
@ -17,7 +17,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
-    mode: "0770"
+    mode: "0660"
  register: openvswitch_config_jsons
  when:
    - item.value.enabled | bool
@ -33,6 +33,7 @@
  template:
    src: "{{ role_path }}/templates/start-ovs.j2"
    dest: "{{ node_config_directory }}/openvswitch-vswitchd/start-ovs"
+    mode: "0770"
  register: openvswitch_start_ovs
  when:
    - inventory_hostname in groups[service.group]
@ -47,6 +48,7 @@
  template:
    src: "{{ role_path }}/templates/start-ovsdb-server.j2"
    dest: "{{ node_config_directory }}/openvswitch-db-server/start-ovsdb-server"
+    mode: "0770"
  register: openvswitch_start_ovsdb_server
  when:
    - inventory_hostname in groups[service.group]
--- a/ansible/roles/ovs-dpdk/tasks/config.yml
+++ b/ansible/roles/ovs-dpdk/tasks/config.yml
@ -15,6 +15,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
  register: ovsdpdk_config_jsons
  when:
    - item.value.enabled | bool
@ -27,7 +28,7 @@
  copy:
    src: ../tools/ovs-dpdkctl.sh
    dest: "{{ node_config_directory }}/ovsdpdk-db/ovs-dpdkctl.sh"
-    mode: 0777
+    mode: "0770"

 - name: Install ovs-dpdkctl service and config
  become: True
--- a/ansible/roles/prometheus/tasks/config.yml
+++ b/ansible/roles/prometheus/tasks/config.yml
@ -16,6 +16,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
  register: prometheus_config_jsons
  when:
    - inventory_hostname in groups[item.value.group]
@ -30,6 +31,7 @@
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/prometheus-server/prometheus.yml"
+    mode: "0660"
  register: prometheus_confs
  when:
    - inventory_hostname in groups[service.group]
@ -47,6 +49,7 @@
  template:
    src: "{{ item }}"
    dest: "{{ node_config_directory }}/prometheus-alertmanager/prometheus-alertmanager.yml"
+    mode: "0660"
  register: prometheus_alertmanager_confs
  when:
    - inventory_hostname in groups[service.group]
@ -67,6 +70,7 @@
      - "{{ node_custom_config }}/prometheus-mysqld-exporter/my.cnf"
      - "{{ role_path }}/templates/my.cnf.j2"
    dest: "{{ node_config_directory }}/prometheus-mysqld-exporter/my.cnf"
+    mode: "0660"
  register: prometheus_conf_mycnf
  when:
    - inventory_hostname in groups[service.group]
--- a/ansible/roles/rabbitmq/tasks/config.yml
+++ b/ansible/roles/rabbitmq/tasks/config.yml
@ -16,7 +16,7 @@
  template:
    src: "{{ item.key }}.json.j2"
    dest: "{{ node_config_directory }}/{{ project_name }}/config.json"
-    mode: "0770"
+    mode: "0660"
  become: true
  register: rabbitmq_config_jsons
  when:
@ -32,7 +32,7 @@
  template:
    src: "{{ item }}.j2"
    dest: "{{ node_config_directory }}/{{ project_name }}/{{ item }}"
-    mode: "0770"
+    mode: "0660"
  become: true
  register: rabbitmq_confs
  when:
--- a/ansible/roles/swift/tasks/config.yml
+++ b/ansible/roles/swift/tasks/config.yml
@ -181,6 +181,7 @@
  template:
    src: "{{ node_custom_config }}/swift/policy.json"
    dest: "{{ node_config_directory }}/{{ item }}/policy.json"
+    mode: "0660"
  with_items:
    - "swift-account-auditor"
    - "swift-account-reaper"
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@ -92,6 +92,7 @@
  template:
    src: "{{ trove_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ trove_policy_file }}"
+    mode: "0660"
  register: trove_policy_overwriting
  when:
    - trove_policy_file is defined
--- a/ansible/roles/watcher/tasks/config.yml
+++ b/ansible/roles/watcher/tasks/config.yml
@ -70,6 +70,7 @@
  template:
    src: "{{ watcher_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ watcher_policy_file }}"
+    mode: "0660"
  register: watcher_policy_overwriting
  when:
    - watcher_policy_file is defined