Fix permissions for SSH private key for Ubuntu distro installations

Due to weird postinst logic of keystone-common package permissions for SSH private key that is used for fernet rotation are reset to 0640 which prevents SSH from further functioning. We add post-package installation task that will ensure private key permissions for Ubuntu distro installations specifically. Change-Id: I1ebee33e3cf52cc0a9c474423a4fd5fa7f1cbe81
2024-04-04 22:38:43 +02:00 · 2024-04-04 22:38:43 +02:00 · bc68c6877d
parent e79507f44e
commit bc68c6877d
1 changed files with 11 additions and 0 deletions
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@ -113,6 +113,17 @@
        value: "{{ keystone_venv_tag }}"
        mode: "0644"

+    # NOTE(noonedeadpunk): Ubuntu packages does recursively chmod all files
+    #                      for keystone user $HOME:
+    #                      https://bugs.launchpad.net/cloud-archive/+bug/2060235
+    - name: Ensure SSH keys has right permissions
+      file:
+        path: "{{ keystone_system_user_home }}/.ssh/id_rsa"
+        mode: "0600"
+      when:
+        - install_packages is changed
+        - ansible_facts['distribution'] | lower == 'ubuntu'
+
    - name: Initialise the upgrade facts
      ini_file:
        dest: "/etc/ansible/facts.d/openstack_ansible.fact"