From a720ccdbc88943be634091c79c3c084cbdca235f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 26 Jul 2021 11:12:59 -0400
Subject: [PATCH] Set ownership/permissions of private section

Fix confluent being unable to read, and make the permissions more consistent.
---
 imgutil/imgutil | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/imgutil/imgutil b/imgutil/imgutil
index 8b24459d..6e13f1b2 100644
--- a/imgutil/imgutil
+++ b/imgutil/imgutil
@@ -173,6 +173,8 @@ def capture_remote(opts, args):
 mkdirp(os.path.join(privdir, 'pending'))
 subprocess.check_call(['rsync', '-a', '{0}:/run/imgutil/private.key'.format(targ), '{}/pending/rootimg.key'.format(privdir)])
 os.umask(oum)
+ subprocess.check_call(['chown', '-R', 'confluent', privdir])
+ subprocess.check_call(['chmod', 'og-rwx', '-R', privdir])
 sys.stdout.write('Done\n')
 sys.stdout.flush()
 subprocess.check_call(['ssh', '-t', targ, 'python3', '/run/imgutil/capenv/imgutil', 'capturelocalcleanup'])
@@ -771,7 +773,9 @@ def pack_image(opts, args):
 initrdname = os.path.join(args[0], 'boot/initramfs-{0}.img'.format(mostrecent))
 if not os.path.exists(initrdname):
 initrdname = os.path.join(args[0], 'boot/initrd-{0}'.format(mostrecent))
+ oum = os.umask(0o077)
 mkdirp(os.path.join(privdir, 'pending/'))
+ os.umask(oum)
 mkdirp(os.path.join(outdir, 'boot/efi/boot'))
 mkdirp(os.path.join(outdir, 'boot/initramfs'))
 profname = os.path.basename(outdir)
@@ -809,6 +813,7 @@ def pack_image(opts, args):
 try:
 pwd.getpwnam('confluent')
 subprocess.check_call(['chown', '-R', 'confluent', outdir])
+ subprocess.check_call(['chown', '-R', 'confluent', privdir])
 if tryupdate:
 subprocess.check_call(['osdeploy', 'updateboot', profname])
 except KeyError:
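Review bot: The added `chown -R confluent` in capture_remote runs unconditionally, whereas pack_image only runs its chown after `pwd.getpwnam('confluent')` has succeeded. On a host without that account, check_call raises CalledProcessError and the `capturelocalcleanup` ssh call later in this hunk is never reached, which (judging by the command name) would leave /run/imgutil/private.key on the captured system. I would guard the chown with the same `pwd.getpwnam('confluent')` / `except KeyError` pattern and run the `chmod` first, so the key copy is tightened even when the chown is skipped. The body of capture_remote starts and ends outside the hunk, so any existing error handling around these calls is not visible here.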
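Review bot: The `os.umask(0o077)` wrapped around `mkdirp(os.path.join(privdir, 'pending/'))` in pack_image only affects directories that this call creates; a privdir or pending directory left from an earlier run keeps its existing mode, and anything created after `os.umask(oum)` gets the caller's umask again. capture_remote follows its chown with a recursive chmod, but pack_image does not, so I would add `subprocess.check_call(['chmod', '-R', 'og-rwx', privdir])` beside the new `chown -R confluent privdir` in the last hunk, outside the `pwd.getpwnam` guard if the tightening should apply whether or not the account exists. Restoring the umask in a `try`/`finally` would also keep a failing mkdirp from leaving 0o077 in effect for the rest of the process. pack_image extends beyond both hunks, so later writes into privdir are not visible here.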