Various permission fixes for osdeploy initialize

Fix a few scenarios where certain ordering of initialize creates unworkable permissions.
2025-02-16 10:39:23 +00:00 · 2023-11-13 15:43:11 -05:00 · 2023-11-13 15:43:11 -05:00 · f475d58955
commit f475d58955
parent ec023831a5
3 changed files with 51 additions and 28 deletions
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
@ -373,9 +373,14 @@ def initialize(cmdset):
        for rsp in c.read('/uuid'):
            uuid = rsp.get('uuid', {}).get('value', None)
            if uuid:
-                with open('confluent_uuid', 'w') as uuidout:
-                    uuidout.write(uuid)
-                    uuidout.write('\n')
+                oum = os.umask(0o11)
+                try:
+                    with open('confluent_uuid', 'w') as uuidout:
+                        uuidout.write(uuid)
+                        uuidout.write('\n')
+                    os.chmod('confluent_uuid', 0o644)
+                finally:
+                    os.umask(oum)
    totar.append('confluent_uuid')
    topack.append('confluent_uuid')
    if os.path.exists('ssh'):
@ -403,7 +408,17 @@ def initialize(cmdset):
        if res:
            sys.stderr.write('Error occurred while packing site initramfs')
            sys.exit(1)
-    os.rename(tmpname, '/var/lib/confluent/public/site/initramfs.cpio')
+    oum = os.umask(0o22)
+    try:
+        os.rename(tmpname, '/var/lib/confluent/public/site/initramfs.cpio')
+        os.chown('/var/lib/confluent/public/site/initramfs.cpio', 0o644)
+    finally:
+        os.umask(oum)
+    oum = os.umask(0o22)
+    try:
+        os.chown('/var/lib/confluent/public/site/initramfs.cpio', 0o644)
+    finally:
+        os.umask(oum)
    if cmdset.g:
        updateboot('genesis-x86_64')
    if totar:
@ -411,6 +426,11 @@ def initialize(cmdset):
        tarcmd = ['tar', '-czf', tmptarname] + totar
        subprocess.check_call(tarcmd)
        os.rename(tmptarname, '/var/lib/confluent/public/site/initramfs.tgz')
+        oum = os.umask(0o22)
+        try:
+            os.chown('/var/lib/confluent/public/site/initramfs.tgz', 0o644)
+        finally:
+            os.umask(0o22)
    os.chdir(opath)
    print('Site initramfs content packed successfully')

--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@ -95,27 +95,29 @@ def assure_tls_ca():
        os.makedirs(os.path.dirname(fname))
    except OSError as e:
        if e.errno != 17:
+            os.seteuid(ouid)
            raise
+    try:
+        shutil.copy2('/etc/confluent/tls/cacert.pem', fname)
+        hv, _ = util.run(
+            ['openssl', 'x509', '-in', '/etc/confluent/tls/cacert.pem', '-hash', '-noout'])
+        if not isinstance(hv, str):
+            hv = hv.decode('utf8')
+        hv = hv.strip()
+        hashname = '/var/lib/confluent/public/site/tls/{0}.0'.format(hv)
+        certname = '{0}.pem'.format(collective.get_myname())
+        for currname in os.listdir('/var/lib/confluent/public/site/tls/'):
+            currname = os.path.join('/var/lib/confluent/public/site/tls/', currname)
+            if currname.endswith('.0'):
+                try:
+                    realname = os.readlink(currname)
+                    if realname == certname:
+                        os.unlink(currname)
+                except OSError:
+                    pass
+        os.symlink(certname, hashname)
    finally:
        os.seteuid(ouid)
-    shutil.copy2('/etc/confluent/tls/cacert.pem', fname)
-    hv, _ = util.run(
-        ['openssl', 'x509', '-in', '/etc/confluent/tls/cacert.pem', '-hash', '-noout'])
-    if not isinstance(hv, str):
-        hv = hv.decode('utf8')
-    hv = hv.strip()
-    hashname = '/var/lib/confluent/public/site/tls/{0}.0'.format(hv)
-    certname = '{0}.pem'.format(collective.get_myname())
-    for currname in os.listdir('/var/lib/confluent/public/site/tls/'):
-        currname = os.path.join('/var/lib/confluent/public/site/tls/', currname)
-        if currname.endswith('.0'):
-            try:
-                realname = os.readlink(currname)
-                if realname == certname:
-                    os.unlink(currname)
-            except OSError:
-                pass
-    os.symlink(certname, hashname)

 def substitute_cfg(setting, key, val, newval, cfgfile, line):
    if key.strip() == setting:
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -98,14 +98,15 @@ def initialize_ca():
         preexec_fn=normalize_uid)
    ouid = normalize_uid()
    try:
-        os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
-    except OSError as e:
-        if e.errno != 17:
-            raise
+        try:
+            os.makedirs('/var/lib/confluent/public/site/ssh/', mode=0o755)
+        except OSError as e:
+            if e.errno != 17:
+                raise
+        cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
+        shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
    finally:
        os.seteuid(ouid)
-    cafilename = '/var/lib/confluent/public/site/ssh/{0}.ca'.format(myname)
-    shutil.copy('/etc/confluent/ssh/ca.pub', cafilename)
    #    newent = '@cert-authority * ' + capub.read()