diff options
author | Steve Baker <sbaker@redhat.com> | 2021-11-17 14:46:02 +1300 |
---|---|---|
committer | Steve Baker <sbaker@redhat.com> | 2021-11-22 08:52:31 +1300 |
commit | 53c01e48a3b5800f6be79f0f78d00b478bc682d1 (patch) | |
tree | 0628bd9515c6d8fb035c014b66c7998a5bbf2272 | |
parent | be7cff6508c0aad1d2e2b30b726328c404329fee (diff) | |
download | ironic-53c01e48a3b5800f6be79f0f78d00b478bc682d1.tar.gz |
Fix redfish-virtual-media file permission
When not using swift with the redfish virtual media boot interface,
in other words local file storage, the file permissions for the
/httpboot/redfish folder was incorrect upon initially being created,
and new file ISOs were being created with permissions based upon the
conductor process umask value which is OS environment dependent.
Change-Id: I038ca335efa9b5443469ab8c8af12863deea0e38
(cherry picked from commit af6cd1093d7b4be25a8bfbbdf1fb13226f6bfa7e)
(cherry picked from commit b1c8976d4bed3ab818fa7dd5b16e24a7507333aa)
-rw-r--r-- | ironic/conf/redfish.py | 8 | ||||
-rw-r--r-- | ironic/drivers/modules/redfish/boot.py | 4 | ||||
-rw-r--r-- | ironic/tests/unit/drivers/modules/redfish/test_boot.py | 13 | ||||
-rw-r--r-- | releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml | 25 |
4 files changed, 45 insertions, 5 deletions
diff --git a/ironic/conf/redfish.py b/ironic/conf/redfish.py index b67f51315..4ef2aa42e 100644 --- a/ironic/conf/redfish.py +++ b/ironic/conf/redfish.py @@ -64,6 +64,14 @@ opts = [ default='nofb nomodeset vga=normal', help=_('Additional kernel parameters for baremetal ' 'Virtual Media boot.')), + cfg.IntOpt('file_permission', + default=0o644, + help=_('File permission for swift-less image hosting with the ' + 'octal permission representation of file access ' + 'permissions. This setting defaults to ``644``, ' + 'or as the octal number ``0o644`` in Python. ' + 'This setting must be set to the octal number ' + 'representation, meaning starting with ``0o``.')), ] diff --git a/ironic/drivers/modules/redfish/boot.py b/ironic/drivers/modules/redfish/boot.py index 755f91bd6..75b04564f 100644 --- a/ironic/drivers/modules/redfish/boot.py +++ b/ironic/drivers/modules/redfish/boot.py @@ -266,12 +266,13 @@ class RedfishVirtualMediaBoot(base.BootInterface): public_dir = os.path.join(CONF.deploy.http_root, cls.IMAGE_SUBDIR) if not os.path.exists(public_dir): - os.mkdir(public_dir, 0x755) + os.mkdir(public_dir, 0o755) published_file = os.path.join(public_dir, object_name) try: os.link(image_file, published_file) + os.chmod(image_file, CONF.redfish.file_permission) except OSError as exc: LOG.debug( @@ -282,6 +283,7 @@ class RedfishVirtualMediaBoot(base.BootInterface): 'error': exc}) shutil.copyfile(image_file, published_file) + os.chmod(published_file, CONF.redfish.file_permission) image_url = os.path.join( CONF.deploy.http_url, cls.IMAGE_SUBDIR, object_name) diff --git a/ironic/tests/unit/drivers/modules/redfish/test_boot.py b/ironic/tests/unit/drivers/modules/redfish/test_boot.py index 09d294041..25717ef01 100644 --- a/ironic/tests/unit/drivers/modules/redfish/test_boot.py +++ b/ironic/tests/unit/drivers/modules/redfish/test_boot.py @@ -235,11 +235,12 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase): mock_swift_api.delete_object.assert_called_once_with( 'ironic_redfish_container', object_name) + @mock.patch.object(os, 'chmod', autospec=True) @mock.patch.object(redfish_boot, 'shutil', autospec=True) @mock.patch.object(os, 'link', autospec=True) @mock.patch.object(os, 'mkdir', autospec=True) def test__publish_image_local_link( - self, mock_mkdir, mock_link, mock_shutil): + self, mock_mkdir, mock_link, mock_shutil, mock_chmod): self.config(use_swift=False, group='redfish') self.config(http_url='http://localhost', group='deploy') @@ -251,15 +252,17 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase): self.assertEqual( 'http://localhost/redfish/boot.iso?filename=file.iso', url) - mock_mkdir.assert_called_once_with('/httpboot/redfish', 0x755) + mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755) mock_link.assert_called_once_with( 'file.iso', '/httpboot/redfish/boot.iso') + mock_chmod.assert_called_once_with('file.iso', 0o644) + @mock.patch.object(os, 'chmod', autospec=True) @mock.patch.object(redfish_boot, 'shutil', autospec=True) @mock.patch.object(os, 'link', autospec=True) @mock.patch.object(os, 'mkdir', autospec=True) def test__publish_image_local_copy( - self, mock_mkdir, mock_link, mock_shutil): + self, mock_mkdir, mock_link, mock_shutil, mock_chmod): self.config(use_swift=False, group='redfish') self.config(http_url='http://localhost', group='deploy') @@ -273,10 +276,12 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase): self.assertEqual( 'http://localhost/redfish/boot.iso?filename=file.iso', url) - mock_mkdir.assert_called_once_with('/httpboot/redfish', 0x755) + mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755) mock_shutil.copyfile.assert_called_once_with( 'file.iso', '/httpboot/redfish/boot.iso') + mock_chmod.assert_called_once_with('/httpboot/redfish/boot.iso', + 0o644) @mock.patch.object(redfish_boot, 'ironic_utils', autospec=True) def test__unpublish_image_local(self, mock_ironic_utils): diff --git a/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml b/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml new file mode 100644 index 000000000..6e0afab9b --- /dev/null +++ b/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml @@ -0,0 +1,25 @@ +--- +upgrade: + - | + Operators may need to check their ``/httpboot/redfish`` folder permissions + if using ``redfish-virtual-media``. The conductor was previously creating + the folder with incorrect permissions. + - | + A permission setting has been added for ``redfish-virtual-media`` boot + interface, which allows for explicit file permission setting when the + driver is being used. The default for the new ``[redfish]file_permission + setting is ``0u644``, or 644 if manually changed using ``chmod`` on the + command line. Operators MAY need to adjust this if they were running the + conductor with a specific ``umask`` to work around the permission setting + defect. +fixes: + - | + Fixes the ``redfish-virtual-media`` and related based drivers to utilize + an explicit file permission instead of rely upon the ironic-conductor + umask, which may be incorrect. This can be tuned with the + ``[redfish]file_permission`` setting. + - | + Fixes an issue where the default folder permission for the + ``redfish-virtual-media`` driver where the folder permissions for the + ``/httpboot/redfish`` folder was being created with incorrect + permissions. |