
ABI sets /var/lib/etcd/member permissions to 0755 while deploying a SNO

       Before this update, the `agent-based-installer` set the permissions for the etcd directory `/var/lib/etcd/member` to 0755 in single-node OpenShift (SNO) deployments instead of 0700, which is correctly set on a multi-node deployment. With this release, the etcd directory `/var/lib/etcd/member` permissions are set to 0700 for SNO deployments. (link:https://issues.redhat.com/browse/OCPBUGS-61313[OCPBUGS-61313])

      This is a clone of issue OCPBUGS-57021. The following is the description of the original issue:

      Description of problem:

      Deploying a SNO using Agent Based Installer sets permissions for the ETCD data directory, found under /var/lib/etcd/member, as 0755, whereas a multi-node deployment with ABI, or a SNO deployed using IPI, sets the same directory with 700 permissions.
      This was detected while running Compliance Operator CIS benchmark scans and getting different results for rule xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir.

      Version-Release number of selected component (if applicable):

      Agent Based Installer for OCP 4.18 and OCP 4.16

      How reproducible:

      Deploy a SNO using ABI

      Steps to Reproduce:

          1. Deploy a SNO using ABI
          2. Check the permissions for /var/lib/etcd/member
          3. Compare with other deployments
          

      Actual results:

      $ ls -al /var/lib/etcd
      total 8
      drwxr-xr-x.  3 root root   41 Jun  3 12:51 .
      drwxr-xr-x. 36 root root 4096 Jun  3 12:49 ..
      drwxr-xr-x.  4 root root   29 Jun  3 12:50 member
      -rw-r--r--.  1 root root  157 Jun  3 12:51 revision.json

      Expected results:

      $ ls -al /var/lib/etcd
      total 8
      drwxr-xr-x.  3 root root   41 Jun  3 12:02 .
      drwxr-xr-x. 37 root root 4096 Jun  3 12:01 ..
      drwx------.  4 root root   29 Jun  3 12:02 member
      -rw-r--r--.  1 root root  193 Jun  3 12:02 revision.json

      Additional info:

      Sosreports, must-gather, scan reports and ABI deployment files attached to the linked case.
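
The check from step 2 of the reproduction, written as an added example that is not part of the original report or of the installer: it flags any permission bits beyond 0700 on the etcd member directory. The function name `check_etcd_dir_mode`, the `--demo` flag and the temporary directories are assumptions made for illustration, and GNU `stat -c` is assumed to be available on the node.

```shell
#!/bin/sh
# Added example: audit the mode of an etcd data directory against a maximum
# of 0700, the value the report lists as expected for /var/lib/etcd/member.

# check_etcd_dir_mode DIR [MAX_MODE]   (hypothetical helper name)
# Prints one result line. Returns 0 = compliant, 1 = too permissive,
# 2 = DIR is missing, a symlink, or not a directory.
check_etcd_dir_mode() {
    dir=$1
    max=${2:-700}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "ERROR $dir: missing, a symlink, or not a directory"
        return 2
    fi
    mode=$(stat -c '%a' "$dir") || return 2   # GNU stat, octal mode e.g. 755
    # Bits present in the actual mode that the maximum does not allow.
    excess=$(( 0$mode & ~0$max & 07777 ))
    if [ "$excess" -ne 0 ]; then
        printf 'FAIL %s: mode %s exceeds %s (extra bits %o)\n' \
            "$dir" "$mode" "$max" "$excess"
        return 1
    fi
    echo "PASS $dir: mode $mode"
    return 0
}

# Constructed demo: recreate both directory modes from the report in a
# temporary directory and run the check against each.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sno-abi/member" "$tmp/multi-node/member"
    chmod 0755 "$tmp/sno-abi/member"      # mode from "Actual results"
    chmod 0700 "$tmp/multi-node/member"   # mode from "Expected results"
    check_etcd_dir_mode "$tmp/sno-abi/member" || true
    check_etcd_dir_mode "$tmp/multi-node/member" || true
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a node, call `check_etcd_dir_mode /var/lib/etcd/member` as root; a nonzero exit status makes it usable in a post-install validation step.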

              bfournie@redhat.com Robert Fournier
              rhn-support-jveiraca1 Joaquin Veira
              Douglas Hensel Douglas Hensel
              Shane Lovern Shane Lovern