Merge lp:~jtv/maas/bug-1042865 into lp:~maas-committers/maas/trunk
Status: | Merged |
---|---|
Approved by: | Jeroen T. Vermeulen |
Approved revision: | no longer in the source branch. |
Merged at revision: | 947 |
Proposed branch: | lp:~jtv/maas/bug-1042865 |
Merge into: | lp:~maas-committers/maas/trunk |
Diff against target: |
35 lines (+7/-4) 1 file modified
scripts/maas-import-ephemerals (+7/-4) |
To merge this branch: | bzr merge lp:~jtv/maas/bug-1042865 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Gavin Panella (community) | Approve | ||
Review via email: mp+121990@code.launchpad.net |
Commit message
Fix permissions for ephemeral ("commissioning") PXE image directory in TFTP.
Description of the change
If the import scripts run with an overly strict umask, maas-import-
The reason seems to be that the download code creates a temporary directory to download in, then sets a more permissive umask, and finally calls into maas-provision to install the new image — which copies the temporary directory including its permissions from the time with the stricter umask.
In this branch I address that in two ways:
1. The umask really didn't belong in the inner loop, since it affects global script state. I hoisted it up to a global level, so that the temporary directory is created with the new umask.
2. Before copying the image, I make it world-readable. The "X" flag on chmod pertains to the "search" permission. It sets the "x" bit on directories ("search") but not on files ("execute").
One open question is what happens to systems that had a non-world-readable directory created by an import script run from an older maas version. That might be worth fixing up in postinst for now. We don't need to carry it around forever: a permissions problem with the image go away as soon as the script downloads the first image update. (Also, chmod -R a+rX is much easier to do in shell than in python.)
Sadly, the ephemerals import script has not been made testable and is not tested. I can't even run it locally. We'll have to see in Q/A whether this really fixes the problem.
Jeroen
Nice.