Madhuvishy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/360779 )
Change subject: tools: Fix maintain-kubeusers
......................................................................
tools: Fix maintain-kubeusers
Multiple errors were introduced in aedd882 when the chattr call was
added for each tool's $HOME/.kube/config file. The most egregious is
that this script runs on a host where the tool directories are mounted
via NFS which does not support `chattr +i` operations. For the chattr to
be applied it would need to be run on the NFS master.
Bug: T165875
Change-Id: I7a146d0a724d75d982125e35e64bc0044caa4dca
---
M modules/toollabs/files/maintain-kubeusers
1 file changed, 3 insertions(+), 5 deletions(-)
Approvals:
Madhuvishy: Verified; Looks good to me, approved
BryanDavis: Looks good to me, but someone else must approve
diff --git a/modules/toollabs/files/maintain-kubeusers
b/modules/toollabs/files/maintain-kubeusers
index c3d0203..acb86ec 100755
--- a/modules/toollabs/files/maintain-kubeusers
+++ b/modules/toollabs/files/maintain-kubeusers
@@ -255,18 +255,16 @@
path = os.path.join(dirpath, 'config')
# exist_ok=True is fine here, and not a security issue (Famous last
words?).
os.makedirs(dirpath, mode=0o775, exist_ok=True)
- os.fchown(f, int(user.id), int(user.id))
+ os.chown(dirpath, int(user.id), int(user.id))
f = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)
try:
os.write(f, json.dumps(config, indent=4,
sort_keys=True).encode('utf-8'))
# uid == gid
os.fchown(f, int(user.id), int(user.id))
os.fchmod(f, 0o400)
- # Prevent removal or modification of the credentials file by users
- subprocess.check_output(['/usr/bin/chattr', '+i', file_path])
- logging.info('Write config in %s', path)
+ logging.info('Wrote config in %s', path)
except:
- logging.exception()
+ logging.exception('Error creating %s', path)
raise
finally:
os.close(f)
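Review bot: The added os.chown(dirpath, int(user.id), int(user.id)) follows symlinks, while the os.open call on the next line takes care to pass O_NOFOLLOW. Because makedirs is called with exist_ok=True, a pre-existing dirpath that is a symlink to a directory would pass and its target would be re-owned. Consider os.chown(dirpath, uid, uid, follow_symlinks=False), or refusing to continue when os.path.islink(dirpath) is true. Two smaller points on the same hunk: os.open is given no mode argument and the JSON is written before os.fchmod(f, 0o400), so a newly created file holds the credentials with umask-derived permissions for a short time, which passing mode=0o400 to os.open would avoid. And with the chattr call and its comment removed, nothing visible here keeps the owner of dirpath from removing or replacing the config file, so it would help to note in a comment whether that protection is being dropped deliberately or moved elsewhere. The bare except: is harmless since it re-raises, but except Exception: would state the intent more clearly.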
--
To view, visit https://gerrit.wikimedia.org/r/360779
Gerrit-MessageType: merged
Gerrit-Change-Id: I7a146d0a724d75d982125e35e64bc0044caa4dca
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Coren <[email protected]>
Gerrit-Reviewer: Madhuvishy <[email protected]>
Gerrit-Reviewer: Merlijn van Deen <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>