Project

Profile

Help

Issue #2013

SSL certs are created at install time, but should be at setup runtime

Added by mhrivnak over 5 years ago. Updated almost 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Master
Platform Release:
2.13.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 17
Quarter:

Description

The report from Red Hatter Kurt Seifried is quoted below from the corresponding BZ and describes the issue well. We should probably have pulp-manage-db create the certs if they are missing. (And for that matter, we should probably rename it at some point to pulp-setup or something like that.)

Kurt pointed out this resource, which is a valuable guide on the general topic: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup

Version-Release number of selected component (if applicable):

pulp-2.4.1-0.7.beta.el7sat but latest upstream also has it.

How reproducible:

Always.

postinstal:
  openssl genrsa -out $KEY_PATH 2048 &> /dev/null
  openssl rsa -in $KEY_PATH -pubout > $KEY_PATH_PUB 2> /dev/null

Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.

Actual results:

All container and image instances share the same key/cert.
Expected results:

Each instance should receive a unique key/cert.

Additional info:

This bug is being file because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506

The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.

Associated revisions

Revision 7476b6cb View on GitHub
Added by jortel@redhat.com almost 5 years ago

RSA key pair and SSL CA certificate generation removed from pulp.spec. closes #2013

Revision 7476b6cb View on GitHub
Added by jortel@redhat.com almost 5 years ago

RSA key pair and SSL CA certificate generation removed from pulp.spec. closes #2013

History

#1 Updated by amacdona@redhat.com over 5 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 3. High
  • Triaged changed from No to Yes

#2 Updated by jcline@redhat.com over 5 years ago

Note that this probably applies to several subpackages and needs to be fixed in our spec files as well as Fedora's spec files after the keys are generated as part of the first-time setup.

#3 Updated by ipanova@redhat.com about 5 years ago

  • Sprint/Milestone set to 31

#4 Updated by jortel@redhat.com about 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#5 Updated by jortel@redhat.com about 5 years ago

As suggested, I considered the initial-service-setup [1] recommendation but the generated key pair and certificates are required by the pulp code running in httpd. So, there is no pulp service (systemd unit or upstart script) that can be used to hook this into service startup.

The proposal:

1. Move the RSA key pair generation script code out of pulp.spec into a new script named: pulp-gen-key-pair.
2. Remove call to pulp-gen-ca-certificate from pulp.spec.
3. Add new script named: pulp-setup that calls:

  • pulp-gen-key-pair
  • pulp-gen-ca-certificate
  • pulp-mange-db

and update installation documentation to run pulp-setup instead of pulp-manage-db.

4. Leave upgrade documentation referencing pulp-manage-db unchanged.

5. Ensure both pulp-gen-key-pair and pulp-gen-ca-certificate scripts are idempotent. When the generated files exist, they print an appropriate message and exit.

6. Ignore the pulp-gen-nodes-certificate that is called when nodes is installed by the RPM since Sat 6.2 no longer uses nodes and it has been deprecated upstream.

Questions:

1. Thinking of clustered pulp installations - is calling pulp-manage-db by pulp-setup still appropriate?

2. Better ideas?

[1] https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup

#6 Updated by bmbouter about 5 years ago

I really like this write up, thanks @jortel.

I like the idea of pulp-setup, but if all it does is call those 3 scripts I think having the user just call them one after another manually will be fine. My thinking is that it's not doing much at all and the user will get some understanding about pulp-manage-db that will be useful to them at upgrade time. -0 to keeping pulp-set.

Even though nodes is deprecated, I don't think we can knowingly break it until it is removed. To handle that aspect, consider adding documentation to the nodes setup indicating when and where they should call pulp-gen-nodes-certificate. That would be straightforward to do I think.

+1 to pulp-gen-key-pair and pulp-gen-ca-certificate scripts be idempotent and when the generated files exist, they print an appropriate message and exit.

For a clustered install which of these 3 scripts (pulp-gen-key-pair, pulp-gen-ca-certificate, pulp-mange-db) needs to run on all nodes, and which needs to run exactly once?

#7 Updated by bmbouter about 5 years ago

Also, we should consider having someone from product security review this PR

#8 Updated by jortel@redhat.com about 5 years ago

Thanks for the comments, @bmbouter.

bmbouter wrote:

Even though nodes is deprecated, I don't think we can knowingly break it until it is removed. To handle that aspect, consider adding documentation to the nodes setup indicating when and where they should call pulp-gen-nodes-certificate. That would be straightforward to do I think.

Agreed. Good suggestion.

I was not planning to break nodes .. just ignore it (and the problem) by leaving the pulp-gen-node-cert in the pulp.spec. But, I like your idea better :)

For a clustered install which of these 3 scripts (pulp-gen-key-pair, pulp-gen-ca-certificate, pulp-mange-db) needs to run on all nodes, and which needs to run exactly once?

It's my understanding that pulp-manage-db would only be run once for the cluster and pulp-gen-key-pair and pulp-gen-ca-certificate would be run on each node. Is this correct?

#9 Updated by jortel@redhat.com about 5 years ago

  • Status changed from ASSIGNED to POST

#10 Updated by dkliban@redhat.com almost 5 years ago

  • Sprint/Milestone changed from 31 to 32

#11 Updated by mhrivnak almost 5 years ago

  • Sprint/Milestone changed from 32 to 33

#12 Updated by mhrivnak almost 5 years ago

  • Sprint/Milestone changed from 33 to 34

#13 Updated by mhrivnak almost 5 years ago

  • Sprint/Milestone changed from 34 to 36

#14 Updated by jortel@redhat.com almost 5 years ago

  • Status changed from POST to MODIFIED

#15 Updated by pcreech almost 5 years ago

  • Platform Release set to 2.13.0

#16 Updated by pcreech almost 5 years ago

  • Status changed from MODIFIED to 5

#17 Updated by pcreech over 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#18 Updated by bmbouter almost 4 years ago

  • Sprint set to Sprint 17

#19 Updated by bmbouter almost 4 years ago

  • Sprint/Milestone deleted (36)

#20 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF