From d86e3fa479352c887d0c39234616d11ff12b1ecf Mon Sep 17 00:00:00 2001
From: Nishant Kumar
Date: Mon, 28 Oct 2019 15:59:05 +0000
Subject: [PATCH] Support rotation for maas region secret

More details on this bug - https://bugs.launchpad.net/maas/+bug/1850180

Change-Id: I52312ccec74a1973fdb7aebe3bfc6c0088004ad5
---
 .../2.3_region_secret_rotate.patch | 20 +++++++++++++++++++
 images/maas-region-controller/Dockerfile | 3 +++
 2 files changed, 23 insertions(+)
 create mode 100644 images/maas-region-controller/2.3_region_secret_rotate.patch

diff --git a/images/maas-region-controller/2.3_region_secret_rotate.patch b/images/maas-region-controller/2.3_region_secret_rotate.patch
new file mode 100644
index 0000000..d22c5f8
--- /dev/null
+++ b/images/maas-region-controller/2.3_region_secret_rotate.patch
@@ -0,0 +1,20 @@
+diff --git a/src/maasserver/security.py b/src/maasserver/security.py
+index e931b89..44fad1a 100644
+--- a/src/maasserver/security.py
++++ b/src/maasserver/security.py
+@@ -105,10 +105,11 @@ def get_shared_secret_txn():
+ elif secret_in_db == secret_on_fs:
+ secret = secret_in_db # or secret_on_fs.
+ else:
+- raise AssertionError(
+- "The secret stored in the database does not match the secret "
+- "stored on the filesystem at %s. Please investigate." %
+- get_shared_secret_filesystem_path())
++ # (nk613n): When we rotate secrets we only update the filesystem
++ # so if the secrets don't match we will default to the FS
++ # secret and set it in the database (set_config function)
++ secret = secret_on_fs
++ Config.objects.set_config("rpc_shared_secret", to_hex(secret))
+ 
+ return secret
+ 
diff --git a/images/maas-region-controller/Dockerfile b/images/maas-region-controller/Dockerfile
index c4a2307..081b535 100644
--- a/images/maas-region-controller/Dockerfile
+++ b/images/maas-region-controller/Dockerfile
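Review bot: The new `else` branch turns what was a hard integrity failure into a silent overwrite of the database secret with whatever is on the filesystem — the added lines are a comment, `secret = secret_on_fs` and the `set_config` call, with no log line and no sanity check on `secret_on_fs` — so a stale or tampered secret file is now accepted and persisted for any other region controller sharing that database instead of being investigated. I would at least emit a warning through the module's logger before the `Config.objects.set_config(...)` line, naming `get_shared_secret_filesystem_path()` and stating that the on-disk value is being assumed to be a rotation, so an unexpected mismatch stays visible in the logs; the file is read outside this hunk, so whether it is checked for being non-empty and of the expected length before reaching this branch is worth confirming, since the branch writes it to the DB unconditionally. With more than one region controller, each would rewrite the DB value from its own file on this path, so if their files are rotated at different times the stored secret could presumably flip between two values until every file agrees — the rotation procedure should say the file must be updated on every region first. The `(nk613n)` handle in the comment is better left out; `git blame` already records the author. `get_shared_secret_txn` starts before this hunk, so the code that reads `secret_in_db` and `secret_on_fs` is not visible here.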
@@ -75,17 +75,20 @@ COPY 2.3_proxy_acl.patch /tmp/2.3_proxy_acl.patch
 # Patch to add retrying to MaaS BMC user setup, and improve exception handling
 copy 2.3_configure_ipmi_user.patch /tmp/2.3_configure_ipmi_user.patch
 COPY 2.3_secure_headers.patch /tmp/2.3_secure_headers.patch
+COPY 2.3_region_secret_rotate.patch /tmp/2.3_region_secret_rotate.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.3_kernel_package.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/2.3_bios_grub_partition.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_storage.py < /tmp/2.3_bios_grub_preseed.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/2.3_region_secret_rotate.patch
 RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_enlist.sh < /tmp/2.3_maas_enlist.patch
 RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_ipmi_autodetect.py < /tmp/2.3_configure_ipmi_user.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch ipaddr.py < /tmp/2.3_mac_address.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/2.3_proxy_acl.patch
 RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.3_secure_headers.patch
+
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
 RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
 ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service
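Review bot: The new `COPY 2.3_region_secret_rotate.patch` line carries no comment, while the neighbouring `copy 2.3_configure_ipmi_user.patch` is preceded by a one-line explanation of what that patch does; since this patch relaxes a security check in the packaged MAAS module (a DB/filesystem region-secret mismatch now adopts the filesystem value instead of raising), someone auditing the image should not have to open the patch file to learn that. I would add `# Patch: on DB/filesystem region-secret mismatch adopt the filesystem secret (rotation) instead of raising` directly above the new `COPY`. The added `RUN ... patch security.py` line follows the existing pattern, so the build still fails if the hunk stops applying to the packaged 2.3 module, which is the right behaviour and needs no change.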