This repository has been archived by the owner on May 30, 2023. It is now read-only.

app-admin/etcd-wrapper: Adjust data dir permissions, Bump to 3.3.24 #536

Merged
merged 2 commits into from
Aug 19, 2020


sayanchowdhury
Contributor

@sayanchowdhury sayanchowdhury commented Aug 19, 2020

app-admin/etcd-wrapper: Adjust data dir permissions

From version 3.3.23, the permission of the data-dir is checked,
and should be 700 in Linux

Backports PR: #524

Should be merged after rebasing the changes from #535

How to use

emerge-amd64-usr app-admin/etcd-wrapper

Testing done

Not tested yet.

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
From version 3.3.23, the permissions of the data dir are checked,
and should be 700 in Linux

Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
@pothos pothos changed the title app-admin/etcd-wrapper: Adjust data dir permissions app-admin/etcd-wrapper: Adjust data dir permissions, Bump to 3.3.24 Aug 19, 2020
@sayanchowdhury sayanchowdhury marked this pull request as ready for review August 19, 2020 11:02
@sayanchowdhury sayanchowdhury merged commit 322a671 into flatcar-2513 Aug 19, 2020
@sayanchowdhury sayanchowdhury deleted the sayan/fix-data-dir branch August 19, 2020 11:03
sayanchowdhury added a commit that referenced this pull request Aug 19, 2020
app-admin/etcd-wrapper: Adjust data dir permissions, Bump to 3.3.24 by sayanchowdhury
@llamahunter

This REALLY should have been staged through the alpha and beta channels. Our stable channel nodes are now unable to run etcd until we fix this.

@pothos
Contributor

pothos commented Aug 21, 2020

Hello, that's unfortunate, sorry for that!
Did you specify a particular etcd version? The problem is that the 3.3.24 etcd requires the restricted permissions and being a systemd tmpfile directive it's only possible for users of a recent version to have it work if they would ship their own tmpfile directive.
The coupling makes the troubles; actually etcd-wrapper should have never been part of the base OS. Yes, you are expected to set the version you want because otherwise cluster compatibility is at risk if some node updates but still there can be other breaking changes besides etcd code, like the tmpfile directive as experienced now…
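
A pre-update check for the requirement discussed above, as an added example that is not part of the original thread or the project's code: it reports whether an etcd data directory has the mode 700 that etcd checks for from 3.3.23 on, and can tighten it. The function names are hypothetical, and the directory path is supplied by the caller because the thread does not name one.

```shell
#!/bin/sh
# Added example: verify the etcd data directory mode before updating etcd.
# Assumption: the caller passes the data directory path; the thread gives none.

# Print the octal permission bits of a path, following symlinks
# (GNU stat first, BSD stat as a fallback).
dir_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# check_etcd_data_dir DIR
# Returns 0 if DIR has mode 700, 1 if it has any other mode,
# 2 if DIR does not exist or is not a directory.
check_etcd_data_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory" >&2
        return 2
    fi
    mode=$(dir_mode "$dir") || return 2
    if [ "$mode" = "700" ]; then
        echo "OK: $dir has mode 700"
        return 0
    fi
    echo "FAIL: $dir has mode $mode, etcd >= 3.3.23 expects 700" >&2
    return 1
}

# fix_etcd_data_dir DIR
# Runs chmod only when the check reports a wrong mode, then re-checks.
fix_etcd_data_dir() {
    rc=0
    check_etcd_data_dir "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        1) chmod 700 "$1" && check_etcd_data_dir "$1" ;;
        *) return 2 ;;
    esac
}
```

Running `check_etcd_data_dir` on canary nodes before the stable rollout surfaces a directory that a newer etcd would refuse; a one-off `chmod` is not persistent if a tmpfile directive recreates the directory with a wider mode.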

@llamahunter
Copy link

We have alpha and beta canary deployments of flatcar to detect breaking changes in our configuration. Something like this, that wasn't a critical CVE security update, should probably be rolled out over a few weeks via alpha->beta->stable.

@pothos
Contributor

pothos commented Aug 22, 2020

Good to hear that you have Alpha and Beta nodes running for that. Yes, it could have been rolled out slowly but it was also blocking users from updating their etcd in response to the CVEs. Whether they were critical is up for discussion: https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
