New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-22995: Tighten the permissions on whereabouts.conf #2106
OCPBUGS-22995: Tighten the permissions on whereabouts.conf #2106
Conversation
CI errors seem suspicious:
I wonder if setting 600 is causing something to break because it can't read the |
/test e2e-azure-ovn-dualstack |
cc @dougbtv |
/lgtm |
/approve |
Due to the low risk of a widespread systematic impact of this change, I think we can /label acknowledge-critical-fixes-only |
@dougbtv do you know if the various e2e failures are transient? The traces looked like they were related to the network operator failing to come up, but I'm not 100% sure. |
According to CIS benchmark guidance, all files according to networking configuration should only be read/writeable to the owner (600). This commit updates the installation script that lays down the whereabouts.conf file to use permissions 600 instead of 644.
8e4561c
to
8d0535b
Compare
Rebased to freshen up the test results. |
/retest-required |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dougbtv, rhmdnd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Looks like e2e-metal-ipi-ovn-ipv6 failed because one of the API servers didn't come up. |
/test e2e-metal-ipi-ovn-ipv6 |
/retest-required |
@rhmdnd: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
@dougbtv looks like we have a clean run. Should be ready for another look. |
@rhmdnd: This pull request references Jira Issue OCPBUGS-22995, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/jira refresh |
@kyrtapz: This pull request references Jira Issue OCPBUGS-22995, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
e9ab6a9
into
openshift:master
@rhmdnd: Jira Issue OCPBUGS-22995: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-22995 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-network-operator-container-v4.16.0-202403261946.p0.ge9ab6a9.assembly.stream.el9 for distgit cluster-network-operator. |
/cherry-pick release-4.15 |
@rhmdnd: new pull request created: #2324 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fix included in accepted release 4.16.0-0.nightly-2024-03-28-223620 |
According to CIS benchmark guidance, all files according to networking configuration should only be read/writeable to the owner (600).
This commit updates the installation script that lays down the whereabouts.conf file to use permissions 600 instead of 644.