dind: Fix config permissions

openshift · Oct 11, 2016 · 185dfa9 · 185dfa9
1 parent 3322d5b
commit 185dfa9
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 20 deletions.
diff --git a/images/dind/master/openshift-generate-master-config.sh b/images/dind/master/openshift-generate-master-config.sh
@@ -32,9 +32,11 @@ function ensure-master-config() {
     --master="https://${ip_addr}:8443" \
     --network-plugin="${OPENSHIFT_NETWORK_PLUGIN}"
 
-  # ensure the configuration is readable outside of the container
-  find "${config_path}" -exec chmod ga+rw {} \;
-  find "${config_path}" -type d -exec chmod ga+x {} \;
+  # ensure the configuration can be used outside of the container
+  chmod ga+rx "${config_path}"
+  chmod ga+rx "${master_path}"
+  chmod ga+r "${master_path}"/*
+  chmod ga+w "${master_path}/admin.kubeconfig"
 }
 
 ensure-master-config
diff --git a/images/dind/node/openshift-generate-node-config.sh b/images/dind/node/openshift-generate-node-config.sh
@@ -8,14 +8,6 @@ source /usr/local/bin/openshift-dind-lib.sh
 # Should set OPENSHIFT_NETWORK_PLUGIN
 source /data/network-plugin
 
-function os::dind::lock() {
-  local config_path=$1
-
-  exec 200>"${config_path}"/.openshift-generate-node-config.exclusivelock
-
-  flock -n 200
-}
-
 function ensure-node-config() {
   local deployed_config_path="/var/lib/origin/openshift.local.config/node"
   local deployed_config_file="${deployed_config_path}/node-config.yaml"
@@ -32,28 +24,32 @@ function ensure-node-config() {
     host="${host}-node"
   fi
   local node_config_path="${config_path}/node-${host}"
-  local config_file="${node_config_path}/node-config.yaml"
+  local node_config_file="${node_config_path}/node-config.yaml"
 
   # If the node config has not been generated
-  if [[ ! -f "${config_file}" ]]; then
+  if [[ ! -f "${node_config_file}" ]]; then
     local master_config_path="${config_path}/master"
+    local master_config_file="${master_config_path}/admin.kubeconfig"
 
     # Wait for the master to generate its config
-    local condition="test -f ${master_config_path}/admin.kubeconfig"
+    local condition="test -f ${master_config_file}"
     os::util::wait-for-condition "admin config" "${condition}" "${OS_WAIT_FOREVER}"
 
     local master_host
-    master_host="$(grep server "${master_config_path}/admin.kubeconfig" | grep -v localhost | awk '{print $2}')"
+    master_host="$(grep server "${master_config_file}" | grep -v localhost | awk '{print $2}')"
 
     local ip_addr
     ip_addr="$(ip addr | grep inet | grep eth0 | awk '{print $2}' | sed -e 's+/.*++')"
 
-    # Wait for the node cert gen lock to be held
-    local condition="os::dind::lock ${config_path}"
-    os::util::wait-for-condition "cert gen lock" "${condition}" "${OS_WAIT_FOREVER}"
+    # Hold a lock on the shared volume to ensure cert generation is
+    # performed serially.  Cert generation is not compatible with
+    # concurrent execution since the file passed to --signer-serial
+    # needs to be incremented by each invocation.
+    exec 200>"${config_path}"/.openshift-generate-node-config.exclusivelock
+    flock 200
 
     /usr/local/bin/openshift admin create-node-config \
-      --node-dir="${config_path}" \
+      --node-dir="${node_config_path}" \
       --node="${host}" \
       --master="${master_host}" \
       --hostnames="${host},${ip_addr}" \
@@ -63,11 +59,18 @@ function ensure-node-config() {
       --signer-cert="${master_config_path}/ca.crt" \
       --signer-key="${master_config_path}/ca.key" \
       --signer-serial="${master_config_path}/ca.serial.txt"
+
+    # Release the lock
+    flock -o
   fi
 
+  # ensure the configuration is readable outside of the container
+  chmod ga+rx "${node_config_path}"
+  chmod ga+r "${node_config_path}"/*
+
   # Deploy the node config
   mkdir -p "${deployed_config_path}"
-  cp -r "${config_path}"/* "${deployed_config_path}"
+  cp -r "${node_config_path}"/* "${deployed_config_path}/"
 }
 
 ensure-node-config