=== cpaelzer_ is now known as cpaelzer
=== jrm2 is now known as jrm
meenahttps://bugs.launchpad.net/cloud-init/+bug/1853470 i think this can be closed15:17
-ubottu:#cloud-init- Launchpad bug 1853470 in cloud-init "parse_timestamp_from_date requires GNU coreutils' date" [Undecided, Triaged]15:17
MazoriusHi, I use cloud-init to generate my host-key provided by Terraform. I have an issue that the access rights getting changed from 0644 to 0600. Is this intended or a bug?18:24
meenaMazorius: how are you writing this file?18:58
Mazoriusmeena I setting it up via the cloud.init sshd module:19:01
Mazoriusdisable_root: true19:01
Mazoriusssh_deletekeys: true19:02
Mazoriusssh_genkeytypes: []19:02
Mazorius  ed25519_private: |19:02
Mazorius    ${indent(4, host_key.private_key_openssh)}19:02
Mazorius  ed25519_public: ${host_key.public_key_openssh}19:02
Mazoriusit is a Terraform template19:02
meenaprivate key.19:04
meenaprivate key, 0644. sounds very wrong19:04
waldiMazorius: please be more specific. what are you seeing and why do you think it is not correct?19:06
minimalMazorius: why are you creating a host key in Terraform? cloud-init can create that itself. Normally a host private key should be created on-device and never leave the device19:09
Mazoriusminimal for a git remote installation you need to provide a fixed host key and can not simply use always a new generated. So that is not possible in this case.19:10
Mazoriuswaldi the git server is not able to read the Host-key as it is only readable by root (0600) when I change it to (0644) which is ne normal case everything works as expected.19:11
waldiMazorius: the host key is supposed to be not readable19:12
Mazoriusmeena for a private key you are completely right. Sorry. It is only about the public key19:12
waldisorry, but this is a xy-problem, not a cloud-init problem19:12
minimalgenerally speaking a host's SSH private key should only be readable by the SSH server19:13
Mazoriusof course but not the public key and this is also 0600 instead of 0644 which would be correct.19:13
MazoriusSorry for the mistake with the private key.;)19:13
waldiwell, it is because the cloud-init is told to do that:19:17
waldi            f"{k}_private": (KEY_FILE_TPL % k, 0o600),19:17
waldi            f"{k}_public": (f"{KEY_FILE_TPL % k}.pub", 0o600),19:17
waldinothing wrong with that, nothing apart sshd needs to read even the public key19:17
minimalMazorius: what software on your host needs access to the host public key?19:19
Mazoriusminimal GitLab19:26
Mazoriusso it is intended and is not possible to be changed in anyway? waldi19:26
minimalas a workaround you could use a "runcmd:" entry to change the permissions19:29
MazoriusI did that but want to be sure if this is the only solution. Thanks all of you.19:31
minimalnot being familiar with Gitlab installation I still do not see why a specific priv/pub host key set have to be provided rather than using an autogenerated set19:31
minimalMazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR19:33
minimalactually looking on a cloud-init configured VM here I see the public host key *IS* -rw-r--r--19:35
waldiminimal: you did not supply the key, but let cloud-init generate it?19:38
minimalyes that's cloud-init generated19:38
waldithat's the difference19:38
minimalok, I still understand why Mazorius cannot use a c-i generated key during his gitlab installation - no info has been provided as to why that won't work19:39
minimalwaldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L28219:42
meenaMazorius: what group does Gitlab run under? you can change the group, and give the group read access to the key: 064019:44
waldimeena: no, he can't, as cloud-init sets the permission to 060019:45
minimalbut if he uses the autogenerated public key then every user on the system has read access to it......19:46
meenaor use install / chmod + chgrp in runcmd19:49
Mazoriusmeena it runs by default under the gitlab_rails group which is generated by the package installation20:03
meenaMazorius: which runs well after cloud-init? does it have a fixed GID?20:05
Mazoriusinteresting is that cloud-init seems to generate a pub key if provided with 0600: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L19020:07
Mazoriusbut if not provided and simply generate it by itself with 0644: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L28220:07
MazoriusAnd the private key with 0600 if provided and if not 0640 … so it somehow inconsistent in cloud-init or I am wrong?20:07
MazoriusDo not know that inside of the omnibus installation meena20:08
minimalwe already discussed this difference in permissions20:08
Mazoriuswere was this discussed? As all tools I know use 0600 for private and 0644 for public:20:11
Mazoriuse.g.: https://www.tenable.com/audits/items/CIS_Google_Container_Optimized_OS_v1.0.0_L1_Server.audit:7f016cd406100a1ee2ad94834111f00520:11
minimalMazorius: 30 minutes ago here when I said:20:12
minimal> "waldi: ah, here's where it is set for autogenerated public key: https://github.com/canonical/cloud-init/blob/9c7502a801763520639c66125eb373123d1e4f44/cloudinit/config/cc_ssh.py#L282"20:12
Mazoriusah you mean this:)  If it is only changing this line I can of course create a PR for that.20:13
minimaland also 40 mins ago when I said:20:14
minimal"Mazorius: well it may well make sense to change cc_ssh.py to use 644 rather than 600 for the *public* host key, the way to (potentially) change that would be for someone to submit a PR"20:14
Mazoriusminimal the PR: https://github.com/canonical/cloud-init/pull/197120:34
-ubottu:#cloud-init- Pull 1971 in canonical/cloud-init "Fix permission of SSH host keys" [Open]20:34

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!