
RE: Use /etc/origin/master/files without sudo



Or is it permitted to perform these commands as sudo user in production?


From: dencowboy hotmail com
To: jliggitt redhat com
CC: users lists openshift redhat com
Subject: RE: Use /etc/origin/master/files without sudo
Date: Mon, 15 Feb 2016 09:21:42 +0000

I understand, but then I'm unable to perform a command like this:
oadm ca create-server-cert --signer-cert=ca.crt \
    --signer-key=ca.key --signer-serial=ca.serial.txt \
    --hostnames="docker-registry.default.svc.cluster.local,${RESULT}" \
    --cert=registry.crt --key=registry.key

Because it's not permitted to read/use the ca.crt etc.


From: jliggitt redhat com
Date: Tue, 9 Feb 2016 11:45:37 -0500
Subject: Re: Use /etc/origin/master/files without sudo
To: dencowboy hotmail com

Depends on what you're using these files for... for dev, 755 is fine. For production, you should be guarding the keys closely, and probably requiring sudo access to read/write/sign certs.

On Tue, Feb 9, 2016 at 10:18 AM, Den Cowboy <dencowboy hotmail com> wrote:
Thanks. Is there a recommended chmod-command to perform on the files in /master? Because chmod 755 +R worked but is unsafe I think


From: jliggitt redhat com
Date: Tue, 9 Feb 2016 10:15:19 -0500

Subject: Re: Use /etc/origin/master/files without sudo
To: dencowboy hotmail com

sure, or write the initial config without using sudo and just run the server with sudo

On Tue, Feb 9, 2016 at 10:09 AM, Den Cowboy <dencowboy hotmail com> wrote:
Thanks. And is it a right approach to set permissions on the files in the /master? (when you don't use your own certs)


From: jliggitt redhat com
Date: Tue, 9 Feb 2016 09:57:15 -0500
Subject: Re: Use /etc/origin/master/files without sudo
To: dencowboy hotmail com
CC: users lists openshift redhat com


Generating a certificate requires write permissions on the ca.serial.txt file to record the fact that another certificate was signed using the CA.

On Tue, Feb 9, 2016 at 9:54 AM, Den Cowboy <dencowboy hotmail com> wrote:
What's the best way to use these files without using sudo?
I performed a chmod + r on it.

But when I try the following without sudo:
$ oadm ca create-server-cert --signer-cert=ca.crt \
>     --signer-key=ca.key --signer-serial=ca.serial.txt \
>     --hostnames='docker-registry.default.svc.cluster.local,172.30.21.34' \
>     --cert=registry.crt --key=registry.key
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0xcf747c]

goroutine 1 [running]:
github.com/openshift/origin/pkg/cmd/server/crypto.encodeCertificates(0xc2084a84c0, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:467 +0x2bc
github.com/openshift/origin/pkg/cmd/server/crypto.writeCertificates(0x7fff9db9d68e, 0xc, 0xc2084a84c0, 0x2, 0x2, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:501 +0xdf
github.com/openshift/origin/pkg/cmd/server/crypto.(*TLSCertificateConfig).writeCertConfig(0xc2083c0690, 0x7fff9db9d68e, 0xc, 0x7fff9db9d6a1, 0xc, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:71 +0x67
github.com/openshift/origin/pkg/cmd/server/crypto.(*CA).MakeServerCert(0xc2083c0750, 0x7fff9db9d68e, 0xc, 0x7fff9db9d6a1, 0xc, 0xc2083c0780, 0x1, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:258 +0x5b2
github.com/openshift/origin/pkg/cmd/server/admin.CreateServerCertOptions.CreateServerCert(0xc20847fcc0, 0x7fff9db9d68e, 0xc, 0x7fff9db9d6a1, 0xc, 0xc2084e6060, 0x2, 0x2, 0x1, 0x7f6276ae9530, ...)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:116 +0x224
github.com/openshift/origin/pkg/cmd/server/admin.func·015(0xc2084c7e00, 0xc2081d3c20, 0x0, 0x6)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:59 +0x139
github.com/spf13/cobra.(*Command).execute(0xc2084c7e00, 0xc2081d3b60, 0x6, 0x6, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_thirdpartyhacks/src/github.com/spf13/cobra/command.go:572 +0x82f
github.com/spf13/cobra.(*Command).ExecuteC(0xc2084a2200, 0xc2084c7e00, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_thirdpartyhacks/src/github.com/spf13/cobra/command.go:662 +0x4db
github.com/spf13/cobra.(*Command).Execute(0xc2084a2200, 0x0, 0x0)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_thirdpartyhacks/src/github.com/spf13/cobra/command.go:618 +0x3a
main.main()
    /builddir/build/BUILD/origin-git-0.ce0e67f/_build/src/github.com/openshift/origin/cmd/openshift/openshift.go:22 +0x175

goroutine 5 [syscall]:
os/signal.loop()
    /usr/lib/golang/src/os/signal/signal_unix.go:21 +0x1f
created by os/signal.init·1
    /usr/lib/golang/src/os/signal/signal_unix.go:27 +0x35

goroutine 10 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x4c5e680)
    /builddir/build/BUILD/origin-git-0.ce0e67f/_thirdpartyhacks/src/github.com/golang/glog/glog.go:879 +0x78
created by github.com/golang/glog.init·1
    /builddir/build/BUILD/origin-git-0.ce0e67f/_thirdpartyhacks/src/github.com/golang/glog/glog.go:410 +0x2a7

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
    /usr/lib/golang/src/runtime/asm_amd64.s:2232 +0x1
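The point in the reply above (signing needs write access to ca.serial.txt, not just read access) can be seen in a small self-contained Go program. This is an added example, constructed for this thread, and is not OpenShift's own crypto package or the oadm implementation: it builds its own throwaway CA and serial file in a temp directory, advances the serial on every signature the way a serial file is meant to be used, and returns a readable error (instead of panicking) when the serial file cannot be read or written. The hostname string mirrors the --hostnames value quoted in the thread; all file names and helper names (newCA, nextSerial, makeServerCert, verifyServerCert) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CA holds a signing certificate, its private key and the path of the serial
// file that must be advanced for every certificate the CA signs.
type CA struct {
	Cert       *x509.Certificate
	Key        *ecdsa.PrivateKey
	SerialPath string
}

// nextSerial reads the hex serial from path, increments it and writes it back.
// Both failures come back as errors, so a caller without write access sees a
// "permission denied" message rather than a nil pointer dereference.
func nextSerial(path string) (*big.Int, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read serial file: %w", err)
	}
	serial, ok := new(big.Int).SetString(strings.TrimSpace(string(raw)), 16)
	if !ok {
		return nil, fmt.Errorf("serial file %s does not hold a hex integer", path)
	}
	serial.Add(serial, big.NewInt(1))
	// This write is the step a merely readable (chmod +r) CA directory cannot do.
	if err := os.WriteFile(path, []byte(serial.Text(16)+"\n"), 0o600); err != nil {
		return nil, fmt.Errorf("record new serial: %w", err)
	}
	return serial, nil
}

// newCA creates a self-signed CA in dir with a serial file starting at 1.
// This is constructed test material, not OpenShift's ca.crt/ca.key.
func newCA(dir string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	serialPath := filepath.Join(dir, "ca.serial.txt")
	if err := os.WriteFile(serialPath, []byte("1\n"), 0o600); err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key, SerialPath: serialPath}, nil
}

// makeServerCert signs a server certificate for comma-separated hostnames
// (DNS names or IP literals, as --hostnames takes them). The serial comes from
// the CA's serial file, so signing fails cleanly when that file is not writable.
func makeServerCert(ca *CA, hostnames string) (*x509.Certificate, error) {
	serial, err := nextSerial(ca.SerialPath)
	if err != nil {
		return nil, err
	}
	names := strings.Split(hostnames, ",")
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: names[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range names {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert checks that cert chains to the CA and is valid for host.
func verifyServerCert(ca *CA, cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	dir, err := os.MkdirTemp("", "ca-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	ca, err := newCA(dir)
	if err != nil {
		panic(err)
	}
	cert, err := makeServerCert(ca, "docker-registry.default.svc.cluster.local,172.30.21.34")
	if err != nil {
		fmt.Println("signing failed:", err) // wrapped OS error when the serial file is not writable
		return
	}
	fmt.Printf("signed serial %x for %v %v\n", cert.SerialNumber, cert.DNSNames, cert.IPAddresses)
}
```

Run as a user who can read but not write the serial file, the program reports the wrapped "record new serial" error and signs nothing; that is the state the chmod +r in the thread produces, and it is the same reason the reply says the signer needs write access to ca.serial.txt, not just read access to the CA files.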

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users