We should make the following changes to the published image:
- Make sure the `~/.st2/config` file, which contains credentials, is only readable by the owner (and also make sure that the owner user is correct; in the vagrant case that should be the `vagrant` user).
- Delete the `~/.st2/st2admin-token` file, which contains a cached admin auth token. It seems like that file is generated during the CI process and it's owned by root, which means the `vagrant` user can't read / write to it. We should delete it before generating the final artifact.
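As an added example (not code from packer-st2 or the StackStorm client), here is a small POSIX shell provisioning step that performs both changes above and then verifies the result, so the build can fail before the artifact is exported. It assumes the layout described in this issue (`DIR/config` holding credentials and `DIR/st2admin-token` holding the cached token); the function names, the optional `OWNER` argument and the `chown` behaviour are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of packer-st2. Tidies a StackStorm client directory
# ($HOME/.st2) before a Vagrant/OVA image is captured:
#   DIR/config         -> credentials; must be readable/writable by the owner only
#   DIR/st2admin-token -> token cached by `sudo st2 ...`; must not ship in the image
set -eu

# harden_st2_dir DIR [OWNER]
#   DIR   : the .st2 directory to clean, e.g. /home/vagrant/.st2
#   OWNER : user that should own DIR and its contents (hypothetical argument);
#           ownership is only changed when we run as root and OWNER is given
harden_st2_dir() {
    dir="$1"
    owner="${2:-}"

    # Nothing to do if the client never created the directory.
    [ -d "$dir" ] || return 0

    # Drop the cached admin token so it does not end up in the artifact.
    rm -f "$dir/st2admin-token"

    # Credentials file: owner read/write only. Tighten the directory too so
    # other users cannot list what the client cached there.
    if [ -f "$dir/config" ]; then
        chmod 600 "$dir/config"
    fi
    chmod 700 "$dir"

    # Fix ownership (e.g. root -> vagrant) when a target owner was requested
    # and we actually have the privilege to do it.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$dir"
    fi
}

# check_st2_dir DIR
#   Returns 0 when DIR is in the expected state, 1 otherwise, printing the
#   first problem found. Uses `ls -ld` rather than `stat` for portability.
check_st2_dir() {
    dir="$1"
    if [ -e "$dir/st2admin-token" ]; then
        echo "check_st2_dir: stale admin token present in $dir" >&2
        return 1
    fi
    if [ -f "$dir/config" ]; then
        perm=$(ls -ld "$dir/config" | cut -c1-10)
        if [ "$perm" != "-rw-------" ]; then
            echo "check_st2_dir: $dir/config mode is $perm, expected -rw-------" >&2
            return 1
        fi
    fi
    return 0
}

# When invoked directly, e.g. from a packer shell provisioner:
#   sh harden_st2.sh /home/vagrant/.st2 vagrant
if [ "$#" -ge 1 ]; then
    harden_st2_dir "$1" "${2:-}"
    check_st2_dir "$1"
fi
```

Running `check_st2_dir` as the last provisioner step turns the two items above into a build gate: if a later CI change reintroduces a root-owned token or a world-readable config, the image build fails instead of shipping the credentials.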
From Slack:
@kami yes, seen that before. It's indeed created during the CI runs.
It happens because we do `sudo st2 ...` somewhere and so token is saved with `root` permissions.
I even thought about submitting a PR for st2 so the dir `/home/${USERNAME}/.st2/` is created by StackStorm client with `setgid` flag, meaning token will take the folder's owner group.
But we were pretty time limited on this OVA work.
Can you create an issue in https://github.com/stackstorm/packer-st2 ?
Another issue I noticed during that work: `.st2/config` has read-all permissions, so everyone can read the st2 username:password.
This is a bug in our `curl|bash` installer:
```
$ ls -la ~/.st2/config
-rw-r--r-- 1 vagrant vagrant 54 May 23 14:09 /home/vagrant/.st2/config
```