Fix: proper permissions for systemvm template registrations on hardened systems

[artem-sidorenko]

Description

Related to #10029 (comment)

We have umask 0077 (via /etc/login.defs) on our hardened systems, so cloud-install-sys-tmplt is creating by default paths like below

$ ls -l /mnt/secondary/template/tmpl/
total 16
drwx------. 3 root root 4096 Nov 19 13:58 1
drwxrwxrwx. 7 root root 4096 Oct 31 09:42 2
drwxrwxrwx. 3 root root 4096 Oct 30 15:59 4
drwxr-xr-x. 2 root root 4096 Oct 31 10:21 5
$ ls -l /mnt/secondary/template/tmpl/1/
total 4
drwx------. 2 root root 4096 Nov 19 13:59 3
$ ls -l /mnt/secondary/template/tmpl/1/3/
total 549848
-rw-------. 1 root root 563032576 Nov 19 13:59 d23a1e19-c563-4f69-85ca-8721cf02082c.qcow2
-rw-------. 1 root root       287 Nov 19 13:59 template.properties

This results to the permissions problems later on, when trying to access the image.

setup-sysvm-tmplt needs that change most likely too, as this script is called by cloudstack java code for systemvm image deployment

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

I changed the files on my test deployment, removed everything on the secondary storage and reimported the systemvmimage

How did you try to break this feature and the system with this change?

It shouldn't break something, as umask 0022 is the common default umask and here it's valid only for the scope of executed script

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions.
  Apache CloudStack is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: [email protected] (https://cloudstack.apache.org/mailing-lists.html)
  Slack: https://apachecloudstack.slack.com/

[DaanHoogland]

clgtm, but of course some people may be caught out by this. not sure what testing we need.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 16.18%. Comparing base (028dd86) to head (1db260f).

Additional details and impacted files

@@            Coverage Diff            @@
##               4.20   #12098   +/-   ##
=========================================
  Coverage     16.18%   16.18%           
- Complexity    13298    13300    +2     
=========================================
  Files          5657     5657           
  Lines        498470   498470           
  Branches      60493    60493           
=========================================
+ Hits          80660    80665    +5     
+ Misses       408830   408825    -5     
  Partials       8980     8980           

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	17.03% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15806