app-admin/etcd-wrapper: Adjust data dir permissions, Bump to 3.3.24

[sayanchowdhury]

app-admin/etcd-wrapper: Adjust data dir permissions

From version 3.3.23, the permission of the data-dir is checked,
and should be 700 in Linux

Backports PR: #524

Should be merged after rebasing the changes from #535

How to use

emerge-amd64-usr app-admin/etcd-wrapper

Testing done

Not tested yet.

[llamahunter]

This REALLY should have been staged through the alpha and beta channels. Our stable channel nodes are now unable to run etcd until we fix this.

[pothos]

Hello, that's unfortunate, sorry for that!
Did you specify a particular etcd version? The problem is that the 3.3.24 etcd requirest the restricted permissions and being a systemd tmpfile directive it's only possible for users of a recent version to have it work if they would ship their own tmpfile directive.
The coupling makes the troubles; actually etcd-wrapper should have never been part of the base OS. Yes, you are expected to set the version you want because otherwise cluster compatibility is on risk if some node updates but still there can be other breaking changes besides etcd code, like the tmpfile directive as experienced now…

[llamahunter]

We have alpha and beta canary deployments of flatcar to detect breaking changes in our configuration. Something like this, that wasn't a critical CVE security update, should probably be rolled out over a few weeks via alpha->beta->stable.

[pothos]

Good to hear that you have Alpha and Beta nodes running for that. Yes, it could have been rolled out slowly but it was also blocking users to update their etcd in response to the CVEs. Whether they were critical is up for discussion https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf