Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
pacemaker.13547
pacemaker-crm_mon-crm_system_name-no-longer-inf...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File pacemaker-crm_mon-crm_system_name-no-longer-influenced-with-argv.patch of Package pacemaker.13547
commit e438181c0e88879a32c63ae892d07d2c33ebc6f9 Author: Jan Pokorný <jpokorny@redhat.com> Date: Tue Jul 4 15:52:34 2017 +0200 Med: crm_mon: overcome crm_system_name no longer influenced with argv This fixes a condition meant to automatically use CGI mode. Generic support for running crm_mon in the role of CGI handler was added with 789936866, and from the beginning, when run as "crm_mon.cgi", that mode was to be applied. This, however, only worked until fc1fbd03a that hardcoded what is to become value of crm_system_name variable, no longer taking argv into account, which effectively made the branch in question a dead code. To solve this discrepancy, we restore the significance of argv[0] for that a bit generalized decision (only .cgi extension is needed) with a direct check. Alternative would be to - revert to prior usage of "crm_log_init*(NULL, ..., argc, argv, ...)" - switch to CGI mode based on inspection of variables of the environment (such as SCRIPT_NAME, prone to undesirable false positives) Example integration with httpd (NOTE: this is NOT intended for the environment with potential attack or even high volume usage exposure; for instance, there's a substantially greater risk of DDoS as opposed to serving a periodically refreshed HTML + you should rather make sure at least the previous crm_mon/CGI patch is applied as well): - first group deals with SELinux and can be skipped or adapted to other equivalent labels: # >allow_crm_mon_cgi.te cat <<-EOF module allow_crm_mon_cgi 1.0; require { type cluster_tmpfs_t; type cluster_t; type httpd_t; type tmpfs_t; class unix_stream_socket connectto; class unix_dgram_socket sendto; class dir write; class file { open read write }; } #============= httpd_t ============== allow httpd_t cluster_t:unix_dgram_socket sendto; allow httpd_t cluster_t:unix_stream_socket connectto; allow httpd_t cluster_tmpfs_t:file { open read write }; allow httpd_t tmpfs_t:dir write; EOF # checkmodule -M -m -o allow_crm_mon_cgi.{mod,te} # semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod # semodule -i allow_crm_mon_cgi.pp - next we add "apache" (or what's the default user for httpd deployment) to "haclient" group (or what's the default group for pacemaker deployment) and, for good measure, restrict this user the access to CIB further with ACL pacemaker built-in mechanism (write access can be completely forbidden for this use case) that also needs to be explicitly enabled (using pcs here, but that's not a locked down option): # usermod -G haclient apache # pcs cluster cib tmp-cib.xml # pcs -f tmp-cib.xml acl role create apache-ro read xpath / # pcs -f tmp-cib.xml acl user create apache apache-ro # pcs -f tmp-cib.xml property set enable-acl=true # pcs cluster cib-push tmp-cib.xml --config - then we create a dedicated subdir of the designated main ScriptAlias dir (again, adapt as fits), with the intention to enable symlinks only there (there will be reason why they are usually not enabled for that main dir) # mkdir -p /var/www/cgi-bin/diag # >/etc/httpd/conf.d/cgi_cgi.conf cat <<-EOF ScriptAlias "/howdoyou/" "/var/www/cgi-bin/diag/" <Directory "/var/www/cgi-bin/diag"> Options +FollowSymLinks </Directory> EOF - now, we are ready to symlink crm_mon with '.cgi' extension # ln -s /usr/sbin/crm_mon /var/www/cgi-bin/diag/cluster.cgi - finally, reload and test # systemctl reload httpd # curl http://localhost/howdoyou/cluster.cgi <html> <head> <title>Cluster status</title> [...] - the URL can request some of the crm_mon options: # curl http://localhost/howdoyou/cluster.cgi?-AL+-i30+-r - as an excercise, you can make this whole monitoring HA :) (but first, reread the NOTE above) Less favoured alternatives of integration: * >/var/www/cgi-bin/howdoyoucluster.cgi cat <<-EOF #!/bin/bash # note: -a not POSIX-shell-compliant exec -a crm_mon.cgi /usr/sbin/crm_mon EOF - adds unnecessary indirection execution-wise * cp /usr/sbin/crm_mon /var/www/cgi-bin/crm_mon.cgi - this would keep the copy without possibly critical updates, avoid Index: pacemaker/tools/crm_mon.c =================================================================== --- pacemaker.orig/tools/crm_mon.c +++ pacemaker/tools/crm_mon.c @@ -36,10 +36,10 @@ #include <crm/msg_xml.h> #include <crm/services.h> #include <crm/lrmd.h> -#include <crm/common/util.h> -#include <crm/common/xml.h> #include <crm/common/ipc.h> #include <crm/common/mainloop.h> +#include <crm/common/util.h> +#include <crm/common/xml.h> #include <crm/cib/internal.h> #include <crm/pengine/status.h> @@ -360,7 +360,7 @@ static struct crm_option long_options[] {"-spacer-", 1, 0, '-', "\nModes (mutually exclusive):"}, {"as-html", 1, 0, 'h', "\tWrite cluster status to the named html file"}, {"as-xml", 0, 0, 'X', "\t\tWrite cluster status as xml to stdout. This will enable one-shot mode."}, - {"web-cgi", 0, 0, 'w', "\t\tWeb mode with output suitable for cgi"}, + {"web-cgi", 0, 0, 'w', "\t\tWeb mode with output suitable for CGI (preselected when run as *.cgi)"}, {"simple-status", 0, 0, 's', "\tDisplay the cluster status once as a simple one line output (suitable for nagios)"}, {"snmp-traps", 1, 0, 'S', "\tSend SNMP traps to this station", !ENABLE_SNMP}, {"snmp-community", 1, 0, 'C', "Specify community for SNMP traps(default is NULL)", !ENABLE_SNMP}, @@ -554,7 +554,7 @@ main(int argc, char **argv) signal(SIGCLD, SIG_IGN); #endif - if (strcmp(crm_system_name, "crm_mon.cgi") == 0) { + if (strstr(argv[0], ".cgi")) { output_format = mon_output_cgi; one_shot = TRUE; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor