File pacemaker-crm_mon-crm_system_name-no-longer-influenced-with-argv.patch of Package pacemaker.8397
commit e438181c0e88879a32c63ae892d07d2c33ebc6f9
Author: Jan Pokorný <jpokorny@redhat.com>
Date: Tue Jul 4 15:52:34 2017 +0200
Med: crm_mon: overcome crm_system_name no longer influenced with argv
This fixes a condition meant to automatically use CGI mode. Generic
support for running crm_mon in the role of CGI handler was added with
789936866, and from the beginning, when run as "crm_mon.cgi", that
mode was to be applied. This, however, only worked until fc1fbd03a
that hardcoded what is to become value of crm_system_name variable,
no longer taking argv into account, which effectively made the branch
in question a dead code. To solve this discrepancy, we restore the
significance of argv[0] for that a bit generalized decision (only .cgi
extension is needed) with a direct check.
Alternative would be to
- revert to prior usage of "crm_log_init*(NULL, ..., argc, argv, ...)"
- switch to CGI mode based on inspection of variables of the environment
(such as SCRIPT_NAME, prone to undesirable false positives)
Example integration with httpd (NOTE: this is NOT intended for the
environment with potential attack or even high volume usage exposure;
for instance, there's a substantially greater risk of DDoS as opposed
to serving a periodically refreshed HTML + you should rather make sure
at least the previous crm_mon/CGI patch is applied as well):
- first group deals with SELinux and can be skipped or adapted to other
equivalent labels:
# >allow_crm_mon_cgi.te cat <<-EOF
module allow_crm_mon_cgi 1.0;
require {
type cluster_tmpfs_t;
type cluster_t;
type httpd_t;
type tmpfs_t;
class unix_stream_socket connectto;
class unix_dgram_socket sendto;
class dir write;
class file { open read write };
}
#============= httpd_t ==============
allow httpd_t cluster_t:unix_dgram_socket sendto;
allow httpd_t cluster_t:unix_stream_socket connectto;
allow httpd_t cluster_tmpfs_t:file { open read write };
allow httpd_t tmpfs_t:dir write;
EOF
# checkmodule -M -m -o allow_crm_mon_cgi.{mod,te}
# semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod
# semodule -i allow_crm_mon_cgi.pp
- next we add "apache" (or what's the default user for httpd
deployment) to "haclient" group (or what's the default group
for pacemaker deployment) and, for good measure, restrict this
user the access to CIB further with ACL pacemaker built-in
mechanism (write access can be completely forbidden for this
use case) that also needs to be explicitly enabled (using pcs
here, but that's not a locked down option):
# usermod -G haclient apache
# pcs cluster cib tmp-cib.xml
# pcs -f tmp-cib.xml acl role create apache-ro read xpath /
# pcs -f tmp-cib.xml acl user create apache apache-ro
# pcs -f tmp-cib.xml property set enable-acl=true
# pcs cluster cib-push tmp-cib.xml --config
- then we create a dedicated subdir of the designated main ScriptAlias
dir (again, adapt as fits), with the intention to enable symlinks only
there (there will be reason why they are usually not enabled for that
main dir)
# mkdir -p /var/www/cgi-bin/diag
# >/etc/httpd/conf.d/cgi_cgi.conf cat <<-EOF
ScriptAlias "/howdoyou/" "/var/www/cgi-bin/diag/"
<Directory "/var/www/cgi-bin/diag">
Options +FollowSymLinks
</Directory>
EOF
- now, we are ready to symlink crm_mon with '.cgi' extension
# ln -s /usr/sbin/crm_mon /var/www/cgi-bin/diag/cluster.cgi
- finally, reload and test
# systemctl reload httpd
# curl http://localhost/howdoyou/cluster.cgi
<html>
<head>
<title>Cluster status</title>
[...]
- the URL can request some of the crm_mon options:
# curl http://localhost/howdoyou/cluster.cgi?-AL+-i30+-r
- as an excercise, you can make this whole monitoring HA :)
(but first, reread the NOTE above)
Less favoured alternatives of integration:
* >/var/www/cgi-bin/howdoyoucluster.cgi cat <<-EOF
#!/bin/bash
# note: -a not POSIX-shell-compliant
exec -a crm_mon.cgi /usr/sbin/crm_mon
EOF
- adds unnecessary indirection execution-wise
* cp /usr/sbin/crm_mon /var/www/cgi-bin/crm_mon.cgi
- this would keep the copy without possibly critical updates, avoid
Index: pacemaker/tools/crm_mon.c
===================================================================
--- pacemaker.orig/tools/crm_mon.c
+++ pacemaker/tools/crm_mon.c
@@ -36,10 +36,10 @@
#include <crm/msg_xml.h>
#include <crm/services.h>
#include <crm/lrmd.h>
-#include <crm/common/util.h>
-#include <crm/common/xml.h>
#include <crm/common/ipc.h>
#include <crm/common/mainloop.h>
+#include <crm/common/util.h>
+#include <crm/common/xml.h>
#include <crm/cib/internal.h>
#include <crm/pengine/status.h>
@@ -360,7 +360,7 @@ static struct crm_option long_options[]
{"-spacer-", 1, 0, '-', "\nModes (mutually exclusive):"},
{"as-html", 1, 0, 'h', "\tWrite cluster status to the named html file"},
{"as-xml", 0, 0, 'X', "\t\tWrite cluster status as xml to stdout. This will enable one-shot mode."},
- {"web-cgi", 0, 0, 'w', "\t\tWeb mode with output suitable for cgi"},
+ {"web-cgi", 0, 0, 'w', "\t\tWeb mode with output suitable for CGI (preselected when run as *.cgi)"},
{"simple-status", 0, 0, 's', "\tDisplay the cluster status once as a simple one line output (suitable for nagios)"},
{"snmp-traps", 1, 0, 'S', "\tSend SNMP traps to this station", !ENABLE_SNMP},
{"snmp-community", 1, 0, 'C', "Specify community for SNMP traps(default is NULL)", !ENABLE_SNMP},
@@ -554,7 +554,7 @@ main(int argc, char **argv)
signal(SIGCLD, SIG_IGN);
#endif
- if (strcmp(crm_system_name, "crm_mon.cgi") == 0) {
+ if (strstr(argv[0], ".cgi")) {
output_format = mon_output_cgi;
one_shot = TRUE;
}
