Merge "Apply PAM security limits by running daemons through su"

2016-01-28 09:40:22 +00:00 · 2016-01-28 09:40:22 +00:00 · 126e6841ca
parent 59b273b1d6 478fef32ce
commit 126e6841ca
5 changed files with 23 additions and 5 deletions
--- a/deployment/puppet/openstack/files/limits.conf
+++ b/deployment/puppet/openstack/files/limits.conf
@ -1,3 +1,5 @@
-# Raising open file limit for OpenStack services 
+# Raising open file limit for OpenStack services
+root      soft    nofile          102400
+root      hard    nofile          112640
 *         soft    nofile          102400
 *         hard    nofile          112640
--- a/files/fuel-ha-utils/ocf/ns_dns
+++ b/files/fuel-ha-utils/ocf/ns_dns
@ -201,7 +201,7 @@ dnsmasq_start()
  fi

  # run the dnsmasq binary
-        ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
  if [ $? -ne 0 ]; then
    ocf_log err "Error. dnsmasq daemon returned error $?."
    return $OCF_ERR_GENERIC
--- a/files/fuel-ha-utils/ocf/ns_haproxy
+++ b/files/fuel-ha-utils/ocf/ns_haproxy
@ -440,7 +440,7 @@ haproxy_start()
 	fi

 	# run the haproxy binary
-	ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
+	ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
 	if [ $? -ne 0 ]; then
 		ocf_log err "Error. haproxy daemon returned error $?."
 		return $OCF_ERR_GENERIC
@ -472,7 +472,7 @@ haproxy_reload()
          ocf_log warn "Cannot block all SYN for the Haproxy reload operation!"
      fi
      # reload haproxy binary replacing the old process
-      ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
+      ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
      rc=$?
      unblock_client_access
      ocf_log info "Unblocked all SYN for the Haproxy reload operation"
--- a/files/fuel-ha-utils/ocf/ns_ntp
+++ b/files/fuel-ha-utils/ocf/ns_ntp
@ -191,7 +191,7 @@ ntp_start()
  fi

  # run the ntp binary
-  ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
  if [ "${?}" -ne "0" ]; then
    ocf_log err "Error. ntp daemon returned error $?."
    return "${OCF_ERR_GENERIC}"
--- a/files/fuel-ha-utils/ocf/ocf-fuel-funcs
+++ b/files/fuel-ha-utils/ocf/ocf-fuel-funcs
@ -179,3 +179,19 @@ proc_stop()
    ocf_log info "${LH} Stopped ${service_name}"
    return "${OCF_SUCCESS}"
 }
+
+###########################################################
+# Runs a process as root via su to get the whole PAM stack
+# executed.
+#
+# Globals:
+#   none
+# Arguments:
+#   $* - ocf_run arguments
+# Returns:
+#   Return code of the ocf_run invocation.
+###########################################################
+ocf_run_as_root()
+{
+    ocf_run su - root -c "$(printf '%q ' "$@")"
+}