Apply PAM security limits by running daemons through su

Daemons launched from OCF scripts inherit default resource limits. It could confuse users and cause resource allocation fail under heavy load. We should run daemons requiring root privileges through su - root -c, so limits from limits.conf would be enforced. To make it easier to implement, a new wrapper "ocf_run_as_root" is implemented in ocf-fuel-funcs. Change-Id: Iea56e4d08a2c1f92500129210d79e4b1fe04e3fd Closes-Bug: #1429553
2016-01-21 12:07:59 +03:00 · 2016-01-21 12:07:59 +03:00 · 65eca54760
commit 65eca54760
parent ebf68b7ab0
5 changed files with 23 additions and 5 deletions
--- a/deployment/puppet/openstack/files/limits.conf
+++ b/deployment/puppet/openstack/files/limits.conf
@ -1,3 +1,5 @@
-# Raising open file limit for OpenStack services 
+# Raising open file limit for OpenStack services
+root      soft    nofile          102400
+root      hard    nofile          112640
 *         soft    nofile          102400
 *         hard    nofile          112640
--- a/files/fuel-ha-utils/ocf/ns_dns
+++ b/files/fuel-ha-utils/ocf/ns_dns
@ -201,7 +201,7 @@ dnsmasq_start()
  fi

  # run the dnsmasq binary
-        ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
  if [ $? -ne 0 ]; then
    ocf_log err "Error. dnsmasq daemon returned error $?."
    return $OCF_ERR_GENERIC
--- a/files/fuel-ha-utils/ocf/ns_haproxy
+++ b/files/fuel-ha-utils/ocf/ns_haproxy
@ -440,7 +440,7 @@ haproxy_start()
 	fi

 	# run the haproxy binary
-	ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
+	ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
 	if [ $? -ne 0 ]; then
 		ocf_log err "Error. haproxy daemon returned error $?."
 		return $OCF_ERR_GENERIC
@ -472,7 +472,7 @@ haproxy_reload()
          ocf_log warn "Cannot block all SYN for the Haproxy reload operation!"
      fi
      # reload haproxy binary replacing the old process
-      ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
+      ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
      rc=$?
      unblock_client_access
      ocf_log info "Unblocked all SYN for the Haproxy reload operation"
--- a/files/fuel-ha-utils/ocf/ns_ntp
+++ b/files/fuel-ha-utils/ocf/ns_ntp
@ -191,7 +191,7 @@ ntp_start()
  fi

  # run the ntp binary
-  ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
+  ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
  if [ "${?}" -ne "0" ]; then
    ocf_log err "Error. ntp daemon returned error $?."
    return "${OCF_ERR_GENERIC}"
--- a/files/fuel-ha-utils/ocf/ocf-fuel-funcs
+++ b/files/fuel-ha-utils/ocf/ocf-fuel-funcs
@ -179,3 +179,19 @@ proc_stop()
    ocf_log info "${LH} Stopped ${service_name}"
    return "${OCF_SUCCESS}"
 }
+
+###########################################################
+# Runs a process as root via su to get the whole PAM stack
+# executed.
+#
+# Globals:
+#   none
+# Arguments:
+#   $* - ocf_run arguments
+# Returns:
+#   Return code of the ocf_run invocation.
+###########################################################
+ocf_run_as_root()
+{
+    ocf_run su - root -c "$(printf '%q ' "$@")"
+}