openstack/fuel-library
Code Issues Proposed changes

Merge "Apply PAM security limits by running daemons through su"

Browse Source
This commit is contained in:
Jenkins 2016-02-03 09:12:41 +00:00 committed by Gerrit Code Review
commit e90940fcff
5 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
deployment/puppet/openstack/files/limits.conf
View File

@ -1,3 +1,5 @@
# Raising open file limit for OpenStack services # Raising open file limit for OpenStack services
root soft nofile 102400
root hard nofile 112640
* soft nofile 102400 * soft nofile 102400
* hard nofile 112640 * hard nofile 112640

2
files/fuel-ha-utils/ocf/ns_dns
View File

@ -201,7 +201,7 @@ dnsmasq_start()
fi fi
# run the dnsmasq binary # run the dnsmasq binary
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}" ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ocf_log err "Error. dnsmasq daemon returned error $?." ocf_log err "Error. dnsmasq daemon returned error $?."
return $OCF_ERR_GENERIC return $OCF_ERR_GENERIC

4
files/fuel-ha-utils/ocf/ns_haproxy
View File

@ -440,7 +440,7 @@ haproxy_start()
fi fi
# run the haproxy binary # run the haproxy binary
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ocf_log err "Error. haproxy daemon returned error $?." ocf_log err "Error. haproxy daemon returned error $?."
return $OCF_ERR_GENERIC return $OCF_ERR_GENERIC
@ -472,7 +472,7 @@ haproxy_reload()
ocf_log warn "Cannot block all SYN for the Haproxy reload operation!" ocf_log warn "Cannot block all SYN for the Haproxy reload operation!"
fi fi
# reload haproxy binary replacing the old process # reload haproxy binary replacing the old process
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}" ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
rc=$? rc=$?
unblock_client_access unblock_client_access
ocf_log info "Unblocked all SYN for the Haproxy reload operation" ocf_log info "Unblocked all SYN for the Haproxy reload operation"

2
files/fuel-ha-utils/ocf/ns_ntp
View File

@ -191,7 +191,7 @@ ntp_start()
fi fi
# run the ntp binary # run the ntp binary
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}" ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
if [ "${?}" -ne "0" ]; then if [ "${?}" -ne "0" ]; then
ocf_log err "Error. ntp daemon returned error $?." ocf_log err "Error. ntp daemon returned error $?."
return "${OCF_ERR_GENERIC}" return "${OCF_ERR_GENERIC}"

16
files/fuel-ha-utils/ocf/ocf-fuel-funcs
View File

@ -179,3 +179,19 @@ proc_stop()
ocf_log info "${LH} Stopped ${service_name}" ocf_log info "${LH} Stopped ${service_name}"
return "${OCF_SUCCESS}" return "${OCF_SUCCESS}"
} }
###########################################################
# Runs a process as root via su to get the whole PAM stack
# executed.
#
# Globals:
# none
# Arguments:
# $* - ocf_run arguments
# Returns:
# Return code of the ocf_run invocation.
###########################################################
ocf_run_as_root()
{
ocf_run su - root -c "$(printf '%q ' "$@")"
}