a694b9e5ad
Python ignores SIGPIPE on startup, because it prefers to check every write and raise an IOError exception rather than taking the signal. Most Unix subprocesses don't expect to work this way. This patch (adapted from Colin Watson's post at http://tinyurl.com/2a7mzh5) sets SIGPIPE back to the default action for nova.utils.execute and nova-rootwrap created subprocesses. Fixes bug 1053364 Change-Id: I17e1629bb4ef4268515c6734ddb6e12746739c52
95 lines
3.2 KiB
Python
Executable File
95 lines
3.2 KiB
Python
Executable File
#!/usr/bin/env python
|
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright (c) 2011 OpenStack, LLC.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Root wrapper for Nova
|
|
|
|
Filters which commands nova is allowed to run as another user.
|
|
|
|
To use this, you should set the following in nova.conf:
|
|
rootwrap_config=/etc/nova/rootwrap.conf
|
|
|
|
You also need to let the nova user run nova-rootwrap as root in sudoers:
|
|
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
|
|
|
|
To make allowed commands node-specific, your packaging should only
|
|
install {compute,network,volume}.filters respectively on compute, network
|
|
and volume nodes (i.e. nova-api nodes should not have any of those files
|
|
installed).
|
|
"""
|
|
|
|
import ConfigParser
|
|
import os
|
|
import signal
|
|
import subprocess
|
|
import sys
|
|
|
|
|
|
RC_UNAUTHORIZED = 99
|
|
RC_NOCOMMAND = 98
|
|
RC_BADCONFIG = 97
|
|
|
|
|
|
def _subprocess_setup():
|
|
# Python installs a SIGPIPE handler by default. This is usually not what
|
|
# non-Python subprocesses expect.
|
|
signal.signal(signal.SIGPIPE, signal.SIG_DFL)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
# Split arguments, require at least a command
|
|
execname = sys.argv.pop(0)
|
|
if len(sys.argv) < 2:
|
|
print "%s: %s" % (execname, "No command specified")
|
|
sys.exit(RC_NOCOMMAND)
|
|
|
|
configfile = sys.argv.pop(0)
|
|
userargs = sys.argv[:]
|
|
|
|
# Load configuration
|
|
config = ConfigParser.RawConfigParser()
|
|
config.read(configfile)
|
|
try:
|
|
filters_path = config.get("DEFAULT", "filters_path").split(",")
|
|
except ConfigParser.Error:
|
|
print "%s: Incorrect configuration file: %s" % (execname, configfile)
|
|
sys.exit(RC_BADCONFIG)
|
|
|
|
# Add ../ to sys.path to allow running from branch
|
|
possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname),
|
|
os.pardir, os.pardir))
|
|
if os.path.exists(os.path.join(possible_topdir, "nova", "__init__.py")):
|
|
sys.path.insert(0, possible_topdir)
|
|
|
|
from nova.rootwrap import wrapper
|
|
|
|
# Execute command if it matches any of the loaded filters
|
|
filters = wrapper.load_filters(filters_path)
|
|
filtermatch = wrapper.match_filter(filters, userargs)
|
|
if filtermatch:
|
|
obj = subprocess.Popen(filtermatch.get_command(userargs),
|
|
stdin=sys.stdin,
|
|
stdout=sys.stdout,
|
|
stderr=sys.stderr,
|
|
preexec_fn=_subprocess_setup,
|
|
env=filtermatch.get_environment(userargs))
|
|
obj.wait()
|
|
sys.exit(obj.returncode)
|
|
|
|
print "Unauthorized command: %s" % ' '.join(userargs)
|
|
sys.exit(RC_UNAUTHORIZED)
|