Save the HAProxy state outside of its systemd unit
By default, SELinux prevents HAProxy context (haproxy_t) to execute shell context (shell_exec_t) for security reasons. This prevents HAProxy to actually reload properly, since SELinux will deny its call to a shell to save its state to a file. In order to avoid opening a potential security hole in the load-balancer image, the best way is to generate the state file before the actual reload. There are more details about the SELinux denials in the associated Red Hat Bugzilla. Resolves: rhbz#2073491 Change-Id: I6b9a5e1e3bafe77ad9f9506b8c0995d8c2a00081
This commit is contained in:
parent
bf007ec4a8
commit
21d74c373b
@ -29,6 +29,7 @@ from werkzeug import exceptions
|
||||
|
||||
from octavia.amphorae.backends.agent.api_server import haproxy_compatibility
|
||||
from octavia.amphorae.backends.agent.api_server import util
|
||||
from octavia.amphorae.backends.utils import haproxy_query
|
||||
from octavia.common import constants as consts
|
||||
from octavia.common import utils as octavia_utils
|
||||
|
||||
@ -244,6 +245,17 @@ class Loadbalancer(object):
|
||||
if action == consts.AMP_ACTION_RELOAD:
|
||||
if consts.OFFLINE == self._check_haproxy_status(lb_id):
|
||||
action = consts.AMP_ACTION_START
|
||||
else:
|
||||
# We first have to save the state when we reload
|
||||
haproxy_state_file = util.state_file_path(lb_id)
|
||||
stat_sock_file = util.haproxy_sock_path(lb_id)
|
||||
|
||||
lb_query = haproxy_query.HAProxyQuery(stat_sock_file)
|
||||
if not lb_query.save_state(haproxy_state_file):
|
||||
# We accept to reload haproxy even if the state_file is
|
||||
# not generated, but we probably want to know about that
|
||||
# failure!
|
||||
LOG.warning('Failed to save haproxy-%s state!', lb_id)
|
||||
|
||||
cmd = ("/usr/sbin/service haproxy-{lb_id} {action}".format(
|
||||
lb_id=lb_id, action=action))
|
||||
|
@ -13,7 +13,6 @@ Environment="CONFIG={{ haproxy_cfg }}" "USERCONFIG={{ haproxy_user_group_cfg }}"
|
||||
|
||||
ExecStartPre={{ haproxy_cmd }} -f $CONFIG -f $USERCONFIG -c -q -L {{ peer_name }}
|
||||
|
||||
ExecReload=/bin/sh -c "echo 'show servers state' | socat stdio unix-connect:{{ haproxy_socket }} > {{ haproxy_state_file }}"
|
||||
ExecReload={{ haproxy_cmd }} -c -f $CONFIG -f $USERCONFIG -L {{ peer_name }}
|
||||
ExecReload=/bin/kill -USR2 $MAINPID
|
||||
|
||||
|
@ -15,10 +15,14 @@
|
||||
import csv
|
||||
import socket
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from octavia.common import constants as consts
|
||||
from octavia.common import utils as octavia_utils
|
||||
from octavia.i18n import _
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class HAProxyQuery(object):
|
||||
"""Class used for querying the HAProxy statistics socket.
|
||||
@ -29,9 +33,9 @@ class HAProxyQuery(object):
|
||||
"""
|
||||
|
||||
def __init__(self, stats_socket):
|
||||
"""stats_socket
|
||||
"""Initialize the class
|
||||
|
||||
Path to the HAProxy statistics socket file.
|
||||
:param stats_socket: Path to the HAProxy statistics socket file.
|
||||
"""
|
||||
|
||||
self.socket = stats_socket
|
||||
@ -143,3 +147,24 @@ class HAProxyQuery(object):
|
||||
final_results[line['pxname']]['members'][line['svname']] = (
|
||||
line['status'])
|
||||
return final_results
|
||||
|
||||
def save_state(self, state_file_path):
|
||||
"""Save haproxy connection state to a file.
|
||||
|
||||
:param state_file_path: Absolute path to the state file
|
||||
|
||||
:returns: bool (True if success, False otherwise)
|
||||
"""
|
||||
|
||||
try:
|
||||
result = self._query('show servers state')
|
||||
# No need for binary mode, the _query converts bytes to ascii.
|
||||
with open(state_file_path, 'w', encoding='utf-8') as fh:
|
||||
fh.write(result)
|
||||
return True
|
||||
except Exception as e:
|
||||
# Catch any exception - may be socket issue, or write permission
|
||||
# issue as well.
|
||||
LOG.warning("Unable to save state: %(err)s %(output)s",
|
||||
{'err': e, 'output': e.output})
|
||||
return False
|
||||
|
@ -353,8 +353,10 @@ class TestServerTestCase(base.TestCase):
|
||||
@mock.patch('octavia.amphorae.backends.agent.api_server.loadbalancer.'
|
||||
'Loadbalancer._check_haproxy_status')
|
||||
@mock.patch('subprocess.check_output')
|
||||
def _test_reload(self, distro, mock_subprocess, mock_haproxy_status,
|
||||
mock_vrrp, mock_exists, mock_listdir):
|
||||
@mock.patch('octavia.amphorae.backends.utils.haproxy_query.HAProxyQuery')
|
||||
def _test_reload(self, distro, mock_haproxy_query, mock_subprocess,
|
||||
mock_haproxy_status, mock_vrrp, mock_exists,
|
||||
mock_listdir):
|
||||
|
||||
self.assertIn(distro, [consts.UBUNTU, consts.CENTOS])
|
||||
|
||||
|
@ -64,8 +64,9 @@ class ListenerTestCase(base.TestCase):
|
||||
@mock.patch('octavia.amphorae.backends.agent.api_server.loadbalancer.'
|
||||
'Loadbalancer._check_lb_exists')
|
||||
@mock.patch('subprocess.check_output')
|
||||
def test_start_stop_lb(self, mock_check_output, mock_lb_exists,
|
||||
mock_path_exists, mock_vrrp_update,
|
||||
@mock.patch('octavia.amphorae.backends.utils.haproxy_query.HAProxyQuery')
|
||||
def test_start_stop_lb(self, mock_haproxy_query, mock_check_output,
|
||||
mock_lb_exists, mock_path_exists, mock_vrrp_update,
|
||||
mock_check_status):
|
||||
listener_id = uuidutils.generate_uuid()
|
||||
|
||||
|
@ -143,3 +143,19 @@ class QueryTestCase(base.TestCase):
|
||||
'description': '', 'Release_date': '2014/07/25'},
|
||||
self.q.show_info()
|
||||
)
|
||||
|
||||
def test_save_state(self):
|
||||
filename = 'state_file'
|
||||
|
||||
query_mock = mock.Mock()
|
||||
query_mock.return_value = 'DATA'
|
||||
|
||||
self.q._query = query_mock
|
||||
|
||||
with mock.patch('builtins.open') as mock_open:
|
||||
mock_fh = mock.MagicMock()
|
||||
mock_open().__enter__.return_value = mock_fh
|
||||
|
||||
self.q.save_state(filename)
|
||||
|
||||
mock_fh.write.assert_called_once_with('DATA')
|
||||
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
issues:
|
||||
- |
|
||||
When using a distribution with a recent SELinux release such as CentOS 8
|
||||
Stream, PING health-monitor does not work as shell_exec_t calls are denied
|
||||
by SELinux.
|
Loading…
x
Reference in New Issue
Block a user