Greg Padgett has uploaded a new change for review. Change subject: agent, broker: run daemons as vdsm:kvm ......................................................................
agent, broker: run daemons as vdsm:kvm

Run the daemons as the vdsm user and kvm group in order to avoid permissions issues writing to nfs shares.

Change-Id: Ib031ea5e0ffe365af3fdd323e303c1bdbc2d1ce9
Signed-off-by: Greg Padgett <[email protected]>
---
M Makefile.am
M configure.ac
M ovirt-hosted-engine-ha.spec.in
M ovirt_hosted_engine_ha/agent/agent.py
M ovirt_hosted_engine_ha/agent/constants.py.in
M ovirt_hosted_engine_ha/broker/broker.py
M ovirt_hosted_engine_ha/broker/constants.py.in
A sudoers/Makefile.am
A sudoers/sudoers.in
9 files changed, 103 insertions(+), 4 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-hosted-engine-ha refs/changes/00/17800/1

diff --git a/Makefile.am b/Makefile.am
index f451d55..e231b81 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -50,6 +50,7 @@
 	initscripts \
 	build \
 	ovirt_hosted_engine_ha \
+	sudoers \
 	$(NULL)
 
 dist_noinst_DATA = \
diff --git a/configure.ac b/configure.ac
index 31f7961..ed845c0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,6 +59,12 @@
 AM_PATH_PYTHON([2.6],, [AC_MSG_ERROR([Cannot find python])])
 
+AC_PATH_PROG([SERVICE_PATH], [service], [/sbin/service])
+
+# User/group must match those in vdsm package
+AC_SUBST([VDSM_USER], [vdsm])
+AC_SUBST([VDSM_GROUP], [kvm])
+
 AC_SUBST([engine_ha_bindir], ['${pkgdatadir}'])
 AC_SUBST([engine_ha_confdir], ['${sysconfdir}/${PACKAGE_NAME}'])
 AC_SUBST([engine_ha_libdir], ['${pythondir}/ovirt_hosted_engine_ha'])
@@ -78,5 +84,6 @@
 	ovirt_hosted_engine_ha/broker/Makefile
 	ovirt_hosted_engine_ha/broker/submonitors/Makefile
 	ovirt_hosted_engine_ha/lib/Makefile
+	sudoers/Makefile
 ])
 AC_OUTPUT
diff --git a/ovirt-hosted-engine-ha.spec.in b/ovirt-hosted-engine-ha.spec.in
index 8c62e76..0036d94 100644
--- a/ovirt-hosted-engine-ha.spec.in
+++ b/ovirt-hosted-engine-ha.spec.in
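Review bot: `AC_PATH_PROG([SERVICE_PATH], [service], [/sbin/service])` resolves the path on the build host, and that value is then substituted into a sudoers command spec that sudo matches by exact path, so a package built where `service` lives at `/usr/sbin/service` and installed on a host that has it at `/sbin/service` (or the reverse) leaves the rule silently unmatched, with no error at build or install time. Recording the coupling above the macro, e.g. `# Substituted into sudoers; must equal the service path on the target host`, makes the dependency visible, and an `AC_ARG_WITH([service-path], ...)` override would let the packager pin it per target instead of trusting the build machine. The `VDSM_USER`/`VDSM_GROUP` values carry a comment but no override; declaring them with `AC_ARG_VAR` would let them be set at configure time without editing this file.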
@@ -25,6 +25,9 @@
 %global engine_ha_logdir @ENGINE_HA_LOGDIR@
 %global engine_ha_rundir @ENGINE_HA_RUNDIR@
 
+%global vdsm_user @VDSM_USER@
+%global vdsm_group @VDSM_GROUP@
+
 %if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
 %global with_systemd 1
 %endif
@@ -88,15 +91,14 @@
 install -Dm 0755 initscripts/ovirt-ha-broker.init %{buildroot}%{_initrddir}/ovirt-ha-broker
 %endif
 
+install -dDm 0750 %{buildroot}%{_sysconfdir}/sudoers.d
+install -Dm 0440 sudoers/sudoers %{buildroot}%{_sysconfdir}/sudoers.d/60_ovirt-ha
+
 %files
 %defattr(-, root, root, -)
 %doc COPYING
 %doc README
-
-%dir %{engine_ha_logdir}
-
-%ghost %dir %{engine_ha_rundir}
 
 %dir %{engine_ha_confdir}
 %config %{engine_ha_confdir}/agent-log.conf
@@ -119,6 +121,13 @@
 %{_initrddir}/ovirt-ha-broker
 %endif
 
+%{_sysconfdir}/sudoers.d/60_ovirt-ha
+
+
+%defattr(-, %{vdsm_user}, %{vdsm_group}, -)
+%dir %{engine_ha_logdir}
+%ghost %dir %{engine_ha_rundir}
+
 %post
 %if 0%{?with_systemd}
diff --git a/ovirt_hosted_engine_ha/agent/agent.py b/ovirt_hosted_engine_ha/agent/agent.py
index 71a7c40..387d72e 100644
--- a/ovirt_hosted_engine_ha/agent/agent.py
+++ b/ovirt_hosted_engine_ha/agent/agent.py
@@ -21,10 +21,12 @@
 import ConfigParser
 import daemon
+import grp
 import logging
 import logging.config
 from optparse import OptionParser
 import os
+import pwd
 import signal
 import sys
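Review bot: `%defattr(-, %{vdsm_user}, %{vdsm_group}, -)` in the third spec hunk makes the ownership of the log and run directories depend on the vdsm account already existing when the files are laid down; if this spec does not already order itself after the package that creates that account (its Requires lines are outside these hunks, so I cannot confirm), rpm falls back to root ownership with only a warning, and the daemons then cannot write their logs once they drop privileges. Add `Requires(pre): vdsm` (or whichever package owns the account) alongside the existing dependencies so the ordering is guaranteed. The new sudoers fragment is listed as a plain file in the same hunk; `%config %{_sysconfdir}/sudoers.d/60_ovirt-ha` would keep local edits from being overwritten on upgrade, consistent with the `%config` lines already used for the conf files. Giving the two directories an explicit mode instead of `-`, e.g. `%dir %attr(0755, %{vdsm_user}, %{vdsm_group}) %{engine_ha_logdir}`, would also stop the mode from depending on the buildroot umask.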
@@ -54,13 +56,23 @@
         if os.geteuid() != 0:
             raise Exception("This program must be run as root")
 
+        vdsm_uid = pwd.getpwnam(constants.VDSM_USER).pw_uid
+        vdsm_gid = grp.getgrnam(constants.VDSM_GROUP).gr_gid
+
         self._log.debug("Writing pid file")
         util.mkdir_recursive(os.path.dirname(constants.PID_FILE))
+        os.chown(os.path.dirname(constants.PID_FILE), vdsm_uid, vdsm_gid)
         with open(constants.PID_FILE, 'w') as f:
             f.write(str(os.getpid()) + "\n")
         # FIXME exit if another ha-agent instance is already running...
         # can use python-lockfile since it's already available
+
+        self._log.debug("Running as %s:%s (%d:%d)",
+                        constants.VDSM_USER, constants.VDSM_GROUP,
+                        vdsm_uid, vdsm_gid)
+        os.setgid(vdsm_gid)
+        os.setuid(vdsm_uid)
 
         if options.daemon:
             self._log.debug("Running agent as daemon")
@@ -70,6 +82,7 @@
             logs.extend([x.socket for x in logging.getLogger().handlers
                          if hasattr(x, "socket")])
             self._log.debug("Preserving {0}".format(logs))
+
             with daemon.DaemonContext(signal_map=self._get_signal_map(),
                                       files_preserve=logs):
                 self._run_agent()
diff --git a/ovirt_hosted_engine_ha/agent/constants.py.in b/ovirt_hosted_engine_ha/agent/constants.py.in
index ecc05fe..fe7717e 100644
--- a/ovirt_hosted_engine_ha/agent/constants.py.in
+++ b/ovirt_hosted_engine_ha/agent/constants.py.in
@@ -39,6 +39,9 @@
 INTERMITTENT_LOG_INTERVAL_SECS = 900
 MAX_VDSM_WAIT_SECS = 15
 
+VDSM_USER = '@VDSM_USER@'
+VDSM_GROUP = '@VDSM_GROUP@'
+
 # See http://www.gnu.org/software/automake/manual/html_node/Scripts.html
 LOG_CONF_FILE = '@ENGINE_HA_CONFDIR@/agent-log.conf'
 LOG_FILE = '@ENGINE_HA_LOGDIR@/agent.log'
diff --git a/ovirt_hosted_engine_ha/broker/broker.py b/ovirt_hosted_engine_ha/broker/broker.py
index 4316274..69eeec4 100644
--- a/ovirt_hosted_engine_ha/broker/broker.py
+++ b/ovirt_hosted_engine_ha/broker/broker.py
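Review bot: The privilege drop after the FIXME comments is incomplete, because `os.setgid`/`os.setuid` leave the process's supplementary group list untouched, so whatever groups root started with stay in effect after the switch to vdsm; the identical sequence appears in the broker.py hunk and needs the same change. Insert `os.setgroups([])` before `os.setgid(vdsm_gid)` (it exists on the Python 2.6 this project configures for), and follow the drop with a check such as `if os.getuid() != vdsm_uid or os.getgid() != vdsm_gid: raise Exception("failed to drop privileges")` so a partial drop is fatal rather than silent. `pwd.getpwnam`/`grp.getgrnam` raise a bare `KeyError` when the vdsm account is absent; wrapping them to name the missing account, in the style of the existing root check, would make that failure diagnosable from the log. A one-line comment above `os.chown` noting that the pid file itself is still written as root and relies on every start running as root before the drop would save the next reader the question. The enclosing method starts outside this hunk.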
@@ -22,10 +22,12 @@
 import ConfigParser
 import daemon
 import errno
+import grp
 import logging
 import logging.config
 from optparse import OptionParser
 import os
+import pwd
 import select
 import signal
 import sys
@@ -61,13 +63,23 @@
         if os.geteuid() != 0:
             raise Exception("This program must be run as root")
 
+        vdsm_uid = pwd.getpwnam(constants.VDSM_USER).pw_uid
+        vdsm_gid = grp.getgrnam(constants.VDSM_GROUP).gr_gid
+
         self._log.debug("Writing pid file")
         util.mkdir_recursive(os.path.dirname(constants.PID_FILE))
+        os.chown(os.path.dirname(constants.PID_FILE), vdsm_uid, vdsm_gid)
         with open(constants.PID_FILE, 'w') as f:
             f.write(str(os.getpid()) + "\n")
         # FIXME exit if another ha-broker instance is already running...
         # can use python-lockfile since it's already available
+
+        self._log.debug("Running as %s:%s (%d:%d)",
+                        constants.VDSM_USER, constants.VDSM_GROUP,
+                        vdsm_uid, vdsm_gid)
+        os.setgid(vdsm_gid)
+        os.setuid(vdsm_uid)
 
         if options.daemon:
             self._log.debug("Running broker as daemon")
@@ -77,6 +89,7 @@
             logs.extend([x.socket for x in logging.getLogger().handlers
                          if hasattr(x, "socket")])
             self._log.debug("Preserving {0}".format(logs))
+
             with daemon.DaemonContext(signal_map=self._get_signal_map(),
                                       files_preserve=logs):
                 self._run_server()
diff --git a/ovirt_hosted_engine_ha/broker/constants.py.in b/ovirt_hosted_engine_ha/broker/constants.py.in
index 196b8be..5de6b0b 100644
--- a/ovirt_hosted_engine_ha/broker/constants.py.in
+++ b/ovirt_hosted_engine_ha/broker/constants.py.in
@@ -31,6 +31,9 @@
 PID_FILE = '@ENGINE_HA_RUNDIR@/broker.pid'
 SOCKET_FILE = '@ENGINE_HA_RUNDIR@/broker.socket'
 
+VDSM_USER = '@VDSM_USER@'
+VDSM_GROUP = '@VDSM_GROUP@'
+
 HOSTED_ENGINE_BINARY = '@ENGINE_SETUP_BINDIR@/hosted-engine'
 VDS_CLIENT_DIR = '/usr/share/vdsm'
 VDS_CLIENT_SSL = True
diff --git a/sudoers/Makefile.am b/sudoers/Makefile.am
new file mode 100644
index 0000000..4e4e2ba
--- /dev/null
+++ b/sudoers/Makefile.am
@@ -0,0 +1,45 @@
+#
+# ovirt-hosted-engine-ha -- ovirt hosted engine high availability
+# Copyright (C) 2012-2013 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+#
+
+include $(top_srcdir)/build/var_subst.inc
+
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in \
+	$(NULL)
+DISTCLEANFILES = \
+	config.log \
+	$(NULL)
+CLEANFILES = \
+	sudoers \
+	$(NULL)
+
+nodist_noinst_DATA = \
+	sudoers \
+	$(NULL)
+
+EXTRA_DIST = \
+	sudoers \
+	$(NULL)
+
+clean-local: \
+	$(NULL)
+
+all-local: \
+	$(DISTFILES) \
+	$(NULL)
diff --git a/sudoers/sudoers.in b/sudoers/sudoers.in
new file mode 100644
index 0000000..528b8a6
--- /dev/null
+++ b/sudoers/sudoers.in
@@ -0,0 +1,5 @@
+Cmnd_Alias OVIRT_HA = \
+    @SERVICE_PATH@ vdsmd *, \
+    @SERVICE_PATH@ sanlock *
+
+@VDSM_USER@ ALL=(ALL) NOPASSWD: OVIRT_HA
-- 
To view, visit http://gerrit.ovirt.org/17800
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib031ea5e0ffe365af3fdd323e303c1bdbc2d1ce9
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-hosted-engine-ha
Gerrit-Branch: master
Gerrit-Owner: Greg Padgett <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
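Review bot: Both entries in the `Cmnd_Alias` of sudoers.in end in a bare `*`, which sudoers matches against the whole remaining argument string, so the grant covers `service vdsmd` and `service sanlock` with any arguments at all rather than the one or two actions the daemons presumably need. Enumerating the actions actually invoked, e.g. `@SERVICE_PATH@ vdsmd restart, \` and `@SERVICE_PATH@ sanlock restart`, adding `start`/`stop`/`status` only where a caller needs them, keeps the grant auditable; the code path that calls sudo is not part of this change, so I cannot confirm which actions those are. A daemon running as `@VDSM_USER@` has no controlling terminal, so on hosts whose sudoers keeps `Defaults requiretty` the rule is refused outright; a `Defaults:@VDSM_USER@ !requiretty` line in the same fragment addresses that without relaxing it for other users. A short header comment stating what the fragment is for and which package is expected to create the user would help whoever audits `/etc/sudoers.d` later.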
