Hi,

I split the patch.

(2010/07/07 17:59), Dejan Muhamedagic wrote:
Hi,

On Tue, Jul 06, 2010 at 08:52:12PM +0200, Lars Ellenberg wrote:
On Tue, Jul 06, 2010 at 06:36:14PM +0200, Dejan Muhamedagic wrote:
Hi Yuusuke-san,

On Wed, Jun 30, 2010 at 08:00:18PM +0900, Yuusuke IIDA wrote:
Hi,

I revised the anything RA, adding some functions.

The list of changes is as follows.
  * I added an option to choose whether a login shell is used, for when you want
to let a command inherit the environment variables of the Resource Agent.

OK, I assume that this may be useful at times. Though I'm not
very happy with the new parameter name, I couldn't come up with
another one. The big difference is, I guess, that the .profile
files are sourced. Perhaps name it just "login_shell"?

the difference is that su - user clears the environment first
(and then re-populates it from where that user usually gets his environment),
su user (no dash) does not clear, but inherit the current environment.

OK.

  * I revised it to adequately handle escape characters in a string set by
cmdline_options, such as the following.
   --- for example: ---
     primitive AAAAA ocf:heartbeat:anything \
       params \
         binfile="XXXXX" \
         cmdline_options="-V -c \"openssl des-ede3 -d -base64 -k 'yy y'\" -i" \
   --- ---

Uh, this escaping gives me a headache.

should this not be much easier by doing
- cmd="su -c \"$variables\""
+ cmd="su -c '$variables'"
  ?
no escaping by sed necessary,
except maybe (if you are paranoid)
escaping of ' itself:
sed -e "s/'/'\\\\''/"

Good, I'd really rather avoid trying to escape stuff in the user
data if possible. Yuusuke-san, can you please test and see if
this works for you. Then we can perhaps advise accordingly in the
meta-data.

I tested this processing.
There was not a problem.

Many thanks,
Yuusuke.

As long as we do cmd="su -c \"$variable\"", it is not sufficient to
escape \ (as the proposed patch by Yuusuke-san does), actually you'd
need to escape ` and $ and various other things as well.
Unless you consider it a feature that these would be
expanded already in the context of the eval running as root,
not in the context of the su $user nohup.
Which is (as it is now) a potential "root exploit",
once you start taking "cib admin != cluster root" seriously.
which is not really sensible to do IMO, anyways. But I digress.

Hm. Maybe we should move the eval into that context, anyways?
sort of
  cmd="eval '${supposedly_properly_escaped_variable}'"
  su ... -c "$cmd" ?

Hmm, I hope that the users could skip the acrobatics and do the
processing elsewhere if absolutely needed.

But, for the record:

The line says:

+cmdline_options=`... | sed 's/\\\/\\\\\\\/g' | ...`

How does the left side expand? Shouldn't that be an even number
of backslashes? The right side also has 7 backslashes.

the first "stripping" of \ is done by the shell,
before feeding the whole thing to the `` subshell.
And the \ quoting within `` is subtle:
        backslash retains its literal meaning except when followed by $, `, or \
so those \/ combinations could have been written as \\/ as well
(if only to reduce the headache of the reader, slightly)
but need not be.  BTW, that is one of the differences between `` and $() ...
yep, it's not pretty, but "correct", though not necessarily consistent
between various shells and versions :(

god, I hate it when I know these useless facts from the top of my head,
I wish I had done less shell coding ;-)

:)

Cheers,

Dejan

  * Strip off the trailing clone marker.
   - quoted from the following:
http://hg.clusterlabs.org/pacemaker/stable-1.0/file/94515b3503b5/extra/resources/Dummy#l143

OK.

Can you please split the patch in three parts, so that we have
unrelated changes in single patches.

Yes, please ;-)

--
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/


--
----------------------------------------
METRO SYSTEMS CO., LTD

YuusukeIida
Mail: iiday...@intellilink.co.jp
----------------------------------------
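
The quoting difference discussed in this thread, as an added example that is not part of the original messages or of the `anything` agent. `sh -c` stands in for `su $user -c` so it runs without root, and `sq_escape`, `start_double`, `start_single` and the `WHO` marker are hypothetical names.

```shell
#!/bin/sh
# Added example; sh -c stands in for "su $user -c" so no root is needed.
# WHO marks which shell expanded the value: "outer" is the shell running
# eval (root in the agent), "inner" is the shell started for the user.
WHO=outer

# sq_escape (hypothetical helper): make a string safe between '...'
# by rewriting each ' as '\'' ; no other character is special there.
sq_escape() {
	printf '%s\n' "$1" | sed "s/'/'\\\\''/g"
}

# Value placed inside escaped double quotes, as in cmd="su -c \"...\"":
# eval expands $ and ` in the value in the outer shell.
start_double() {
	cmd="WHO=inner sh -c \"printf '[%s]' $1\""
	eval "$cmd"
}

# Value placed inside single quotes, as in cmd="su -c '...'":
# eval passes it through untouched and the inner shell expands it.
start_single() {
	cmd="WHO=inner sh -c 'printf \"[%s]\" $(sq_escape "$1")'"
	eval "$cmd"
}

# Constructed sample value, modelled on the cmdline_options in the thread.
opts="-k 'yy y' \$WHO"
echo "double: $(start_double "$opts")"
echo "single: $(start_single "$opts")"
```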

diff -r 8cb5ba3e1d97 heartbeat/anything
--- a/heartbeat/anything	Fri Jun 25 19:54:24 2010 +0200
+++ b/heartbeat/anything	Wed Jul 07 14:42:44 2010 +0900
@@ -46,6 +46,7 @@
 # does something and then exits.
 
 # Initialization:
+: ${OCF_RESKEY_login_shell:="true"}
 : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/resource.d/heartbeat}
 . ${OCF_FUNCTIONS_DIR}/.ocf-shellfuncs
 
@@ -74,14 +75,14 @@
 		if [ -n "$logfile" -a -n "$errlogfile" ]
 		then
 			# We have logfile and errlogfile, so redirect STDOUT und STDERR to different files
-			cmd="su - $user -c \"nohup $binfile $cmdline_options >> $logfile 2>> $errlogfile & \"'echo \$!' "
+			cmd="su $login_shell $user -c \"nohup $binfile $cmdline_options >> $logfile 2>> $errlogfile & \"'echo \$!' "
 		else if [ -n "$logfile" ]
 			then
 				# We only have logfile so redirect STDOUT and STDERR to the same file
-				cmd="su - $user -c \"nohup $binfile $cmdline_options >> $logfile 2>&1 & \"'echo \$!' "
+				cmd="su $login_shell $user -c \"nohup $binfile $cmdline_options >> $logfile 2>&1 & \"'echo \$!' "
 			else
 				# We have neither logfile nor errlogfile, so we're not going to redirect anything
-				cmd="su - $user -c \"nohup $binfile $cmdline_options & \"'echo \$!'"
+				cmd="su $login_shell $user -c \"nohup $binfile $cmdline_options & \"'echo \$!'"
 			fi
 		fi
 		ocf_log debug "Starting $process: $cmd"
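
Review bot: the three `cmd=` assignments now repeat the same `su $login_shell $user -c` prefix and differ only in their redirection, so the login/non-login switch has to be kept in sync in three places. Build the redirection suffix in one variable and keep a single `su` line. The `$cmdline_options` expansion inside the escaped double quotes is unchanged in all three branches, so the quoting concern raised in the thread still applies here.
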
@@ -174,6 +175,11 @@
 logfile="$OCF_RESKEY_logfile"
 errlogfile="$OCF_RESKEY_errlogfile"
 user="$OCF_RESKEY_user"
+if ocf_is_true "$OCF_RESKEY_login_shell"; then
+	login_shell="-"
+else
+	login_shell=""
+fi
 [ -z "$user" ] && user=root
 
 anything_validate() {
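
Review bot: the `if ocf_is_true "$OCF_RESKEY_login_shell"` block sends every value that is not recognised as true to `login_shell=""`, so a mistyped value silently selects the `su` form that inherits the agent's environment. Check the parameter in `anything_validate` and report an unrecognised value instead of falling through to the else branch.
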
@@ -268,6 +274,13 @@
 <shortdesc lang="en">Seconds to wait after having sent SIGTERM before sending SIGKILL in stop operation</shortdesc>
 <content type="string" default=""/>
 </parameter>
+<parameter name="login_shell">
+<longdesc lang="en">
+It is setting to decide whether you use a login shell in a user carrying out a command.
+</longdesc>
+<shortdesc lang="en">Setting whether or not I use a login shell</shortdesc>
+<content type="string" default="true"/>
+</parameter>
 </parameters>
 <actions>
 <action name="start"   timeout="20s" />
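
Review bot: the new `login_shell` parameter is declared with `content type="string"` although the agent evaluates it with `ocf_is_true`; `type="boolean"` would describe it accurately. The longdesc should also state what actually changes, as explained in the thread: with a login shell (`su -`) the environment is cleared and rebuilt for the user, without it the command inherits the agent's current environment.
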

diff -r 8cb5ba3e1d97 heartbeat/anything
--- a/heartbeat/anything	Fri Jun 25 19:54:24 2010 +0200
+++ b/heartbeat/anything	Wed Jul 07 14:45:45 2010 +0900
@@ -165,8 +165,14 @@
 	fi
 }
 
-# FIXME: Attributes special meaning to the resource id
-process="$OCF_RESOURCE_INSTANCE"
+: ${OCF_RESKEY_CRM_meta_globally_unique:="true"}
+
+if [ ${OCF_RESKEY_CRM_meta_globally_unique} = "false" ]; then
+	# Strip off the trailing clone marker
+	process=`echo ${OCF_RESOURCE_INSTANCE} | sed s/:[0-9][0-9]//`
+else
+	process="$OCF_RESOURCE_INSTANCE"
+fi
 binfile="$OCF_RESKEY_binfile"
 cmdline_options="$OCF_RESKEY_cmdline_options"
 pidfile="$OCF_RESKEY_pidfile"
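
Review bot: the `sed s/:[0-9][0-9]//` expression on the new `process=` line needs two digits after the colon and is not anchored, so a single-digit marker such as `:0` is left in place and a `:NN` in the middle of the name would be removed. Quote and anchor the script, for example `sed 's/:[0-9][0-9]*$//'`, and quote `${OCF_RESKEY_CRM_meta_globally_unique}` in the `[ ... ]` test so an empty value does not break it.
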

diff -r 8cb5ba3e1d97 heartbeat/anything
--- a/heartbeat/anything	Fri Jun 25 19:54:24 2010 +0200
+++ b/heartbeat/anything	Wed Jul 07 19:02:39 2010 +0900
@@ -168,7 +168,7 @@
 # FIXME: Attributes special meaning to the resource id
 process="$OCF_RESOURCE_INSTANCE"
 binfile="$OCF_RESKEY_binfile"
-cmdline_options="$OCF_RESKEY_cmdline_options"
+cmdline_options='$OCF_RESKEY_cmdline_options'
 pidfile="$OCF_RESKEY_pidfile"
 [ -z "$pidfile" ] && pidfile=${HA_VARRUN}/anything_${process}.pid
 logfile="$OCF_RESKEY_logfile"
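
Review bot: the single quotes on the new `cmdline_options=` line store the literal text `$OCF_RESKEY_cmdline_options` rather than the parameter's value, so the value only appears if a string built from `$cmdline_options` is evaluated again later, and any other use of `$cmdline_options` sees the variable name. If deferred expansion is intended, say so in a comment next to the assignment. This is also not the change suggested in the thread, which single-quoted the argument of `su -c` in `cmd`.
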
