The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/5694
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
This is a preparation branch for the RBAC branch, makes things a bit more consistent internally and also puts a restriction in place on the internal API so that it may only be called over the UNIX socket or by another cluster member, but not by a random API client.
From 76a004266a4b3d962ae37245f48747edd4f1a978 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 23 Apr 2019 22:43:40 -0400
Subject: [PATCH 1/5] lxd/api: Rename serverResources to api10Resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Making things consistent with existing commands.
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/api_1.0.go | 3 +--
lxd/resources.go | 6 +++---
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index 6f194d76f1..d3ea20ecb8 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -33,6 +33,7 @@ var api10 = []Command{
aliasCmd,
aliasesCmd,
api10Cmd,
+ api10ResourcesCmd,
certificateFingerprintCmd,
certificatesCmd,
clusterCmd,
@@ -71,8 +72,6 @@ var api10 = []Command{
profilesCmd,
projectCmd,
projectsCmd,
- serverResourceCmd,
- serverResourceCmd,
storagePoolCmd,
storagePoolResourcesCmd,
storagePoolsCmd,
diff --git a/lxd/resources.go b/lxd/resources.go
index 5d9916d162..161dbcc91a 100644
--- a/lxd/resources.go
+++ b/lxd/resources.go
@@ -10,9 +10,9 @@ import (
"github.com/lxc/lxd/shared/api"
)
-var serverResourceCmd = Command{
+var api10ResourcesCmd = Command{
name: "resources",
- get: serverResourcesGet,
+ get: api10ResourcesGet,
}
var storagePoolResourcesCmd = Command{
@@ -22,7 +22,7 @@ var storagePoolResourcesCmd = Command{
// /1.0/resources
// Get system resources
-func serverResourcesGet(d *Daemon, r *http.Request) Response {
+func api10ResourcesGet(d *Daemon, r *http.Request) Response {
// If a target was specified, forward the request to the relevant node.
response := ForwardedResponseIfTargetIsRemote(d, r)
if response != nil {
From 0f8bb153682bf63b70a2cf5c63167eaf4e2ba813 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 23 Apr 2019 22:44:14 -0400
Subject: [PATCH 2/5] lxd/api: Sort API commands list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/api_1.0.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index d3ea20ecb8..0e34ebbb8e 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -76,12 +76,12 @@ var api10 = []Command{
storagePoolResourcesCmd,
storagePoolsCmd,
storagePoolVolumesCmd,
+ storagePoolVolumeSnapshotsTypeCmd,
+ storagePoolVolumeSnapshotTypeCmd,
storagePoolVolumesTypeCmd,
storagePoolVolumeTypeContainerCmd,
storagePoolVolumeTypeCustomCmd,
storagePoolVolumeTypeImageCmd,
- storagePoolVolumeSnapshotsTypeCmd,
- storagePoolVolumeSnapshotTypeCmd,
}
func api10Get(d *Daemon, r *http.Request) Response {
From ca022cbf401dd46fcec9320a99b89ef31fc71b0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 23 Apr 2019 22:45:59 -0400
Subject: [PATCH 3/5] lxd/api: Rename snapshotHandler to
containerSnapshotHandler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/container_snapshot.go | 2 +-
lxd/containers.go | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lxd/container_snapshot.go b/lxd/container_snapshot.go
index 0d3fde4f76..bcc77a984b 100644
--- a/lxd/container_snapshot.go
+++ b/lxd/container_snapshot.go
@@ -170,7 +170,7 @@ func containerSnapshotsPost(d *Daemon, r *http.Request)
Response {
return OperationResponse(op)
}
-func snapshotHandler(d *Daemon, r *http.Request) Response {
+func containerSnapshotHandler(d *Daemon, r *http.Request) Response {
project := projectParam(r)
containerName := mux.Vars(r)["name"]
snapshotName := mux.Vars(r)["snapshotName"]
diff --git a/lxd/containers.go b/lxd/containers.go
index 271be1afb7..30aa2b6c63 100644
--- a/lxd/containers.go
+++ b/lxd/containers.go
@@ -52,10 +52,10 @@ var containerSnapshotsCmd = Command{
var containerSnapshotCmd = Command{
name: "containers/{name}/snapshots/{snapshotName}",
- get: snapshotHandler,
- post: snapshotHandler,
- delete: snapshotHandler,
- put: snapshotHandler,
+ get: containerSnapshotHandler,
+ post: containerSnapshotHandler,
+ delete: containerSnapshotHandler,
+ put: containerSnapshotHandler,
}
var containerConsoleCmd = Command{
From 573e419cac25c5c96e19d9e02434b9c08a36eb91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 23 Apr 2019 22:49:21 -0400
Subject: [PATCH 4/5] lxd/api: Rename operation functions for consistency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/operations.go | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/lxd/operations.go b/lxd/operations.go
index 8737a7aeae..dc096c617c 100644
--- a/lxd/operations.go
+++ b/lxd/operations.go
@@ -25,24 +25,24 @@ import (
var operationCmd = Command{
name: "operations/{id}",
- get: operationAPIGet,
- delete: operationAPIDelete,
+ get: operationGet,
+ delete: operationDelete,
}
var operationsCmd = Command{
name: "operations",
- get: operationsAPIGet,
+ get: operationsGet,
}
var operationWait = Command{
name: "operations/{id}/wait",
- get: operationAPIWaitGet,
+ get: operationWaitGet,
}
var operationWebsocket = Command{
name: "operations/{id}/websocket",
untrustedGet: true,
- get: operationAPIWebsocketGet,
+ get: operationWebsocketGet,
}
var operationsLock sync.Mutex
@@ -472,7 +472,7 @@ func operationCreate(cluster *db.Cluster, project string,
opClass operationClass
return &op, nil
}
-func operationGet(id string) (*operation, error) {
+func operationGetInternal(id string) (*operation, error) {
operationsLock.Lock()
op, ok := operations[id]
operationsLock.Unlock()
@@ -485,13 +485,13 @@ func operationGet(id string) (*operation, error) {
}
// API functions
-func operationAPIGet(d *Daemon, r *http.Request) Response {
+func operationGet(d *Daemon, r *http.Request) Response {
id := mux.Vars(r)["id"]
var body *api.Operation
// First check if the query is for a local operation from this node
- op, err := operationGet(id)
+ op, err := operationGetInternal(id)
if err == nil {
_, body, err = op.Render()
if err != nil {
@@ -530,11 +530,11 @@ func operationAPIGet(d *Daemon, r *http.Request) Response
{
return SyncResponse(true, body)
}
-func operationAPIDelete(d *Daemon, r *http.Request) Response {
+func operationDelete(d *Daemon, r *http.Request) Response {
id := mux.Vars(r)["id"]
// First check if the query is for a local operation from this node
- op, err := operationGet(id)
+ op, err := operationGetInternal(id)
if err == nil {
_, err = op.Cancel()
if err != nil {
@@ -573,7 +573,7 @@ func operationAPIDelete(d *Daemon, r *http.Request)
Response {
return EmptySyncResponse
}
-func operationsAPIGet(d *Daemon, r *http.Request) Response {
+func operationsGet(d *Daemon, r *http.Request) Response {
project := projectParam(r)
recursion := util.IsRecursionRequest(r)
@@ -745,7 +745,7 @@ func operationsAPIGet(d *Daemon, r *http.Request) Response {
return SyncResponse(true, md)
}
-func operationAPIWaitGet(d *Daemon, r *http.Request) Response {
+func operationWaitGet(d *Daemon, r *http.Request) Response {
id := mux.Vars(r)["id"]
timeout, err := shared.AtoiEmptyDefault(r.FormValue("timeout"), -1)
@@ -754,7 +754,7 @@ func operationAPIWaitGet(d *Daemon, r *http.Request)
Response {
}
// First check if the query is for a local operation from this node
- op, err := operationGet(id)
+ op, err := operationGetInternal(id)
if err == nil {
_, err = op.WaitFinal(timeout)
if err != nil {
@@ -841,11 +841,11 @@ func (r *forwardedOperationWebSocket) String() string {
return r.id
}
-func operationAPIWebsocketGet(d *Daemon, r *http.Request) Response {
+func operationWebsocketGet(d *Daemon, r *http.Request) Response {
id := mux.Vars(r)["id"]
// First check if the query is for a local operation from this node
- op, err := operationGet(id)
+ op, err := operationGetInternal(id)
if err == nil {
return &operationWebSocket{r, op}
}
From c44c87aa9c1bcc0c676914338be496d357dc260b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 23 Apr 2019 22:32:09 -0400
Subject: [PATCH 5/5] lxd: Don't allow remote access to internal API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
lxd/daemon.go | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 96a373869d..f15293b033 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -308,6 +308,13 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version
string, c Command) {
restAPI.HandleFunc(uri, func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
+ // Reject internal queries to remote, non-cluster, clients
+ if version == "internal" && (r.RemoteAddr != "@" &&
!isClusterNotification(r)) {
+ logger.Warn("Rejecting remote internal API request",
log.Ctx{"ip": r.RemoteAddr})
+ Forbidden(nil).Render(w)
+ return
+ }
+
// Block public API requests until we're done with basic
// initialization tasks, such setting up the cluster database.
select {
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
