Re: [Cluster-devel] [PATCH 6/6] gmanager: ra2rng.xsl: script-file: try to prevent cluster's services
Please scratch this one, was correcting a typo in the subject and this is all I got :-/ "rgmanager" one is correct... -- Jan
[Cluster-devel] [resource-agents][PATCH 0/6] rgmanager: ra2rng.xsl: build up param datatyping infra
This changeset initiates the work on more tight check of cluster schema primarily by the means of RA parameters datatyping incl. other restrictions/facets as allowed by XML Schema Datatypes and, in turn, by Relax NG schemas.

Last step demonstrates how easy it is now to add such additional metainformation per specific parameter of specific agent. Alternative would be to track this piece of information separately per each agent, but it would be more complicated and the metadata format is not ready for that anyway (even though some more selective approach to the type of parameters has been voiced recently).

Similar infrastructure can be applied to FA as well...

Jan Pokorný (6):
  rgmanager: ra2rng.xsl: extend infrastructure for XML
  rgmanager: ra2rng.xsl: make common params reuse XML pretty-print
  rgmanager: ra2rng.xsl: common params: prevent misleading combination
  rgmanager: ra2rng.xsl: control flow branches common business merge
  rgmanager: ra2rng.xsl: infra for param value datatyping/restriction
  rgmanager: ra2rng.xsl: script-file: try to prevent cluster's services

 rgmanager/src/resources/ra2rng.xsl | 443 +
 1 file changed, 297 insertions(+), 146 deletions(-)

-- 1.8.1.4
[Cluster-devel] [PATCH 5/6] rgmanager: ra2rng.xsl: infra for param value datatyping/restriction
Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 11 +++ 1 file changed, 11 insertions(+) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index 6c66ee3..b4944e7 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -69,6 +69,10 @@ + + + + @@ -361,6 +365,13 @@ 'name=',$Q, @name, $Q, $SP, 'rha:description=', $Q, normalize-space(shortdesc), $Q)"/> + -- 1.8.1.4
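Review bot: The commit message consists of the subject and the Signed-off-by line only, although the two hunks (at -69,6 and -361,6) introduce the mechanism that patch 6/6 then relies on. Please add a short body saying where the datatype/restriction for a given agent parameter is declared and at which point of the parameter output it gets emitted, so that later per-parameter additions can be reviewed against a stated contract. While touching the code next to the context line that concatenates 'rha:description=', $Q, normalize-space(shortdesc), $Q, it is also worth confirming what happens when shortdesc itself contains the quote character.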
[Cluster-devel] [PATCH 4/6] rgmanager: ra2rng.xsl: control flow branches common business merge
... two branches of non-/optional RA-specific parameter under single branch parametrized by the depth of indentation and conditionally decorated with the respective additional tag. Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 84 +++--- 1 file changed, 41 insertions(+), 43 deletions(-) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index 5addc47..6c66ee3 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -328,48 +328,46 @@ - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - + @@ -381,8 +379,8 @@ $global-indent)"/> - - + + -- 1.8.1.4
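Review bot: Nothing in the message states that the generated schema is unchanged by merging the optional and non-optional parameter branches in the hunk at -328,48, even though the description reads as a pure refactoring (41 insertions, 43 deletions). Please say that the output of ra2rng.xsl over the agents' metadata was compared before and after this patch, or include that comparison as a check. The body also starts with "..." as a continuation of the subject, so it does not read on its own wherever subject and body are shown separately.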
[Cluster-devel] [PATCH 3/6] rgmanager: ra2rng.xsl: common params: prevent misleading combination
...both @__max_restarts and @__restart_expire_time have "nonzero" values, otherwise, if either of the parameters is present, it has to have "zero" value. Every other occurrence of these two interconnected parameters for particular resource is a configuration defect, as it could lead to false assumption that one will take effect even without the other defined and nonzero. Reference: > if (restart_expire_time == 0 || max_restarts == 0) > return; > goto out_assign; [https://git.fedorahosted.org/cgit/cluster.git/tree/rgmanager/src/daemons/restree.c?h=RHEL64#n538] Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 47 +- 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index 27105a0..5addc47 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -26,12 +26,47 @@ - - - - - - +http://www.w3.org/2001/XMLSchema-datatypes";> + + + + +0 + + + + +.*[1-9][0-9]*([SsMmHhDdWwYy].*|) + + + + + + + + +0 + + + + + + + + +.*[1-9][0-9]*([SsMmHhDdWwYy].*|) + + + + + + + -- 1.8.1.4
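Review bot: The "nonzero" pattern .*[1-9][0-9]*([SsMmHhDdWwYy].*|) in the added lines begins with an unrestricted .*, so it accepts any prefix in front of the first nonzero digit (for instance "-5" or "x5"), while the "zero" side is the single literal 0. A zero written as "00" or with a unit suffix such as "0s", which the suffix group suggests is a legal way to write a time, matches neither and would be refused even though it falls under the restart_expire_time == 0 case of the quoted restree.c check. Please either tighten the prefix and widen the zero form, or state in the message that only the literal 0 is meant to be accepted. The same pattern also appears twice in the hunk; a single named definition referenced from both places would keep the two from drifting apart.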
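Added example, not part of the original patch or of the project's code: the rule from the commit message above, applied as a stand-alone lint using the literal 0 and the pattern visible in the hunk. The XML fragment, its element names and resource names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Literal and pattern as they appear in the patch; XSD patterns are implicitly
# anchored at both ends, which re.fullmatch() reproduces.
ZERO = "0"
NONZERO = re.compile(r".*[1-9][0-9]*([SsMmHhDdWwYy].*|)")


def classify(value):
    """Map an attribute value to absent / zero / nonzero / invalid."""
    if value is None:
        return "absent"
    if value == ZERO:
        return "zero"
    return "nonzero" if NONZERO.fullmatch(value) else "invalid"


def restart_pair_ok(max_restarts, expire_time):
    """Commit-message rule: both nonzero, or every present value is zero."""
    kinds = {classify(max_restarts), classify(expire_time)}
    if "invalid" in kinds:
        return False
    return kinds == {"nonzero"} or "nonzero" not in kinds


# Constructed sample, not a real configuration.
SAMPLE = """
<service name="web">
  <script name="a" __max_restarts="3" __restart_expire_time="5m"/>
  <script name="b" __max_restarts="3"/>
  <script name="c" __max_restarts="0" __restart_expire_time="0"/>
  <script name="d" __max_restarts="2" __restart_expire_time="0"/>
  <script name="e" __restart_expire_time="0s"/>
</service>
"""


def lint(xml_text):
    """Return the names of resources whose restart parameters are a defect."""
    flagged = []
    for el in ET.fromstring(xml_text.strip()).iter():
        pair = (el.get("__max_restarts"), el.get("__restart_expire_time"))
        if not restart_pair_ok(*pair):
            flagged.append(el.get("name"))
    return flagged


if __name__ == "__main__":
    print(lint(SAMPLE))
```

Resource "e" is flagged because "0s" is neither the literal 0 nor a match for the nonzero pattern.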
[Cluster-devel] [PATCH 6/6] rgmanager: ra2rng.xsl: script-file: try to prevent cluster's services
Note that, AFAIK, "file" parameter to "script" can be arbitrary string with a logical limitation to be something (builtins, aliases, etc. not excluded) that will run when pasted verbatim to the bash prompt (with no quotes added) followed by the desired action and when fired it will eventually proceed something. Hence any leading/trailing whitespace really does not matter. The restriction being added establishes this automatically by using "token" datatype, but unfortunately libxml2 currently contains a bug leading to not dropping such whitespace correctly before applying additional facet checking (here: pattern) [1]. Until libxml2 is fixed, the restriction will miss cases where "file" starts/ends with ballast whitespace. Also note that this restriction can be easily bypassed by, e.g., using ":; /etc/init.d/cman", but its purpose is to prevent from random mis-writing "cman" instead of the desired service. [1] https://mail.gnome.org/archives/xml/2013-November/msg00024.html Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 13 + 1 file changed, 13 insertions(+) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index b4944e7..e64ac06 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -71,6 +71,19 @@ + + + + + + + +/etc/(rc\.d/)?init\.d/(cman|modclusterd|rgmanager|ricci)(\s.*|) + + + + + -- 1.8.1.4
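Review bot: The limits of the pattern /etc/(rc\.d/)?init\.d/(cman|modclusterd|rgmanager|ricci)(\s.*|) are explained only in the commit message, not next to the pattern in the added lines at -71,6. Please put a comment beside it saying that it is a guard against mistyping a cluster service name rather than an enforcement boundary, that it covers only the two absolute init.d path forms, and that the whitespace caveat depends on the libxml2 report referenced as [1], so the note can be dropped once that is fixed. Someone reading the generated schema later will not have this message at hand.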
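Added example, not part of the original patch or of the project's code: a stand-alone model of the restriction described above, showing which "file" values the pattern from the hunk refuses when "token" whitespace handling is applied and when the pattern sees the raw string, as in the libxml2 behaviour the message mentions. The helper names and sample values are made up for illustration, apart from the ":; /etc/init.d/cman" value quoted from the message.

```python
import re

# Pattern copied from the patch. XSD patterns are implicitly anchored at both
# ends (hence re.fullmatch below); re.ASCII keeps \s close to the XSD meaning.
FORBIDDEN = re.compile(
    r"/etc/(rc\.d/)?init\.d/(cman|modclusterd|rgmanager|ricci)(\s.*|)",
    re.ASCII)


def xsd_token(value):
    """xsd:token whitespace handling: collapse runs to one space, trim ends."""
    return " ".join(part for part in re.split(r"[ \t\r\n]+", value) if part)


def is_rejected(value, normalize=True):
    """True if the restriction would refuse this "file" value.

    normalize=False models a validator that applies the pattern facet to the
    raw string, i.e. without the whitespace handling "token" calls for.
    """
    candidate = xsd_token(value) if normalize else value
    return FORBIDDEN.fullmatch(candidate) is not None


# Constructed sample values.
SAMPLES = [
    "/etc/init.d/cman",
    "/etc/rc.d/init.d/rgmanager",
    "/etc/init.d/ricci   --some-arg",
    "/etc/init.d/httpd",          # unrelated service, allowed
    "/etc/init.d/cmanager",       # different name sharing a prefix, allowed
    "  /etc/init.d/cman",         # leading whitespace
    ":; /etc/init.d/cman",        # form quoted in the commit message
]


def report(normalize=True):
    """Map every sample to the verdict of the restriction."""
    return {value: is_rejected(value, normalize) for value in SAMPLES}


if __name__ == "__main__":
    for value, verdict in report().items():
        print("%-34r rejected=%s" % (value, verdict))
    print("raw-string model, leading whitespace:",
          is_rejected("  /etc/init.d/cman", normalize=False))
```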
[Cluster-devel] [PATCH 1/6] rgmanager: ra2rng.xsl: extend infrastructure for XML
+ tag-self named template (originally for "self-closed") renamed just to tag as now it's able to recursively dump also the nested >forrest< as passed with fill-with parameter, i.e., the resulting output tag is not necessarily self-closed + tag-end named template doesn't take attrs parameter (apparently no used for that, was just copy-paste of tag-start) + normalize-space at certain places so as to canonicalize the output The infrastructure itself was started with commit 008c3f6: rgmanager: ra2rng.xsl: parametrize and make more flexible Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 267 - 1 file changed, 201 insertions(+), 66 deletions(-) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index e53595e..046371e 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -4,12 +4,12 @@ exclude-result-prefixes="int"> - - + + @@ -59,53 +59,144 @@ - - - + + + + - + + + + + + + + + + + - - - + + + + - + - - - - + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -142,22 +233,27 @@ - + - + - + @@ -166,37 +262,47 @@ rgmanager specific stuff - + - + - + - + - + @@ -204,13 +310,16 @@ - + - + @@ -218,28 +327,37 @@ - + - + - + -
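Review bot: The message lists three independent changes (tag-self renamed to tag and made recursive via fill-with, the attrs parameter dropped from tag-end, and normalize-space added "at certain places") in one patch of 201 insertions and 66 deletions. The normalize-space part changes the generated output while the other two are structural, so please split it out, or at least name the places where it was added, so that a change in the emitted schema can be traced to one commit.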
[Cluster-devel] [PATCH 2/6] rgmanager: ra2rng.xsl: make common params reuse XML pretty-print
Signed-off-by: Jan Pokorný --- rgmanager/src/resources/ra2rng.xsl | 91 +++--- 1 file changed, 25 insertions(+), 66 deletions(-) diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl index 046371e..27105a0 100644 --- a/rgmanager/src/resources/ra2rng.xsl +++ b/rgmanager/src/resources/ra2rng.xsl @@ -1,6 +1,7 @@ http://www.w3.org/1999/XSL/Transform"; xmlns:int="__internal__" + xmlns:rha="http://redhat.com/~pkennedy/annotation_namespace/cluster_conf_annot_namespace"; exclude-result-prefixes="int"> @@ -13,39 +14,24 @@ --> - - -Treat this and all children as an independent subtree. - - - - -Consider a timeout for operations as fatal. - - - - -Maximum number of failures before returning a failure to -a status check. - - - - -Amount of time before a failure is forgotten. - - - - -Maximum number restarts for an independent subtree before -giving up. - - - - -Amount of time before a failure is forgotten for -an independent subtree. - - + + + + + + + + + + + + + + + + + + @@ -381,40 +367,13 @@ select="concat($global-init-indent, $global-indent)"/> - - - - - - - - - - - - - - - - - - - - - - - - + + + + + -- 1.8.1.4
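Review bot: The hunk at -13,39 removes the six human-readable descriptions of the common parameters ("Treat this and all children as an independent subtree." through "Amount of time before a failure is forgotten for an independent subtree."), and the message has no body saying where that text goes. The added xmlns:rha declaration suggests the descriptions move into rha: annotations; please state that in the message and confirm that all six texts survive in the generated schema, since tools reading the annotations depend on them.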
[Cluster-devel] [PATCH 1/2] fence_ipmilan: port to fencing library
Port of fence_ipmilan to fencing library. --- fence/agents/ipmilan/fence_ipmilan.py | 207 ++ 1 file changed, 207 insertions(+) create mode 100644 fence/agents/ipmilan/fence_ipmilan.py diff --git a/fence/agents/ipmilan/fence_ipmilan.py b/fence/agents/ipmilan/fence_ipmilan.py new file mode 100644 index 000..1cb26d0 --- /dev/null +++ b/fence/agents/ipmilan/fence_ipmilan.py 
@@ -0,0 +1,207 @@ +#!/usr/bin/python + +import sys, shlex, stat, subprocess, re, os +from pipes import quote +sys.path.append("@FENCEAGENTSLIBDIR@") +from fencing import * + +#BEGIN_VERSION_GENERATION +RELEASE_VERSION="" +REDHAT_COPYRIGHT="" +BUILD_DATE="" +#END_VERSION_GENERATION + +def get_power_status(_, options): + +cmd = create_command(options, "status") + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +try: +process = subprocess.Popen(shlex.split(cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE) +except OSError: +fail_usage("Ipmitool not found or not accessible") + +process.wait() + +out = process.communicate() +process.stdout.close() + +match = re.search('[Cc]hassis [Pp]ower is [\\s]*([a-zA-Z]{2,3})', str(out)) +status = match.group(1) if match else None + +return status + +def set_power_status(_, options): + +cmd = create_command(options, options["--action"]) + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +null = open('/dev/null', 'w') +try: +process = subprocess.Popen(shlex.split(cmd), stdout=null, stderr=null) +except OSError: +null.close() +fail_usage("Ipmitool not found or not accessible") + +process.wait() +null.close() + +return + +def reboot_cycle(_, options): +cmd = create_command(options, "cycle") + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +try: +process = subprocess.Popen(shlex.split(cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE) +except OSError: +fail_usage("Ipmitool not found or not accessible") + +process.wait() + +out = process.communicate() +process.stdout.close() + +return bool(re.search('chassis power control: cycle', str(out).lower())) + +def is_executable(path): + if os.path.exists(path): + stats = os.stat(path) + if stat.S_ISREG(stats.st_mode) and os.access(path, os.X_OK): + return True + return False + +def create_command(options, action): +cmd = 
options["--ipmitool-path"] + +# --lanplus / -L +if options.has_key("--lanplus") and options["--lanplus"] in ["", "1"]: +cmd += " -I lanplus" +else: +cmd += " -I lan" +# --ip / -a +cmd += " -H " + options["--ip"] + +# --username / -l +if options.has_key("--username") and len(options["--username"]) != 0: +cmd += " -U " + quote(options["--username"]) + +# --auth / -A +if options.has_key("--auth"): +cmd += " -A " + options["--auth"] + +# --password / -p +if options.has_key("--password"): +cmd += " -P " + quote(options["--password"]) + +# --cipher / -C +cmd += " -C " + options["--cipher"] + +# --port / -n +if options.has_key("--ipport"): +cmd += " -p " + options["--ipport"] + +if options.has_key("--privlvl"): +cmd += " -L " + options["--privlvl"] + +# --action / -o +cmd += " chassis power " + action + + # --use-sudo / -d +if options.has_key("--use-sudo"): +cmd = SUDO_PATH + " " + cmd + +return cmd + +def define_new_opts(): +all_opt["lanplus"] = { +"getopt" : "L", +"longopt" : "lanplus", +"help" : "-L, --lanplus Use Lanplus to improve security of connection", +"required" : "0", +"default" : "0", +"shortdesc" : "Use Lanplus to improve security of connection", +"order": 1 +} +all_opt["auth"] = { +"getopt" : "A:", +"longopt" : "auth", +"help" : "-A, --auth=[auth] IPMI Lan Auth type (md5|password|none)", +"required" : "0", +"shortdesc" : "IPMI Lan Auth type.", +"default" : "none", +"choices" : ["md5", "password", "none"], +"order": 1 +} +all_opt["cipher"] = { +"getopt" : "C:", +"longopt" : "cipher", +"help" : "-C, --cipher=[cipher] Ciphersuite to use (same as ipmitool -C parameter)", +"required" : "0", +"shortdesc" : "Ciphersuite to use (same as ipmitool -C parameter)", +"default" : "0", +"order": 1 +} +all_opt["privlvl"] = { +"getopt" : "P:", +"longopt" : "privlvl", +"help" : "-P, --privlvl=[level] Privilege level on IPMI device (callback|user|operator|administrator)", +"required" : "
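Review bot: In create_command() only --username and --password go through quote(); --ipmitool-path, --ip, --auth, --cipher, --ipport and --privlvl are concatenated as they are, and the result is then re-tokenised by shlex.split(cmd), so a value containing whitespace becomes additional ipmitool arguments. Building the argument list directly and passing it to subprocess.Popen removes both the quoting and the re-splitting. Related: the password is passed with -P, which places it in the process list and, when options["log"] >= LOG_MODE_VERBOSE, in the "executing: " line written to debug_fh; ipmitool can read it from the environment (-E) or a file (-f) instead. Finally, get_power_status() and reboot_cycle() call process.wait() before process.communicate() with both streams piped, which can block once the child fills a pipe; calling communicate() alone is enough.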
[Cluster-devel] [PATCH 2/2] fence_amt: new fence agent for Intel AMT
New fence agent for Intel AMT. --- fence/agents/amt/fence_amt.py | 161 ++ 1 file changed, 161 insertions(+) create mode 100755 fence/agents/amt/fence_amt.py diff --git a/fence/agents/amt/fence_amt.py b/fence/agents/amt/fence_amt.py new file mode 100755 index 000..6f00727 --- /dev/null +++ b/fence/agents/amt/fence_amt.py 
@@ -0,0 +1,161 @@ +#!/usr/bin/python + +import sys, subprocess, re, os, stat +from pipes import quote +sys.path.append("@FENCEAGENTSLIBDIR@") +from fencing import * + +#BEGIN_VERSION_GENERATION +RELEASE_VERSION="Fence agent for Intel AMT" +REDHAT_COPYRIGHT="" +BUILD_DATE="" +#END_VERSION_GENERATION + +def get_power_status(_, options): + +cmd = create_command(options, "status") + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +try: +process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) +except OSError: +fail_usage("Amttool not found or not accessible") + +process.wait() + +output = process.communicate() +process.stdout.close() + +match = re.search('Powerstate:[\\s]*(..)', str(output)) +status = match.group(1) if match else None + +if (status == None): +return "fail" +elif (status == "S0"): # SO = on; S3 = sleep; S5 = off +return "on" +else: +return "off" + +def set_power_status(_, options): + +cmd = create_command(options, options["--action"]) + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +null = open('/dev/null', 'w') +try: +process = subprocess.Popen(cmd, stdout=null, stderr=null, shell=True) +except OSError: +null.close() +fail_usage("Amttool not found or not accessible") + +process.wait() +null.close() + +return + +def reboot_cycle(_, options): +cmd = create_command(options, "cycle") + +if options["log"] >= LOG_MODE_VERBOSE: +options["debug_fh"].write("executing: " + cmd + "\n") + +null = open('/dev/null', 'w') +try: +process = subprocess.Popen(cmd, stdout=null, stderr=null, shell=True) +except OSError: +null.close() +fail_usage("Amttool not found or not accessible") + +status = process.wait() +null.close() + +return not bool(status) + +def is_executable(path): +if os.path.exists(path): +stats = os.stat(path) +if stat.S_ISREG(stats.st_mode) and os.access(path, os.X_OK): +return True +return False + +def 
create_command(options, action): + +# --password / -p +cmd = "AMT_PASSWORD=" + quote(options["--password"]) + +cmd += " " + options["--amttool-path"] + +# --ip / -a +cmd += " " + options["--ip"] + +# --action / -o +if action == "status": +cmd += " info" +elif action == "on": +cmd = "echo \"y\"|" + cmd +cmd += " powerup" +elif action == "off": +cmd = "echo \"y\"|" + cmd +cmd += " powerdown" +elif action == "cycle": +cmd = "echo \"y\"|" + cmd +cmd += " powercycle" +if action in ["on", "off", "cycle"] and options.has_key("--boot-option"): +cmd += options["--boot-option"] + +# --use-sudo / -d +if options.has_key("--use-sudo"): +cmd = SUDO_PATH + " " + cmd + +return cmd + +def define_new_opts(): +all_opt["boot_option"] = { +"getopt" : "b:", +"longopt" : "boot-option", +"help" : "-b, --boot-option=[option] Change the default boot behavior of the machine. (pxe|hd|hdsafe|cd|diag)", +"required" : "0", +"shortdesc" : "Change the default boot behavior of the machine.", +"choices" : ["pxe", "hd", "hdsafe", "cd", "diag"], +"order" : 1 +} +all_opt["amttool_path"] = { +"getopt" : "i:", +"longopt" : "amttool-path", +"help" : "--amttool-path=[path] Path to amttool binary", +"required" : "0", +"shortdesc" : "Path to amttool binary", +"default" : "@AMTTOOL_PATH@", +"order": 200 +} + +def main(): + +atexit.register(atexit_handler) + +device_opt = [ "ipaddr", "no_login", "passwd", "boot_option", "no_port", + "sudo", "amttool_path", "method" ] + +define_new_opts() + +options = check_input(device_opt, process_input(device_opt)) + +docs = { } +docs["shortdesc"] = "Fence agent for AMT" +docs["longdesc"] = "Fence agent for AMT" +docs["vendorurl"] = "http://www.intel.com/"; +show_docs(options, docs) + +if not is_executable(options["--amttool-path"]): +fail_usage("Amttool not found or not accessible") + +result = fence_action(None, options, set_power_status, get_power_status, None, reboot_cycle) + +sys.exit(result) + +if __name__ == "__main__": +main() -- 1.8.3.1
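Review bot: All three Popen calls use shell=True on a string in which only the password is passed through quote(); options["--ip"] and options["--amttool-path"] are concatenated unquoted in create_command(), so shell metacharacters in either are interpreted by the shell. Please drop shell=True: pass an argument list, hand AMT_PASSWORD over through the env= parameter and write the "y" confirmation to the child's stdin, which also keeps the password out of the "executing: " debug line. Two further points in create_command(): cmd += options["--boot-option"] has no leading space, so the result is e.g. "powercyclepxe"; and for on/off/cycle the sudo prefix is added after the echo "y"| prefix, so SUDO_PATH ends up in front of echo and amttool itself runs without it.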
Re: [Cluster-devel] [PATCH 12/18] ocfs2: use generic posix ACL infrastructure
On Tue, Dec 03, 2013 at 12:00:07AM +0100, Jan Kara wrote:
> Hum, this changes the cluster locking. Previously ocfs2_acl_get() used
> from ocfs2_acl_chmod() grabbed cluster wide inode lock. Now getting of ACL
> isn't protected by the inode lock. That being said the cluster locking
> around setattr looks fishy anyway - if two processes on different
> nodes are changing attributes of the same file, changing ACLs post fact
> after dropping inode lock could cause interesting effects. Also I'm
> wondering how inode_change_ok() can ever be safe without holding inode
> lock... Until we grab that other node is free to change e.g. owner of the
> inode thus leading even to security implications. But maybe I'm missing
> something. Mark, Joel?

Hmm, indeed. How does ocfs2_iop_get_acl get away without that lock?

Btw, ocfs2 changes will need careful testing as I couldn't find any easy way to run xfstests on ocfs2 out of the box.