Run hb_report under hacluster #742
Conversation
Seems good to me, but I'm not familiar with the crmsh codebase.
@liangxin1300 Added some comments about the code.
About the purpose of the changes, I cannot really judge without knowing what the consequences of changing the hacluster user's bash option are.
crmsh/bootstrap.py
Outdated
private_key = "{}/.ssh/id_rsa".format(home_dir) | ||
public_key = "{}/.ssh/id_rsa.pub".format(home_dir) | ||
authorized_file = "{}/.ssh/authorized_keys".format(home_dir) | ||
return private_key, public_key, authorized_file |
I wouldn't return a 3-element list here. This is a potential issue if for some reason you check the return data, as you will need to change all the places where the method is used.
Better to return a dictionary or a specific object, so you can use just the needed elements.
Yep, valid point.
Thanks @arbulu89 , already changed!
crmsh/bootstrap.py
Outdated
@@ -1134,22 +1133,59 @@ def init_ssh(): | |||
Configure passwordless SSH. | |||
""" | |||
utils.start_service("sshd.service", enable=True) | |||
configure_local_ssh_key() | |||
for user in ["root", "hacluster"]: |
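Review bot: the loop `for user in ["root", "hacluster"]:` generates keys for hacluster with no visible check that the account exists on this node or that its login shell will let the `su`-wrapped commands used later in this PR run; if `init_ssh()` is reached before the login-shell change the PR describes, or on a node without the account, the failure surfaces from inside ssh-keygen rather than as a clear message. Suggest resolving each user with `pwd.getpwnam(user)` before the loop and, as already noted in review, moving the list into a module constant.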
This `["root", "hacluster"]` list looks like something that should go in a constant, as it is repeated later.
Changed
crmsh/bootstrap.py
Outdated
if not os.path.exists(private_key): | ||
status("Generating SSH key for {}".format(user)) | ||
cmd = "ssh-keygen -q -f {} -C 'Cluster Internal on {}' -N ''".format(private_key, utils.this_node()) | ||
if user != "root": |
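Review bot: `utils.this_node()` is interpolated into the single-quoted `-C` comment of a shell command string, so a value containing a quote or shell metacharacter breaks the command, and once `utils.add_su(cmd, user)` wraps it for the non-root user the string is parsed by a second shell. Prefer building an argv list and quoting with `shlex.quote` at the point where the `su -c` string is formed. Also, `-N ''` produces an unencrypted private key; for the non-root user the generated `~/.ssh` directory and key must end up owned by that user with 0700/0600 permissions, otherwise ssh refuses to use the unprotected key file.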
Maybe adding the next code in a method is a good idea:

```python
if user != "root":
    cmd = utils.add_su(cmd, user)
```

It is reused in different places.
Already put it into the `add_su` function.
It generally looks good to me. Thanks for the nice work, @liangxin1300!
Only one nitpick.
Probably it could be a further improvement. To make it as friendly as possible, given that there's an existing cluster, it'd be great to only require running such an
Also to make it as easy as possible for users, I'm thinking probably
Good suggestion! Thanks @gao-yan
I agree that will be more convenient for this whole issue.
Technically, no :-) As we can see, the "breaking" changes of hawk will bring users much inconvenience, requiring them to re-run the ssh stage. I was thinking combining this into the ssh stage would make their lives a bit easier :-) But of course, we could either add this step also into the update note / TID ...
@arbulu89, what do you think about this?
@gao-yan After estimating, I think this change might be big, might break compatibility and could bring regressions.
@liangxin1300 I see the code changes as correct. But I'm talking about the python code itself.
As commented, I don't have that much context about the change, so I would wait for @gao-yan's approval to move forward.
crmsh/bootstrap.py
Outdated
return re.search("{}:.*:/sbin/nologin".format(user), f.read()) | ||
def configure_local_ssh_key(user="root"): |
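Review bot: the check `re.search("{}:.*:/sbin/nologin".format(user), f.read())` is unanchored and does not escape `user`, so for `hacluster` it also matches a passwd line for an unrelated account such as `xhacluster`, and it only recognises the literal `:/sbin/nologin`, so an account whose shell is `/usr/sbin/nologin` is reported as having a usable shell. Suggest comparing `pwd.getpwnam(user).pw_shell` against a set of nologin shells, or at least anchoring the pattern with `^` under `re.M`, using `re.escape(user)` and accepting `(?:/usr)?/sbin/nologin`.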
I think this `configure_local_ssh_key` method has become too big and complex.
We could split the logic into different submethods.
Thanks @arbulu89
I moved the change-shell code into the `change_user_shell` function, and I will adjust the UT code later.
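The login-shell check quoted above is the kind of thing that is easy to get subtly wrong. As an added example (not crmsh code), the following puts an unanchored regex check next to two exact-field checks and runs them over constructed passwd-format text; `SAMPLE_A`, `SAMPLE_B` and the helper names are assumptions for this illustration, and the account names and paths are made up.

```python
import pwd
import re

# Constructed passwd-format samples (not copied from any host). In SAMPLE_A the
# hacluster account has a real shell but an unrelated user 'xhacluster' has
# nologin; in SAMPLE_B hacluster's shell is /usr/sbin/nologin.
SAMPLE_A = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "xhacluster:x:1001:1001::/home/xhacluster:/sbin/nologin\n"
    "hacluster:x:90:90:heartbeat processes:/var/lib/heartbeat/cores/hacluster:/bin/bash\n"
)
SAMPLE_B = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "hacluster:x:90:90:heartbeat processes:/var/lib/heartbeat/cores/hacluster:/usr/sbin/nologin\n"
)

# Shells that deny both interactive login and remote command execution.
NOLOGIN_SHELLS = frozenset({"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"})


def shell_is_nologin_naive(user, passwd_text):
    """Unanchored search in the style of the quoted snippet.

    'hacluster:' also matches inside 'xhacluster:', and only the literal
    ':/sbin/nologin' is recognised, so /usr/sbin/nologin is missed.
    """
    return re.search("{}:.*:/sbin/nologin".format(user), passwd_text) is not None


def login_shell(user, passwd_text):
    """Return the login shell of `user` from passwd-format text, or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def shell_is_nologin(user, passwd_text):
    """Exact-field check: True only when the user exists and its shell denies login."""
    return login_shell(user, passwd_text) in NOLOGIN_SHELLS


def shell_is_nologin_regex(user, passwd_text):
    """Anchored, escaped regex equivalent for code that wants to keep re.search.

    After the user name there are exactly five ':'-terminated fields before
    the shell, and both /sbin/nologin and /usr/sbin/nologin are accepted.
    """
    pattern = r"^{}:(?:[^:]*:){{5}}(?:/usr)?/sbin/nologin$".format(re.escape(user))
    return re.search(pattern, passwd_text, re.M) is not None


def shell_is_nologin_live(user):
    """Same check against the running system's account database (no file parsing)."""
    try:
        return pwd.getpwnam(user).pw_shell in NOLOGIN_SHELLS
    except KeyError:
        return False
```

On a live node `shell_is_nologin_live` is the simplest form, since `pwd.getpwnam` reads the same account database that `su` and `sshd` consult, including NSS sources that are not in `/etc/passwd` at all.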
, bsc#1179999; CVE-2021-3020, bsc#1180571)
Loop #1033 here
Problem

It didn't work to run `hb_report` or `crm cluster copy` as the hacluster user, which is required by Hawk.

Solution

- Change the functions `bootstrap.configure_local_ssh_key` and `bootstrap.swap_public_ssh_key` to accept a non-root user parameter; that is, for a common user, the bootstrap process also sets up password-less SSH among cluster nodes.
- Assign `/usr/bin/sh` as hacluster's login shell; otherwise it's impossible to run commands remotely.
- In interactive mode, the behavior of changing hacluster's login shell and setting up SSH access will be asked for confirmation.
- For a runtime existing cluster, the `ssh` stage needs to be used to set up password-less access for hacluster:

  ```
  crm cluster init ssh -y
  crm cluster join ssh -c <init node> -y
  ```

- For a runtime existing cluster, `/etc/corosync/corosync.conf` and `/etc/sysconfig/sbd` might have mode 400, which will cause `Permission denied` exceptions when running hb_report under hacluster. "Dev: utils: change default file mod as 644 for str2file function" #747 tries to resolve this, but it does not work for a runtime existing cluster; to avoid that, before running hb_report under hacluster:

  ```
  chmod 644 /etc/corosync/corosync.conf
  chmod 644 /etc/sysconfig/sbd
  ```

Test rpm link: https://build.opensuse.org/package/show/home:XinLiang:branches:crmsh_testing7/crmsh
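As an added example, not crmsh's own code, here is one way to structure the per-user password-less SSH setup described in this PR: key paths returned as a dictionary (as suggested in review), the `ssh-keygen` command built as an argv list and wrapped in `su` with proper quoting for the non-root user, and an idempotent `authorized_keys` update that leaves `~/.ssh` with the permissions sshd requires. `SSH_USERS`, `ssh_key_paths`, `keygen_argv`, `as_user`, `ensure_authorized_key` and `demo` are names assumed for this illustration (`as_user` is a stand-in for the PR's `utils.add_su`, not that function), and `SAMPLE_PUBKEY` is a constructed placeholder, not a real key.

```python
import os
import shlex
import stat
import tempfile

# Users the bootstrap sets up password-less SSH for (from the PR description).
SSH_USERS = ("root", "hacluster")

# Constructed placeholder public key line; not a real key.
SAMPLE_PUBKEY = "ssh-rsa AAAAEXAMPLEKEYNOTREAL Cluster Internal on node1"


def ssh_key_paths(home_dir):
    """Per-user key locations as a dict, so callers pick fields by name."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    return {
        "dir": ssh_dir,
        "private": os.path.join(ssh_dir, "id_rsa"),
        "public": os.path.join(ssh_dir, "id_rsa.pub"),
        "authorized": os.path.join(ssh_dir, "authorized_keys"),
    }


def keygen_argv(private_key, node):
    """ssh-keygen argv for an unencrypted cluster-internal key, as the PR does.

    Passing the comment as its own argv element means a node name with a
    quote or space can never break out of the command.
    """
    return ["ssh-keygen", "-q", "-f", private_key,
            "-C", "Cluster Internal on {}".format(node), "-N", ""]


def as_user(argv, user):
    """Wrap argv in `su` when the target user is not root.

    shlex.join quotes every argument, so the string handed to `su -c` is
    re-parsed safely by the user's login shell. That shell must allow
    execution: with /sbin/nologin as the shell, su fails, which is why the
    PR changes hacluster's login shell.
    """
    if user == "root":
        return list(argv)
    return ["su", user, "-c", shlex.join(argv)]


def ensure_authorized_key(paths, pubkey_line, uid=-1, gid=-1):
    """Append pubkey_line to authorized_keys once; returns True if it was added.

    sshd with StrictModes rejects keys in a group- or world-writable ~/.ssh
    or authorized_keys, so the directory is forced to 0700 and the file to
    0600, and both are chowned to the target user when uid/gid are given.
    """
    key = pubkey_line.strip()
    os.makedirs(paths["dir"], mode=0o700, exist_ok=True)
    os.chmod(paths["dir"], 0o700)
    existing = []
    if os.path.exists(paths["authorized"]):
        with open(paths["authorized"]) as f:
            existing = [line.strip() for line in f if line.strip()]
    added = key not in existing
    if added:
        with open(paths["authorized"], "a") as f:
            f.write(key + "\n")
    os.chmod(paths["authorized"], 0o600)
    if uid != -1 or gid != -1:
        os.chown(paths["dir"], uid, gid)
        os.chown(paths["authorized"], uid, gid)
    return added


def demo():
    """Run the authorized_keys flow in a throw-away home directory.

    Returns (added_first_time, added_second_time, dir_mode, file_mode, key_count).
    """
    with tempfile.TemporaryDirectory() as home:
        paths = ssh_key_paths(home)
        first = ensure_authorized_key(paths, SAMPLE_PUBKEY)
        second = ensure_authorized_key(paths, SAMPLE_PUBKEY)  # idempotent
        dir_mode = stat.S_IMODE(os.stat(paths["dir"]).st_mode)
        file_mode = stat.S_IMODE(os.stat(paths["authorized"]).st_mode)
        with open(paths["authorized"]) as f:
            count = sum(1 for line in f if line.strip())
    return first, second, dir_mode, file_mode, count


if __name__ == "__main__":
    print(demo())
    print(as_user(keygen_argv("/var/lib/heartbeat/cores/hacluster/.ssh/id_rsa", "node1"), "hacluster"))
```

On a real node the home directory would come from `pwd.getpwnam(user).pw_dir` rather than a hard-coded path, and the `su`-wrapped `ssh-keygen` would be run with `subprocess.run(argv, check=True)` so that the key and `~/.ssh` are created owned by that user from the start.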