Run hb_report under hacluster #742
Conversation
liangxin1300
force-pushed
the
20210205_hb_report
branch
3 times, most recently
from
3ce64f9
to
6e5b30e
Compare
liangxin1300
force-pushed
the
20210205_hb_report
branch
from
1e7f618
to
4666e31
Compare
liangxin1300
force-pushed
the
20210205_hb_report
branch
from
4666e31
to
c967970
Compare
There was a problem hiding this comment.
@liangxin1300 Added some comments about the code.
About the purpose of the changes, I cannot really judge without knowing what are the consequences of changing the hacluster user bash option
crmsh/bootstrap.py
Outdated
| private_key = "{}/.ssh/id_rsa".format(home_dir) | ||
| public_key = "{}/.ssh/id_rsa.pub".format(home_dir) | ||
| authorized_file = "{}/.ssh/authorized_keys".format(home_dir) | ||
| return private_key, public_key, authorized_file |
There was a problem hiding this comment.
I wouldn't return a 3 elements list here. This is a potential issue if for some reason you check the return data, as you will need to change all the places where the method is used.
Better to return a dictionary or specific object, so you can use just the needed elements
There was a problem hiding this comment.
Thanks @arbulu89 , already changed!
crmsh/bootstrap.py
Outdated
| @@ -1134,22 +1133,59 @@ def init_ssh(): | |||
| Configure passwordless SSH. | |||
| """ | |||
| utils.start_service("sshd.service", enable=True) | |||
| configure_local_ssh_key() | |||
| for user in ["root", "hacluster"]: | |||
There was a problem hiding this comment.
This ["root", "hacluster"] list looks something that should go in a constant, as it is repeated later
crmsh/bootstrap.py
Outdated
| if not os.path.exists(private_key): | ||
| status("Generating SSH key for {}".format(user)) | ||
| cmd = "ssh-keygen -q -f {} -C 'Cluster Internal on {}' -N ''".format(private_key, utils.this_node()) | ||
| if user != "root": |
There was a problem hiding this comment.
Maybe adding the next code in a method is a good idea:
if user != "root":
cmd = utils.add_su(cmd, user)
It is reused in different places
There was a problem hiding this comment.
Already put it into add_su function
liangxin1300
force-pushed
the
20210205_hb_report
branch
2 times, most recently
from
c5acd09
to
01e3bbc
Compare
There was a problem hiding this comment.
It generally looks good to me. Thanks for the nice work, @liangxin1300!
Only one nitpick.
Probably it could be a further improvement. To make it as friendly as possible, given that there's an existing cluster, it'd be great to only require running such an
Also to make it as easy as possible for users, I'm thinking probably |
Good suggestion! Thanks @gao-yan
I agree that will be more convenient for this whole issue. |
liangxin1300
force-pushed
the
20210205_hb_report
branch
from
7e96d03
to
3804c75
Compare
Technically, no :-) As we can see, the "breaking" changes of hawk will bring users much inconvenience requiring them to re-run ssh stage. I was thinking combing this into ssh stage would make their lives a bit easier :-) But of course, we could either add this step also into update note / TID ... |
@arbulu89 , How do you think about this? |
@gao-yan After estimating, I think this change might be big and might break compatibility and bring regression. |
There was a problem hiding this comment.
@liangxin1300
I see correct the code changes. But I'm talking about python code itself.
As commented, I don't have that much context about the change, so I would wait until @gao-yan approval to move forward
crmsh/bootstrap.py
Outdated
| return re.search("{}:.*:/sbin/nologin".format(user), f.read()) | ||
|
|
||
|
|
||
| def configure_local_ssh_key(user="root"): |
There was a problem hiding this comment.
I think this configure_local_ssh_key method has become too big and complex.
We could split the logic in different submethods
There was a problem hiding this comment.
Thanks @arbulu89
I moved the change shell codes into change_user_shell function
And I will adjust UT codes later
, bsc#1179999; CVE-2021-3020, bsc#1180571)
liangxin1300
force-pushed
the
20210205_hb_report
branch
from
ef4f3c1
to
52c0352
Compare
liangxin1300
force-pushed
the
20210205_hb_report
branch
from
52c0352
to
7f6f8d5
Compare
|
Loop #1033 here |
Problem
It didn't work if run hb_report or crm cluster copy under hacluster user, which was required from Hawk
Solution
Change function
bootstrap.configure_local_ssh_keyandbootstrap.swap_public_ssh_keyto accept non-root user parameter; That is, for common user, bootstrap process also setup password-less among cluster nodesAssign
/usr/bin/shto hacluster's login shell, otherwise, it's impossible to run command remotelyOn interactive mode, behavior about changing hacluster's login shell and setup ssh access will be asked for confirm
For
runtimeexisting cluster, need to usesshstage to setup password-less access for haclustercrm cluster init ssh -ycrm cluster join ssh -c <init node> -yFor
runtimeexisting cluster,/etc/corosync/corosync.confand/etc/sysconfig/sbdmight has 400 mod, which will causePermission deniedexceptions when running hb_report under hacluster, Dev: utils: change default file mod as 644 for str2file function #747 try to resolve this, but not works forruntimeexisting cluster, to avoid that, before running hb_report under hacluster:chmod 644 /etc/corosync/corosync.confchmod 644 /etc/sysconfig/sbdTest rpm link: https://build.opensuse.org/package/show/home:XinLiang:branches:crmsh_testing7/crmsh