Extend the functionality of ssh_pre_flight with ssh_pre_flight_args #61715
This will require a changelog and tests. One test I was hoping to add in addition to just ensuring the functionality works, was to ensure someone cannot pass shell injections when using ssh_pre_flight_args. For example piping another command or using ; to then run a different command.
Prevent shell injection via preflight script args
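The kind of check the review comment asks for, as an added example that is not code from this PR or from Salt: it builds the pre-flight command line with and without quoting and runs both under /bin/sh against a harmless stand-in script. The names `build_unquoted`, `build_quoted`, `seen_by_script`, `args_intact` and the `preflight` stub are hypothetical, and the use of `shlex.quote` is an assumption about one way to quote, not a statement of how the fix was implemented.

```python
import shlex
import subprocess

# Stand-in for the pre-flight script (hypothetical): a shell function that
# prints each argument it receives in brackets, one per line.
STUB = 'preflight() { for a in "$@"; do printf "[%s]\\n" "$a"; done; }; '

# Constructed roster values. BENIGN includes a non-string and a value with a
# space; HOSTILE covers the ";" and pipe cases named in the review comment.
BENIGN = ["web01", 8080, "two words"]
HOSTILE = ["web01; echo INJECTED", "web01 | echo PIPED"]


def build_unquoted(script, args):
    """Weak form: arguments are pasted into the command line verbatim."""
    return " ".join([script] + [str(a) for a in args])


def build_quoted(script, args):
    """Hardened form: each argument is stringified and quoted as one word."""
    return " ".join(shlex.quote(str(p)) for p in [script, *args])


def seen_by_script(cmd):
    """Run cmd under /bin/sh and return the lines written to stdout."""
    proc = subprocess.run(["/bin/sh", "-c", STUB + cmd],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def args_intact(builder, args):
    """True only if the script got exactly args and nothing else printed."""
    expected = ["[%s]" % a for a in args]
    return seen_by_script(builder("preflight", args)) == expected


if __name__ == "__main__":
    for args in (BENIGN, *[[h] for h in HOSTILE]):
        for builder in (build_unquoted, build_quoted):
            cmd = builder("preflight", args)
            print(f"{builder.__name__:15} intact={args_intact(builder, args)!s:5} {cmd}")
```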
@Ch3LL there was a change from @meaksh with the injection prevention fix and additionally different types of tests for it as well as changelog entry. The only point left is the documentation for the new roster parameter. Could you please give a hint where the documentation regarding the roster file parameters should be appended?
doc/topics/ssh/roster.rst
I just want to get another review on this one. Ping @dwoz can you review please?
There are some test failures on windows that are related to this fix
* Add salt-ssh support with venv-salt-minion
* Add some comments and drop the commented line
* Fix return in check_venv_hash_file
* Convert all script parameters to strings
* Reduce the size of minion response
  Minion response contains SSH_PY_CODE wrapped to base64. This fix reduces the size of the response in DEBUG logging
* Make VENV_HASH_FILE global
* Pass the context to roster modules
* Avoid race condition on loading roster modules
* Prevent simultaneous to salt-ssh minion
* Make ssh session grace time configurable
* Prevent possible segfault by GC
* Revert "Avoid race condition on loading roster modules"
  This reverts commit 8ff822a162cc494d3528184aef983ad20e09f4e2.
* Prevent deadlocks with importlib on using LazyLoader
* Make logging on salt-ssh errors more informative
* Add comments about using salt.loader.LOAD_LOCK
* Fix test_loader test
* Prevent deadlocks on using logging
* Use collections.deque instead of list for salt-ssh
  Suggested by @agraul
* Get proper exitstatus from salt.utils.vt.Terminal to prevent empty event returns due to improperly detecting the child process as failed
* Do not run pre flight script for raw_shell

BACKPORT-UPSTREAM=saltstack#61715
DOWNSTREAM-REF=openSUSE/salt#493
DOWNSTREAM-REF=openSUSE/salt#497
What does this PR do?
What issues does this PR fix or reference?
Make it possible to pass extra parameters to salt-ssh pre flight script with ssh_pre_flight_args from the roster.
Previous Behavior
No way to pass any parameters to pre flight script.
New Behavior
Pre flight script can be executed with extra arguments specified in ssh_pre_flight_args
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
Yes/No