- No parameters may be passed
- No absolute or relative path may be passed, only a filename
-- Executable must reside in ``/etc/ganeti/remote-commands``, which must
+- Executable must reside in ``/etc/ganeti/restricted-commands``, which must
be owned by root:root and have mode 0755 or stricter
- Must be regular files or symlinks
- Must be executable by root:root
released with a delay of several seconds, after which the generic error
message will be returned to the caller.
-At first, remote commands will not be made available through the
+At first, restricted commands will not be made available through the
:doc:`remote API <rapi>`, though that could be done at a later point
(with a separate password).
#
#
-# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Google Inc.
+# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
_MASTER_START = "start"
_MASTER_STOP = "stop"
-#: Maximum file permissions for remote command directory and executables
+#: Maximum file permissions for restricted command directory and executables
_RCMD_MAX_MODE = (stat.S_IRWXU |
stat.S_IRGRP | stat.S_IXGRP |
stat.S_IROTH | stat.S_IXOTH)
-#: Delay before returning an error for remote commands
+#: Delay before returning an error for restricted commands
_RCMD_INVALID_DELAY = 10
-#: How long to wait to acquire lock for remote commands (shorter than
+#: How long to wait to acquire lock for restricted commands (shorter than
#: L{_RCMD_INVALID_DELAY}) to reduce blockage of noded forks when many
#: command requests arrive
_RCMD_LOCK_TIMEOUT = _RCMD_INVALID_DELAY * 0.8
def _VerifyRestrictedCmdName(cmd):
- """Verifies a remote command name.
+ """Verifies a restricted command name.
@type cmd: string
@param cmd: Command name
def _CommonRestrictedCmdCheck(path, owner):
- """Common checks for remote command file system directories and files.
+ """Common checks for restricted command file system directories and files.
@type path: string
@param path: Path to check
def _VerifyRestrictedCmdDirectory(path, _owner=None):
- """Verifies remote command directory.
+ """Verifies restricted command directory.
@type path: string
@param path: Path to check
def _VerifyRestrictedCmd(path, cmd, _owner=None):
- """Verifies a whole remote command and returns its executable filename.
+ """Verifies a whole restricted command and returns its executable filename.
@type path: string
- @param path: Directory containing remote commands
+ @param path: Directory containing restricted commands
@type cmd: string
@param cmd: Command name
@rtype: tuple; (boolean, string)
_verify_dir=_VerifyRestrictedCmdDirectory,
_verify_name=_VerifyRestrictedCmdName,
_verify_cmd=_VerifyRestrictedCmd):
- """Performs a number of tests on a remote command.
+ """Performs a number of tests on a restricted command.
@type path: string
- @param path: Directory containing remote commands
+ @param path: Directory containing restricted commands
@type cmd: string
@param cmd: Command name
@return: Same as L{_VerifyRestrictedCmd}
_prepare_fn=_PrepareRestrictedCmd,
_runcmd_fn=utils.RunCmd,
_enabled=constants.ENABLE_RESTRICTED_COMMANDS):
- """Executes a remote command after performing strict tests.
+ """Executes a restricted command after performing strict tests.
@type cmd: string
@param cmd: Command name
@raise RPCFail: In case of an error
"""
- logging.info("Preparing to run remote command '%s'", cmd)
+ logging.info("Preparing to run restricted command '%s'", cmd)
if not _enabled:
- _Fail("Remote commands disabled at configure time")
+ _Fail("Restricted commands disabled at configure time")
lock = None
try:
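Review bot: The `logging.info` call at the top of the body writes the caller-supplied `cmd` to the node log before anything in this function has checked it, so a name containing newlines or control characters reaches the log unescaped; `logging.info("Preparing to run restricted command %r", cmd)` would keep each entry on one line. The renamed message text also means any log search or alert keyed on "Preparing to run remote command" stops matching after this change, which is worth a line in the upgrade notes. The function's signature starts above this hunk and the `try:` body continues below it, so the name verification itself is not visible here.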
# Do not include original error message in returned error
_Fail("Executing command '%s' failed" % cmd)
elif cmdresult.failed or cmdresult.fail_reason:
- _Fail("Remote command '%s' failed: %s; output: %s",
+ _Fail("Restricted command '%s' failed: %s; output: %s",
cmd, cmdresult.fail_reason, cmdresult.output)
else:
return cmdresult.output
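Review bot: The two failure branches here disclose different amounts to the RPC caller, and only the first one says so: the branch under `# Do not include original error message in returned error` returns a generic string, while the renamed `_Fail("Restricted command '%s' failed: %s; output: %s", ...)` returns `cmdresult.fail_reason` and the full `cmdresult.output`. The test asserting that stderr text appears in the error suggests this is intended, so a comment on the `elif` branch would make it explicit, e.g. `# Command passed verification and was run; its output is returned to the caller on purpose`. Scripts placed in the restricted-commands directory should then be written on the assumption that whatever they print on failure reaches the caller. The conditions leading into these branches start outside the hunk.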
#!/usr/bin/python
#
-# Copyright (C) 2010 Google Inc.
+# Copyright (C) 2010, 2013 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
_sleep_fn=sleep_fn, _prepare_fn=prepare_fn,
_enabled=True)
except backend.RPCFail, err:
- self.assertTrue(str(err).startswith("Remote command 'test3079' failed:"))
+ self.assertTrue(str(err).startswith("Restricted command 'test3079'"
+ " failed:"))
self.assertTrue("stderr406328567" in str(err),
msg="Error did not include output")
else:
_runcmd_fn=NotImplemented,
_enabled=False)
except backend.RPCFail, err:
- self.assertEqual(str(err), "Remote commands disabled at configure time")
+ self.assertEqual(str(err),
+ "Restricted commands disabled at configure time")
else:
self.fail("Did not raise exception")