From 45bc463555d1bc3440b0faa72d742f47a515b48e Mon Sep 17 00:00:00 2001 From: Iustin Pop Date: Fri, 8 Feb 2013 14:42:36 +0100 Subject: [PATCH] =?utf8?q?Finish=20the=20remote=E2=86=92restricted=20command?= =?utf8?q?s=20rename?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The documentation still points to /etc/ganeti/remote-commands, although the code is already using restricted-command. Update the documentation and a few docstrings accordingly. Signed-off-by: Iustin Pop Reviewed-by: Guido Trotter --- Makefile.am | 2 +- doc/design-2.7.rst | 2 +- ...commands.rst => design-restricted-commands.rst} | 4 +-- doc/index.rst | 2 +- lib/backend.py | 30 ++++++++++---------- test/py/ganeti.backend_unittest.py | 8 ++++-- 6 files changed, 25 insertions(+), 23 deletions(-) rename doc/{design-remote-commands.rst => design-restricted-commands.rst} (93%) diff --git a/Makefile.am b/Makefile.am index 996feff..e0f3e89 100644 --- a/Makefile.am +++ b/Makefile.am @@ -395,8 +395,8 @@ docinput = \ doc/design-partitioned.rst \ doc/design-query-splitting.rst \ doc/design-query2.rst \ - doc/design-remote-commands.rst \ doc/design-resource-model.rst \ + doc/design-restricted-commands.rst \ doc/design-shared-storage.rst \ doc/design-monitoring-agent.rst \ doc/design-virtual-clusters.rst \ diff --git a/doc/design-2.7.rst b/doc/design-2.7.rst index 848159e..1c27e24 100644 --- a/doc/design-2.7.rst +++ b/doc/design-2.7.rst @@ -6,7 +6,7 @@ The following design documents have been implemented in Ganeti 2.7: - :doc:`design-bulk-create` - :doc:`design-opportunistic-locking` -- :doc:`design-remote-commands` +- :doc:`design-restricted-commands` - :doc:`design-node-add` - :doc:`design-virtual-clusters` - :doc:`design-network` diff --git a/doc/design-remote-commands.rst b/doc/design-restricted-commands.rst similarity index 93% rename from doc/design-remote-commands.rst rename to doc/design-restricted-commands.rst index 27524ff..167c816 100644 --- a/doc/design-remote-commands.rst +++ b/doc/design-restricted-commands.rst @@ -28,7 +28,7 @@ be taken: - No parameters may be passed - No absolute or relative path may be passed, only a filename -- Executable must reside in ``/etc/ganeti/remote-commands``, which must +- Executable must reside in ``/etc/ganeti/restricted-commands``, which must be owned by root:root and have mode 0755 or stricter - Must be regular files or symlinks - Must be executable by root:root @@ -46,7 +46,7 @@ If a command can not be executed for some reason, the lock is only released with a delay of several seconds, after which the generic error message will be returned to the caller. -At first, remote commands will not be made available through the +At first, restricted commands will not be made available through the :doc:`remote API `, though that could be done at a later point (with a separate password). diff --git a/doc/index.rst b/doc/index.rst index 87bd2a1..c6963b0 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -51,7 +51,7 @@ Contents: design-opportunistic-locking.rst design-ovf-support.rst design-query2.rst - design-remote-commands.rst + design-restricted-commands.rst design-shared-storage.rst design-virtual-clusters.rst design-network.rst diff --git a/lib/backend.py b/lib/backend.py index b7dd2ab..cf28d4f 100644 --- a/lib/backend.py +++ b/lib/backend.py @@ -1,7 +1,7 @@ # # -# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Google Inc. +# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Google Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -88,15 +88,15 @@ _LVSLINE_REGEX = re.compile("^ *([^|]+)\|([^|]+)\|([0-9.]+)\|([^|]{6,})\|?$") _MASTER_START = "start" _MASTER_STOP = "stop" -#: Maximum file permissions for remote command directory and executables +#: Maximum file permissions for restricted command directory and executables _RCMD_MAX_MODE = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) -#: Delay before returning an error for remote commands +#: Delay before returning an error for restricted commands _RCMD_INVALID_DELAY = 10 -#: How long to wait to acquire lock for remote commands (shorter than +#: How long to wait to acquire lock for restricted commands (shorter than #: L{_RCMD_INVALID_DELAY}) to reduce blockage of noded forks when many #: command requests arrive _RCMD_LOCK_TIMEOUT = _RCMD_INVALID_DELAY * 0.8 @@ -3672,7 +3672,7 @@ def PowercycleNode(hypervisor_type): def _VerifyRestrictedCmdName(cmd): - """Verifies a remote command name. + """Verifies a restricted command name. @type cmd: string @param cmd: Command name @@ -3694,7 +3694,7 @@ def _VerifyRestrictedCmdName(cmd): def _CommonRestrictedCmdCheck(path, owner): - """Common checks for remote command file system directories and files. + """Common checks for restricted command file system directories and files. @type path: string @param path: Path to check @@ -3724,7 +3724,7 @@ def _CommonRestrictedCmdCheck(path, owner): def _VerifyRestrictedCmdDirectory(path, _owner=None): - """Verifies remote command directory. + """Verifies restricted command directory. @type path: string @param path: Path to check @@ -3745,10 +3745,10 @@ def _VerifyRestrictedCmdDirectory(path, _owner=None): def _VerifyRestrictedCmd(path, cmd, _owner=None): - """Verifies a whole remote command and returns its executable filename. + """Verifies a whole restricted command and returns its executable filename. @type path: string - @param path: Directory containing remote commands + @param path: Directory containing restricted commands @type cmd: string @param cmd: Command name @rtype: tuple; (boolean, string) @@ -3774,10 +3774,10 @@ def _PrepareRestrictedCmd(path, cmd, _verify_dir=_VerifyRestrictedCmdDirectory, _verify_name=_VerifyRestrictedCmdName, _verify_cmd=_VerifyRestrictedCmd): - """Performs a number of tests on a remote command. + """Performs a number of tests on a restricted command. @type path: string - @param path: Directory containing remote commands + @param path: Directory containing restricted commands @type cmd: string @param cmd: Command name @return: Same as L{_VerifyRestrictedCmd} @@ -3804,7 +3804,7 @@ def RunRestrictedCmd(cmd, _prepare_fn=_PrepareRestrictedCmd, _runcmd_fn=utils.RunCmd, _enabled=constants.ENABLE_RESTRICTED_COMMANDS): - """Executes a remote command after performing strict tests. + """Executes a restricted command after performing strict tests. @type cmd: string @param cmd: Command name @@ -3813,10 +3813,10 @@ def RunRestrictedCmd(cmd, @raise RPCFail: In case of an error """ - logging.info("Preparing to run remote command '%s'", cmd) + logging.info("Preparing to run restricted command '%s'", cmd) if not _enabled: - _Fail("Remote commands disabled at configure time") + _Fail("Restricted commands disabled at configure time") lock = None try: @@ -3844,7 +3844,7 @@ def RunRestrictedCmd(cmd, # Do not include original error message in returned error _Fail("Executing command '%s' failed" % cmd) elif cmdresult.failed or cmdresult.fail_reason: - _Fail("Remote command '%s' failed: %s; output: %s", + _Fail("Restricted command '%s' failed: %s; output: %s", cmd, cmdresult.fail_reason, cmdresult.output) else: return cmdresult.output diff --git a/test/py/ganeti.backend_unittest.py b/test/py/ganeti.backend_unittest.py index 74ae4e7..a84fbff 100755 --- a/test/py/ganeti.backend_unittest.py +++ b/test/py/ganeti.backend_unittest.py @@ -1,7 +1,7 @@ #!/usr/bin/python # -# Copyright (C) 2010 Google Inc. +# Copyright (C) 2010, 2013 Google Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -423,7 +423,8 @@ class TestRunRestrictedCmd(unittest.TestCase): _sleep_fn=sleep_fn, _prepare_fn=prepare_fn, _enabled=True) except backend.RPCFail, err: - self.assertTrue(str(err).startswith("Remote command 'test3079' failed:")) + self.assertTrue(str(err).startswith("Restricted command 'test3079'" + " failed:")) self.assertTrue("stderr406328567" in str(err), msg="Error did not include output") else: @@ -477,7 +478,8 @@ class TestRunRestrictedCmd(unittest.TestCase): _runcmd_fn=NotImplemented, _enabled=False) except backend.RPCFail, err: - self.assertEqual(str(err), "Remote commands disabled at configure time") + self.assertEqual(str(err), + "Restricted commands disabled at configure time") else: self.fail("Did not raise exception") -- 1.7.10.4