root / doc / design-restricted-commands.rst @ 33c730a2
History | View | Annotate | Download (2.3 kB)
1 |
Design for executing commands via RPC |
---|---|
2 |
===================================== |
3 |
|
4 |
.. contents:: :depth: 3 |
5 |
|
6 |
|
7 |
Current state and shortcomings |
8 |
------------------------------ |
9 |
|
10 |
We have encountered situations where a node was no longer responding to |
11 |
attempts at connecting via SSH or SSH became unavailable through other |
12 |
means. Quite often the node daemon is still available, even in |
13 |
situations where there's little free memory. The latter is due to the |
14 |
node daemon being locked into main memory using ``mlock(2)``. |
15 |
|
16 |
Since the node daemon does not allow the execution of arbitrary |
17 |
commands, quite often the only solution left was either to attempt a |
18 |
powercycle request via said node daemon or to physically reset the node. |
19 |
|
20 |
|
21 |
Proposed changes |
22 |
---------------- |
23 |
|
24 |
The goal of this design is to allow the execution of non-arbitrary |
25 |
commands via RPC requests. Since this can be dangerous in case the |
26 |
cluster certificate (``server.pem``) is leaked, some precautions need to |
27 |
be taken: |
28 |
|
29 |
- No parameters may be passed |
30 |
- No absolute or relative path may be passed, only a filename |
31 |
- Executable must reside in ``/etc/ganeti/restricted-commands``, which must |
32 |
be owned by root:root and have mode 0755 or stricter |
33 |
- Must be regular files or symlinks |
34 |
- Must be executable by root:root |
35 |
|
36 |
There shall be no way to list available commands or to retrieve an |
37 |
executable's contents. The result from a request to execute a specific |
38 |
command will either be its output and exit code, or a generic error |
39 |
message. Only the receiving node's log files shall contain information |
40 |
as to why executing the command failed. |
41 |
|
42 |
To slow down dictionary attacks on command names in case an attacker |
43 |
manages to obtain a copy of ``server.pem``, a system-wide, file-based |
44 |
lock is acquired before verifying the command name and its executable. |
45 |
If a command can not be executed for some reason, the lock is only |
46 |
released with a delay of several seconds, after which the generic error |
47 |
message will be returned to the caller. |
48 |
|
49 |
At first, restricted commands will not be made available through the |
50 |
:doc:`remote API <rapi>`, though that could be done at a later point |
51 |
(with a separate password). |
52 |
|
53 |
On the command line, a new sub-command will be added to the ``gnt-node`` |
54 |
script. |
55 |
|
56 |
.. vim: set textwidth=72 : |
57 |
.. Local Variables: |
58 |
.. mode: rst |
59 |
.. fill-column: 72 |
60 |
.. End: |