root / doc / design-restricted-commands.rst @ 33c730a2
Design for executing commands via RPC
=====================================

.. contents:: :depth: 3


Current state and shortcomings
------------------------------

We have encountered situations where a node no longer responded to SSH
connection attempts, or where SSH became unavailable for other reasons.
Quite often the node daemon is still reachable in such situations, even
when there is little free memory, because the node daemon is locked into
main memory using ``mlock(2)``.

Since the node daemon does not allow the execution of arbitrary
commands, quite often the only options left were to attempt a powercycle
request via said node daemon or to physically reset the node.


Proposed changes
----------------

The goal of this design is to allow the execution of non-arbitrary
commands via RPC requests. Since this is dangerous should the cluster
certificate (``server.pem``) be leaked, some precautions need to be
taken:

- No parameters may be passed
- No absolute or relative path may be passed, only a filename
- The executable must reside in ``/etc/ganeti/restricted-commands``,
  which must be owned by root:root and have mode 0755 or stricter
- Executables must be regular files or symlinks
- Executables must be executable by root:root

There shall be no way to list available commands or to retrieve an
executable's contents. The result from a request to execute a specific
command will either be its output and exit code, or a generic error
message. Only the receiving node's log files shall contain information
as to why executing the command failed.

To slow down dictionary attacks on command names in case an attacker
manages to obtain a copy of ``server.pem``, a system-wide, file-based
lock is acquired before verifying the command name and its executable.
If a command cannot be executed for some reason, the lock is only
released after a delay of several seconds, after which the generic error
message is returned to the caller. Because the lock is system-wide,
requests are serialised: an attacker cannot get around the delay by
issuing many guesses in parallel.
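
The following Python sketch is an added example and is not part of this
design or of Ganeti's code. It pulls together the precautions listed
above, the generic error message whose detailed reason goes only to the
node's log, and the lock that stays held across the failure delay. The
directory name ``/etc/ganeti/restricted-commands`` comes from the
design; the lock file path, the five-second default delay, the wording
of the generic error, the ``log`` list standing in for the node's log
file, the refusal of whitespace in names and the fixture built in a
temporary directory (owned by the current user in place of root:root)
are assumptions of this example. The design does not say when the lock
is released after a successful check; the example releases it after
verification, before the command runs.

```python
# Added example, not Ganeti code. Constants marked "assumed" are not from
# the design.
import fcntl
import os
import stat
import subprocess
import tempfile
import time

RESTRICTED_DIR = "/etc/ganeti/restricted-commands"  # from the design
LOCK_PATH = "/var/lock/ganeti-restricted-commands"  # assumed location
FAILURE_DELAY = 5.0                                  # "several seconds"
GENERIC_ERROR = "Command not executable"             # assumed wording


class _Reject(Exception):
    """Detailed refusal reason: written to the node's log, never returned."""


def _check_name(name):
    # Bare filename only: "/" rules out absolute and relative paths, "."
    # and ".." cannot name a regular file, and whitespace is refused so
    # nothing parameter-like can be smuggled in (a conservative extra).
    if (not name or name in (".", "..") or "/" in name or "\0" in name
            or any(c.isspace() for c in name)):
        raise _Reject("invalid command name %r" % name)


def _check_directory(directory, uid, gid):
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        raise _Reject("%s is not a directory" % directory)
    if (st.st_uid, st.st_gid) != (uid, gid):
        raise _Reject("%s is not owned by %d:%d" % (directory, uid, gid))
    if stat.S_IMODE(st.st_mode) & ~0o755:   # "0755 or stricter"
        raise _Reject("%s has mode %o" % (directory, stat.S_IMODE(st.st_mode)))


def _check_executable(path, uid, gid):
    lst = os.lstat(path)                     # the directory entry itself
    if not (stat.S_ISREG(lst.st_mode) or stat.S_ISLNK(lst.st_mode)):
        raise _Reject("%s is neither a regular file nor a symlink" % path)
    st = os.stat(path)                       # the symlink target, if any
    if not stat.S_ISREG(st.st_mode):
        raise _Reject("%s does not resolve to a regular file" % path)
    if (st.st_uid, st.st_gid) != (uid, gid):
        raise _Reject("%s is not owned by %d:%d" % (path, uid, gid))
    if not st.st_mode & stat.S_IXUSR:
        raise _Reject("%s is not executable by its owner" % path)


def run_restricted_command(name, directory=RESTRICTED_DIR, lock_path=LOCK_PATH,
                           delay=FAILURE_DELAY, uid=0, gid=0, log=None):
    """Return (True, output, exit_code) or (False, GENERIC_ERROR, None).
    ``log`` is a list standing in for the node's log file (assumption)."""
    log = [] if log is None else log
    with open(lock_path, "a") as lockfile:
        # System-wide lock: requests are serialised here, so an attacker
        # cannot parallelise guesses to get around the delay below.
        fcntl.flock(lockfile, fcntl.LOCK_EX)
        try:
            _check_name(name)
            _check_directory(directory, uid, gid)
            path = os.path.join(directory, name)
            _check_executable(path, uid, gid)
        except (_Reject, OSError) as err:
            log.append("restricted command %r refused: %s" % (name, err))
            time.sleep(delay)                # lock still held while waiting
            return (False, GENERIC_ERROR, None)
        finally:
            fcntl.flock(lockfile, fcntl.LOCK_UN)
    # Lock released before running (assumption). argv is just the verified
    # path, so no parameters reach the command; merging stderr into the
    # returned output is another assumption of this example.
    proc = subprocess.run([path], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT)
    return (True, proc.stdout.decode("utf-8", "replace"), proc.returncode)


def build_demo_directory():
    """Constructed fixture so the example runs unprivileged: a temporary
    command directory (mode 0755, owned by the current user in place of
    root:root) holding a valid command, a symlink to it, a non-executable
    file and a sub-directory. Returns (directory, lock_path, uid, gid)."""
    root = tempfile.mkdtemp()
    directory = os.path.join(root, "restricted-commands")
    os.mkdir(directory)
    os.chmod(directory, 0o755)               # mkdir's mode is umask-masked
    good = os.path.join(directory, "show-uptime")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\necho hello from a restricted command\nexit 3\n")
    os.chmod(good, 0o755)
    os.symlink(good, os.path.join(directory, "uptime-link"))
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("not a command\n")
    os.mkdir(os.path.join(directory, "subdir"))
    st = os.stat(directory)
    return directory, os.path.join(root, "lock"), st.st_uid, st.st_gid


def demo(delay=0.2):
    """Issue valid and invalid requests against the fixture. Returns
    (results, log); results maps name -> (ok, output, exit_code, delayed)."""
    directory, lock_path, uid, gid = build_demo_directory()
    log, results = [], {}
    for name in ("show-uptime", "uptime-link", "notes.txt", "subdir",
                 "../show-uptime", "show-uptime extra", "does-not-exist"):
        start = time.monotonic()
        ok, out, code = run_restricted_command(name, directory, lock_path,
                                               delay, uid, gid, log)
        results[name] = (ok, out.strip(), code,
                         time.monotonic() - start >= delay * 0.9)
    return results, log
```

Calling ``demo()`` exercises the fixture: the plain name and the symlink
both run and return the script's exit code 3, whereas the non-executable
file, the sub-directory, the two names containing a path component or
whitespace and the missing name all come back as the generic error after
the delay, with the specific reason recorded only in ``log``.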

At first, restricted commands will not be made available through the
:doc:`remote API <rapi>`, though that could be done at a later point
(with a separate password).

On the command line, a new sub-command will be added to the ``gnt-node``
script.

.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: