
Re: [Ovirt-devel] [PATCH node] The node now passes in the mac address and iface names during identify.



On Fri, Sep 19, 2008 at 04:35:37PM -0400, Darryl L. Pierce wrote:
> This works with the patch for the server that generates a configuration file
> for the node based on the interface names passed in with each mac address.
> 
> Additionally, the node will pull down the configuration and process it as a
> script. Since the configuration will be composed of two separate parts:
> 
> 1. a script to load one or more kernel modules
> 2. a configuration file to pass to augtool
> 
> The script is downloaded to a temp directory and then passed to bash. If
> either of the two expected files is produced then it is further processed to
> configure the node.
> 
> Signed-off-by: Darryl L. Pierce <dpierce redhat com>
> ---
>  scripts/ovirt-early |   18 +++++++++++++++---
>  1 files changed, 15 insertions(+), 3 deletions(-)
> 
> diff --git a/scripts/ovirt-early b/scripts/ovirt-early
> index 8024b3b..f890f9a 100755
> --- a/scripts/ovirt-early
> +++ b/scripts/ovirt-early
> @@ -13,6 +13,11 @@
>  # size of the oVirt partition in megabytes
>  OVIRT_SIZE=64
>  
> +get_mac_addresses() {
> +    macs=$(ifconfig | awk '/HWaddr/ { print $5"="$1 }' \
> +                    | tr '\n' ' ' | sed 's/ /%2C/g;s/:/%3A/g')
> +}
> +
>  configure_from_network() {
>      DEVICE=$1
>      if [ -n "$DEVICE" ]; then
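
Review bot: get_mac_addresses always leaves a trailing separator on its result: `tr '\n' ' '` turns the final newline into a space too, and `sed 's/ /%2C/g'` then encodes it, so `macs` ends in `%2C` and the server receives an empty last element. Strip the trailing separator before encoding, or join the entries explicitly. The function also returns its result through the global `macs`, and only `:` is percent-encoded in the `$5"="$1` pairs, so the `=` and anything unexpected in an interface name go into the query string unencoded; a comment stating the expected `mac=iface` list format would help keep the node and server sides in step.
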
> @@ -31,12 +36,19 @@ configure_from_network() {
>                  if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then
>                      printf .
>                      cfgdb=$(mktemp)
> +                    get_mac_addresses
>                      wget -q -O $cfgdb \
> -                      "http://$SRV_HOST:$SRV_PORT/ovirt/cfgdb/$(hostname)"
> +                      "http://$SRV_HOST:$SRV_PORT/ovirt/managed_node/config?host=$(hostname)&macs=$macs"
>                      if [ $? -eq 0 ]; then
>                          printf .
> -                        echo "save" >> $cfgdb
> -                        augtool < $cfgdb > /dev/null 2>&1
> +                        bash $cfgdb
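
Review bot: The added `bash $cfgdb` line executes whatever body comes back from `http://$SRV_HOST:$SRV_PORT`, fetched over plain HTTP with no integrity or origin check, so the node runs unverified remote content as shell. Keep the executable logic in the node image and download only data that is validated before it is used. Separately, `$(hostname)` goes into the query string unencoded, `$cfgdb` is unquoted in both the `wget` and `bash` lines, and the only gate is `[ $? -eq 0 ]` on wget's exit status, so an unexpected body would still be run.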

NACK.  We cannot download & execute arbitrary shell scripts. It blows a 
hole in the security of the node host OS. If there are shell scripts 
needed they must be built into the node image, and merely the configuration
data to be fed to them should be downloaded.

That said, even the original code was kinda suspect - downloading an 
entire augtool control file basically allows any change whatsoever
to be made.  

Really we should download data such as the interface name, and config
options, and then use a local pre-existing script to make the changes
and/or call augtool - ie the augtool rules should already be on the
managed node, with placeholders where you fit in the validated config
parameters.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
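
The approach described in the reply above, as an added example that is not part of the original message or of the oVirt code: the download carries only key=value data, and a script already in the node image validates each value and fills a fixed augtool template. The key names (IFNAME, MAC, BOOTPROTO), the allowed patterns and the template are assumptions made for illustration; the printed commands are what would be fed to augtool.

```shell
#!/bin/sh
# Added example: the server sends key=value data only; the template and the
# validation rules live in the node image. Key names are assumptions.

# augtool commands built into the image; @NAME@ marks a placeholder.
TEMPLATE='set /files/etc/sysconfig/network-scripts/ifcfg-@IFNAME@/DEVICE @IFNAME@
set /files/etc/sysconfig/network-scripts/ifcfg-@IFNAME@/HWADDR @MAC@
set /files/etc/sysconfig/network-scripts/ifcfg-@IFNAME@/BOOTPROTO @BOOTPROTO@
save'

# validate KEY VALUE: succeed only if VALUE fits the pattern allowed for KEY.
validate() {
    case "$1" in
        IFNAME)    printf '%s' "$2" | grep -Eq '^[a-z][a-z0-9]{1,14}$' ;;
        MAC)       printf '%s' "$2" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ;;
        BOOTPROTO) case "$2" in dhcp|static|none) ;; *) return 1 ;; esac ;;
        *)         return 1 ;;   # unknown keys are rejected, not ignored
    esac
}

# render_augtool: read key=value lines on stdin, print the filled template.
# Prints nothing and returns 1 if any line is malformed or a key is missing.
render_augtool() {
    out=$TEMPLATE
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case "$line" in *=*) ;; *) return 1 ;; esac
        key=${line%%=*}
        value=${line#*=}
        validate "$key" "$value" || return 1
        # Safe to splice: value holds only characters the pattern allowed.
        out=$(printf '%s\n' "$out" | sed "s/@$key@/$value/g")
    done
    case "$out" in *@*) return 1 ;; esac   # placeholder left unfilled
    printf '%s\n' "$out"
}

# Constructed sample of a server response (data only, no commands).
SAMPLE='IFNAME=eth0
MAC=00:16:3e:12:34:56
BOOTPROTO=dhcp'
printf '%s\n' "$SAMPLE" | render_augtool
```

A response that contains a raw augtool command, an unknown key, or a value outside its pattern makes `render_augtool` return 1 without printing anything, so nothing reaches augtool.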

