From 2ff01d7826a481ee216a78c5b048c7f3b401ba8b Mon Sep 17 00:00:00 2001
From: Michael Hanselmann <hansmi@google.com>
Date: Fri, 12 Oct 2012 15:53:35 +0200
Subject: [PATCH] Design for remote command execution via RPC

This is a first design for executing commands via RPC.

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
---
 Makefile.am                    |  1 +
 doc/design-draft.rst           |  1 +
 doc/design-remote-commands.rst | 60 ++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 doc/design-remote-commands.rst

diff --git a/Makefile.am b/Makefile.am
index 66a8b3736..00a272f3b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -360,6 +360,7 @@ docrst = \
 	doc/design-partitioned.rst \
 	doc/design-query-splitting.rst \
 	doc/design-query2.rst \
+	doc/design-remote-commands.rst \
 	doc/design-resource-model.rst \
 	doc/design-shared-storage.rst \
 	doc/design-ssh-setup.rst \
diff --git a/doc/design-draft.rst b/doc/design-draft.rst
index 5836fe3b4..36dba73fd 100644
--- a/doc/design-draft.rst
+++ b/doc/design-draft.rst
@@ -16,6 +16,7 @@ Design document drafts
    design-autorepair.rst
    design-partitioned.rst
    design-ssh-setup.rst
+   design-remote-commands.rst
 
 .. vim: set textwidth=72 :
 .. Local Variables:
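Review bot: the new `design-remote-commands.rst` entry is appended after `design-ssh-setup.rst`, whereas the surrounding toctree entries (`design-autorepair.rst`, `design-partitioned.rst`, `design-ssh-setup.rst`) and the `docrst` list in the Makefile.am hunk are kept alphabetical; move it between `design-partitioned.rst` and `design-ssh-setup.rst` for consistency.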
diff --git a/doc/design-remote-commands.rst b/doc/design-remote-commands.rst
new file mode 100644
index 000000000..27524ffbc
--- /dev/null
+++ b/doc/design-remote-commands.rst
@@ -0,0 +1,60 @@
+Design for executing commands via RPC
+=====================================
+
+.. contents:: :depth: 3
+
+
+Current state and shortcomings
+------------------------------
+
+We have encountered situations where a node was no longer responding to
+attempts at connecting via SSH or SSH became unavailable through other
+means. Quite often the node daemon is still available, even in
+situations where there's little free memory. The latter is due to the
+node daemon being locked into main memory using ``mlock(2)``.
+
+Since the node daemon does not allow the execution of arbitrary
+commands, quite often the only solution left was either to attempt a
+powercycle request via said node daemon or to physically reset the node.
+
+
+Proposed changes
+----------------
+
+The goal of this design is to allow the execution of non-arbitrary
+commands via RPC requests. Since this can be dangerous in case the
+cluster certificate (``server.pem``) is leaked, some precautions need to
+be taken:
+
+- No parameters may be passed
+- No absolute or relative path may be passed, only a filename
+- Executable must reside in ``/etc/ganeti/remote-commands``, which must
+  be owned by root:root and have mode 0755 or stricter
+  - Must be regular files or symlinks
+  - Must be executable by root:root
+
+There shall be no way to list available commands or to retrieve an
+executable's contents. The result from a request to execute a specific
+command will either be its output and exit code, or a generic error
+message. Only the receiving node's log files shall contain information
+as to why executing the command failed.
+
+To slow down dictionary attacks on command names in case an attacker
+manages to obtain a copy of ``server.pem``, a system-wide, file-based
+lock is acquired before verifying the command name and its executable.
+If a command can not be executed for some reason, the lock is only
+released with a delay of several seconds, after which the generic error
+message will be returned to the caller.
+
+At first, remote commands will not be made available through the
+:doc:`remote API <rapi>`, though that could be done at a later point
+(with a separate password).
+
+On the command line, a new sub-command will be added to the ``gnt-node``
+script.
+
+.. vim: set textwidth=72 :
+.. Local Variables:
+.. mode: rst
+.. fill-column: 72
+.. End:
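Review bot: the executable checks in the "Proposed changes" list leave two gaps the design should close. First, "Must be regular files or symlinks" admits a symlink whose target lies outside `/etc/ganeti/remote-commands`; state whether the target is resolved and subjected to the same ownership and mode checks, or restrict the directory to regular files. Second, the directory is required to be root:root with mode 0755 or stricter, but the entries themselves only need to be "executable by root:root"; spell out that each file must also be owned by root and not be group- or world-writable, since a writable file lets a local user supply the code the node daemon runs as root. Two smaller points: the failure path holds the system-wide lock for several seconds before returning the generic error, so a holder of the cluster certificate can keep legitimate remote commands waiting for as long as it keeps sending bad names, which is worth recording as an accepted trade-off of the rate-limiting scheme; and the two `- Must ...` sub-items under the `/etc/ganeti/remote-commands` bullet are indented without a separating blank line, which reStructuredText treats as continuation of the parent paragraph rather than a nested list, so insert a blank line before and after them.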
-- 
GitLab