Commit 8b72b05c authored by René Nussbaumer's avatar René Nussbaumer

Let ganeti-rapi run under a different user/group

Signed-off-by: default avatarRené Nussbaumer <rn@google.com>
Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
parent 743b53d4
......@@ -514,6 +514,9 @@ lib/_autoconf.py: Makefile stamp-directories
echo "PKGLIBDIR = '$(pkglibdir)'"; \
echo "DRBD_BARRIERS = $(DRBD_BARRIERS)"; \
echo "SYSLOG_USAGE = '$(SYSLOG_USAGE)'"; \
echo "DAEMONS_GROUP = '$(DAEMONS_GROUP)'"; \
echo "MASTERD_USER = '$(MASTERD_USER)'"; \
echo "RAPI_USER = '$(RAPI_USER)'"; \
} > $@
$(REPLACE_VARS_SED): Makefile
......@@ -214,21 +214,23 @@ def CheckRapi(options, args):
ssconf.CheckMaster(options.debug)
# Read SSL certificate (this is a little hackish to read the cert as root)
if options.ssl:
options.ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
ssl_cert_path=options.ssl_cert)
else:
options.ssl_params = None
def ExecRapi(options, _):
"""Main remote API function, executed with the PID file held.
"""
# Read SSL certificate
if options.ssl:
ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
ssl_cert_path=options.ssl_cert)
else:
ssl_params = None
mainloop = daemon.Mainloop()
server = RemoteApiHttpServer(mainloop, options.bind_address, options.port,
ssl_params=ssl_params, ssl_verify_peer=False,
ssl_params=options.ssl_params,
ssl_verify_peer=False,
request_executor_class=JsonErrorRequestExecutor)
# pylint: disable-msg=E1101
# it seems pylint doesn't see the second parent class there
......@@ -251,7 +253,8 @@ def main():
dirs.append((constants.LOG_OS_DIR, 0750))
daemon.GenericMain(constants.RAPI, parser, dirs, CheckRapi, ExecRapi,
default_ssl_cert=constants.RAPI_CERT_FILE,
default_ssl_key=constants.RAPI_CERT_FILE)
default_ssl_key=constants.RAPI_CERT_FILE,
user=constants.RAPI_USER, group=constants.DAEMONS_GROUP)
if __name__ == "__main__":
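Review bot: ExecRapi's docstring (`Main remote API function, executed with the PID file held.`) no longer states its contract: the function now relies on `options.ssl_params` having been filled in by CheckRapi, and the `# Read SSL certificate (this is a little hackish to read the cert as root)` comment does not say why the read was moved. Suggest rewording that comment to `# Read the SSL certificate here, while still running as root: privileges are dropped to RAPI_USER before ExecRapi runs and the key file is presumably not readable by that user`, and adding a line to ExecRapi's docstring saying that `options.ssl_params` is expected to be set by CheckRapi (None when SSL is disabled). Loading the key before the privilege drop also means the daemon cannot re-read it later (e.g. after a certificate rotation) without a restart; if that is intended, it is worth recording in the same comment. An unreadable key now fails in CheckRapi rather than under the PID-file lock, which may change how the error is reported to the caller — worth confirming. CheckRapi begins outside the hunk and the ExecRapi body continues past it.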
......@@ -82,16 +82,21 @@ CONFIG_MINOR = int(_autoconf.VERSION_MINOR)
CONFIG_REVISION = 0
CONFIG_VERSION = BuildVersion(CONFIG_MAJOR, CONFIG_MINOR, CONFIG_REVISION)
# user separation
DAEMONS_GROUP = _autoconf.DAEMONS_GROUP
MASTERD_USER = _autoconf.MASTERD_USER
RAPI_USER = _autoconf.RAPI_USER
# file paths
DATA_DIR = _autoconf.LOCALSTATEDIR + "/lib/ganeti"
RUN_DIR = _autoconf.LOCALSTATEDIR + "/run"
RUN_GANETI_DIR = RUN_DIR + "/ganeti"
BDEV_CACHE_DIR = RUN_GANETI_DIR + "/bdev-cache"
DISK_LINKS_DIR = RUN_GANETI_DIR + "/instance-disks"
RUN_DIRS_MODE = 0755
RUN_DIRS_MODE = 0775
SOCKET_DIR = RUN_GANETI_DIR + "/socket"
SECURE_DIR_MODE = 0700
SOCKET_DIR_MODE = SECURE_DIR_MODE
SOCKET_DIR_MODE = 0750
CRYPTO_KEYS_DIR = RUN_GANETI_DIR + "/crypto"
CRYPTO_KEYS_DIR_MODE = SECURE_DIR_MODE
IMPORT_EXPORT_DIR = RUN_GANETI_DIR + "/import-export"
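Review bot: `RUN_DIRS_MODE = 0775` and `SOCKET_DIR_MODE = 0750` loosen directory modes (SOCKET_DIR_MODE was previously tied to `SECURE_DIR_MODE`) without a comment saying which group they are opened to or why, and the new group-write bit on RUN_DIRS_MODE has a security consequence this commit does not address. Because ganeti-rapi is now started with `group=constants.DAEMONS_GROUP`, a compromised rapi process gains write access to every directory created with RUN_DIRS_MODE — if BDEV_CACHE_DIR or DISK_LINKS_DIR share that mode, that includes state used by other daemons — and without the sticky bit group members can also rename or unlink each other's files there. Suggest either `RUN_DIRS_MODE = 01775` or confining group-write to a rapi-specific subdirectory, and in any case a comment above RUN_DIRS_MODE such as `# group-writable: daemons running as RAPI_USER (DAEMONS_GROUP) create their run files here` and above SOCKET_DIR_MODE `# group may traverse and list, but not create sockets (RAPI_USER presumably needs to reach the master socket)`. Which directories are actually created with RUN_DIRS_MODE is not visible in this hunk, so the blast radius above is inferred and should be checked against the callers.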