From 961e368116aa02301916eb58bded4d3dbeb770ea Mon Sep 17 00:00:00 2001 From: Tino Vazquez Date: Fri, 9 Mar 2012 17:13:42 +0100 Subject: [PATCH 1/4] TM shared drivers compatibility with VMware --- src/mad/sh/scripts_common.sh | 1 + src/tm_mad/common/context | 3 ++ src/tm_mad/shared/ln | 39 +++++++++++++++++---- src/tm_mad/tm_common.sh | 15 ++++++++ src/vmm/LibVirtDriverVMware.cc | 6 ++-- src/vmm_mad/exec/vmm_exec_vmware.conf | 9 ++--- src/vmm_mad/remotes/vmware/vmware_driver.rb | 3 +- 7 files changed, 61 insertions(+), 15 deletions(-) diff --git a/src/mad/sh/scripts_common.sh b/src/mad/sh/scripts_common.sh index 1296f3c65a..7e6bb04ce8 100755 --- a/src/mad/sh/scripts_common.sh +++ b/src/mad/sh/scripts_common.sh @@ -27,6 +27,7 @@ ISCSIADM=iscsiadm LVCREATE=lvcreate LVREMOVE=lvremove LVS=lvs +LN=ln MD5SUM=md5sum MKFS=mkfs MKISOFS=mkisofs diff --git a/src/tm_mad/common/context b/src/tm_mad/common/context index a36c2e5699..d519110140 100755 --- a/src/tm_mad/common/context +++ b/src/tm_mad/common/context @@ -73,6 +73,9 @@ exec_and_log "$MKISOFS -o $ISO_FILE -J -R $ISO_DIR" "Error creating iso fs" exec_and_log "$SCP $ISO_FILE $DST" "Error copying context ISO to $DST" +# Creates symbolic link to add a .iso suffix, needed for VMware CDROMs +ssh_exec_and_log $DST_HOST "$LN -s $DST_PATH $DST_PATH.iso" "Error creating ISO symbolic link" + rm -rf $ISO_DIR > /dev/null 2>&1 exit 0 diff --git a/src/tm_mad/shared/ln b/src/tm_mad/shared/ln index 4ecb76e42b..2a9395d484 100755 --- a/src/tm_mad/shared/ln +++ b/src/tm_mad/shared/ln @@ -16,7 +16,7 @@ # limitations under the License. # #--------------------------------------------------------------------------- # -# ln fe:SOURCE host:remote_system_ds/disk.i size +# ln fe:SOURCE host:remote_system_ds/disk.i # - fe is the front-end hostname # - SOURCE is the path of the disk image in the form DS_BASE_PATH/disk # - host is the target host to deploy the VM 
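Review bot: The new `ssh_exec_and_log $DST_HOST "$LN -s $DST_PATH $DST_PATH.iso"` line in `context` passes the path unquoted inside the command string, so the remote shell re-splits it if `$DST_PATH` ever contains whitespace or a metacharacter; the script's other `exec_and_log` calls share that habit, but this one is the first that runs on the hypervisor side. Quoting the arguments, `ssh_exec_and_log $DST_HOST "$LN -s \"$DST_PATH\" \"$DST_PATH.iso\"" "Error creating ISO symbolic link"`, keeps the command intact. `ln -s` also fails with "File exists" if the link is already there, so a re-run over an existing deployment directory would stop at this step; if that can happen, `-sf` makes it idempotent. The link is created for every hypervisor although the comment says only VMware needs it, which is worth stating in the comment if it is intentional.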
@@ -43,16 +43,41 @@ DST_PATH=`arg_path $DST` DST_HOST=`arg_host $DST` DST_DIR=`dirname $DST_PATH` -ssh_make_path $DST_HOST $DST_DIR - #------------------------------------------------------------------------------- # Link (ln) SRC into DST #------------------------------------------------------------------------------- -log "Linking $SRC_PATH in $DST" +# Is it a file or a folder (VMware)? +if [ -d `arg_path $SRC` ]; then + ssh_make_path $DST_HOST $DST_PATH + + # It's a folder, make links for all elements + SRC_FOLDER_NAME=`basename $SRC_PATH` + SRC_WITH_NO_FOLDER=`dirname $SRC_PATH` + SRC_DS_NAME=`basename $SRC_WITH_NO_FOLDER` + REL_SRC_PATH="../../../$SRC_DS_NAME/$SRC_FOLDER_NAME" + + log "Link all files in $SRC_PATH to $DST_PATH" + +LINK_SCRIPT=$(cat <" << endl; file << "\t\t\tget_oid() - << "/images/disk." << i << "'/>" << endl; + << "/disk." << i << "'/>" << endl; } else if ( type == "CDROM" ) { file << "\t\t" << endl; file << "\t\t\tget_oid() - << "/images/disk." << i << ".iso'/>" << endl; + << "/disk." << i << ".iso'/>" << endl; } else { file << "\t\t" << endl << "\t\t\t" << endl; + << "/disk." << i << "/disk.vmdk'/>" << endl; } file << "\t\t\t e OpenNebula.log_error("Cannot open checkpoint #{e.message}") exit -1 From a9d7a9b072367cf64bd8566d77020662b8c7a7d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Fri, 9 Mar 2012 17:32:54 +0100 Subject: [PATCH 2/4] Bug #1159: Move restricted attribute checks to RM. Do not check restricted attributes when a template owned by oneadmin is instantiated --- include/RequestManagerAllocate.h | 4 +++ src/image/Image.cc | 20 ------------ src/rm/RequestManagerAllocate.cc | 52 ++++++++++++++++++++++++++++++ src/rm/RequestManagerVMTemplate.cc | 21 ++++++++++++ src/vm/VirtualMachine.cc | 28 ++-------------- 5 files changed, 80 insertions(+), 45 deletions(-) diff --git a/include/RequestManagerAllocate.h b/include/RequestManagerAllocate.h index 8b3497b418..faceccd4db 100644 
--- a/include/RequestManagerAllocate.h
+++ b/include/RequestManagerAllocate.h
@@ -205,6 +205,10 @@ public:
 void request_execute(xmlrpc_c::paramList const& _paramList,
 RequestAttributes& att);
+
+ bool allocate_authorization(Template * obj_template,
+ RequestAttributes& att,
+ PoolObjectAuth * cluster_perms);
 };
 /* ------------------------------------------------------------------------- */
diff --git a/src/image/Image.cc b/src/image/Image.cc
index dfa867ee24..e05c4b8ffd 100644
--- a/src/image/Image.cc
+++ b/src/image/Image.cc
@@ -95,25 +95,10 @@ int Image::insert(SqlDB *db, string& error_str)
 string persistent_attr;
 string dev_prefix;
 string source_attr;
- string aname;
 string saved_id;
 ostringstream oss;
- // ------------------------------------------------------------------------
- // Check template for restricted attributes
- // ------------------------------------------------------------------------
-
- if ( uid != 0 && gid != GroupPool::ONEADMIN_ID )
- {
- ImageTemplate *img_template = static_cast(obj_template);
-
- if (img_template->check(aname))
- {
- goto error_restricted;
- }
- }
-
 // ---------------------------------------------------------------------
 // Check default image attributes
 // ---------------------------------------------------------------------
@@ -242,11 +227,6 @@ error_path_and_source:
 error_str = "Template malformed, PATH and SOURCE are mutually exclusive.";
 goto error_common;
-error_restricted:
- oss << "Template includes a restricted attribute " << aname << ".";
- error_str = oss.str();
- goto error_common;
-
 error_common:
 NebulaLog::log("IMG", Log::ERROR, error_str);
 return -1;
diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc
index 5342d9efd8..e5c70bda4a 100644
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
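Review bot: Dropping the restricted-attribute check from `Image::insert` moves the only enforcement point to the request handler (`ImageAllocate::allocate_authorization` in the RequestManagerAllocate.cc hunk), so any other code path that builds an `ImageTemplate` and calls `Image::insert` is no longer covered; the `VirtualMachine::insert` hunk in VirtualMachine.cc has the same consequence, and I cannot see the remaining callers of either from here. If image creation can be reached without going through `ImageAllocate` (a disk saved back to a datastore, for instance), that path needs the same `check(aname)` guard, or `Image::insert` should document that callers are responsible. A one-line note at the removal site, `// Restricted attributes are validated by the RequestManager before insert()`, would make the new contract explicit to the next maintainer.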
@@ -76,9 +76,28 @@ bool VirtualMachineAllocate::allocate_authorization(
 AuthRequest ar(att.uid, att.gid);
 string t64;
+ string aname;
 VirtualMachineTemplate * ttmpl = static_cast(tmpl);
+ // Check template for restricted attributes
+
+ if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (ttmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "VM Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ return false;
+ }
+ }
+
 ar.add_create_auth(auth_object, tmpl->to_xml(t64));
 VirtualMachine::set_auth_request(att.uid, ar, ttmpl);
@@ -98,6 +117,39 @@ bool VirtualMachineAllocate::allocate_authorization(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
+bool ImageAllocate::allocate_authorization(
+ Template * tmpl,
+ RequestAttributes& att,
+ PoolObjectAuth * cluster_perms)
+{
+ string aname;
+
+ ImageTemplate * itmpl = static_cast(tmpl);
+
+ // Check template for restricted attributes
+
+ if ( att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (itmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ return false;
+ }
+ }
+
+ return RequestManagerAllocate::allocate_authorization(tmpl, att, cluster_perms);
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
 RequestAttributes& att)
 {
diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc
index a62aa2f56d..d354d5a037 100644
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
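Review bot: The restricted-attribute block added to `VirtualMachineAllocate::allocate_authorization` is repeated almost verbatim in `ImageAllocate::allocate_authorization` in the next hunk and a third time in the RequestManagerVMTemplate.cc hunk, differing only in the template type and the message prefix; a small private helper on the request class that wraps the `check(aname)` call and the `failure_response(AUTHORIZATION, ...)` would keep the three copies from drifting when the exemption rule changes. `aname` is declared at function scope but only read inside the `if`, so it can live next to `oss`. The exemption condition (`att.uid != 0 && att.gid != GroupPool::ONEADMIN_ID`) is the same one the removed model-level checks used, so the allocate path keeps its previous semantics.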
@@ -39,6 +39,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
 VMTemplate * rtmpl;
 string error_str;
+ string aname;
 rtmpl = tpool->get(id,true);
@@ -57,6 +58,26 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
 rtmpl->unlock();
+ // Check template for restricted attributes, but only if the Template owner
+ // is not oneadmin
+
+ if ( perms.uid != 0 && perms.gid != GroupPool::ONEADMIN_ID )
+ {
+ if (tmpl->check(aname))
+ {
+ ostringstream oss;
+
+ oss << "VM Template includes a restricted attribute " << aname;
+
+ failure_response(AUTHORIZATION,
+ authorization_error(oss.str(), att),
+ att);
+
+ delete tmpl;
+ return;
+ }
+ }
+
 tmpl->erase("NAME");
 tmpl->set(new SingleAttribute("NAME",name));
diff --git a/src/vm/VirtualMachine.cc b/src/vm/VirtualMachine.cc
index 38fd4100f0..f11f91ac70 100644
--- a/src/vm/VirtualMachine.cc
+++ b/src/vm/VirtualMachine.cc
@@ -198,26 +198,9 @@ int VirtualMachine::insert(SqlDB * db, string& error_str)
 int rc;
 string name;
- SingleAttribute * attr;
- string aname;
- string value;
-
- ostringstream oss;
-
- // ------------------------------------------------------------------------
- // Check template for restricted attributes
- // ------------------------------------------------------------------------
-
- if ( uid != 0 && gid != GroupPool::ONEADMIN_ID )
- {
- VirtualMachineTemplate *vt =
- static_cast(obj_template);
-
- if (vt->check(aname))
- {
- goto error_restricted;
- }
- }
+ SingleAttribute * attr;
+ string value;
+ ostringstream oss;
 // ------------------------------------------------------------------------
 // Set a name if the VM has not got one and VM_ID
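Review bot: The check added to `VMTemplateInstantiate::request_execute` keys the exemption on the template owner (`perms.uid`/`perms.gid`) rather than on the requester, which matches the commit message, but it is only sound while `tmpl` holds nothing the requesting user supplied; the function starts before this hunk, so I cannot see how `tmpl` is built. If this call ever accepts attributes from the requester that get merged into `tmpl`, those would inherit the owner's exemption and should be validated against `att.uid`/`att.gid` instead. A comment above the `if`, `// tmpl is a copy of the stored template only; anything supplied by the requester must be checked against att`, keeps that invariant visible to whoever extends the handler.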
@@ -327,11 +310,6 @@ error_leases_rollback:
 release_network_leases();
 goto error_common;
-error_restricted:
- oss << "VM Template includes a restricted attribute " << aname << ".";
- error_str = oss.str();
- goto error_common;
-
 error_name_length:
 oss << "NAME is too long; max length is 128 chars.";
 error_str = oss.str();
From c88fdb617afbc2d6118e8c3f0870d48871b5424a Mon Sep 17 00:00:00 2001
From: Tino Vazquez
Date: Fri, 9 Mar 2012 18:11:53 +0100
Subject: [PATCH 3/4] SSH TM drivers compatibility with VMware
---
 src/tm_mad/ssh/clone | 2 +-
 src/tm_mad/ssh/mvds | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tm_mad/ssh/clone b/src/tm_mad/ssh/clone
index 87a95357fb..8a81d9b95d 100755
--- a/src/tm_mad/ssh/clone
+++ b/src/tm_mad/ssh/clone
@@ -58,6 +58,6 @@ http://*)
 *)
 log "Cloning $SRC in $DST_PATH"
- exec_and_log "$SCP $SRC $DST" "Error copying $SRC to $DST"
+ exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST"
 ;;
 esac
diff --git a/src/tm_mad/ssh/mvds b/src/tm_mad/ssh/mvds
index 74bb8cc8cf..47c66b6b41 100755
--- a/src/tm_mad/ssh/mvds
+++ b/src/tm_mad/ssh/mvds
@@ -49,6 +49,6 @@ SRC_HOST=`arg_host $SRC`
 # Move the image back to the datastore
 #-------------------------------------------------------------------------------
 log "Moving $SRC_PATH to datastore as $DST_PATH"
-exec_and_log "$SCP $SRC $DST" "Error copying $SRC to $DST"
+exec_and_log "$SCP -r $SRC $DST" "Error copying $SRC to $DST"
 exit 0
From 94088ad0797e3f57d6d98cccf25feef148432a97 Mon Sep 17 00:00:00 2001
From: Tino Vazquez
Date: Fri, 9 Mar 2012 18:15:53 +0100
Subject: [PATCH 4/4] change bash ssh wrapper to sh to ensure vSphere 5.x compatibility
---
 src/mad/sh/scripts_common.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/mad/sh/scripts_common.sh b/src/mad/sh/scripts_common.sh
index 7e6bb04ce8..204b87eb38 100755
--- a/src/mad/sh/scripts_common.sh
+++ b/src/mad/sh/scripts_common.sh
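Review bot: Adding `-r` to the `$SCP` call in `clone` changes more than directory support: if `$DST` already exists as a directory, `scp -r` copies the source into it as `$DST/<basename of SRC>` instead of replacing it, and symbolic links met while walking the source tree are followed and copied as regular files. Neither hunk shows whether `$DST_PATH` can pre-exist (a retried clone, for example), so if it can, the destination should be removed first or the copy guarded; otherwise a comment such as `# -r: SRC may be a directory (VMware); DST must not exist yet` records the assumption. The same applies to the `mvds` hunk below, which makes the identical change.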
@@ -212,7 +212,7 @@ function mkfs_command { #This function executes $2 at $1 host and report error $3 function ssh_exec_and_log { - SSH_EXEC_ERR=`$SSH $1 bash -s 2>&1 1>/dev/null <&1 1>/dev/null <&1 1>/dev/null <&1 1>/dev/null <