Feature #14282
Blacklisted services to prevent accidental restarts
| Status: | Accepted | Start date: | 05/02/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Keywords: | | Affected mCollective version: | |
| Branch: | | | |
Description
By default, you will be prompted if you were to execute a service action on all the nodes. Even so, it may be wise to add an option to read a file that contains a list of blacklisted services (e.g. KVM guests).
(I am tempted to write a patch myself and submit it, but I don’t think that my code would be acceptable anyway.) :)
History
#1
Updated by R.I. Pienaar about 1 year ago
Such a file would need to be on the nodes and not the client and being prompted on the client would be pretty hard – but you could fail on the node and have the failure propagate back.
In the action you’d just do something like:
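```ruby
# Path to the blacklist file, taken from the agent's plugin configuration
blacklistfile = config.pluginconf["service.blacklistfile"]
# Fail on the node when the requested service is listed (skipped if no file is configured)
reply.fail!("Blacklisted service, refusing to restart") if blacklistfile && File.exist?(blacklistfile) && File.readlines(blacklistfile).map { |s| s.chomp }.include?(request[:service])
```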
You can then configure the path to the blacklist file as

```
plugin.service.blacklistfile=/some/file
```

in server.cfg or in /etc/mcollective/plugin.d/service.cfg just put

```
blacklistfile=/some/file
```
Now any service request to a blacklisted service will fail, and the security of this is on the node, so that even if someone uses a different RPC client they cannot bypass your blacklist.
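
The node-side check sketched in comment #1, extended as an added example (not the service agent's own code and not part of the original comment) to skip comments, blank lines and stray whitespace in the blacklist file and to guard only disruptive actions. `ServiceBlacklist`, `GUARDED_ACTIONS`, `sample_decisions` and the sample service names are assumptions made for illustration.

```ruby
require "tempfile"

# Hypothetical helper, not part of the mcollective service agent.
module ServiceBlacklist
  # Assumption: only disruptive actions are guarded; "start"/"status" pass through.
  GUARDED_ACTIONS = %w[stop restart].freeze

  # Read service names from the node-local file, ignoring comments and blanks.
  # An unset path or a missing file means no blacklist, as in the snippet above.
  def self.load(path)
    return [] if path.nil? || path.empty? || !File.exist?(path)
    File.readlines(path)
        .map { |line| line.sub(/#.*/, "").strip }
        .reject(&:empty?)
        .uniq
  end

  # True when the agent should call reply.fail! instead of acting.
  def self.refuse?(action, service, path)
    return false unless GUARDED_ACTIONS.include?(action.to_s)
    load(path).include?(service.to_s.strip)
  end
end

# Constructed sample blacklist, written to a temp file so the block runs offline.
def sample_decisions
  Tempfile.create("service-blacklist") do |f|
    f.write("# KVM guests depend on these\nlibvirtd\n\n  libvirt-guests   # trailing comment\n")
    f.flush
    {
      restart_listed:   ServiceBlacklist.refuse?("restart", "libvirtd", f.path),
      stop_padded:      ServiceBlacklist.refuse?(:stop, "libvirt-guests", f.path),
      status_listed:    ServiceBlacklist.refuse?("status", "libvirtd", f.path),
      restart_unlisted: ServiceBlacklist.refuse?("restart", "httpd", f.path),
      unconfigured:     ServiceBlacklist.refuse?("restart", "libvirtd", nil)
    }
  end
end

puts sample_decisions.inspect if $PROGRAM_NAME == __FILE__
```

Because the lookup runs inside the agent on each node, the decision does not depend on which RPC client sent the request.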
#2
Updated by R.I. Pienaar 16 days ago
- Status changed from Unreviewed to Accepted
- Assignee set to Richard Clamp