
Merge pull request #956 from signal18/os-user-scoping
Limit privileges after starting the API and HTTP listener
caffeinated92 authored Nov 14, 2024
2 parents 152d946 + 0342c1d commit 00d79a4
Showing 7 changed files with 148 additions and 55 deletions.
2 changes: 1 addition & 1 deletion cluster/cluster_key.go
Expand Up @@ -243,7 +243,7 @@ func (cluster *Cluster) keyToFile(filename string, key *rsa.PrivateKey) {

file, err := os.Create(filename)
if err != nil {
cluster.LogModulePrintf(cluster.Conf.Verbose, config.ConstLogModConfigLoad, config.LvlInfo, "Failed to generate file: %s", err)
cluster.LogModulePrintf(cluster.Conf.Verbose, config.ConstLogModConfigLoad, config.LvlInfo, "Failed to generate file %s: %s", filename, err)
}
defer file.Close()
b := x509.MarshalPKCS1PrivateKey(key)
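Review bot: The failed os.Create branch still falls through — after the (now more specific) log line the function continues to `defer file.Close()` and `x509.MarshalPKCS1PrivateKey(key)` with a nil *os.File, presumably writing the key further down where every write fails silently, and the failure is reported at `config.LvlInfo` rather than `config.LvlErr`. Add a `return` directly after the log call (keyToFile has no error result, so that is the only way to stop) and raise the level to `config.LvlErr`. Because the file receives a PKCS#1 private key, it should also be created with an explicit restrictive mode instead of os.Create's default 0666: `file, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)`. keyToFile's body continues below the hunk.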
5 changes: 1 addition & 4 deletions cluster/cluster_topo.go
Expand Up @@ -57,10 +57,7 @@ func (cluster *Cluster) newServerList() error {
if cluster.Conf.Hosts != "" {
for k, url := range cluster.hostList {
// Source name will equal to cluster name
cluster.Servers[k], err = cluster.newServerMonitor(url, cluster.GetDbUser(), cluster.GetDbPass(), false, cluster.GetDomain(), cluster.Name)
if err != nil {
cluster.LogModulePrintf(cluster.Conf.Verbose, config.ConstLogModTopology, config.LvlErr, "Could not open connection to server %s : %s", cluster.Servers[k].URL, err)
}
cluster.Servers[k], _ = cluster.newServerMonitor(url, cluster.GetDbUser(), cluster.GetDbPass(), false, cluster.GetDomain(), cluster.Name)
cluster.Servers[k].SetPlacement(k, cluster.Conf.ProvAgents, cluster.Conf.SlapOSDBPartitions, cluster.Conf.SchedulerReceiverPorts)

if cluster.Conf.Verbose {
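Review bot: The new line discards newServerMonitor's error with `_`, so a server that cannot be set up is no longer reported at all, and `cluster.Servers[k].SetPlacement(...)` on the next line then runs on whatever the constructor returned — if that is nil on error, the change trades an error log for a nil dereference. If the motivation was that the old log read `cluster.Servers[k].URL` in the error path, log the loop's `url` instead: `cluster.Servers[k], err = cluster.newServerMonitor(url, cluster.GetDbUser(), cluster.GetDbPass(), false, cluster.GetDomain(), cluster.Name)` followed by `if err != nil { cluster.LogModulePrintf(cluster.Conf.Verbose, config.ConstLogModTopology, config.LvlErr, "Could not open connection to server %s : %s", url, err) }`. newServerList starts above the hunk, where `err` is declared, and ends below it.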
54 changes: 23 additions & 31 deletions graphite/carbonapi.go
Expand Up @@ -18,9 +18,9 @@ import (

"github.com/signal18/replication-manager/config"
pb "github.com/signal18/replication-manager/graphite/carbonzipper/carbonzipperpb"
"github.com/signal18/replication-manager/graphite/carbonzipper/mlog"
"github.com/signal18/replication-manager/graphite/carbonzipper/mstats"
"github.com/signal18/replication-manager/graphite/expr"
clog "github.com/sirupsen/logrus"

"github.com/bradfitz/gomemcache/memcache"
ecache "github.com/dgryski/go-expirecache"
Expand Down Expand Up @@ -64,7 +64,7 @@ var findCache bytesCache

var defaultTimeZone = time.Local

var logger mlog.Level
var LogApi = clog.New()

// Zipper is API entry to carbonzipper
var Zipper zipper
Expand Down Expand Up @@ -290,7 +290,7 @@ func renderHandler(w http.ResponseWriter, r *http.Request, stats *renderStats) {
if tstr := r.FormValue("cacheTimeout"); tstr != "" {
t, err := strconv.Atoi(tstr)
if err != nil {
logger.Logf("failed to parse cacheTimeout: %v: %v", tstr, err)
LogApi.Warnf("failed to parse cacheTimeout: %v: %v", tstr, err)
} else {
cacheTimeout = int32(t)
}
Expand Down Expand Up @@ -364,7 +364,7 @@ func renderHandler(w http.ResponseWriter, r *http.Request, stats *renderStats) {
stats.zipperRequests++
glob, err = Zipper.Find(m.Metric)
if err != nil {
logger.Logf("Find: %v: %v", m.Metric, err)
LogApi.Warnf("Find: %v: %v", m.Metric, err)
continue
}
b, err := glob.Marshal()
Expand All @@ -391,7 +391,7 @@ func renderHandler(w http.ResponseWriter, r *http.Request, stats *renderStats) {
if err == nil {
rptr = &r
} else {
logger.Logf("Render: %v: %v", m.GetPath(), err)
LogApi.Warnf("Render: %v: %v", m.GetPath(), err)
}
rch <- rptr
Limiter.leave()
Expand All @@ -414,7 +414,7 @@ func renderHandler(w http.ResponseWriter, r *http.Request, stats *renderStats) {
if r := recover(); r != nil {
var buf [1024]byte
runtime.Stack(buf[:], false)
logger.Logf("panic during eval: %s: %s\n%s\n", cacheKey, r, string(buf[:]))
LogApi.Errorf("panic during eval: %s: %s\n%s\n", cacheKey, r, string(buf[:]))
}
}()
exprs, err := expr.EvalExpr(exp, from32, until32, metricMap)
Expand Down Expand Up @@ -667,34 +667,26 @@ func RunCarbonApi(conf *config.Config) {
var memsize int = 200
var cpus int = 0
var tz string = ""
var logdir string = conf.WorkingDir

interval := 60 * time.Second
graphiteHost := ""
logtostdout := false
idleconns := 10
pidFile := ""

if logdir == "" {
mlog.SetRawStream(os.Stdout)
} else {
mlog.SetOutput(logdir, "carbonapi", logtostdout)
}

expvar.NewString("BuildVersion").Set(BuildVersion)
logger.Logln("starting carbonapi", BuildVersion)
LogApi.Println("starting carbonapi", BuildVersion)

Limiter = newLimiter(l)

if z == "" {
logger.Fatalln("no zipper provided")
LogApi.Fatalln("no zipper provided")
}

if _, err := url.Parse(z); err != nil {
logger.Fatalln("unable to parze zipper:", err)
LogApi.Fatalln("unable to parze zipper:", err)
}

logger.Logln("using zipper", z)
LogApi.Println("using zipper", z)
Zipper = zipper{
z: z,
client: &http.Client{
Expand All @@ -707,11 +699,11 @@ func RunCarbonApi(conf *config.Config) {
switch cacheType {
case "memcache":
if mc == "" {
logger.Fatalln("memcache cache requested but no memcache servers provided")
LogApi.Fatalln("memcache cache requested but no memcache servers provided")
}

servers := strings.Split(mc, ",")
logger.Logln("using memcache servers:", servers)
LogApi.Println("using memcache servers:", servers)
queryCache = &memcachedCache{client: memcache.New(servers...)}
findCache = &memcachedCache{client: memcache.New(servers...)}

Expand Down Expand Up @@ -741,21 +733,21 @@ func RunCarbonApi(conf *config.Config) {
if tz != "" {
fields := strings.Split(tz, ",")
if len(fields) != 2 {
logger.Fatalf("expected two fields for tz,seconds, got %d", len(fields))
LogApi.Fatalf("expected two fields for tz,seconds, got %d", len(fields))
}

var err error
offs, err := strconv.Atoi(fields[1])
if err != nil {
logger.Fatalf("unable to parse seconds: %s: %s", fields[1], err)
LogApi.Fatalf("unable to parse seconds: %s: %s", fields[1], err)
}

defaultTimeZone = time.FixedZone(fields[0], offs)
logger.Logf("using fixed timezone %s, offset %d ", defaultTimeZone.String(), offs)
LogApi.Infof("using fixed timezone %s, offset %d ", defaultTimeZone.String(), offs)
}

if cpus != 0 {
logger.Logln("using GOMAXPROCS", cpus)
LogApi.Println("using GOMAXPROCS", cpus)
runtime.GOMAXPROCS(cpus)
}

Expand All @@ -772,9 +764,9 @@ func RunCarbonApi(conf *config.Config) {
host = graphiteHost
}

logger.Logln("Using graphite host", host)
LogApi.Println("Using graphite host", host)

logger.Logln("setting stats interval to", interval)
LogApi.Println("setting stats interval to", interval)

// register our metrics with graphite
graphite := g2g.NewGraphite(host, interval, 10*time.Second)
Expand Down Expand Up @@ -811,14 +803,14 @@ func RunCarbonApi(conf *config.Config) {
t0 := time.Now()
renderHandler(w, r, &stats)
since := time.Since(t0)
logger.Logln(r.RequestURI, since.Nanoseconds()/int64(time.Millisecond), stats.zipperRequests)
LogApi.Infoln(r.RequestURI, since.Nanoseconds()/int64(time.Millisecond), stats.zipperRequests)
}

if pidFile != "" {
pidfile.SetPidfilePath(pidFile)
err := pidfile.Write()
if err != nil {
logger.Fatalln("error during pidfile.Write():", err)
LogApi.Fatalln("error during pidfile.Write():", err)
}
}

Expand All @@ -839,17 +831,17 @@ func RunCarbonApi(conf *config.Config) {
r.HandleFunc("/lb_check", lbcheckHandler)
r.HandleFunc("/", usageHandler)

logger.Logln("listening on port", port)
LogApi.Println("listening on port", port)
handler := handlers.CompressHandler(r)
handler = handlers.CORS()(handler)
handler = handlers.CombinedLoggingHandler(mlog.GetOutput(), handler)
handler = handlers.CombinedLoggingHandler(LogApi.Out, handler)

err := gracehttp.Serve(&http.Server{
Addr: ":" + strconv.Itoa(port),
Handler: handler,
})

if err != nil {
logger.Fatalln(err)
LogApi.Fatalln(err)
}
}
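Review bot: Removing the `logdir`/mlog.SetOutput block at the top of RunCarbonApi leaves LogApi with logrus's defaults, so carbonapi's own log lines and the access log fed from `LogApi.Out` at the end of the function presumably now go to stderr and `conf.WorkingDir` is no longer used for logging — worth confirming that is intended, since the commit message only talks about privileges. If a log file is still wanted, open it once with a restrictive mode before the first log call and install it with `LogApi.SetOutput(f)`, then hand that same writer to CombinedLoggingHandler rather than reading the `LogApi.Out` field, which is captured once at startup and not updated by any later SetOutput. While the zipper-parsing line is being rewritten it could also lose its typo: `LogApi.Fatalln("unable to parse zipper:", err)`. The other hunks of this file only swap the logger call and need no separate note.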
6 changes: 5 additions & 1 deletion graphite/graphite.go
Expand Up @@ -6,6 +6,7 @@ import (
"net"
"net/http"
"os"
"os/exec"
"os/signal"
"os/user"
"path/filepath"
Expand All @@ -23,6 +24,7 @@ import (
)

var Log = logrus.New()
var User, _ = user.Current()

// Graphite is a struct that defines the relevant properties of a graphite
// connection
Expand Down Expand Up @@ -245,6 +247,8 @@ func RunCarbon(conf *config.Config) error {
os.Exit(1)
}

exec.Command("chown", fmt.Sprintf("%s:%s", User.Uid, User.Gid), conf.WorkingDir+"/carbon.conf").Run()

carbon.Log = Log
app := carbon.New(conf.WorkingDir + "/carbon.conf")

Expand All @@ -253,7 +257,7 @@ func RunCarbon(conf *config.Config) error {
}

app.Config.Common.Logfile = conf.WorkingDir + "/carbon.log"
// log.Fatal(app.Config.Whisper.SchemasFilename)
app.Config.Common.User = User.Username
cfg := app.Config

var runAsUser *user.User
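Review bot: The chown added in the RunCarbon hunk shells out to a `chown` binary located via PATH and ignores both `Run()`'s error and the error that `user.Current()` may have returned to the package-level `User`, so a failed user lookup panics on `User.Uid` and a failed ownership change is silent while the function proceeds to run carbon as `User.Username`. Since RunCarbon already returns an error, resolve the uid/gid with strconv and call os.Chown directly, returning on failure; this needs `strconv` in the import block if graphite.go does not already import it. Whether the chown achieves anything also depends on the process still holding enough privilege at this point — `user.Current()` is evaluated at package init, so if privileges were dropped earlier it resolves to the unprivileged user and the call is effectively a no-op; a comment stating the expected ordering relative to the privilege drop would help the next reader. RunCarbon starts above the hunk and ends below it.
```go
// … unchanged: config checks before the ownership change …
if User == nil {
	return fmt.Errorf("resolving current user for carbon.conf ownership")
}
uid, err := strconv.Atoi(User.Uid)
if err != nil {
	return fmt.Errorf("parsing uid %q: %w", User.Uid, err)
}
gid, err := strconv.Atoi(User.Gid)
if err != nil {
	return fmt.Errorf("parsing gid %q: %w", User.Gid, err)
}
confPath := filepath.Join(conf.WorkingDir, "carbon.conf")
if err := os.Chown(confPath, uid, gid); err != nil {
	return fmt.Errorf("changing owner of %s to %s: %w", confPath, User.Username, err)
}
// … unchanged: carbon.Log = Log; app := carbon.New(...) …
```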
