<fix>[conf]: Isolating ansible with python venv #1347

Open. Wants to merge 2 commits into base: master
54 changes: 54 additions & 0 deletions conf/tools/install.sh
@@ -81,6 +81,60 @@ elif [ $tool = 'zstack-ctl' ]; then
chmod +x /usr/bin/zstack-ctl
python $CTL_VIRENV_PATH/lib/python2.7/site-packages/zstackctl/generate_zstackctl_bash_completion.py

elif [ $tool = 'zstack-sys' ]; then
SYS_VIRENV_PATH=/var/lib/zstack/virtualenv/zstacksys
NEED_INSTALL=false
if [ -d $SYS_VIRENV_PATH ]; then
. $SYS_VIRENV_PATH/bin/activate
if ! ansible --version | grep -q 'core 2.11.12.3'; then
deactivate
NEED_INSTALL=true
fi
else
NEED_INSTALL=true
fi
if $NEED_INSTALL; then
rm -rf $SYS_VIRENV_PATH && virtualenv $SYS_VIRENV_PATH --python=python2.7 || exit 1
@coderabbitai coderabbitai bot Dec 3, 2023

The script uses rm -rf to delete the existing virtual environment. This is a destructive operation and can be very dangerous if the path contains a mistake or the variable is unset. It is recommended to add more checks before performing this operation, to make sure the path is correct and the variable has been set.


The script uses virtualenv --python=python2.7, which shows that it depends on Python 2.7. Since Python 2.7 has reached end of life, this may be a potential problem. If possible, it is recommended to migrate the script to Python 3 to ensure long-term compatibility and security.

Member Author


What should be checked before deleting it?


@MatheMatrix Before performing the delete, the script should check that the SYS_VIRENV_PATH variable has actually been set and that it does not point to the root directory (/) or the user's home directory (~). This can be done by adding a few conditional statements, for example:

# compare against the expanded home directory ($HOME): a variable holding a real path never equals the literal "~"
if [ -n "$SYS_VIRENV_PATH" ] && [ "$SYS_VIRENV_PATH" != "/" ] && [ "$SYS_VIRENV_PATH" != "$HOME" ]; then
    rm -rf "$SYS_VIRENV_PATH"
else
    echo "Dangerous SYS_VIRENV_PATH set: '$SYS_VIRENV_PATH'. Aborting."
    exit 1
fi

This prevents the script from performing the dangerous delete when the variable is empty or points to a critical system directory.

. $SYS_VIRENV_PATH/bin/activate
cd $cwd
pip install -i $pypi_path --trusted-host localhost --ignore-installed setuptools==39.2.0 || exit 1
pip install -i $pypi_path --trusted-host localhost --ignore-installed ansible==4.10.0 || exit 1

cat > /usr/bin/ansible << EOF
#! /bin/sh
VIRTUAL_ENV=/var/lib/zstack/virtualenv/zstacksys
if [ ! -d $VIRTUAL_ENV ]; then
echo "Need to install zstacksys before using it"
exit 1
fi

LANG=en_US.UTF-8
LC_ALL=en_US.utf8
export LANG LC_ALL
. ${VIRTUAL_ENV}/bin/activate

ansible \$@
EOF
chmod +x /usr/bin/ansible

cat > /usr/bin/ansible-playbook << EOF
#! /bin/sh
VIRTUAL_ENV=/var/lib/zstack/virtualenv/zstacksys
if [ ! -d $VIRTUAL_ENV ]; then
echo "Need to install zstacksys before using it"
exit 1
fi

LANG=en_US.UTF-8
LC_ALL=en_US.utf8
export LANG LC_ALL
. ${VIRTUAL_ENV}/bin/activate

ansible-playbook \$@
EOF
chmod +x /usr/bin/ansible-playbook
fi

When installing Ansible, the script writes directly into /usr/bin, which may require root privileges. If the script is not run with the appropriate privileges, this could lead to security problems or failures. It is recommended to check whether the script is running as root, or to provide a safer way to create these executable scripts, for example by using the system's package manager or by placing them in a non-global path.


elif [ $tool = 'zstack-dashboard' ]; then
UI_VIRENV_PATH=/var/lib/zstack/virtualenv/zstack-dashboard
[ ! -z $force ] && rm -rf $UI_VIRENV_PATH
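Review bot: the wrapper scripts written by `cat > /usr/bin/ansible << EOF` and `cat > /usr/bin/ansible-playbook << EOF` forward arguments as the unquoted `ansible \$@`, so any argument containing whitespace (such as a JSON value passed to `-e`) is re-split into several words before it reaches the venv binary; use `exec "${VIRTUAL_ENV}/bin/ansible" "\$@"` so the venv's own binary runs with the arguments intact and without a PATH lookup. Two smaller points in the same hunk: `rm -rf $SYS_VIRENV_PATH && virtualenv $SYS_VIRENV_PATH --python=python2.7 || exit 1` removes the directory unquoted and before knowing whether the replacement can be built, and the version test `grep -q 'core 2.11.12.3'` differs from the `'core 2.11.12'` pattern used for the same check in AnsibleFacadeImpl.java, so the two code paths can disagree about whether a reinstall is needed; share one expected version string. Also, because the heredocs are unquoted, `$VIRTUAL_ENV` and `${VIRTUAL_ENV}` inside them are expanded by the installer at generation time rather than by the wrapper at run time; quoting the delimiter (`<< 'EOF'`) makes the wrapper self-contained.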
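The two review comments above (guarding the rm -rf, and the root-owned /usr/bin wrappers) can be combined into one hardened version of the install step. The script below is an added example, not code from the zstack PR or from coderabbitai; the function names, the wrapper directory and venv parameters, and the "install" demo mode are assumptions made for this illustration. It goes beyond the comment's single-path check by restricting removal to paths directly under the expected parent directory, chaining the rebuild with `&&` so a failed `virtualenv` never leaves pip installing into the system interpreter, and generating wrappers that keep each argument intact with `"$@"`.

```shell
#!/bin/sh
# Added example, not code from the zstack PR: a hardened version of the venv
# reset and /usr/bin wrapper generation proposed in conf/tools/install.sh.
# Function names, the wrapper-dir/venv parameters and the "install" demo mode
# are assumptions made for this illustration.

# Only allow rm -rf on an absolute path directly below the expected parent,
# with a non-empty last component and no traversal or trailing-slash tricks.
safe_venv_path() {
    case "$1" in
        /var/lib/zstack/virtualenv/?*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */..|*/../*|*/.|*/./*|*/) return 1 ;;
    esac
    return 0
}

# Recreate the venv. Every step is chained with && so a failed virtualenv
# stops the procedure instead of letting pip run against the system python.
reset_venv() {
    safe_venv_path "$1" || { echo "refusing to remove '$1'" >&2; return 1; }
    rm -rf "$1" && virtualenv "$1" --python=python2.7
}

# Writing into /usr/bin needs root; fail before touching anything.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to write into $1" >&2; return 1; }
}

# Generate a wrapper in $1 named $2 that execs the binary of the venv in $3.
# The heredoc is unquoted on purpose (like the PR's) so the venv path and the
# tool name are baked in at generation time, while every variable the wrapper
# needs at run time is escaped with \$, and "\$@" keeps each argument intact.
write_wrapper() {
    _dir=$1; _tool=$2; _venv=$3
    cat > "$_dir/$_tool" <<EOF
#!/bin/sh
VIRTUAL_ENV='$_venv'
if [ ! -x "\$VIRTUAL_ENV/bin/$_tool" ]; then
    echo "Need to install zstacksys before using it" >&2
    exit 1
fi
LANG=en_US.UTF-8
LC_ALL=en_US.utf8
PATH="\$VIRTUAL_ENV/bin:\$PATH"
export LANG LC_ALL VIRTUAL_ENV PATH
exec "\$VIRTUAL_ENV/bin/$_tool" "\$@"
EOF
    chmod 0755 "$_dir/$_tool"
}

# Demo mode reproduces the PR's install step with the guards above:
#   sh hardened_install.sh install
if [ "${1-}" = "install" ]; then
    SYS_VIRENV_PATH=/var/lib/zstack/virtualenv/zstacksys
    require_root /usr/bin || exit 1
    reset_venv "$SYS_VIRENV_PATH" || exit 1
    write_wrapper /usr/bin ansible "$SYS_VIRENV_PATH"
    write_wrapper /usr/bin ansible-playbook "$SYS_VIRENV_PATH"
fi
```

The path guard uses `case` patterns rather than string comparisons against "/" and "~" because the variable will hold an already-expanded path; an allow-list of the one directory tree the installer is meant to manage is both shorter and stricter than a deny-list of dangerous locations. The generated wrapper also checks for the actual binary (`-x "$VIRTUAL_ENV/bin/<tool>"`) instead of only the directory, so a half-built venv is reported rather than silently falling through to whatever `ansible` is on the PATH.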
30 changes: 19 additions & 11 deletions core/src/main/java/org/zstack/core/ansible/AnsibleFacadeImpl.java
@@ -131,15 +131,23 @@ void init() {
placePip703();
placeAnsible196();

ShellUtils.run(String.format("if ! sudo ansible --version | grep -q 1.9.6; then " +
"if grep -i -s centos /etc/system-release; then " +
"sudo yum remove -y ansible; " +
"elif grep -i -s ubuntu /etc/issue; then " +
"sudo apt-get --assume-yes remove ansible; " +
"else echo \"Warning: can't remove ansible from unknown platform\"; " +
ShellUtils.run(String.format(
"NEED_INSTALL=false; " +
"if [ -d /var/lib/zstack/virtualenv/zstacksys ]; then " +
". /var/lib/zstack/virtualenv/zstacksys/bin/activate; " +
"if ! ansible --version | grep -q 'core 2.11.12'; then " +
"deactivate; " +
"NEED_INSTALL=true; " +
"fi; " +
"sudo pip install -i file://%s --trusted-host localhost -I ansible==1.9.6; " +
"fi", AnsibleConstant.PYPI_REPO), false);
"else " +
"NEED_INSTALL=true; "+
"fi; " +
"if $NEED_INSTALL; then " +
"sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv /var/lib/zstack/virtualenv/zstacksys --python=python2.7; "+
". /var/lib/zstack/virtualenv/zstacksys/bin/activate; "+
"pip install -i file://%s --trusted-host localhost -I setuptools==39.2.0; "+
"pip install -i file://%s --trusted-host localhost -I ansible==4.10.0'; "+
"fi" , AnsibleConstant.PYPI_REPO, AnsibleConstant.PYPI_REPO), false);

deployModule("ansible/zstacklib", "zstacklib.py");
} catch (IOException e) {
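Review bot: inside the `sudo bash -c 'rm -rf /var/lib/zstack/virtualenv/zstacksys && virtualenv ...; . .../activate; pip install ...'` string, only the first two steps are joined with `&&`; the activation and the two `pip install -I` lines follow with `;`, so when `virtualenv` fails (the old directory is already gone at that point) `. .../activate` fails too and both pip installs run as root against the system interpreter. Chain every step with `&&`, or start the command with `set -e`, so a failed venv build stops before pip runs. The grep on `ansible --version` here uses `'core 2.11.12'` whereas conf/tools/install.sh in this same PR checks `'core 2.11.12.3'`; put the expected version string in AnsibleConstant and use it in both places so the two installers agree. Minor: `"fi" , AnsibleConstant.PYPI_REPO` has a stray space before the comma.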
@@ -236,15 +244,15 @@ private void run(Completion completion) {
try {
String output;
if (AnsibleGlobalProperty.DEBUG_MODE2) {
output = ShellUtils.run(String.format("PYTHONPATH=%s timeout %d %s %s -i %s -vvvv --private-key %s -e '%s' | tee -a %s",
output = ShellUtils.run(String.format("bash -c '. /var/lib/zstack/virtualenv/zstacksys/bin/activate; PYTHONPATH=%s timeout %d %s %s -i %s -vvvv --private-key %s -e '\\''%s'\\' | tee -a %s",
AnsibleConstant.ZSTACKLIB_ROOT, timeout, executable, playBookPath, AnsibleConstant.INVENTORY_FILE, msg.getPrivateKeyFile(), JSONObjectUtil.dumpPretty(arguments), AnsibleConstant.LOG_PATH),
AnsibleConstant.ROOT_DIR);
} else if (AnsibleGlobalProperty.DEBUG_MODE) {
output = ShellUtils.run(String.format("PYTHONPATH=%s timeout %d %s %s -i %s -vvvv --private-key %s -e '%s'",
output = ShellUtils.run(String.format("bash -c '. /var/lib/zstack/virtualenv/zstacksys/bin/activate; PYTHONPATH=%s timeout %d %s %s -i %s -vvvv --private-key %s -e '\\''%s'\\'",
AnsibleConstant.ZSTACKLIB_ROOT, timeout, executable, playBookPath, AnsibleConstant.INVENTORY_FILE, msg.getPrivateKeyFile(), JSONObjectUtil.dumpPretty(arguments)),
AnsibleConstant.ROOT_DIR);
} else {
output = ShellUtils.run(String.format("PYTHONPATH=%s timeout %d %s %s -i %s --private-key %s -e '%s'",
output = ShellUtils.run(String.format("bash -c '. /var/lib/zstack/virtualenv/zstacksys/bin/activate; PYTHONPATH=%s timeout %d %s %s -i %s --private-key %s -e '\\''%s'\\'",
AnsibleConstant.ZSTACKLIB_ROOT, timeout, executable, playBookPath, AnsibleConstant.INVENTORY_FILE, msg.getPrivateKeyFile(), JSONObjectUtil.dumpPretty(arguments)),
AnsibleConstant.ROOT_DIR);
}
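Review bot: all three branches now wrap the playbook invocation in `bash -c '...'` and splice the output of `JSONObjectUtil.dumpPretty(arguments)` into the command line through the `'\\''%s'\\'` quoting idiom; a single quote anywhere in the argument values ends that quoting and the rest of the value is interpreted by the shell. The previous `-e '%s'` had the same exposure, but the added shell layer makes the quoting harder to reason about. Safer and simpler: write the arguments to a temporary file and pass `-e @/path/to/vars.json`, and instead of sourcing `activate` inside `bash -c`, either call the venv's own binary (`/var/lib/zstack/virtualenv/zstacksys/bin/ansible-playbook`) or prepend `PATH=/var/lib/zstack/virtualenv/zstacksys/bin:$PATH` the same way `PYTHONPATH=%s` is already set, which removes the need for `bash -c` entirely. The activation prefix is also repeated verbatim three times; hoist it into a constant next to AnsibleConstant.ZSTACKLIB_ROOT.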