Bug 1285946

Summary: fence_compute only controls compute nodes
Product: Red Hat Enterprise Linux 7
Component: fence-agents
Version: 7.2
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Reporter: Andrew Beekhof <abeekhof>
Assignee: Marek Grac <mgrac>
QA Contact: cluster-qe <cluster-qe>
CC: cfeist, cluster-maint, fdinitto
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-12-01 03:24:02 UTC
Bug Blocks: 1185030

Description Andrew Beekhof 2015-11-27 02:56:01 UTC
Description of problem:

fence_compute currently claims to be able to fence control nodes.
This is quite dangerous.


Version-Release number of selected component (if applicable):

fence-agents-all-4.0.11-27.el7.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Deploy OpenStack
2. Deploy instance HA using the instructions at https://access.redhat.com/articles/1544823
3. Run:

   fence_compute -l admin -p ${pass} -t admin --record-only -k http://${ip}:5000/v2.0/ -o status -n overcloud-controller-0; echo $?

Results without patch:

0  

Results with patch:

1

Additional info:

--- /sbin/fence_compute.orig	2015-11-26 20:09:12.165071987 -0500
+++ /sbin/fence_compute	2015-11-26 21:53:20.724927251 -0500
@@ -7,6 +7,7 @@
 import requests.exceptions
 
 sys.path.append("/usr/share/fence")
+from subprocess import *
 from fencing import *
 from fencing import fail_usage, is_executable, run_command, run_delay
 
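Review bot: The added `from subprocess import *` is a wildcard import placed directly above `from fencing import *`, so two star imports now share one namespace and any name both modules export is silently decided by import order. Only `Popen` and `PIPE` are used by this patch; import them by name with `from subprocess import Popen, PIPE`, and move the line up with the other standard-library imports, above `sys.path.append("/usr/share/fence")`, since it does not depend on that path.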
@@ -222,9 +223,15 @@
 			set_attrd_status(options["--plug"], "yes", options)
 			sys.exit(0)
 
-		elif options["--action"] in ["status", "monitor"]:
+		elif options["--action"] == "monitor":
 			sys.exit(0)
 
+		elif options["--action"] == "status":
+			role=Popen(['crm_attribute', '-N', options["--plug"], '-n', 'osprole', '-d', 'unknown', '-q'], stdout=PIPE).communicate()[0].strip()
+			if role == "compute":
+				sys.exit(0)
+			sys.exit(1)
+
 	# The first argument is the Nova client version
 	nova = nova_client.Client('2',
 		options["--username"],
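Review bot: In the new `status` branch the exit status of `crm_attribute` is never checked and its stderr is not captured, so a failed attribute lookup is reported exactly like a node whose `osprole` is not `compute` (exit 1), and a missing binary raises from `Popen` instead of producing a fencing error. Keep the fail-closed result, but check `returncode` and log the failure so an operator can tell a lookup error from a genuine non-compute node. The role check also guards only `status`: the branch just above still calls `set_attrd_status(options["--plug"], "yes", options)` and exits 0 without it, so if the intent is that the agent never acts on a control node, the same check belongs on the other actions too. Finally, `role == "compute"` relies on `communicate()` returning a str; under Python 3 it returns bytes and the comparison would never match, so decode the output before comparing.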

Comment 1 Andrew Beekhof 2015-12-01 03:24:02 UTC
Not an issue if the fencing device points at the overcloud instead of the undercloud.
Control nodes won't even be in the list.