Bug 1328882
| Summary: | [cli] pcs command should launch Python interpreter with "sane" options | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pokorný [poki] <jpokorny> | ||||
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> | ||||
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.2 | CC: | cfeist, cluster-maint, idevat, omular, rsteiger, tojeline | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pcs-0.9.157-1.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause:
The user runs a pcs command.
Consequence:
Pcs crashes, because it loads a user code instead of pcs code, based on user's custom settings.
Fix:
Prevent pcs to load user specified code instead of its own.
Result:
Pcs works even if user has custom python modules matching pcs modules.
|
Story Points: | --- | ||||
| Clone Of: | |||||||
| : | 1600893 (view as bug list) | Environment: | |||||
| Last Closed: | 2017-08-01 18:22:57 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1265359 [details]
proposed fix
Test:
Added -Es flags to shebang in pcs executable:
#!/usr/bin/python -Es
If I may suggest something, it's perhaps more forward-looking to use: > %{__python*} setup.py build --executable='%{__python*} -Es' unlike as with clufter which already uses setup.cfg heavily anyway. Note that this is also what Fedora's %py*_build packaging macros (also coming to RHEL 7.4, but it's likely not possible to use them, yet: [bug 1297522]) for Python utilize. (I would personally be interested in whether using this new form actually helps to overcome [bug 1353934] issue, see also [bug 1297522 comment 11].) After Fix: [vm-rhel72-1 ~] $ rpm -q pcs pcs-0.9.157-1.el7.x86_64 [vm-rhel72-3 ~] $ which pcs /usr/sbin/pcs [vm-rhel72-3 ~] $ head -n1 $(which pcs) #!/usr/bin/python -Es This change requires a test that the original reproducer does not cause the misbehavior and everything other works. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1958 |
Demonstration why this is strongly desired: $ LOCAL_PYLIB=~/.local/lib/python$(rpm -E '%{python_version}') $ mkdir -p "${LOCAL_PYLIB}/site-packages" $ touch "${LOCAL_PYLIB}/site-packages/commands.py" $ > "${LOCAL_PYLIB}/site-packages/commands_override.pth" cat <EOF import sys; sys.__plen = len(sys.path) . import sys; new=sys.path[sys.__plen:]; del sys.path[sys.__plen:]; p=getattr(sys,'__egginsert',0); sys.path[p:p]=new; sys.__egginsert = p+len(new) EOF $ pcs help > Traceback (most recent call last): > File "/usr/sbin/pcs", line 13, in <module> > import cluster > File "/usr/lib/python2.6/site-packages/pcs/cluster.py", line 21, in <module> > from subprocess import getstatusoutput > ImportError: cannot import name getstatusoutput This can be prevented with "-s" option to Python interpreter. Something similar can be achieved with PYTHONPATH et al. environment variable manipulation. This can be prevented with "-E" option to Python interpreter. Modified bits, regardless if on filesystem or in runtime (this case) are not supportable in principle, whether the modification is noticable or completely hidden (this case) --> make "pcs" run Python with "-Es" flags For inspiration see: https://pagure.io/clufter/91a2bd5d87952eabe767bb464c43ed2d40d80e33