Bug 172178 - clustat should not require root privileges
clustat should not require root privileges
Status: CLOSED ERRATA
Product: Red Hat Cluster Suite
Classification: Red Hat
Component: rgmanager (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Lon Hohberger
Cluster QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-31 23:09 EST by Jiho Hahm
Modified: 2009-04-16 16:18 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2006-0173
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-06 15:23:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fixed behavior (773 bytes, patch)
2005-11-01 09:59 EST, Lon Hohberger
no flags Details | Diff
Fixed behavior, try #2 (3.29 KB, patch)
2005-11-01 15:31 EST, Lon Hohberger
no flags Details | Diff

  None (edit)
Description Jiho Hahm 2005-10-31 23:09:51 EST
Description of problem:

In previous version (rgmanager-1.9.38-0) it wasn't necessary to be root to
invoke clustat.  Now, clustat hangs when invoked by non-root user, looping over
a bind call that fails with permission denied error.  strace shows:

rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({3, 0}, {3, 0})               = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(4, {sa_family=AF_INET6, sin6_port=htons(988), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
close(4)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(902),
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
close(4)                                = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(4, {sa_family=AF_INET6, sin6_port=htons(987), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
close(4)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(903),
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
close(4)                                = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({3, 0}, {3, 0})               = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 4
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(4, {sa_family=AF_INET6, sin6_port=htons(986), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
close(4)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(904),
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EACCES (Permission denied)
close(4)                                = 0
...


Version-Release number of selected component (if applicable):

    rgmanager-1.9.39-0


How reproducible:


Steps to Reproduce:
1. Run /usr/sbin/clustat as a non-root user.
Comment 1 Lon Hohberger 2005-11-01 09:40:27 EST
Connecting to ccs requires root privileges (as the configuration may contain
privileged information).  Thus, clustat requires root privileges.

   chmod +s /usr/sbin/clustat

...will allow non-root users to use clustat.

I will change it so that root privileges are not *required*, but you will lose
some functionality.  What it does currently (hangs) is certainly not correct
behavior.
Comment 2 Lon Hohberger 2005-11-01 09:59:19 EST
Created attachment 120604 [details]
Fixed behavior
Comment 3 Jiho Hahm 2005-11-01 13:26:22 EST
I confirm the patch works.  However, running as non-root shows every member is
Local, and XML output shows state="1" in <node> element, while root invocation
shows non-Local and state="0" for non-local hosts.  Is this the lack of
functionality you referred to?
Comment 4 Jiho Hahm 2005-11-01 14:15:42 EST
Actually, it seems like a bug that non-root invocation thinks every node is
local.  Node names are hostnames and any user can see what the local host is
called.  In fact, "cman_tool status" (which any user can run) has a Node name
line that identifies the local node.
Comment 5 Lon Hohberger 2005-11-01 14:56:50 EST
You are correct, it should only display *one* local node.  The lack of
functionality is that all "down" nodes will be absent from the output.
Comment 6 Lon Hohberger 2005-11-01 15:31:04 EST
Created attachment 120622 [details]
Fixed behavior, try #2

This adds all the info that a regular clustat would display for a given node to
the XML output.
Comment 7 Jiho Hahm 2005-11-01 18:03:50 EST
Thanks, the second patch works:

[user@node1 ~]$ /usr/sbin/clustat
Member Status: Quorate

  Member Name                              Status
  ------ ----                              ------
  node2.domain.com                         Online, rgmanager
  node3.domain.com                         Online, rgmanager
  node1.domain.com                         Online, Local, rgmanager

  Service Name         Owner (Last)                   State
  ------- ----         ----- ------                   -----
  svc1.domain.com      node1.domain.com               started
  svc2.domain.com      node2.domain.com               started
[user@node1 ~]$ /usr/sbin/clustat -x
<?xml version="1.0"?>
<clustat version="4.1">
  <quorum quorate="1" groupmember="1"/>
  <nodes>
    <node name="node2.domain.com" state="1" local="0" estranged="0"
rgmanager="1" nodeid="0x0000000000000003"/>
    <node name="node3.domain.com" state="1" local="0" estranged="0"
rgmanager="1" nodeid="0x0000000000000002"/>
    <node name="node1.domain.com" state="1" local="1" estranged="0"
rgmanager="1" nodeid="0x0000000000000001"/>
  </nodes>
  <groups>
    <group name="svc1.domain.com" state="112" state_str="started" 
owner="node1.domain.com" last_owner="node1.domain.com" restarts="0"/>
    <group name="svc2.domain.com" state="112" state_str="started" 
owner="node2.domain.com" last_owner="node3.domain.com" restarts="0"/>
  </groups>
</clustat>
Comment 8 Jiho Hahm 2005-11-01 19:34:13 EST
Regarding the lack of functionality to show down nodes when invoked as non-root,
note "cman_tool nodes" can return the data correctly.  (You can therefore argue
clustat's inability to do the same is not a big deal...)
Comment 9 Lon Hohberger 2005-11-22 15:02:54 EST
If CMAN is reporting nodes as down when we do a get-members query, clustat will
show the nodes as down.  If it only returns currently active members, then it
will not show the nodes :)

Yeah, not a big deal.
Comment 11 Red Hat Bugzilla 2006-01-06 15:23:19 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0173.html

Note You need to log in before you can comment on or make changes to this bug.