From 169d424cf88594f15e7e66baa705df6b727aa807 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Tue, 4 Jun 2019 16:24:16 -0500
Subject: [PATCH 1/4] Log: pacemaker-remoted: use different default log if pid 1

When pacemaker-remoted runs as pid 1 inside a container, there may not be a /var/log/pacemaker directory. To get around this, use a default log of /var/log/pcmk-init.log when running as pid 1. This was chosen over alternatives (creating the /var/log/pacemaker directory, or passing the log location as an environment variable when creating the implicit container resource) because it both avoids forcing a restart of active bundles due to configuration change (as well as preserving regression test output) and allows users to configure an explicit log location via the container image or the bundle's extra arguments.
---
daemons/execd/pacemaker-execd.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/daemons/execd/pacemaker-execd.c b/daemons/execd/pacemaker-execd.c
index e2fdfca..cfa5500 100644
--- a/daemons/execd/pacemaker-execd.c
+++ b/daemons/execd/pacemaker-execd.c
@@ -429,6 +429,14 @@ static void spawn_pidone(int argc, char **argv, char **envp)
return;
}
+ /* Containers can be expected to have /var/log, but they may not have
+ * /var/log/pacemaker, so use a different default if no value has been
+ * explicitly configured in the container's environment.
+ */
+ if (daemon_option("logfile") == NULL) {
+ set_daemon_option("logfile", "/var/log/pcmk-init.log");
+ }
+
sigfillset(&set);
sigprocmask(SIG_BLOCK, &set, 0);
-- 1.8.3.1

From 7e362387a092b5617b36a69961115f7703e4d801 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Fri, 17 May 2019 12:39:43 -0500
Subject: [PATCH 2/4] Refactor: libpe_status: add enum for bundle mount flags

More readable than 0 or 1
---
lib/pengine/bundle.c | 17 +++++++++--------
lib/pengine/variant.h | 9 ++++++++-
2 files changed, 17 insertions(+), 9 deletions(-)
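Review bot: The fallback on the `if (daemon_option("logfile") == NULL)` line only fires when the option is entirely absent, so a container whose environment exports the log option (presumably `PCMK_logfile`) as an empty string would keep that empty value and never get the `/var/log/pcmk-init.log` default; treating empty as unset is safer: `const char *logfile = daemon_option("logfile");` followed by `if ((logfile == NULL) || (*logfile == '\0')) {`. Whether daemon_option() already normalises empty values to NULL is not visible in this hunk, so confirm that before changing it. The default path is also a bare literal that the commit message presents as user-visible behaviour; a named constant such as `#define PCMK_INIT_LOGFILE "/var/log/pcmk-init.log"` next to the daemon's other defaults would make it easier to find and document. spawn_pidone() starts and ends outside this hunk.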
diff --git a/lib/pengine/bundle.c b/lib/pengine/bundle.c
index 3b32f04..b223f03 100644
--- a/lib/pengine/bundle.c
+++ b/lib/pengine/bundle.c
@@ -228,7 +228,7 @@ create_docker_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,
for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {
pe__bundle_mount_t *mount = pIter->data;
- if(mount->flags) {
+ if (is_set(mount->flags, pe__bundle_mount_subdir)) {
char *source = crm_strdup_printf(
"%s/%s-%d", mount->source, data->prefix, replica->offset);
@@ -396,7 +396,7 @@ create_podman_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,
for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {
pe__bundle_mount_t *mount = pIter->data;
- if(mount->flags) {
+ if (is_set(mount->flags, pe__bundle_mount_subdir)) {
char *source = crm_strdup_printf(
"%s/%s-%d", mount->source, data->prefix, replica->offset);
@@ -562,7 +562,7 @@ create_rkt_resource(pe_resource_t *parent, pe__bundle_variant_data_t *data,
for(GListPtr pIter = data->mounts; pIter != NULL; pIter = pIter->next) {
pe__bundle_mount_t *mount = pIter->data;
- if(mount->flags) {
+ if (is_set(mount->flags, pe__bundle_mount_subdir)) {
char *source = crm_strdup_printf(
"%s/%s-%d", mount->source, data->prefix, replica->offset);
@@ -894,7 +894,7 @@ create_container(pe_resource_t *parent, pe__bundle_variant_data_t *data,
static void
mount_add(pe__bundle_variant_data_t *bundle_data, const char *source,
- const char *target, const char *options, int flags)
+ const char *target, const char *options, uint32_t flags)
{
pe__bundle_mount_t *mount = calloc(1, sizeof(pe__bundle_mount_t));
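Review bot: The new `if (is_set(mount->flags, pe__bundle_mount_subdir))` branch, together with the per-replica `crm_strdup_printf("%s/%s-%d", mount->source, data->prefix, replica->offset)` that follows it, is now repeated verbatim in create_docker_resource(), create_podman_resource() and create_rkt_resource(); a small static helper returning the replica-specific host path, e.g. `static char *mount_source_for_replica(const pe__bundle_mount_t *mount, const pe__bundle_variant_data_t *data, const pe__bundle_replica_t *replica)`, would keep the three runtimes from drifting the next time a mount flag is added. The path built here comes from the configured `source-dir-root` joined with the bundle prefix and replica offset, which is not obvious from inside this loop; a one-line comment above the branch saying so would help readers who only see this function. All three enclosing functions start and end outside their hunks.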
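Review bot: mount_add() gains a `uint32_t flags` parameter but no documentation of what may be passed, and the enum that defines the values lives in variant.h rather than beside this function; a Doxygen block above the definition would close that gap, e.g. `\param[in] flags  Bitmask of enum pe__bundle_mount_flags (pe__bundle_mount_subdir makes each replica use "<source>/<prefix>-<offset>")`. The `calloc()` result on the last visible line is stored without a NULL check; if the project relies on an allocation-failure abort elsewhere, a short comment saying so would stop the next reviewer from asking. mount_add()'s body continues past the end of this hunk.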
@@ -1142,11 +1142,11 @@ pe__unpack_bundle(pe_resource_t *rsc, pe_working_set_t *data_set)
const char *source = crm_element_value(xml_child, "source-dir");
const char *target = crm_element_value(xml_child, "target-dir");
const char *options = crm_element_value(xml_child, "options");
- int flags = 0;
+ int flags = pe__bundle_mount_none;
if (source == NULL) {
source = crm_element_value(xml_child, "source-dir-root");
- flags = 1;
+ set_bit(flags, pe__bundle_mount_subdir);
}
if (source && target) {
@@ -1251,9 +1251,10 @@ pe__unpack_bundle(pe_resource_t *rsc, pe_working_set_t *data_set)
* reasonable.
*/
mount_add(bundle_data, DEFAULT_REMOTE_KEY_LOCATION,
- DEFAULT_REMOTE_KEY_LOCATION, NULL, 0);
+ DEFAULT_REMOTE_KEY_LOCATION, NULL, pe__bundle_mount_none);
- mount_add(bundle_data, CRM_BUNDLE_DIR, "/var/log", NULL, 1);
+ mount_add(bundle_data, CRM_BUNDLE_DIR, "/var/log", NULL,
+ pe__bundle_mount_subdir);
port = calloc(1, sizeof(pe__bundle_port_t));
if(bundle_data->control_port) {
diff --git a/lib/pengine/variant.h b/lib/pengine/variant.h
index f46aa11..7f77eef 100644
--- a/lib/pengine/variant.h
+++ b/lib/pengine/variant.h
@@ -51,11 +51,18 @@ typedef struct {
pe_resource_t *remote;
} pe__bundle_replica_t;
+enum pe__bundle_mount_flags {
+ pe__bundle_mount_none = 0x00,
+
+ // mount instance-specific subdirectory rather than source directly
+ pe__bundle_mount_subdir = 0x01
+};
+
typedef struct {
char *source;
char *target;
char *options;
- int flags;
+ uint32_t flags; // bitmask of pe__bundle_mount_flags
} pe__bundle_mount_t;
typedef struct {
-- 1.8.3.1

From 87eac95868930ffda4d964c2b6bd9960b6893cc9 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Fri, 17 May 2019 14:13:54 -0500
Subject: [PATCH 3/4] Fix: controller: don't check join status after remote node appears

Only cluster nodes have join state
---
daemons/controld/controld_callbacks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
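Review bot: `int flags = pe__bundle_mount_none;` keeps the local as a signed int while this same series changes both the `pe__bundle_mount_t.flags` field and mount_add()'s parameter to `uint32_t`; declaring it `uint32_t flags = pe__bundle_mount_none;` keeps the bitmask unsigned end to end and avoids a sign-conversion warning at the mount_add() call below. The `set_bit(flags, pe__bundle_mount_subdir);` line reads correctly once the type matches. pe__unpack_bundle() starts and ends outside this hunk.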
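Review bot: The two implicit mounts here (the authkey and the per-replica `/var/log` directory under CRM_BUNDLE_DIR) pass `NULL` as options, so unlike user-declared storage they carry no `Z` relabel option; with patch 4 of this series now advising users that SELinux-enforcing hosts need `Z` on mounts, the reason these two are exempt (or whether they also need it) deserves to be written down. A comment above the first call such as `/* No mount options: host side is expected to be labelled for container access — confirm under SELinux enforcing */` would record the decision; how NULL options are rendered into the container command line is not visible in this hunk. pe__unpack_bundle() continues outside this hunk.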
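Review bot: The struct field becomes `uint32_t flags;` but this hunk adds no `#include <stdint.h>`; unless variant.h already includes it or a pacemaker header that provides it (not visible here), the header stops being self-contained and compiles only when an includer happens to pull stdint.h in first, so that should be checked. The new `enum pe__bundle_mount_flags` would also benefit from a one-line header comment, e.g. `// Flags for pe__bundle_mount_t.flags; test with is_set(), set with set_bit()`. The trailing `typedef struct {` is cut off by the hunk boundary.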
diff --git a/daemons/controld/controld_callbacks.c b/daemons/controld/controld_callbacks.c
index 06ffb9d..3ce7470 100644
--- a/daemons/controld/controld_callbacks.c
+++ b/daemons/controld/controld_callbacks.c
@@ -228,7 +228,7 @@ peer_update_callback(enum crm_status_type type, crm_node_t * node, const void *d
crm_trace("Alive=%d, appeared=%d, down=%d", alive, appeared, (down? down->id : -1));
- if (appeared && (alive > 0)) {
+ if (appeared && (alive > 0) && !is_remote) {
register_fsa_input_before(C_FSA_INTERNAL, I_NODE_JOIN, NULL);
}
-- 1.8.3.1

From 5755b63850a17cd91bca28e83c39119378fe1887 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Sat, 18 May 2019 21:59:00 -0500
Subject: [PATCH 4/4] Doc: Pacemaker Explained: document effect of SELinux on bundle storage
---
doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt b/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt
index e431626..4a181df 100644
--- a/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt
+++ b/doc/Pacemaker_Explained/en-US/Ch-Advanced-Resources.txt
@@ -999,11 +999,11 @@ association with Docker, Inc. is implied.]
+ options="rw,Z"/>
+ options="rw,Z"/>
@@ -1293,7 +1293,8 @@ indexterm:[bundle,storage,storage-mapping]
|options
|
-|File system mount options to use when mapping the storage
+|A comma-separated list of file system mount options to use when mapping the
+ storage
indexterm:[options,storage-mapping]
indexterm:[storage-mapping,Property,options]
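Review bot: The new `&& !is_remote` condition silently skips queuing I_NODE_JOIN, but the `crm_trace()` just above still reports only Alive/appeared/down, so a trace of a remote node appearing looks identical to the cluster-node case that does queue a join; extending it to `crm_trace("Alive=%d, appeared=%d, down=%d, remote=%d", alive, appeared, (down? down->id : -1), is_remote);` makes the new branch visible when debugging join problems. Where `is_remote` is computed is outside this hunk, so confirm it is initialised on every path that reaches this point. peer_update_callback() starts and ends outside this hunk.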
@@ -1322,6 +1323,14 @@ The +PCMK_authkey_location+ environment variable must not be set to anything other than the default of `/etc/pacemaker/authkey` on any node in the cluster.
====
+[IMPORTANT]
+====
+If SELinux is used in enforcing mode on the host, you must ensure the container
+is allowed to use any storage you mount into it. For Docker and podman bundles,
+adding "Z" to the mount options will create a container-specific label for the
+mount that allows the container access.
+====
+
=== Bundle Primitive ===
A bundle may optionally contain one ++ resource
-- 1.8.3.1