Med: crm_mon: overcome crm_system_name no longer influenced with argv
This fixes a condition meant to automatically use CGI mode. Generic
support for running crm_mon in the role of CGI handler was added with
789936866, and from the beginning, when run as "crm_mon.cgi", that
mode was to be applied. This, however, only worked until fc1fbd03a
that hardcoded what is to become value of crm_system_name variable,
no longer taking argv into account, which effectively made the branch
in question a dead code. To solve this discrepancy, we restore the
significance of argv[0] for that a bit generalized decision (only .cgi
extension is needed) with a direct check.
Alternative would be to
- revert to prior usage of "crm_log_init*(NULL, ..., argc, argv, ...)"
- switch to CGI mode based on inspection of variables of the environment (such as SCRIPT_NAME, prone to undesirable false positives)
Example integration with httpd (NOTE: this is NOT intended for the
environment with potential attack or even high volume usage exposure;
for instance, there's a substantially greater risk of DDoS as opposed
to serving a periodically refreshed HTML + you should rather make sure
at least the previous crm_mon/CGI patch is applied as well):
- first group deals with SELinux and can be skipped or adapted to other equivalent labels:
- >allow_crm_mon_cgi.te cat <<-EOF module allow_crm_mon_cgi 1.0;
require { type cluster_tmpfs_t; type cluster_t; type httpd_t; type tmpfs_t; class unix_stream_socket connectto; class unix_dgram_socket sendto; class dir write; class file { open read write }; }
#============= httpd_t ============== allow httpd_t cluster_t:unix_dgram_socket sendto; allow httpd_t cluster_t:unix_stream_socket connectto; allow httpd_t cluster_tmpfs_t:file { open read write }; allow httpd_t tmpfs_t:dir write; EOF - checkmodule -M -m -o allow_crm_mon_cgi.{mod,te}
- semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod
- semodule -i allow_crm_mon_cgi.pp
- >allow_crm_mon_cgi.te cat <<-EOF module allow_crm_mon_cgi 1.0;
- next we add "apache" (or what's the default user for httpd deployment) to "haclient" group (or what's the default group for pacemaker deployment) and, for good measure, restrict this user the access to CIB further with ACL pacemaker built-in mechanism (write access can be completely forbidden for this use case) that also needs to be explicitly enabled (using pcs here, but that's not a locked down option):
- usermod -G haclient apache
- pcs cluster cib tmp-cib.xml
- pcs -f tmp-cib.xml acl role create apache-ro read xpath /
- pcs -f tmp-cib.xml acl user create apache apache-ro
- pcs -f tmp-cib.xml property set enable-acl=true
- pcs cluster cib-push tmp-cib.xml --config
- then we create a dedicated subdir of the designated main ScriptAlias dir (again, adapt as fits), with the intention to enable symlinks only there (there will be reason why they are usually not enabled for that main dir)
- mkdir -p /var/www/cgi-bin/diag
- >/etc/httpd/conf.d/cgi_cgi.conf cat <<-EOF ScriptAlias "/howdoyou/" "/var/www/cgi-bin/diag/" <Directory "/var/www/cgi-bin/diag"> Options +FollowSymLinks </Directory> EOF
- now, we are ready to symlink crm_mon with '.cgi' extension
- ln -s /usr/sbin/crm_mon /var/www/cgi-bin/diag/cluster.cgi
- finally, reload and test
- systemctl reload httpd
- curl http://localhost/howdoyou/cluster.cgi <html> <head> <title>Cluster status</title> [...]
- the URL can request some of the crm_mon options:
- as an excercise, you can make this whole monitoring HA :) (but first, reread the NOTE above)
Less favoured alternatives of integration:
- >/var/www/cgi-bin/howdoyoucluster.cgi cat <<-EOF #!/bin/bash
- note: -a not POSIX-shell-compliant exec -a crm_mon.cgi /usr/sbin/crm_mon EOF
- adds unnecessary indirection execution-wise
- cp /usr/sbin/crm_mon /var/www/cgi-bin/crm_mon.cgi
- this would keep the copy without possibly critical updates, avoid