add systemd unit file, add mini auth protocol to local connector #995
Add systemd unit file that starts a broker for the system instance, broker.rundir to /var/run/flux. Runs broker as user "flux" with initial program "sleep inf".
Codecov Report
@@ Coverage Diff @@
## master #995 +/- ##
==========================================
+ Coverage 75.9% 76.13% +0.23%
==========================================
Files 152 151 -1
Lines 25923 25989 +66
==========================================
+ Hits 19676 19788 +112
+ Misses 6247 6201 -46
Continue to review full report at Codecov.
|
It isn't clear from the new autoconf macro if systemd is enabled by default and the (verbose) BTW, not that I'm suggesting we switch to it, but a quick search turned up this alternate implementation of a Sorry if you already researched this topic and arrived at the current macro as the best choice. |
Ah, that one does look well thought out and complete. I'll go ahead and switch - the one I proposed is just one I have used before on other projects, and I think I used it because Fedora packaging guidelines led me there (by what route I don't recall). |
Oh, ok, perhaps the long name is required by some RPM macros or something. Sorry about the diversion. |
The long name mirrors the name of a directory in systemd.pc
On ubuntu 16.04 LTS, daemon(7), under Installing Systemd Service Files recommends similar m4:
I'm thinking maybe it is OK as proposed after all? |
Yes sorry about that |
Problem: local connector allows connect to succeed, then drops the connection abruptly when authentication fails. On the client end, flux_open() succeeds but the next operation such as a flux_send() will fail with EPIPE. This error is not particularly helpful for the user. Add a single byte authentication result to the local wire protocol. Return 0 on success or errno on auth failure, so that on failure, the client flux_open() will get EPERM.
Switch the one json-c user over to flux_request_decodef() and drop the shortjson.h include.
Problem: messages with decoding problems are forwarded to the broker. If a request cannot be decoded, drop it and log the error. Clean up the error paths in the internal request handling code.
Problem: module calls functions that exit on error like xstrdup, xasprintf, xzmalloc, and oom. When module is a broker thread, the broker exits unnecessarily on these errors. Rework error paths to avoid exit on error idiom.
I added some cleanup in the connector-local module, and a test to make sure the local connector auth failure returns EPERM to the user. To make that work without requiring the ability to sudo to another user, I added a way to get/set an integer's worth of debug flags in modules (the need for something along these lines was discussed briefly in #813). There's a command So to test the auth failure, the test calls
In the auth code there's a check that looks like this:

```c
int *debug_flags = flux_aux_get (h, "flux::debug_flags");
if (debug_flags && (*debug_flags & 1)) {
    flux_log (h, LOG_ERR, "connect by uid=%d pid=%d denied by debug flag",
              c->ucred.uid, (int)c->ucred.pid);
    *debug_flags &= ~1; // one shot
    errno = EPERM;
    goto error;
}
```

I'm not sure if this will be useful in all cases but it seemed like a fairly unobtrusive way to implement this test and establish a simple way for similar tests to be added in other places. |
Add a new builtin service method that can manipulate integer flags stored in the handle under the "flux::debug_flags" key with flux_aux_set(). Modules may access the value with flux_aux_get(). This provides a simple way for any module to implement test flags that can be enabled during testing, e.g. to cover error paths.
That's nice! Did you consider making |
Hmm, flux-module might be a better fit. Good idea. |
Rebased with flux-debug folded into flux-module as I also converted flux-module to use liboptparse, and folded in flux-comms-stats as Still todo: update flux-module(1) and add test coverage for |
I think this might be ready for merge. Just added coverage for I feel OK about the level of testing here - I was dinged by coveralls on having no test coverage for the changes to connector-local to handle ENOMEM, but that's a hard case... |
Oh except I need a flux-module(1) update. Stand by. |
Yeah, we don't have a viable way to test error conditions so I usually take that into account when reviewing code coverage results. I'll take a more detailed peek at this but looks good to me so far. |
Problem: flux comms-stats is a client for builtin comms module services. It should really be part of flux module. Add flux module stats subcommand, remove flux-comms-stats, and update sharness test users.
Add support for manipulating module debug_flags via messages.
If debug_flags bit 1 is set, simulate one auth failure. A test can set this bit and then attempt to connect to verify that EPERM is returned to flux_open().
Problem: the $rundir/broker.pid file written out by the broker is necessarily flawed as a mechanism for checking if a broker is running and is no longer used by anything. Don't create the broker pid file.
Eliminate dead code for constructing path to broker.pid file.
Eliminate code to create broker.pid file as the local connector no longer expects it and it serves no other purpose.
This looks good to me, is it ready now? |
Sure. |
This work was peeled off of #980. It adds a prototype systemd unit file and build logic for configuring its install location, which gets us part way to #967. With this it's possible to
Then flux commands like
sudo -u flux flux dmesg
work (as instance owner) but trying that as another user gets you something like

There's a small tweak to the local connector here to return a single byte response on the wire indicating success or failure of authentication so the client, which probably sends a request first thing, gets a sensible error instead of EPIPE for the unceremonious broker side close.
Finally, ensure that the local connector socket is mode 777 so anyone can attempt to connect.
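
The single-byte authentication result described in this pull request, as an added example that is not code from flux-core: the broker side writes 0 or an errno value before it closes, and the client blocks for that byte during open so a rejected connection fails with EPERM up front. The function names, the uid-equals-owner policy, the `socketpair()` stand-in for the local socket, and the ECONNRESET mapping for a missing byte are all assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Broker side (hypothetical helper): send 0 or an errno value before any close. */
static int server_auth_reply (int fd, uid_t peer_uid, uid_t owner_uid,
                              int *debug_flags)
{
    uint8_t result = (peer_uid == owner_uid) ? 0 : EPERM; /* assumed policy */
    if (debug_flags && (*debug_flags & 1)) {
        *debug_flags &= ~1; /* one shot, as in the check quoted on the page */
        result = EPERM;
    }
    return (write (fd, &result, 1) == 1) ? result : -1;
}

/* Client side (hypothetical helper): wait for the result byte during open. */
static int client_auth_wait (int fd)
{
    uint8_t result;
    ssize_t n = read (fd, &result, 1);
    if (n == 1 && result == 0)
        return 0;
    if (n >= 0)
        errno = (n == 0) ? ECONNRESET : result; /* EOF mapping is assumed */
    return -1;
}

/* Run one connect over a socketpair; returns 0 or the client's errno. */
static int demo_connect (uid_t peer_uid, uid_t owner_uid, int *debug_flags)
{
    int sv[2], rc;
    if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return errno;
    server_auth_reply (sv[0], peer_uid, owner_uid, debug_flags);
    close (sv[0]); /* broker end goes away; the queued byte is still readable */
    rc = (client_auth_wait (sv[1]) < 0) ? errno : 0;
    close (sv[1]);
    return rc;
}

int main (void)
{
    int flags = 1; /* constructed: debug bit set for one simulated failure */
    printf ("flag set: %d\n", demo_connect (1000, 1000, &flags));
    printf ("retry:    %d\n", demo_connect (1000, 1000, &flags));
}
```

The uids 1000 and 1001 are constructed sample values; the demo closes the broker end in every case because only the handshake is being shown.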