authorAndrew Moss <1043609+amoss@users.noreply.github.com>2020-03-31 13:07:24 +0200
committerGitHub <noreply@github.com>2020-03-31 13:07:24 +0200
commitfe722cb2a48c074eb7e2739c5052a28d4aa97d56 (patch)
tree3e302830f3343346fcf2a7a0a979bab9ded34754
parentcf948d42c22093db5d5085b3b453f7bcc2d52ae3 (diff)
Improve the behavior of claiming (#8516)
The default cloud url has been updated to app.netdata.cloud ready for the release. The claiming process now checks the current user executing claiming and refuses to perform the claim for the wrong user. If the current UID is 0 then claiming proceeds but the file ownership is adjusted to be the correct netdata user. The default expected user is `netdata` unless the script can identify the user from the current configuration. After the claiming script is executed the CLI is used to reload the claiming state.
-rw-r--r--aclk/agent_cloud_link.c2
-rw-r--r--claim/README.md2
-rw-r--r--claim/claim.c4
-rwxr-xr-xclaim/netdata-claim.sh.in36
-rw-r--r--daemon/commands.c4
-rwxr-xr-xhealth/notifications/alarm-notify.sh.in2
-rw-r--r--libnetdata/libnetdata.h3
-rw-r--r--packaging/docker/Dockerfile1
-rw-r--r--registry/registry_init.c2
-rw-r--r--tests/alarm_repetition/netdata.conf_with_repetition2
-rw-r--r--tests/alarm_repetition/netdata.conf_without_repetition2
11 files changed, 47 insertions, 13 deletions
diff --git a/aclk/agent_cloud_link.c b/aclk/agent_cloud_link.c
index f6223da571..39e07a309c 100644
--- a/aclk/agent_cloud_link.c
+++ b/aclk/agent_cloud_link.c
@@ -1321,7 +1321,7 @@ void *aclk_main(void *ptr)
char *aclk_hostname = NULL; // Initializers are over-written but prevent gcc complaining about clobbering.
char *aclk_port = NULL;
uint32_t port_num = 0;
- char *cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", "https://netdata.cloud");
+ char *cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", DEFAULT_CLOUD_BASE_URL);
if (aclk_decode_base_url(cloud_base_url, &aclk_hostname, &aclk_port)) {
error("Configuration error - cannot use agent cloud link");
return NULL;
diff --git a/claim/README.md b/claim/README.md
index 29c5eb6a4e..e5688ecd23 100644
--- a/claim/README.md
+++ b/claim/README.md
@@ -26,7 +26,7 @@ following arguments:
-rooms=ROOM1,ROOM2,...
where ROOMX is the workspace war-room to join. This list is optional.
-url=URL_BASE
- where URL_BASE is the Netdata Cloud endpoint base URL. By default, this is https://netdata.cloud.
+ where URL_BASE is the Netdata Cloud endpoint base URL. By default, this is https://app.netdata.cloud.
-id=AGENT_ID
where AGENT_ID is the unique identifier of the agent. This is the agent's MACHINE_GUID by default.
-hostname=HOSTNAME
diff --git a/claim/claim.c b/claim/claim.c
index 5d17ae9075..aabcc18a23 100644
--- a/claim/claim.c
+++ b/claim/claim.c
@@ -53,7 +53,7 @@ void claim_agent(char *claiming_arguments)
char *cloud_base_hostname = NULL; // Initializers are over-written but prevent gcc complaining about clobbering.
char *cloud_base_port = NULL;
- char *cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", "https://netdata.cloud");
+ char *cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", DEFAULT_CLOUD_BASE_URL);
if( aclk_decode_base_url(cloud_base_url, &cloud_base_hostname, &cloud_base_port))
{
error("Configuration error - cannot decode \"cloud base url\"");
@@ -71,7 +71,7 @@ void claim_agent(char *claiming_arguments)
snprintfz(command_buffer,
CLAIMING_COMMAND_LENGTH,
- "exec netdata-claim.sh %s -hostname=%s -id=%s -url=%s %s",
+ "exec netdata-claim.sh %s -hostname=%s -id=%s -url=%s -noreload %s",
proxy_flag,
netdata_configured_hostname,
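Review bot: The format string changed here still interpolates the hostname, id, URL and `claiming_arguments` as bare `%s` into a command line that begins with `exec`, so it is presumably run through a shell. If so, a value containing whitespace or shell metacharacters would change how the command is parsed, and the hostname and "cloud base url" both come from configuration. Consider wrapping each value in single quotes after rejecting embedded quotes, e.g. `-hostname='%s' -id='%s' -url='%s'`, or starting the script with an explicit argv instead of a command string. The snprintfz() call continues past the end of this hunk and the code that runs `command_buffer` is not visible, so confirm how it is executed.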
diff --git a/claim/netdata-claim.sh.in b/claim/netdata-claim.sh.in
index aef8de4b63..c2c9bb64e0 100755
--- a/claim/netdata-claim.sh.in
+++ b/claim/netdata-claim.sh.in
@@ -10,6 +10,8 @@
# Exit code: 3 - Missing dependencies
# Exit code: 4 - Failure to connect to endpoint
# Exit code: 5 - Unknown HTTP error message
+# Exit code: 6 - The CLI didn't work
+# Exit code: 7 - Wrong user
#
# OK: Agent claimed successfully
# HTTP Status code: 204
@@ -96,13 +98,22 @@ fi
MACHINE_GUID_FILE="@registrydir_POST@/netdata.public.unique.id"
CLAIMING_DIR="${NETDATA_USER_CONFIG_DIR}/claim.d"
TOKEN="unknown"
-URL_BASE="https://netdata.cloud"
+URL_BASE="https://app.netdata.cloud"
ID="unknown"
ROOMS=""
HOSTNAME=$(hostname)
CLOUD_CERTIFICATE_FILE="${CLAIMING_DIR}/cloud_fullchain.pem"
VERBOSE=0
INSECURE=0
+RELOAD=1
+NETDATA_USER=netdata
+[ -z "$EUID" ] && EUID="$(id -u)"
+
+CONF_USER=$(grep '^[^#]*run as user[ \t]*=' "${NETDATA_USER_CONFIG_DIR}/netdata.conf" 2>/dev/null)
+if [ -n "$CONF_USER" ]; then
+ NETDATA_USER=$(echo "$CONF_USER" | sed 's/^[^=]*=[ \t]*//' | sed 's/[ \t]*$//')
+fi
+
# get the MACHINE_GUID by default
if [ -r "${MACHINE_GUID_FILE}" ]; then
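Review bot: `CONF_USER` holds every matching line when netdata.conf contains more than one line matching `run as user`, so `NETDATA_USER` can end up as a multi-line string that is later compared with `whoami` and handed to `chown`. Taking only the first match avoids that, e.g. append `| head -n 1` to the grep. Separately, `[ \t]` inside a POSIX bracket expression matches a backslash or the letter `t` rather than a tab, so `[[:space:]]` is the portable spelling in both the grep and the sed expressions. Checking that the extracted name is non-empty before it overrides the `netdata` default would also cover a `run as user =` line with no value.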
@@ -131,12 +142,19 @@ do
-insecure) INSECURE=1 ;;
-proxy=*) PROXY=${arg:7} ;;
-noproxy) NOPROXY=yes ;;
+ -noreload) RELOAD=0 ;;
+ -user=*) NETDATA_USER=${arg:6} ;;
*) echo >&2 "Unknown argument ${arg}"
exit 1 ;;
esac
shift 1
done
+if [ "$EUID" != "0" ] && [ "$(whoami)" != "$NETDATA_USER" ]; then
+ echo >&2 "This script must be run by the $NETDATA_USER user account"
+ exit 7
+fi
+
# if curl not installed give warning SOCKS can't be used
if [[ "${URLTOOL}" != "curl" && "${PROXY:0:5}" = socks ]] ; then
echo >&2 "wget doesn't support SOCKS. Please install curl or disable SOCKS proxy."
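Review bot: The wrong-user check compares `whoami` with `$NETDATA_USER`, but `-user=*` in the argument loop just above lets the caller set that name, so the test catches mistakes rather than enforcing anything. That is reasonable for a helper script but worth stating, so nobody later treats it as an access control, e.g. `# Sanity check only: -user= can override NETDATA_USER, so this prevents accidents, not deliberate misuse`. A non-root caller who is not the agent user is still stopped by file permissions on the claiming directory, presumably; that is not visible in this hunk. The argument loop begins outside the hunk.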
@@ -149,6 +167,7 @@ echo >&2 "Id: $ID"
echo >&2 "Rooms: $ROOMS"
echo >&2 "Hostname: $HOSTNAME"
echo >&2 "Proxy: $PROXY"
+echo >&2 "Netdata user: $NETDATA_USER"
# create the claiming directory for this user
if [ ! -d "${CLAIMING_DIR}" ] ; then
@@ -264,10 +283,17 @@ HTTP_STATUS_CODE=$(grep "HTTP" "${CLAIMING_DIR}/tmpout.txt" | awk -F " " '{print
if [ "${HTTP_STATUS_CODE}" = "204" ] ; then
rm -f "${CLAIMING_DIR}/tmpout.txt"
- echo -n "${ID}" >"${CLAIMING_DIR}/claimed_id"
- rm -f "${CLAIMING_DIR}/token"
- echo >&2 "Node was successfully claimed."
- exit 0
+ echo -n "${ID}" >"${CLAIMING_DIR}/claimed_id" || (echo >&2 "Claiming failed"; set -e; exit 2)
+ rm -f "${CLAIMING_DIR}/token" || (echo >&2 "Claiming failed"; set -e; exit 2)
+ if [ "$EUID" == "0" ]; then
+ chown -R "${NETDATA_USER}:${NETDATA_USER}" ${CLAIMING_DIR} || (echo >&2 "Claiming failed"; set -e; exit 2)
+ fi
+ if [ "${RELOAD}" == "0" ] ; then
+ exit 0
+ fi
+ netdatacli reload-claiming-state && echo >&2 "Node was successfully claimed." && exit 0
+ echo "The claim was successful but the agent could not be notified ($?)- it requires a restart to connect to the cloud"
+ exit 6
fi
ERROR_MESSAGE=$(grep "\"errorMsgKey\":" "${CLAIMING_DIR}/tmpout.txt" | awk -F "errorMsgKey\":\"" '{print $2}' | awk -F "\"" '{print $1}')
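Review bot: The three `|| (echo >&2 "Claiming failed"; set -e; exit 2)` handlers run in a subshell, so `exit 2` ends only the subshell and the script carries on after a failed write, `rm` or `chown`. It can then still report "Node was successfully claimed." and exit 0. Use a brace group so the exit applies to the script itself: `|| { echo >&2 "Claiming failed"; exit 2; }`; the `set -e` is then unnecessary. `${CLAIMING_DIR}` in the `chown -R` line should also be quoted like its other uses, since it derives from the user config directory and the command runs as root. The final "could not be notified" message goes to stdout while every other diagnostic uses `>&2`.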
diff --git a/daemon/commands.c b/daemon/commands.c
index 71df5a4219..e4a33c91bc 100644
--- a/daemon/commands.c
+++ b/daemon/commands.c
@@ -190,6 +190,10 @@ static cmd_status_t cmd_reload_claiming_state_execute(char *args, char **message
info("The claiming feature has been disabled");
return CMD_STATUS_FAILURE;
#endif
+#ifndef ENABLE_ACLK
+ info("Cloud functionality is not enabled because of missing dependencies at build-time.");
+ return CMD_STATUS_FAILURE;
+#endif
error_log_limit_unlimited();
info("COMMAND: Reloading Agent Claiming configuration.");
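Review bot: With `ENABLE_ACLK` undefined, the added block returns unconditionally and leaves the rest of the function as unreachable code, which can also trigger unused-parameter and unreachable-code warnings. If the preceding `#endif` closes a `DISABLE_CLOUD` guard (it starts outside the hunk), a build with both conditions compiles two consecutive `return` statements. Structuring this as a single `#if`/`#elif`/`#else` chain, with the reload logic in the `#else` branch, keeps exactly one path compiled. The function body starts and ends outside this hunk, so the exact shape of the existing guard should be checked first.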
diff --git a/health/notifications/alarm-notify.sh.in b/health/notifications/alarm-notify.sh.in
index 8f0e14a27d..b8233a5c3e 100755
--- a/health/notifications/alarm-notify.sh.in
+++ b/health/notifications/alarm-notify.sh.in
@@ -193,7 +193,7 @@ fi
[ -z "${NETDATA_STOCK_CONFIG_DIR}" ] && NETDATA_STOCK_CONFIG_DIR="@libconfigdir_POST@"
[ -z "${NETDATA_CACHE_DIR}" ] && NETDATA_CACHE_DIR="@cachedir_POST@"
[ -z "${NETDATA_REGISTRY_URL}" ] && NETDATA_REGISTRY_URL="https://registry.my-netdata.io"
-[ -z "${NETDATA_REGISTRY_CLOUD_BASE_URL}" ] && NETDATA_REGISTRY_CLOUD_BASE_URL="https://netdata.cloud"
+[ -z "${NETDATA_REGISTRY_CLOUD_BASE_URL}" ] && NETDATA_REGISTRY_CLOUD_BASE_URL="https://app.netdata.cloud"
# -----------------------------------------------------------------------------
# parse command line parameters
diff --git a/libnetdata/libnetdata.h b/libnetdata/libnetdata.h
index a65a37e178..b7fa9d5aba 100644
--- a/libnetdata/libnetdata.h
+++ b/libnetdata/libnetdata.h
@@ -321,4 +321,7 @@ extern char *netdata_configured_host_prefix;
#include "health/health.h"
#include "string/utf8.h"
+// BEWARE: Outside of the C code this also exists in alarm-notify.sh
+#define DEFAULT_CLOUD_BASE_URL "https://app.netdata.cloud"
+
#endif // NETDATA_LIB_H
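Review bot: The BEWARE comment names only alarm-notify.sh, but this same commit also hard-codes the URL as `URL_BASE` in claim/netdata-claim.sh.in and in claim/README.md. The next change to the default could therefore miss the claiming script and leave the agent and the script pointing at different endpoints. Suggested wording: `// BEWARE: this default is duplicated outside the C code in health/notifications/alarm-notify.sh.in, claim/netdata-claim.sh.in (URL_BASE) and claim/README.md`.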
diff --git a/packaging/docker/Dockerfile b/packaging/docker/Dockerfile
index bcc3555eee..0252664ba7 100644
--- a/packaging/docker/Dockerfile
+++ b/packaging/docker/Dockerfile
@@ -47,6 +47,7 @@ RUN mkdir -p /app/usr/sbin/ \
mv /etc/netdata /app/etc/ && \
mv /usr/sbin/netdata /app/usr/sbin/ && \
mv /usr/sbin/netdata-claim.sh /app/usr/sbin/ && \
+ mv /usr/sbin/netdatacli /app/usr/sbin/ && \
mv packaging/docker/run.sh /app/usr/sbin/ && \
cp -rp /deps/* /app/usr/local/ && \
chmod +x /app/usr/sbin/run.sh
diff --git a/registry/registry_init.c b/registry/registry_init.c
index e5e6668204..077fe845d1 100644
--- a/registry/registry_init.c
+++ b/registry/registry_init.c
@@ -41,7 +41,7 @@ int registry_init(void) {
registry.verify_cookies_redirects = config_get_boolean(CONFIG_SECTION_REGISTRY, "verify browser cookies support", 1);
// netdata.cloud configuration, if cloud_base_url == "", cloud functionality is disabled.
- registry.cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", "https://netdata.cloud");
+ registry.cloud_base_url = config_get(CONFIG_SECTION_CLOUD, "cloud base url", DEFAULT_CLOUD_BASE_URL);
setenv("NETDATA_REGISTRY_CLOUD_BASE_URL", registry.cloud_base_url, 1);
setenv("NETDATA_REGISTRY_HOSTNAME", registry.hostname, 1);
diff --git a/tests/alarm_repetition/netdata.conf_with_repetition b/tests/alarm_repetition/netdata.conf_with_repetition
index 5e02288dbf..d5d00f07da 100644
--- a/tests/alarm_repetition/netdata.conf_with_repetition
+++ b/tests/alarm_repetition/netdata.conf_with_repetition
@@ -54,4 +54,4 @@
allow from = *
[cloud]
- cloud base url = https://netdata.cloud
+ cloud base url = https://app.netdata.cloud
diff --git a/tests/alarm_repetition/netdata.conf_without_repetition b/tests/alarm_repetition/netdata.conf_without_repetition
index 80513ecb79..43518bdc00 100644
--- a/tests/alarm_repetition/netdata.conf_without_repetition
+++ b/tests/alarm_repetition/netdata.conf_without_repetition
@@ -54,4 +54,4 @@
allow from = *
[cloud]
- cloud base url = https://netdata.cloud
+ cloud base url = https://app.netdata.cloud