Skip to content

Commit

Permalink
Merge "Fix selinux context of published image hardlink"
Browse files Browse the repository at this point in the history
  • Loading branch information
Zuul authored and openstack-gerrit committed Jan 17, 2023
2 parents b11067c + c05c09f commit a48af6b
Show file tree
Hide file tree
Showing 3 changed files with 52 additions and 12 deletions.
10 changes: 10 additions & 0 deletions ironic/drivers/modules/image_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,16 @@ def publish_image(self, image_file, object_name, node_http_url=None):
try:
os.link(image_file, published_file)
os.chmod(image_file, self._file_permission)
try:
utils.execute(
'/usr/sbin/restorecon', '-i', '-R', 'v', public_dir)
except FileNotFoundError as exc:
LOG.debug(
"Could not restore SELinux context on "
"%(public_dir)s, restorecon command not found.\n"
"Error: %(error)s",
{'public_dir': public_dir,
'error': exc})

except OSError as exc:
LOG.debug(
Expand Down
47 changes: 35 additions & 12 deletions ironic/tests/unit/drivers/modules/test_image_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -105,73 +105,96 @@ def test_unpublish_image_swift(self, mock_swift):
mock_swift_api.delete_object.assert_called_once_with(
'ironic_redfish_container', object_name)

@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_local_link(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost', group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)

url = img_handler_obj.publish_image('file.iso', 'boot.iso')

self.assertEqual(
'http://localhost/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')

@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_local_link_no_restorecon(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost', group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
url = img_handler_obj.publish_image('file.iso', 'boot.iso')
self.assertEqual(
'http://localhost/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.return_value = FileNotFoundError
mock_shutil.assert_not_called()

@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_external_ip(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost',
external_http_url='http://non-local.host',
group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)

url = img_handler_obj.publish_image('file.iso', 'boot.iso')

self.assertEqual(
'http://non-local.host/redfish/boot.iso', url)

mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')

@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_external_ip_node_override(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost',
external_http_url='http://non-local.host',
group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
self.node.driver_info["external_http_url"] = "http://node.override.url"

override_url = self.node.driver_info.get("external_http_url")

url = img_handler_obj.publish_image('file.iso', 'boot.iso',
override_url)

self.assertEqual(
'http://node.override.url/redfish/boot.iso', url)

mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')

@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
fixes:
- |
Fixes an issue where if selinux is enabled and enforcing, and
the published image is a hardlink, the source selinux context
is preserved, causing access denied when retrieving the image
using hardlink URL.

0 comments on commit a48af6b

Please sign in to comment.