[node-devel] Using yum in Node

Perry Myers pmyers at redhat.com
Mon May 21 14:29:37 UTC 2012


On 05/21/2012 09:30 AM, Andrew Cathrow wrote:
> 
> 
> ----- Original Message -----
>> From: "Mike Burns" <mburns at redhat.com>
>> To: "Andrew Cathrow" <acathrow at redhat.com>
>> Cc: node-devel at ovirt.org
>> Sent: Monday, May 21, 2012 9:26:38 AM
>> Subject: Re: [node-devel] Using yum in Node
>>
>> On Mon, 2012-05-21 at 09:06 -0400, Andrew Cathrow wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Mike Burns" <mburns at redhat.com>
>>>> To: "Fabian Deutsch" <fabiand at redhat.com>
>>>> Cc: node-devel at ovirt.org
>>>> Sent: Monday, May 21, 2012 8:56:27 AM
>>>> Subject: Re: [node-devel] Using yum in Node
>>>>
>>>> On Mon, 2012-05-21 at 09:50 +0200, Fabian Deutsch wrote:
>>>>> Hey,
>>>>>
>>>>> yum landed in node quite recently - not in the official build,
>>>>> but
>>>>> in
>>>>> gerrit [0].
>>>>> It's somewhat tricky to get it working, I added a small section
>>>>> to
>>>>> the
>>>>> Node troubleshooting wiki page [1] to give others a better
>>>>> start.
>>>>
>>>> Just for clarity, this is being done to support plugins.  It will
>>>> only
>>>> be supported offline when using the edit-node functionality.
>>>>
>>>
>>> Obviously the reason for this is not for users to have yum
>>> available for use on the node when it's deployed but it's going to
>>> cause confusion with users that they have utilities like yum and
>>> rpm and can't use them, or if they try to, things fail in strange
>>> ways.
>>>
>>> If we don't want or support runtime use of rpm and yum then having
>>> them in the node and available to be called is asking for trouble.
>>> Having docs that explain why it failed and why they shouldn't be
>>> doing it isn't enough.
>>
>> The plan to mitigate this issue is that the yum binary will be
>> relocated
>> to either a non-standard place that isn't in the path (/usr/libexec)
>> or
>> renamed to something else non-standard (ovirt-yum or something).
>> The /usr/bin/yum executable will instead print a message/warning to
>> the
>> user that says that running yum is unsupported on a running host.  The
>> offline edit-node process will call the renamed or relocated yum
>> script
>> correctly.
> 
> Great.

We could also solve this (and many other issues around folks trying to
do things in oVirt Node that should not be done) by making it harder to
get a shell.

Doing things like disabling root ssh access completely (which is
presently only blocked by vdsm needing to use root ssh for registration)
and making the admin shell harder to enter would further enforce the
firmware-like nature of oVirt Node.

Perry
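
The relocation plan quoted above (move the real yum out of the PATH, leave a refusing stub at /usr/bin/yum), sketched as an added example that is not part of the original thread or of oVirt Node's code. The image root argument, the `usr/libexec/ovirt-yum` destination (the thread only names /usr/libexec and "ovirt-yum or something") and the stub marker string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the "relocate yum, leave a stub" plan to an image root.
# REAL_REL and STUB_MARK are hypothetical names, not taken from oVirt Node.
REAL_REL=usr/libexec/ovirt-yum
STUB_MARK='ovirt-node-yum-stub'

# install_yum_guard ROOT
# Moves ROOT/usr/bin/yum to ROOT/$REAL_REL and writes a stub in its place
# that warns on stderr and exits non-zero. Safe to run more than once.
install_yum_guard() {
    root=$1
    bin="$root/usr/bin/yum"
    real="$root/$REAL_REL"

    # Idempotent: a stub that is already installed is left alone.
    if [ -f "$bin" ] && grep -q "$STUB_MARK" "$bin"; then
        return 0
    fi
    if [ ! -f "$bin" ]; then
        echo "no yum found at $bin" >&2
        return 1
    fi
    # Refuse to overwrite a binary that was relocated earlier.
    if [ -e "$real" ]; then
        echo "$real already exists, not overwriting" >&2
        return 1
    fi

    mkdir -p "$(dirname "$real")" || return 1
    mv "$bin" "$real" || return 1

    # The stub carries the marker so later runs can recognise it.
    cat > "$bin" <<EOF
#!/bin/sh
# $STUB_MARK
echo "yum is unsupported on a running host; use the offline edit-node process." >&2
exit 1
EOF
    chmod 0755 "$bin"
}
```

The offline edit-node process would then invoke the relocated path directly, while an interactive `yum` on a running host only reaches the stub.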


