Add SR blacklist where it is forbidden to download from binary cache

parent a77d47b2
...@@ -131,3 +131,8 @@ signature-certificate-list = ...@@ -131,3 +131,8 @@ signature-certificate-list =
Loe5mIHsjRVKvzB6SvIaFUYq/EzmHnqNdpIGkT/Mj7r/iUs61btTcGUCLsUiUeci Loe5mIHsjRVKvzB6SvIaFUYq/EzmHnqNdpIGkT/Mj7r/iUs61btTcGUCLsUiUeci
Vd0Ozh79JSRpkrdI8R/NRQ2XPHAo+29TT70= Vd0Ozh79JSRpkrdI8R/NRQ2XPHAo+29TT70=
-----END CERTIFICATE----- -----END CERTIFICATE-----
# List of URL(s) which shouldn't be installed from binary cache, separated by
# commas. Any URL beginning by a blacklisted URL will be blacklisted as well.
binary-cache-url-blacklist =
http://git.erp5.org/gitweb/slapos.git/blob_plain/HEAD
http://git.erp5.org/gitweb/slapos.core.git/blob_plain/refs/heads
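Review bot: The comment says the URLs are "separated by commas", but the sample value is written one URL per line and the parsing code added in this commit splits the option on `'\n'`. A comma-separated value would therefore be read as a single entry that matches no release, and the blacklist would quietly have no effect. Reword the comment to something like `# List of URL prefixes which must not be installed from binary cache, one per line.` so the documented format matches the parser.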
...@@ -54,7 +54,8 @@ class Software(object): ...@@ -54,7 +54,8 @@ class Software(object):
upload_cache_url=None, upload_dir_url=None, shacache_cert_file=None, upload_cache_url=None, upload_dir_url=None, shacache_cert_file=None,
shacache_key_file=None, shadir_cert_file=None, shadir_key_file=None, shacache_key_file=None, shadir_cert_file=None, shadir_key_file=None,
download_binary_cache_url=None, upload_binary_cache_url=None, download_binary_cache_url=None, upload_binary_cache_url=None,
download_binary_dir_url=None, upload_binary_dir_url=None): download_binary_dir_url=None, upload_binary_dir_url=None,
binary_cache_url_blacklist = []):
"""Initialisation of class parameters """Initialisation of class parameters
""" """
self.url = url self.url = url
...@@ -77,14 +78,17 @@ class Software(object): ...@@ -77,14 +78,17 @@ class Software(object):
self.upload_binary_cache_url = upload_binary_cache_url self.upload_binary_cache_url = upload_binary_cache_url
self.download_binary_dir_url = download_binary_dir_url self.download_binary_dir_url = download_binary_dir_url
self.upload_binary_dir_url = upload_binary_dir_url self.upload_binary_dir_url = upload_binary_dir_url
self.binary_cache_url_blacklist = binary_cache_url_blacklist
def install(self): def install(self):
""" Fetches binary cache if possible. """ Fetches binary cache if possible.
Installs from buildout otherwise. Installs from buildout otherwise.
""" """
self.logger.info("Installing software release %s..." % self.url)
tarname = self.software_url_hash tarname = self.software_url_hash
cache_dir = tempfile.mkdtemp() cache_dir = tempfile.mkdtemp()
tarpath = os.path.join(cache_dir, tarname) tarpath = os.path.join(cache_dir, tarname)
# Check if we can download from cache
if (not os.path.exists(self.software_path)) \ if (not os.path.exists(self.software_path)) \
and download_network_cached( and download_network_cached(
self.download_binary_cache_url, self.download_binary_cache_url,
...@@ -92,7 +96,8 @@ class Software(object): ...@@ -92,7 +96,8 @@ class Software(object):
self.url, self.software_root, self.url, self.software_root,
self.software_url_hash, self.software_url_hash,
tarpath, self.logger, tarpath, self.logger,
self.signature_certificate_list): self.signature_certificate_list,
self.binary_cache_url_blacklist):
tar = tarfile.open(tarpath) tar = tarfile.open(tarpath)
try: try:
self.logger.info("Extracting archive of cached software release...") self.logger.info("Extracting archive of cached software release...")
...@@ -128,7 +133,6 @@ class Software(object): ...@@ -128,7 +133,6 @@ class Software(object):
""" Fetches buildout configuration from the server, run buildout with """ Fetches buildout configuration from the server, run buildout with
it. If it fails, we notify the server. it. If it fails, we notify the server.
""" """
self.logger.info("Installing software release %s..." % self.url)
root_stat_info = os.stat(self.software_root) root_stat_info = os.stat(self.software_root)
os.environ = utils.getCleanEnvironment(pwd.getpwuid(root_stat_info.st_uid os.environ = utils.getCleanEnvironment(pwd.getpwuid(root_stat_info.st_uid
).pw_dir) ).pw_dir)
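Review bot: The new `binary_cache_url_blacklist = []` default in `Software.__init__` is a mutable default that is stored on the instance unchanged, so every `Software` built without the argument shares one list object. It is also inconsistent with the `None` default this commit gives the same parameter in `download_network_cached` and `Slapgrid.__init__`. Prefer `binary_cache_url_blacklist=None` in the signature and `self.binary_cache_url_blacklist = binary_cache_url_blacklist or []` in the body. The `__init__` docstring could also state that the list holds URL prefixes for which the binary cache is skipped. Both `__init__` and `install` extend beyond the visible hunks.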
......
...@@ -49,7 +49,8 @@ def fallback_call(function): ...@@ -49,7 +49,8 @@ def fallback_call(function):
@fallback_call @fallback_call
def download_network_cached(cache_url, dir_url, software_url, software_root, def download_network_cached(cache_url, dir_url, software_url, software_root,
key, path, logger, signature_certificate_list): key, path, logger, signature_certificate_list,
binary_cache_url_blacklist=None):
"""Downloads from a network cache provider """Downloads from a network cache provider
return True if download succeeded. return True if download succeeded.
...@@ -60,6 +61,10 @@ def download_network_cached(cache_url, dir_url, software_url, software_root, ...@@ -60,6 +61,10 @@ def download_network_cached(cache_url, dir_url, software_url, software_root,
if not(cache_url and dir_url and software_url and software_root): if not(cache_url and dir_url and software_url and software_root):
return False return False
for url in binary_cache_url_blacklist:
if software_url.startswith(url):
return False
# In order to call nc nicely. # In order to call nc nicely.
if len(signature_certificate_list) == 0: if len(signature_certificate_list) == 0:
signature_certificate_list = None signature_certificate_list = None
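Review bot: `binary_cache_url_blacklist` defaults to `None` in the new signature, so the added `for url in binary_cache_url_blacklist:` loop raises `TypeError` for any caller that omits it. The path is reachable because `Slapgrid.__init__` also defaults the value to `None` and forwards it to `Software`. Iterate over `binary_cache_url_blacklist or ()` instead. Whether `@fallback_call` turns that exception into a quiet `False` is not visible here; if it does, the failure would be indistinguishable from a cache miss. The check is also a plain string prefix on the unnormalised URL, so the same release referenced with another scheme or host spelling would not match, which the docstring should state; the function body continues outside the hunk.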
......
...@@ -234,6 +234,11 @@ def parseArgumentTupleAndReturnSlapgridObject(*argument_tuple): ...@@ -234,6 +234,11 @@ def parseArgumentTupleAndReturnSlapgridObject(*argument_tuple):
else: else:
signature_certificate_list = None signature_certificate_list = None
# Parse cache / binary options
option_dict["binary-cache-url-blacklist"] = [
url.strip() for url in option_dict.get("binary-cache-url-blacklist", ""
).split('\n') if url]
# Sleep for a random time to avoid SlapOS Master being DDOSed by an army of # Sleep for a random time to avoid SlapOS Master being DDOSed by an army of
# SlapOS Nodes configured with cron. # SlapOS Nodes configured with cron.
if option_dict["now"]: if option_dict["now"]:
...@@ -265,6 +270,8 @@ def parseArgumentTupleAndReturnSlapgridObject(*argument_tuple): ...@@ -265,6 +270,8 @@ def parseArgumentTupleAndReturnSlapgridObject(*argument_tuple):
option_dict.get('download-binary-cache-url', None), option_dict.get('download-binary-cache-url', None),
upload_binary_cache_url=\ upload_binary_cache_url=\
option_dict.get('upload-binary-cache-url', None), option_dict.get('upload-binary-cache-url', None),
binary_cache_url_blacklist=\
option_dict.get('binary-cache-url-blacklist', []),
upload_cache_url=option_dict.get('upload-cache-url', None), upload_cache_url=option_dict.get('upload-cache-url', None),
download_binary_dir_url=\ download_binary_dir_url=\
option_dict.get('download-binary-dir-url', None), option_dict.get('download-binary-dir-url', None),
...@@ -356,6 +363,7 @@ class Slapgrid(object): ...@@ -356,6 +363,7 @@ class Slapgrid(object):
signature_certificate_list=None, signature_certificate_list=None,
download_binary_cache_url=None, download_binary_cache_url=None,
upload_binary_cache_url=None, upload_binary_cache_url=None,
binary_cache_url_blacklist=None,
upload_cache_url=None, upload_cache_url=None,
download_binary_dir_url=None, download_binary_dir_url=None,
upload_binary_dir_url=None, upload_binary_dir_url=None,
...@@ -388,6 +396,7 @@ class Slapgrid(object): ...@@ -388,6 +396,7 @@ class Slapgrid(object):
self.signature_certificate_list = signature_certificate_list self.signature_certificate_list = signature_certificate_list
self.download_binary_cache_url = download_binary_cache_url self.download_binary_cache_url = download_binary_cache_url
self.upload_binary_cache_url = upload_binary_cache_url self.upload_binary_cache_url = upload_binary_cache_url
self.binary_cache_url_blacklist = binary_cache_url_blacklist
self.upload_cache_url = upload_cache_url self.upload_cache_url = upload_cache_url
self.download_binary_dir_url = download_binary_dir_url self.download_binary_dir_url = download_binary_dir_url
self.upload_binary_dir_url = upload_binary_dir_url self.upload_binary_dir_url = upload_binary_dir_url
...@@ -484,6 +493,7 @@ class Slapgrid(object): ...@@ -484,6 +493,7 @@ class Slapgrid(object):
signature_certificate_list=self.signature_certificate_list, signature_certificate_list=self.signature_certificate_list,
download_binary_cache_url=self.download_binary_cache_url, download_binary_cache_url=self.download_binary_cache_url,
upload_binary_cache_url=self.upload_binary_cache_url, upload_binary_cache_url=self.upload_binary_cache_url,
binary_cache_url_blacklist=self.binary_cache_url_blacklist,
upload_cache_url=self.upload_cache_url, upload_cache_url=self.upload_cache_url,
download_binary_dir_url=self.download_binary_dir_url, download_binary_dir_url=self.download_binary_dir_url,
upload_binary_dir_url=self.upload_binary_dir_url, upload_binary_dir_url=self.upload_binary_dir_url,
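Review bot: The comprehension that parses `binary-cache-url-blacklist` filters on `if url` before stripping, so a line holding only whitespace ends up as the entry `''`. Since `software_url.startswith('')` is true for every URL, one stray indented blank line in the configuration disables the binary cache for all software releases without any log message. Filter on the stripped value, e.g. `... for url in option_dict.get("binary-cache-url-blacklist", "").split('\n') if url.strip()]`. The comment `# Parse cache / binary options` could also say that the result is a list of URL prefixes. `parseArgumentTupleAndReturnSlapgridObject` starts and ends outside the visible hunks.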
......