From 5d49e030896a59ec83250d93352f3d37ae8ff364 Mon Sep 17 00:00:00 2001 From: Corentin LABBE Date: Fri, 5 Feb 2021 08:39:52 +0000 Subject: Permit to set worker token in boards.yaml LAVA 2020.09 dropped ZMQ and use now a token to authenticate worker against master. lava-docker already handle this by getting token via lavacli. But we need to support to set token in boards.yaml, this patch permits this. Furthermore, the token was given to worker via --token, but this is bad since token can be found by anyone running ps. A better secure way is to use --token-file. --- README.md | 1 + lava-slave/scripts/setup.sh | 29 +++++++++++++++++++++++------ lavalab-gen.py | 4 +++- 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bbc8c15..61c2ce7 100644 --- a/README.md +++ b/README.md @@ -279,6 +279,7 @@ slaves: remote_user: the user used for connecting to the master remote_user_token: The remote_user's token. This option is necessary only if no master node exists in boards.yaml. Otherwise lavalab-gen.py will get from it. remote_proto: http(default) or https + lava_worker_token: token to authenticate worker to master/scheduler (LAVA 2020.09+) default_slave: Does this slave is the default slave where to add boards (default: lab-slave-0) bind_dev: Bind /dev from host to slave. This is needed when using some HID PDU use_tftp: Does LAVA need a TFTP server (default True) diff --git a/lava-slave/scripts/setup.sh b/lava-slave/scripts/setup.sh index 9873a91..7c31441 100755 --- a/lava-slave/scripts/setup.sh +++ b/lava-slave/scripts/setup.sh @@ -72,15 +72,32 @@ do fi grep -q "TOKEN" /root/entrypoint.sh if [ $? -eq 0 ];then + # This is 2020.09+ echo "DEBUG: Worker need a TOKEN" - # TODO use token from env - WTOKEN=$(getworkertoken.py $LAVA_MASTER_URI $worker) - if [ $? -eq 0 ];then - sed -i "s,.*TOKEN.*,TOKEN=\"--token $WTOKEN\"," /etc/lava-dispatcher/lava-worker || exit $? + if [ -z "$LAVA_WORKER_TOKEN" ];then + echo "DEBUG: get token dynamicly" + # Does not work on 2020.09, since token was not added yet in RPC2 + WTOKEN=$(getworkertoken.py $LAVA_MASTER_URI $worker) + if [ $? -ne 0 ];then + echo "ERROR: cannot get WORKER TOKEN" + exit 1 + fi + if [ -z "$WTOKEN" ];then + echo "ERROR: got an empty token" + exit 1 + fi else - echo "ERROR: cannot get WORKER TOKEN" - exit 1 + echo "DEBUG: got token from env" + WTOKEN=$LAVA_WORKER_TOKEN fi + echo "DEBUG: write token in /var/lib/lava/dispatcher/worker/" + mkdir -p /var/lib/lava/dispatcher/worker/ + echo "$WTOKEN" > /var/lib/lava/dispatcher/worker/token + # lava worker ran under root + chown root:root /var/lib/lava/dispatcher/worker/token + chmod 640 /var/lib/lava/dispatcher/worker/token + sed -i "s,.*TOKEN.*,TOKEN=\"--token-file /var/lib/lava/dispatcher/worker/token\"," /etc/lava-dispatcher/lava-worker || exit $? + echo "DEBUG: set master URL to $LAVA_MASTER_URL" sed -i "s,^# URL.*,URL=\"$LAVA_MASTER_URL\"," /etc/lava-dispatcher/lava-worker || exit $? cat /etc/lava-dispatcher/lava-worker diff --git a/lavalab-gen.py b/lavalab-gen.py index e4b3487..e901eb7 100755 --- a/lavalab-gen.py +++ b/lavalab-gen.py @@ -407,7 +407,7 @@ def main(): "devices", "dispatcher_ip", "default_slave", "extra_actions", "export_ser2net", "expose_ser2net", "expose_ports", "env", "host", "host_healthcheck", - "loglevel", "lava-coordinator", + "loglevel", "lava-coordinator", "lava_worker_token", "name", "remote_user", "remote_master", "remote_address", "remote_rpc_port", "remote_proto", "remote_user_token", "tags", @@ -493,6 +493,8 @@ def main(): else: remote_rpc_port = worker["remote_rpc_port"] dockcomp["services"][worker_name]["environment"]["LAVA_MASTER"] = remote_address + if "lava_worker_token" in worker: + dockcomp["services"][worker_name]["environment"]["LAVA_WORKER_TOKEN"] = worker["lava_worker_token"] remote_user = worker["remote_user"] # find master remote_token = "BAD" -- cgit 1.2.3-korg