
Commit e0994d5

Copilotbootjp
andcommitted
Address review feedback: sudo -n, env SSH vars, filepath.Clean
Co-authored-by: bootjp <1306365+bootjp@users.noreply.github.com>
1 parent 16b8ad2 commit e0994d5


3 files changed

+38
-27
lines changed


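--- a/go.mod
+++ b/go.mod
@@ -19,6 +19,7 @@ require (
 github.com/emirpasic/gods v1.18.1
 github.com/getsentry/sentry-go v0.27.0
 github.com/hashicorp/go-hclog v1.6.3
+github.com/hashicorp/go-msgpack/v2 v2.1.2
 github.com/hashicorp/raft v1.7.3
 github.com/pkg/errors v0.9.1
 github.com/prometheus/client_golang v1.23.2
@@ -66,7 +67,6 @@ require (
 github.com/hashicorp/errwrap v1.0.0 // indirect
 github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 github.com/hashicorp/go-metrics v0.5.4 // indirect
-github.com/hashicorp/go-msgpack/v2 v2.1.2 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/golang-lru v1.0.2 // indirect
 github.com/klauspost/compress v1.18.0 // indirect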

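--- a/internal/raftstore/migrate.go
+++ b/internal/raftstore/migrate.go
@@ -57,6 +57,8 @@ func prepareMigrationPaths(logsPath, stablePath, destDir string) (string, error)
 return "", errors.New("destination dir is required")
 }
 
+destDir = filepath.Clean(destDir)
+
 if err := requireExistingFile(logsPath); err != nil {
 return "", err
 }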
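Review bot: The added `destDir = filepath.Clean(destDir)` only normalizes the path lexically; it does not resolve symlinks, make the path absolute, or keep it under any base directory, so if this was meant as a path-safety check it does not provide one. If normalization is all that is intended, a comment would prevent it from being read as validation later, for example `// Clean only normalizes the path lexically; destDir must still come from a trusted source.` The rest of prepareMigrationPaths lies outside the hunk, so any later check on destDir is not visible here.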

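--- a/scripts/rolling-update.sh
+++ b/scripts/rolling-update.sh
@@ -363,24 +363,25 @@ update_one_node() {
 copy_raftadmin_to_remote "$node_id" "$ssh_target"
 
 ssh "${SSH_BASE_OPTS[@]}" "$ssh_target" \
-IMAGE="$IMAGE" \
-RAFTADMIN_BIN_PATH="$RAFTADMIN_REMOTE_BIN" \
-CONTAINER_NAME="$CONTAINER_NAME" \
-DATA_DIR="$DATA_DIR" \
-SERVER_ENTRYPOINT="$SERVER_ENTRYPOINT" \
-RAFT_PORT="$RAFT_PORT" \
-REDIS_PORT="$REDIS_PORT" \
-DYNAMO_PORT="$DYNAMO_PORT" \
-HEALTH_TIMEOUT_SECONDS="$HEALTH_TIMEOUT_SECONDS" \
-LEADERSHIP_TRANSFER_TIMEOUT_SECONDS="$LEADERSHIP_TRANSFER_TIMEOUT_SECONDS" \
-LEADER_DISCOVERY_TIMEOUT_SECONDS="$LEADER_DISCOVERY_TIMEOUT_SECONDS" \
-RAFTADMIN_RPC_TIMEOUT_SECONDS="$RAFTADMIN_RPC_TIMEOUT_SECONDS" \
-NODE_ID="$node_id" \
-NODE_HOST="$node_host" \
-ALL_NODE_IDS_CSV="$all_node_ids_csv" \
-ALL_NODE_HOSTS_CSV="$all_node_hosts_csv" \
-RAFT_TO_REDIS_MAP="$RAFT_TO_REDIS_MAP" \
-'bash -s' <<'REMOTE'
+env \
+IMAGE="$IMAGE" \
+RAFTADMIN_BIN_PATH="$RAFTADMIN_REMOTE_BIN" \
+CONTAINER_NAME="$CONTAINER_NAME" \
+DATA_DIR="$DATA_DIR" \
+SERVER_ENTRYPOINT="$SERVER_ENTRYPOINT" \
+RAFT_PORT="$RAFT_PORT" \
+REDIS_PORT="$REDIS_PORT" \
+DYNAMO_PORT="$DYNAMO_PORT" \
+HEALTH_TIMEOUT_SECONDS="$HEALTH_TIMEOUT_SECONDS" \
+LEADERSHIP_TRANSFER_TIMEOUT_SECONDS="$LEADERSHIP_TRANSFER_TIMEOUT_SECONDS" \
+LEADER_DISCOVERY_TIMEOUT_SECONDS="$LEADER_DISCOVERY_TIMEOUT_SECONDS" \
+RAFTADMIN_RPC_TIMEOUT_SECONDS="$RAFTADMIN_RPC_TIMEOUT_SECONDS" \
+NODE_ID="$node_id" \
+NODE_HOST="$node_host" \
+ALL_NODE_IDS_CSV="$all_node_ids_csv" \
+ALL_NODE_HOSTS_CSV="$all_node_hosts_csv" \
+RAFT_TO_REDIS_MAP="$RAFT_TO_REDIS_MAP" \
+bash -s <<'REMOTE'
 set -euo pipefail
 
 IFS=, read -r -a ALL_NODE_IDS <<< "$ALL_NODE_IDS_CSV"
@@ -619,6 +620,13 @@ run_container() {
 --raftRedisMap "$RAFT_TO_REDIS_MAP" >/dev/null
 }
 
+require_passwordless_sudo() {
+if ! sudo -n true 2>/dev/null; then
+echo "error: passwordless sudo is required on this host; configure NOPASSWD sudo for the remote user" >&2
+exit 1
+fi
+}
+
 archive_legacy_dir() {
 local dir="$1"
 local ts backup_dir moved
@@ -627,10 +635,10 @@ archive_legacy_dir() {
 ts="$(date -u +%Y%m%dT%H%M%SZ)"
 backup_dir="${dir%/}/legacy-boltdb-${ts}"
 
-sudo mkdir -p "$backup_dir"
+sudo -n mkdir -p "$backup_dir"
 for name in logs.dat stable.dat; do
-if sudo test -e "$dir/$name"; then
-sudo mv "$dir/$name" "$backup_dir/$name"
+if sudo -n test -e "$dir/$name"; then
+sudo -n mv "$dir/$name" "$backup_dir/$name"
 moved=1
 fi
 done
@@ -640,17 +648,17 @@ archive_legacy_dir() {
 return 0
 fi
 
-sudo rmdir "$backup_dir" 2>/dev/null || true
+sudo -n rmdir "$backup_dir" 2>/dev/null || true
 return 1
 }
 
 archive_default_legacy_dir() {
 local node_data_dir
 
 node_data_dir="${DATA_DIR%/}/${NODE_ID}"
-if sudo test -d "$node_data_dir"; then
+if sudo -n test -d "$node_data_dir"; then
 archive_legacy_dir "$node_data_dir" || true
-sudo rm -rf "${node_data_dir}/raft.db.migrating" 2>/dev/null || true
+sudo -n rm -rf "${node_data_dir}/raft.db.migrating" 2>/dev/null || true
 fi
 }
 
@@ -662,7 +670,7 @@ archive_legacy_dirs_from_logs() {
 while IFS= read -r dir; do
 [[ -n "$dir" ]] || continue
 archive_legacy_dir "$dir" || true
-sudo rm -rf "${dir}/raft.db.migrating" 2>/dev/null || true
+sudo -n rm -rf "${dir}/raft.db.migrating" 2>/dev/null || true
 found=1
 done < <(
 printf '%s\n' "$logs" |
@@ -686,7 +694,8 @@ if [[ "$new_image_id" == "$running_image_id" && "$running_status" == "running" ]
 echo "container is running but gRPC is not reachable; recreating"
 fi
 
-sudo mkdir -p "$DATA_DIR"
+require_passwordless_sudo
+sudo -n mkdir -p "$DATA_DIR"
 if [[ "$running_status" == "running" ]]; then
 ensure_not_leader_before_restart
 fi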
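Review bot: In the `update_one_node` hunk the `env VAR="$value" … bash -s` words are expanded locally and then joined by ssh into one string that the remote login shell parses again, so a value containing whitespace or shell metacharacters (for example in `$IMAGE`, `$DATA_DIR` or `$RAFT_TO_REDIS_MAP`) is split or interpreted on the remote host instead of reaching `env` intact. Switching from the assignment prefix to `env` does not change that. Quoting each assignment for the remote shell closes it: collect them in an array and pass `"env $(printf '%q ' "${remote_env[@]}") bash -s"` as a single ssh argument. This assumes the remote login shell is Bourne-compatible. The function starts and ends outside the hunk.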
