starlingx/metal
Code Issues Proposed changes
1,043 Commits 22 Branches 30 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kyale, Eliud 94b9761011 Replace bmc system() commands with fork() execv() 
Mtce uses the system() command to run the ipmitool and redfishtool.
The system() command launches a shell process that is susceptible
to code injection.
By switching to fork() execv() we can prevent command injection attacks
if for example the bmc parameters are compromised.

The bmc parameters are:
- bm_type
- bm_ip
- bm_username
- bm_password

These are initially provided as user input and stored
in either barbican (bm_password) or the sysinv postgres database.

If these parameters are compromised, the injected code will not be run.
For example, if bm_username="root; reboot&"
the reboot command will not be run.

Test plan:

PASS - Code testing: designer testing of failure paths, verifying logs
                     by compiling errors in the code
               - fork fail error path
               - file open failure path
               - dup/dup2 failure path
               - execv failure

PASS - AIO-SX: iso install
PASS - AIO-DX: iso install
PASS - AIO-SX: ipmi bmc sensor/device queries
               system host-sensor-list <controller-0>
PASS - AIO-SX: ipmi bmc reset
               designer modification of sysinv to allow simplex reset
PASS - AIO-SX: modify bmc parameters in postgres
               and verify bmc command failure and proper handling
               e.g bm_username="root; reboot&"
PASS - AIO-SX: file leak testing of execv error path
               sudo lsof -p `pidof mtcAgent`
               sudo lsof -p `pidof hwmond`
PASS - AIO-SX: memory leak and file leak testingsoak
               sudo /usr/sbin/dmemchk.sh --C mtcAgent hwmond
PASS - AIO-DX: ipmi bmc reset
               Virtual machine AIO-DX configured to physical bmc
               simulate reset on virtual machine by power down
               at the same time as system host-reset <controller>
PASS - AIO-DX: ipmi bmc sensor/device queries
               system host-sensor-list <controller-0|1>

Example postgres commands to compromise the bm_username parameter:

sudo -u postgres \
psql -d sysinv \
-c "select bm_username from i_host where hostname='controller-0';"

sudo -u postgres \
psql -d sysinv \
-c \
"update i_host set bm_username='root; reboot&' "\
"where hostname='controller-0';"

Story: 2011095
Task: 50344

Change-Id: I250900d1c757d7e04058f4c954502b1a38db235e
Signed-off-by: Kyale, Eliud <Eliud.Kyale@windriver.com>
2024-06-13 14:43:44 -04:00
api-ref/source
Fix reference to LLDP neighbors API path in the documentation
2024-02-22 16:32:47 -03:00
bsp-files
Upversion to 24.09
2024-05-15 15:29:41 -03:00
devstack
Security: Handle nospectre_v1 in the bootargs
2020-01-28 18:21:13 -05:00
doc
Fix tox-docs failing sphinx
2023-08-29 16:50:22 -04:00
installer
Fix kickstarts patching
2023-10-11 14:40:38 +00:00
kickstart
Add a ostree pull retry if the first pull attempt fails
2024-06-06 18:12:51 +00:00
mtce
Replace bmc system() commands with fork() execv()
2024-06-13 14:43:44 -04:00
mtce-common
Replace bmc system() commands with fork() execv()
2024-06-13 14:43:44 -04:00
mtce-compute
Remove qemu dependency from mtce-compute and mtce-control
2023-12-04 14:19:28 +00:00
mtce-control
Add ipsec auth server pmon configuration
2024-02-09 16:05:18 -03:00
mtce-storage
Update mtce debian package ver based on git
2023-03-02 14:50:35 +00:00
releasenotes
Switch to newer openstackdocstheme and reno versions
2020-06-04 14:32:46 +02:00
tools
Set longer shutdown time and fix power state error log
2023-10-05 17:12:19 -04:00
.gitignore
Update tox.ini files to use stein constraints
2019-06-25 13:20:35 -04:00
.gitreview
OpenDev Migration Patch
2019-04-19 19:52:33 +00:00
.zuul.yaml
Fix github mirroring for this repo
2023-04-28 12:38:51 -04:00
centos_build_layer.cfg
Build layering, add layer build config file
2019-10-15 19:19:45 +08:00
centos_iso_image.inc
Remove unused inventory and python-inventoryclient
2020-01-08 14:12:05 -06:00
centos_pkg_dirs
rvmc: remove un-used build data
2020-01-16 08:39:54 -08:00
centos_stable_docker_images.inc
Utility to install a server via Redfish
2019-12-31 15:34:54 +00:00
CONTRIBUTORS.wrs
StarlingX open source release updates
2018-05-31 07:36:43 -07:00
debian_build_layer.cfg
Add debian_build_layer.cfg file
2021-10-05 14:08:23 -04:00
debian_iso_image.inc
Debian: metal: update debian_iso_image.inc
2022-11-16 12:06:51 +08:00
debian_pkg_dirs
Include upgrades meta files to Debian ISO
2022-08-02 21:01:58 +00:00
debian_stable_docker_images.inc
debian: port rvmc docker image to Debian
2022-08-12 16:30:01 +00:00
LICENSE
StarlingX open source release updates
2018-05-31 07:36:43 -07:00
pylint.rc
Add pylint py3 portability checks for the metal repo
2021-09-13 11:57:42 -03:00
README.rst
starlingx/metal README improvement
2023-07-19 12:32:13 -03:00
test-requirements.txt
Removed wait_for_worker_config_init in AIO systems
2021-07-08 18:48:28 -04:00
tox.ini
Update tox.ini to work with tox 4
2022-12-26 23:26:54 +00:00

README.rst

metal

The starlingx/metal repository handles StarlingX Bare Metal Management1.

This repository is not intended to be developed standalone, but rather as part of the StarlingX Source System, which is defined by the StarlingX manifest2.

References

  1. https://docs.starlingx.io/api-ref/metal↩︎

  2. https://opendev.org/starlingx/manifest.git↩︎

Description
StarlingX Bare Metal and Node Management, Hardware Maintenance
Readme 15 MiB
Languages
C++ 82.9%
Shell 10.2%
Python 3.3%
C 2.6%
Makefile 1%