ENT-13005: Added integrity check to cf-remote remote installation#174
Conversation
victormlg
force-pushed
the
improved-remote-download
branch
from
6c48260 to
f43babf
Compare
victormlg
force-pushed
the
improved-remote-download
branch
from
f43babf to
c52900a
Compare
larsewi
left a comment
larsewi
left a comment
There was a problem hiding this comment.
Remember to test the script 😉
victormlg
force-pushed
the
improved-remote-download
branch
from
c52900a to
b680be0
Compare
larsewi
left a comment
larsewi
left a comment
There was a problem hiding this comment.
Most of these checks can be done before you actually download the file. Maybe do these checks first, and then download.
victormlg
force-pushed
the
improved-remote-download
branch
from
b680be0 to
8cb770f
Compare
olehermanse
left a comment
olehermanse
left a comment
There was a problem hiding this comment.
Please expand nt-discovery.sh and then do the error checking as early as possible (as fast as possible). This way you can detect errors right after running nt-discovery.sh, without having to transfer over another script.
victormlg
force-pushed
the
improved-remote-download
branch
2 times, most recently
from
3e755d9 to
ea263af
Compare
victormlg
force-pushed
the
improved-remote-download
branch
from
ea263af to
ca9da21
Compare
|
|
||
| print("Downloading '%s' on '%s' using curl" % (package, host)) | ||
| r = ssh_cmd( | ||
| cmd="curl --fail -O {}".format(package), connection=connection, errors=True |
There was a problem hiding this comment.
This code preferred curl. Why is wget preferred now?
There was a problem hiding this comment.
This is intended in the ticket https://northerntech.atlassian.net/browse/ENT-13005
There was a problem hiding this comment.
I don't think that's right, the ticket says;
Download with wget if that is available and curl is not
There was a problem hiding this comment.
In the initial PR I made it used curl as the default, but then changed it to wget after correction. What I mean that I changed it because it should be like it is now
victormlg
force-pushed
the
improved-remote-download
branch
2 times, most recently
from
63c24f3 to
5737c1f
Compare
victormlg
force-pushed
the
improved-remote-download
branch
from
5737c1f to
4296c22
Compare
larsewi
left a comment
larsewi
left a comment
There was a problem hiding this comment.
Consider using shlex.quote() on the passed arguments when building the shell commands in cf-remote. You could argue that if you can connect to a remote machine as root, then shell injection is not really a problem. But still it's good hygiene.
The commands are already manually escaped inside ssh_cmd and ssh_sudo. So adding one more layer of quoting with shlex breaks the remote command. I think it would make sense to add this in a separate PR, and handle everything in the ssh functions. |
Ticket: ENT-13005 Signed-off-by: Victor Moene <victor.moene@northern.tech>
victormlg
force-pushed
the
improved-remote-download
branch
from
4296c22 to
53ede36
Compare
3 participants
No description provided.