Fix /tmp directory by secure location

build/base.install

@@ -256,8 +256,10 @@ install_megacli() {
                 wget "https://github.com/enovance/edeploy-roles/blob/master/files/${MEGACLIVER}_MegaCLI_Linux.zip?raw=true" -O  $MEGACLIZIP
             fi
             if [ -r "$MEGACLIZIP" ]; then
-                unzip "${MEGACLIZIP}" "${MEGACLIVER}_MegaCLI_Linux/Linux MegaCLI ${MEGACLIVER}/MegaCli-${MEGACLIVER}-1.noarch.rpm" -d $target/tmp
-                chroot $target rpm -ivh "/tmp/${MEGACLIVER}_MegaCLI_Linux/Linux MegaCLI ${MEGACLIVER}/MegaCli-${MEGACLIVER}-1.noarch.rpm"
+                TMP_BUILD=$(mktemp -d --suffix=-edeploy --tmpdir=$target/tmp)
+                unzip "${MEGACLIZIP}" "${MEGACLIVER}_MegaCLI_Linux/Linux MegaCLI ${MEGACLIVER}/MegaCli-${MEGACLIVER}-1.noarch.rpm" -d $TMP_BUILD
+                CHROOT_TMP_BUILD=$(echo -n ${TMP_BUILD} | sed "s#${target}##")
+                chroot $target rpm -ivh "${CHROOT_TMP_BUILD}/${MEGACLIVER}_MegaCLI_Linux/Linux MegaCLI ${MEGACLIVER}/MegaCli-${MEGACLIVER}-1.noarch.rpm"
                 chroot $target ln -sf /opt/MegaRAID/MegaCli/MegaCli64 /usr/sbin/megacli
             else
                 echo "NO MEGACLI ARCHIVE AVAILABLE: download it from www.lsi.com" 1>&2
@@ -274,10 +276,12 @@ install_hp_raid_cli_tool() {
         if [ ! -r $target/../../$package_name ]; then
             wget --no-verbose http://downloads.linux.hp.com/SDR/downloads/MCP/pool/non-free/$package_name -O $target/../../$package_name
         fi
-        cp $target/../../$package_name $target/tmp/
+        TMP_BUILD=$(mktemp -d --suffix=-edeploy --tmpdir=$target/tmp)
+        cp $target/../../$package_name ${TMP_BUILD}
         install_packages $target "python-pexpect"
-        do_chroot $target dpkg -i /tmp/$package_name
-        rm -f $target/tmp/$package_name
+        CHROOT_TMP_BUILD=$(echo -n ${TMP_BUILD} | sed "s#${target}##")
+        do_chroot $target dpkg -i ${CHROOT_TMP_BUILD}/$package_name
+        [ -d ${TMP_BUILD} ] && rm -Rf ${TMP_BUILD}
     elif [ "$(package_type)" = "rpm" ]; then
         install_packages $target "pexpect"
         if [ ! -f "$target/usr/sbin/hpacucli" ]; then

build/img.embedded

@@ -38,7 +38,7 @@ HEALTHDIR=/flash/$vardir//health/
 CONFIGDIR=/flash/$vardir/config
 LOGDIR=/flash/$vardir/config/logs
 HWDIR=/flash/$vardir/hw
-LOCKFILE=/tmp/edeploy.lock
+LOCKFILE=/var/run/edeploy.lock
 USEPXEMNGR=False
 #METADATAURL = http://192.168.122.1/
 EOF

build/img.install

@@ -30,7 +30,7 @@ VDI_IMAGE="$IMG-$ver.vdi"
 FLASH_SIZE=256 #in Megabytes
 LOOPBACK_BOOT=NONE
 LOOPBACK_DATA=NONE
-BOOT_MOUNT_POINT=/tmp/$2-$3.tmp
+BOOT_MOUNT_POINT=$(mktemp -d)-$2-$3.tmp
 
 . $LOCAL_PATH/img.embedded
 

build/infiniband

@@ -28,9 +28,11 @@ ORIG=$(cd $(dirname $0); pwd)
 
 # sdpnetstat is not in Ubuntu Trusty yet.
 if [ "$RELEASE" = "trusty" ]; then
-    wget --no-verbose 'http://cs.stanford.edu/pub/mirrors/ubuntu/ubuntu/pool/universe/s/sdpnetstat/sdpnetstat_1.60-1ubuntu2_amd64.deb' -O ${dir}/tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
-    do_chroot $dir dpkg -i /tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
-    do_chroot $dir rm /tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
+    TMP_DIR=$(mktemp -d --suffix=-edeploy --tmpdir=$dir/tmp)
+    wget --no-verbose 'http://cs.stanford.edu/pub/mirrors/ubuntu/ubuntu/pool/universe/s/sdpnetstat/sdpnetstat_1.60-1ubuntu2_amd64.deb' -O ${TMP_DIR}/sdpnetstat_1.60-1ubuntu2_amd64.deb
+    CHROOT_TMP_DIR=$(echo -n $TMP_DIR | sed "s#$dir##")
+    do_chroot $dir dpkg -i  ${CHROOT_TMP_DIR}/sdpnetstat_1.60-1ubuntu2_amd64.deb
+    [ -d ${TMP_DIR} ] && rm -Rf ${TMP_DIR}
 fi
 
 case "$(package_type)" in

build/init

@@ -395,18 +395,20 @@ if /configure; then
                             fi
                         fi
 
-                        cp $d/boot/vmlinuz*$KVER* /tmp/vmlinuz || give_up "Kexec: Unable to copy kernel"
+                        TMP_BUILD=$(mktemp -d --suffix=-edeploy)
+                        cp $d/boot/vmlinuz*$KVER* ${TMP_BUILD}/vmlinuz || give_up "Kexec: Unable to copy kernel"
                         if ls $d/boot/initrd*$KVER* &>/dev/null; then
-                            cp $d/boot/initrd*$KVER* /tmp/initrd.img || give_up "Kexec: Unable to copy initrd"
+                            cp $d/boot/initrd*$KVER* ${TMP_BUILD}/initrd.img || give_up "Kexec: Unable to copy initrd"
                         else
-                            cp $d/boot/initramfs*$KVER* /tmp/initrd.img || give_up "Kexec: Unable to copy initrd"
+                            cp $d/boot/initramfs*$KVER* ${TMP_BUILD}/initrd.img || give_up "Kexec: Unable to copy initrd"
                         fi
 
                         eval $(grep root=UUID= $d/boot/grub/grub.cfg|head -1|tr ' ' '\n'|grep '^root=UUID=')
                         if [ -z "$root" ]; then
                             log "Kexec: using alternative root detection"
                             root=$(grep 'root=' $d/boot/grub/grub.cfg | grep vmlinuz | head -1 | sed -e 's/.*root=\(.*\)/\1/g' | awk '{print $1}')
                         fi
+                        [ -d ${TMP_BUILD} ] && rm -Rf ${TMP_BUILD}
 
                         umount $d/boot
                         umount $d
@@ -423,7 +425,7 @@ if /configure; then
                         else
                             log "Kexec: Starting with append=root=${root}${BOOT_ARG}"
                             upload_log
-                            kexec -l /tmp/vmlinuz --initrd=/tmp/initrd.img --append="root=${root}${BOOT_ARG}"
+                            kexec -l ${TMP_BUILD}/vmlinuz --initrd=${TMP_BUILD}/initrd.img --append="root=${root}${BOOT_ARG}"
                             kexec -e
                         fi
                     else

build/remote-install.sh

@@ -101,8 +101,8 @@ done
 reboot -f
 EOF
 
-scp "$SCR" "$DST":/tmp/
+scp "$SCR" "$DST":/var/run
 rsync -e ssh -avP --numeric-ids --delete-after --exclude-from="$EXCL" "$src/"  "$DST":/
-ssh "$DST" bash /tmp/$(basename $SCR)
+ssh "$DST" bash /var/run/$(basename $SCR)
 
 # remote-install.sh ends here

docs/eDeployUserGuide.rst

@@ -932,7 +932,7 @@ An example of `/etc/edeploy.conf`
    CONFIGDIR = /var/lib/edeploy/config/
    LOGDIR = /var/lib/edeploy/config/logs
    HWDIR = /var/lib/edeploy/hw/
-   LOCKFILE = /tmp/edeploy.lock
+   LOCKFILE = /var/run/edeploy.lock
    USEPXEMNGR = True
    PXEMNGRURL = http://192.168.122.1:8000/
    METADATAURL = http://192.168.122.1/

server/edeploy.conf

@@ -4,7 +4,7 @@ HEALTHDIR=/var/lib/edeploy/health/
 CONFIGDIR=/root/edeploy/config
 LOGDIR=/root/edeploy/config/logs
 HWDIR=/root/edeploy/config/hw
-LOCKFILE=/tmp/edeploy.lock
+LOCKFILE=/var/run/edeploy.lock
 USEPXEMNGR=False
 PXEMNGRURL=http://192.168.122.1:8000/
 #METADATAURL = http://192.168.122.1/

server/upload.py

@@ -435,7 +435,7 @@ def config_get(section, name, default):
         fatal_error("'Invalid hardware file: %s'" % str(excpt))
 
     # avoid concurrent accesses
-    lock_filename = config_get(section, 'LOCKFILE', '/tmp/edeploy.lock')
+    lock_filename = config_get(section, 'LOCKFILE', '/var/run/edeploy.lock')
     try:
         lockfd = lock(lock_filename)
     except Exception, excpt:

src/health-client.py

@@ -164,7 +164,7 @@ def cleanup():
         s.close()
 
 if __name__ == '__main__':
-    HP.start_log('/var/tmp/health-client.log', logging.DEBUG)
+    HP.start_log('/var/log/health-client.log', logging.DEBUG)
     atexit.register(cleanup)
     if len(sys.argv) < 3:
         HP.logger.error("You must provide an hardware file and a host to "

tests/run_kvm.sh

@@ -28,7 +28,7 @@ DEBUG_SSH_PORT=2222
 SSH_PORT=222
 PYTHON_PID=0
 RSYNC_PID=0
-LOCKFILE=/tmp/edeploy.lock
+LOCKFILE=/var/run/edeploy.lock
 SYSLINUX_VER=5.10
 
 fatal_error() {

tools/jenkins-build.sh

@@ -17,7 +17,7 @@ shift
 ARCH="$1"
 shift
 
-if [ -f /var/tmp/froze-builds ]; then
+if [ -f /var/run/froze-builds ]; then
     exit 0
 fi