websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.0.5

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:50:50 +02:00
parent 8ff3be4216
commit 3bfaa6e020
2049 changed files with 317193 additions and 1632423 deletions
Download Patch File Download Diff File Expand all files Collapse all files

525
install/tools/ipa-replica-conncheck
View File

@@ -18,81 +18,57 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import ipaclient.install.ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.dn import DN
from ipapython import version
from ipapython import ipautil, certdb
from ipalib import api, errors, x509
from ipapython import ipautil
from ipapython import dogtag
from ipapython.ipautil import CalledProcessError
from ipaserver.install import installutils
# pylint: disable=deprecated-module
from optparse import OptionGroup, OptionValueError
# pylint: enable=deprecated-module
from ipapython.ipa_log_manager import standard_logging_setup
import copy
import ipaclient.ipachangeconf
from optparse import OptionGroup
from ipapython.ipa_log_manager import *
import sys
import os
import signal
import tempfile
import select
import socket
import time
import threading
import traceback
import errno
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
import gssapi
logger = logging.getLogger(os.path.basename(__file__))
CONNECT_TIMEOUT = 5
RESPONDER = None
RESPONDERS = [ ]
QUIET = False
CCACHE_FILE = None
CCACHE_FILE = paths.CONNCHECK_CCACHE
KRB5_CONFIG = None
class SshExec(object):
def __init__(self, user, addr):
self.user = user
self.addr = addr
self.cmd = distutils.spawn.find_executable('ssh')
# Bail if ssh is not installed
if self.cmd is None:
raise RuntimeError("ssh not installed")
def __call__(self, command, verbose=False):
# Bail if ssh is not installed
if self.cmd is None:
print "WARNING: ssh not installed, skipping ssh test"
return ('', '', 0)
tmpf = tempfile.NamedTemporaryFile()
cmd = [
self.cmd,
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'-o GSSAPIAuthentication=yes',
'-o User=%s' % self.user,
'%s' % self.addr,
command
'%s@%s' % (self.user, self.addr), command
]
if verbose:
cmd.insert(1, '-v')
env = dict()
if KRB5_CONFIG is not None:
env['KRB5_CONFIG'] = KRB5_CONFIG
elif 'KRB5_CONFIG' in os.environ:
env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
if CCACHE_FILE is not None:
env['KRB5CCNAME'] = CCACHE_FILE
elif 'KRB5CCNAME' in os.environ:
env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
return ipautil.run(cmd, env=env, raiseonerr=False,
capture_output=True, capture_error=True)
env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
return ipautil.run(cmd, env=env, raiseonerr=False)
class CheckedPort(object):
@@ -101,7 +77,6 @@ class CheckedPort(object):
self.port_type = port_type
self.description = description
BASE_PORTS = [
CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
@@ -114,27 +89,11 @@ BASE_PORTS = [
]
def print_info(msg):
if not QUIET:
print msg
def parse_options():
def ca_cert_file_callback(option, opt, value, parser):
if not os.path.exists(value):
raise OptionValueError(
"%s option '%s' does not exist" % (opt, value))
if not os.path.isfile(value):
raise OptionValueError(
"%s option '%s' is not a file" % (opt, value))
if not os.path.isabs(value):
raise OptionValueError(
"%s option '%s' is not an absolute file path" % (opt, value))
try:
x509.load_certificate_list_from_file(value)
except Exception:
raise OptionValueError(
"%s option '%s' is not a valid certificate file" %
(opt, value))
parser.values.ca_cert_file = value
parser = IPAOptionParser(version=version.VERSION)
replica_group = OptionGroup(parser, "on-replica options")
@@ -149,13 +108,9 @@ def parse_options():
replica_group.add_option("-k", "--kdc", dest="kdc",
help="Master KDC. Defaults to master address")
replica_group.add_option("-p", "--principal", dest="principal",
default=None, help="Principal to use to log in to remote master")
default="admin", help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal")
replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
type="string", action="callback",
callback=ca_cert_file_callback,
help="load the CA certificate from this file")
help="Password for the principal"),
parser.add_option_group(replica_group)
@@ -173,8 +128,7 @@ def parse_options():
common_group.add_option("", "--hostname", dest="hostname",
help="The hostname of this server (FQDN). "
"By default the result of getfqdn() call from "
"Python's socket module is used.")
"By default a nodename from uname(2) is used.")
parser.add_option_group(common_group)
parser.add_option("-d", "--debug", dest="debug",
@@ -183,10 +137,8 @@ def parse_options():
parser.add_option("-q", "--quiet", dest="quiet",
action="store_true",
default=False, help="Output only errors")
parser.add_option("--no-log", dest="log_to_file", action="store_false",
default=True, help="Do not log into file")
options, _args = parser.parse_args()
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.master and options.replica:
@@ -207,18 +159,30 @@ def parse_options():
if not options.hostname:
options.hostname = socket.getfqdn()
return safe_options, options
if options.quiet:
global QUIET
QUIET = True
return safe_options, options
def logging_setup(options):
log_file = None
if os.getegid() == 0 and options.log_to_file:
if os.getegid() == 0:
log_file = paths.IPAREPLICA_CONNCHECK_LOG
standard_logging_setup(log_file, verbose=(not options.quiet),
debug=options.debug, console_format='%(message)s')
standard_logging_setup(log_file, debug=options.debug)
def clean_responders(responders):
if not responders:
return
for responder in responders:
responder.stop()
for responder in responders:
responder.join()
responders.remove(responder)
def sigterm_handler(signum, frame):
# do what SIGINT does (raise a KeyboardInterrupt)
@@ -226,10 +190,9 @@ def sigterm_handler(signum, frame):
if callable(sigint_handler):
sigint_handler(signum, frame)
def configure_krb5_conf(realm, kdc, filename):
krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment((" = ", " "))
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
@@ -244,8 +207,7 @@ def configure_krb5_conf(realm, kdc, filename):
libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'true'})
libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
opts.append({'name':'empty', 'type':'empty'})
@@ -269,123 +231,45 @@ def configure_krb5_conf(realm, kdc, filename):
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
logger.debug("Writing temporary Kerberos configuration to %s:\n%s",
filename, krbconf.dump(opts))
root_logger.debug("Writing temporary Kerberos configuration to %s:\n%s"
% (filename, krbconf.dump(opts)))
krbconf.newConf(filename, opts)
class PortResponder(threading.Thread):
PROTO = {socket.SOCK_STREAM: 'tcp',
socket.SOCK_DGRAM: 'udp'}
def __init__(self, ports):
"""
ports: a list of CheckedPort
"""
def __init__(self, port, port_type, socket_timeout=1):
super(PortResponder, self).__init__()
# copy ports to avoid the need to synchronize it between threads
self.ports = copy.deepcopy(ports)
self._sockets = []
self._close = False
self._close_lock = threading.Lock()
self.responder_data = b'FreeIPA'
self.ports_opened = False
self.ports_open_cond = threading.Condition()
self.port = port
self.port_type = port_type
self.socket_timeout = socket_timeout
self._stop_request = False
def run(self):
logger.debug('Starting listening thread.')
for port in self.ports:
self._bind_to_port(port.port, port.port_type)
with self.ports_open_cond:
self.ports_opened = True
logger.debug('Ports opened, notify original thread')
self.ports_open_cond.notify()
while not self._is_closing():
ready_socks, _socks1, _socks2 = select.select(
self._sockets, [], [], 1)
if ready_socks:
ready_sock = ready_socks[0]
self._respond(ready_sock)
for sock in self._sockets:
port = sock.getsockname()[1]
proto = PortResponder.PROTO[sock.type]
sock.close()
logger.debug('%d %s: Stopped listening', port, proto)
def _is_closing(self):
with self._close_lock: # pylint: disable=not-context-manager
return self._close
def _bind_to_port(self, port, socket_type):
# Use IPv6 socket as it is able to accept both IPv6 and IPv4
# connections. Since IPv6 kernel module is required by other
# parts of IPA, it should always be available.
family = socket.AF_INET6
host = '::' # all available interfaces
proto = PortResponder.PROTO[socket_type]
try:
sock = socket.socket(family, socket_type)
# Make sure IPv4 clients can connect to IPv6 socket
sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
if socket_type == socket.SOCK_STREAM:
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((host, port))
if socket_type == socket.SOCK_STREAM:
# There might be a delay before accepting the connection,
# because a single thread is used to handle all the
# connections. Thus a backlog size of at least 1 is needed.
sock.listen(1)
logger.debug('%d %s: Started listening', port, proto)
except socket.error:
logger.warning('%d %s: Failed to bind', port, proto)
logger.debug("%s", traceback.format_exc())
else:
self._sockets.append(sock)
def _respond(self, sock):
port = sock.getsockname()[1]
if sock.type == socket.SOCK_STREAM:
connection, addr = sock.accept()
while not self._stop_request:
try:
connection.sendall(self.responder_data)
logger.debug('%d tcp: Responded to %s', port, addr[0])
finally:
connection.close()
elif sock.type == socket.SOCK_DGRAM:
_data, addr = sock.recvfrom(1)
sock.sendto(self.responder_data, addr)
logger.debug('%d udp: Responded to %s', port, addr[0])
ipautil.bind_port_responder(self.port,
self.port_type,
socket_timeout=self.socket_timeout,
responder_data="FreeIPA")
except socket.timeout:
pass
except socket.error, e:
if e.errno == errno.EADDRINUSE:
time.sleep(1)
else:
raise
def stop(self):
logger.debug('Stopping listening thread.')
with self._close_lock: # pylint: disable=not-context-manager
self._close = True
self._stop_request = True
def port_check(host, port_list):
ports_failed = []
ports_udp_warning = [] # conncheck could not verify that port is open
log_level = {
SOCK_DGRAM: logging.WARNING,
SOCK_STREAM: logging.ERROR
}
for port in port_list:
try:
port_open = ipautil.host_port_open(
host, port.port, port.port_type,
socket_timeout=CONNECT_TIMEOUT, log_errors=True,
log_level=log_level[port.port_type])
port_open = ipautil.host_port_open(host, port.port,
port.port_type, socket_timeout=CONNECT_TIMEOUT)
except socket.gaierror:
raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
if port_open:
@@ -397,14 +281,13 @@ def port_check(host, port_list):
else:
ports_failed.append(port)
result = "FAILED"
logger.info(" %s (%d): %s", port.description, port.port, result)
print_info(" %s (%d): %s" % (port.description, port.port, result))
if ports_udp_warning:
logger.warning(
("The following UDP ports could not be verified as open: %s\n"
"This can happen if they are already bound to an application\n"
"and ipa-replica-conncheck cannot attach own UDP responder."),
", ".join(str(port.port) for port in ports_udp_warning))
print "The following UDP ports could not be verified as open: %s" \
% ", ".join(str(port.port) for port in ports_udp_warning)
print "This can happen if they are already bound to an application"
print "and ipa-replica-conncheck cannot attach own UDP responder."
if ports_failed:
msg_ports = []
@@ -414,15 +297,13 @@ def port_check(host, port_list):
raise RuntimeError("Port check failed! Inaccessible port(s): %s" \
% ", ".join(msg_ports))
def main():
global RESPONDER
safe_options, options = parse_options()
logging_setup(options)
logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
logger.debug("missing options might be asked for interactively later\n")
logger.debug('IPA version %s', version.VENDOR_VERSION)
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
signal.signal(signal.SIGTERM, sigterm_handler)
@@ -430,228 +311,122 @@ def main():
if options.check_ca:
# Check old Dogtag CA replication port
# New installs with unified databases use main DS port (checked above)
required_ports.append(CheckedPort(7389, SOCK_STREAM,
"PKI-CA: Directory Service port"))
required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT,
SOCK_STREAM, "PKI-CA: Directory Service port"))
if options.replica:
logger.info("Check connection from master to remote replica '%s':",
options.replica)
print_info("Check connection from master to remote replica '%s':" % options.replica)
port_check(options.replica, required_ports)
logger.info("\nConnection from master to replica is OK.")
print_info("\nConnection from master to replica is OK.")
# kinit to foreign master
if options.master:
# check ports on master first
logger.info("Check connection from replica to remote master '%s':",
options.master)
print_info("Check connection from replica to remote master '%s':" % options.master)
tcp_ports = [ port for port in required_ports if port.port_type == SOCK_STREAM ]
udp_ports = [ port for port in required_ports if port.port_type == SOCK_DGRAM ]
port_check(options.master, tcp_ports)
if udp_ports:
logger.info("\nThe following list of ports use UDP protocol"
"and would need to be\n"
"checked manually:")
print_info("\nThe following list of ports use UDP protocol and would need to be")
print_info("checked manually:")
for port in udp_ports:
result = "SKIPPED"
logger.info(" %s (%d): %s",
port.description, port.port, result)
print_info(" %s (%d): %s" % (port.description, port.port, result))
logger.info("\nConnection from replica to master is OK.")
print_info("\nConnection from replica to master is OK.")
# create listeners
logger.info("Start listening on required ports for remote "
"master check")
global RESPONDERS
print_info("Start listening on required ports for remote master check")
RESPONDER = PortResponder(required_ports)
RESPONDER.start()
with RESPONDER.ports_open_cond:
if not RESPONDER.ports_opened:
logger.debug('Original thread stopped')
RESPONDER.ports_open_cond.wait()
logger.debug('Original thread resumed')
for port in required_ports:
root_logger.debug("Start listening on port %d (%s)" % (port.port, port.description))
responder = PortResponder(port.port, port.port_type)
responder.start()
RESPONDERS.append(responder)
remote_check_opts = ['--replica %s' % options.hostname]
if options.auto_master_check:
logger.info("Get credentials to log in to remote master")
cred = None
if options.principal is None:
# Check if ccache is available
try:
logger.debug('KRB5CCNAME set to %s',
os.environ.get('KRB5CCNAME', None))
# get default creds, will raise if none found
cred = gssapi.creds.Credentials()
principal = str(cred.name)
except gssapi.raw.misc.GSSError as e:
logger.debug('Failed to find default ccache: %s', e)
# Use admin as the default principal
principal = "admin"
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
print_info("Get credentials to log in to remote master")
if options.principal.find('@') == -1:
principal = '%s@%s' % (options.principal, options.realm)
user = options.principal
else:
principal = options.principal
user = options.principal.partition('@')[0]
if cred is None:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
(ccache_fd, ccache_name) = tempfile.mkstemp()
os.close(ccache_fd)
global CCACHE_FILE
CCACHE_FILE = ccache_name
if principal.find('@') == -1:
principal = '%s@%s' % (principal, options.realm)
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
result = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Cannot acquire Kerberos ticket: %s" %
result.error_output)
# Verify kinit was actually successful
result = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" %
result.error_output)
# Now that the cred cache file is initialized,
# use it for the IPA API calls
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
logger.info("Check RPC connection to remote master")
xmlrpc_uri = ('https://%s/ipa/xml' %
ipautil.format_netloc(options.master))
if options.ca_cert_file:
nss_dir = None
else:
nss_dir = paths.IPA_NSSDB_DIR
with certdb.NSSDatabase(nss_dir) as nss_db:
if options.ca_cert_file:
nss_db.create_db()
ca_certs = x509.load_certificate_list_from_file(
options.ca_cert_file)
for ca_cert in ca_certs:
nss_db.add_cert(
ca_cert,
str(DN(ca_cert.subject)),
certdb.EXTERNAL_CA_TRUST_FLAGS)
api.bootstrap(context='client',
confdir=paths.ETC_IPA,
xmlrpc_uri=xmlrpc_uri,
nss_dir=nss_db.secdir)
api.finalize()
try:
api.Backend.rpcclient.connect()
api.Command.ping()
except Exception as e:
logger.info(
"Could not connect to the remote host: %s", e)
raise
logger.info("Execute check on remote master")
try:
result = api.Backend.rpcclient.forward(
'server_conncheck',
ipautil.fsdecode(options.master),
ipautil.fsdecode(options.hostname),
version=u'2.162',
)
except (errors.CommandError, errors.NetworkError) as e:
logger.info(
"Remote master does not support check over RPC: "
"%s", e)
raise
except errors.PublicError as e:
returncode = 1
stderr = e
else:
for message in result['messages']:
logger.info('%s', message['message'])
returncode = int(not result['result'])
stderr = ("ipa-replica-conncheck returned non-zero "
"exit code")
finally:
if api.Backend.rpcclient.isconnected():
api.Backend.rpcclient.disconnect()
except Exception as e:
logger.debug("RPC connection failed: %s", e)
logger.info("Retrying using SSH...")
# Ticket 5812 Always qualify requests for admin
user = principal
try:
ssh = SshExec(user, options.master)
except RuntimeError as e:
logger.warning("WARNING: %s, skipping ssh test", e)
return 0
logger.info("Check SSH connection to remote master")
result = ssh('echo OK', verbose=True)
if result.returncode != 0:
logger.debug('%s', result.error_output)
raise RuntimeError(
'Could not SSH to remote host.\n'
'See /var/log/ipareplica-conncheck.log for more '
'information.')
logger.info("Execute check on remote master")
result = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
returncode = result.returncode
stderr = result.error_output
logger.info('%s', result.output)
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False)
if returncode != 0:
raise RuntimeError(
"Remote master check failed with following "
"error message(s):\n%s" % stderr)
raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
# Verify kinit was actually successful
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False)
if returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" % stderr)
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
stdout, stderr, returncode = ssh('echo OK', verbose=True)
if returncode != 0:
print 'Could not SSH into remote host. Error output:'
for line in stderr.splitlines():
print ' %s' % line
raise RuntimeError('Could not SSH to remote host.')
print_info("Execute check on remote master")
stdout, stderr, returncode = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
print_info(stdout)
if returncode != 0:
raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
else:
# wait until user test is ready
logger.info(
"Listeners are started. Use CTRL+C to terminate the listening "
"part after the test.\n\n"
"Please run the following command on remote master:\n"
"/usr/sbin/ipa-replica-conncheck %s",
" ".join(remote_check_opts))
time.sleep(3600)
logger.info(
"Connection check timeout: terminating listening program")
print_info("Listeners are started. Use CTRL+C to terminate the listening part after the test.")
print_info("")
print_info("Please run the following command on remote master:")
print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
time.sleep(3600)
print_info("Connection check timeout: terminating listening program")
if __name__ == "__main__":
try:
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt:
logger.info("\nCleaning up...")
sys.exit(1)
except RuntimeError as e:
logger.error('ERROR: %s', e)
print_info("\nCleaning up...")
sys.exit(1)
except RuntimeError, e:
sys.exit(e)
finally:
if RESPONDER is not None:
RESPONDER.stop()
RESPONDER.join()
clean_responders(RESPONDERS)
for file_name in (CCACHE_FILE, KRB5_CONFIG):
if file_name:
try: