#!/usr/bin/env perl # IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html use strict; use warnings; use Carp qw(cluck confess); BEGIN { $::XCATROOT = $ENV{'XCATROOT'} ? $ENV{'XCATROOT'} : '/opt/xcat'; } # if AIX - make sure we include perl 5.8.2 in INC path. # Needed to find perl dependencies shipped in deps tarball. if ($^O =~ /^aix/i) { use lib "/usr/opt/perl5/lib/5.8.2/aix-thread-multi"; use lib "/usr/opt/perl5/lib/5.8.2"; use lib "/usr/opt/perl5/lib/site_perl/5.8.2/aix-thread-multi"; use lib "/usr/opt/perl5/lib/site_perl/5.8.2"; } use lib "$::XCATROOT/lib/perl"; use Storable qw(freeze thaw); use xCAT::Utils; use xCAT::MsgUtils; use File::Path; use Time::HiRes qw(sleep); use Thread qw(yield); use Fcntl ":flock"; use xCAT::Client qw(submit_request); my $clientselect = new IO::Select; my $sslclients = 0; #THROTTLE my $maxsslclients = 64; #default sub xexit { while (wait() > 0) { yield; } exit @_; } my $dispatch_children=0; my %dispatched_children=(); my $plugin_numchildren=0; my %plugin_children; my $inet6support; if ($^O =~ /^aix/i) { # disable AIX IPV6 TODO $inet6support = 0; } else { $inet6support=eval { require Socket6 }; } if ($inet6support) { $inet6support = eval { require IO::Socket::INET6 }; } if ($inet6support) { $inet6support = eval { require IO::Socket::SSL; IO::Socket::SSL->import('inet6'); 1; }; } unless ($inet6support) { eval { require Socket }; eval { require IO::Socket::INET }; eval { require IO::Socket::SSL; IO::Socket::SSL->import('inet4'); }; } my $dispatch_requests = 1; # govern whether commands are dispatchable use IO::Socket; use IO::Handle; use IO::Select; use XML::Simple; $XML::Simple::PREFERRED_PARSER='XML::Parser'; use xCAT::Table; my $dbmaster; use xCAT::ExtTab; use Data::Dumper; use Getopt::Long; use Sys::Syslog qw(:DEFAULT setlogsock); openlog("xcatd",,"local4"); setlogsock(["tcp","unix","stream"]); use xCAT::NotifHandler; use xCAT_monitoring::monitorctrl; Getopt::Long::Configure("bundling"); Getopt::Long::Configure("pass_through"); use Storable qw(dclone); use POSIX qw(WNOHANG setsid); my $pidfile; my $foreground; GetOptions( 'pidfile|p=s' => \$pidfile, 'foreground|f' => \$foreground ); #start syslog if it is not up if (xCAT::Utils->isLinux()) { my $init_file="/etc/init.d/syslog"; if (-f "/etc/fedora-release") { $init_file="/etc/init.d/rsyslog"; } if ( -x $init_file ) { my $result=`$init_file status 2>&1`; if ($result !~ /running/i) { `$init_file start`; } } } else { my $result=`lssrc -s syslogd 2>&1`; if ($result !~ /active/i) { `startsrc -s syslogd`; } } my $quit = 0; my $port; my $sport; my $domain; my $xcatdir; my $sitetab; my $retries = 0; # The database initialization may take some time in the system boot scenario # wait for a while for the database initialization while (!($sitetab=xCAT::Table->new('site')) && $retries < 20) { print ("Can not open basic site table for configuration, waiting the database to be initialized.\n"); sleep 1; $retries++; } unless ($sitetab) { xCAT::MsgUtils->message("S","ERROR: Unable to open basic site table for configuration"); die; } my ($tmp) = $sitetab->getAttribs({'key'=>'xcatdport'},'value'); unless ($tmp) { xCAT::MsgUtils->message("S","ERROR:Need xcatdport defined in site table, try chtab key=xcatdport site.value=3001"); die; } $port = $tmp->{value}; $sport = $tmp->{value}+1; my $plugins_dir=$::XCATROOT.'/lib/perl/xCAT_plugin'; ($tmp) = $sitetab->getAttribs({'key'=>'xcatconfdir'},'value'); $xcatdir = (($tmp and $tmp->{value}) ? $tmp->{value} : "/etc/xcat"); $sitetab->close; my $progname; $SIG{PIPE} = sub { confess "SIGPIPE $$progname encountered a broken pipe (probably Ctrl-C by client)" }; $progname = \$0; #create the user defined external database tables if they do not exist. #update the tables if there are schema changes. if (xCAT::Utils->isMN()) { xCAT::ExtTab->updateTables(); } sub daemonize { chdir('/'); umask 0022; my $pid; if (! defined($pid = xCAT::Utils->xfork)) { xCAT::MsgUtils->message("S","Can't fork: $!"); die; } if ($pid) { if ($pidfile) { open(PFILE, '>', $pidfile); print PFILE $pid; close (PFILE); } else { xCAT::MsgUtils->message("S","xCATd starting as PID $pid"); } exit; } if (! open STDIN, '/dev/null') { xCAT::MsgUtils->message("S","Can't read /dev/null: $!"); die; } open STDOUT, '>/dev/null'; open STDERR, '>/dev/null'; $0='xcatd'; $progname = \$0; if (! setsid) { xCAT::MsgUtils->message("S","Can't start new session"); die; } } my %cmd_handlers; sub do_installm_service { #This function servers as a handler for messages from installing nodes my $socket; if ($inet6support) { $socket = IO::Socket::INET6->new(LocalPort=>$sport, Proto => 'tcp', ReuseAddr => 1, Listen => 8192); } else { $socket = IO::Socket::INET->new(LocalPort=>$sport, Proto => 'tcp', ReuseAddr => 1, Listen => 8192); } unless ($socket) { xCAT::MsgUtils->message("S","xcatd unable to open install monitor services on $sport"); die; } until ($quit) { $SIG{ALRM} = sub { xCAT::MsgUtils->message("S","XCATTIMEOUT"); die; }; my $conn; next unless $conn = $socket->accept; my @clients; if ($inet6support) { @clients = gethostbyaddr($conn->peeraddr,AF_INET6); } else { @clients = gethostbyaddr($conn->peeraddr,AF_INET); } my $validclient=0; my $node; foreach my $client (@clients) { $client =~ s/\..*//; ($node) = noderange($client); #ensure this is coming from a node IP at least if ($node) { #Means the source isn't a valid deal... $validclient=1; last; } } unless ($validclient) { close($conn); next; } my $tftpdir = xCAT::Utils->getTftpDir(); eval { alarm(2); print $conn "ready\n"; while (my $text = <$conn>) { alarm(0); print $conn "done\n"; $text =~ s/\r//g; if ($text =~ /next/) { my %request = ( command => [ 'nodeset' ], node => [ $node ], arg => [ 'next' ], ); #node should be blocked, race condition may occur otherwise #my $pid=xCAT::Utils->xfork(); #unless ($pid) { #fork off the nodeset and potential slowness plugin_command(\%request,undef,\&build_response); # exit(0); #} close($conn); } elsif ($text =~ /installstatus/) { my @tmpa=split(' ', $text); for (my $i = 1; $i <= @tmpa-1; $i++) { my $newstat=$tmpa[$i]; my %request = ( command => [ 'updatenodestat' ], node => [ $node ], arg => [ "$newstat" ], ); #node should be blocked, race condition may occur otherwise #my $pid=xCAT::Utils->xfork(); #unless ($pid) { #fork off the nodeset and potential slowness plugin_command(\%request,undef,\&build_response); # exit(0); #} } close($conn); } elsif ($text =~ /^unlocktftpdir/) { #TODO: only nodes in install state should be allowed mkpath("$tftpdir/xcat/$node"); chmod 01777,"$tftpdir/xcat/$node"; chmod 0666,glob("$tftpdir/xcat/$node/*"); close($conn); } elsif ($text =~ /locktftpdir/) { chmod 0755,"$tftpdir/xcat/$node"; chmod 0644,glob("$tftpdir/xcat/$node/*"); } elsif ($text =~ /^getpostscript/) { my $reply =plugin_command({command=>['getpostscript'],_xcat_clienthost=>[$node]},undef,\&build_response); foreach (@{$reply->{data}}) { print $conn $_; } print $conn "#END OF SCRIPT\n"; close($conn); } elsif ($text =~ /^syncfiles/) { plugin_command({command=>['syncfiles'],_xcat_clienthost=>[$node]},undef,\&build_response); print $conn "syncfiles done\n"; close($conn); } elsif ($text =~ /^rebootnodes/) { my @cmdargs = split(/\s+/,$text); my $rebootcmd = shift(@cmdargs); close($conn); plugin_command({command=>[$rebootcmd],arg=>\@cmdargs,_xcat_clienthost=>[$node]},undef,\&build_response); } elsif ($text =~ /^setiscsiparms/) { $text =~ s/^setiscsiparms\s+//; my $kname; my $iname; my $kcmdline; ($kname,$iname,$kcmdline) = split(/\s+/,$text,3); chomp($kcmdline); my $bptab = xCAT::Table->new('bootparams',-create=>1); $bptab->setNodeAttribs($node,{kernel=>"xcat/$node/$kname",initrd=>"xcat/$node/$iname",kcmdline=>$kcmdline}); my $iscsitab = xCAT::Table->new('iscsi',-create=>1); $iscsitab->setNodeAttribs($node,{kernel=>"xcat/$node/$kname",initrd=>"xcat/$node/$iname",kcmdline=>$kcmdline}); my $chaintab = xCAT::Table->new('chain',-create=>1); $chaintab->setNodeAttribs($node,{currstate=>'iscsiboot',currchain=>'netboot'}); $bptab->close; $chaintab->close; undef $bptab; undef $chaintab; my %request = ( command => [ 'nodeset' ], node => [ $node ], arg => [ 'enact' ], ); my $pid=xCAT::Utils->xfork(); unless ($pid) { #fork off the nodeset and potential slowness plugin_command(\%request,undef,\&build_response); xexit(0); } } alarm(2); } alarm(0); }; if ($@) { if ($@ =~ /XCATTIMEOUT/) { xCAT::MsgUtils->message("S","xcatd installmonitor timed out talking to $node"); } else { xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT install monitor service: ".$@); } } } } sub do_udp_service { #This function opens up a UDP port #It will do similar to the standard service, except: #-Obviously, unencrypted and messages are not guaranteed #-For that reason, more often than not plugins designed with #-this method will not expect to have a callback #Also, this throttles to handle one message at a time, so no forking either #Explicitly, to handle whatever operations nodes periodically send during discover state #Could be used for heartbeating and such as desired $dispatch_requests=0; my $socket; my $select = new IO::Select; if ($inet6support) { $socket = IO::Socket::INET6->new(LocalPort => $port, Proto => 'udp', Domain => AF_INET); } else { $socket = IO::Socket::INET->new(LocalPort => $port, Proto => 'udp', Domain => AF_INET); } openlog("xCAT UDP",'','local4'); unless ($socket) { xCAT::MsgUtils->message("S","xCAT UDP service unable to open port $port: $!"); closelog(); die "Unable to start UDP on $port"; } $select->add($socket); my $data; my $part; my $sport; my $client; my $peerhost; my %packets; my $actualpid=$$; until ($quit) { eval { while (1) { unless ($actualpid == $$) { #This really should be impossible now... xCAT::MsgUtils->message("S","xcatd: Something absolutely ludicrous happpened, xCAT developers think this message is impossible to see, post if you see it, fork bomb averted"); exit(1); } until ($select->can_read(5)) { if ($quit) { last; }; yield; } #Wait for data while ($select->can_read(0)) { #Pull all buffer data that can be pulled $part = $socket->recv($data,1500); ($sport,$client) = sockaddr_in($part); if ($sport < 1000) { #Only remember udp packets from privileged ports $packets{inet_ntoa($client)} = [$part,$data]; } } foreach my $pkey (keys %packets) { ($sport,$client) = sockaddr_in($packets{$pkey}->[0]); $data=$packets{$pkey}->[1]; $peerhost=gethostbyaddr($client,AF_INET); $peerhost .="\n"; my $req = eval { XMLin($data, SuppressEmpty=>undef,ForceArray=>1) }; if ($req and $req->{command} and ($req->{command}->[0] eq "findme")) { $req->{'_xcat_clienthost'}=gethostbyaddr($client,AF_INET); $req->{'_xcat_clientip'}=inet_ntoa($client); $req->{'_xcat_clientport'}=$sport; if (defined($cmd_handlers{"findme"}) and xCAT::Utils->nodeonmynet(inet_ntoa($client))) { #only discover from ips that appear to be on a managed network $req->{cacheonly}->[0] = 1; plugin_command($req,undef,\&build_response); if ($req->{cacheonly}->[0]) { delete $req->{cacheonly}; plugin_command($req,undef,\&build_response); #if ($req) { # $req->{cacheonly}->[0] = 1; # $req->{checkallmacs}->[0] = 1; # plugin_command($req,undef,\&convey_response); # } } } } if ($quit) { last; } while ($select->can_read(0)) { #grab any incoming requests during run $part = $socket->recv($data,1500); ($sport,$client) = sockaddr_in($part); $packets{inet_ntoa($client)} = [$part,$data]; } #Some of those 'future' packets might be stale dupes of this packet, so... delete $packets{$pkey}; #Delete any duplicates of current packet } if ($quit) { last; } } }; if ($@) { xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT UDP service: ".$@); } unless ($actualpid == $$) { #We should absolutely never be here, exponential growth from a plugin crash. xCAT::MsgUtils->message("S","xcatd: Something ludicrous happpened, bailing to avoid fork bomb, double check perl XS modules like 'net-snmp-perl'"); exit 1; } } } sub scan_plugins { my @plugins=glob($plugins_dir."/*.pm"); foreach (@plugins) { /.*\/([^\/]*).pm$/; my $modname = $1; unless ( eval { require "$_" }) { xCAT::MsgUtils->message("S","Error loading module ".$_." ...skipping"); next; } no strict 'refs'; my $cmd_adds=${"xCAT_plugin::".$modname."::"}{handled_commands}->(); foreach (keys %$cmd_adds) { my $value = $_; if (defined($cmd_handlers{$_})) { # Add every plugin registration to cmd_handlers push @{$cmd_handlers{$_}},[$modname,$cmd_adds->{$_}]; } else { $cmd_handlers{$_} = [ [$modname,$cmd_adds->{$_}] ]; } } } foreach (@plugins) { no strict 'refs'; /.*\/([^\/]*).pm$/; my $modname = $1; unless (defined(${"xCAT_plugin::".$modname."::"}{init_plugin})) { next; } ${"xCAT_plugin::".$modname."::"}{init_plugin}->(\&do_request); } } scan_plugins; unless (xCAT::Utils->isLinux()) { # messes up the output of the service cmd on linux eval { xCAT::MsgUtils->message("S","xCATd: service starting"); }; } if ($@) { print "ERROR: $@"; xexit; } unless ($foreground) { daemonize; } $dbmaster=xCAT::Table::init_dbworker; my $CHILDPID=0; #Global for reapers sub generic_reaper { while (waitpid(-1,WNOHANG) > 0) { yield; } $SIG{CHLD} = \&generic_reaper; } sub ssl_reaper { while (waitpid(-1,WNOHANG) > 0) { $sslclients--; } $SIG{CHLD} = \&ssl_reaper; } sub dispatch_reaper { while (($CHILDPID =waitpid(-1, WNOHANG)) > 0) { if ($dispatched_children{$CHILDPID}) { delete $dispatched_children{$CHILDPID}; $dispatch_children--; } } $SIG{CHLD} = \&dispatch_reaper; } sub plugin_reaper { while (($CHILDPID = waitpid(-1, WNOHANG)) > 0) { if ($plugin_children{$CHILDPID}) { delete $plugin_children{$CHILDPID}; $plugin_numchildren--; } } $SIG{CHLD} = \&plugin_reaper; } $SIG{CHLD} = \&generic_reaper; my $pid_UDP; my $pid_MON; $SIG{TERM} = $SIG{INT} = sub { #printf("Asked to quit...\n"); $quit++; foreach (keys %dispatched_children) { kill 2, $_; } foreach (keys %plugin_children) { kill 2, $_; } if ($pid_UDP) { kill 2, $pid_UDP; } if ($pid_MON) { kill 2, $pid_MON; } xCAT::Table::shut_dbworker; if ($dbmaster) { kill 2, $dbmaster; } $SIG{ALRM} = sub { xexit 0; }; #die "Did not close out in time for 5 second grace period"; }; alarm(2); }; $pid_UDP = xCAT::Utils->xfork; if (! defined $pid_UDP) { xCAT::MsgUtils->message("S", "Unable to fork for UDP/TCP"); die; } unless ($pid_UDP) { $$progname="xcatd: UDP listener"; do_udp_service; xexit(0); } $pid_MON = xCAT::Utils->xfork; if (! defined $pid_MON) { xCAT::MsgUtils->message("S", "Unable to fork installmonitor"); die; } unless ($pid_MON) { $$progname="xcatd: install monitor"; do_installm_service; xexit(0); } $$progname="xcatd: SSL listener"; openlog("xCAT SSL","","local4"); my $listener; if ($inet6support) { $listener = IO::Socket::INET6->new( LocalPort => $port, Listen => 8192, Reuse => 1, ); } else { $listener = IO::Socket::INET->new( LocalPort => $port, Listen => 8192, Reuse => 1, ); } unless ($listener) { kill 2, $pid_UDP; kill 2, $pid_MON; xCAT::Table::shut_dbworker; if ($dbmaster) { kill 2, $dbmaster; } xCAT::MsgUtils->message("S","xCAT service unable to open SSL services on $port: $!"); closelog(); die "ERROR:Unable to start xCAT service on port $port."; } closelog(); #setup signal in NotifHandler so that the cache can be updated xCAT::NotifHandler::setup($$, $dbmaster); #start the monitoring process xCAT_monitoring::monitorctrl::start($$); my $peername; my $ssltimeout; until ($quit) { $SIG{CHLD} = \&ssl_reaper; #set here to ensure that signal handler is not corrupted during loop next unless my $cnnection=$listener->accept; my $connection; while ($sslclients > $maxsslclients) { #THROTTLE sleep 0.1; #Keep processor utilization down } my $child = xCAT::Utils->xfork(); #Yes we fork, IO::Socket::SSL is not threadsafe.. unless (defined $child) { xCAT::MsgUtils->message("S","xCATd cannot fork"); die; } if ($child == 0) { $SIG{TERM} = $SIG{INT} = {}; $SIG{CHLD} = \&generic_reaper; #THROTTLE $listener->close; $SIG{ALRM} = sub { $ssltimeout = 1; die; }; eval { alarm(10); $connection = IO::Socket::SSL->start_SSL($cnnection, SSL_key_file=>$xcatdir."/cert/server-cred.pem", SSL_cert_file=>$xcatdir."/cert/server-cred.pem", SSL_ca_file=>$xcatdir."/cert/ca.pem", SSL_server=>1, SSL_verify_mode=> 1 ); alarm(0); }; $SIG{ALRM}='DEFAULT'; if ($@) { #SSL failure close($cnnection); xexit 0; } unless ($connection) { xexit 0; } $clientselect->add($connection); my $peerhost=undef; my $peerfqdn=undef; my $peer=$connection->peer_certificate("owner"); if ($peer) { $peer =~ m/CN=([^\/]*)/; $peername = $1; } else { $peername=undef; } $sitetab=xCAT::Table->new('site'); my ($tmp) = $sitetab->getAttribs({'key'=>'domain'},'value'); if (defined $tmp->{value}) { $domain = $tmp->{value}; } $sitetab->close; if ($inet6support) { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET6); } else { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET); } unless ($peerhost) { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET); } $peerfqdn=$peerhost; if ($domain) { # strip off domain if set $peerhost && $peerhost =~ s/\.$domain\.*$//; } else { # otherwise just strip off whatever comes after the first dot $peerhost && $peerhost =~ s/^.*?\.//; } $peerhost && $peerhost =~ s/-eth\d*$//; $peerhost && $peerhost =~ s/-myri\d*$//; $peerhost && $peerhost =~ s/-ib\d*$//; #printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n"); $$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost) if $peerhost; service_connection($connection,$peername,$peerhost,$peerfqdn); xexit(0); } $sslclients++; #THROTTLE $cnnection->close(); } $listener->close; xCAT::Table::shut_dbworker; if ($dbmaster) { kill 2, $dbmaster; } #stop the monitoring process xCAT_monitoring::monitorctrl::stop($$); my $parent_fd; my %resps; sub plugin_command { my $req = shift; my $sock = shift; my $callback = shift; my %handler_hash; my $usesiteglobal = 0; use xCAT::NodeRange qw/extnoderange nodesmissed noderange/; $Main::resps={}; my @nodes; if ($req->{node}) { @nodes = @{$req->{node}}; } elsif ($req->{noderange} and $req->{noderange}->[0]) { @nodes = noderange($req->{noderange}->[0]); if (nodesmissed) { my $rsp = {errorcode=>1,error=>"Invalid nodes and/or groups in noderange: ".join(',',nodesmissed)}; $rsp->{serverdone} = {}; if ($sock) { print $sock XMLout($rsp,RootName=>'xcatresponse' ,NoAttr=>1); } return ($rsp); } unless (@nodes) { $req->{emptynoderange} = [1]; } } if (@nodes) { $req->{node} = \@nodes; } my %unhandled_nodes; foreach (@nodes) { $unhandled_nodes{$_}=1; } my $useunhandled=0; if (defined($cmd_handlers{$req->{command}->[0]})) { my $hdlspec; my @globalhandlers=(); my $useglobals=1; #If it stays 1, then use globals normally, if 0, use only for 'unhandled_nodes, if -1, don't do at all foreach (@{$cmd_handlers{$req->{command}->[0]}}) { $hdlspec =$_->[1]; my $ownmod = $_->[0]; if ($hdlspec =~ /^site:/) { #A site entry specifies a plugin my $sitekey = $hdlspec; $sitekey =~ s/^site://; $sitetab = xCAT::Table->new('site'); my $sent = $sitetab->getAttribs({key=>$sitekey},['value']); if ($sent and $sent->{value}) { #A site style plugin specification is just like #a static global, it grabs all nodes rather than some $useglobals = -1; #If they tried to specify anything, don't use the default global handlers at all unless (@nodes) { $handler_hash{$sent->{value}} = 1; $usesiteglobal = 1; } foreach (@nodes) { #Specified a specific plugin, not a table lookup $handler_hash{$sent->{value}}->{$_} = 1; } } } elsif ($hdlspec =~ /:/) { #Specificed a table lookup path for plugin name if (@nodes) { # only use table lookup plugin if nodelist exists # Usage will be handled in common AAAhelp plugin $useglobals = 0; #Only contemplate nodes that aren't caught through searching below in the global handler $useunhandled=1; my $table; my $cols; ($table,$cols) = split(/:/,$hdlspec); my @colmns=split(/,/,$cols); my @columns; my $hdlrtable=xCAT::Table->new($table); unless ($hdlrtable) { #TODO: proper error handling } my $node; my $colvals = {}; foreach my $colu (@colmns) { if ($colu =~ /=/) { #a value redirect to a pattern/specific name my $coln; my $colv; ($coln,$colv) = split(/=/,$colu,2); $colvals->{$coln} = $colv; push (@columns,$coln); } else { push (@columns,$colu); } } unless (@nodes) { #register the plugin in the event of usage $handler_hash{$ownmod} = 1; $useglobals = 1; } my $hdlrcache; if ($hdlrtable) { $hdlrcache = $hdlrtable->getNodesAttribs(\@nodes,\@columns); } foreach $node (@nodes) { unless ($hdlrcache) { next; } my $attribs = $hdlrcache->{$node}->[0]; #$hdlrtable->getNodeAttribs($node,\@columns); unless (defined($attribs)) { next; } foreach (@columns) { my $col=$_; if (defined($attribs->{$col})) { if ($colvals->{$col}) { #A pattern match style request. if ($attribs->{$col} =~ /$colvals->{$col}/) { $handler_hash{$ownmod}->{$node} = 1; delete $unhandled_nodes{$node}; last; } } else { # call the plugin that matches the table value for that node if ($attribs->{$col} =~ /$ownmod/) { $handler_hash{$attribs->{$col}}->{$node} = 1; delete $unhandled_nodes{$node}; last; } } } } } $hdlrtable->close; } # end if (@nodes) } else { push @globalhandlers,$hdlspec; } } if ($useglobals == 1) { #Behavior when globals have not been overriden my $hdlspec; foreach $hdlspec (@globalhandlers) { unless (@nodes) { $handler_hash{$hdlspec} = 1; } foreach (@nodes) { #Specified a specific plugin, not a table lookup $handler_hash{$hdlspec}->{$_} = 1; } } } elsif ($useglobals == 0) { unless (@nodes or $usesiteglobal) { #if something like 'makedhcp -n', foreach (keys %handler_hash) { if ($handler_hash{$_} == 1) { delete ($handler_hash{$_}) } } } foreach $hdlspec (@globalhandlers) { unless (@nodes or $usesiteglobal) { $handler_hash{$hdlspec} = 1; } foreach (keys %unhandled_nodes) { #Specified a specific plugin, not a table lookup $handler_hash{$hdlspec}->{$_} = 1; } } } #Otherwise, global handler is implicitly disabled } else { return 1; #TODO: error back that request has no known plugin for it } if ($useunhandled) { my $queuelist=''; foreach (@{$cmd_handlers{$req->{command}->[0]}}) { my $queueitem = $_->[1]; if (($queueitem =~ /:/) and !($queuelist =~ /($queueitem)/)) { $queuelist .= "$_->[1];"; } } $queuelist =~ s/;$//; $queuelist =~ s/:/./g; foreach (keys %unhandled_nodes) { if ($sock) { print $sock XMLout({node=>[{name=>[$_],error=>["Unable to identify plugin for this command, check relevant tables: $queuelist"],errorcode=>[1]}]},NoAttr=>1,RootName=>'xcatresponse'); } else { my $tabdesc = $queuelist; $tabdesc =~ s/=.*$//; $callback->({node=>[{name=>[$_],error=>['Unable to identify plugin for this command, check relevant tables: '.$tabdesc],errorcode=>[1]}]}); } } } $plugin_numchildren=0; %plugin_children=(); # save the old signal my $old_sig_chld = $SIG{CHLD}; $SIG{CHLD} = \&plugin_reaper; #sub {my $plugpid; while (($plugpid = waitpid(-1, WNOHANG)) > 0) { if ($plugin_children{$plugpid}) { delete $plugin_children{$plugpid}; $plugin_numchildren--; } } }; my $check_fds; if ($sock) { $check_fds = new IO::Select; } foreach (keys %handler_hash) { my $modname = $_; my $shouldbealivepid=$$; if (-r $plugins_dir."/".$modname.".pm") { require $plugins_dir."/".$modname.".pm"; $plugin_numchildren++; my $pfd; #will be referenced for inter-process messaging. my $parfd; #not causing a problem that I discern yet, but theoretically my $child; if ($sock) { #If $sock not passed in, don't fork.. if (! socketpair($pfd, $parfd,AF_UNIX,SOCK_STREAM,PF_UNSPEC)) { xCAT::MsgUtils->message("S", "socketpair failed: $!"); die; } #pipe($pfd,$cfd); $parfd->autoflush(1); $pfd->autoflush(1); binmode($parfd,':utf8'); binmode($pfd,':utf8'); $child = xCAT::Utils->xfork; } else { $child = 0; } unless (defined $child) { xCAT::MsgUtils->message("S", "Fork failed"); die; } if ($child == 0) { if ($parfd) { #If xCAT is doing multiple requests in same communication PID, things would get unfortunate otherwise $parent_fd = $parfd; } my $oldprogname=$$progname; $$progname=$oldprogname.": $modname instance"; if ($sock) { close $pfd; } unless ($handler_hash{$_} == 1) { my @nodes = sort {($a =~ /(\d+)/)[0] <=> ($b =~ /(\d+)/)[0] || $a cmp $b } (keys %{$handler_hash{$_}}); $req->{node}=\@nodes; } no strict "refs"; eval { #REMOVEEVALFORDEBUG if ($dispatch_requests) { dispatch_request($req,$callback,$modname); } else { $SIG{CHLD}='DEFAULT'; ${"xCAT_plugin::".$modname."::"}{process_request}->($req,$callback,\&do_request); } $$progname=$oldprogname; if ($sock) { close($parent_fd); xexit(0); } }; #REMOVEEVALFORDEBUG if ($sock or $shouldbealivepid != $$) { #We shouldn't still be alive, try to send as much detail to parent as possible as to why my $error= "$modname plugin bug, pid $$, process description: '$$progname'"; if ($@) { $error .= " with error '$@'"; } else { #Sys::Virt and perhaps Net::SNMP sometimes crashes in a way $@ won't catch.. $error .= " with missing eval error, probably due to special manipulation of $@ or strange circumstances in an XS library, remove evals in xcatd marked 'REMOVEEVALFORDEBUG and run xcatd -f for more info"; } if (scalar (@nodes)) { #Don't know which of the nodes, so one error message warning about the possibliity.. $error .= " while trying to fulfill request for the following nodes: ".join(",",@nodes); } xCAT::MsgUtils->message("S","xcatd: $error"); $callback->({error=>[$error],errorcode=>[1]}); xexit(0); #Die like we should have done } elsif ($@) { #We are still alive, should be alive, but yet we have an error. This means we are in the case of 'do_request' or something similar. Forward up the death since our communication channel is intact.. xCAT::MsgUtils->message("S", "$@"); die $@; } } else { $plugin_children{$child}=1; close $parfd; $check_fds->add($pfd); } } else { my $pm_name = $plugins_dir."/".$modname.".pm"; if (ref $handler_hash{$_}) { foreach my $node (keys %{$handler_hash{$_}}) { if ($sock) { print $sock XMLout({node=>[{name=>[$node],data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]}]},NoAttr=>1,RootName=>'xcatresponse'); } else { $callback->({node=>[{name=>[$node],data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]}]}); } } } else { if ($sock) { print $sock XMLout({data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]},NoAttr=>1,RootName=>'xcatresponse'); } else { $callback->({data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]}); } } } } unless ($sock) { # restore the old signal $SIG{CHLD} = $old_sig_chld; return $Main::resps } while (($plugin_numchildren > 0) and ($check_fds->count > 0)) { #this tracks end of useful data from children much more closely relay_fds($check_fds,$sock); } #while (relay_fds($check_fds,$sock)) {} # restore the old signal $SIG{CHLD} = $old_sig_chld; my %done; $done{serverdone} = {}; if ($req->{transid}) { $done{transid}=$req->{transid}->[0]; } if ($sock) { my $clientpresence = new IO::Select; #The client may have gone away without confirmation, don't PIPE over this trivial thing $clientpresence->add($sock); if ($clientpresence->can_write(5)) { print $sock XMLout(\%done,RootName => 'xcatresponse',NoAttr=>1); } } } my $dispatch_parentfd; sub dispatch_callback { my $rspo = shift; unless ($rspo) { return; } my $rsp = {%$rspo}; # deep copy delete $rsp->{serverdone}; unless (%$rsp) { return; } print $dispatch_parentfd freeze($rsp); print $dispatch_parentfd "\nENDOFFREEZE6sK6xa\n"; yield; #This has to happen before next line could possibly work anyway my $parselect = new IO::Select; $parselect->add($dispatch_parentfd); my $selbits = $parselect->bits; while (defined($selbits) && ($rsp = select($selbits,undef,undef,5))) { #block for up to 5 seconds before continuing if ($quit) { # termination requested by a clean shutdown facility xexit 0; } if ($rsp == 0) { #The select call failed to find any ready items last; } if ($rsp < 0) { #A child exited or other signal event that made select skip out before suggesting succes next; } if ($rsp = <$dispatch_parentfd>) { if ($rsp =~ /die/ or $quit) { xexit 0; } last; } else { $parselect->remove($dispatch_parentfd); #Block until parent acks data last; } $selbits = $parselect->bits; yield; } } sub relay_dispatch { my $fds = shift; my $dispatch_cb = shift; my @ready_ins = $fds->can_read(1); foreach my $rin (@ready_ins) { my $data; if ($data = <$rin>) { while ($data !~ /ENDOFFREEZE6sK6xa/) { $data .= <$rin>; } my $response = thaw($data); print $rin "dfin\n"; $dispatch_cb->($response); } else { $fds->remove($rin); close($rin); } } yield; #At this point, explicitly yield to other processes. If children will have more data, this process would otherwise uselessly loop on data that never will be. If children are all done, still no harm in waiting a short bit for a timeslice to come back return scalar(@ready_ins); } sub dispatch_request { %dispatched_children=(); my $req = shift; my $dispatch_cb = shift; my $modname = shift; my $reqs = []; my $child_fdset = new IO::Select; no strict "refs"; # save the old signal my $old_sig_chld = $SIG{CHLD}; #Hierarchy support. Originally, the default scope for noderange commands was #going to be the servicenode associated unless overriden. #However, assume for example that you have blades and a blade is the service node #rpower being executed by the servicenode for one of its subnodes would have to #reach it's own management module. This has the potential to be non-trivial for some quite possible network configurations. #Since plugins may commonly experience this, a preprocess_request implementation #will for now be required for a command to be scaled through service nodes #If the plugin offers a preprocess method, use it to set the request array if (defined(${"xCAT_plugin::".$modname."::"}{preprocess_request})) { $SIG{CHLD}='DEFAULT'; $reqs = ${"xCAT_plugin::".$modname."::"}{preprocess_request}->($req,$dispatch_cb,\&do_request); } else { #otherwise, pass it in without hierarchy support $reqs = [$req]; } $dispatch_children=0; $SIG{CHLD} = \&dispatch_reaper; #sub {my $cpid; while (($cpid =waitpid(-1, WNOHANG)) > 0) { if ($dispatched_children{$cpid}) { delete $dispatched_children{$cpid}; $dispatch_children--; } } }; my $onlyone=0; if (defined $reqs and (scalar(@{$reqs}) == 1)) { $onlyone=1; } foreach (@{$reqs}) { my $pfd; my $parfd; #use a private variable so it won't trounce itself recursively my $child; delete $_->{noderange}; if (ref $_->{'_xcatdest'} and (ref $_->{'_xcatdest'}) eq 'ARRAY') { _->{'_xcatdest'} = $_->{'_xcatdest'}->[0]; } if ($onlyone and not ($_->{'_xcatdest'} and xCAT::Utils->thishostisnot($_->{'_xcatdest'}))) { $SIG{CHLD}='DEFAULT'; ${"xCAT_plugin::".$modname."::"}{process_request}->($_,$dispatch_cb,\&do_request); return; } if (! socketpair($pfd, $parfd,AF_UNIX,SOCK_STREAM,PF_UNSPEC)) { xCAT::MsgUtils->message("S", "ERROR: socketpair: $!"); die; } $parfd->autoflush(1); $pfd->autoflush(1); binmode($parfd,':utf8'); binmode($pfd,':utf8'); $child = xCAT::Utils->xfork; if ($child) { $dispatch_children++; $dispatched_children{$child}=1; $child_fdset->add($pfd); next; } unless (defined $child) { $dispatch_cb->({error=>['Fork failure dispatching request'],errorcode=>[1]}); } $SIG{CHLD}='DEFAULT'; $dispatch_parentfd = $parfd; my @prexcatdests=(); my @xcatdests=(); if (ref($_->{'_xcatdest'}) eq 'ARRAY') { #If array, consider it an 'anycast' operation, broadcast done through dupe #requests, or an alternative join '&' maybe? @prexcatdests=@{$_->{'_xcatdest'}}; } else { @prexcatdests=($_->{'_xcatdest'}); } foreach (@prexcatdests) { if ($_ and /,/) { push @xcatdests,split /,/,$_; } else { push @xcatdests,$_; } } my $xcatdest; my $numdests=scalar(@xcatdests); my $request_satisfied=0; foreach $xcatdest (@xcatdests) { my $dlock; if ($xcatdest and xCAT::Utils->thishostisnot($xcatdest)) { #mkpath("/var/lock/xcat/"); #For now, limit intra-xCAT requests to one at a time, to mitigate DB handle usage #open($dlock,">","/var/lock/xcat/dispatchto_$xcatdest"); #flock($dlock,LOCK_EX); $ENV{XCATHOST} = ($xcatdest =~ /:/ ? $xcatdest : $xcatdest.":3001" ); $$progname.=": connection to ".$ENV{XCATHOST}; my $errstr; eval { undef $_->{'_xcatdest'}; xCAT::Client::submit_request($_,\&dispatch_callback,$xcatdir."/cert/server-cred.pem",$xcatdir."/cert/server-cred.pem",$xcatdir."/cert/ca.pem"); }; if ($@) { $errstr=$@; } #unlink("/var/lock/xcat/dispatchto_$xcatdest"); #flock($dlock,LOCK_UN); if ($errstr) { if ($numdests == 1) { dispatch_callback({error=>["Unable to dispatch command to ".$ENV{XCATHOST}.", command will not make changes to that server ($errstr)"],errorcode=>[1]}); xCAT::MsgUtils->message("S","Error dispatching request to ".$ENV{XCATHOST}.": ".$errstr); } else { xCAT::MsgUtils->message("S","Error dispatching request to ".$ENV{XCATHOST}.", trying other service nodes: ".$errstr); } next; } else { $request_satisfied=1; last; } } else { $$progname.=": locally executing"; $SIG{CHLD}='DEFAULT'; ${"xCAT_plugin::".$modname."::"}{process_request}->($_,\&dispatch_callback,\&do_request); last; } } if ($numdests > 1 and not $request_satisfied) { xCAT::MsgUtils->message("S","Error dispatching a request to all possible service nodes for request"); dispatch_callback({error=>["Failed to dispatch command to any of the following service nodes: ".join(",",@xcatdests)],errorcode=>[1]}); } xexit; } while (($dispatch_children > 0) and ($child_fdset->count > 0)) { relay_dispatch($child_fdset,$dispatch_cb) } while (relay_dispatch($child_fdset,$dispatch_cb)) { } #Potentially useless drain. # restore the old signal $SIG{CHLD} = $old_sig_chld; } sub do_request { my $req = shift; my $second = shift; my $rsphandler = \&build_response; my $sock = undef; if ($second) { if (ref($second) eq "CODE") { $rsphandler = $second; } elsif (ref($second) eq "GLOB") { $sock = $second; } } #my $sock = shift; #If no sock, will return a response hash if ($cmd_handlers{$req->{command}->[0]}) { return plugin_command($req,$sock,$rsphandler); } elsif ($req->{command}->[0] eq "noderange" and $req->{noderange}) { my @nodes = noderange($req->{noderange}->[0]); my %resp; if (nodesmissed) { $resp{warning}="Invalid nodes in noderange:".join ',',nodesmissed; } $resp{serverdone} = {}; @{$resp{node}}=@nodes; if ($req->{transid}) { $resp{transid}=$req->{transid}->[0]; } if ($sock) { print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1); } else { return (\%resp); } } else { my %resp=(error=>"Unsupported request"); $resp{serverdone} = {}; if ($req->{transid}) { $resp{transid}=$req->{transid}->[0]; } if ($sock) { print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1); } else { return (\%resp); } } } sub convey_response { my $resp=shift; #TODO: This is where the following will/may happen: #-Track transaction id #-Save output for deferred commands unless ($parent_fd) { build_response($resp); return; } $resp = XMLout($resp,KeyAttr=>[], NoAttr=>1,RootName=>'xcatresponse'); #sanitize the response, to avoid being killed by non-printable bytes #$resp =~ tr/\011-\177/?/c; #seeing if using utf-8 offloads potential issues to client terminal print $parent_fd $resp; yield; #parent must get timeslice anyway before an ack could possibly return my $parsel = new IO::Select; $parsel->add($parent_fd); my $selbits = $parsel->bits; my $rsp; while ($selbits && ($rsp = select($selbits, undef, undef, 5))) { #block up to five seconds if ($quit) { # Obey quit flag xexit 0; } if ($rsp == 0) { #This means the filedescriptor was removed last; } if ($rsp < 0) { # A signal caused select to skip out, do-over next; } #At this point, the only possibility is a positive return, meaning parent_fd requires attention of some sort $rsp = <$parent_fd>; if ($rsp) { #If data actually came in, last, otherwise, remove it from the IO::Select, but both should amount to the same thing last; } else { $parsel->remove($parent_fd); last; } } yield; #If still around, it means a peer process still hasn't gotten to us, so might as well yield $selbits = $parsel->bits; } sub build_response { # Handle responses from do_request calls made directly from a plugin # Merge this response into the full response hash. We'll collect all # the responses and ship it back on the return to the plugin. # Note: Need to create a new "deep clone" copy of each response structure # otherwise the next call will overwrite the reference we pushed on # the response array my $resp = shift; foreach (keys %$resp) { my $subresp = dclone($resp->{$_}); push (@{$Main::resps->{$_}}, @{$subresp}); } } sub becomeuser { #if username and password match, return the new username #otherwise, return undef #TODO PAM? my $passtab = xCAT::Table->new('passwd'); my $id=shift; my $pass=shift; unless (defined $id and defined $pass) { return undef; } my $passent=$passtab->getAttribs({key=>'xcat',username=>$id},['password']); unless ($passent) { return undef; } $passent=$passent->{password}; my $encryptedpass = crypt($pass,$passent); if ($encryptedpass eq $passent) { return $id; }elsif ($pass eq $passent) { return $id; } # if ($passent =~ /^\$(2a|1)\$.*\$/) { #MD5 or Blowfish hash, calculate before comparison # $pass = crypt($pass,$passent); # } #Not bothering with old DES method, for now assume plaintext if not set # if ($pass eq $passent) { # return $id; # } #If here, unable to validate given credential return undef; } sub service_connection { my $sock = shift; my $peername = shift; my $peerhost = shift; my $peerfqdn = shift; my $peerport = $sock->peerport; my %tables=(); #some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs: # -Well, minimally, ignore requests if requesting node is not in spconfig mode (stage3) # -Option to generate a random password per 'getipmi' request. This reduces the exposure to a D.O.S. hopefully #Give only 15 seconds of silence allowed or terminate connection. Using alarm since we are in thread-unsafe world anyway my $timedout = 0; $SIG{ALRM} = sub { $timedout = 1; die; }; my $evalpid = $$; eval { #REMOVEEVALFORDEBUG my $request; my $req=undef; alarm(15); while (<$sock>) { alarm(0); $request .= $_; #$req = eval { XMLin($request, ForceArray => [ 'attribute' , 'attributepair' ]) }; if (m/<\/xcatrequest>/) { $req = eval { XMLin($request, SuppressEmpty=>undef,ForceArray=>1) }; #first change peername on 'becomeuser' tag if present and valid if (defined $req->{becomeuser}) { $peername=becomeuser($req->{becomeuser}->[0]->{username}->[0], $req->{becomeuser}->[0]->{password}->[0]); unless (defined $peername) { my $resp={error=>["Authentication failure"],errorcode=>[1]}; $resp->{serverdone}={}; print $sock XMLout($resp,RootName => 'xcatresponse',NoAttr=>1); return; } delete($req->{becomeuser}); #Remove it to keep it from view } #we have a full request.. #printf $request."\n"; $request=""; if (validate($peername,$peerhost,$req)) { $req->{'_xcat_authname'} = [$peername]; $req->{'_xcat_clienthost'} = [$peerhost]; $req->{'_xcat_clientfqdn'} = [$peerfqdn]; $req->{'_xcat_clientport'}= [$peerport]; $$progname="xCATd SSL: ".$req->{command}->[0]; if ($req->{noderange} && defined($req->{noderange}->[0])) { $$progname .= " to ".$req->{noderange}->[0]; } if($peerhost){ $$progname .= " for ".($peername ? $peername ."@".$peerhost : $peerhost); } if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action my $resp; if ($peername or $peername eq "0") { $resp->{username}=[$peername]; $resp->{data}=["Authenticated"]; } else { $resp->{data}=["Unauthenticated"]; } $resp->{serverdone}={}; print $sock XMLout($resp,RootName => 'xcatresponse',NoAttr=>1); } elsif ($cmd_handlers{$req->{command}->[0]}) { return plugin_command($req,$sock,\&convey_response); } elsif ($req->{command}->[0] eq "noderange" and $req->{noderange}) { my @nodes = noderange($req->{noderange}->[0]); my %resp; if (nodesmissed) { $resp{warning}="Invalid nodes in noderange:".join ',',nodesmissed; } $resp{serverdone} = {}; @{$resp{node}}=@nodes; if ($req->{transid}) { $resp{transid}=$req->{transid}->[0]; } print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1); next; } elsif ($req->{command}->[0] eq "extnoderange" and $req->{noderange}) { #This is intended for the UIs to build trees #as this would be part of a highly dynamic construct, it has a shortcut here to minimize server load my $subgroups=0; if ($req->{arg} and grep /subgroups/,@{$req->{arg}}) { $subgroups=1; } my %resp=%{extnoderange($req->{noderange}->[0],{intersectinggroups=>$subgroups})}; $resp{serverdone}={}; print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1); next; } else { my %resp=(error=>"Unsupported request"); $resp{serverdone} = {}; if ($req->{transid}) { $resp{transid}=$req->{transid}->[0]; } print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1); next; } } else { my %resp=(error=>"Permission denied for request"); $resp{serverdone} = {}; if ($req->{transid}) { $resp{transid}=$req->{transid}->[0]; } my $response=XMLout(\%resp,RootName =>'xcatresponse',NoAttr => 1); print $sock $response; next; } } alarm(15); } }; #REMOVEEVALFORDEBUG if ($@) { # The eval statement caught a program bug.. if ($@ =~ /^SIGPIPE/) { xCAT::MsgUtils->message("S","xcatd: Unexpected client disconnect"); if ($sock) { eval { print $sock XMLout({error=>"Generic PIPE error occurred. $@"},RootName=>'xcatresponse',NoAttr=>1); }; } } elsif ($@ =~ /Client abort requested/) { } else { my $errstr="A fatal error was encountered, the following information may help identify a bug: $@"; chomp($errstr); xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT TCP service: ".$@); if ($sock) { eval { print $sock XMLout({error=>$errstr},RootName=>'xcatresponse',NoAttr=>1); }; } } } elsif ($evalpid ne $$) { xCAT::MsgUtils->message("S","A child jumped to where it should never ever be, this shouldn't be possible, please report this bug"); #The folowing corrupts the SSL state preventing any further output by the parent. #A bug triggering this absolutely #needs to fixed. With the current code layout it is either trash valid data that could have been or #risk user missing data #without knowing it. It's likely possible to rearchitect to change that, but as it stands it really #should be no longer possible to hit this condition. print $sock,XMLout({error=>"A child jumped to where it should never ever be, this shouldn't be possible, please report this bug"}); } $SIG{ALRM}= sub { xCAT::MsgUtils->message("S","$$ failed shutting down"); die;}; alarm(10); foreach (keys %tables) { $tables{$_}->commit; } $sock->close(SSL_fast_shutdown=>1); if ($timedout == 1) { printf ("Client timeout"); } } sub relay_fds { #Relays file descriptors from pipes to children to the SSL socket my $fds = shift; my $sock = shift; my $goneclient=0; unless ($sock) { return 0; } my $collate = ( scalar @_ > 0 ? shift : 0); my @readyset = $fds->can_read(1); my $rfh; my $rc = @readyset; my $text; foreach $rfh (@readyset) { #go through each child, extract a complete, atomic message my $line; while ($line = <$rfh>) { #Will break on complete messages, avoid interleave eval { print $sock $line; }; if ($@ and $@ =~ /PIPE/) { $goneclient=1; print "Piped while writing to client\n"; last; } if ($line =~ /<\/xcatresponse>/) { last; } } if ($line) { print $rfh "nfin\n"; #Notify convey_response message done } else { $fds->remove($rfh); close($rfh); } } foreach my $rin ($clientselect->can_read(0)) { my $subselect = new IO::Select; $subselect->add($rin); my $clientintr=""; my $subdata; while ($subselect->can_read(1)) { if ($subdata=<$rin>) { $clientintr.=$subdata; } else { $subselect->remove($rin); close($rin); } } unless ($clientintr) { next; } $clientintr=XMLin($clientintr, SuppressEmpty=>undef,ForceArray=>1 ); if ($clientintr->{abortcommand}->[0]) { print "Aborting..."; foreach (keys %plugin_children) { print "Sending INT to $_\n"; kill 2, $_; } foreach my $cin ($fds->handles) { print $cin "die\n"; $fds->remove($cin); close($cin); } xCAT::MsgUtils->message("S", "Client abort requested"); die; } } yield; #Give other processes, including children, explicit control, to avoid uselessly aggressive looping if ($goneclient) { xCAT::MsgUtils->message("S", "SIGPIPE $$progname encountered a broken pipe (Sudden client disconnect)"); die; } return $rc; } sub validate { #Here is where we check if $peername is allowed to do $request in policy tbl. # $peername, if set signifies client has a cert that the xCAT CA accepted. # Logs to syslog and auditlog table all user commands, see site.auditskipcmds # attribute. # returns 1 if policy engine allows the action, 0 if denied. # now check the policy table if user can run the command my $peername=shift; my $peerhost=shift; my $request=shift; my $policytable = xCAT::Table->new('policy'); unless ($policytable) { xCAT::MsgUtils->message("S","Unable to open policy data, denying"); return 0; } my $policies = $policytable->getAllEntries; $policytable->close; my $rule; my $peerstatus="untrusted"; # check to see if peerhost is trusted foreach $rule (@$policies) { if (($rule->{name} and ($rule->{name} eq $peerhost)) && ($rule->{rule}=~ /trusted/i)) { $peerstatus="Trusted"; last; } } RULE: foreach $rule (@$policies) { if ($rule->{name} and $rule->{name} ne '*') { #TODO: more complex matching (lists, wildcards) next unless ($peername and $peername eq $rule->{name}); } if ($rule->{time} and $rule->{time} ne '*') { #TODO: time ranges } if ($rule->{host} and $rule->{host} ne '*') { #TODO: more complex matching (lists, noderanges?, wildcards) next unless ($peerhost eq $rule->{host}); } if ($rule->{commands} and $rule->{commands} ne '*') { #TODO: syntax for multiple commands next unless ($request->{command}->[0] eq $rule->{commands}); } if ($rule->{parameters} and $rule->{parameters} ne '*') { my $parms; if ($request->{arg}) { $parms = join(' ',@{$request->{arg}}); } else { $parms = ""; } my $patt = $rule->{parameters}; unless ($parms =~ /$patt/) { next; } } if ($rule->{noderange} and $rule->{noderange} ne '*') { my $matchall=0; if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) { $matchall=1; } if (defined $request->{noderange}->[0]) { my @tmpn=noderange($request->{noderange}->[0]); $request->{node}=\@tmpn; } unless (defined $request->{node}) { next RULE; } my @reqnodes = @{$request->{node}}; my %matchnodes; foreach (noderange($rule->{noderange})) { $matchnodes{$_}=1; } REQN: foreach (@reqnodes) { if (defined ($matchnodes{$_})) { if ($matchall) { next REQN; } else { last REQN; } } elsif ($matchall) { next RULE; } } } # If we are still in, that means this rule is the first match and dictates behavior. # We are not going to log getdestiny,getbladecons,getipmicons commands, way # too many of them #print Dumper($request); if ($rule->{rule}) { my $logst; my $rc; my $status; if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) { $logst = "xCAT: Allowing ".$request->{command}->[0]; $status = "Allowed"; $rc=1; } else { $logst = "xCAT: Denying ".$request->{command}->[0]; $status = "Denied"; $rc=0; } if (($request->{command}->[0] ne "getdestiny") && ($request->{command}->[0] ne "getbladecons") && ($request->{command}->[0] ne "getipmicons")) { # set username authenticated to run command # if from Trusted host, use input username, else set from creds if (($request->{username}) && defined($request->{username}->[0])) { if ($peerstatus ne "Trusted" ) { # then set to peername $request->{username}->[0] = $peername; } } else { $request->{username}->[0] = $peername; } if ($request->{noderange} && defined($request->{noderange}->[0])) { $logst .= " to ".$request->{noderange}->[0]; } else { # no noderange maybe a nodes if ($request->{node} && defined($request->{node}->[0])) { my @reqnodes = @{$request->{node}}; if (@reqnodes) { $logst .= " to "; foreach my $node (@reqnodes) { $logst .= "$node,"; } chop $logst; } } } # add each argument my $args = $request->{arg}; my $arglist; foreach my $argument (@$args){ $arglist .= " " . $argument; } if ($arglist) { $logst .= $arglist; } if($peername) { $logst .= " for " . $request->{username}->[0]}; if ($peerhost) { $logst .= " from " . $peerhost }; # read site.auditskipcmds attribute, # if set skip commands else audit all cmds. my @skipcmds=xCAT::Utils->get_site_attribute('auditskipcmds'); # if not "ALL" and not a command from site.auditskipcmds # and not getcredentials and not getcredentials , # put in syslog and auditlog my $skip = 0; my $all = "all"; if (defined($skipcmds[0])) { # if there are values if (grep(/$all/i, @skipcmds)) { # skip all $skip = 1; } else { if (grep(/$request->{command}->[0]/, @skipcmds)) { # skip the command $skip = 1; } } } if (($request->{command}->[0] ne "getpostscript") && ($request->{command}->[0] ne "getcredentials") && ($skip == 0)) { # put in audit Table and syslog my $rsp = {}; $rsp->{syslogdata}->[0] = $logst; if ($peername) { $rsp->{userid} ->[0] = $request->{username}->[0]; } if ($peerhost) { $rsp->{clientname} -> [0] = $peerhost; } if (defined $request->{clienttype}) { $rsp->{clienttype} -> [0] = $request->{clienttype} -> [0]; } else { if (defined $request->{becomeuser}) { $rsp->{clienttype} -> [0] = "webui"; } else { $rsp->{clienttype} -> [0] = "other"; } } $rsp->{command} -> [0] = $request->{command}->[0]; if ($request->{noderange} && defined($request->{noderange}->[0])) { $rsp->{noderange} -> [0] = $request->{noderange}->[0]; } $rsp->{args} -> [0] =$arglist; $rsp->{status} -> [0] = $status; xCAT::MsgUtils->message("SA",$rsp); } else { # getpostscript or getcredentials, just syslog xCAT::MsgUtils->message("S",$logst); } } # end getbladecons,etc check return $rc; } else { #Shouldn't be possible.... xCAT::MsgUtils->message("S","Impossible line in xcatd reached"); return 0; } } # end RULE #Reached end of policy table, reject by default. xCAT::MsgUtils->message("S","Request matched no policy rule: ".$request->{command}->[0]); return 0; }