5c92a9fb45
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@7803 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
1878 lines
63 KiB
Perl
Executable File
1878 lines
63 KiB
Perl
Executable File
#!/usr/bin/env perl
|
|
# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
|
|
use strict;
|
|
use warnings;
|
|
use Carp qw(cluck confess);
|
|
BEGIN
|
|
{
|
|
$::XCATROOT = $ENV{'XCATROOT'} ? $ENV{'XCATROOT'} : '/opt/xcat';
|
|
}
|
|
|
|
# if AIX - make sure we include perl 5.8.2 in INC path.
|
|
# Needed to find perl dependencies shipped in deps tarball.
|
|
if ($^O =~ /^aix/i) {
|
|
use lib "/usr/opt/perl5/lib/5.8.2/aix-thread-multi";
|
|
use lib "/usr/opt/perl5/lib/5.8.2";
|
|
use lib "/usr/opt/perl5/lib/site_perl/5.8.2/aix-thread-multi";
|
|
use lib "/usr/opt/perl5/lib/site_perl/5.8.2";
|
|
}
|
|
|
|
use lib "$::XCATROOT/lib/perl";
|
|
use Storable qw(freeze thaw);
|
|
use xCAT::Utils;
|
|
use xCAT::MsgUtils;
|
|
use File::Path;
|
|
use Time::HiRes qw(sleep);
|
|
use Thread qw(yield);
|
|
use Fcntl ":flock";
|
|
use xCAT::Client qw(submit_request);
|
|
my $clientselect = new IO::Select;
|
|
my $sslclients = 0; #THROTTLE
|
|
my $maxsslclients = 64; #default
|
|
|
|
sub xexit {
|
|
while (wait() > 0) {
|
|
yield;
|
|
}
|
|
exit @_;
|
|
}
|
|
my $dispatch_children=0;
|
|
my %dispatched_children=();
|
|
my $plugin_numchildren=0;
|
|
my %plugin_children;
|
|
my $inet6support;
|
|
if ($^O =~ /^aix/i) { # disable AIX IPV6 TODO
|
|
$inet6support = 0;
|
|
} else {
|
|
$inet6support=eval { require Socket6 };
|
|
}
|
|
if ($inet6support) {
|
|
$inet6support = eval { require IO::Socket::INET6 };
|
|
}
|
|
if ($inet6support) {
|
|
$inet6support = eval { require IO::Socket::SSL; IO::Socket::SSL->import('inet6'); 1; };
|
|
}
|
|
unless ($inet6support) {
|
|
eval { require Socket };
|
|
eval { require IO::Socket::INET };
|
|
eval { require IO::Socket::SSL; IO::Socket::SSL->import('inet4'); };
|
|
}
|
|
|
|
my $dispatch_requests = 1; # govern whether commands are dispatchable
|
|
use IO::Socket;
|
|
use IO::Handle;
|
|
use IO::Select;
|
|
use XML::Simple;
|
|
$XML::Simple::PREFERRED_PARSER='XML::Parser';
|
|
use xCAT::Table;
|
|
my $dbmaster;
|
|
use xCAT::ExtTab;
|
|
use Data::Dumper;
|
|
use Getopt::Long;
|
|
use Sys::Syslog qw(:DEFAULT setlogsock);
|
|
openlog("xcatd",,"local4");
|
|
setlogsock(["tcp","unix","stream"]);
|
|
use xCAT::NotifHandler;
|
|
use xCAT_monitoring::monitorctrl;
|
|
|
|
|
|
Getopt::Long::Configure("bundling");
|
|
Getopt::Long::Configure("pass_through");
|
|
|
|
use Storable qw(dclone);
|
|
use POSIX qw(WNOHANG setsid);
|
|
my $pidfile;
|
|
my $foreground;
|
|
GetOptions(
|
|
'pidfile|p=s' => \$pidfile,
|
|
'foreground|f' => \$foreground
|
|
);
|
|
|
|
|
|
#start syslog if it is not up
|
|
if (xCAT::Utils->isLinux()) {
|
|
my $init_file="/etc/init.d/syslog";
|
|
if (-f "/etc/fedora-release") {
|
|
$init_file="/etc/init.d/rsyslog";
|
|
}
|
|
if ( -x $init_file ) {
|
|
my $result=`$init_file status 2>&1`;
|
|
if ($result !~ /running/i) {
|
|
`$init_file start`;
|
|
}
|
|
}
|
|
} else {
|
|
my $result=`lssrc -s syslogd 2>&1`;
|
|
if ($result !~ /active/i) {
|
|
`startsrc -s syslogd`;
|
|
}
|
|
}
|
|
|
|
|
|
my $quit = 0;
|
|
my $port;
|
|
my $sport;
|
|
my $domain;
|
|
my $xcatdir;
|
|
my $sitetab;
|
|
my $retries = 0;
|
|
# The database initialization may take some time in the system boot scenario
|
|
# wait for a while for the database initialization
|
|
while (!($sitetab=xCAT::Table->new('site')) && $retries < 200)
|
|
{
|
|
print ("Can not open basic site table for configuration, waiting the database to be initialized.\n");
|
|
sleep 1;
|
|
$retries++;
|
|
}
|
|
unless ($sitetab) {
|
|
xCAT::MsgUtils->message("S","ERROR: Unable to open basic site table for configuration");
|
|
die;
|
|
}
|
|
|
|
my ($tmp) = $sitetab->getAttribs({'key'=>'xcatdport'},'value');
|
|
unless ($tmp) {
|
|
xCAT::MsgUtils->message("S","ERROR:Need xcatdport defined in site table, try chtab key=xcatdport site.value=3001");
|
|
die;
|
|
}
|
|
$port = $tmp->{value};
|
|
$sport = $tmp->{value}+1;
|
|
|
|
|
|
my $plugins_dir=$::XCATROOT.'/lib/perl/xCAT_plugin';
|
|
($tmp) = $sitetab->getAttribs({'key'=>'xcatconfdir'},'value');
|
|
$xcatdir = (($tmp and $tmp->{value}) ? $tmp->{value} : "/etc/xcat");
|
|
|
|
$sitetab->close;
|
|
my $progname;
|
|
$SIG{PIPE} = sub {
|
|
confess "SIGPIPE $$progname encountered a broken pipe (probably Ctrl-C by client)"
|
|
};
|
|
$progname = \$0;
|
|
|
|
#create and update any xCAt tables
|
|
#create the user defined external database tables if they do not exist.
|
|
#update the tables if there are schema changes.
|
|
# runsqlcmd runs sql scripts provided by the user in
|
|
# /opt/xcat/lib/perl/xCAT_schema
|
|
|
|
if (xCAT::Utils->isMN()) {
|
|
# update schema for xCAT tables
|
|
my @table;
|
|
push @table,xCAT::Table->getTableList();
|
|
foreach my $tablename (@table) {
|
|
my $tablelisttab=xCAT::Table->new($tablename,-create=>1);
|
|
my $rc= $tablelisttab->updateschema();
|
|
$tablelisttab->close;
|
|
}
|
|
# update schema for user tables
|
|
xCAT::ExtTab->updateTables();
|
|
# run any sql commands
|
|
`$::XCATROOT/sbin/runsqlcmd`;
|
|
}
|
|
|
|
|
|
sub daemonize {
|
|
chdir('/');
|
|
umask 0022;
|
|
my $pid;
|
|
if (! defined($pid = xCAT::Utils->xfork)) {
|
|
xCAT::MsgUtils->message("S","Can't fork: $!");
|
|
die;
|
|
}
|
|
if ($pid) {
|
|
if ($pidfile) {
|
|
open(PFILE, '>', $pidfile);
|
|
print PFILE $pid;
|
|
close (PFILE);
|
|
} else {
|
|
xCAT::MsgUtils->message("S","xCATd starting as PID $pid");
|
|
}
|
|
exit;
|
|
}
|
|
if (! open STDIN, '/dev/null') {
|
|
xCAT::MsgUtils->message("S","Can't read /dev/null: $!");
|
|
die;
|
|
}
|
|
open STDOUT, '>/dev/null';
|
|
open STDERR, '>/dev/null';
|
|
$0='xcatd';
|
|
$progname = \$0;
|
|
if (! setsid) {
|
|
xCAT::MsgUtils->message("S","Can't start new session");
|
|
die;
|
|
}
|
|
}
|
|
|
|
my %cmd_handlers;
|
|
sub do_installm_service {
|
|
#This function servers as a handler for messages from installing nodes
|
|
my $socket;
|
|
my $installpidfile;
|
|
my $retry=1;
|
|
$SIG{USR2} = sub {
|
|
xCAT::MsgUtils->message("S","xcatd install monitor $$ quiescing");
|
|
unlink("/tmp/xcat/installservice.pid"); close($socket); $quit=1; };
|
|
if (open($installpidfile,"<","/tmp/xcat/installservice.pid")) {
|
|
my $pid = <$installpidfile>;
|
|
if ($pid) {
|
|
$retry=100; #grace period for old instance to get out of the way, 5 seconds
|
|
kill 12,$pid;
|
|
yield(); # let peer have a shot at closure
|
|
}
|
|
close($installpidfile);
|
|
}
|
|
while (not $socket and $retry) {
|
|
$retry--;
|
|
if ($inet6support) {
|
|
$socket = IO::Socket::INET6->new(LocalPort=>$sport,
|
|
Proto => 'tcp',
|
|
ReuseAddr => 1,
|
|
Listen => 8192);
|
|
} else {
|
|
$socket = IO::Socket::INET->new(LocalPort=>$sport,
|
|
Proto => 'tcp',
|
|
ReuseAddr => 1,
|
|
Listen => 8192);
|
|
}
|
|
sleep 0.05; #up to 50 ms outage possible
|
|
}
|
|
open($installpidfile,">","/tmp/xcat/installservice.pid"); #if here, everyone else has unlinked installservicepid or doesn't care
|
|
print $installpidfile $$;
|
|
close($installpidfile);
|
|
|
|
unless ($socket) {
|
|
xCAT::MsgUtils->message("S","xcatd unable to open install monitor services on $sport");
|
|
die;
|
|
}
|
|
until ($quit) {
|
|
$SIG{ALRM} = sub { xCAT::MsgUtils->message("S","XCATTIMEOUT"); die; };
|
|
my $conn;
|
|
next unless $conn = $socket->accept;
|
|
|
|
my @clients;
|
|
if ($inet6support) {
|
|
@clients = gethostbyaddr($conn->peeraddr,AF_INET6);
|
|
} else {
|
|
@clients = gethostbyaddr($conn->peeraddr,AF_INET);
|
|
}
|
|
|
|
my $validclient=0;
|
|
my $node;
|
|
foreach my $client (@clients) {
|
|
$client =~ s/\..*//;
|
|
($node) = noderange($client); #ensure this is coming from a node IP at least
|
|
if ($node) { #Means the source isn't a valid deal...
|
|
$validclient=1;
|
|
last;
|
|
}
|
|
}
|
|
unless ($validclient) {
|
|
close($conn);
|
|
next;
|
|
}
|
|
my $tftpdir = xCAT::Utils->getTftpDir();
|
|
eval {
|
|
alarm(2);
|
|
print $conn "ready\n";
|
|
while (my $text = <$conn>) {
|
|
alarm(0);
|
|
print $conn "done\n";
|
|
$text =~ s/\r//g;
|
|
if ($text =~ /next/) {
|
|
my %request = (
|
|
command => [ 'nodeset' ],
|
|
node => [ $node ],
|
|
arg => [ 'next' ],
|
|
);
|
|
#node should be blocked, race condition may occur otherwise
|
|
#my $pid=xCAT::Utils->xfork();
|
|
#unless ($pid) { #fork off the nodeset and potential slowness
|
|
plugin_command(\%request,undef,\&build_response);
|
|
# exit(0);
|
|
#}
|
|
close($conn);
|
|
} elsif ($text =~ /installstatus/) {
|
|
my @tmpa=split(' ', $text);
|
|
for (my $i = 1; $i <= @tmpa-1; $i++) {
|
|
my $newstat=$tmpa[$i];
|
|
my %request = (
|
|
command => [ 'updatenodestat' ],
|
|
node => [ $node ],
|
|
arg => [ "$newstat" ],
|
|
);
|
|
#node should be blocked, race condition may occur otherwise
|
|
#my $pid=xCAT::Utils->xfork();
|
|
#unless ($pid) { #fork off the nodeset and potential slowness
|
|
plugin_command(\%request,undef,\&build_response);
|
|
# exit(0);
|
|
#}
|
|
}
|
|
close($conn);
|
|
} elsif ($text =~ /^unlocktftpdir/) { #TODO: only nodes in install state should be allowed
|
|
mkpath("$tftpdir/xcat/$node");
|
|
chmod 01777,"$tftpdir/xcat/$node";
|
|
chmod 0666,glob("$tftpdir/xcat/$node/*");
|
|
close($conn);
|
|
} elsif ($text =~ /locktftpdir/) {
|
|
chmod 0755,"$tftpdir/xcat/$node";
|
|
chmod 0644,glob("$tftpdir/xcat/$node/*");
|
|
} elsif ($text =~ /^getpostscript/) {
|
|
my $reply =plugin_command({command=>['getpostscript'],_xcat_clienthost=>[$node]},undef,\&build_response);
|
|
foreach (@{$reply->{data}}) {
|
|
print $conn $_;
|
|
}
|
|
print $conn "#END OF SCRIPT\n";
|
|
close($conn);
|
|
} elsif ($text =~ /^syncfiles/) {
|
|
plugin_command({command=>['syncfiles'],_xcat_clienthost=>[$node]},undef,\&build_response);
|
|
print $conn "syncfiles done\n";
|
|
close($conn);
|
|
} elsif ($text =~ /^setiscsiparms/) {
|
|
$text =~ s/^setiscsiparms\s+//;
|
|
my $kname;
|
|
my $iname;
|
|
my $kcmdline;
|
|
($kname,$iname,$kcmdline) = split(/\s+/,$text,3);
|
|
chomp($kcmdline);
|
|
my $bptab = xCAT::Table->new('bootparams',-create=>1);
|
|
$bptab->setNodeAttribs($node,{kernel=>"xcat/$node/$kname",initrd=>"xcat/$node/$iname",kcmdline=>$kcmdline});
|
|
my $iscsitab = xCAT::Table->new('iscsi',-create=>1);
|
|
$iscsitab->setNodeAttribs($node,{kernel=>"xcat/$node/$kname",initrd=>"xcat/$node/$iname",kcmdline=>$kcmdline});
|
|
my $chaintab = xCAT::Table->new('chain',-create=>1);
|
|
$chaintab->setNodeAttribs($node,{currstate=>'iscsiboot',currchain=>'netboot'});
|
|
$bptab->close;
|
|
$chaintab->close;
|
|
undef $bptab;
|
|
undef $chaintab;
|
|
my %request = (
|
|
command => [ 'nodeset' ],
|
|
node => [ $node ],
|
|
arg => [ 'enact' ],
|
|
);
|
|
my $pid=xCAT::Utils->xfork();
|
|
unless ($pid) { #fork off the nodeset and potential slowness
|
|
plugin_command(\%request,undef,\&build_response);
|
|
xexit(0);
|
|
}
|
|
}
|
|
alarm(2);
|
|
}
|
|
alarm(0);
|
|
};
|
|
if ($@) {
|
|
if ($@ =~ /XCATTIMEOUT/) {
|
|
xCAT::MsgUtils->message("S","xcatd installmonitor timed out talking to $node");
|
|
} else {
|
|
xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT install monitor service: ".$@);
|
|
}
|
|
}
|
|
}
|
|
if (open($installpidfile,"<","/tmp/xcat/installservice.pid")) {
|
|
my $pid = <$installpidfile>;
|
|
if ($pid == $$) { #if our pid, unlink the file, otherwise, we managed to see the pid after someone else created it
|
|
unlink("/tmp/xcat/installservice.pid");
|
|
}
|
|
close($installpidfile);
|
|
}
|
|
}
|
|
|
|
|
|
sub do_udp_service { #This function opens up a UDP port
|
|
#It will do similar to the standard service, except:
|
|
#-Obviously, unencrypted and messages are not guaranteed
|
|
#-For that reason, more often than not plugins designed with
|
|
#-this method will not expect to have a callback
|
|
#Also, this throttles to handle one message at a time, so no forking either
|
|
#Explicitly, to handle whatever operations nodes periodically send during discover state
|
|
#Could be used for heartbeating and such as desired
|
|
$dispatch_requests=0;
|
|
my $udppidfile;
|
|
my $retry=1;
|
|
my $socket;
|
|
$SIG{USR2} = sub {
|
|
xCAT::MsgUtils->message("S","xcatd udp service $$ quiescing");
|
|
unlink("/tmp/xcat/udpservice.pid"); close($socket); $quit=1; };
|
|
if (open($udppidfile,"<","/tmp/xcat/udpservice.pid")) {
|
|
my $pid = <$udppidfile>;
|
|
if ($pid) {
|
|
$retry=100; #grace period for old instance to get out of the way, 5 seconds
|
|
kill 12,$pid;
|
|
yield(); # let peer have a shot at closure
|
|
}
|
|
close($udppidfile);
|
|
}
|
|
my $select = new IO::Select;
|
|
while (not $socket and $retry) {
|
|
if ($inet6support) {
|
|
$socket = IO::Socket::INET6->new(LocalPort => $port,
|
|
Proto => 'udp',
|
|
Domain => AF_INET);
|
|
} else {
|
|
$socket = IO::Socket::INET->new(LocalPort => $port,
|
|
Proto => 'udp',
|
|
Domain => AF_INET);
|
|
}
|
|
sleep 0.05;
|
|
}
|
|
open($udppidfile,">","/tmp/xcat/udpservice.pid"); #if here, everyone else has unlinked udpservicepid or doesn't care
|
|
print $udppidfile $$;
|
|
close($udppidfile);
|
|
|
|
openlog("xCAT UDP",'','local4');
|
|
unless ($socket) {
|
|
xCAT::MsgUtils->message("S","xCAT UDP service unable to open port $port: $!");
|
|
closelog();
|
|
die "Unable to start UDP on $port";
|
|
}
|
|
$select->add($socket);
|
|
my $data;
|
|
my $part;
|
|
my $sport;
|
|
my $client;
|
|
my $peerhost;
|
|
my %packets;
|
|
my $actualpid=$$;
|
|
until ($quit) {
|
|
eval {
|
|
while (1) {
|
|
unless ($actualpid == $$) { #This really should be impossible now...
|
|
xCAT::MsgUtils->message("S","xcatd: Something absolutely ludicrous happpened, xCAT developers think this message is impossible to see, post if you see it, fork bomb averted");
|
|
exit(1);
|
|
}
|
|
until ($select->can_read(5)) { if ($quit) { last; }; yield; } #Wait for data
|
|
while ($select->can_read(0)) { #Pull all buffer data that can be pulled
|
|
$part = $socket->recv($data,1500);
|
|
($sport,$client) = sockaddr_in($part);
|
|
if ($sport < 1000) { #Only remember udp packets from privileged ports
|
|
$packets{inet_ntoa($client)} = [$part,$data];
|
|
}
|
|
}
|
|
foreach my $pkey (keys %packets) {
|
|
($sport,$client) = sockaddr_in($packets{$pkey}->[0]);
|
|
$data=$packets{$pkey}->[1];
|
|
$peerhost=gethostbyaddr($client,AF_INET);
|
|
$peerhost .="\n";
|
|
my $req = eval { XMLin($data, SuppressEmpty=>undef,ForceArray=>1) };
|
|
if ($req and $req->{command} and ($req->{command}->[0] eq "findme")) {
|
|
$req->{'_xcat_clienthost'}=gethostbyaddr($client,AF_INET);
|
|
$req->{'_xcat_clientip'}=inet_ntoa($client);
|
|
$req->{'_xcat_clientport'}=$sport;
|
|
if (defined($cmd_handlers{"findme"}) and xCAT::Utils->nodeonmynet(inet_ntoa($client))) { #only discover from ips that appear to be on a managed network
|
|
$req->{cacheonly}->[0] = 1;
|
|
plugin_command($req,undef,\&build_response);
|
|
if ($req->{cacheonly}->[0]) {
|
|
delete $req->{cacheonly};
|
|
plugin_command($req,undef,\&build_response);
|
|
#if ($req) {
|
|
# $req->{cacheonly}->[0] = 1;
|
|
# $req->{checkallmacs}->[0] = 1;
|
|
# plugin_command($req,undef,\&convey_response);
|
|
# }
|
|
|
|
}
|
|
}
|
|
}
|
|
if ($quit) { last; }
|
|
while ($select->can_read(0)) { #grab any incoming requests during run
|
|
$part = $socket->recv($data,1500);
|
|
($sport,$client) = sockaddr_in($part);
|
|
$packets{inet_ntoa($client)} = [$part,$data];
|
|
}
|
|
#Some of those 'future' packets might be stale dupes of this packet, so...
|
|
delete $packets{$pkey}; #Delete any duplicates of current packet
|
|
}
|
|
if ($quit) { last; }
|
|
}
|
|
};
|
|
if ($@) {
|
|
xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT UDP service: ".$@);
|
|
}
|
|
unless ($actualpid == $$) { #We should absolutely never be here, exponential growth from a plugin crash.
|
|
xCAT::MsgUtils->message("S","xcatd: Something ludicrous happpened, bailing to avoid fork bomb, double check perl XS modules like 'net-snmp-perl'");
|
|
exit 1;
|
|
}
|
|
}
|
|
if (open($udppidfile,"<","/tmp/xcat/udpservice.pid")) {
|
|
my $pid = <$udppidfile>;
|
|
if ($pid == $$) { #if our pid, unlink the file, otherwise, we managed to see the pid after someone else created it
|
|
unlink("/tmp/xcat/udpservice.pid");
|
|
}
|
|
close($udppidfile);
|
|
}
|
|
}
|
|
|
|
|
|
|
|
sub scan_plugins {
|
|
my @plugins=glob($plugins_dir."/*.pm");
|
|
foreach (@plugins) {
|
|
/.*\/([^\/]*).pm$/;
|
|
my $modname = $1;
|
|
unless ( eval { require "$_" }) {
|
|
xCAT::MsgUtils->message("S","Error loading module ".$_." ...skipping");
|
|
|
|
next;
|
|
}
|
|
no strict 'refs';
|
|
my $cmd_adds=${"xCAT_plugin::".$modname."::"}{handled_commands}->();
|
|
foreach (keys %$cmd_adds) {
|
|
my $value = $_;
|
|
my @modulehandlerinfos;
|
|
if (ref $cmd_adds->{$_}) {
|
|
@modulehandlerinfos=@{$cmd_adds->{$value}};
|
|
} else {
|
|
@modulehandlerinfos=($cmd_adds->{$value});
|
|
}
|
|
unless (defined($cmd_handlers{$value})) {
|
|
$cmd_handlers{$value} = [ ];
|
|
}
|
|
# Add every plugin registration to cmd_handlers
|
|
foreach (@modulehandlerinfos) {
|
|
push @{$cmd_handlers{$value}},[$modname,$_];
|
|
}
|
|
}
|
|
}
|
|
foreach (@plugins) {
|
|
no strict 'refs';
|
|
/.*\/([^\/]*).pm$/;
|
|
my $modname = $1;
|
|
unless (defined(${"xCAT_plugin::".$modname."::"}{init_plugin})) {
|
|
next;
|
|
}
|
|
${"xCAT_plugin::".$modname."::"}{init_plugin}->(\&do_request);
|
|
}
|
|
}
|
|
scan_plugins;
|
|
unless (xCAT::Utils->isLinux()) { # messes up the output of the service cmd on linux
|
|
eval {
|
|
xCAT::MsgUtils->message("S","xCATd: service starting");
|
|
};
|
|
}
|
|
if ($@) {
|
|
print "ERROR: $@";
|
|
xexit;
|
|
}
|
|
unless ($foreground) {
|
|
daemonize;
|
|
}
|
|
|
|
$dbmaster=xCAT::Table::init_dbworker;
|
|
my $CHILDPID=0; #Global for reapers
|
|
my %immediatechildren;
|
|
sub generic_reaper {
|
|
while (($CHILDPID=waitpid(-1,WNOHANG)) > 0) {
|
|
yield;
|
|
}
|
|
$SIG{CHLD} = \&generic_reaper;
|
|
}
|
|
|
|
sub ssl_reaper {
|
|
while (($CHILDPID=waitpid(-1,WNOHANG)) > 0) {
|
|
if ($immediatechildren{$CHILDPID}) {
|
|
delete $immediatechildren{$CHILDPID};
|
|
}
|
|
$sslclients--;
|
|
}
|
|
$SIG{CHLD} = \&ssl_reaper;
|
|
}
|
|
|
|
sub dispatch_reaper {
|
|
while (($CHILDPID =waitpid(-1, WNOHANG)) > 0) {
|
|
if ($dispatched_children{$CHILDPID}) {
|
|
delete $dispatched_children{$CHILDPID};
|
|
$dispatch_children--;
|
|
}
|
|
}
|
|
$SIG{CHLD} = \&dispatch_reaper;
|
|
}
|
|
|
|
sub plugin_reaper {
|
|
while (($CHILDPID = waitpid(-1, WNOHANG)) > 0) {
|
|
if ($plugin_children{$CHILDPID}) {
|
|
delete $plugin_children{$CHILDPID};
|
|
$plugin_numchildren--;
|
|
}
|
|
}
|
|
$SIG{CHLD} = \&plugin_reaper;
|
|
}
|
|
|
|
$SIG{CHLD} = \&generic_reaper;
|
|
|
|
my $pid_UDP;
|
|
my $pid_MON;
|
|
$SIG{TERM} = $SIG{INT} = sub {
|
|
#printf("Asked to quit...\n");
|
|
$quit++;
|
|
foreach (keys %dispatched_children) {
|
|
kill 2, $_;
|
|
}
|
|
foreach (keys %plugin_children) {
|
|
kill 2, $_;
|
|
}
|
|
if ($pid_UDP) {
|
|
kill 2, $pid_UDP;
|
|
}
|
|
if ($pid_MON) {
|
|
kill 2, $pid_MON;
|
|
}
|
|
xCAT::Table::shut_dbworker;
|
|
if ($dbmaster) {
|
|
kill 2, $dbmaster;
|
|
}
|
|
$SIG{ALRM} = sub { xexit 0; }; #die "Did not close out in time for 5 second grace period"; };
|
|
alarm(2);
|
|
};
|
|
|
|
$pid_UDP = xCAT::Utils->xfork;
|
|
if (! defined $pid_UDP) {
|
|
xCAT::MsgUtils->message("S", "Unable to fork for UDP/TCP");
|
|
die;
|
|
}
|
|
unless ($pid_UDP) {
|
|
$$progname="xcatd: UDP listener";
|
|
do_udp_service;
|
|
xexit(0);
|
|
}
|
|
$pid_MON = xCAT::Utils->xfork;
|
|
if (! defined $pid_MON) {
|
|
xCAT::MsgUtils->message("S", "Unable to fork installmonitor");
|
|
die;
|
|
}
|
|
unless ($pid_MON) {
|
|
$$progname="xcatd: install monitor";
|
|
do_installm_service;
|
|
xexit(0);
|
|
}
|
|
$$progname="xcatd: SSL listener";
|
|
|
|
#setup signal in NotifHandler so that the cache can be updated
|
|
xCAT::NotifHandler::setup($$, $dbmaster);
|
|
|
|
#start the monitoring process
|
|
xCAT_monitoring::monitorctrl::start($$);
|
|
|
|
my $peername;
|
|
my $ssltimeout;
|
|
my $retry=1;
|
|
openlog("xCAT SSL","","local4");
|
|
my $listener;
|
|
my $mainpidfile;
|
|
$SIG{USR2} = sub {
|
|
xCAT::MsgUtils->message("S","xcatd main service $$ quiescing");
|
|
unlink("/tmp/xcat/mainservice.pid"); close($listener); $quit=1; $listener=0; };
|
|
if (open($mainpidfile,"<","/tmp/xcat/mainservice.pid")) {
|
|
my $pid = <$mainpidfile>;
|
|
if ($pid) {
|
|
$retry=100; #grace period for old instance to get out of the way, 5 seconds
|
|
kill 12,$pid;
|
|
yield(); # let peer have a shot at closure
|
|
}
|
|
close($mainpidfile);
|
|
}
|
|
while (not $listener and $retry) {
|
|
$retry--;
|
|
if ($inet6support) {
|
|
$listener = IO::Socket::INET6->new(
|
|
LocalPort => $port,
|
|
Listen => 8192,
|
|
Reuse => 1,
|
|
);
|
|
} else {
|
|
$listener = IO::Socket::INET->new(
|
|
LocalPort => $port,
|
|
Listen => 8192,
|
|
Reuse => 1,
|
|
);
|
|
}
|
|
sleep(0.05);
|
|
}
|
|
open($mainpidfile,">","/tmp/xcat/mainservice.pid"); #if here, everyone else has unlinked mainservicepid or doesn't care
|
|
print $mainpidfile $$;
|
|
close($mainpidfile);
|
|
|
|
unless ($listener) {
|
|
kill 2, $pid_UDP;
|
|
kill 2, $pid_MON;
|
|
xCAT::Table::shut_dbworker;
|
|
if ($dbmaster) {
|
|
kill 2, $dbmaster;
|
|
}
|
|
xCAT::MsgUtils->message("S","xCAT service unable to open SSL services on $port: $!");
|
|
closelog();
|
|
die "ERROR:Unable to start xCAT service on port $port.";
|
|
}
|
|
closelog();
|
|
until ($quit) {
|
|
$SIG{CHLD} = \&ssl_reaper; #set here to ensure that signal handler is not corrupted during loop
|
|
next unless my $cnnection=$listener->accept;
|
|
my $connection;
|
|
while ($sslclients > $maxsslclients) { #THROTTLE
|
|
sleep 0.1; #Keep processor utilization down
|
|
}
|
|
my $child = xCAT::Utils->xfork(); #Yes we fork, IO::Socket::SSL is not threadsafe..
|
|
if ($child) {
|
|
$immediatechildren{$child}=1;
|
|
}
|
|
|
|
unless (defined $child) {
|
|
xCAT::MsgUtils->message("S","xCATd cannot fork");
|
|
die;
|
|
}
|
|
|
|
if ($child == 0) {
|
|
$SIG{TERM} = $SIG{INT} = {};
|
|
$SIG{CHLD} = \&generic_reaper; #THROTTLE
|
|
$listener->close;
|
|
|
|
$SIG{ALRM} = sub { $ssltimeout = 1; die; };
|
|
eval {
|
|
alarm(10);
|
|
$connection = IO::Socket::SSL->start_SSL($cnnection,
|
|
SSL_key_file=>$xcatdir."/cert/server-cred.pem",
|
|
SSL_cert_file=>$xcatdir."/cert/server-cred.pem",
|
|
SSL_ca_file=>$xcatdir."/cert/ca.pem",
|
|
SSL_server=>1,
|
|
SSL_verify_mode=> 1
|
|
);
|
|
alarm(0);
|
|
};
|
|
$SIG{ALRM}='DEFAULT';
|
|
if ($@) { #SSL failure
|
|
close($cnnection);
|
|
xexit 0;
|
|
}
|
|
unless ($connection) {
|
|
xexit 0;
|
|
}
|
|
$clientselect->add($connection);
|
|
my $peerhost=undef;
|
|
my $peerfqdn=undef;
|
|
my $peer=$connection->peer_certificate("owner");
|
|
if ($peer) {
|
|
$peer =~ m/CN=([^\/]*)/;
|
|
$peername = $1;
|
|
} else {
|
|
$peername=undef;
|
|
}
|
|
$sitetab=xCAT::Table->new('site');
|
|
my ($tmp) = $sitetab->getAttribs({'key'=>'domain'},'value');
|
|
if (defined $tmp->{value}) {
|
|
$domain = $tmp->{value};
|
|
}
|
|
$sitetab->close;
|
|
|
|
if ($inet6support) {
|
|
$peerhost = gethostbyaddr($connection->peeraddr,AF_INET6);
|
|
} else {
|
|
$peerhost = gethostbyaddr($connection->peeraddr,AF_INET);
|
|
}
|
|
|
|
|
|
unless ($peerhost) { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET); }
|
|
$peerfqdn=$peerhost;
|
|
|
|
if ($domain) {
|
|
# strip off domain if set
|
|
$peerhost && $peerhost =~ s/\.$domain\.*$//;
|
|
} else {
|
|
# otherwise just strip off whatever comes after the first dot
|
|
$peerhost && $peerhost =~ s/\..*//;
|
|
}
|
|
|
|
$peerhost && $peerhost =~ s/-eth\d*$//;
|
|
$peerhost && $peerhost =~ s/-myri\d*$//;
|
|
$peerhost && $peerhost =~ s/-ib\d*$//;
|
|
#printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n");
|
|
$$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost) if $peerhost;
|
|
service_connection($connection,$peername,$peerhost,$peerfqdn);
|
|
xexit(0);
|
|
}
|
|
$sslclients++; #THROTTLE
|
|
$cnnection->close();
|
|
}
|
|
if (open($mainpidfile,"<","/tmp/xcat/mainservice.pid")) {
|
|
my $pid = <$mainpidfile>;
|
|
if ($pid == $$) { #if our pid, unlink the file, otherwise, we managed to see the pid after someone else created it
|
|
unlink("/tmp/xcat/mainservice.pid");
|
|
}
|
|
close($mainpidfile);
|
|
}
|
|
if ($listener) { $listener->close; }
|
|
while (keys %immediatechildren) { yield(); }
|
|
xCAT::Table::shut_dbworker;
|
|
if ($dbmaster) {
|
|
kill 2, $dbmaster;
|
|
}
|
|
|
|
#stop the monitoring process
|
|
xCAT_monitoring::monitorctrl::stop($$);
|
|
|
|
my $parent_fd;
|
|
my %resps;
|
|
|
|
|
|
|
|
|
|
|
|
sub plugin_command {
|
|
my $req = shift;
|
|
my $sock = shift;
|
|
my $callback = shift;
|
|
my %handler_hash;
|
|
my $usesiteglobal = 0;
|
|
use xCAT::NodeRange qw/extnoderange nodesmissed noderange/;
|
|
$Main::resps={};
|
|
my @nodes;
|
|
if ($req->{node}) {
|
|
@nodes = @{$req->{node}};
|
|
} elsif ($req->{noderange} and $req->{noderange}->[0]) {
|
|
@nodes = noderange($req->{noderange}->[0]);
|
|
if (nodesmissed) {
|
|
my $rsp = {errorcode=>1,error=>"Invalid nodes and/or groups in noderange: ".join(',',nodesmissed)};
|
|
$rsp->{serverdone} = {};
|
|
if ($sock) {
|
|
print $sock XMLout($rsp,RootName=>'xcatresponse' ,NoAttr=>1);
|
|
}
|
|
return ($rsp);
|
|
}
|
|
unless (@nodes) {
|
|
$req->{emptynoderange} = [1];
|
|
}
|
|
}
|
|
if (@nodes) { $req->{node} = \@nodes; }
|
|
my %unhandled_nodes;
|
|
foreach (@nodes) {
|
|
$unhandled_nodes{$_}=1;
|
|
}
|
|
my $useunhandled=0;
|
|
if (defined($cmd_handlers{$req->{command}->[0]})) {
|
|
my $hdlspec;
|
|
my @globalhandlers=();
|
|
my $useglobals=1; #If it stays 1, then use globals normally, if 0, use only for 'unhandled_nodes, if -1, don't do at all
|
|
foreach (@{$cmd_handlers{$req->{command}->[0]}}) {
|
|
$hdlspec =$_->[1];
|
|
my $ownmod = $_->[0];
|
|
if ($hdlspec =~ /^site:/) { #A site entry specifies a plugin
|
|
my $sitekey = $hdlspec;
|
|
$sitekey =~ s/^site://;
|
|
$sitetab = xCAT::Table->new('site');
|
|
my $sent = $sitetab->getAttribs({key=>$sitekey},['value']);
|
|
if ($sent and $sent->{value}) { #A site style plugin specification is just like
|
|
#a static global, it grabs all nodes rather than some
|
|
$useglobals = -1; #If they tried to specify anything, don't use the default global handlers at all
|
|
unless (@nodes) {
|
|
$handler_hash{$sent->{value}} = 1;
|
|
$usesiteglobal = 1;
|
|
}
|
|
foreach (@nodes) { #Specified a specific plugin, not a table lookup
|
|
$handler_hash{$sent->{value}}->{$_} = 1;
|
|
}
|
|
}
|
|
} elsif ($hdlspec =~ /:/) { #Specificed a table lookup path for plugin name
|
|
if (@nodes) { # only use table lookup plugin if nodelist exists
|
|
# Usage will be handled in common AAAhelp plugin
|
|
$useglobals = 0; #Only contemplate nodes that aren't caught through searching below in the global handler
|
|
$useunhandled=1;
|
|
my $table;
|
|
my $cols;
|
|
($table,$cols) = split(/:/,$hdlspec);
|
|
my @colmns=split(/,/,$cols);
|
|
my @columns;
|
|
my $hdlrtable=xCAT::Table->new($table);
|
|
unless ($hdlrtable) {
|
|
#TODO: proper error handling
|
|
}
|
|
my $node;
|
|
my $colvals = {};
|
|
foreach my $colu (@colmns) {
|
|
if ($colu =~ /=/) { #a value redirect to a pattern/specific name
|
|
my $coln; my $colv;
|
|
($coln,$colv) = split(/=/,$colu,2);
|
|
$colvals->{$coln} = $colv;
|
|
push (@columns,$coln);
|
|
} else {
|
|
push (@columns,$colu);
|
|
}
|
|
}
|
|
|
|
|
|
unless (@nodes) { #register the plugin in the event of usage
|
|
$handler_hash{$ownmod} = 1;
|
|
$useglobals = 1;
|
|
}
|
|
my $hdlrcache;
|
|
if ($hdlrtable) {
|
|
$hdlrcache = $hdlrtable->getNodesAttribs(\@nodes,\@columns);
|
|
}
|
|
foreach $node (@nodes) {
|
|
unless ($hdlrcache) { next; }
|
|
my $attribs = $hdlrcache->{$node}->[0]; #$hdlrtable->getNodeAttribs($node,\@columns);
|
|
unless (defined($attribs)) { next; }
|
|
foreach (@columns) {
|
|
my $col=$_;
|
|
if (defined($attribs->{$col})) {
|
|
if ($colvals->{$col}) { #A pattern match style request.
|
|
if ($attribs->{$col} =~ /$colvals->{$col}/) {
|
|
$handler_hash{$ownmod}->{$node} = 1;
|
|
delete $unhandled_nodes{$node};
|
|
last;
|
|
}
|
|
} else {
|
|
# call the plugin that matches the table value for that node
|
|
if ($attribs->{$col} =~ /$ownmod/) {
|
|
$handler_hash{$attribs->{$col}}->{$node} = 1;
|
|
delete $unhandled_nodes{$node};
|
|
last;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
$hdlrtable->close;
|
|
} # end if (@nodes)
|
|
|
|
} else {
|
|
push @globalhandlers,$hdlspec;
|
|
}
|
|
}
|
|
if ($useglobals == 1) { #Behavior when globals have not been overriden
|
|
my $hdlspec;
|
|
foreach $hdlspec (@globalhandlers) {
|
|
unless (@nodes) {
|
|
$handler_hash{$hdlspec} = 1;
|
|
}
|
|
foreach (@nodes) { #Specified a specific plugin, not a table lookup
|
|
$handler_hash{$hdlspec}->{$_} = 1;
|
|
}
|
|
}
|
|
} elsif ($useglobals == 0) {
|
|
unless (@nodes or $usesiteglobal) { #if something like 'makedhcp -n',
|
|
foreach (keys %handler_hash) {
|
|
if ($handler_hash{$_} == 1) {
|
|
delete ($handler_hash{$_})
|
|
}
|
|
}
|
|
}
|
|
foreach $hdlspec (@globalhandlers) {
|
|
unless (@nodes or $usesiteglobal) {
|
|
$handler_hash{$hdlspec} = 1;
|
|
}
|
|
foreach (keys %unhandled_nodes) { #Specified a specific plugin, not a table lookup
|
|
$handler_hash{$hdlspec}->{$_} = 1;
|
|
}
|
|
}
|
|
} #Otherwise, global handler is implicitly disabled
|
|
} else {
|
|
return 1; #TODO: error back that request has no known plugin for it
|
|
}
|
|
if ($useunhandled) {
|
|
my $queuelist='';
|
|
foreach (@{$cmd_handlers{$req->{command}->[0]}}) {
|
|
my $queueitem = $_->[1];
|
|
if (($queueitem =~ /:/) and !($queuelist =~ /($queueitem)/)) {
|
|
$queuelist .= "$_->[1];";
|
|
}
|
|
}
|
|
$queuelist =~ s/;$//;
|
|
$queuelist =~ s/:/./g;
|
|
foreach (keys %unhandled_nodes) {
|
|
if ($sock) {
|
|
print $sock XMLout({node=>[{name=>[$_],error=>["Unable to identify plugin for this command, check relevant tables: $queuelist"],errorcode=>[1]}]},NoAttr=>1,RootName=>'xcatresponse');
|
|
} else {
|
|
my $tabdesc = $queuelist;
|
|
$tabdesc =~ s/=.*$//;
|
|
$callback->({node=>[{name=>[$_],error=>['Unable to identify plugin for this command, check relevant tables: '.$tabdesc],errorcode=>[1]}]});
|
|
}
|
|
}
|
|
}
|
|
$plugin_numchildren=0;
|
|
%plugin_children=();
|
|
# save the old signal
|
|
my $old_sig_chld = $SIG{CHLD};
|
|
$SIG{CHLD} = \&plugin_reaper; #sub {my $plugpid; while (($plugpid = waitpid(-1, WNOHANG)) > 0) { if ($plugin_children{$plugpid}) { delete $plugin_children{$plugpid}; $plugin_numchildren--; } } };
|
|
my $check_fds;
|
|
if ($sock) {
|
|
$check_fds = new IO::Select;
|
|
}
|
|
foreach (keys %handler_hash) {
|
|
my $modname = $_;
|
|
my $shouldbealivepid=$$;
|
|
if (-r $plugins_dir."/".$modname.".pm") {
|
|
require $plugins_dir."/".$modname.".pm";
|
|
$plugin_numchildren++;
|
|
my $pfd; #will be referenced for inter-process messaging.
|
|
my $parfd; #not causing a problem that I discern yet, but theoretically
|
|
my $child;
|
|
if ($sock) { #If $sock not passed in, don't fork..
|
|
if (! socketpair($pfd, $parfd,AF_UNIX,SOCK_STREAM,PF_UNSPEC)) {
|
|
xCAT::MsgUtils->message("S", "socketpair failed: $!");
|
|
die;
|
|
}
|
|
#pipe($pfd,$cfd);
|
|
$parfd->autoflush(1);
|
|
$pfd->autoflush(1);
|
|
binmode($parfd,':utf8');
|
|
binmode($pfd,':utf8');
|
|
$child = xCAT::Utils->xfork;
|
|
} else {
|
|
$child = 0;
|
|
}
|
|
unless (defined $child) {
|
|
xCAT::MsgUtils->message("S", "Fork failed");
|
|
die;
|
|
}
|
|
if ($child == 0) {
|
|
if ($parfd) { #If xCAT is doing multiple requests in same communication PID, things would get unfortunate otherwise
|
|
$parent_fd = $parfd;
|
|
}
|
|
my $oldprogname=$$progname;
|
|
$$progname=$oldprogname.": $modname instance";
|
|
if ($sock) { close $pfd; }
|
|
unless ($handler_hash{$_} == 1) {
|
|
my @nodes = sort {($a =~ /(\d+)/)[0] <=> ($b =~ /(\d+)/)[0] || $a cmp $b } (keys %{$handler_hash{$_}});
|
|
$req->{node}=\@nodes;
|
|
}
|
|
no strict "refs";
|
|
eval { #REMOVEEVALFORDEBUG
|
|
if ($dispatch_requests) {
|
|
dispatch_request($req,$callback,$modname);
|
|
} else {
|
|
$SIG{CHLD}='DEFAULT';
|
|
${"xCAT_plugin::".$modname."::"}{process_request}->($req,$callback,\&do_request);
|
|
}
|
|
$$progname=$oldprogname;
|
|
if ($sock) {
|
|
close($parent_fd);
|
|
xexit(0);
|
|
}
|
|
$@=""; #sometimes a child 'eval' doesn't clean up $@, if we make it this far, no non-eval bug bombed out
|
|
}; #REMOVEEVALFORDEBUG
|
|
if ($sock or $shouldbealivepid != $$) { #We shouldn't still be alive, try to send as much detail to parent as possible as to why
|
|
my $error= "$modname plugin bug, pid $$, process description: '$$progname'";
|
|
if ($@) {
|
|
$error .= " with error '$@'";
|
|
} else { #Sys::Virt and perhaps Net::SNMP sometimes crashes in a way $@ won't catch..
|
|
$error .= " with missing eval error, probably due to special manipulation of $@ or strange circumstances in an XS library, remove evals in xcatd marked 'REMOVEEVALFORDEBUG and run xcatd -f for more info";
|
|
}
|
|
if (scalar (@nodes)) { #Don't know which of the nodes, so one error message warning about the possibliity..
|
|
$error .= " while trying to fulfill request for the following nodes: ".join(",",@nodes);
|
|
}
|
|
xCAT::MsgUtils->message("S","xcatd: $error");
|
|
$callback->({error=>[$error],errorcode=>[1]});
|
|
xexit(0); #Die like we should have done
|
|
} elsif ($@) { #We are still alive, should be alive, but yet we have an error. This means we are in the case of 'do_request' or something similar. Forward up the death since our communication channel is intact..
|
|
xCAT::MsgUtils->message("S", "$@");
|
|
die $@;
|
|
}
|
|
} else {
|
|
$plugin_children{$child}=1;
|
|
close $parfd;
|
|
$check_fds->add($pfd);
|
|
}
|
|
} else {
|
|
my $pm_name = $plugins_dir."/".$modname.".pm";
|
|
if (ref $handler_hash{$_}) {
|
|
foreach my $node (keys %{$handler_hash{$_}}) {
|
|
if ($sock) {
|
|
print $sock XMLout({node=>[{name=>[$node],data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]}]},NoAttr=>1,RootName=>'xcatresponse');
|
|
} else {
|
|
$callback->({node=>[{name=>[$node],data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]}]});
|
|
}
|
|
}
|
|
} else {
|
|
if ($sock) {
|
|
print $sock XMLout({data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]},NoAttr=>1,RootName=>'xcatresponse');
|
|
} else {
|
|
$callback->({data=>["Cannot find the perl module to complete the operation: $pm_name"],errorcode=>[1]});
|
|
}
|
|
}
|
|
}
|
|
}
|
|
unless ($sock) {
|
|
# restore the old signal
|
|
$SIG{CHLD} = $old_sig_chld;
|
|
return $Main::resps
|
|
}
|
|
|
|
while (($plugin_numchildren > 0) and ($check_fds->count > 0)) { #this tracks end of useful data from children much more closely
|
|
relay_fds($check_fds,$sock);
|
|
}
|
|
#while (relay_fds($check_fds,$sock)) {}
|
|
|
|
# restore the old signal
|
|
$SIG{CHLD} = $old_sig_chld;
|
|
|
|
my %done;
|
|
$done{serverdone} = {};
|
|
if ($req->{transid}) {
|
|
$done{transid}=$req->{transid}->[0];
|
|
}
|
|
if ($sock) {
|
|
my $clientpresence = new IO::Select; #The client may have gone away without confirmation, don't PIPE over this trivial thing
|
|
$clientpresence->add($sock);
|
|
if ($clientpresence->can_write(5)) {
|
|
print $sock XMLout(\%done,RootName => 'xcatresponse',NoAttr=>1);
|
|
}
|
|
}
|
|
}
|
|
|
|
my $dispatch_parentfd;
|
|
sub dispatch_callback {
|
|
my $rspo = shift;
|
|
unless ($rspo) {
|
|
return;
|
|
}
|
|
my $rsp = {%$rspo}; # deep copy
|
|
delete $rsp->{serverdone};
|
|
unless (%$rsp) { return; }
|
|
print $dispatch_parentfd freeze($rsp);
|
|
print $dispatch_parentfd "\nENDOFFREEZE6sK6xa\n";
|
|
yield; #This has to happen before next line could possibly work anyway
|
|
my $parselect = new IO::Select;
|
|
$parselect->add($dispatch_parentfd);
|
|
my $selbits = $parselect->bits;
|
|
while (defined($selbits) && ($rsp = select($selbits,undef,undef,5))) { #block for up to 5 seconds before continuing
|
|
if ($quit) { # termination requested by a clean shutdown facility
|
|
xexit 0;
|
|
}
|
|
if ($rsp == 0) { #The select call failed to find any ready items
|
|
last;
|
|
}
|
|
if ($rsp < 0) { #A child exited or other signal event that made select skip out before suggesting succes
|
|
next;
|
|
}
|
|
if ($rsp = <$dispatch_parentfd>) {
|
|
if ($rsp =~ /die/ or $quit) {
|
|
xexit 0;
|
|
}
|
|
last;
|
|
} else {
|
|
$parselect->remove($dispatch_parentfd); #Block until parent acks data
|
|
last;
|
|
}
|
|
$selbits = $parselect->bits;
|
|
yield;
|
|
}
|
|
}
|
|
|
|
sub relay_dispatch {
|
|
my $fds = shift;
|
|
my $dispatch_cb = shift;
|
|
my @ready_ins = $fds->can_read(1);
|
|
foreach my $rin (@ready_ins) {
|
|
my $data;
|
|
if ($data = <$rin>) {
|
|
while ($data !~ /ENDOFFREEZE6sK6xa/) {
|
|
$data .= <$rin>;
|
|
}
|
|
my $response = thaw($data);
|
|
print $rin "dfin\n";
|
|
$dispatch_cb->($response);
|
|
} else {
|
|
$fds->remove($rin);
|
|
close($rin);
|
|
}
|
|
}
|
|
yield; #At this point, explicitly yield to other processes. If children will have more data, this process would otherwise uselessly loop on data that never will be. If children are all done, still no harm in waiting a short bit for a timeslice to come back
|
|
return scalar(@ready_ins);
|
|
}
|
|
|
|
sub dispatch_request {
|
|
%dispatched_children=();
|
|
my $req = shift;
|
|
my $dispatch_cb = shift;
|
|
|
|
my $modname = shift;
|
|
my $reqs = [];
|
|
my $child_fdset = new IO::Select;
|
|
no strict "refs";
|
|
|
|
# save the old signal
|
|
my $old_sig_chld = $SIG{CHLD};
|
|
|
|
#Hierarchy support. Originally, the default scope for noderange commands was
|
|
#going to be the servicenode associated unless overriden.
|
|
#However, assume for example that you have blades and a blade is the service node
|
|
#rpower being executed by the servicenode for one of its subnodes would have to
|
|
#reach it's own management module. This has the potential to be non-trivial for some quite possible network configurations.
|
|
#Since plugins may commonly experience this, a preprocess_request implementation
|
|
#will for now be required for a command to be scaled through service nodes
|
|
#If the plugin offers a preprocess method, use it to set the request array
|
|
if (defined(${"xCAT_plugin::".$modname."::"}{preprocess_request})) {
|
|
$SIG{CHLD}='DEFAULT';
|
|
$reqs = ${"xCAT_plugin::".$modname."::"}{preprocess_request}->($req,$dispatch_cb,\&do_request);
|
|
} else { #otherwise, pass it in without hierarchy support
|
|
$reqs = [$req];
|
|
}
|
|
|
|
$dispatch_children=0;
|
|
$SIG{CHLD} = \&dispatch_reaper; #sub {my $cpid; while (($cpid =waitpid(-1, WNOHANG)) > 0) { if ($dispatched_children{$cpid}) { delete $dispatched_children{$cpid}; $dispatch_children--; } } };
|
|
my $onlyone=0;
|
|
if (defined $reqs and (scalar(@{$reqs}) == 1)) {
|
|
$onlyone=1;
|
|
}
|
|
|
|
foreach (@{$reqs}) {
|
|
my $pfd;
|
|
my $parfd; #use a private variable so it won't trounce itself recursively
|
|
my $child;
|
|
delete $_->{noderange};
|
|
if (ref $_->{'_xcatdest'} and (ref $_->{'_xcatdest'}) eq 'ARRAY') {
|
|
_->{'_xcatdest'} = $_->{'_xcatdest'}->[0];
|
|
}
|
|
if ($onlyone and not ($_->{'_xcatdest'} and xCAT::Utils->thishostisnot($_->{'_xcatdest'}))) {
|
|
$SIG{CHLD}='DEFAULT';
|
|
${"xCAT_plugin::".$modname."::"}{process_request}->($_,$dispatch_cb,\&do_request);
|
|
return;
|
|
}
|
|
|
|
if (! socketpair($pfd, $parfd,AF_UNIX,SOCK_STREAM,PF_UNSPEC)) {
|
|
xCAT::MsgUtils->message("S", "ERROR: socketpair: $!");
|
|
die;
|
|
}
|
|
$parfd->autoflush(1);
|
|
$pfd->autoflush(1);
|
|
binmode($parfd,':utf8');
|
|
binmode($pfd,':utf8');
|
|
$child = xCAT::Utils->xfork;
|
|
if ($child) {
|
|
$dispatch_children++;
|
|
$dispatched_children{$child}=1;
|
|
$child_fdset->add($pfd);
|
|
next;
|
|
}
|
|
unless (defined $child) {
|
|
$dispatch_cb->({error=>['Fork failure dispatching request'],errorcode=>[1]});
|
|
}
|
|
$SIG{CHLD}='DEFAULT';
|
|
$dispatch_parentfd = $parfd;
|
|
my @prexcatdests=();
|
|
my @xcatdests=();
|
|
if (ref($_->{'_xcatdest'}) eq 'ARRAY') { #If array, consider it an 'anycast' operation, broadcast done through dupe
|
|
#requests, or an alternative join '&' maybe?
|
|
@prexcatdests=@{$_->{'_xcatdest'}};
|
|
} else {
|
|
@prexcatdests=($_->{'_xcatdest'});
|
|
}
|
|
foreach (@prexcatdests) {
|
|
if ($_ and /,/) {
|
|
push @xcatdests,split /,/,$_;
|
|
} else {
|
|
push @xcatdests,$_;
|
|
}
|
|
}
|
|
my $xcatdest;
|
|
my $numdests=scalar(@xcatdests);
|
|
my $request_satisfied=0;
|
|
foreach $xcatdest (@xcatdests) {
|
|
my $dlock;
|
|
if ($xcatdest and xCAT::Utils->thishostisnot($xcatdest)) {
|
|
#mkpath("/var/lock/xcat/"); #For now, limit intra-xCAT requests to one at a time, to mitigate DB handle usage
|
|
#open($dlock,">","/var/lock/xcat/dispatchto_$xcatdest");
|
|
#flock($dlock,LOCK_EX);
|
|
$ENV{XCATHOST} = ($xcatdest =~ /:/ ? $xcatdest : $xcatdest.":3001" );
|
|
$$progname.=": connection to ".$ENV{XCATHOST};
|
|
my $errstr;
|
|
eval {
|
|
undef $_->{'_xcatdest'};
|
|
xCAT::Client::submit_request($_,\&dispatch_callback,$xcatdir."/cert/server-cred.pem",$xcatdir."/cert/server-cred.pem",$xcatdir."/cert/ca.pem");
|
|
};
|
|
if ($@) {
|
|
$errstr=$@;
|
|
}
|
|
#unlink("/var/lock/xcat/dispatchto_$xcatdest");
|
|
#flock($dlock,LOCK_UN);
|
|
if ($errstr) {
|
|
if ($numdests == 1) {
|
|
dispatch_callback({error=>["Unable to dispatch command to ".$ENV{XCATHOST}.", command will not make changes to that server ($errstr)"],errorcode=>[1]});
|
|
xCAT::MsgUtils->message("S","Error dispatching request to ".$ENV{XCATHOST}.": ".$errstr);
|
|
} else {
|
|
xCAT::MsgUtils->message("S","Error dispatching request to ".$ENV{XCATHOST}.", trying other service nodes: ".$errstr);
|
|
}
|
|
next;
|
|
} else {
|
|
$request_satisfied=1;
|
|
last;
|
|
}
|
|
} else {
|
|
$$progname.=": locally executing";
|
|
$SIG{CHLD}='DEFAULT';
|
|
${"xCAT_plugin::".$modname."::"}{process_request}->($_,\&dispatch_callback,\&do_request);
|
|
last;
|
|
}
|
|
}
|
|
if (!(xCAT::Utils->isServiceNode())) { # not on a service node
|
|
if ($numdests > 1 and not $request_satisfied) {
|
|
xCAT::MsgUtils->message("S","Error dispatching a request to all possible service nodes for request");
|
|
dispatch_callback({error=>["Failed to dispatch command to any of the following service nodes: ".join(",",@xcatdests)],errorcode=>[1]});
|
|
}
|
|
}
|
|
|
|
xexit;
|
|
}
|
|
while (($dispatch_children > 0) and ($child_fdset->count > 0)) { relay_dispatch($child_fdset,$dispatch_cb) }
|
|
while (relay_dispatch($child_fdset,$dispatch_cb)) { } #Potentially useless drain.
|
|
|
|
# restore the old signal
|
|
$SIG{CHLD} = $old_sig_chld;
|
|
}
|
|
|
|
|
|
sub do_request {
|
|
my $req = shift;
|
|
my $second = shift;
|
|
my $rsphandler = \&build_response;
|
|
my $sock = undef;
|
|
if ($second) {
|
|
if (ref($second) eq "CODE") {
|
|
$rsphandler = $second;
|
|
} elsif (ref($second) eq "GLOB") {
|
|
$sock = $second;
|
|
}
|
|
}
|
|
|
|
#my $sock = shift; #If no sock, will return a response hash
|
|
if ($cmd_handlers{$req->{command}->[0]}) {
|
|
return plugin_command($req,$sock,$rsphandler);
|
|
} elsif ($req->{command}->[0] eq "noderange" and $req->{noderange}) {
|
|
my @nodes = noderange($req->{noderange}->[0]);
|
|
my %resp;
|
|
if (nodesmissed) {
|
|
$resp{warning}="Invalid nodes in noderange:".join ',',nodesmissed;
|
|
}
|
|
$resp{serverdone} = {};
|
|
@{$resp{node}}=@nodes;
|
|
if ($req->{transid}) {
|
|
$resp{transid}=$req->{transid}->[0];
|
|
}
|
|
if ($sock) {
|
|
print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
} else {
|
|
return (\%resp);
|
|
}
|
|
} else {
|
|
my %resp=(error=>"Unsupported request");
|
|
$resp{serverdone} = {};
|
|
if ($req->{transid}) {
|
|
$resp{transid}=$req->{transid}->[0];
|
|
}
|
|
if ($sock) {
|
|
print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
} else {
|
|
return (\%resp);
|
|
}
|
|
}
|
|
}
|
|
|
|
sub convey_response {
|
|
my $resp=shift;
|
|
#TODO: This is where the following will/may happen:
|
|
#-Track transaction id
|
|
#-Save output for deferred commands
|
|
unless ($parent_fd) {
|
|
build_response($resp);
|
|
return;
|
|
}
|
|
$resp = XMLout($resp,KeyAttr=>[], NoAttr=>1,RootName=>'xcatresponse');
|
|
#sanitize the response, to avoid being killed by non-printable bytes
|
|
$resp =~ tr/\011-\177/?/c;
|
|
#seeing if using utf-8 offloads potential issues to client terminal, it didn't
|
|
print $parent_fd $resp;
|
|
yield; #parent must get timeslice anyway before an ack could possibly return
|
|
my $parsel = new IO::Select;
|
|
$parsel->add($parent_fd);
|
|
my $selbits = $parsel->bits;
|
|
my $rsp;
|
|
while ($selbits && ($rsp = select($selbits, undef, undef, 5))) { #block up to five seconds
|
|
if ($quit) { # Obey quit flag
|
|
xexit 0;
|
|
}
|
|
if ($rsp == 0) { #This means the filedescriptor was removed
|
|
last;
|
|
}
|
|
if ($rsp < 0) { # A signal caused select to skip out, do-over
|
|
next;
|
|
}
|
|
#At this point, the only possibility is a positive return, meaning parent_fd requires attention of some sort
|
|
$rsp = <$parent_fd>;
|
|
if ($rsp) { #If data actually came in, last, otherwise, remove it from the IO::Select, but both should amount to the same thing
|
|
last;
|
|
} else {
|
|
$parsel->remove($parent_fd);
|
|
last;
|
|
}
|
|
}
|
|
yield; #If still around, it means a peer process still hasn't gotten to us, so might as well yield
|
|
$selbits = $parsel->bits;
|
|
}
|
|
|
|
sub build_response {
|
|
# Handle responses from do_request calls made directly from a plugin
|
|
# Merge this response into the full response hash. We'll collect all
|
|
# the responses and ship it back on the return to the plugin.
|
|
# Note: Need to create a new "deep clone" copy of each response structure
|
|
# otherwise the next call will overwrite the reference we pushed on
|
|
# the response array
|
|
my $resp = shift;
|
|
foreach (keys %$resp) {
|
|
my $subresp = dclone($resp->{$_});
|
|
push (@{$Main::resps->{$_}}, @{$subresp});
|
|
}
|
|
}
|
|
|
|
sub becomeuser {
|
|
#if username and password match, return the new username
|
|
#otherwise, return undef
|
|
#TODO PAM?
|
|
my $passtab = xCAT::Table->new('passwd');
|
|
my $id=shift;
|
|
my $pass=shift;
|
|
unless (defined $id and defined $pass) {
|
|
return undef;
|
|
}
|
|
my $passent=$passtab->getAttribs({key=>'xcat',username=>$id},['password']);
|
|
unless ($passent) {
|
|
return undef;
|
|
}
|
|
$passent=$passent->{password};
|
|
my $encryptedpass = crypt($pass,$passent);
|
|
if ($encryptedpass eq $passent) {
|
|
return $id;
|
|
}elsif ($pass eq $passent) {
|
|
return $id;
|
|
}
|
|
# if ($passent =~ /^\$(2a|1)\$.*\$/) { #MD5 or Blowfish hash, calculate before comparison
|
|
# $pass = crypt($pass,$passent);
|
|
# } #Not bothering with old DES method, for now assume plaintext if not set
|
|
# if ($pass eq $passent) {
|
|
# return $id;
|
|
# }
|
|
#If here, unable to validate given credential
|
|
return undef;
|
|
}
|
|
|
|
sub service_connection {
|
|
my $sock = shift;
|
|
my $peername = shift;
|
|
my $peerhost = shift;
|
|
my $peerfqdn = shift;
|
|
my $peerport = $sock->peerport;
|
|
my %tables=();
|
|
#some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs:
|
|
# -Well, minimally, ignore requests if requesting node is not in spconfig mode (stage3)
|
|
# -Option to generate a random password per 'getipmi' request. This reduces the exposure to a D.O.S. hopefully
|
|
#Give only 15 seconds of silence allowed or terminate connection. Using alarm since we are in thread-unsafe world anyway
|
|
my $timedout = 0;
|
|
|
|
$SIG{ALRM} = sub { $timedout = 1; die; };
|
|
my $evalpid = $$;
|
|
eval { #REMOVEEVALFORDEBUG
|
|
my $request;
|
|
my $req=undef;
|
|
alarm(15);
|
|
while (<$sock>) {
|
|
alarm(0);
|
|
$request .= $_;
|
|
#$req = eval { XMLin($request, ForceArray => [ 'attribute' , 'attributepair' ]) };
|
|
if (m/<\/xcatrequest>/) {
|
|
$req = eval { XMLin($request, SuppressEmpty=>undef,ForceArray=>1) };
|
|
#first change peername on 'becomeuser' tag if present and valid
|
|
if (defined $req->{becomeuser}) {
|
|
$peername=becomeuser($req->{becomeuser}->[0]->{username}->[0],
|
|
$req->{becomeuser}->[0]->{password}->[0]);
|
|
unless (defined $peername) {
|
|
my $resp={error=>["Authentication failure"],errorcode=>[1]};
|
|
$resp->{serverdone}={};
|
|
print $sock XMLout($resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
return;
|
|
}
|
|
delete($req->{becomeuser}); #Remove it to keep it from view
|
|
}
|
|
|
|
#we have a full request..
|
|
#printf $request."\n";
|
|
$request="";
|
|
if (validate($peername,$peerhost,$req)) {
|
|
$req->{'_xcat_authname'} = [$peername];
|
|
$req->{'_xcat_clienthost'} = [$peerhost];
|
|
$req->{'_xcat_clientfqdn'} = [$peerfqdn];
|
|
$req->{'_xcat_clientport'}= [$peerport];
|
|
$$progname="xCATd SSL: ".$req->{command}->[0];
|
|
if ($req->{noderange} && defined($req->{noderange}->[0])) {
|
|
$$progname .= " to ".$req->{noderange}->[0];
|
|
}
|
|
|
|
if($peerhost){
|
|
$$progname .= " for ".($peername ? $peername ."@".$peerhost : $peerhost);
|
|
}
|
|
if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action
|
|
my $resp;
|
|
if ($peername or $peername eq "0") {
|
|
$resp->{username}=[$peername];
|
|
$resp->{data}=["Authenticated"];
|
|
} else {
|
|
$resp->{data}=["Unauthenticated"];
|
|
}
|
|
$resp->{serverdone}={};
|
|
print $sock XMLout($resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
} elsif ($cmd_handlers{$req->{command}->[0]}) {
|
|
return plugin_command($req,$sock,\&convey_response);
|
|
} elsif ($req->{command}->[0] eq "noderange" and $req->{noderange}) {
|
|
my @nodes = noderange($req->{noderange}->[0]);
|
|
my %resp;
|
|
if (nodesmissed) {
|
|
$resp{warning}="Invalid nodes in noderange:".join ',',nodesmissed;
|
|
}
|
|
$resp{serverdone} = {};
|
|
@{$resp{node}}=@nodes;
|
|
if ($req->{transid}) {
|
|
$resp{transid}=$req->{transid}->[0];
|
|
}
|
|
print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
next;
|
|
} elsif ($req->{command}->[0] eq "extnoderange" and $req->{noderange}) { #This is intended for the UIs to build trees
|
|
#as this would be part of a highly dynamic construct, it has a shortcut here to minimize server load
|
|
my $subgroups=0;
|
|
if ($req->{arg} and grep /subgroups/,@{$req->{arg}}) {
|
|
$subgroups=1;
|
|
}
|
|
my %resp=%{extnoderange($req->{noderange}->[0],{intersectinggroups=>$subgroups})};
|
|
$resp{serverdone}={};
|
|
print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
next;
|
|
} else {
|
|
my %resp=(error=>"Unsupported request");
|
|
$resp{serverdone} = {};
|
|
if ($req->{transid}) {
|
|
$resp{transid}=$req->{transid}->[0];
|
|
}
|
|
print $sock XMLout(\%resp,RootName => 'xcatresponse',NoAttr=>1);
|
|
next;
|
|
}
|
|
} else {
|
|
my %resp=(error=>"Permission denied for request");
|
|
$resp{serverdone} = {};
|
|
if ($req->{transid}) {
|
|
$resp{transid}=$req->{transid}->[0];
|
|
}
|
|
my $response=XMLout(\%resp,RootName =>'xcatresponse',NoAttr => 1);
|
|
print $sock $response;
|
|
next;
|
|
}
|
|
}
|
|
alarm(15);
|
|
}
|
|
}; #REMOVEEVALFORDEBUG
|
|
if ($@) { # The eval statement caught a program bug..
|
|
if ($@ =~ /^SIGPIPE/) {
|
|
xCAT::MsgUtils->message("S","xcatd: Unexpected client disconnect");
|
|
if ($sock) {
|
|
eval {
|
|
print $sock XMLout({error=>"Generic PIPE error occurred. $@"},RootName=>'xcatresponse',NoAttr=>1);
|
|
};
|
|
}
|
|
} elsif ($@ =~ /Client abort requested/) {
|
|
} else {
|
|
my $errstr="A fatal error was encountered, the following information may help identify a bug: $@";
|
|
chomp($errstr);
|
|
xCAT::MsgUtils->message("S","xcatd: possible BUG encountered by xCAT TCP service: ".$@);
|
|
if ($sock) {
|
|
eval {
|
|
print $sock XMLout({error=>$errstr},RootName=>'xcatresponse',NoAttr=>1);
|
|
};
|
|
}
|
|
}
|
|
} elsif ($evalpid ne $$) {
|
|
xCAT::MsgUtils->message("S","A child jumped to where it should never ever be, this shouldn't be possible, please report this bug");
|
|
#The folowing corrupts the SSL state preventing any further output by the parent.
|
|
#A bug triggering this absolutely
|
|
#needs to fixed. With the current code layout it is either trash valid data that could have been or
|
|
#risk user missing data
|
|
#without knowing it. It's likely possible to rearchitect to change that, but as it stands it really
|
|
#should be no longer possible to hit this condition.
|
|
print $sock,XMLout({error=>"A child jumped to where it should never ever be, this shouldn't be possible, please report this bug"});
|
|
}
|
|
$SIG{ALRM}= sub { xCAT::MsgUtils->message("S","$$ failed shutting down"); die;};
|
|
alarm(10);
|
|
foreach (keys %tables) {
|
|
$tables{$_}->commit;
|
|
}
|
|
$sock->close(SSL_fast_shutdown=>1);
|
|
if ($timedout == 1) {
|
|
printf ("Client timeout");
|
|
}
|
|
}
|
|
|
|
sub relay_fds { #Relays file descriptors from pipes to children to the SSL socket
|
|
my $fds = shift;
|
|
my $sock = shift;
|
|
my $goneclient=0;
|
|
unless ($sock) { return 0; }
|
|
my $collate = ( scalar @_ > 0 ? shift : 0);
|
|
my @readyset = $fds->can_read(1);
|
|
my $rfh;
|
|
my $rc = @readyset;
|
|
my $text;
|
|
foreach $rfh (@readyset) { #go through each child, extract a complete, atomic message
|
|
my $line;
|
|
while ($line = <$rfh>) { #Will break on complete </xcatresponse> messages, avoid interleave
|
|
eval {
|
|
print $sock $line;
|
|
};
|
|
if ($@ and $@ =~ /PIPE/) {
|
|
$goneclient=1;
|
|
print "Piped while writing to client\n";
|
|
last;
|
|
}
|
|
if ($line =~ /<\/xcatresponse>/) {
|
|
last;
|
|
}
|
|
}
|
|
if ($line) {
|
|
print $rfh "nfin\n"; #Notify convey_response message done
|
|
} else {
|
|
$fds->remove($rfh);
|
|
close($rfh);
|
|
}
|
|
}
|
|
foreach my $rin ($clientselect->can_read(0)) {
|
|
my $subselect = new IO::Select;
|
|
$subselect->add($rin);
|
|
my $clientintr="";
|
|
my $subdata;
|
|
while ($subselect->can_read(1)) {
|
|
if ($subdata=<$rin>) {
|
|
$clientintr.=$subdata;
|
|
} else {
|
|
$subselect->remove($rin);
|
|
close($rin);
|
|
}
|
|
}
|
|
unless ($clientintr) {
|
|
next;
|
|
}
|
|
$clientintr=XMLin($clientintr, SuppressEmpty=>undef,ForceArray=>1 );
|
|
if ($clientintr->{abortcommand}->[0]) {
|
|
print "Aborting...";
|
|
foreach (keys %plugin_children) {
|
|
print "Sending INT to $_\n";
|
|
kill 2, $_;
|
|
}
|
|
foreach my $cin ($fds->handles) {
|
|
print $cin "die\n";
|
|
$fds->remove($cin);
|
|
close($cin);
|
|
}
|
|
xCAT::MsgUtils->message("S", "Client abort requested");
|
|
die;
|
|
}
|
|
}
|
|
yield; #Give other processes, including children, explicit control, to avoid uselessly aggressive looping
|
|
if ($goneclient) {
|
|
xCAT::MsgUtils->message("S", "SIGPIPE $$progname encountered a broken pipe (Sudden client disconnect)");
|
|
die;
|
|
}
|
|
return $rc;
|
|
}
|
|
|
|
sub validate {
|
|
#Here is where we check if $peername is allowed to do $request in policy tbl.
|
|
# $peername, if set signifies client has a cert that the xCAT CA accepted.
|
|
# Logs to syslog and auditlog table all user commands, see site.auditskipcmds
|
|
# attribute.
|
|
# returns 1 if policy engine allows the action, 0 if denied.
|
|
|
|
|
|
# now check the policy table if user can run the command
|
|
my $peername=shift;
|
|
my $peerhost=shift;
|
|
my $request=shift;
|
|
my $policytable = xCAT::Table->new('policy');
|
|
unless ($policytable) {
|
|
xCAT::MsgUtils->message("S","Unable to open policy data, denying");
|
|
return 0;
|
|
}
|
|
|
|
my $policies = $policytable->getAllEntries;
|
|
$policytable->close;
|
|
my $rule;
|
|
my $peerstatus="untrusted";
|
|
# check to see if peerhost is trusted
|
|
foreach $rule (@$policies) {
|
|
|
|
if (($rule->{name} and ($rule->{name} eq $peerhost)) && ($rule->{rule}=~ /trusted/i)) {
|
|
$peerstatus="Trusted";
|
|
last;
|
|
}
|
|
}
|
|
RULE: foreach $rule (@$policies) {
|
|
if ($rule->{name} and $rule->{name} ne '*') {
|
|
#TODO: more complex matching (lists, wildcards)
|
|
next unless ($peername and $peername eq $rule->{name});
|
|
}
|
|
if ($rule->{time} and $rule->{time} ne '*') {
|
|
#TODO: time ranges
|
|
}
|
|
if ($rule->{host} and $rule->{host} ne '*') {
|
|
#TODO: more complex matching (lists, noderanges?, wildcards)
|
|
next unless ($peerhost eq $rule->{host});
|
|
}
|
|
if ($rule->{commands} and $rule->{commands} ne '*') {
|
|
#TODO: syntax for multiple commands
|
|
next unless ($request->{command}->[0] eq $rule->{commands});
|
|
}
|
|
if ($rule->{parameters} and $rule->{parameters} ne '*') {
|
|
my $parms;
|
|
if ($request->{arg}) {
|
|
$parms = join(' ',@{$request->{arg}});
|
|
} else {
|
|
$parms = "";
|
|
}
|
|
my $patt = $rule->{parameters};
|
|
unless ($parms =~ /$patt/) {
|
|
next;
|
|
}
|
|
}
|
|
if ($rule->{noderange} and $rule->{noderange} ne '*') {
|
|
my $matchall=0;
|
|
if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) {
|
|
$matchall=1;
|
|
}
|
|
if (defined $request->{noderange}->[0]) {
|
|
my @tmpn=noderange($request->{noderange}->[0]);
|
|
$request->{node}=\@tmpn;
|
|
}
|
|
unless (defined $request->{node}) {
|
|
next RULE;
|
|
}
|
|
my @reqnodes = @{$request->{node}};
|
|
my %matchnodes;
|
|
foreach (noderange($rule->{noderange})) {
|
|
$matchnodes{$_}=1;
|
|
}
|
|
REQN: foreach (@reqnodes) {
|
|
if (defined ($matchnodes{$_})) {
|
|
if ($matchall) {
|
|
next REQN;
|
|
} else {
|
|
last REQN;
|
|
}
|
|
} elsif ($matchall) {
|
|
next RULE;
|
|
}
|
|
}
|
|
}
|
|
# If we are still in, that means this rule is the first match and dictates behavior.
|
|
# We are not going to log getdestiny,getbladecons,getipmicons commands, way
|
|
# too many of them
|
|
#print Dumper($request);
|
|
if ($rule->{rule}) {
|
|
my $logst;
|
|
my $rc;
|
|
my $status;
|
|
if ($rule->{rule} =~ /allow/i or $rule->{rule} =~ /accept/i or $rule->{rule} =~ /trusted/i) {
|
|
$logst = "xCAT: Allowing ".$request->{command}->[0];
|
|
$status = "Allowed";
|
|
$rc=1;
|
|
} else {
|
|
$logst = "xCAT: Denying ".$request->{command}->[0];
|
|
$status = "Denied";
|
|
$rc=0;
|
|
}
|
|
if (($request->{command}->[0] ne "getdestiny") && ($request->{command}->[0] ne "getbladecons") && ($request->{command}->[0] ne "getipmicons")) {
|
|
# set username authenticated to run command
|
|
# if from Trusted host, use input username, else set from creds
|
|
if (($request->{username}) && defined($request->{username}->[0])) {
|
|
if ($peerstatus ne "Trusted" ) { # then set to peername
|
|
$request->{username}->[0] = $peername;
|
|
}
|
|
} else {
|
|
$request->{username}->[0] = $peername;
|
|
}
|
|
if ($request->{noderange} && defined($request->{noderange}->[0]))
|
|
{
|
|
$logst .= " to ".$request->{noderange}->[0];
|
|
} else { # no noderange maybe a nodes
|
|
|
|
if ($request->{node} && defined($request->{node}->[0])) {
|
|
my @reqnodes = @{$request->{node}};
|
|
if (@reqnodes) {
|
|
$logst .= " to ";
|
|
foreach my $node (@reqnodes) {
|
|
$logst .= "$node,";
|
|
}
|
|
chop $logst;
|
|
}
|
|
}
|
|
}
|
|
# add each argument
|
|
my $args = $request->{arg};
|
|
my $arglist;
|
|
foreach my $argument (@$args){
|
|
|
|
$arglist .= " " . $argument;
|
|
}
|
|
if ($arglist) { $logst .= $arglist; }
|
|
if($peername) { $logst .= " for " . $request->{username}->[0]};
|
|
if ($peerhost) { $logst .= " from " . $peerhost };
|
|
|
|
# read site.auditskipcmds attribute,
|
|
# if set skip commands else audit all cmds.
|
|
my @skipcmds=xCAT::Utils->get_site_attribute('auditskipcmds');
|
|
# if not "ALL" and not a command from site.auditskipcmds
|
|
# and not getcredentials and not getcredentials ,
|
|
# put in syslog and auditlog
|
|
my $skip = 0;
|
|
my $all = "all";
|
|
if (defined($skipcmds[0])) { # if there are values
|
|
if (grep(/$all/i, @skipcmds)) { # skip all
|
|
$skip = 1;
|
|
} else {
|
|
if (grep(/$request->{command}->[0]/, @skipcmds)) { # skip the command
|
|
$skip = 1;
|
|
}
|
|
}
|
|
}
|
|
if (($request->{command}->[0] ne "getpostscript") && ($request->{command}->[0] ne "getcredentials") && ($skip == 0)) {
|
|
|
|
# put in audit Table and syslog
|
|
my $rsp = {};
|
|
$rsp->{syslogdata}->[0] = $logst;
|
|
if ($peername) {
|
|
$rsp->{userid} ->[0] = $request->{username}->[0];
|
|
}
|
|
if ($peerhost) {
|
|
$rsp->{clientname} -> [0] = $peerhost;
|
|
}
|
|
if (defined $request->{clienttype}) {
|
|
$rsp->{clienttype} -> [0] = $request->{clienttype} -> [0];
|
|
} else {
|
|
if (defined $request->{becomeuser}) {
|
|
$rsp->{clienttype} -> [0] = "webui";
|
|
} else {
|
|
$rsp->{clienttype} -> [0] = "other";
|
|
}
|
|
}
|
|
$rsp->{command} -> [0] = $request->{command}->[0];
|
|
if ($request->{noderange} && defined($request->{noderange}->[0])) {
|
|
$rsp->{noderange} -> [0] = $request->{noderange}->[0];
|
|
}
|
|
$rsp->{args} -> [0] =$arglist;
|
|
$rsp->{status} -> [0] = $status;
|
|
xCAT::MsgUtils->message("SA",$rsp);
|
|
} else { # getpostscript or getcredentials, just syslog
|
|
xCAT::MsgUtils->message("S",$logst);
|
|
}
|
|
} # end getbladecons,etc check
|
|
return $rc;
|
|
} else { #Shouldn't be possible....
|
|
xCAT::MsgUtils->message("S","Impossible line in xcatd reached");
|
|
return 0;
|
|
}
|
|
} # end RULE
|
|
#Reached end of policy table, reject by default.
|
|
xCAT::MsgUtils->message("S","Request matched no policy rule: ".$request->{command}->[0]);
|
|
return 0;
|
|
}
|
|
|