confluent/confluent_server/bin/confluent_selfcheck

#!/usr/bin/python3

import os
import socket
import glob
import ssl
import sys
import confluent.sshutil as sshutil
import confluent.certutil as certutil
import confluent.config.configmanager as configmanager
import subprocess
import tempfile
import shutil

def fprint(txt):
    sys.stdout.write(txt)
    sys.stdout.flush()


def tftp_works():
    try:
        subprocess.check_call(['curl', '--connect-timeout', '2', '-sf', 'tftp://localhost/confluent/x86_64/ipxe.efi', '-o', '/dev/null'])
        return True
    except Exception:
        return False

def emprint(txt):
    if sys.stdout.isatty():
        print('\x1b[1m\x1b[4m' + txt + '\x1b[0m')
    else:
        print(txt)

def deployment_configured():
    return os.path.exists('/var/lib/confluent/public/site/confluent_uuid')

def webserver_listening():
    try:
        conn = socket.create_connection(('localhost', 443))
        return conn
    except Exception:
        return False


def certificates_missing_ips(conn):
    # check if the tls can verify by the right CAs, then further
    # check if all ip addresses are in the certificate offered
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    for cacert in glob.glob('/var/lib/confluent/public/site/tls/*.pem'):
        ctx.load_verify_locations(cacert)
    sock = ctx.wrap_socket(conn)
    crt = sock.getpeercert()
    sans = crt.get('subjectAltName', [])
    ips = certutil.get_ip_addresses()
    missing_ips = []
    for ip in ips:
        for san in sans:
            field, val = san
            if val[-1] == '\n':
                val = val[:-1]
            if ':' in val:
                # must normalize ipv6 to a sane value
                val = socket.getaddrinfo(val, 443, type=socket.SOCK_STREAM)[0][-1][0]
            if ip == val:
                break
        else:
            missing_ips.append(ip)
    return missing_ips


def web_download_works():
    try:
        subprocess.check_call(['curl', '-skf', 'https://localhost/confluent-public/site/confluent_uuid', '-o', '/dev/null'])
    except Exception:
        return False
    return True
            

def nics_missing_ipv6():
    # check for ability to create AF_INET6, for kernel disabled ipv6
    a = socket.socket(socket.AF_INET6)
    ipaddrs = subprocess.check_output(['ip', '-br', 'a']).split(b'\n')
    missingnics = []
    for line in ipaddrs:
        comps = line.split()
        if not comps:
            continue
        iname, state = comps[:2]
        if iname == b'lo':
            continue
        addrs = comps[2:]
        hasv6 = False
        hasv4 = False
        for addr in addrs:
            if b'.' in addr:
                hasv4 = True
            if addr.startswith(b'fe80::'):
                hasv6 = True
        if hasv4 and not hasv6:
            missingnics.append(iname.decode('utf8'))
    return missingnics

def insecure_boot_attempts():
    insecurenodes = set([])
    with open('/var/log/confluent/events') as eventin:
        line = True
        while line:
            line = eventin.readline()
            if 'insecure mode is disabled' in line:
                line = line.split()
                insecurenodes.add(line[7])
    for node in insecurenodes:
        currattr = subprocess.check_output(['nodeattrib', node, 'deployment.useinsecureprotocols'])
        currattr = currattr.split()
        if len(currattr) > 2 and currattr[2] == b'firmware':
            continue
        else:
            return True
    return False


def uuid_matches():
    with open('/var/lib/confluent/public/site/confluent_uuid', 'r') as uuidf:
        fsuuid = uuidf.read().strip()
    dbuuid = configmanager.get_global('confluent_uuid')
    return dbuuid == fsuuid

if __name__ == '__main__':
    sys.stdout.write('OS Deployment: ')
    sys.stdout.flush()
    if deployment_configured():
        print("Initialized")
        sys.stdout.write('Confluent UUID: ')
        sys.stdout.flush()
        if uuid_matches():
            print('Consistent')
        else:
            emprint('Inconsistent between confluent database and /var/lib/confluent (Example resolution: confetty set /uuid resync=1)')
        fprint('Web Server: ')
        conn = webserver_listening()
        if conn:
            print('Running')
            fprint('Web Certificate: ')
            cert = certificates_missing_ips(conn)
            if cert:
                cert = ', '.join(cert)
                emprint('Addresses missing from certificate: {0} (Example resolution: osdeploy initialize -t)'.format(cert))
            else:
                print('OK')
                fprint('Checking web download: ')
                if web_download_works():
                    print('OK')
                else:
                    emprint('Failed to download /confluent-public/site/confluent_uuid')
        else:
            emprint('Not Running (Example resolution: systemctl enable httpd --now)')
        fprint('TFTP Status: ')
        if tftp_works():
            print('OK')
        else:
            emprint('TFTP failure, PXE will not work, though media and HTTP boot can still work. (Example resolution: osdeploy initialize -p)')
        fprint('SSH root user public key: ')
        if glob.glob('/var/lib/confluent/public/site/ssh/*.rootpubkey'):
            print('OK')
        else:
            emprint('No trusted ssh keys for root user, passwordless SSH from managers to nodes may not work (Example resolution: osdeploy initialize -u)')
        if sshutil.sshver() > 7.6:
            fprint('Checking SSH Certificate authority: ')
            try:
                sshutil.prep_ssh_key('/etc/confluent/ssh/ca')
                print('OK')
            except Exception:
                emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')            
            fprint('Checking confluent SSH automation key: ')
            try:
                sshutil.prep_ssh_key('/etc/confluent/ssh/automation')
                print('OK')
            except subprocess.CalledProcessError:
                emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')
        fprint('Checking for blocked insecure boot: ')
        if insecure_boot_attempts():
            emprint('Some nodes are attempting network boot using PXE or HTTP boot, but the node is not configured to allow this (Example resolution: nodegroupattrib everything deployment.useinsecureprotocols=firmware)')
        else:
            print('OK')
        fprint('Checking IPv6 enablement: ')
        nics = nics_missing_ipv6()
        if nics:
            snics = ','.join(nics)
            emprint('Some interfaces ({0}) have ipv6 disabled, and may be unable to fully perform discovery or deployment (Example resolution: nmcli c m {1} ipv6.method link-local )'.format(snics, nics[0]))
        else:
            print('OK')
    else:
        print("Uninitialized, further OS deployment checks skipped, see `osdeploy initialize` to set up OS deployment feature")
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`#!/usr/bin/python3`

			`import os`
			`import socket`
			`import glob`
			`import ssl`
			`import sys`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`import confluent.sshutil as sshutil`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`import confluent.certutil as certutil`
			`import confluent.config.configmanager as configmanager`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`import subprocess`
			`import tempfile`
			`import shutil`

			`def fprint(txt):`
			`sys.stdout.write(txt)`
			`sys.stdout.flush()`


			`def tftp_works():`
			`try:`
			`subprocess.check_call(['curl', '--connect-timeout', '2', '-sf', 'tftp://localhost/confluent/x86_64/ipxe.efi', '-o', '/dev/null'])`
			`return True`
			`except Exception:`
			`return False`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00
			`def emprint(txt):`
			`if sys.stdout.isatty():`
			`print('\x1b[1m\x1b[4m' + txt + '\x1b[0m')`
			`else:`
			`print(txt)`

			`def deployment_configured():`
			`return os.path.exists('/var/lib/confluent/public/site/confluent_uuid')`

			`def webserver_listening():`
			`try:`
			`conn = socket.create_connection(('localhost', 443))`
			`return conn`
			`except Exception:`
			`return False`


			`def certificates_missing_ips(conn):`
			`# check if the tls can verify by the right CAs, then further`
			`# check if all ip addresses are in the certificate offered`
			`ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`
			`ctx.check_hostname = False`
			`for cacert in glob.glob('/var/lib/confluent/public/site/tls/*.pem'):`
			`ctx.load_verify_locations(cacert)`
			`sock = ctx.wrap_socket(conn)`
			`crt = sock.getpeercert()`
			`sans = crt.get('subjectAltName', [])`
			`ips = certutil.get_ip_addresses()`
			`missing_ips = []`
			`for ip in ips:`
			`for san in sans:`
			`field, val = san`
			`if val[-1] == '\n':`
			`val = val[:-1]`
			`if ':' in val:`
			`# must normalize ipv6 to a sane value`
			`val = socket.getaddrinfo(val, 443, type=socket.SOCK_STREAM)[0][-1][0]`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`if ip == val:`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`break`
			`else:`
			`missing_ips.append(ip)`
			`return missing_ips`

Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00
			`def web_download_works():`
			`try:`
Add check for actual file download 2022-09-01 17:21:39 +00:00			`subprocess.check_call(['curl', '-skf', 'https://localhost/confluent-public/site/confluent_uuid', '-o', '/dev/null'])`
Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`except Exception:`
			`return False`
			`return True`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00

Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`def nics_missing_ipv6():`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`# check for ability to create AF_INET6, for kernel disabled ipv6`
Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`a = socket.socket(socket.AF_INET6)`
			`ipaddrs = subprocess.check_output(['ip', '-br', 'a']).split(b'\n')`
			`missingnics = []`
			`for line in ipaddrs:`
			`comps = line.split()`
			`if not comps:`
			`continue`
			`iname, state = comps[:2]`
			`if iname == b'lo':`
			`continue`
			`addrs = comps[2:]`
			`hasv6 = False`
			`hasv4 = False`
			`for addr in addrs:`
			`if b'.' in addr:`
			`hasv4 = True`
			`if addr.startswith(b'fe80::'):`
			`hasv6 = True`
			`if hasv4 and not hasv6:`
			`missingnics.append(iname.decode('utf8'))`
			`return missingnics`

			`def insecure_boot_attempts():`
			`insecurenodes = set([])`
			`with open('/var/log/confluent/events') as eventin:`
			`line = True`
			`while line:`
			`line = eventin.readline()`
			`if 'insecure mode is disabled' in line:`
			`line = line.split()`
			`insecurenodes.add(line[7])`
			`for node in insecurenodes:`
			`currattr = subprocess.check_output(['nodeattrib', node, 'deployment.useinsecureprotocols'])`
			`currattr = currattr.split()`
			`if len(currattr) > 2 and currattr[2] == b'firmware':`
			`continue`
			`else:`
			`return True`
			`return False`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00

			`def uuid_matches():`
			`with open('/var/lib/confluent/public/site/confluent_uuid', 'r') as uuidf:`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`fsuuid = uuidf.read().strip()`
			`dbuuid = configmanager.get_global('confluent_uuid')`
			`return dbuuid == fsuuid`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00
			`if __name__ == '__main__':`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`sys.stdout.write('OS Deployment: ')`
			`sys.stdout.flush()`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`if deployment_configured():`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`print("Initialized")`
			`sys.stdout.write('Confluent UUID: ')`
			`sys.stdout.flush()`
			`if uuid_matches():`
			`print('Consistent')`
			`else:`
Add facility to fix confluent uuid problem 2022-09-01 17:26:25 +00:00			`emprint('Inconsistent between confluent database and /var/lib/confluent (Example resolution: confetty set /uuid resync=1)')`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`fprint('Web Server: ')`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`conn = webserver_listening()`
			`if conn:`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`print('Running')`
			`fprint('Web Certificate: ')`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`cert = certificates_missing_ips(conn)`
			`if cert:`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`cert = ', '.join(cert)`
			`emprint('Addresses missing from certificate: {0} (Example resolution: osdeploy initialize -t)'.format(cert))`
			`else:`
			`print('OK')`
Add check for actual file download 2022-09-01 17:21:39 +00:00			`fprint('Checking web download: ')`
			`if web_download_works():`
			`print('OK')`
			`else:`
			`emprint('Failed to download /confluent-public/site/confluent_uuid')`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`else:`
			`emprint('Not Running (Example resolution: systemctl enable httpd --now)')`
			`fprint('TFTP Status: ')`
			`if tftp_works():`
			`print('OK')`
			`else:`
			`emprint('TFTP failure, PXE will not work, though media and HTTP boot can still work. (Example resolution: osdeploy initialize -p)')`
			`fprint('SSH root user public key: ')`
			`if glob.glob('/var/lib/confluent/public/site/ssh/*.rootpubkey'):`
			`print('OK')`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`else:`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`emprint('No trusted ssh keys for root user, passwordless SSH from managers to nodes may not work (Example resolution: osdeploy initialize -u)')`
			`if sshutil.sshver() > 7.6:`
			`fprint('Checking SSH Certificate authority: ')`
			`try:`
			`sshutil.prep_ssh_key('/etc/confluent/ssh/ca')`
Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`print('OK')`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`except Exception:`
			`emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')`
			`fprint('Checking confluent SSH automation key: ')`
			`try:`
			`sshutil.prep_ssh_key('/etc/confluent/ssh/automation')`
Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`print('OK')`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			`except subprocess.CalledProcessError:`
			`emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')`
Add IPv6 and insecure boot checking 2022-09-01 17:17:17 +00:00			`fprint('Checking for blocked insecure boot: ')`
			`if insecure_boot_attempts():`
			`emprint('Some nodes are attempting network boot using PXE or HTTP boot, but the node is not configured to allow this (Example resolution: nodegroupattrib everything deployment.useinsecureprotocols=firmware)')`
			`else:`
			`print('OK')`
			`fprint('Checking IPv6 enablement: ')`
			`nics = nics_missing_ipv6()`
			`if nics:`
			`snics = ','.join(nics)`
			`emprint('Some interfaces ({0}) have ipv6 disabled, and may be unable to fully perform discovery or deployment (Example resolution: nmcli c m {1} ipv6.method link-local )'.format(snics, nics[0]))`
			`else:`
			`print('OK')`
Begin work on a sanity checker Check various facets that are frequently not quite right, making recommendations on how to correct. 2022-08-30 20:59:40 +00:00			`else:`
Add TFTP and ssh key checks to checkconfluent 2022-08-31 21:30:41 +00:00			print("Uninitialized, further OS deployment checks skipped, see `osdeploy initialize` to set up OS deployment feature")