mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-25 02:52:07 +00:00
Add TFTP and ssh key checks to checkconfluent
This commit is contained in:
parent
ed91e0f2f3
commit
28331adced
@ -1,15 +1,7 @@
|
||||
#!/usr/bin/python3
|
||||
# frequent problems to check/repair
|
||||
# confluent_uuid mismatch from /var/lib/confluent/public/site
|
||||
# repair would be to set the uuid global to match filesystem for least disruptive change
|
||||
# local certificate is missing some addresses
|
||||
# repair is osdeploy initialize -t
|
||||
|
||||
# automation and/or ca certificates are somehow not viable
|
||||
# This may be simple as file not exist or exist but can't be decrypted, or something about the ssh-agent in confluent isn't working
|
||||
|
||||
# avoid regenerating ssh ca when not needed, people tend to repeat initialize and this needs to be made harmless. Instruct user to delete the file if they truly
|
||||
#want to start over.
|
||||
#
|
||||
#
|
||||
import os
|
||||
@ -17,8 +9,24 @@ import socket
|
||||
import glob
|
||||
import ssl
|
||||
import sys
|
||||
import confluent.sshutil as sshutil
|
||||
import confluent.certutil as certutil
|
||||
import confluent.config.configmanager as configmanager
|
||||
import subprocess
|
||||
import tempfile
|
||||
import shutil
|
||||
|
||||
def fprint(txt):
|
||||
sys.stdout.write(txt)
|
||||
sys.stdout.flush()
|
||||
|
||||
|
||||
def tftp_works():
|
||||
try:
|
||||
subprocess.check_call(['curl', '--connect-timeout', '2', '-sf', 'tftp://localhost/confluent/x86_64/ipxe.efi', '-o', '/dev/null'])
|
||||
return True
|
||||
except Exception:
|
||||
return False
|
||||
|
||||
def emprint(txt):
|
||||
if sys.stdout.isatty():
|
||||
@ -57,7 +65,7 @@ def certificates_missing_ips(conn):
|
||||
if ':' in val:
|
||||
# must normalize ipv6 to a sane value
|
||||
val = socket.getaddrinfo(val, 443, type=socket.SOCK_STREAM)[0][-1][0]
|
||||
if ip == 'val':
|
||||
if ip == val:
|
||||
break
|
||||
else:
|
||||
missing_ips.append(ip)
|
||||
@ -72,43 +80,61 @@ def is_ipv6_enabled():
|
||||
# warn that os deployment and discovery services may be impacted for afflicted
|
||||
# interface
|
||||
|
||||
# check ssh sanity, are there automation keys and ca keys? can the configmanager
|
||||
# keys unlock them?
|
||||
|
||||
# check for pxe support, tftp transfer of ipxe file
|
||||
|
||||
# check for http access to confluent-public, use site.cpio as file to check?
|
||||
|
||||
# check for deployment.useinsecureprotocols=firmware
|
||||
|
||||
def uuid_matches():
|
||||
with open('/var/lib/confluent/public/site/confluent_uuid', 'r') as uuidf:
|
||||
fsuuid = uuidf.read()
|
||||
dbuuid = configmanger.get_global('confluent_uuid')
|
||||
return dbuuid == fsuuid:
|
||||
|
||||
#TODO: osdeploy initialize needs to resync from filesystem at some point,
|
||||
|
||||
#if not confluentuuid:
|
||||
# confluentuuid = str(uuid.uuid4())
|
||||
# configmanager.set_global('confluent_uuid', confluentuuid)
|
||||
fsuuid = uuidf.read().strip()
|
||||
dbuuid = configmanager.get_global('confluent_uuid')
|
||||
return dbuuid == fsuuid
|
||||
|
||||
if __name__ == '__main__':
|
||||
sys.stdout.write('OS Deployment: ')
|
||||
sys.stdout.flush()
|
||||
if deployment_configured():
|
||||
print("OS Deployment: Initialized")
|
||||
if not uuid_matches():
|
||||
print("Initialized")
|
||||
sys.stdout.write('Confluent UUID: ')
|
||||
sys.stdout.flush()
|
||||
if uuid_matches():
|
||||
print('Consistent')
|
||||
else:
|
||||
#TODO: need a resolution to suggest
|
||||
emprint('UUID inconsistent between confluent database and /var/lib/confluent')
|
||||
emprint('Inconsistent between confluent database and /var/lib/confluent')
|
||||
fprint('Web Server: ')
|
||||
conn = webserver_listening()
|
||||
if conn:
|
||||
print('Running')
|
||||
fprint('Web Certificate: ')
|
||||
cert = certificates_missing_ips(conn)
|
||||
if cert:
|
||||
for addr in cert:
|
||||
emprint('Address missing from certificate: {0}'.format(addr))
|
||||
emprint('Example resolution: osdeploy initialize -t')
|
||||
cert = ', '.join(cert)
|
||||
emprint('Addresses missing from certificate: {0} (Example resolution: osdeploy initialize -t)'.format(cert))
|
||||
else:
|
||||
print('OK')
|
||||
else:
|
||||
emprint("Web Server: Not Running")
|
||||
emprint("Example resolution: systemctl enable httpd --now")
|
||||
emprint('Not Running (Example resolution: systemctl enable httpd --now)')
|
||||
fprint('TFTP Status: ')
|
||||
if tftp_works():
|
||||
print('OK')
|
||||
else:
|
||||
emprint('TFTP failure, PXE will not work, though media and HTTP boot can still work. (Example resolution: osdeploy initialize -p)')
|
||||
fprint('SSH root user public key: ')
|
||||
if glob.glob('/var/lib/confluent/public/site/ssh/*.rootpubkey'):
|
||||
print('OK')
|
||||
else:
|
||||
emprint('No trusted ssh keys for root user, passwordless SSH from managers to nodes may not work (Example resolution: osdeploy initialize -u)')
|
||||
if sshutil.sshver() > 7.6:
|
||||
fprint('Checking SSH Certificate authority: ')
|
||||
try:
|
||||
sshutil.prep_ssh_key('/etc/confluent/ssh/ca')
|
||||
except Exception:
|
||||
emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')
|
||||
fprint('Checking confluent SSH automation key: ')
|
||||
try:
|
||||
sshutil.prep_ssh_key('/etc/confluent/ssh/automation')
|
||||
except subprocess.CalledProcessError:
|
||||
emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')
|
||||
else:
|
||||
print("OS Deployment: Uninitialized")
|
||||
print()
|
||||
print("Uninitialized, further OS deployment checks skipped, see `osdeploy initialize` to set up OS deployment feature")
|
||||
|
Loading…
Reference in New Issue
Block a user