Add IPv6 and insecure boot checking

2024-11-21 17:11:58 +00:00 · 2022-09-01 13:17:17 -04:00 · 2022-09-01 13:17:17 -04:00 · 67f0c8a81b
commit 67f0c8a81b
parent 28331adced
2 changed files with 63 additions and 7 deletions
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -125,13 +125,13 @@ def prep_ssh_key(keyname):
    try:
        askpass = os.path.join(tmpdir, 'askpass.sh')
        with open(askpass, 'w') as ap:
-            ap.write('#!/bin/sh\necho $CONFLUENT_SSH_PASSPHRASE\n;rm {0}\n'.format(askpass))
+            ap.write('#!/bin/sh\necho $CONFLUENT_SSH_PASSPHRASE\nrm {0}\n'.format(askpass))
        os.chmod(askpass, 0o700)
        os.environ['CONFLUENT_SSH_PASSPHRASE'] = get_passphrase()
        os.environ['DISPLAY'] = 'NONE'
        os.environ['SSH_ASKPASS'] = askpass
        with open(os.devnull, 'wb') as devnull:
-            subprocess.check_call(['ssh-add', keyname], stdin=devnull)
+            subprocess.check_output(['ssh-add', keyname], stdin=devnull, stderr=devnull)
        del os.environ['CONFLUENT_SSH_PASSPHRASE']
        ready_keys[keyname] = 1
    finally:
--- a/misc/checkconfluent
+++ b/misc/checkconfluent
@ -71,14 +71,56 @@ def certificates_missing_ips(conn):
            missing_ips.append(ip)
    return missing_ips

+
+def web_download_works():
+    try:
+        subprocess.check_call(['curl', '-skf', 'https://localhost/confluent-public/site/confluent_uuid'])
+    except Exception:
+        return False
+    return True
            

-def is_ipv6_enabled():
+def nics_missing_ipv6():
    # check for ability to create AF_INET6, for kernel disabled ipv6
-    pass
-    # for every interface with an ipv4 address, check if there's an fe80 as well
-    # warn that os deployment and  discovery services may be impacted for afflicted
-    # interface
+    a = socket.socket(socket.AF_INET6)
+    ipaddrs = subprocess.check_output(['ip', '-br', 'a']).split(b'\n')
+    missingnics = []
+    for line in ipaddrs:
+        comps = line.split()
+        if not comps:
+            continue
+        iname, state = comps[:2]
+        if iname == b'lo':
+            continue
+        addrs = comps[2:]
+        hasv6 = False
+        hasv4 = False
+        for addr in addrs:
+            if b'.' in addr:
+                hasv4 = True
+            if addr.startswith(b'fe80::'):
+                hasv6 = True
+        if hasv4 and not hasv6:
+            missingnics.append(iname.decode('utf8'))
+    return missingnics
+
+def insecure_boot_attempts():
+    insecurenodes = set([])
+    with open('/var/log/confluent/events') as eventin:
+        line = True
+        while line:
+            line = eventin.readline()
+            if 'insecure mode is disabled' in line:
+                line = line.split()
+                insecurenodes.add(line[7])
+    for node in insecurenodes:
+        currattr = subprocess.check_output(['nodeattrib', node, 'deployment.useinsecureprotocols'])
+        currattr = currattr.split()
+        if len(currattr) > 2 and currattr[2] == b'firmware':
+            continue
+        else:
+            return True
+    return False

 # check for http access to confluent-public, use site.cpio as file to check?

@ -129,12 +171,26 @@ if __name__ == '__main__':
            fprint('Checking SSH Certificate authority: ')
            try:
                sshutil.prep_ssh_key('/etc/confluent/ssh/ca')
+                print('OK')
            except Exception:
                emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')            
            fprint('Checking confluent SSH automation key: ')
            try:
                sshutil.prep_ssh_key('/etc/confluent/ssh/automation')
+                print('OK')
            except subprocess.CalledProcessError:
                emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')
+        fprint('Checking for blocked insecure boot: ')
+        if insecure_boot_attempts():
+            emprint('Some nodes are attempting network boot using PXE or HTTP boot, but the node is not configured to allow this (Example resolution: nodegroupattrib everything deployment.useinsecureprotocols=firmware)')
+        else:
+            print('OK')
+        fprint('Checking IPv6 enablement: ')
+        nics = nics_missing_ipv6()
+        if nics:
+            snics = ','.join(nics)
+            emprint('Some interfaces ({0}) have ipv6 disabled, and may be unable to fully perform discovery or deployment (Example resolution: nmcli c m {1} ipv6.method link-local )'.format(snics, nics[0]))
+        else:
+            print('OK')
    else:
        print("Uninitialized, further OS deployment checks skipped, see `osdeploy initialize` to set up OS deployment feature")