2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 03:19:48 +00:00
Commit Graph

371 Commits

Author SHA1 Message Date
Jarrod Johnson
68037473d0 Replace login event mechanism
Provide a different scheme that does not involve a wait(), if by chance
the flow dies without getting back to our thread.  wait() has no timeout
so this is a strategy to cope by making sure we hang for no longer than
3 minutes, which is well beyond any time a login should possibly take.
2017-04-26 14:26:00 -04:00
Jarrod Johnson
6ab4d3c886 Add a recourse to drain queue
While it may not have been possible in eventlet for this to happen,
strictly speaking if it were a thread, it could exit during check for
liveness and leave data on the queue.

To be careful, also drain the queue after all children dead.
2017-04-25 16:48:35 -04:00
Jarrod Johnson
cf97bbe299 Rework ipmi worker management
Provide a more concrete measurement of
children, rather than relying upon a
sentinel value on the queue.  It seems
that even using 'finally' didn't assure
that we always get that sentinel value
before a worker dies.  Sentinel value
still used to avoid a long wait in the
usual case.
2017-04-25 15:27:29 -04:00
Allen Lin37
b64858e0b3 Removing unnecessary case if groups ever has a key of 'value' 2017-04-20 15:41:11 -04:00
Allen Lin37
86e502a47a remove debug and fixing issue checking attribute 2017-04-13 22:07:47 -04:00
Allen Lin37
2042bcb8f0 updating server side for use with nodegroupattrib 2017-04-13 17:36:41 -04:00
Allen Lin37
db15992894 Adding nodegroupattrib to update nodegroups 2017-04-12 10:36:27 -04:00
Jarrod Johnson
e230f803ce Correct missing argument
__new__ was missed in the last commit.
2017-04-11 15:42:16 -04:00
Jarrod Johnson
563a2b11c3 Change the stdout/stderr/trace logs to not buffer things over time
If something went completely off the rails, it could easily fill up lots of memory with log entries in the 2 seconds it
would buffer.  For now disable the buffering on key debug logs, as the main purpose was reducing IOPs in the per-node
console logs anyway.  A future behavior may be to also limit the size and/or number of outstanding log entries before
committing to disk.
2017-04-11 14:40:05 -04:00
Jarrod Johnson
919dab9b55 Create auth multiprocessing pool on demand
Most of the time, we don't need this pool.  Create when needed,
and clean up after 30 seconds of inactivity.  This avoids a slow
shutdown that was due to core python hanging in help_finish_stuff,
and as a bonus means most of the time, one only sees one confluent
process, which has been a source of questions already.
2017-03-05 08:28:35 -05:00
Jarrod Johnson
9e593f0554 Clean up nodepower
nodepower boot and reset output was misleading.
2017-02-15 10:46:27 -05:00
Jarrod Johnson
ecc6bcf96c Add the util to the setup.py
Previously packaging was missing the new utility
2017-02-15 10:46:27 -05:00
Jarrod Johnson
6ad383c6ad Assure deterministic enumeration of areas
nodegroup must be restored first.
2017-02-15 10:46:27 -05:00
Jarrod Johnson
446d2270c9 Give a friendlier message on restore of redact DB
A redacted dump will not have a keys.json file, which
is natural.  Replace 'file not found' with a message
indicating the possibility of a redacted dump.
2017-02-15 10:46:27 -05:00
Jarrod Johnson
5395f97a21 Do not write out keys when redacting
It's silly to store keys when redact is requested
2017-02-15 10:46:27 -05:00
Jarrod Johnson
04781e0ece Actually hook up the redact feature 2017-02-15 10:46:27 -05:00
Jarrod Johnson
9bd0b7af9d Make confluentdbutil executable 2017-02-15 10:46:27 -05:00
Jarrod Johnson
ae806e55b0 Add a utility to frontend DB dump/restore
This exposes the library functions as a utility
2017-02-15 10:46:26 -05:00
Jarrod Johnson
393ea41696 Implement restore from db
This provides at least restore for the primary tenant (the only tenant currently used by anyone)
2017-02-15 10:46:26 -05:00
Jarrod Johnson
b87cb87c2a Flesh out the restoration of the master keys
With this commit, the key portion of import should be complete.
2017-02-15 10:46:26 -05:00
Jarrod Johnson
a91d7047b2 Start work on a db restore
Start by parsing the previously dumped key data, since the key data requires special handling.
2017-02-15 10:46:26 -05:00
Jarrod Johnson
638842beec Fix no password backup
If password=None was supplied, it would fail.  Now accomodate unprotected keys.
2017-02-15 10:46:26 -05:00
Jarrod Johnson
612350ca65 Provide for a terminal session to process normal commands
If it is not one of the 'special' terminal ones, assume it's a normal one.  Recurse into
the process request to handle it as a separate request.
2017-01-27 14:18:22 -05:00
Jarrod Johnson
bc5efa8a7e Try restarting confluent if running on update
This mitigates chance of confluent being stale.
2017-01-20 15:50:12 -05:00
Jarrod Johnson
486c322233 Have binding network sockets occur in a retry loop
There seems to be scenarios where a previously used socket won't open up immediately.  Retry when
this is detected.
2017-01-17 13:59:22 -05:00
Jarrod Johnson
548e4404ce Fix confluent startup error if dead
Clean up stale dbg.sock if present rather than fail to start.  Also, if the pid indicated in pid file doesn't exist, ignore
the pidfile contents.
2017-01-06 13:43:02 -05:00
Jarrod Johnson
5ffc2c298b Correct mixup of parentheses and brackets 2017-01-04 09:56:31 -05:00
Jarrod Johnson
7bf8242aba Assign self.ipmicmd in case we are reusing an existing object that is already logged. 2017-01-04 09:45:19 -05:00
Jarrod Johnson
b3c28ad33e Defer assigning of self.ipmicmd until login
Wait until logged in to assign.  This way we have confirmation that ipmicmd is viable before trying to use it.
2017-01-04 09:17:07 -05:00
Jarrod Johnson
e7bdb5ee7d Defer TLS key handler registration
Wait until the object is logged in before trying to set
the key handler.  It carries some prerequisite on talking
to the BMC, so it is better handled in the logged handler.
2017-01-03 16:00:27 -05:00
Jarrod Johnson
8eef064b9f Provide more useful error on socket error
If a socket error occurred that wasn't -2, the client would get an error
about KeyError, which wouldn't be helpful.  raise the unhandled exception
to provide more informative data in case of an issue.
2016-12-02 10:35:24 -05:00
Jarrod Johnson
c016c55340 Add HTTP/1.0 cache suppression
There is not a single client that will ever talk
to this service that would not support HTTP/1.1.
However, do this to satisfy a scanner.
2016-11-30 11:42:50 -05:00
Jarrod Johnson
d2156f3d67 Move the anti-referrer login to only logout
This has no functional difference, just a cosmetic
difference that does not give the erroneous impression
a logout actually occurred.  This does mean that if a browser
disables cookies and uses the api explorer, there would
be an opportunity for a CSRF.
2016-11-30 10:15:44 -05:00
Jarrod Johnson
bf8dff90f3 Provide CSRF protection to logout resource
Though more annoying than harmful, guard against CSRF succeeding
against the logout resource.
2016-11-30 10:04:25 -05:00
Jarrod Johnson
004d40e7ca Implement more CSRF countermeasures
At some expense of convenience, make it difficult
for CSRF to succeed even against the API explorer
for most people.  User/Password will now only be
accepted on hitting enter in the address bar rather
than following any link.
2016-11-30 09:57:58 -05:00
Jarrod Johnson
ac084b212e Merge branch 'nodeexec' 2016-11-29 10:50:32 -05:00
Jarrod Johnson
7557136d5d Add a number of security headers
There are a number of headers security scanners expect.
Explicitly declare how strict browser should be with
responses.
2016-11-29 10:49:02 -05:00
Jarrod Johnson
61bd415ec4 Make confluent depend on python-dns
Fedora and family naming convention removes
'python' from the 'dnspython' name.  Work
within that standard to improve compatibility
with epel and such.
2016-11-07 14:07:12 -05:00
Jarrod Johnson
107337fdba Merge branch 'master' of github.com:jjohnson42/confluent 2016-11-07 10:19:41 -05:00
Jarrod Johnson
eb02247a58 Fix consistency of sessionid
Regardless of whether the client uses it as a session id
or not, the fact remains a sessionid is assigned.
Pass the session id in the auth data even if the client
did not send it.
2016-11-07 10:18:32 -05:00
Jarrod Johnson
53904a2a5a Revert "Remove 'path' condition for session cookie"
This reverts commit 0ad4ae90c9.
2016-11-01 13:45:33 -04:00
Jarrod Johnson
e0211fd8d8 Merge branch 'avoidrecursereplay' 2016-10-25 14:38:04 -04:00
Jarrod Johnson
0ad4ae90c9 Remove 'path' condition for session cookie
The cookie had an unnecessary limitation.  path need not be specified,
and it is possible for a client to request in a way that fails the criteria.
2016-10-21 09:56:14 -04:00
Jarrod Johnson
6f9bdf4a7c Create multiple files on roll conflict
Rather than removing the previous file, append a digit
to denote extra log files sharing the same roll date.
2016-10-18 11:28:47 -04:00
Jarrod Johnson
4eaab9db37 Avoid inifinite replay loop on bad previouslogfile
If circumstances result in a log file after rollover
pointing at itself, break out rather than looping trying
to get the same data from itself.
2016-10-18 11:18:57 -04:00
Jarrod Johnson
92fa2bf4d9 Add a number of security headers
There are a number of headers security scanners expect.
Explicitly declare how strict browser should be with
responses.
2016-10-13 11:08:05 -04:00
Jarrod Johnson
457f1fe30b Provide resource to allow clients to expand custom expressions
Clients may now format a string as if it were to be an expression for an attribute,
and have the server evaluate it using the same engine without passing through the
attribute engine.  This makes it easier, for example, to do nodeexec n1-n4 ipmitool -H {hardwaremanagement.manager}
2016-10-06 15:51:07 -04:00
Jarrod Johnson
bb38ff4588 Fix auto-version build
The build autoversion was not correct.  Use
git describe instead to be more complete.
2016-09-30 13:12:40 -04:00
Jarrod Johnson
d4ffc41451 Provide means of asynchttp of passing exceptions
This allows client code to be actually same when
using synchronous versus asynchonous.
2016-09-28 15:00:49 -04:00
Jarrod Johnson
fbd5059ade Unconditionally register key handler
For reasons not entirely understood, we can
have an ipmi command object without registering
a key handler.  Unconditionally register the key handler
on each use of the command object.  This still saves the
network load of logging in, so it's not a terrible workaround.
2016-09-28 14:59:43 -04:00