xCAT/confluent
2
0
Fork 0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-25 11:01:09 +00:00
Code Issues Projects Releases Wiki Activity
2,305 Commits 39 Branches 63 Tags 18 MiB
634e5a8944
Commit Graph

2305 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jarrod Johnson
634e5a8944 Update gitignore 2020-03-02 13:15:09 -05:00
Jarrod Johnson
67e3530d16 Add group count to collate 
Feature request to offer the
ability to count output groups
rather than actually show output
groups.
 2020-03-02 11:29:28 -05:00
Jarrod Johnson
3c26beda1d Fix loss of web connectivity during XCC discovery 
The password policy was incorrectly logging out in the
middle of the flow when a forced password change occurred.
Fix by externally managing the web session.
 2020-02-26 10:00:10 -05:00
Jarrod Johnson
e2d0e49fc7 Add HTTP boot architecture to pxe 
This paves the way for future response to HTTP boot
 2020-02-20 20:36:36 -05:00
Jarrod Johnson
da5a34c2e4 Fix wheezy builds 2020-02-20 08:05:21 -05:00
Jarrod Johnson
3629cb8ee7 Fix spelling of cumulus 2020-02-19 16:53:35 -05:00
Jarrod Johnson
8233e0a5bd Merge branch 'master' of github.com:jjohnson42/confluent 2020-02-19 16:26:48 -05:00
Jarrod Johnson
eae7b3bd80 Add discovery snoop for Cumulus ZTP 
When a cumulus switch does ZTP, detect
in the discovery facility.
 2020-02-19 16:26:33 -05:00
Jarrod Johnson
868367e052 Add sensing of ONIE switches 
Have nodediscover show detected
ONIE install devices.
 2020-02-19 15:20:45 -05:00
Jarrod Johnson
6289cfaac4 Fix nodeboot when used with -m 
nodeboot was erroneously using sys.argv rather
than the processed args from optionparser.
 2020-02-19 14:36:10 -05:00
Jarrod Johnson
f6d4fef5e6 Improve error message for collective 
When trying to not run as root, give a
better error message explaining the
situation more clearly.
 2020-02-18 16:16:40 -05:00
Jarrod Johnson
b1b7ec4d50 Add affluent plugin 
Implementing Cumulus NOS
support through an agent called
'affluent'.
 2020-02-18 14:23:57 -05:00
Jarrod Johnson
c0cd6de4f7 Remove PrivateDevices from unit file 
PrivateDevices breaks pam_unix, for some reason.  Remove this
protection.  We still have DevicePolicy closed and running as non-root,
so this should still be relatively safe.i
 2020-02-13 11:42:21 -05:00
Jarrod Johnson
4437e81e04 Leverage unix_chkpwd 
If doing PAM authentication, we
can setuid to the target user and then
pam_unix will use unix_chkpwd on
our behalf.

Problems with this working in the lab
was resolved by a yum reinstall pam,
so it was presumably due to messed up
setcap or similar experiments.
 2020-02-13 10:37:15 -05:00
Jarrod Johnson
6a12af1242 Remove non-root for older distributions 
Older systemd does not support capabilities.  For such a platform,
disable non-root mode.
 2020-02-12 13:20:08 -05:00
Jarrod Johnson
9879a83a10 Fix mistake in the redfish access protection 
It contained a syntax error.
 2020-02-11 14:22:19 -05:00
Jarrod Johnson
cce6b824de Merge branch 'master' of github.com:jjohnson42/confluent 2020-02-11 14:09:51 -05:00
Jarrod Johnson
ce1cb952e8 Fix PAM authentication 
It's tricky.  On Redhat platforms, we need the CAP_DAC_READ_SEARCH
capability.  Unfortunately this is one of the nicest capabilities to have.

For now add it to ambient set so that PAM can work on redhat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it to somewhere.

If we could drop the capability from effective set and add it back in when
needed, that would be nice, but that appears not to be possible.

Short of that, having a separate authentication process
running and dropping privilege would potentially work.
 2020-02-11 14:09:22 -05:00
Jarrod Johnson
c6812274e4 Fix media list through collective 
The Media class was not
serializable by msgpack.  Fix this
and improve error messages in
future instances of this behavior.
 2020-02-11 09:04:49 -05:00
Jarrod Johnson
7cd7068dd7 Remove stray developer output 
Remove a developer repr from log
output.
 2020-02-07 16:01:29 -05:00
Jarrod Johnson
48f0330568 Add affluent support to /networking 
The /networking backend will now
check for affluent on the switches and
use it if possible for improved performance.
 2020-02-07 15:57:33 -05:00
Jarrod Johnson
66e1d17d28 Have systemd manage confluent run dir 
The run directory has to be created and owned by confluent,
or else things cannot start.
 2020-02-06 13:45:46 -05:00
Jarrod Johnson
7480494432 Tighten up new PAM check 
For one, remove the password cache cleaning, as it no longer is run.

For another, skip the fork if uid is already 0.

Finally, wrap the check in a try/finally to keep the privileged process
more certain in exiting.
 2020-02-06 10:05:57 -05:00
Jarrod Johnson
49c00bfbb7 Become root to check a password 
Running as non-root had broken PAM support.  Allow setuid so we
can assume root in one specific case.
 2020-02-05 16:06:13 -05:00
Jarrod Johnson
201985dd0e Fix missing argument to rpc_set_user 
Requests were unable to traverse
a collective.
 2020-02-05 14:55:51 -05:00
Jarrod Johnson
1aee19997a Carry errors across msgpack 
Messages that were formerly carried
as pickled exceptions are now sent
as generic strings over msgpack.
 2020-02-04 10:16:48 -05:00
Jarrod Johnson
3bc366bef4 Fix mistake in the cert util 2020-02-03 15:37:20 -05:00
Jarrod Johnson
4c83a1a04e Fix typos 
Previous commit had errors in
quotations.
 2020-02-03 11:13:13 -05:00
Jarrod Johnson
cfae28a869 Add error mesasges to help with non-root confluent 
non-root confluent daemon will have a larger struggle
with permissions, try to help the user navigate that.
 2020-02-03 10:13:26 -05:00
Jarrod Johnson
44e6a72847 Switch to using the defined service 
For now, this makes no difference, but it is poor form,
probably.  Correct by referencing the variable
name.
 2020-02-03 09:57:02 -05:00
Jarrod Johnson
006fdc8280 Merge branch 'master' of github.com:jjohnson42/confluent 2020-02-02 18:19:06 -05:00
Jarrod Johnson
895b5264f6 Fix incorrect pam service 
pam was defaulting to use of 'login', but we want 'confluent' for the service.
 2020-02-02 18:18:39 -05:00
Jarrod Johnson
0b577af1ca Fix ownership of confluent cache 
It needs to be owned by the confluent user.
 2020-01-31 11:48:34 -05:00
Jarrod Johnson
ff0b1bba7f Fix rpm spec file 
There was an ommision and a mistake.
 2020-01-31 10:37:49 -05:00
Jarrod Johnson
0badd9e5b4 Migrate confluent installs to non-root 
This will check for and repair uid 0 owned confluent directories.
 2020-01-31 10:16:33 -05:00
Jarrod Johnson
c02064f0a5 Add missing msgpack dependencies 2020-01-31 10:02:38 -05:00
Jarrod Johnson
c1b82d8163 Protect confluent private data 
This blocks use of private confluent data in commands like
nodelicense, nodefirmware, and nodemedia.
 2020-01-31 10:00:35 -05:00
Jarrod Johnson
0d5fa7a98a Change confluent to run as non-root and harden systemd 
This mitigates a great deal of risk compared to prior behavior.
 2020-01-31 09:52:52 -05:00
Jarrod Johnson
968efe719a Add CAP_NET_BIND_SERVICE to unit file 
This is preparing for running as non-root.

We need this capability to snoop SLP and PXE
 2020-01-31 09:34:13 -05:00
Jarrod Johnson
7a63ca8759 Fix python3 problem with confetty 
Under python3, there is no unicode.
 2020-01-31 08:53:42 -05:00
Jarrod Johnson
a24866c2df Fix exitcode for confetty noderange commands 
The exitcode was not being set for noderange commands
where each node may independently raise errors.

Correct the oversight by catching each subelements errors.
 2020-01-31 08:22:20 -05:00
Jarrod Johnson
c666b11138 Add ability to foreground exec confluent 
This allows easier debug and option for unit file
in systemd to run foreground if it makes sense.
 2020-01-31 08:10:01 -05:00
Jarrod Johnson
22f6198f60 Fix nodebmcreset on bad noderange 
This prevents confusing python stack when
a bad noderange is specified.
 2020-01-30 14:35:58 -05:00
Jarrod Johnson
c99d01dffc Fix indentation of date conversion 
The conversion was not checking each element.
 2020-01-29 17:08:00 -05:00
Jarrod Johnson
8d0028a1de Catch all for serialization errors 
Rather than odd bool error, return something a
bit more precise.
 2020-01-29 15:45:27 -05:00
Jarrod Johnson
bb9c2297c9 Stringify firmware datetime 
With the change to msgpack, datetime objects cannot be serialized.  Apply
tlvdata compliant transform before storing.
 2020-01-29 15:41:13 -05:00
Jarrod Johnson
91fa5bd1eb Enhance nodeconfig treatment of IMM 
This makes the IMM attributes usable, but not intrusive.
 2020-01-29 14:20:56 -05:00
Jarrod Johnson
ac9609c40d Adjust to pyghmi api change 
Due to confusion of mixed settings, pyghmi api changes
to enable the confluent experience to be more
sane.
 2020-01-29 10:56:31 -05:00
Jarrod Johnson
0c4cb49c20 Implement nodeconfig -e 
This provides access to 'extra' settings.
Mainly intended to avoid slowing down nodeconfig
with IMM attributes that most people don't
want anyway.
 2020-01-29 10:15:32 -05:00
Jarrod Johnson
4be4100014 Fix configmanager msgpack 
msgpack method had some regressions.  For one, python2 strings
became bytes on mixed collective, fix by using raw=False on the
receiver.

Additionally, del_nodes tends to use sets, and that's not viable for
msgpack.  Guard against that.
 2020-01-29 09:24:57 -05:00