2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-29 13:00:03 +00:00
Commit Graph

2296 Commits

Author SHA1 Message Date
Jarrod Johnson
868367e052 Add sensing of ONIE switches
Have nodediscover show detected
ONIE install devices.
2020-02-19 15:20:45 -05:00
Jarrod Johnson
f6d4fef5e6 Improve error message for collective
When trying to not run as root, give a
better error message explaining the
situation more clearly.
2020-02-18 16:16:40 -05:00
Jarrod Johnson
b1b7ec4d50 Add affluent plugin
Implementing Cumulus NOS
support through an agent called
'affluent'.
2020-02-18 14:23:57 -05:00
Jarrod Johnson
c0cd6de4f7 Remove PrivateDevices from unit file
PrivateDevices breaks pam_unix, for some reason.  Remove this
protection.  We still have DevicePolicy closed and running as non-root,
so this should still be relatively safe.i
2020-02-13 11:42:21 -05:00
Jarrod Johnson
4437e81e04 Leverage unix_chkpwd
If doing PAM authentication, we
can setuid to the target user and then
pam_unix will use unix_chkpwd on
our behalf.

Problems with this working in the lab
was resolved by a yum reinstall pam,
so it was presumably due to messed up
setcap or similar experiments.
2020-02-13 10:37:15 -05:00
Jarrod Johnson
6a12af1242 Remove non-root for older distributions
Older systemd does not support capabilities.  For such a platform,
disable non-root mode.
2020-02-12 13:20:08 -05:00
Jarrod Johnson
9879a83a10 Fix mistake in the redfish access protection
It contained a syntax error.
2020-02-11 14:22:19 -05:00
Jarrod Johnson
cce6b824de Merge branch 'master' of github.com:jjohnson42/confluent 2020-02-11 14:09:51 -05:00
Jarrod Johnson
ce1cb952e8 Fix PAM authentication
It's tricky.  On Redhat platforms, we need the CAP_DAC_READ_SEARCH
capability.  Unfortunately this is one of the nicest capabilities to have.

For now add it to ambient set so that PAM can work on redhat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it to somewhere.

If we could drop the capability from effective set and add it back in when
needed, that would be nice, but that appears not to be possible.

Short of that, having a separate authentication process
running and dropping privilege would potentially work.
2020-02-11 14:09:22 -05:00
Jarrod Johnson
c6812274e4 Fix media list through collective
The Media class was not
serializable by msgpack.  Fix this
and improve error messages in
future instances of this behavior.
2020-02-11 09:04:49 -05:00
Jarrod Johnson
7cd7068dd7 Remove stray developer output
Remove a developer repr from log
output.
2020-02-07 16:01:29 -05:00
Jarrod Johnson
48f0330568 Add affluent support to /networking
The /networking backend will now
check for affluent on the switches and
use it if possible for improved performance.
2020-02-07 15:57:33 -05:00
Jarrod Johnson
66e1d17d28 Have systemd manage confluent run dir
The run directory has to be created and owned by confluent,
or else things cannot start.
2020-02-06 13:45:46 -05:00
Jarrod Johnson
7480494432 Tighten up new PAM check
For one, remove the password cache cleaning, as it no longer is run.

For another, skip the fork if uid is already 0.

Finally, wrap the check in a try/finally to keep the privileged process
more certain in exiting.
2020-02-06 10:05:57 -05:00
Jarrod Johnson
49c00bfbb7 Become root to check a password
Running as non-root had broken PAM support.  Allow setuid so we
can assume root in one specific case.
2020-02-05 16:06:13 -05:00
Jarrod Johnson
201985dd0e Fix missing argument to rpc_set_user
Requests were unable to traverse
a collective.
2020-02-05 14:55:51 -05:00
Jarrod Johnson
1aee19997a Carry errors across msgpack
Messages that were formerly carried
as pickled exceptions are now sent
as generic strings over msgpack.
2020-02-04 10:16:48 -05:00
Jarrod Johnson
3bc366bef4 Fix mistake in the cert util 2020-02-03 15:37:20 -05:00
Jarrod Johnson
4c83a1a04e Fix typos
Previous commit had errors in
quotations.
2020-02-03 11:13:13 -05:00
Jarrod Johnson
cfae28a869 Add error mesasges to help with non-root confluent
non-root confluent daemon will have a larger struggle
with permissions, try to help the user navigate that.
2020-02-03 10:13:26 -05:00
Jarrod Johnson
44e6a72847 Switch to using the defined service
For now, this makes no difference, but it is poor form,
probably.  Correct by referencing the variable
name.
2020-02-03 09:57:02 -05:00
Jarrod Johnson
006fdc8280 Merge branch 'master' of github.com:jjohnson42/confluent 2020-02-02 18:19:06 -05:00
Jarrod Johnson
895b5264f6 Fix incorrect pam service
pam was defaulting to use of 'login', but we want 'confluent' for the service.
2020-02-02 18:18:39 -05:00
Jarrod Johnson
0b577af1ca Fix ownership of confluent cache
It needs to be owned by the confluent user.
2020-01-31 11:48:34 -05:00
Jarrod Johnson
ff0b1bba7f Fix rpm spec file
There was an ommision and a mistake.
2020-01-31 10:37:49 -05:00
Jarrod Johnson
0badd9e5b4 Migrate confluent installs to non-root
This will check for and repair uid 0 owned confluent directories.
2020-01-31 10:16:33 -05:00
Jarrod Johnson
c02064f0a5 Add missing msgpack dependencies 2020-01-31 10:02:38 -05:00
Jarrod Johnson
c1b82d8163 Protect confluent private data
This blocks use of private confluent data in commands like
nodelicense, nodefirmware, and nodemedia.
2020-01-31 10:00:35 -05:00
Jarrod Johnson
0d5fa7a98a Change confluent to run as non-root and harden systemd
This mitigates a great deal of risk compared to prior behavior.
2020-01-31 09:52:52 -05:00
Jarrod Johnson
968efe719a Add CAP_NET_BIND_SERVICE to unit file
This is preparing for running as non-root.

We need this capability to snoop SLP and PXE
2020-01-31 09:34:13 -05:00
Jarrod Johnson
7a63ca8759 Fix python3 problem with confetty
Under python3, there is no unicode.
2020-01-31 08:53:42 -05:00
Jarrod Johnson
a24866c2df Fix exitcode for confetty noderange commands
The exitcode was not being set for noderange commands
where each node may independently raise errors.

Correct the oversight by catching each subelements errors.
2020-01-31 08:22:20 -05:00
Jarrod Johnson
c666b11138 Add ability to foreground exec confluent
This allows easier debug and option for unit file
in systemd to run foreground if it makes sense.
2020-01-31 08:10:01 -05:00
Jarrod Johnson
22f6198f60 Fix nodebmcreset on bad noderange
This prevents confusing python stack when
a bad noderange is specified.
2020-01-30 14:35:58 -05:00
Jarrod Johnson
c99d01dffc Fix indentation of date conversion
The conversion was not checking each element.
2020-01-29 17:08:00 -05:00
Jarrod Johnson
8d0028a1de Catch all for serialization errors
Rather than odd bool error, return something a
bit more precise.
2020-01-29 15:45:27 -05:00
Jarrod Johnson
bb9c2297c9 Stringify firmware datetime
With the change to msgpack, datetime objects cannot be serialized.  Apply
tlvdata compliant transform before storing.
2020-01-29 15:41:13 -05:00
Jarrod Johnson
91fa5bd1eb Enhance nodeconfig treatment of IMM
This makes the IMM attributes usable, but not intrusive.
2020-01-29 14:20:56 -05:00
Jarrod Johnson
ac9609c40d Adjust to pyghmi api change
Due to confusion of mixed settings, pyghmi api changes
to enable the confluent experience to be more
sane.
2020-01-29 10:56:31 -05:00
Jarrod Johnson
0c4cb49c20 Implement nodeconfig -e
This provides access to 'extra' settings.
Mainly intended to avoid slowing down nodeconfig
with IMM attributes that most people don't
want anyway.
2020-01-29 10:15:32 -05:00
Jarrod Johnson
4be4100014 Fix configmanager msgpack
msgpack method had some regressions.  For one, python2 strings
became bytes on mixed collective, fix by using raw=False on the
receiver.

Additionally, del_nodes tends to use sets, and that's not viable for
msgpack.  Guard against that.
2020-01-29 09:24:57 -05:00
Jarrod Johnson
9f7c8c69f2 Fix invalid credentials msgpack
The invalid credentials did not accept an argument like
the rest, fix the inconsistency for msgpack deserialization.
2020-01-28 15:41:50 -05:00
Jarrod Johnson
c35f7d99f7 Update stripped exceptions to include node
While the exception had the node name, in some contexts the
exception was processed genericly.
2020-01-28 10:18:58 -05:00
Jarrod Johnson
445950d02a Roll back library level force of role
Doing collective and config restore breaks.  The API
will still prevent implicit role assumption.
2020-01-28 10:05:04 -05:00
Jarrod Johnson
cf72cf2d8c Require role explicitly on user/group creation
Rather than default to administrator, require
the user to explicitly set the role to administrator.
2020-01-27 16:12:03 -05:00
Jarrod Johnson
0652a7321b Apply whitelist to rpc functions in configmanager 2020-01-27 15:59:22 -05:00
Jarrod Johnson
4c8ba92856 Change configuration sync to use msgpack
This removes use of pickle for config sync over network.
2020-01-27 15:53:29 -05:00
Jarrod Johnson
09582d7597 Move input handling to destination
It is tricky to serialize a configmanager object, and
probably was making the requests gigantic anyway.

Serialize the parameters to let the target use its local copy instead
of serializing an entire config manager.
2020-01-27 15:26:54 -05:00
Jarrod Johnson
8a9e9aa7b3 Always use string type in msgpack
To facilitate py2/py3 consistency, for these
messages just always use the native string.
With this, python 2 strings will be unpacked as
strings by python 3.  This means bytes cannot be
passed, but we will suffer that limitation for now.
2020-01-24 14:07:34 -05:00
Jarrod Johnson
b766e7b0ee Opt into the msgpack 1.0 behavior
This fixes the dispatch to actually work.
2020-01-24 11:39:44 -05:00