2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-29 13:00:03 +00:00
Commit Graph

2132 Commits

Author SHA1 Message Date
Jarrod Johnson
4802c52854 If attempt to auto-restart service, reduce severity of result
Provide feedback as a warning rather than aborting the command entirely
2022-11-01 10:05:24 -04:00
Jarrod Johnson
817038c6cf Specify the valid values for apiarmed
Further, add more warning text around apiarmed, as it is a serious security
decision to take on continuous.
2022-11-01 08:37:03 -04:00
Jarrod Johnson
e0feb104ff Add facilities to subscribe/unsubscribe from discovery agents
This connects the new affluent discovery facility
to local discovery view.
2022-10-28 16:58:30 -04:00
Jarrod Johnson
d534f29c57 Implement fastpath for delegated discovery
When an enlisted discovery agent
notifies, skip slow searches and use
the agents information directly.
2022-10-27 15:42:58 -04:00
Jarrod Johnson
f6d8294e83 Check IP viability before commencing configuration
This avoids a pointless partial configuration from proceeding.
2022-10-27 15:41:13 -04:00
Jarrod Johnson
6c806c8171 Fix tentative path for real path 2022-10-27 10:03:18 -04:00
Jarrod Johnson
8bf067cac8 Fix issues in the auth nets logic 2022-10-25 12:52:22 -04:00
Jarrod Johnson
0d2a1b856b Fixes for the auth_nets configuration 2022-10-25 12:35:18 -04:00
Jarrod Johnson
4864d6abb0 Add mechanism to extend authentication to remote networks
This allows user to designate certain networks to be treated as
if they were local.

This enables the initial token grant to be allowed to a remote network.

This still requires that the api be armed (which should generally be a narrow window of
opportunity) and that the
request be privileged, it
just allows remote networks to be
elevated to be as trusted as local.
2022-10-25 11:26:44 -04:00
Jarrod Johnson
c57090a670 Correct order of find and replace strings in by-mac boot 2022-10-24 13:26:06 -04:00
Jarrod Johnson
29ad1bd57e Add various ways to look up boot file 2022-10-24 12:31:23 -04:00
Jarrod Johnson
f245f5cac5 Inject a hook for cmdline to specify confulent server
This enables a more manual approach
to indicate the deployment server.

This carries the assumption that a
normal OS autonetwork config
will get the node to the right network.

This is one step toward enabling a scenario where the target is remote and the DHCP is not going to relay, but instead the deployment feeds the DHCP a confluent URL entry point to get going.

Using this parameter precludes:
-Enhanced NIC auto selection.  If the OS auto-selection fails to
identify the correct interface, the profile will need nic name baked in.
-Auto-select deployment server from several.  This will mean that any
HA will require IP takeover be externally handled

This is of course on top of the manual process of
indicating confluent in kernelargs.
2022-10-17 13:07:18 -04:00
Jarrod Johnson
4ba0087c93 Close typo in edited attributes 2022-10-14 08:10:39 -04:00
Jarrod Johnson
c3afd45475 Normalize uid
python2 was crashing when getting unicode over the link.
2022-10-13 17:52:26 -04:00
Jarrod Johnson
730af73069 Correct open string in the attributes edit 2022-10-13 14:58:41 -04:00
Jarrod Johnson
84407e3d2b Correct syntax error in pxe handler 2022-10-13 14:49:09 -04:00
Jarrod Johnson
88b741e026 Add 'firmwarenone' ip method
Add a seting to allow user to suppress all DHCP offer during
PXE/HTTP activity.  This enables configurations
where users want to externally manage filename explicitly in their own dhcp configuration.
2022-10-13 12:11:46 -04:00
Jarrod Johnson
8de7402b56 Add ability to get booturl redirect
In some environments, there's a desire to manually manage DHCP configuration.
In such a case, provide a url
that can be given to the dhcp server
to allow confluent to control the profile
without updating such a DHCP service.

With this change, a node can be told to boot:
http://confluentserver/confluent-api/booturl/by-node/n123/boot.ipxe

To be redirected to the currently applicable os profile.
2022-10-13 10:54:11 -04:00
Jarrod Johnson
d5d0852890 Tighten redfish check timeout
The default timeout is overkill in the nodediscover scenario.
Notably, we can receive replies from unreachable IP addresses,
and those will extend rescan to the full timeout.  The devices should
comfortably reply within 3 seconds, making scans exit in
a timely fashion.
2022-10-07 09:22:37 -04:00
Jarrod Johnson
4fed609050 Avoid enumerating members of a bond
Various parts of confluent that go to try to use
all the interfaces will now skip bond members.

One example problem is that joining the SSDP multicast
group for SSDP would cause the kernel to IGMPv6 out
on bond members as well as the bond itself.  This change
ensures that the bond interface is only used and never
bypassed.
2022-10-07 08:52:02 -04:00
Jarrod Johnson
a77f211b8e Fix json restore of users and groups
Defaults were erroneously used
do to oversight and mistake in teh json restore code.
2022-10-06 09:23:43 -04:00
Jarrod Johnson
3c29a5aa7f Enable non-admin users for web gui 2022-10-06 08:49:00 -04:00
Jarrod Johnson
6eb4bf28e5 Another iteration to try to have IP adaptive syncfiles
It is likely that a client connects from fe80::, which
is explicitly omitted from ssh principals.

This time, have the client provide all currently set IP addresses
and the server will make a determination.

There remains the possibility it misconfigures a nic and tries to use that,
inducing failure.  One strategy would be to filter the addresses and
only provide from the 'current' interface.  Another is to just take
the hit as the node is likely going to suffer a lot from such a
misconfiguration anyway.
2022-10-05 12:23:47 -04:00
Jarrod Johnson
c612129d64 Have syncfiles attempt to use client ip, if feasible
When a node installs, it may not have it's node mapped address up,
or may not have one at all. Try to use the ip if it would be in the
same set that produced it's ssh certificate.

There remains a gap if a system has no static addressing *and* doesn't
map nodename to IP, but we have an impasse as the situation is too fuzzy
to grant a prinicpal in an SSH cert, and without that we can't securely
attempt rsync.  For now, this scenario would still fail and I will
just hope that doesn't come up.
2022-10-05 08:31:37 -04:00
Jarrod Johnson
75484db014 Fix macok incorrect value on finding the mac 2022-10-03 10:33:21 -04:00
Jarrod Johnson
763b157802 Fix syntax error 2022-09-30 12:36:12 -04:00
Jarrod Johnson
6e803e9fca Add insecure protocol check 2022-09-30 12:22:39 -04:00
Jarrod Johnson
9ecd3e3ac7 Add API check
Particularly SELinux is a frequently missed configuration
facet, alert when the selinux is blocking.
2022-09-30 12:17:31 -04:00
Jarrod Johnson
ee3aef0a4c Mark COPYRIGHT as legal in rpm 2022-09-30 11:02:55 -04:00
Jarrod Johnson
b7dfe20286 Add legal artifacts to confluent_server 2022-09-30 10:43:18 -04:00
Jarrod Johnson
c647dec069 Add message on successful node attribute run 2022-09-29 15:45:07 -04:00
Jarrod Johnson
903de26dd8 Add node attribute checks to selfcheck 2022-09-29 15:27:12 -04:00
Jarrod Johnson
cf000d6872 Add node name resolution check
A common scenario for closed networks
is a misconfigured DNS situation.

Detect and report, as this can wreak havoc on a confluent instance.
2022-09-29 09:57:43 -04:00
Jarrod Johnson
5a62307d1e Restore config by name
The change to allow CIDR syntax
broke for configurations that use name for
bmc 'address'.

Fix by letting getaddrinfo have a chance to process the ip before
trying to pton it.
2022-09-27 17:05:13 -04:00
Jarrod Johnson
0c08d8f6d3 Provide helpful error on bad user/password in delta pdu 2022-09-21 16:19:13 -04:00
Jarrod Johnson
5a935d99fc Have SMM devices register cleanly
In remote discovery registration, the
SMM path was not fully implemented
2022-09-13 13:29:42 -04:00
Jarrod Johnson
7cbd105ae3 Workaround TSM issue with redfish configuration 2022-09-09 12:04:38 -04:00
Jarrod Johnson
2bc2736da4 Fix neighutil invocation of ipn_is_local 2022-09-08 16:07:04 -04:00
Jarrod Johnson
4a8af0ad85 Fix assumptions about ip going into netutil 2022-09-08 14:35:16 -04:00
Jarrod Johnson
7b98b7dc00 Fix wrong uid after duplicate identity check 2022-09-08 09:51:21 -04:00
Jarrod Johnson
cde18bcd3a Cap the number of deferred packets
Prevent deferred packets from growing endlessly
if activity is keeping the loop running.
2022-09-07 08:04:47 -04:00
Jarrod Johnson
60cfa1d3c5 Skip peer probe on remote
When remote ip is detected,
communicate by returning False
instead of None.

Use this indication to let ssdp
skip a transmit and growing
pending list in such a case.
2022-09-06 16:40:34 -04:00
Jarrod Johnson
596fcb0f4c Implement mitigations for ovewhelming SSDP
First, for a given contiguous set of snoop activity, start ignoring a given peer during that contiguous chenk after it has been considered once.

Further, make get_hwaddr cheaper for attempts against
remote IPs.

To facilitate the above, create an efficient 'ip_is_local' to be
a relatively cheap function, with
potential to cache result in future
if it needs to be even cheaper.
2022-09-06 16:08:31 -04:00
Jarrod Johnson
7980534bad Fix confluentdbgcli.py for python3 2022-09-02 15:11:30 -04:00
Jarrod Johnson
6c1f87aeb7 Add mechanism for copernicus to request any confluent
This can be used for network debug in a generic way, to identify vlan adjacency without regard to nodedoploy state or uuid matching.
2022-09-02 13:32:05 -04:00
Jarrod Johnson
1c811dbf3e Fix python path automatically in confluent_selfcheck 2022-09-02 10:11:12 -04:00
Jarrod Johnson
503746131c Add selfcheck to packaging 2022-09-02 09:53:06 -04:00
Jarrod Johnson
a0037a305c Add confluent_selfcheck to server package 2022-09-02 09:44:13 -04:00
Jarrod Johnson
d1d15f29c1 Add facility to fix confluent uuid problem 2022-09-01 13:26:25 -04:00
Jarrod Johnson
67f0c8a81b Add IPv6 and insecure boot checking 2022-09-01 13:17:17 -04:00