Jarrod Johnson
f168c4be2b
Allow free ordering of noderange/arguments in nodeping
...
With nodeping, no concern about passing arguments to arbitrary subcommand, so
allow arguments to be anywhere.
2022-03-11 10:55:00 -05:00
Jarrod Johnson
2194ca9018
Create a nodeping script for quick ping wrapping
2022-03-11 10:23:11 -05:00
Jarrod Johnson
ceada3b7d9
Provide API for using one-time shared secret to register api key
...
This permits long haul node api key registration over a single port. It cannot validate that
the requester is privileged, but the auto-invalidation
offsets the risk of subsequent users having read access to the remote mount.
2022-03-10 16:06:02 -05:00
Jarrod Johnson
ad40c46509
Remove now-redundant genpasshmac.c file
2022-03-10 09:32:44 -05:00
Jarrod Johnson
301ed7a798
Fix mistake in b64e invocation
2022-03-10 09:15:26 -05:00
Jarrod Johnson
b42e2e4932
Change to b64 output for hmac
...
base64 utility is not always available, so natively
use base64 format for hmac output.
2022-03-10 09:00:54 -05:00
Jarrod Johnson
61d037ae31
Combine genpasshmac with clortho
...
This permits saving on addons size by using the same
binary for both networked api grant and hmac api
grant.
2022-03-09 13:36:47 -05:00
Jarrod Johnson
6a30afa31e
Have SSDP ignore multicast disabled interfaces
2022-03-09 11:01:01 -05:00
Jarrod Johnson
625434fcaf
Fix mistake in deploycfg parsing
...
More strictly match the field name.
2022-03-08 16:29:49 -05:00
Jarrod Johnson
a8c2f859e4
Add a genpasshmac utility
...
For far edge deployment, create utility
that can hmac a password for use in a REST
api call to skip need for tcp port 13001 access.
2022-03-08 16:27:37 -05:00
Jarrod Johnson
31dad09b0c
Update makefile to build in sh256 to clortho
2022-03-08 14:46:33 -05:00
Jarrod Johnson
0abe978bd9
Implement hmac of apikey
...
For routed deployment, we have to preshare some information.
Additionally, the API arm mechanism gets too open ended.
Add support for using a shared secret over another
channel to do HMAC of a key to authenticate peer,
which has an alternate api arming mechanism
that is hardened.
2022-03-08 14:46:00 -05:00
Jarrod Johnson
e67bab4f12
Place cap on api password length
...
No more than 48 characters should ever be in
an api token. Cap it to avoid outrageous crypt
behavior at large password length.
2022-03-08 09:15:13 -05:00
Jarrod Johnson
21c0372a5b
Support get_full_net_config without serverip
...
When trying to get a configuration
without a network context, it would fail.
Now, as intended, it generates network configuration without autosense in such a case.
2022-03-07 15:28:04 -05:00
Jarrod Johnson
98d8aaffe8
Merge branch '3.4'
2022-03-07 15:22:54 -05:00
Jarrod Johnson
ecd114ca5a
Add script for setting up ssh
...
A frequent scenario is to 'refresh' ssh configuration toward the
end of:
-changing trust nodes
-Adding a collective member
-Repairing a broken configuration
-As part of 'confluent-ifying' a node that wasn't confluent deployed
2022-03-03 12:34:37 -05:00
Jarrod Johnson
5fb766e62b
Move apiclient consistently to /opt/confluent/bin
...
It's more reasonable to have
it in a bin directory
2022-03-03 11:11:29 -05:00
Jarrod Johnson
76fdf59122
Change genesis functions location
...
Put it in a place consistent with more normal use.
2022-03-03 08:34:57 -05:00
Jarrod Johnson
003196bc9e
Allow -o with data file
...
This makes things like ssh key signing easier.
2022-03-03 08:25:04 -05:00
Jarrod Johnson
15e7e4464e
Keep known_hosts cleaner
...
When repeating osdeploy initialize
of local known_hosts, more
gracefeully avoid duplicate entries.
2022-03-02 16:04:01 -05:00
Jarrod Johnson
687136131e
Place Confluent CA certs into TLS anchors
...
When processes may update the certificate authorities, the confluent
CA trust would be lost. Place it appropriately so that
update-ca-trust will keep it in the appropriate place.
2022-03-02 08:41:47 -05:00
Jarrod Johnson
5f610b64b7
Place Confluent CA certs into TLS anchors
...
When processes may update the certificate authorities, the confluent
CA trust would be lost. Place it appropriately so that
update-ca-trust will keep it in the appropriate place.
2022-03-02 08:40:27 -05:00
Jarrod Johnson
6f194f26c0
Fix contents and permissions
...
NetworkManager demands specific
permissions
2022-02-25 16:18:54 -05:00
Jarrod Johnson
71c60be659
Fix el8 dns configuration
...
The modification to add dns search must only be suggested
if the respective ip version section is enabled.
2022-02-25 15:22:45 -05:00
Jarrod Johnson
58a9aa03ef
Add DNS domain to el8 network manager
2022-02-25 09:48:56 -05:00
Jarrod Johnson
19a370b0f5
Add explicit client version dependency
2022-02-25 07:31:12 -05:00
Jarrod Johnson
47a517aec1
Decrease retries to do https retries with bad TLS cert
2022-02-24 16:37:48 -05:00
Jarrod Johnson
1f7bd1a28a
Fix autoconsole output on diskless
2022-02-24 16:27:32 -05:00
Jarrod Johnson
89cc49c4fc
Add loginname to nodeshell man page
2022-02-24 16:08:50 -05:00
Jarrod Johnson
50da83b4f5
Fix api token message not being pushed
2022-02-24 15:56:29 -05:00
Jarrod Johnson
15f4cc085d
Aggressively flush out error output
2022-02-24 15:46:38 -05:00
Jarrod Johnson
d7df1e7891
Prevent users from dupe group memberships
2022-02-24 15:06:41 -05:00
Jarrod Johnson
1a5f5aea3a
Try an alternative approach to autoconsole errors
2022-02-24 12:18:41 -05:00
Jarrod Johnson
7068287ba3
Fix autocons spurious output
2022-02-24 10:25:59 -05:00
Jarrod Johnson
fb1f6b70bb
Improve error handling on bad TLS cert
...
Bad TLS cert is a common problem, provide better feedback.
2022-02-24 09:27:40 -05:00
Jarrod Johnson
2c9be7a4c4
Remove slp snoop of XCC
...
SSDP snoop catches XCC, and do only
SSDP for consistent format of
snoop info coming into the
xcc handler.
2022-02-24 08:08:50 -05:00
Jarrod Johnson
24ef12e029
Disable autoconf of ipv6 in el
...
If autoconf is allowed when link is brought up, it scan
confuse redhat network configuration when it already finds
an ipv6 address.
2022-02-23 16:58:29 -05:00
Jarrod Johnson
e390618dd9
Fix handling without olduuid in database
2022-02-23 10:13:06 -05:00
Jarrod Johnson
8f4846c248
Fix for partial returns
...
full_net_config may not always apply,
be sure to gracefully degrade.
2022-02-22 17:08:23 -05:00
Jarrod Johnson
ac8918c2b9
Add ips to ssh principals
...
For any static address, also grant
certificate for that.
2022-02-22 16:48:58 -05:00
Jarrod Johnson
fdc9d94408
Also register to run before coreos-ignition-setup-user
...
For coreos, make sure we preempt either name.
2022-02-22 14:30:48 -05:00
Jarrod Johnson
3cf9edeeb8
Stub out buffering for shell sessions
...
This is not yet handled anyway.
For future, establish norm of a nodeid
to prefix multiple distinct sessions.
2022-02-22 08:49:31 -05:00
Jarrod Johnson
8fab8238ed
Disambiguate console from shell buffer
...
There is room for the console replay to get confused,
fix by fully qualifying the console name.
2022-02-18 17:31:13 -05:00
Jarrod Johnson
80293efe57
Address coverity false-positives
...
Technically, the fread won't reach the
length index, but change the order
anyway to reassure coverity.
2022-02-17 17:09:21 -05:00
Jarrod Johnson
b463a53146
Cleanup per coverity
...
Fix a number of concerns that coverity reports
2022-02-17 17:05:00 -05:00
Jarrod Johnson
58b55b6ef6
Error on trying to double-add nodes or groups
...
Prevent user from repeatedly adding the
same group to a node or same node to a group.
2022-02-16 11:58:22 -05:00
Jarrod Johnson
33be75a9a2
Markup bandit exceptions
...
Apply bandit exceptions and explain
the rationale in each case
2022-02-16 09:10:33 -05:00
Jarrod Johnson
f10a27fd7a
Switch to mkstemp
...
Use mkstemp to more confidently reserve a filename as expected.
2022-02-15 17:13:04 -05:00
Jarrod Johnson
3f53cb939a
Add mkdir -p to build script for genesis
2022-02-15 10:32:39 -05:00
Jarrod Johnson
961398e34e
Bump version to cover 8.6 update
2022-02-15 10:29:18 -05:00