2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-23 01:53:28 +00:00
Commit Graph

4186 Commits

Author SHA1 Message Date
Jarrod Johnson
f168c4be2b Allow free ordering of noderange/arguments in nodeping
With nodeping, no concern about passing arguments to arbitrary subcommand, so
allow arguments to be anywhere.
2022-03-11 10:55:00 -05:00
Jarrod Johnson
2194ca9018 Create a nodeping script for quick ping wrapping 2022-03-11 10:23:11 -05:00
Jarrod Johnson
ceada3b7d9 Provide API for using one-time shared secret to register api key
This permits long haul node api key registration over a single port. It cannot validate that
the requester is privileged, but the auto-invalidation
offsets the risk of subsequent users having read access to the remote mount.
2022-03-10 16:06:02 -05:00
Jarrod Johnson
ad40c46509 Remove now-redundant genpasshmac.c file 2022-03-10 09:32:44 -05:00
Jarrod Johnson
301ed7a798 Fix mistake in b64e invocation 2022-03-10 09:15:26 -05:00
Jarrod Johnson
b42e2e4932 Change to b64 output for hmac
base64 utility is not always available, so natively
use base64 format for hmac output.
2022-03-10 09:00:54 -05:00
Jarrod Johnson
61d037ae31 Combine genpasshmac with clortho
This permits saving on addons size by using the same
binary for both networked api grant and hmac api
grant.
2022-03-09 13:36:47 -05:00
Jarrod Johnson
6a30afa31e Have SSDP ignore multicast disabled interfaces 2022-03-09 11:01:01 -05:00
Jarrod Johnson
625434fcaf Fix mistake in deploycfg parsing
More strictly match the field name.
2022-03-08 16:29:49 -05:00
Jarrod Johnson
a8c2f859e4 Add a genpasshmac utility
For far edge deployment, create utility
that can hmac a password for use in a REST
api call to skip need for tcp port 13001 access.
2022-03-08 16:27:37 -05:00
Jarrod Johnson
31dad09b0c Update makefile to build in sh256 to clortho 2022-03-08 14:46:33 -05:00
Jarrod Johnson
0abe978bd9 Implement hmac of apikey
For routed deployment, we have to preshare some information.

Additionally, the API arm mechanism gets too open ended.

Add support for using a shared secret over another
channel to do HMAC of a key to authenticate peer,
which has an alternate api arming mechanism
that is hardened.
2022-03-08 14:46:00 -05:00
Jarrod Johnson
e67bab4f12 Place cap on api password length
No more than 48 characters should ever be in
an api token. Cap it to avoid outrageous crypt
behavior at large password length.
2022-03-08 09:15:13 -05:00
Jarrod Johnson
21c0372a5b Support get_full_net_config without serverip
When trying to get a configuration
without a network context, it would fail.

Now, as intended, it generates network configuration without autosense in such a case.
2022-03-07 15:28:04 -05:00
Jarrod Johnson
98d8aaffe8 Merge branch '3.4' 2022-03-07 15:22:54 -05:00
Jarrod Johnson
ecd114ca5a Add script for setting up ssh
A frequent scenario is to 'refresh' ssh configuration toward the
end of:
-changing trust nodes
-Adding a collective member
-Repairing a broken configuration
-As part of 'confluent-ifying' a node that wasn't confluent deployed
2022-03-03 12:34:37 -05:00
Jarrod Johnson
5fb766e62b Move apiclient consistently to /opt/confluent/bin
It's more reasonable to have
it in a bin directory
2022-03-03 11:11:29 -05:00
Jarrod Johnson
76fdf59122 Change genesis functions location
Put it in a place consistent with more normal use.
2022-03-03 08:34:57 -05:00
Jarrod Johnson
003196bc9e Allow -o with data file
This makes things like ssh key signing easier.
2022-03-03 08:25:04 -05:00
Jarrod Johnson
15e7e4464e Keep known_hosts cleaner
When repeating osdeploy initialize
of local known_hosts, more
gracefeully avoid duplicate entries.
2022-03-02 16:04:01 -05:00
Jarrod Johnson
687136131e Place Confluent CA certs into TLS anchors
When processes may update the certificate authorities, the confluent
CA trust would be lost. Place it appropriately so that
update-ca-trust will keep it in the appropriate place.
2022-03-02 08:41:47 -05:00
Jarrod Johnson
5f610b64b7 Place Confluent CA certs into TLS anchors
When processes may update the certificate authorities, the confluent
CA trust would be lost. Place it appropriately so that
update-ca-trust will keep it in the appropriate place.
2022-03-02 08:40:27 -05:00
Jarrod Johnson
6f194f26c0 Fix contents and permissions
NetworkManager demands specific
permissions
2022-02-25 16:18:54 -05:00
Jarrod Johnson
71c60be659 Fix el8 dns configuration
The modification to add dns search must only be suggested
if the respective ip version section is enabled.
2022-02-25 15:22:45 -05:00
Jarrod Johnson
58a9aa03ef Add DNS domain to el8 network manager 2022-02-25 09:48:56 -05:00
Jarrod Johnson
19a370b0f5 Add explicit client version dependency 2022-02-25 07:31:12 -05:00
Jarrod Johnson
47a517aec1 Decrease retries to do https retries with bad TLS cert 2022-02-24 16:37:48 -05:00
Jarrod Johnson
1f7bd1a28a Fix autoconsole output on diskless 2022-02-24 16:27:32 -05:00
Jarrod Johnson
89cc49c4fc Add loginname to nodeshell man page 2022-02-24 16:08:50 -05:00
Jarrod Johnson
50da83b4f5 Fix api token message not being pushed 2022-02-24 15:56:29 -05:00
Jarrod Johnson
15f4cc085d Aggressively flush out error output 2022-02-24 15:46:38 -05:00
Jarrod Johnson
d7df1e7891 Prevent users from dupe group memberships 2022-02-24 15:06:41 -05:00
Jarrod Johnson
1a5f5aea3a Try an alternative approach to autoconsole errors 2022-02-24 12:18:41 -05:00
Jarrod Johnson
7068287ba3 Fix autocons spurious output 2022-02-24 10:25:59 -05:00
Jarrod Johnson
fb1f6b70bb Improve error handling on bad TLS cert
Bad TLS cert is a common problem, provide better feedback.
2022-02-24 09:27:40 -05:00
Jarrod Johnson
2c9be7a4c4 Remove slp snoop of XCC
SSDP snoop catches XCC, and do only
SSDP for consistent format of
snoop info coming into the
xcc handler.
2022-02-24 08:08:50 -05:00
Jarrod Johnson
24ef12e029 Disable autoconf of ipv6 in el
If autoconf is allowed when link is brought up, it scan
confuse redhat network configuration when it already finds
an ipv6 address.
2022-02-23 16:58:29 -05:00
Jarrod Johnson
e390618dd9 Fix handling without olduuid in database 2022-02-23 10:13:06 -05:00
Jarrod Johnson
8f4846c248 Fix for partial returns
full_net_config may not always apply,
be sure to gracefully degrade.
2022-02-22 17:08:23 -05:00
Jarrod Johnson
ac8918c2b9 Add ips to ssh principals
For any static address, also grant
certificate for that.
2022-02-22 16:48:58 -05:00
Jarrod Johnson
fdc9d94408 Also register to run before coreos-ignition-setup-user
For coreos, make sure we preempt either name.
2022-02-22 14:30:48 -05:00
Jarrod Johnson
3cf9edeeb8 Stub out buffering for shell sessions
This is not yet handled anyway.

For future, establish norm of a nodeid
to prefix multiple distinct sessions.
2022-02-22 08:49:31 -05:00
Jarrod Johnson
8fab8238ed Disambiguate console from shell buffer
There is room for the console replay to get confused,
fix by fully qualifying the console name.
2022-02-18 17:31:13 -05:00
Jarrod Johnson
80293efe57 Address coverity false-positives
Technically, the fread won't reach the
length index, but change the order
anyway to reassure coverity.
2022-02-17 17:09:21 -05:00
Jarrod Johnson
b463a53146 Cleanup per coverity
Fix a number of concerns that coverity reports
2022-02-17 17:05:00 -05:00
Jarrod Johnson
58b55b6ef6 Error on trying to double-add nodes or groups
Prevent user from repeatedly adding the
same group to a node or same node to a group.
2022-02-16 11:58:22 -05:00
Jarrod Johnson
33be75a9a2 Markup bandit exceptions
Apply bandit exceptions and explain
the rationale in each case
2022-02-16 09:10:33 -05:00
Jarrod Johnson
f10a27fd7a Switch to mkstemp
Use mkstemp to more confidently reserve a filename as expected.
2022-02-15 17:13:04 -05:00
Jarrod Johnson
3f53cb939a Add mkdir -p to build script for genesis 2022-02-15 10:32:39 -05:00
Jarrod Johnson
961398e34e Bump version to cover 8.6 update 2022-02-15 10:29:18 -05:00