diff --git a/confluent_server/bin/confluent_selfcheck b/confluent_server/bin/confluent_selfcheck
index fe45f637..74b50c91 100755
--- a/confluent_server/bin/confluent_selfcheck
+++ b/confluent_server/bin/confluent_selfcheck
@@ -213,19 +213,34 @@ if __name__ == '__main__':
 else:
 emprint('No trusted ssh keys for root user, passwordless SSH from managers to nodes may not work (Example resolution: osdeploy initialize -u)')
 if sshutil.sshver() > 7.6:
- fprint('Checking SSH Certificate authority: ')
- try:
- sshutil.prep_ssh_key('/etc/confluent/ssh/ca')
- print('OK')
- except Exception:
- emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')
- fprint('Checking confluent SSH automation key: ')
- try:
- sshutil.prep_ssh_key('/etc/confluent/ssh/automation')
- print('OK')
- except Exception:
- emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')
- os.kill(int(sshutil.agent_pid), signal.SIGTERM)
+ child = os.fork()
+ if child > 0:
+ pid, extcode = os.waitpid(child, 0)
+ else:
+ sshutil.ready_keys = {}
+ sshutil.agent_pid = None
+ cuser = pwd.getpwnam('confluent')
+ os.setgid(cuser.pw_gid)
+ os.setuid(cuser.pw_uid)
+ fprint('Checking SSH Certificate authority: ')
+ try:
+ sshutil.prep_ssh_key('/etc/confluent/ssh/ca')
+ print('OK')
+ except Exception as e:
+ if type(e).__name__ == 'CalledProcessError' and 'UNPROTECTED' in e.stderr.decode():
+ emprint('Permissions incorrect on /etc/confluent/ssh/ca (Example resolution: chmod 600 /etc/confluent/ssh/ca)')
+ else:
+ emprint('Failed to load SSH authority key, deployed servers will not have host certificates for known_hosts and users may be unable to ssh between nodes without a password (Example resolution: osdeploy initialize -s)')
+ fprint('Checking confluent SSH automation key: ')
+ try:
+ sshutil.prep_ssh_key('/etc/confluent/ssh/automation')
+ print('OK')
+ except Exception as e:
+ if type(e).__name__ == 'CalledProcessError' and 'UNPROTECTED' in e.stderr.decode():
+ emprint('Permissions incorrect on /etc/confluent/ssh/automation (Example resolution: chmod 600 /etc/confluent/ssh/automation)')
+ else:
+ emprint('Failed to load confluent automation key, syncfiles and profile ansible plays will not work (Example resolution: osdeploy initialize -a)')
+ sys.exit(0)
 fprint('Checking for blocked insecure boot: ')
 if insecure_boot_attempts():
 emprint('Some nodes are attempting network boot using PXE or HTTP boot, but the node is not configured to allow this (Example resolution: nodegroupattrib everything deployment.useinsecureprotocols=firmware)')
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index 40512648..eb3509d6 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -136,7 +136,7 @@ def prep_ssh_key(keyname):
 os.environ['SSH_ASKPASS'] = askpass
 try:
 with open(os.devnull, 'wb') as devnull:
- subprocess.check_output(['ssh-add', keyname], stdin=devnull, stderr=devnull)
+ subprocess.check_output(['ssh-add', keyname], stdin=devnull, stderr=subprocess.PIPE)
 finally:
 del os.environ['CONFLUENT_SSH_PASSPHRASE']
 del os.environ['DISPLAY']
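Review bot: The privilege drop in the forked child (`os.setgid(cuser.pw_gid)` then `os.setuid(cuser.pw_uid)`) keeps root's supplementary groups, so the check runs with more group access than the real confluent service has and can print OK for a key file the service cannot actually read; add `os.initgroups('confluent', cuser.pw_gid)` before the `os.setuid(...)` call. The child also finishes with `sys.exit(0)`, which runs atexit handlers and flushes stdio buffers inherited from the parent, so when output is not a tty the text the parent buffered before `os.fork()` can appear twice; `os._exit(0)` is the usual ending for a forked child. `extcode` from `os.waitpid` is never examined, so a child that dies before its checks (for instance `pwd.getpwnam` raising KeyError when the account is absent) leaves no line in the report; at least emit something when `extcode != 0`. The enclosing `if __name__ == '__main__':` block begins before the hunk.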
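Review bot: Switching to `stderr=subprocess.PIPE` changes the exception contract of `prep_ssh_key` without saying so: a `CalledProcessError` now carries ssh-add's diagnostics as bytes in `e.stderr`, and the selfcheck in this same commit already matches on that text. The function's docstring, above the hunk, should record it, e.g. `Raises subprocess.CalledProcessError, with ``stderr`` holding ssh-add's output, if the key cannot be added.` On the success path the captured stderr is discarded, so ssh-add warnings stay silent as before, which appears to be the intent. Callers that match on the message wording depend on ssh-add's English output; setting `LC_ALL=C` in the subprocess environment would make that match stable, unless the environment set up before this hunk already does so.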