mirror of https://github.com/xcat2/confluent.git synced 2026-04-26 02:31:28 +00:00

89 Commits

Author SHA1 Message Date
Jarrod Johnson
2fcfbe9774 Fix multi-session access to shell
Shell sessions are now wired up to vtbufferd

The shellserver now correctly accounts for sessions being started.

The sockapi now correctly allows the client to specify/attach
to a specific session id.
2025-02-05 16:57:26 -05:00
Jarrod Johnson
80296b6cbc Point to the C context object rather than python class
The OpenSSL variant of Context is a python class, but it does have
a C context in it.
2024-07-25 14:05:10 -04:00
Jarrod Johnson
2235faa76d Stop using private interface of PyCA
PyCA changes their minds about which bindings to include.

So make the binding ourselves since PyCA removed it in certain versions.

This is a backport of the implementation from the async port effort.
2024-07-24 08:33:20 -04:00
Jarrod Johnson
aa5de3c6a3 Suspend handling of new socket connections while configmanager down 2023-09-15 15:48:37 -04:00
Jarrod Johnson
bf10e58f00 Bump version
With recent collective changes, bump the version to block connection with
older collective members until upgraded.
2023-08-02 13:43:41 -04:00
Jarrod Johnson
90a8d80b45 Rework trusted networks to attribute
This allows more flexibility and less oddity with how remote subnets are treated.
2022-11-21 09:57:27 -05:00
Jarrod Johnson
4864d6abb0 Add mechanism to extend authentication to remote networks
This allows user to designate certain networks to be treated as
if they were local.

This enables the initial token grant to be allowed to a remote network.

This still requires that the api be armed (which should generally be a
narrow window of opportunity) and that the request be privileged, it
just allows remote networks to be elevated to be as trusted as local.
2022-10-25 11:26:44 -04:00
Jarrod Johnson
86891eb2e5 Rework resolv watcher
Handle symlinks better and do not trigger overly
eagerly
2022-05-05 09:26:55 -04:00
Jarrod Johnson
dcca844e9b Refresh eventlet resolver on resolv.conf change
Eventlet holds on to stale resolv.conf. As a workaround,
monitor resolv.conf and explicitly reinitialize greendns
resolver.
2021-12-06 12:22:42 -05:00
Jarrod Johnson
797465b3eb Handle some intra-collective errors better 2021-08-24 15:50:03 -04:00
Jarrod Johnson
06cfd408fc Fix handling of abrupt client close 2021-08-24 07:57:14 -04:00
Jarrod Johnson
b07ca72a8b Close stray filehandles
Proxied terminals and dispatched
requests would leak filehandles.
2021-08-17 17:18:10 -04:00
Jarrod Johnson
f32a9a2f08 Rework inline command handling
Previously, if hotkey entry had text data come in, it would corrupt
the state of the client.

Minimize the corruption and request the server to pause.
2021-04-23 14:22:24 -04:00
Jarrod Johnson
f34e184d31 Restore libc access to sockapi
Cleanup went too far in python2 port.
2021-02-26 16:25:51 -05:00
Jarrod Johnson
83d92ecfcc Make file descriptor passing python2 friendly
python 2 did not have recvmsg/sendmsg,
so have to use ctypes to access
them through the c library.
2021-02-26 16:17:43 -05:00
Jarrod Johnson
0b5c4f6f0f Progress client managed filedescriptor 2021-02-18 14:58:45 -05:00
Jarrod Johnson
c525a08c17 Correct a number of mistakes in the draft commit 2021-02-17 14:34:45 -05:00
Jarrod Johnson
edaaafa059 Begin work on passing filehandles for local cli
This would enable files to be uploaded/downloaded
using the client filehandles, overcoming awkward
difference in file privilege between client and
server.
2021-02-17 13:54:18 -05:00
Jarrod Johnson
4348d9160b Provide ability for config file to specify cipher list
The default set of TLS 1.3 and TLS 1.2 restricted ciphers are
generally considered strong today, but for future or special
circumstances, provide ability to override the defaults.
2020-08-26 09:43:55 -04:00
Jarrod Johnson
e52556affb Fix certificate watch hang
If no certificate present, then once a day confluent could hang. Fix by
doing a non-blocking read on the watcher.
2020-08-24 14:00:47 -04:00
Jarrod Johnson
88436ff129 Merge branch 'master' into osdeploy 2020-05-22 13:56:59 -04:00
Jarrod Johnson
213d440052 Fix certificate watch
In python3, it was not working.
If another file got added, it could go
with a busy loop.
2020-05-22 13:55:24 -04:00
Jarrod Johnson
f798239f90 Switch to using the standard confluent port for credserver
Also add a check and only accept API arming
requests from local ips
2020-02-27 16:36:16 -05:00
Jarrod Johnson
f6d4fef5e6 Improve error message for collective
When trying to not run as root, give a
better error message explaining the
situation more clearly.
2020-02-18 16:16:40 -05:00
Jarrod Johnson
4c8ba92856 Change configuration sync to use msgpack
This removes use of pickle for config sync over network.
2020-01-27 15:53:29 -05:00
Jarrod Johnson
453c344f7f Fix audit log for non root usage with python 3 2019-10-10 16:07:45 -04:00
Jarrod Johnson
8fc3b7c9c0 Implement cross-python collective compat
This enables cross-version compatibility
for a collective.
2019-10-07 15:41:38 -04:00
Jarrod Johnson
90e546bcac Implement a number of py3 compatible adjustments 2019-10-02 08:58:39 -04:00
Jarrod Johnson
fbc4fc6846 Make unexpected error more specific
Often a usable summary message is obfuscated.  Assume the subject line
is safe to relay, but continue to do a more verbose trace.
2019-07-08 14:28:56 -04:00
Jarrod Johnson
4d5bfb13bf Add support for Operator role
Support a reduced privilege user that can still perform
most operations, but cannot modify, delete, or add
users/groups to confluent or to BMCs.
2019-05-01 16:57:15 -04:00
Jarrod Johnson
d78adc334d Fix overly verbose log on client close
When a client would close (e.g. an unauthenticated nodelist),
a large trace would be logged.  Fix by returning silently in such a case.
2019-04-30 15:03:55 -04:00
Jarrod Johnson
c28a963d62 Update the pyopenssl message
It makes it more clear that a restart would be
required to pull in updated dependency.
2019-04-02 09:39:06 -04:00
Jarrod Johnson
1902a333ae Rework audit on unix socket
Capture root in audit and be consistent about audit skipping between
socket and http.
2019-01-28 15:03:45 -05:00
Jarrod Johnson
2d63e68494 Enable support for TCP_FASTOPEN
It might matter in some context.
2019-01-10 15:17:34 -05:00
Jarrod Johnson
b511a02f20 Have correct size on connect for shell session
In addition to resize, also support initial size being set
2018-11-26 16:21:31 -05:00
Jarrod Johnson
c60cb3a027 Implement resize from CLI client
The CLI resize is wired up for ssh usage.  At the time of this commit,
initial size is not handled.
2018-11-26 15:31:36 -05:00
Jarrod Johnson
c96b5f0270 Fix spurious trace on immediate exit confetty
When confetty exits without doing anything, it causes
sockapi to reference an empty request.  Check for that before
checking if it is a collective request.
2018-10-25 14:12:15 -04:00
Jarrod Johnson
6a466b0100 Avoid proxy consoles generating proxy consoles
When the client is a proxy term, disable ability to produce
proxy terminals.  This was wreaking havoc with client
count with ghosts and triggering output multiplication.
2018-10-09 13:21:02 -04:00
Jarrod Johnson
df7cba00fd Amend the message on collective failure 2018-08-17 16:45:45 -04:00
Jarrod Johnson
dfb720d0ee Have collective command warn if the libssl library is not viable
Main example is RedHat providing pyOpenSSL of relatively ancient
vintage.
2018-08-17 13:57:13 -04:00
Jarrod Johnson
79cdf65a72 Fix SLES sockapi
Previous fix was applied to the incorrect section of code
2018-07-18 15:07:22 -04:00
Jarrod Johnson
3ab4203104 Explicitly set ECDHE curve
Some vintages of the SSL stack require we explicitly request a curve,
so here it is.
2018-07-16 16:23:33 -04:00
Jarrod Johnson
08cf698609 Only conditionally require ffi
Only collective mode requires ffi, do not incur requirement for
non-collective mode.
2018-07-09 09:41:10 -04:00
Jarrod Johnson
c6a0aeca3b Fix dispatch of commands with InputData
Inputdata needed to be serialized for the network.  Further, had
to have a JSON-safe payload for indicating name for certificate look
up, to avoid doing pickle load on client input prior to client
validation.
2018-06-22 14:41:41 -04:00
Jarrod Johnson
1543e145b7 Draft for proxyconsole object for remote use of consoles
This would be the stub stand in for the console object to
connect to remote console object rather than local.
2018-06-20 16:36:59 -04:00
Jarrod Johnson
78117a1b1a Draft proxyconsole support for sockapi
Foundation for consoleserver to be able to do backend to backend
connections
2018-06-19 16:50:49 -04:00
Jarrod Johnson
810be71720 Initial support for non-console dispatch
For non-exceptional cases, it is now functional.
2018-06-15 15:54:26 -04:00
Jarrod Johnson
8165b645d9 Fix invite process and unicode
Unicode strings do not fit with our world view, make them bytes.
2018-05-16 11:27:46 -04:00
Jarrod Johnson
033d59b04a After some feedback, rename it 'collective' 2018-05-16 11:27:46 -04:00
Jarrod Johnson
1b912c4365 Further advance the swarm concept
This marks the start of attempting to connect the invitation
to sockets and using the invitation to measure the certificates as
well as proving client knowledge of an invitation token.
2018-05-16 11:27:46 -04:00