cd20a23626
Merge branch 'master' into osdeploy
2020-02-27 07:20:20 -05:00
3c26beda1d
Fix loss of web connectivity during XCC discovery
...
The password policy was incorrectly logging out in the
middle of the flow when a forced password change occurred.
Fix by externally managing the web session.
2020-02-26 10:00:10 -05:00
54be209f4e
Merge branch 'nodesearch' into osdeploy
2020-02-24 16:26:07 -05:00
114324f513
Add CA to self signed cert constraints
...
Some applications require this be set for it to work
as an enrolled certificate. Notably UEFI
requires this.
2020-02-24 15:34:55 -05:00
d2de4ffa14
Fix single file OS image osimport
2020-02-21 14:25:18 -05:00
d4483bb59f
Polish up the osimport concept more
2020-02-21 14:18:15 -05:00
90bec92d1f
Fix python3 for os import
...
Need to be explicit about binary data with python 3.
2020-02-21 09:34:49 -05:00
4b3541e21d
Suppress libarchive logging
...
libarchive ffi goes crazy logging at *import* time. Pre-empt
use of the logging with a null handler prior to import.
2020-02-21 08:46:42 -05:00
737e7a440f
Add a prototype for imageimporter
...
This is a sample of fingerprinting, covering rhel/centos 7/8
and suse enterprise 12/15 and cumulus.
Mainly to run the gamut of detection schemes.
The schemes are for iso images, try to be very careful and adaptive.
Otherwise, go for a quick sum to see if we have a shot and a long checksum to confirm.
2020-02-20 23:24:42 -05:00
24874bb4be
Merge branch 'master' into nodesearch
2020-02-20 20:37:23 -05:00
e2d0e49fc7
Add HTTP boot architecture to pxe
...
This paves the way for future response to HTTP boot
2020-02-20 20:36:36 -05:00
da5a34c2e4
Fix wheezy builds
2020-02-20 08:05:21 -05:00
3629cb8ee7
Fix spelling of cumulus
2020-02-19 16:53:35 -05:00
8233e0a5bd
Merge branch 'master' of github.com:jjohnson42/confluent
2020-02-19 16:26:48 -05:00
eae7b3bd80
Add discovery snoop for Cumulus ZTP
...
When a cumulus switch does ZTP, detect
in the discovery facility.
2020-02-19 16:26:33 -05:00
868367e052
Add sensing of ONIE switches
...
Have nodediscover show detected
ONIE install devices.
2020-02-19 15:20:45 -05:00
6289cfaac4
Fix nodeboot when used with -m
...
nodeboot was erroneously using sys.argv rather
than the processed args from optionparser.
2020-02-19 14:36:10 -05:00
f6d4fef5e6
Improve error message for collective
...
When trying to not run as root, give a
better error message explaining the
situation more clearly.
2020-02-18 16:16:40 -05:00
b1b7ec4d50
Add affluent plugin
...
Implementing Cumulus NOS
support through an agent called
'affluent'.
2020-02-18 14:23:57 -05:00
c0cd6de4f7
Remove PrivateDevices from unit file
...
PrivateDevices breaks pam_unix, for some reason. Remove this
protection. We still have DevicePolicy closed and running as non-root,
so this should still be relatively safe.i
2020-02-13 11:42:21 -05:00
4437e81e04
Leverage unix_chkpwd
...
If doing PAM authentication, we
can setuid to the target user and then
pam_unix will use unix_chkpwd on
our behalf.
Problems with this working in the lab
was resolved by a yum reinstall pam,
so it was presumably due to messed up
setcap or similar experiments.
2020-02-13 10:37:15 -05:00
6a12af1242
Remove non-root for older distributions
...
Older systemd does not support capabilities. For such a platform,
disable non-root mode.
2020-02-12 13:20:08 -05:00
9879a83a10
Fix mistake in the redfish access protection
...
It contained a syntax error.
2020-02-11 14:22:19 -05:00
cce6b824de
Merge branch 'master' of github.com:jjohnson42/confluent
2020-02-11 14:09:51 -05:00
ce1cb952e8
Fix PAM authentication
...
It's tricky. On Redhat platforms, we need the CAP_DAC_READ_SEARCH
capability. Unfortunately this is one of the nicest capabilities to have.
For now add it to ambient set so that PAM can work on redhat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it to somewhere.
If we could drop the capability from effective set and add it back in when
needed, that would be nice, but that appears not to be possible.
Short of that, having a separate authentication process
running and dropping privilege would potentially work.
2020-02-11 14:09:22 -05:00
c6812274e4
Fix media list through collective
...
The Media class was not
serializable by msgpack. Fix this
and improve error messages in
future instances of this behavior.
2020-02-11 09:04:49 -05:00
7cd7068dd7
Remove stray developer output
...
Remove a developer repr from log
output.
2020-02-07 16:01:29 -05:00
48f0330568
Add affluent support to /networking
...
The /networking backend will now
check for affluent on the switches and
use it if possible for improved performance.
2020-02-07 15:57:33 -05:00
66e1d17d28
Have systemd manage confluent run dir
...
The run directory has to be created and owned by confluent,
or else things cannot start.
2020-02-06 13:45:46 -05:00
7480494432
Tighten up new PAM check
...
For one, remove the password cache cleaning, as it no longer is run.
For another, skip the fork if uid is already 0.
Finally, wrap the check in a try/finally to keep the privileged process
more certain in exiting.
2020-02-06 10:05:57 -05:00
49c00bfbb7
Become root to check a password
...
Running as non-root had broken PAM support. Allow setuid so we
can assume root in one specific case.
2020-02-05 16:06:13 -05:00
201985dd0e
Fix missing argument to rpc_set_user
...
Requests were unable to traverse
a collective.
2020-02-05 14:55:51 -05:00
1aee19997a
Carry errors across msgpack
...
Messages that were formerly carried
as pickled exceptions are now sent
as generic strings over msgpack.
2020-02-04 10:16:48 -05:00
3bc366bef4
Fix mistake in the cert util
2020-02-03 15:37:20 -05:00
4c83a1a04e
Fix typos
...
Previous commit had errors in
quotations.
2020-02-03 11:13:13 -05:00
cfae28a869
Add error mesasges to help with non-root confluent
...
non-root confluent daemon will have a larger struggle
with permissions, try to help the user navigate that.
2020-02-03 10:13:26 -05:00
44e6a72847
Switch to using the defined service
...
For now, this makes no difference, but it is poor form,
probably. Correct by referencing the variable
name.
2020-02-03 09:57:02 -05:00
006fdc8280
Merge branch 'master' of github.com:jjohnson42/confluent
2020-02-02 18:19:06 -05:00
895b5264f6
Fix incorrect pam service
...
pam was defaulting to use of 'login', but we want 'confluent' for the service.
2020-02-02 18:18:39 -05:00
0b577af1ca
Fix ownership of confluent cache
...
It needs to be owned by the confluent user.
2020-01-31 11:48:34 -05:00
ff0b1bba7f
Fix rpm spec file
...
There was an ommision and a mistake.
2020-01-31 10:37:49 -05:00
0badd9e5b4
Migrate confluent installs to non-root
...
This will check for and repair uid 0 owned confluent directories.
2020-01-31 10:16:33 -05:00
c02064f0a5
Add missing msgpack dependencies
2020-01-31 10:02:38 -05:00
c1b82d8163
Protect confluent private data
...
This blocks use of private confluent data in commands like
nodelicense, nodefirmware, and nodemedia.
2020-01-31 10:00:35 -05:00
0d5fa7a98a
Change confluent to run as non-root and harden systemd
...
This mitigates a great deal of risk compared to prior behavior.
2020-01-31 09:52:52 -05:00
968efe719a
Add CAP_NET_BIND_SERVICE to unit file
...
This is preparing for running as non-root.
We need this capability to snoop SLP and PXE
2020-01-31 09:34:13 -05:00
7a63ca8759
Fix python3 problem with confetty
...
Under python3, there is no unicode.
2020-01-31 08:53:42 -05:00
a24866c2df
Fix exitcode for confetty noderange commands
...
The exitcode was not being set for noderange commands
where each node may independently raise errors.
Correct the oversight by catching each subelements errors.
2020-01-31 08:22:20 -05:00
c666b11138
Add ability to foreground exec confluent
...
This allows easier debug and option for unit file
in systemd to run foreground if it makes sense.
2020-01-31 08:10:01 -05:00
22f6198f60
Fix nodebmcreset on bad noderange
...
This prevents confusing python stack when
a bad noderange is specified.
2020-01-30 14:35:58 -05:00
Jarrod Johnson