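def remove_unused_from(dirname, fileutil, grace_seconds):
    '''Delete files directly under dirname that are neither open nor recently used.

    dirname       - directory to clean; an empty value is logged and ignored.
    fileutil      - full path of fileutil, which is tried first for each delete.
    grace_seconds - a file that is not open still counts as in use when it was
                    accessed this many seconds ago or less.

    Returns None.
    '''
    if not dirname:
        logging.error("Not given a directory to cleanup")
        return

    # Function-scope import so the block works on Python 2 and Python 3.
    try:
        from shlex import quote
    except ImportError:
        from pipes import quote

    # dirname and every globbed name are placed on a shell command line.
    # Quoting them keeps a space or shell metacharacter in a name from
    # changing the command that runs.
    open_files_cmd = "lsof +D %s -Fn" % quote(dirname)
    # lsof doesn't return 0 even on success, so the status is ignored.
    (status, output) = E.getstatusoutput(open_files_cmd)

    # lsof -Fn prints one field per line and repeats a name for every holder
    # of the file, so collect unique names.  Splitting on lines instead of on
    # whitespace keeps a name that contains a space in one piece; split on
    # whitespace, an open file with such a name would look unused.
    open_files = {}
    for line in output.splitlines():
        if line.startswith('n'):
            open_files[line[1:]] = 1

    # glob's '*' skips names that start with '.'.
    all_files = glob.glob("%s/*" % dirname)

    for path in all_files:
        if path in open_files:
            continue
        try:
            age = int(time.time()) - os.stat(path)[stat.ST_ATIME]
            if age <= grace_seconds:
                logging.info('Ignoring unused file %s of age %s seconds' %
                             (path, age))
                continue
            logging.info('Removing unused file %s' % path)
            (s, o) = E.getstatusoutput("%s rm -f %s" % (fileutil, quote(path)))
            # If fileutil could not delete it for any reason, remove the file
            # directly, together with its attribute file.
            if os.path.exists(path):
                os.remove(path)
                os.remove('%s/.attr.plain.%s' % (os.path.dirname(path),
                                                 os.path.basename(path)))
        except OSError:
            # The file may have disappeared since glob ran; skip it.
            continue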
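def remove_unused_from(dirname, fileutil, grace_seconds):
    '''Remove stale files in dirname that no process currently has open.

    dirname       - directory to clean up; when empty an error is logged and
                    nothing else happens.
    fileutil      - full path of fileutil; it gets the first attempt at each
                    deletion.
    grace_seconds - even if a file isn't currently opened it is treated as
                    in use when its last access is this many seconds old or
                    less.

    Returns None.
    '''
    if not dirname:
        logging.error("Not given a directory to cleanup")
        return

    # Imported here so the block runs unchanged on Python 2 and Python 3.
    try:
        from shlex import quote as shell_quote
    except ImportError:
        from pipes import quote as shell_quote

    # Both commands below are run through a shell; the directory and file
    # names are quoted so that their content is never parsed as shell syntax.
    (status, output) = E.getstatusoutput(
        "lsof +D %s -Fn" % shell_quote(dirname))
    # The status is deliberately unused: lsof doesn't return 0 even on success.

    # Each "n<name>" line of lsof -Fn names an open file; the same name is
    # reported once per holder.  Lines are used as the unit (not whitespace
    # separated words) so names containing spaces are recorded correctly.
    in_use = {}
    for record in output.splitlines():
        if record[:1] == 'n':
            in_use[record[1:]] = 1

    # Every entry of the directory whose name does not start with '.'.
    candidates = glob.glob("%s/*" % dirname)

    for candidate in candidates:
        if candidate in in_use:
            continue
        try:
            age = int(time.time()) - os.stat(candidate)[stat.ST_ATIME]
            if age > grace_seconds:
                logging.info('Removing unused file %s' % candidate)
                (s, o) = E.getstatusoutput(
                    "%s rm -f %s" % (fileutil, shell_quote(candidate)))
                # fileutil may fail; in that case delete the file and its
                # attribute file directly.
                if os.path.exists(candidate):
                    os.remove(candidate)
                    os.remove('%s/.attr.plain.%s' %
                              (os.path.dirname(candidate),
                               os.path.basename(candidate)))
            else:
                logging.info('Ignoring unused file %s of age %s seconds' %
                             (candidate, age))
        except OSError:
            # Most likely the file went away after glob listed it.
            continue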
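def getcertinfo(self, whichcert):
    """Return information about the installed or the staging certificate.

    whichcert must be "staging" or "installed".

    Returns "0", a newline and the wrapper's output on success; the original
    documentation lists that output as hostname, organizational unit,
    organization, locality, state, country, email, notValidBefore date and
    notValidAfter date.  Returns "1" on failure, which includes an
    unrecognised whichcert.
    """
    # whichcert ends up on a shell command line.  Accepting only the two
    # documented selectors keeps any other text away from the shell.
    if whichcert not in ("staging", "installed"):
        logging.error("Rejected certificate selector %r" % (whichcert,))
        return "1"

    retcode, result = E.getstatusoutput(
        "%s getcertinfo %s %s" % (self.sslWrapperPath, whichcert,
                                  self.cfg.getGlobalParam("ENTERPRISE_HOME")))
    if retcode == 0:
        return "0\n%s" % result
    logging.info("Couldn't get cert info for %s: %s" % (whichcert, result))
    return "1"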
def run(self):
    """Run the GWS production check for this worker's share of self.jobs.

    The worker starts at index self.n and advances by NUM_THREADS, so it
    handles every NUM_THREADS-th job.  For each job the check script is run
    once per (gws, port) pair; the highest epoch reported is stored in
    self.max_epochs[site] and a non-empty error value in self.errors[site].
    The job's testwords file is deleted when the job is done.
    """
    i = self.n
    while i < len(self.jobs):
        (cfg, gwssers, site, testwords, epochs, num) = self.jobs[i]
        i = i + NUM_THREADS
        # do the tests on all gwssers - do 2 tries, 15 seconds apart
        # (no retry is visible in this method; presumably the check script
        # does it - confirm)
        max_epoch_site = -1
        for (gws, port) in gwssers:
            # String arguments are shell-quoted with commands.mkarg; port and
            # num are formatted with %d.
            cmd = ". %s; cd %s/local/google3/enterprise/legacy/checks && "\
                  "./gws_production_check.py %s %d %s %s %s %d" % (
                cfg.getGlobalParam('ENTERPRISE_BASHRC'),
                cfg.entHome,
                commands.mkarg(gws),
                port,
                commands.mkarg(site),
                commands.mkarg(testwords),
                commands.mkarg(string.join(map(str, epochs), ",")),
                num)
            logging.info("Executing %s" % cmd)
            # err is not checked before the output is used.
            (err, msgs) = E.getstatusoutput(cmd)
            max_epoch = None; errors = None
            # NOTE(review): exec runs the script's output as Python source in
            # this process.  Output that is not a two-element tuple expression
            # raises here, and anything able to influence that output gets
            # code execution.  Parsing with ast.literal_eval would accept
            # literals only.  Rebinding locals through exec also relies on
            # Python 2 behaviour.
            exec("(max_epoch, errors) = %s" % msgs)
            if max_epoch > max_epoch_site:
                max_epoch_site = max_epoch
            if errors:
                self.errors[site] = errors
        self.max_epochs[site] = max_epoch_site
        os.remove(testwords)
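def getcertinfo(self, whichcert):
    """Report on the currently installed or the staging certificate.

    whichcert selects the certificate and must be "staging" or "installed".

    On success the return value is "0", a newline and the wrapper's output
    (documented in the original as hostname, organizational unit,
    organization, locality, state, country, email, notValidBefore date and
    notValidAfter date).  On failure, or when whichcert is not one of the two
    selectors, the return value is "1".
    """
    allowed_selectors = ("staging", "installed")
    if whichcert not in allowed_selectors:
        # The selector is interpolated into a shell command below, so
        # anything outside the documented set is refused up front.
        logging.error("Rejected certificate selector %r" % (whichcert,))
        return "1"

    command = "%s getcertinfo %s %s" % (
        self.sslWrapperPath, whichcert,
        self.cfg.getGlobalParam("ENTERPRISE_HOME"))
    retcode, result = E.getstatusoutput(command)
    if retcode != 0:
        logging.info("Couldn't get cert info for %s: %s" % (whichcert, result))
        return "1"
    return "0\n%s" % result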
def gencert(self, hostname, orgunit, organization, locality, state, country,
            emailaddr):
    """Generate a self-signed SSL certificate via the SSL wrapper script.

    The certificate fields are shell-quoted with commands.mkarg before they
    are placed on the command line.  The first character of orgunit is
    dropped: per the original comment it always starts with an X so that an
    empty unit can still be passed.  The wrapper runs while self.updatelock
    is held.

    Returns a false value (equal to 0) on success and a true value (equal
    to 1) on failure.
    """
    template = "secure_script_wrapper -p2 %s gencert %s %s %s %s %s %s %s %s"
    self.updatelock.acquire()
    try:
        wrapper_args = (
            self.sslWrapperPath,
            self.cfg.getGlobalParam("ENTERPRISE_HOME"),
            commands.mkarg(hostname),
            commands.mkarg(orgunit[1:]),  # drop the leading placeholder
            commands.mkarg(organization),
            commands.mkarg(locality),
            commands.mkarg(state),
            commands.mkarg(country),
            commands.mkarg(emailaddr),
        )
        retcode, result = E.getstatusoutput(template % wrapper_args)
    finally:
        self.updatelock.release()

    failed = retcode != 0
    if failed:
        logging.error("Couldn't generate certificate for host %s: %s" %
                      (hostname, result))
    return failed
def gencert(self, hostname, orgunit, organization, locality, state, country,
            emailaddr):
    """Create a self-signed SSL certificate with the SSL wrapper script.

    All seven certificate fields pass through commands.mkarg, so they reach
    the shell as quoted arguments.  orgunit is sent without its first
    character; the original comment explains that it always starts with an X
    because the unit itself may be empty.  self.updatelock is held for the
    duration of the wrapper call.

    Returns a value equal to 0 on success, or equal to 1 on failure.
    """
    self.updatelock.acquire()
    try:
        fields = (hostname, orgunit[1:], organization, locality, state,
                  country, emailaddr)
        quoted = tuple([commands.mkarg(field) for field in fields])
        prefix = (self.sslWrapperPath,
                  self.cfg.getGlobalParam("ENTERPRISE_HOME"))
        retcode, result = E.getstatusoutput(
            "secure_script_wrapper -p2 %s gencert %s %s %s %s %s %s %s %s"
            % (prefix + quoted))
    finally:
        self.updatelock.release()

    if retcode != 0:
        logging.error("Couldn't generate certificate for host %s: %s" %
                      (hostname, result))
        return True
    return False
def Reconnect(self):
    """Restart the federation client service, then stop the server service.

    Both init scripts are run through secure_script_wrapper -e and carry the
    configured VERSION in their name.

    Returns:
      '0', a newline and the server command's output when both commands
      succeed; '1' as soon as either command fails.
    """
    client_cmd = '/etc/rc.d/init.d/fed_network_client_%s restart' % (
        self.cfg.getGlobalParam('VERSION'))
    logging.info('Executing Client Reconnect Command: %s' % client_cmd)
    # Restart the client side to reconnect the federated client network.
    retcode, result = E.getstatusoutput(
        'secure_script_wrapper -e %s' % client_cmd)
    if retcode:
        logging.info('Could not reconnect Federation Network: %s' % (result))
        return '1'
    logging.info('0\n%s' % (result))

    # NOTE(review): the original comment and the failure message below speak
    # of starting/restarting the server, but the command issued is "stop" -
    # confirm which one is intended.
    server_cmd = '/etc/rc.d/init.d/fed_network_%s stop' % (
        self.cfg.getGlobalParam('VERSION'))
    logging.info('Executing server stop command: %s' % server_cmd)
    retcode, result = E.getstatusoutput(
        'secure_script_wrapper -e %s' % server_cmd)
    if retcode:
        logging.info('Could not start Federated Network Server: %s' % (result))
        return '1'
    return '0\n%s' % result
def getcommonnames(self):
    '''Return the concatenated common names of the trusted CAs.

    Runs the SSL wrapper's getcommonnames command on TRUSTED_CA_DIRNAME.
    Returns '0', a newline and the wrapper's output on success, '1' on
    failure.
    '''
    ca_dir = self.cfg.getGlobalParam('TRUSTED_CA_DIRNAME')
    status, names = E.getstatusoutput(
        '%s getcommonnames %s' % (self.sslWrapperPath, ca_dir))
    # Dividing by 256 presumably turns a wait status into the exit code.
    exit_code = status / 256
    if exit_code != 0:
        logging.info('Error in getcommonnames %s' % names)
        return '1'
    return '0\n%s' % names
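def start(self, boxId):
    """Start a support call for boxId and return the wrapper's output.

    The support daemon is launched first, then polled until its "ready"
    command stops printing '0', and only then is the call started.
    """
    wrapper = self.supportWrapperPath
    os.system('%s --command=dstart' % wrapper)

    # wait till daemon is ready
    # NOTE(review): this polls without a delay or a timeout; every pass
    # spawns a process, and a daemon that never becomes ready blocks forever.
    ready_cmd = '%s --command=ready' % wrapper
    while commands.getoutput(ready_cmd) == '0':
        pass

    # boxId goes onto a shell command line, so the whole --id option is
    # shell-quoted.  mkarg returns its result with a leading space, which is
    # why the format string has none before the option.
    start_cmd = '%s --command=start%s' % (
        wrapper, commands.mkarg('--id=%s' % boxId))
    retcode, output = E.getstatusoutput(start_cmd)
    return output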
def Reconnect(self):
    """Disconnect and then connect all the federated sessions.

    The client init script is restarted first; if that works the server init
    script is run with "stop".  Both go through secure_script_wrapper -e.

    Returns:
      '0' followed by a newline and the second command's output on success.
      '1' if either command reports a non-zero status.
    """
    version = self.cfg.getGlobalParam('VERSION')
    fed_client_reactivate_cmd = (
        '/etc/rc.d/init.d/fed_network_client_%s restart' % version)
    logging.info('Executing Client Reconnect Command: %s' %
                 fed_client_reactivate_cmd)
    client_status, client_output = E.getstatusoutput(
        'secure_script_wrapper -e %s' % fed_client_reactivate_cmd)
    if not client_status:
        logging.info('0\n%s' % client_output)
    else:
        logging.info('Could not reconnect Federation Network: %s' %
                     client_output)
        return '1'

    # VERSION is read again here, as in the original flow.
    # NOTE(review): the original comment says this step starts the server,
    # while the command is "stop" - confirm the intended action.
    fed_server_reactivate_cmd = '/etc/rc.d/init.d/fed_network_%s stop' % (
        self.cfg.getGlobalParam('VERSION'))
    logging.info('Executing server stop command: %s' %
                 fed_server_reactivate_cmd)
    server_status, server_output = E.getstatusoutput(
        'secure_script_wrapper -e %s' % fed_server_reactivate_cmd)
    if not server_status:
        return '0\n%s' % server_output
    logging.info('Could not start Federated Network Server: %s' %
                 server_output)
    return '1'
def GetInitState(entcfg):
    """Return the system's initialization state.

    With a single node the state is entcfg.var(C.ENT_SYSTEM_INIT_STATE).
    Otherwise it is read from the chubby file ENT_SYSTEM_INIT_STATE under
    /ls/<cell name>; when that file cannot be read the state is C.FRESH.

    @param entcfg - of type googleconfig.
    @return - the state, or None when chubby cannot be reached.
    """
    # oneway?
    if len(core_utils.GetNodes()) == 1:
        return entcfg.var(C.ENT_SYSTEM_INIT_STATE)

    # Cluster: the state lives in chubby.
    version = entcfg.var('VERSION')
    ls_client = core_utils.GetLSClientCmd(version, is_test(version))
    chubby_root = '/ls/%s' % core_utils.GetCellName(version)

    # List the root first to prove chubby works.  Without this check an
    # unreachable chubby would be reported as FRESH, which can result in a
    # total wipe out of data.
    (status, output) = E.getstatusoutput('%s ls %s' % (ls_client, chubby_root))
    if status != E.ERR_OK:
        logging.fatal('GetInitState: Could not talk to chubby.')
        return None

    (status, state) = E.getstatusoutput(
        '%s cat %s/%s' % (ls_client, chubby_root, 'ENT_SYSTEM_INIT_STATE'))
    if status != E.ERR_OK:
        # On a fresh install the state file does not exist in chubby yet,
        # so a failed read is taken to mean FRESH.
        state = C.FRESH
    logging.info('current system init state: %s', state)
    return state
def getcsr(self):
    """Return a certificate signing request produced by the SSL wrapper.

    Returns "0", the length of the request and the request itself, each
    separated by a newline, on success; "1" on failure.
    """
    enterprise_home = self.cfg.getGlobalParam("ENTERPRISE_HOME")
    command = "secure_script_wrapper -p2 %s getcsr %s" % (
        self.sslWrapperPath, enterprise_home)
    retcode, result = E.getstatusoutput(command)
    if retcode == 0:
        return "0\n%d\n%s" % (len(result), result)
    logging.error("Couldn't generate CSR: %s" % result)
    return "1"
def getcsr(self):
    """Fetch a certificate request from the SSL wrapper script.

    Success is reported as three newline-separated parts: "0", the number of
    characters in the request, and the request content.  Failure is reported
    as "1".
    """
    retcode, csr = E.getstatusoutput(
        "secure_script_wrapper -p2 %s getcsr %s"
        % (self.sslWrapperPath, self.cfg.getGlobalParam("ENTERPRISE_HOME")))
    succeeded = retcode == 0
    if not succeeded:
        logging.error("Couldn't generate CSR: %s" % csr)
        return "1"
    size = len(csr)
    return "0\n%d\n%s" % (size, csr)
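def hascrl(self, hashData):
    '''Check, for each issuer hash in hashData, whether a CRL is present.

    hashData holds one issuer hash per line.  Processing stops at the first
    empty line, so hashes after it are not checked.

    Returns '0', a newline and one wrapper exit code per checked hash (one
    per line), or '1' when the wrapper status maps to -1.
    '''
    # Function-scope import so the block works on Python 2 and Python 3.
    try:
        from shlex import quote
    except ImportError:
        from pipes import quote

    answer = []
    for issuer_hash in hashData.split('\n'):
        if issuer_hash == '':
            break
        # The hash comes from the caller and is placed on a shell command
        # line; quoting keeps its content from being parsed as shell syntax.
        retcode, result = E.getstatusoutput(
            '%s hascrl %s %s' % (self.sslWrapperPath, quote(issuer_hash),
                                 self.cfg.getGlobalParam('CRL_DIRNAME')))
        # Floor division gives the same result as Python 2's int "/" and
        # stays an int on Python 3.
        retcode = retcode // 256
        if retcode != -1:
            answer.append('%d' % retcode)
        else:
            logging.error(result)
            return '1'
    return '0\n%s' % '\n'.join(answer)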
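def importcrl(self, crldata):
    '''Import a CRL.

    crldata is written to a temporary file named 'temp' in CRL_DIRNAME, the
    SSL wrapper's importcrl command is run on it, and the CRL directory is
    then distributed with self._distributeFiles.  self.updatelock is held
    throughout.

    Returns '0' on success, '-4' when the temporary file cannot be written,
    the wrapper's output when the wrapper fails, or the distribution status
    as a string when distribution fails.
    '''
    crl_dir = self.cfg.getGlobalParam('CRL_DIRNAME')
    if not os.path.exists(crl_dir):
        os.mkdir(crl_dir)
    tempfilename = os.path.join(crl_dir, 'temp')

    self.updatelock.acquire()
    try:
        # The lock is released in the outer finally, so a failure while
        # removing the temporary file can no longer leave it held.
        try:
            try:
                crl_file = open(tempfilename, 'w')
                try:
                    crl_file.write(crldata)
                finally:
                    # Close explicitly so the data is on disk before the
                    # wrapper reads the file.
                    crl_file.close()
            except IOError:
                logging.error('Could not write CRL data to [%s]' % tempfilename)
                return '-4'

            retcode, result = E.getstatusoutput(
                '%s importcrl %s %s %s' % (
                    self.sslWrapperPath, tempfilename,
                    self.cfg.getGlobalParam('TRUSTED_CA_DIRNAME'),
                    crl_dir))
            # Floor division matches Python 2's int "/" and stays an int on
            # Python 3.
            retcode = retcode // 256
            if retcode != 0:
                return result

            retcode = self._distributeFiles(crl_dir)
            if retcode != 0:
                logging.error('Error distributing CRL file: %d' % retcode)
                return str(retcode)
        finally:
            if os.path.exists(tempfilename):
                E.rm(['localhost'], tempfilename)
    finally:
        self.updatelock.release()
    return '0'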
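def importcas(self, cadata):
    '''Import the list of trusted CAs given in cadata.

    cadata is written to a temporary file named 'temp' in
    TRUSTED_CA_DIRNAME, the SSL wrapper's importcas command is run on it, and
    the directory is then distributed to the other nodes with
    self._distributeFiles.  self.updatelock is held throughout.

    Returns '0' on success, '-4' when the temporary file cannot be written,
    the wrapper's output when the wrapper fails, or the distribution status
    as a string when distribution fails.
    '''
    trusted_ca_dir = self.cfg.getGlobalParam('TRUSTED_CA_DIRNAME')
    if not os.path.exists(trusted_ca_dir):
        os.mkdir(trusted_ca_dir)
    tempfilename = os.path.join(trusted_ca_dir, 'temp')

    self.updatelock.acquire()
    try:
        # The lock is released in the outer finally, so a failure while
        # removing the temporary file can no longer leave it held.
        try:
            try:
                ca_file = open(tempfilename, 'w')
                try:
                    ca_file.write(cadata)
                finally:
                    # Close explicitly so the data is on disk before the
                    # wrapper reads the file.
                    ca_file.close()
            except IOError:
                logging.error('Could not write CA data to [%s]' % tempfilename)
                return '-4'

            retcode, result = E.getstatusoutput(
                '%s importcas %s %s' % (self.sslWrapperPath, tempfilename,
                                        trusted_ca_dir))
            # Floor division matches Python 2's int "/" and stays an int on
            # Python 3.
            retcode = retcode // 256
            if retcode != 0:
                return result

            # distribute CA files to all nodes in the network.
            retcode = self._distributeFiles(trusted_ca_dir)
            if retcode != 0:
                logging.error('Error distributing CA file: %d' % retcode)
                return str(retcode)
        finally:
            # The file is absent when the write above failed before creating
            # it, so only remove what exists.
            if os.path.exists(tempfilename):
                E.rm(['localhost'], tempfilename)
    finally:
        self.updatelock.release()
    return '0'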
def diagnosenet(self, diagTasks):
    """Run the network diagnosis script on diagTasks and return its output.

    diagTasks is newline-separated text.  The script receives the number of
    lines followed by the text itself, the first 'fsgw' host (or 'localhost'
    when there is none) and an output path under LOGDIR.  The command is
    retried for as long as it raises IOError.
    """
    # TODO: not unittested diagnosenet
    task_count = len(string.split(diagTasks, "\n"))

    fsgw_hosts = self.cfg.globalParams.GetServerManager().Set('fsgw').Hosts()
    if fsgw_hosts:
        fsgw_host = fsgw_hosts[0]
    else:
        fsgw_host = 'localhost'

    tasks_arg = commands.mkarg("%s\n%s" % (task_count, diagTasks))
    output_arg = commands.mkarg(
        "%s/networkdiag_out" % (self.cfg.getGlobalParam("LOGDIR")))
    cmd = DIAGNOSE_COMMAND % (
        self.cfg.entHome, tasks_arg, self.cfg.entHome, fsgw_host, output_arg)

    while True:
        try:
            err, out = E.getstatusoutput(cmd)
            break
        except IOError:
            continue

    # The script returns data (post-CommandPipe processing) in the form
    # "status\ntuple1\ntuple2\n...".  Faulty script output is not handled
    # here; the response is passed on for the UI to deal with.
    return out
def diagnosenet(self, diagTasks):
    """Diagnose the items listed in diagTasks and return the script output.

    The newline-separated task text is handed to DIAGNOSE_COMMAND together
    with its line count, a file system gateway host and a log path.  An
    IOError from the command runner triggers another attempt; there is no
    limit on the number of attempts.
    """
    # TODO: not unittested diagnosenet
    lines = string.split(diagTasks, "\n")
    server_manager = self.cfg.globalParams.GetServerManager()
    candidates = server_manager.Set('fsgw').Hosts()
    # Use the first fsgw host when one is configured, else the local machine.
    fsgw_host = 'localhost'
    if candidates:
        fsgw_host = candidates[0]

    log_path = "%s/networkdiag_out" % (self.cfg.getGlobalParam("LOGDIR"))
    cmd = DIAGNOSE_COMMAND % (
        self.cfg.entHome,
        commands.mkarg("%s\n%s" % (len(lines), diagTasks)),
        self.cfg.entHome,
        fsgw_host,
        commands.mkarg(log_path),
    )

    done = False
    while not done:
        try:
            err, out = E.getstatusoutput(cmd)
            done = True
        except IOError:
            pass

    # Output has the form "status\ntuple1\ntuple2\n..." after CommandPipe
    # processing.  It is returned as is, so the UI handles faulty output.
    return out
def statusStr(self):
    """Return the current support call status in string form.

    The value is whatever the support wrapper prints for
    --command=statusStr; the command's status is ignored.
    """
    _status, text = E.getstatusoutput(
        '%s --command=statusStr' % self.supportWrapperPath)
    return text
def status(self):
    """Return the current support call status code.

    The value is the output of the support wrapper's --command=status; the
    command's own status is ignored.
    """
    status_cmd = '%s --command=status' % self.supportWrapperPath
    _status, code_text = E.getstatusoutput(status_cmd)
    return code_text
def test(self):
    """Test the support call connection.

    Returns the output of the support wrapper's --command=test; the
    command's status is ignored.
    """
    _status, report = E.getstatusoutput(
        '%s --command=test' % (self.supportWrapperPath))
    return report
def stop(self):
    """Stop the support call.

    Returns the output of the support wrapper's --command=stop; the
    command's status is ignored.
    """
    stop_cmd = '%s --command=stop' % self.supportWrapperPath
    _status, text = E.getstatusoutput(stop_cmd)
    return text
def mygetstatusoutput(self, cmd):
    """Run cmd through E.getstatusoutput and return (code, output).

    code is the exit status when os.WIFEXITED accepts the returned status;
    otherwise the status is passed through unchanged.
    """
    raw_status, output = E.getstatusoutput(cmd)
    if not os.WIFEXITED(raw_status):
        return (raw_status, output)
    return (os.WEXITSTATUS(raw_status), output)
def main(argv):
    """Keep the AdminConsole (port 8000) and its stunnel front end (8443) up.

    argv holds 7 or 8 values: argv[0]..argv[3] are log file paths, argv[4]
    the external web IP, argv[5] the sitesearch interface, argv[6] the
    license notices value and the optional argv[7] the GFS aliases.  After
    building the shell commands the function writes its pid file and loops
    forever, checking once a minute.
    """
    # for cluster, gfs_aliases is passed as argv[6]
    # NOTE(review): the code below reads gfs_aliases from argv[7] - confirm
    # which index the comment above should name.
    if len(argv) != 7 and len(argv) != 8:
        sys.exit(__doc__)

    # gse_kill_command is roughly based on the babysitter's kill code.
    # The whole kill mechanism should be re-examined at some point.
    gse_kill_command = (
        'kill $(lsof -t -i :8000); sleep 3; '
        'kill -9 $(lsof -t -i :8000); sleep 3; '
        'kill -9 `ps axwwwwo pgid,pid,args | egrep "port=8000 " | egrep "java" | '
        'fgrep -v "egrep" | cut -b1-6 | sort -n | uniq | sed "s/[0-9]/-&/"`; ')

    if len(argv) == 8:
        gfs_aliases = argv[7]
    else:
        gfs_aliases = ''

    # LANG=en_US.utf-8 is specified so Java will use utf-8 as the default
    # encoding.
    # The maximum memory allowed for AdminConsole (-Xmx256m) directly
    # limits the size of import/export files supported. However, if it
    # set to 512m, other issues begin to appear, including adminrunner
    # timing out while processing the request.
    #
    # For the 1GB Lite virtual GSA, we do not specify any -Xm? flags

    # first, find out what product we are
    # NOTE(review): execfile runs the config file as Python code, so write
    # access to that file means code execution in this process; the file
    # should be writable by root only.
    config = {}
    execfile('/etc/sysconfig/enterprise_config', config)
    ent_product = config.get('ENT_CONFIG_TYPE', '')
    gse_memory_flags = ' -Xms128m -Xmx256m '
    if ent_product == 'LITE':
        gse_memory_flags = ''

    # NOTE(review): the template is mkarg-quoted before the tuple is
    # substituted, so every mkarg()-quoted value is inserted into a string
    # that is already quoted.  A quote inside a quoted word ends that quoting,
    # so the argv-derived values may reach the outer shell unquoted - confirm,
    # and consider filling the template first and quoting the finished command.
    gse_restart_command = (
        'su -c %s nobody' % commands.mkarg(
            'LD_LIBRARY_PATH=%s LANG=en_US.utf-8 '
            '/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java '
            '%s -Dswigdeps=EnterpriseAdminConsole_swigdeps.so '
            '-classpath %s com.google.enterprise.servlets.EnterpriseAdminConsole '
            '--port=8000 '
            '--useripheader=X-User-Ip --secureheader=X-GFE-SSL --no_gwslog '
            '--maxthreads=3 '
            '--stderr_level=INFO %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s&') %
        (('%(ENTERPRISE_HOME)s/local/google/bin/EnterpriseAdminConsole_libs' %
          os.environ),
         # not mkarg, just a string for LD_LIBRARY_PATH
         gse_memory_flags,
         # not mkarg, just a string for -Xm? flags
         commands.mkarg(
             '%(ENTERPRISE_HOME)s/local/google:'
             '%(ENTERPRISE_HOME)s/local/google/bin/EnterpriseAdminConsole.jar' %
             os.environ),
         commands.mkarg(
             '--propertyfile=%(ENTERPRISE_HOME)s/local/conf/config.txt' %
             os.environ),
         commands.mkarg(
             '--contextbase=%(ENTERPRISE_HOME)s/local/googledata/html' %
             os.environ),
         commands.mkarg(
             '--ipwhitelist=%(ENTERPRISE_HOME)s/local/conf/AdminConsole_ipwhitelist' %
             os.environ),
         '--nowhitelist_internal_networks --forbidden_code=404',  # /varz security
         commands.mkarg(
             '--maxpostsize=%s' % GSE_MAXPOSTSIZE),
         commands.mkarg(
             '--keystore=%(ENTERPRISE_HOME)s/local/conf/server.p12' %
             os.environ),
         commands.mkarg(
             '--trustedca_path=%(ENTERPRISE_HOME)s/local/conf/certs' %
             os.environ),
         commands.mkarg(
             '--crl_path=%(ENTERPRISE_HOME)s/local/conf/certs' %
             os.environ),
         commands.mkarg(
             '--connector_config_dir=%(ENTERPRISE_HOME)s/local/conf/connector/' %
             os.environ),
         commands.mkarg('--sso_rules_log_file=%s' % argv[0]),
         commands.mkarg('--sso_log_file=%s' % argv[1]),
         commands.mkarg('--sso_serving_efe_log_file=%s' % argv[2]),
         commands.mkarg('--sso_serving_headrequestor_log_file=%s' % argv[3]),
         commands.mkarg('--gfs_aliases=%s' % gfs_aliases),
         commands.mkarg('--bnsresolver_use_svelte=false'),
         commands.mkarg('--external_web_ip=%s' % argv[4]),
         commands.mkarg('--sitesearch_interface=%s' % argv[5]),
         commands.mkarg('--license_notices=%s' % argv[6])))

    # Check stunnel config
    # NOTE(review): the line breaks inside this literal are reconstructed
    # (one stunnel directive per line) - confirm against the deployed file.
    # NOTE(review): debug = 7 is the most verbose level, and the cipher list
    # still admits the MEDIUM class; no protocol version option is set here.
    stunnel_config = ('''
cert = %(ENTERPRISE_HOME)s/local/conf/certs/server.crt
key = %(ENTERPRISE_HOME)s/local/conf/certs/server.key
chroot = %(ENTERPRISE_HOME)s/tmp
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = %(ENTERPRISE_HOME)s/logs/stunnel.log
ciphers = HIGH:MEDIUM:!MD5:!RC4:!RC2:!EXP:@STRENGTH
[https]
accept = 8443
connect = 8000
''' % os.environ)

    # The config is fed to stunnel on standard input (-fd 0).
    stunnel_restart_command = (
        'kill $(lsof -t -i :8443); sleep 3; '
        'kill -9 $(lsof -t -i :8443); sleep 3; '
        'echo %s | stunnel -fd 0 ' %
        commands.mkarg(stunnel_config))

    pidfile = E.GetPidFileName('loop_AdminConsole')
    E.WritePidFile(pidfile)

    while True:
        # Check if GSE is running.
        if not check_healthz.CheckHealthz(8000):
            os.system(gse_kill_command)
            os.system(gse_restart_command)
        else:
            # Check if stunnel is running.
            stunnel_pid = E.ReadPidFile("%(ENTERPRISE_HOME)s/tmp/stunnel.pid" %
                                        os.environ)
            (status, output) = E.getstatusoutput("lsof -i:8443 -t")
            # NOTE(review): int(output) raises ValueError if lsof prints more
            # than one pid or any non-numeric text, which would end the loop.
            if not output or int(output) != stunnel_pid:
                os.system(stunnel_restart_command)

        # Sleep for a while.
        time.sleep(60)
def main(argv):
    """Supervise the AdminConsole on port 8000 and stunnel on port 8443.

    argv must hold 7 or 8 values.  argv[0] to argv[3] are log file paths,
    argv[4] is the external web IP, argv[5] the sitesearch interface,
    argv[6] the license notices value, and argv[7], when present, the GFS
    aliases.  The function writes a pid file and then never returns: once a
    minute it restarts whichever of the two services is not healthy.
    """
    # for cluster, gfs_aliases is passed as argv[6]
    # NOTE(review): gfs_aliases is actually taken from argv[7] below, and
    # argv[6] is used for --license_notices - confirm the comment above.
    if len(argv) != 7 and len(argv) != 8:
        sys.exit(__doc__)

    # gse_kill_command is roughly based on the babysitter's kill code.
    # The whole kill mechanism should be re-examined at some point.
    gse_kill_command = (
        'kill $(lsof -t -i :8000); sleep 3; '
        'kill -9 $(lsof -t -i :8000); sleep 3; '
        'kill -9 `ps axwwwwo pgid,pid,args | egrep "port=8000 " | egrep "java" | '
        'fgrep -v "egrep" | cut -b1-6 | sort -n | uniq | sed "s/[0-9]/-&/"`; ')

    if len(argv) == 8:
        gfs_aliases = argv[7]
    else:
        gfs_aliases = ''

    # LANG=en_US.utf-8 is specified so Java will use utf-8 as the default
    # encoding.
    # The maximum memory allowed for AdminConsole (-Xmx256m) directly
    # limits the size of import/export files supported. However, if it
    # set to 512m, other issues begin to appear, including adminrunner
    # timing out while processing the request.
    #
    # For the 1GB Lite virtual GSA, we do not specify any -Xm? flags

    # first, find out what product we are
    # NOTE(review): the config file is executed as Python source by execfile.
    # Anyone able to modify it can run code in this process, so its ownership
    # and permissions matter.
    config = {}
    execfile('/etc/sysconfig/enterprise_config', config)
    ent_product = config.get('ENT_CONFIG_TYPE', '')
    gse_memory_flags = ' -Xms128m -Xmx256m '
    if ent_product == 'LITE':
        gse_memory_flags = ''

    # The java command line is wrapped in "su -c ... nobody".
    # NOTE(review): mkarg() is applied to the template, and the tuple is
    # substituted afterwards.  The mkarg()-quoted values therefore sit inside
    # an already quoted string, where their own quotes end the outer quoting;
    # values taken from argv may then be seen unquoted by the outer shell -
    # confirm.  Formatting first and quoting the finished command avoids this.
    gse_restart_command = (
        'su -c %s nobody' % commands.mkarg(
            'LD_LIBRARY_PATH=%s LANG=en_US.utf-8 '
            '/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java '
            '%s -Dswigdeps=EnterpriseAdminConsole_swigdeps.so '
            '-classpath %s com.google.enterprise.servlets.EnterpriseAdminConsole '
            '--port=8000 '
            '--useripheader=X-User-Ip --secureheader=X-GFE-SSL --no_gwslog '
            '--maxthreads=3 '
            '--stderr_level=INFO %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s&'
        ) % (
            ('%(ENTERPRISE_HOME)s/local/google/bin/EnterpriseAdminConsole_libs' %
             os.environ),
            # not mkarg, just a string for LD_LIBRARY_PATH
            gse_memory_flags,
            # not mkarg, just a string for -Xm? flags
            commands.mkarg(
                '%(ENTERPRISE_HOME)s/local/google:'
                '%(ENTERPRISE_HOME)s/local/google/bin/EnterpriseAdminConsole.jar' %
                os.environ),
            commands.mkarg(
                '--propertyfile=%(ENTERPRISE_HOME)s/local/conf/config.txt' %
                os.environ),
            commands.mkarg(
                '--contextbase=%(ENTERPRISE_HOME)s/local/googledata/html' %
                os.environ),
            commands.mkarg(
                '--ipwhitelist=%(ENTERPRISE_HOME)s/local/conf/AdminConsole_ipwhitelist' %
                os.environ),
            '--nowhitelist_internal_networks --forbidden_code=404',  # /varz security
            commands.mkarg('--maxpostsize=%s' % GSE_MAXPOSTSIZE),
            commands.mkarg(
                '--keystore=%(ENTERPRISE_HOME)s/local/conf/server.p12' %
                os.environ),
            commands.mkarg(
                '--trustedca_path=%(ENTERPRISE_HOME)s/local/conf/certs' %
                os.environ),
            commands.mkarg('--crl_path=%(ENTERPRISE_HOME)s/local/conf/certs' %
                           os.environ),
            commands.mkarg(
                '--connector_config_dir=%(ENTERPRISE_HOME)s/local/conf/connector/' %
                os.environ),
            commands.mkarg('--sso_rules_log_file=%s' % argv[0]),
            commands.mkarg('--sso_log_file=%s' % argv[1]),
            commands.mkarg('--sso_serving_efe_log_file=%s' % argv[2]),
            commands.mkarg(
                '--sso_serving_headrequestor_log_file=%s' % argv[3]),
            commands.mkarg('--gfs_aliases=%s' % gfs_aliases),
            commands.mkarg('--bnsresolver_use_svelte=false'),
            commands.mkarg('--external_web_ip=%s' % argv[4]),
            commands.mkarg('--sitesearch_interface=%s' % argv[5]),
            commands.mkarg('--license_notices=%s' % argv[6])))

    # Check stunnel config
    # NOTE(review): line breaks inside the literal below are reconstructed,
    # one stunnel directive per line - confirm against the deployed file.
    # NOTE(review): stunnel drops to nobody inside a chroot, but logs at
    # debug = 7 (the most verbose level) and its cipher list still allows the
    # MEDIUM class; no protocol version option appears in this config.
    stunnel_config = ('''
cert = %(ENTERPRISE_HOME)s/local/conf/certs/server.crt
key = %(ENTERPRISE_HOME)s/local/conf/certs/server.key
chroot = %(ENTERPRISE_HOME)s/tmp
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = %(ENTERPRISE_HOME)s/logs/stunnel.log
ciphers = HIGH:MEDIUM:!MD5:!RC4:!RC2:!EXP:@STRENGTH
[https]
accept = 8443
connect = 8000
''' % os.environ)

    # stunnel reads the config from standard input (-fd 0).
    stunnel_restart_command = ('kill $(lsof -t -i :8443); sleep 3; '
                               'kill -9 $(lsof -t -i :8443); sleep 3; '
                               'echo %s | stunnel -fd 0 ' %
                               commands.mkarg(stunnel_config))

    pidfile = E.GetPidFileName('loop_AdminConsole')
    E.WritePidFile(pidfile)

    while True:
        # Check if GSE is running.
        if not check_healthz.CheckHealthz(8000):
            os.system(gse_kill_command)
            os.system(gse_restart_command)
        else:
            # Check if stunnel is running.
            stunnel_pid = E.ReadPidFile("%(ENTERPRISE_HOME)s/tmp/stunnel.pid" %
                                        os.environ)
            (status, output) = E.getstatusoutput("lsof -i:8443 -t")
            # NOTE(review): int(output) fails with ValueError when lsof
            # reports several pids or other non-numeric text; nothing here
            # catches it, so the supervisor loop would stop.
            if not output or int(output) != stunnel_pid:
                os.system(stunnel_restart_command)

        # Sleep for a while.
        time.sleep(60)