def unregister(self):
"""
Try to unregister the system from candlepin server
:return: None
"""
try:
self.uep.unregisterConsumer(self.identity.uuid)
log.info("Successfully un-registered.")
managerlib.system_log("Unregistered machine with identity: %s" %
self.identity.uuid)
managerlib.clean_all_data(backup=False)
self.cp_provider.clean()
except connection.GoneException as ge:
if ge.deleted_id == self.identity.uuid:
log.debug(
"This consumer's profile has been deleted from the server. Local certificates and "
"cache will be cleaned now.")
managerlib.clean_all_data(backup=False)
else:
raise ge
finally:
try:
if os.path.exists(INSIGHTS_REGISTER_UNIT_PATH) and os.path.islink(INSIGHTS_REGISTER_UNIT_PATH) and \
os.readlink(INSIGHTS_REGISTER_UNIT_PATH) == '/dev/null':
with open('/dev/null', 'w') as devnull:
subprocess.call([
'/usr/bin/systemctl', 'unmask',
'insights-register.path'
],
stdout=devnull,
stderr=devnull)
except:
log.warn(
"Failed to ensure insights automatic registration enabled")
def _do_command(self):
managerlib.clean_all_data(False)
print(_("All local data removed"))
self._request_validity_check()
# We have new credentials, restart virt-who
restart_virt_who()
def unregister(self):
"""
Try to unregister the system from candlepin server
:return: None
"""
try:
self.uep.unregisterConsumer(self.identity.uuid)
log.info("Successfully un-registered.")
managerlib.system_log("Unregistered machine with identity: %s" % self.identity.uuid)
managerlib.clean_all_data(backup=False)
self.cp_provider.clean()
except connection.GoneException as ge:
if ge.deleted_id == self.identity.uuid:
log.info(
"This consumer's profile has been deleted from the server. Local certificates and "
"cache will be cleaned now."
)
managerlib.clean_all_data(backup=False)
else:
raise ge
def main(options, log):
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
try:
uep = connection.UEPConnection(cert_file=ConsumerIdentity.certpath(),
key_file=ConsumerIdentity.keypath())
mgr = certmgr.CertManager(uep=uep)
updates = mgr.update(options.autoheal)
print _('%d updates required') % updates
print _('done')
except connection.GoneException, ge:
uuid = ConsumerIdentity.read().getConsumerId()
if ge.deleted_id == uuid:
log.critical(_("This consumer's profile has been deleted from the server. It's local certificates will now be archived"))
managerlib.clean_all_data()
log.critical(_("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information."))
else:
raise ge
def _main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
cfg = config.initConfig()
log.debug('check for rhsmcertd disable')
if '1' == cfg.get('rhsmcertd', 'disable') and not options.force:
log.warning('The rhsmcertd process has been disabled by configuration.')
sys.exit(-1)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print(_('Updating entitlement certificates & repositories'))
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(None) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print(update_report)
except connection.ExpiredIdentityCertException as e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException as ge:
uuid = ConsumerIdentity.read().getConsumerId()
# This code is to prevent an errant 410 response causing consumer cert deletion.
#
# If a server responds with a 410, we want to very that it's not just a 410 http status, but
# also that the response is from candlepin, and include the right info about the consumer.
#
# A connection to the entitlement server could get an unintentional 410 response. A common
# cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
# in front of candlepin. Most error codes we treat as temporary and transient, and they don't
# cause any action to be taken (aside from error handling). But since consumer deletion is tied
# to the 410 status code, and that is difficult to recover from, we try to be a little bit
# more paranoid about that case.
#
# So we look for both the 410 status, and the expected response body. If we get those
# then python-rhsm will create a GoneException that includes the deleted_id. If we get
# A GoneException and the deleted_id matches, then we actually delete the consumer.
#
# However... If we get a GoneException and it's deleted_id does not match the current
# consumer uuid, we do not delete the consumer. That would require using a valid consumer
# cert, but making a request for a different consumer uuid, so unlikely. Could register
# with --consumerid get there?
if ge.deleted_id == uuid:
log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
managerlib.clean_all_data()
log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")
raise ge
try:
uep = connection.UEPConnection(cert_file=ConsumerIdentity.certpath(),
key_file=ConsumerIdentity.keypath())
mgr = certmgr.CertManager(uep=uep)
updates = mgr.update(options.autoheal)
print _('%d updates required') % updates
print _('done')
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException, ge:
uuid = ConsumerIdentity.read().getConsumerId()
if ge.deleted_id == uuid:
log.critical(_("This consumer's profile has been deleted from the server. Its local certificates will now be archived"))
managerlib.clean_all_data()
log.critical(_("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information."))
raise ge
if __name__ == '__main__':
logutil.init_logger()
log = logging.getLogger('rhsm-app.' + __name__)
parser = OptionParser(usage=USAGE,
formatter=WrappedIndentedHelpFormatter())
parser.add_option("--autoheal", dest="autoheal", action="store_true",
default=False, help="perform an autoheal check")
(options, args) = parser.parse_args()
def _main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print(_('Updating entitlement certificates & repositories'))
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(None) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print(update_report)
except connection.ExpiredIdentityCertException as e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException as ge:
uuid = ConsumerIdentity.read().getConsumerId()
# This code is to prevent an errant 410 response causing consumer cert deletion.
#
# If a server responds with a 410, we want to very that it's not just a 410 http status, but
# also that the response is from candlepin, and include the right info about the consumer.
#
# A connection to the entitlement server could get an unintentional 410 response. A common
# cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
# in front of candlepin. Most error codes we treat as temporary and transient, and they don't
# cause any action to be taken (aside from error handling). But since consumer deletion is tied
# to the 410 status code, and that is difficult to recover from, we try to be a little bit
# more paranoid about that case.
#
# So we look for both the 410 status, and the expected response body. If we get those
# then python-rhsm will create a GoneException that includes the deleted_id. If we get
# A GoneException and the deleted_id matches, then we actually delete the consumer.
#
# However... If we get a GoneException and it's deleted_id does not match the current
# consumer uuid, we do not delete the consumer. That would require using a valid consumer
# cert, but making a request for a different consumer uuid, so unlikely. Could register
# with --consumerid get there?
if ge.deleted_id == uuid:
log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
managerlib.clean_all_data()
log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")
raise ge