Esempio n. 1
    def create_kvm_host(self):
        """Create the guest's LVM volume and install the guest with virt-install.

        The volume is requested one GB larger than ``$total_disk_gb``. The
        virt-install command line is assembled as a single string and passed
        to ``x()``; afterwards the method waits for the installation to
        complete and calls ``autostart_guests()``.

        NOTE(review): hostname, ram, cpu, cpu_max and the IP values are
        concatenated into the command string without quoting. Presumably
        ``x()`` runs it through a shell, so these values must be restricted to
        hostname/number/IP syntax before they get here -- confirm where the
        config values are validated.
        """
        volume_path = disk.create_lvm_volumegroup(
            self.hostname,
            int(self.property_list['\$total_disk_gb']) + 1,
            config.host(self.hostname).get_vol_group())

        pieces = [
            " virt-install",
            " -d --connect qemu:///system",
            " --name " + self.hostname,
            " --ram " + self.ram,
            " --vcpus=" + self.cpu,
        ]
        # maxvcpus is a suffix of the --vcpus option, so it has to follow it
        # directly with no separating space.
        if not (self.cpu_max is None or self.cpu_max == ""):
            pieces.append(",maxvcpus=" + self.cpu_max)
        pieces.extend([
            " --vnc --noautoconsole",
            " --hvm",
            " --virt-type=kvm",
            " --autostart",
            " --disk path=" + volume_path,
            " --os-variant=rhel6",
            " --arch x86_64",
        ])
        # br0 is only attached when the back network is enabled.
        if config.general.is_back_enabled():
            pieces.append(" --network bridge:br0")
        pieces.append(" --network bridge:br1")
        pieces.append(" --location nfs:" + self.kvm_host_ip + ":/dvd")

        # Installer arguments passed with -x: the kickstart file is fetched
        # over NFS from the KVM host and eth1 is configured statically.
        installer_args = [
            'ks=nfs:' + self.kvm_host_ip + ':/kickstart/' + self.hostname + '.ks',
            'ksdevice=eth1',
            'ip=' + config.host(self.hostname).get_front_ip(),
            'netmask=' + config.general.get_front_netmask(),
            'dns=' + config.general.get_front_resolver_ip(),
            'gateway=' + self.kvm_host_ip,
        ]
        pieces.append(' -x "' + " ".join(installer_args) + ' "')

        x("".join(pieces))
        self.wait_for_installation_to_complete()
        self.autostart_guests()
Esempio n. 2
    def __init__(self):
        # Look up the front and back IP configured for the machine this code
        # runs on (the config is keyed by the local hostname).
        # NOTE(review): the four locals below are not used in the lines shown
        # here; presumably the constructor continues beyond this excerpt.
        server_front_ip = config.host(net.get_hostname()).get_front_ip()
        server_back_ip = config.host(net.get_hostname()).get_back_ip()

        # Front network derived from the front IP and the front netmask
        # (presumably in CIDR notation, going by the helper's name).
        server_network_front = net.get_network_cidr(server_front_ip, config.general.get_front_netmask())

        # Same for the back network.
        server_network_back = net.get_network_cidr(server_back_ip, config.general.get_back_netmask())
Esempio n. 3
def _add_all_systems():
  """Add every configured server, as a KVM host or as a guest.

  Servers that are neither a host nor a guest are left out.
  """
  for hostname in config.get_servers():
    if config.host(hostname).is_host():
      # KVM host
      _host_add(hostname)
      continue
    if config.host(hostname).is_guest():
      _guest_add(hostname)
    def create_kvm_host(self):
        """Create the guest's LVM volume and install the guest with virt-install.

        The volume is requested one GB larger than ``$total_disk_gb``. The
        virt-install command line is assembled as a single string and passed
        to ``x()``; afterwards the method waits for the installation to
        complete and calls ``autostart_guests()``.

        NOTE(review): hostname, ram, cpu, cpu_max and the IP values are
        concatenated into the command string without quoting. Presumably
        ``x()`` runs it through a shell, so these values must be restricted to
        hostname/number/IP syntax before they get here -- confirm where the
        config values are validated.
        """
        volume_path = disk.create_lvm_volumegroup(
            self.hostname,
            int(self.property_list['\$total_disk_gb']) + 1,
            config.host(self.hostname).get_vol_group())

        options = [
            " virt-install",
            " -d --connect qemu:///system",
            " --name " + self.hostname,
            " --ram " + self.ram,
            " --vcpus=" + self.cpu,
        ]
        # maxvcpus extends the --vcpus option and must follow it directly.
        if not (self.cpu_max is None or self.cpu_max == ""):
            options.append(",maxvcpus=" + self.cpu_max)
        options.extend([
            " --vnc --noautoconsole",
            " --hvm",
            " --virt-type=kvm",
            " --autostart",
            " --disk path=" + volume_path,
            " --os-variant=rhel6",
            " --arch x86_64",
        ])
        # br0 is only attached when the back network is enabled.
        if config.general.is_back_enabled():
            options.append(" --network bridge:br0")
        options.append(" --network bridge:br1")
        options.append(" --location nfs:" + self.kvm_host_ip + ":/dvd")

        # Installer arguments passed with -x: kickstart over NFS from the KVM
        # host, static network settings on eth1.
        installer_args = [
            'ks=nfs:' + self.kvm_host_ip + ':/kickstart/' + self.hostname + '.ks',
            'ksdevice=eth1',
            'ip=' + config.host(self.hostname).get_front_ip(),
            'netmask=' + config.general.get_front_netmask(),
            'dns=' + config.general.get_front_resolver_ip(),
            'gateway=' + self.kvm_host_ip,
        ]
        options.append(' -x "' + " ".join(installer_args) + ' "')

        x("".join(options))
        self.wait_for_installation_to_complete()
        self.autostart_guests()
Esempio n. 5
def _setup_network(hostname):
    """Configure eth0 with the back-net settings and eth1 with the front-net ones."""
    back_ip = config.host(hostname).get_back_ip()
    back_netmask = config.general.get_back_netmask()
    back_gateway = config.general.get_back_gateway_ip()
    edit_iface(hostname, 'eth0', back_ip, back_netmask, back_gateway)

    front_ip = config.host(hostname).get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gateway = config.general.get_front_gateway_ip()
    edit_iface(hostname, 'eth1', front_ip, front_netmask, front_gateway)
Esempio n. 6
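    def _set_servers(self, hostname):
        '''
        Set servers/hosts to perform the remote install on.

        With a hostname, that host is appended to the current list and, when
        it is a host (as opposed to a guest), all of its guests are added too.
        Without a hostname the list is replaced by every server in the config.
        The resulting list is stored sorted.

        '''
        if hostname:
            self._servers.append(hostname)
            if config.host(hostname).is_host():
                self._servers += config.host(hostname).get_guests()
        else:
            self._servers = config.get_servers()

        # sorted() returns a new list; the result used to be discarded, so the
        # list was never ordered. Rebinding instead of calling .sort() avoids
        # reordering a list object that config may still own.
        self._servers = sorted(self._servers)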
Esempio n. 7
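    def _set_servers(self, hostname):
        """
        Set servers/hosts to perform the remote install on.

        With a hostname, that host is appended to the current list and, when
        it is a host (as opposed to a guest), all of its guests are added too.
        Without a hostname the list is replaced by every server in the config.
        The resulting list is stored sorted.

        """
        if hostname:
            self._servers.append(hostname)
            if config.host(hostname).is_host():
                self._servers += config.host(hostname).get_guests()
        else:
            self._servers = config.get_servers()

        # sorted() returns a new list; the result used to be discarded, so the
        # list was never ordered. Rebinding instead of calling .sort() avoids
        # reordering a list object that config may still own.
        self._servers = sorted(self._servers)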
Esempio n. 8
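  def _set_servers(self, hostname):
    '''
    Set servers/hosts to perform the remote install on.

    With a hostname, that host is appended to the current list and, when it
    is a host (as opposed to a guest), all of its guests are added too.
    Without a hostname the list is replaced by every server in the config.
    The resulting list is stored sorted.

    '''
    if hostname:
      self.servers.append(hostname)
      if config.host(hostname).is_host():
        self.servers += config.host(hostname).get_guests()
    else:
      self.servers = config.get_servers()

    # sorted() returns a new list; the result used to be discarded, so the
    # list was never ordered. Rebinding instead of calling .sort() avoids
    # reordering a list object that config may still own.
    self.servers = sorted(self.servers)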
Esempio n. 9
def _get_host_list():
    """
    Walk all devices in the syco config (/opt/syco/etc/install.cfg) and build
    one host object per guest, host, firewall or switch (see object model UML).
    The host class is defined at the bottom of this script; each object gets
    the hostname, an ip and the type label.

    Firewalls are registered with their back ip, every other type with
    get_any_ip(). Devices matching none of the four types are skipped.

    """
    # (type check, ip getter, type label), tried in this order for each device.
    device_kinds = (
        ("is_guest", "get_any_ip", "guest"),
        ("is_host", "get_any_ip", "host"),
        ("is_firewall", "get_back_ip", "firewall"),
        ("is_switch", "get_any_ip", "switch"),
    )

    found = []
    for server in config.get_devices():
        for type_check, ip_getter, label in device_kinds:
            if getattr(config.host(server), type_check)():
                address = getattr(config.host(server), ip_getter)()
                found.append(host(server, address, label))
                break
    return found
Esempio n. 10
def _setup_network(hostname):
  """Configure eth0 with the back-net settings and eth1 with the front-net ones."""
  back_settings = (
    config.host(hostname).get_back_ip(),
    config.general.get_back_netmask(),
    config.general.get_back_gateway_ip(),
  )
  edit_iface(hostname, 'eth0', *back_settings)

  front_settings = (
    config.host(hostname).get_front_ip(),
    config.general.get_front_netmask(),
    config.general.get_front_gateway_ip(),
  )
  edit_iface(hostname, 'eth1', *front_settings)
Esempio n. 11
  def set_kickstart_options(self):
    '''
    Build the mapping used to replace ${XXX} vars in the kickstart file and
    store it in self.property_list.

    NOTE(review): the mapping carries the root password hash
    ($default_password_crypted). Presumably the rendered kickstart file is
    what guests fetch during installation -- confirm who can read that file
    and the share it is served from.

    '''
    self.property_list = {
      '\$hostname': self.hostname,

      # Front network
      '\$front_ip': config.host(self.hostname).get_front_ip(),
      '\$front_netmask': config.general.get_front_netmask(),
      '\$front_gateway': config.general.get_front_gateway_ip(),
      '\$front_nameserver': config.general.get_front_resolver_ip(),

      # Back network
      '\$back_ip': config.host(self.hostname).get_back_ip(),
      '\$back_netmask': config.general.get_back_netmask(),
      '\$back_gateway': config.general.get_back_gateway_ip(),
      '\$back_nameserver': config.general.get_back_resolver_ip(),

      '\$default_password_crypted': app.get_root_password_hash(),

      # Disk layout
      '\$disk_swap_mb': config.host(self.hostname).get_disk_swap_mb(),
      '\$disk_var_mb': config.host(self.hostname).get_disk_var_mb(),
      '\$disk_log_mb': config.host(self.hostname).get_disk_log_mb(),
      '\$total_disk_mb': config.host(self.hostname).get_total_disk_mb(),
      '\$total_disk_gb': config.host(self.hostname).get_total_disk_gb(),
      '\$boot_device': config.host(self.hostname).get_boot_device("vda"),
    }
Esempio n. 12
    def set_kickstart_options(self):
        '''
        Build the mapping used to replace ${XXX} vars in the kickstart file
        and store it in self.property_list.

        NOTE(review): the mapping carries the root password hash
        ($default_password_crypted). Presumably the rendered kickstart file
        is what guests fetch during installation -- confirm who can read that
        file and the share it is served from.

        '''
        self.property_list = {
            '\$hostname': self.hostname,

            # Front network
            '\$front_ip': config.host(self.hostname).get_front_ip(),
            '\$front_netmask': config.general.get_front_netmask(),
            '\$front_gateway': config.general.get_front_gateway_ip(),
            '\$front_nameserver': config.general.get_front_resolver_ip(),

            # Back network
            '\$back_ip': config.host(self.hostname).get_back_ip(),
            '\$back_netmask': config.general.get_back_netmask(),
            '\$back_gateway': config.general.get_back_gateway_ip(),
            '\$back_nameserver': config.general.get_back_resolver_ip(),

            '\$default_password_crypted': app.get_root_password_hash(),

            # Disk layout
            '\$disk_swap_mb': config.host(self.hostname).get_disk_swap_mb(),
            '\$disk_var_mb': config.host(self.hostname).get_disk_var_mb(),
            '\$disk_log_mb': config.host(self.hostname).get_disk_log_mb(),
            '\$total_disk_mb': config.host(self.hostname).get_total_disk_mb(),
            '\$total_disk_gb': config.host(self.hostname).get_total_disk_gb(),
            '\$boot_device': config.host(self.hostname).get_boot_device("vda"),
        }
Esempio n. 13
    def init_host_options_from_config(self):
        '''
        Load the options this object needs from install.cfg.

        Invalid options make app and config raise; those exceptions are not
        caught here and are forwarded to the starter app.

        '''
        # IP on the admin net; the nfs export is done from this address.
        self.kvm_host_back_ip = net.get_lan_ip()

        # ram and cpu are kept as strings.
        ram_value = config.host(self.hostname).get_ram()
        self.ram = str(ram_value)
        cpu_value = config.host(self.hostname).get_cpu()
        self.cpu = str(cpu_value)

        self.set_kickstart_options()
Esempio n. 14
def install_mail_client(args):
    """
    Install a local postfix MTA that accepts mail on localhost and relays
    everything to the mail relay server. Also installs mailx.
    See line comments in install_mail_server

    ``args`` is not used in this function.

    """

    # A host that is configured to become the postfix server later must not
    # get the client configuration written here.
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    # NOTE(review): check_executed() is called but no mark_executed() is
    # visible in this function -- confirm whether a rerun is intended.
    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    #
    # Presumably use_original_file() restores the distribution main.cf so the
    # search strings below still match on a rerun -- confirm.
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    postfix_main_cf.replace(
        "#myhostname = host.domain.tld",
        "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain()),
    )  # monitor.syco.com
    postfix_main_cf.replace(
        "#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain())
    )  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen only on localhost
    # The first replace has identical search and replacement text, so it
    # leaves the file unchanged. mynetworks is narrowed to 127.0.0.1, so only
    # local processes are trusted clients.
    postfix_main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    postfix_main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    postfix_main_cf.replace(
        "mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost"
    )

    # Relay everything not for local machine to mailrelay.
    # The relay host is written in [brackets], which tells postfix to use the
    # name as given without an MX lookup.
    postfix_main_cf.replace(
        "#relay_domains = $mydestination", "relay_domains = {0}".format(config.general.get_resolv_domain())
    )
    postfix_main_cf.replace(
        "#relayhost = $mydomain", "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())
    )
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    # NOTE(review): only the iptables calls are visible here; nothing in this
    # function touches nrpe.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
Esempio n. 15
    def _install_host(self, hostname):
        '''
        Execute the commands on the remote host.

        Create one process for each remote host.

        Connects to the host's front ip with ssh.Ssh using the password from
        app.get_root_password(), checks that the host is alive, installs an
        ssh key, installs syco on the remote host and runs the host's
        commands. On pexpect.EOF the error is printed and the host's entry in
        self._installed is removed.

        NOTE(review): the process creation mentioned above is not visible in
        this method; presumably the caller starts it. The session is opened
        with a password before install_ssh_key() runs -- confirm how ssh.Ssh
        verifies the remote host key on that first connection.

        '''
        try:
            server = config.host(hostname).get_front_ip()
            app.print_verbose("Try to install " + hostname + " (" + server + ")", 2)

            obj = ssh.Ssh(server, app.get_root_password())
            self._validate_alive(obj, hostname)
            app.print_verbose("========================================================================================")
            app.print_verbose("=== Update " + hostname + " (" + server + ")")
            app.print_verbose("========================================================================================")

            obj.install_ssh_key()
            self._install_syco_on_remote_host(obj)
            self._execute_commands(obj, hostname)

        # Python 2 except syntax. Only pexpect.EOF is handled; any other
        # exception propagates to the caller.
        except pexpect.EOF, e:
            app.print_error(e, 2)

            # Remove progress state.
            if hostname in self._installed:
                del(self._installed[hostname])
Esempio n. 16
    def _prompt_for_passwords(self):
        """Request the passwords needed by every syco command of every server.

        Each configured command is split on single spaces. Only commands whose
        first word is "syco" (case-insensitive) are considered; the second
        word is taken as the syco command name and its password list is
        fetched from the syco.py commands object. Each entry's first two
        items are passed to app.get_custom_password().

        NOTE(review): split(" ") keeps empty strings for repeated spaces, so
        "syco  name" yields an empty command name.
        """
        # Reference to syco.py commands
        global _commands_obj_reference

        for hostname in self._servers:
            for command in config.host(hostname).get_commands():
                words = command.split(" ")
                if len(words) < 1:
                    app.print_verbose("Did not understand command: %s, skipping" % command)
                    continue

                # Not a syco command: nothing to prompt for.
                if words[0].lower() != "syco":
                    continue

                if len(words) < 2:
                    app.print_verbose("Did not understand syco command: %s, skipping" % command)
                    continue

                # words[1] is the name of the syco command.
                syco_command = words[1]
                passwords = _commands_obj_reference.get_command_passwords(syco_command)

                if len(passwords) > 0:
                    app.print_verbose("Retrieving passwords for command %s" % command)

                for combo in passwords:
                    app.get_custom_password(combo[0], combo[1])
Esempio n. 17
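def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Besides the yum packages, this writes /etc/sudoers.d/nrpe so that the
    nrpe user may run the listed check plugins through sudo without a
    password, appends nofile limits to /etc/security/limits.conf and finally
    sets the sudoers drop-in to mode 0440.

    The hpasmcli/hpacucli sudoers entries are only appended on hosts and
    firewalls, where the HP tools are installed.

    NOTE(review): every path in the drop-in runs as root on behalf of nrpe,
    so those files and their directories must be root-owned and not writable
    by nrpe -- confirm for PLG_PATH. Checking the generated file with
    ``visudo -cf /etc/sudoers.d/nrpe`` would catch syntax errors.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable")
    x("yum install -y perl-suidperl")

    # Create the drop-in ('>' truncates any earlier version).
    x(
        """cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(
            PLG_PATH
        )
    )

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for check_iostat
    x("yum install -y sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        x("yum -y install hp-health hpacucli")

        # Let nrpe run hpasmcli and hpacucli. This used to run on every
        # machine; it now stays inside the branch so sudo rights are only
        # granted where the HP tools are installed.
        x(
            """cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/sbin/hpacucli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(
                PLG_PATH
            )
        )

    # Dependency for check_ulimit
    x("yum install -y lsof")

    # Set ulimit values to take effect after reboot.
    # NOTE(review): this appends on every run, so reruns add duplicate lines.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo expects sudoers files to be read-only (0440), so chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")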
Esempio n. 18
  def _print_install_stat(self):
    '''
    Print a status table for the servers that are being installed.

    Shows how many servers are left and how many threads are running, then
    one row per server with its back ip, alive/valid-config/installed state
    and any abort error.

    '''
    margin = "   "
    titles = (
      ("SERVER NAME", 30),
      ("IP", 15),
      ("ALIVE", 6),
      ("VALID CONFIG", 13),
      ("INSTALLED", 10),
      ("ABORT ERROR", 20),
    )
    # (number of dashes, column width) for the line under the titles.
    rules = ((29, 30), (14, 15), (5, 6), (12, 13), (9, 10), (20, 21))

    print("\n\n\n")
    app.print_verbose(str(self._servers_left_to_install()) + " server(s) left to install.")
    app.print_verbose(str(threading.activeCount()) + " thread(s) are running.")
    app.print_verbose(margin + "".join([text.ljust(width) for text, width in titles]))
    app.print_verbose(margin + "".join([("-" * dashes).ljust(width) for dashes, width in rules]))

    for hostname in self.servers:
      cells = [
        hostname.ljust(30),
        config.host(hostname).get_back_ip().ljust(15),
        self._get_alive(hostname).ljust(6),
        self._get_invalid_config(hostname).ljust(13),
        self._get_installed(hostname).ljust(10),
        self._get_abort_errors(hostname),
      ]
      app.print_verbose(margin + "".join(cells))
    print("\n\n\n")
Esempio n. 19
  def init_host_options_from_config(self):
    '''
    Load the options this object needs from install.cfg.

    Invalid options make app and config raise; those exceptions are not
    caught here and are forwarded to the starter app.

    '''
    # IP on the admin net; the nfs export is done from this address.
    self.kvm_host_back_ip = net.get_lan_ip()

    # ram and cpu are kept as strings.
    ram_value = config.host(self.hostname).get_ram()
    self.ram = str(ram_value)
    cpu_value = config.host(self.hostname).get_cpu()
    self.cpu = str(cpu_value)

    self.set_kickstart_options()
Esempio n. 20
  def _install_host(self, hostname):
    '''
    Execute the commands on the remote host.

    Create one process for each remote host.

    Connects to the host's back ip with ssh.Ssh using the password from
    app.get_root_password(), checks that the host is alive, installs an ssh
    key, installs syco on the remote host and runs the host's commands. On
    pexpect.EOF the error is printed and the host's entry in self.installed
    is removed.

    NOTE(review): the process creation mentioned above is not visible in
    this method; presumably the caller starts it. The session is opened with
    a password before install_ssh_key() runs -- confirm how ssh.Ssh verifies
    the remote host key on that first connection.

    '''
    try:
      server = config.host(hostname).get_back_ip()
      app.print_verbose("Try to install " + hostname + " (" + server + ")", 2)

      obj = ssh.Ssh(server, app.get_root_password())
      self._validate_alive(obj, hostname)
      app.print_verbose("========================================================================================")
      app.print_verbose("=== Update " + hostname + " (" + server + ")")
      app.print_verbose("========================================================================================")

      obj.install_ssh_key()
      self._install_syco_on_remote_host(obj)
      self._execute_commands(obj, hostname)

    # Python 2 except syntax. Only pexpect.EOF is handled; any other
    # exception propagates to the caller.
    except pexpect.EOF, e:
      app.print_error(e, 2)

      # Remove progress state.
      if hostname in self.installed:
        del(self.installed[hostname])
Esempio n. 21
    def _print_install_stat(self):
        '''
        Print a status table for the servers that are being installed.

        Shows how many servers are left and how many threads are running,
        then one row per server with its front ip, alive/valid-config/
        installed state and any abort error.

        '''
        margin = "   "
        titles = (
            ("SERVER NAME", 30),
            ("IP", 15),
            ("ALIVE", 6),
            ("VALID CONFIG", 13),
            ("INSTALLED", 10),
            ("ABORT ERROR", 20),
        )
        # (number of dashes, column width) for the line under the titles.
        rules = ((29, 30), (14, 15), (5, 6), (12, 13), (9, 10), (20, 21))

        print("\n\n\n")
        app.print_verbose(str(self._servers_left_to_install()) + " server(s) left to install.")
        app.print_verbose(str(threading.activeCount()) + " thread(s) are running.")
        app.print_verbose(margin + "".join([text.ljust(width) for text, width in titles]))
        app.print_verbose(margin + "".join([("-" * dashes).ljust(width) for dashes, width in rules]))

        for hostname in self._servers:
            cells = [
                hostname.ljust(30),
                config.host(hostname).get_front_ip().ljust(15),
                self._get_alive(hostname).ljust(6),
                self._get_invalid_config(hostname).ljust(13),
                self._get_installed(hostname).ljust(10),
                self._get_abort_errors(hostname),
            ]
            app.print_verbose(margin + "".join(cells))
        print("\n\n\n")
Esempio n. 22
def install_mysql_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    For both this host's front ip and the configured ``repl_peer`` it stops
    the slave, removes a user, grants REPLICATION SLAVE to 'repl' from both
    addresses with a freshly generated password, points the server at the
    other one with CHANGE MASTER and starts the slave again.

    NOTE(review): the '******' values in the statements below look like
    redaction placeholders in this listing. As written, repl_password is only
    used in the GRANT statements and CHANGE MASTER gets a literal -- compare
    with the real source before relying on this text.

    NOTE(review): the password and the addresses are concatenated into the
    SQL text. Confirm that generate_password() cannot return quote
    characters, and that mysql_exec() does not expose the statement (and so
    the password) in logs or the process list.

    """
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")

    # Wait for the peer's MySQL port before touching either server.
    general.wait_for_server_to_start(repl_peer, "3306")

    # One new password shared by both directions of the replication.
    repl_password=general.generate_password(20)

    # Same sequence on the local server and on the peer.
    for ip in [current_host_config.get_front_ip(), repl_peer]:
        mysql_exec("stop slave;", True, ip)
        mysql_exec("delete from mysql.user where User = '******';", True, ip)
        mysql_exec("flush privileges;", True, ip)
        # The 'repl' account is limited to the two replication addresses.
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + repl_peer + "' IDENTIFIED BY '" + repl_password + "';", True, ip)
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + current_host_config.get_front_ip() + "' IDENTIFIED BY '" + repl_password + "';", True, ip)

        # Each server gets the other one as its master.
        if ip==current_host_config.get_front_ip():
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + repl_peer + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        else:
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + current_host_config.get_front_ip() + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
Esempio n. 23
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Besides the packages, this writes /etc/sudoers.d/nrpe so that the nrpe
    user may run the listed commands through sudo without a password, appends
    nofile limits to /etc/security/limits.conf and finally sets the sudoers
    drop-in to mode 0440. The HP tool entries are only appended on hosts and
    firewalls.

    NOTE(review): every path in the drop-in runs as root on behalf of nrpe,
    so those files and their directories must be root-owned and not writable
    by nrpe -- confirm for PLG_PATH. rabbitmqctl is allowed with any
    arguments; confirm that this is needed. Checking the generated file with
    ``visudo -cf /etc/sudoers.d/nrpe`` would catch syntax errors.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Create the drop-in ('>' truncates any earlier version). {0} is replaced
    # by PLG_PATH.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli ('>>' appends to the drop-in
        # created above).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take effect after reboot.
    # NOTE(review): this appends on every run, so reruns add duplicate lines.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf"
      )

    # sudo expects sudoers files to be read-only (0440), so chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")
Esempio n. 24
def install_ntp_client(args):
  """Install the ntp client unless this host will install the ntp server.

  The client is pointed at the ntp server ip from the general config.
  ``args`` is not used.
  """
  becomes_server = config.host(net.get_hostname()).has_command_re("install-ntp-server")
  if not becomes_server:
    install_ntp(config.general.get_ntp_server_ip())
    return
  app.print_verbose(
    "This server will later install the ntp server, abort client installation."
  )
Esempio n. 25
def install_ntp_client(args):
    """Install the ntp client unless this host will install the ntp server.

    The client is pointed at the ntp server ip from the general config.
    ``args`` is not used.
    """
    becomes_server = config.host(net.get_hostname()).has_command_re("install-ntp-server")
    if not becomes_server:
        install_ntp(config.general.get_ntp_server_ip())
        return
    app.print_verbose(
        "This server will later install the ntp server, abort client installation."
    )
Esempio n. 26
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Besides the packages, this writes /etc/sudoers.d/nrpe so that the nrpe
    user may run the listed commands through sudo without a password, appends
    nofile limits to /etc/security/limits.conf and finally sets the sudoers
    drop-in to mode 0440. The HP tool entries are only appended on hosts and
    firewalls.

    NOTE(review): every path in the drop-in runs as root on behalf of nrpe,
    so those files and their directories must be root-owned and not writable
    by nrpe -- confirm for PLG_PATH. rabbitmqctl is allowed with any
    arguments; confirm that this is needed. Checking the generated file with
    ``visudo -cf /etc/sudoers.d/nrpe`` would catch syntax errors.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Create the drop-in ('>' truncates any earlier version). {0} is replaced
    # by PLG_PATH.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli ('>>' appends to the drop-in
        # created above).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take effect after reboot.
    # NOTE(review): this appends on every run, so reruns add duplicate lines.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo expects sudoers files to be read-only (0440), so chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")
Esempio n. 27
def _configure_squid():
    """Replace the squid config with the syco plugin's files and restart squid.

    Everything under /etc/squid is deleted, the plugin's *.conf, acl/ and
    services/ files are copied into SQUID_CONF_DIR, the ${ENV_IP} and
    ${FRONT_IP} placeholders in squid.conf are filled in, and squid is
    enabled and restarted.

    NOTE(review): the delete uses the literal /etc/squid while the copies use
    SQUID_CONF_DIR, and the copy targets rely on SQUID_CONF_DIR ending in
    "/" -- confirm both name the same directory.
    """
    x("rm -rf /etc/squid/*")
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))

    subdirs = ("acl", "services")
    for subdir in subdirs:
        x("mkdir -p %s/%s" % (SQUID_CONF_DIR, subdir))
    for subdir in subdirs:
        x("cp %s/%s/* %s%s/" % (SYCO_PLUGIN_PATH, subdir, SQUID_CONF_DIR, subdir))

    # Front ip by default; the back net is preferred when it is enabled.
    env_ip = config.host(net.get_hostname()).get_front_ip()
    if config.general.is_back_enabled():
        env_ip = config.host(net.get_hostname()).get_back_ip()

    squid_conf = SQUID_CONF_DIR + "squid.conf"
    scopen.scOpen(squid_conf).replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    front_ip = config.host(net.get_hostname()).get_front_ip()
    scopen.scOpen(squid_conf).replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")
Esempio n. 28
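    def __init__(self):
        """Collect this server's IPs and networks and the mail relay aliases.

        Fills self.server_ips with 127.0.0.1 plus the front ip and, when the
        back net is enabled, the back ip; self.server_networks with the
        network of each ip; self.virtual_alias_domains and
        self.virtual_aliases from the ``mailrelay.*`` options.

        Exits with status 1 when no front or back ip is found, or when an
        alias entry is not two words separated by a space.
        """
        netmasks = {}

        # Add localhost IP/netmask
        local_ip = "127.0.0.1"
        self.server_ips.append(local_ip)
        netmasks[local_ip] = "255.0.0.0"

        # Add IPs for front/back net if they exist.
        front_ip = config.host(net.get_hostname()).get_front_ip()
        if front_ip:
            self.server_ips.append(front_ip)
            netmasks[front_ip] = config.general.get_front_netmask()
        back_ip = config.host(net.get_hostname()).get_back_ip()
        if config.general.is_back_enabled() and back_ip:
            self.server_ips.append(back_ip)
            netmasks[back_ip] = config.general.get_back_netmask()

        # localhost is always present, so fewer than two entries means that
        # neither a front nor a back ip was found.
        if len(self.server_ips) < 2:
            app.print_error(
                "Didn't find any valid IP addresses from front or back net. Exiting"
            )
            sys.exit(1)

        for ip in self.server_ips:
            self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

        self.virtual_alias_domains = config.general.get_option(
            "mailrelay.virtual_alias_domains", "")

        # Entries are separated by ";", each entry is "<alias> <target>".
        for alias_row in config.general.get_option("mailrelay.virtual_aliases",
                                                   "").split(";"):
            if len(alias_row.strip()) == 0:
                # Skip empty rows. This used to be a break, which silently
                # dropped every alias after the first empty entry.
                continue
            split_row = alias_row.split(" ", 1)
            if len(split_row) != 2:
                app.print_error(
                    "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                    "separated by semicolon. Found \"%s\"" % alias_row)
                sys.exit(1)
            self.virtual_aliases[split_row[0]] = split_row[1]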
Esempio n. 29
def _configure_squid():
    """Replace the squid config with the syco plugin's files and restart squid.

    Everything under /etc/squid is deleted, the plugin's *.conf, acl/ and
    services/ files are copied into SQUID_CONF_DIR, the ${ENV_IP} and
    ${FRONT_IP} placeholders in squid.conf are filled in, and squid is
    enabled and restarted.

    NOTE(review): the delete uses the literal /etc/squid while the copies use
    SQUID_CONF_DIR, and the copy targets rely on SQUID_CONF_DIR ending in
    "/" -- confirm both name the same directory.
    """
    x("rm -rf /etc/squid/*")
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))

    subdirs = ("acl", "services")
    for subdir in subdirs:
        x("mkdir -p %s/%s" % (SQUID_CONF_DIR, subdir))
    for subdir in subdirs:
        x("cp %s/%s/* %s%s/" % (SYCO_PLUGIN_PATH, subdir, SQUID_CONF_DIR, subdir))

    # Front ip by default; the back net is preferred when it is enabled.
    env_ip = config.host(net.get_hostname()).get_front_ip()
    if config.general.is_back_enabled():
        env_ip = config.host(net.get_hostname()).get_back_ip()

    squid_conf = SQUID_CONF_DIR + "squid.conf"
    scopen.scOpen(squid_conf).replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    front_ip = config.host(net.get_hostname()).get_front_ip()
    scopen.scOpen(squid_conf).replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")
Esempio n. 30
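def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Besides the yum packages, this writes /etc/sudoers.d/nrpe so that the
    nrpe user may run the listed check plugins through sudo without a
    password, appends nofile limits to /etc/security/limits.conf and finally
    sets the sudoers drop-in to mode 0440.

    The hpasmcli/hpacucli sudoers entries are only appended on hosts and
    firewalls, where the HP tools are installed.

    NOTE(review): every path in the drop-in runs as root on behalf of nrpe,
    so those files and their directories must be root-owned and not writable
    by nrpe -- confirm for PLG_PATH. Checking the generated file with
    ``visudo -cf /etc/sudoers.d/nrpe`` would catch syntax errors.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable")
    x("yum install -y perl-suidperl")

    # Create the drop-in ('>' truncates any earlier version).
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for check_iostat
    x("yum install -y sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        x("yum -y install hp-health hpacucli")

        # Let nrpe run hpasmcli and hpacucli. This used to run on every
        # machine; it now stays inside the branch so sudo rights are only
        # granted where the HP tools are installed.
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/sbin/hpacucli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    x("yum install -y lsof")

    # Set ulimit values to take effect after reboot.
    # NOTE(review): this appends on every run, so reruns add duplicate lines.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf"
      )

    # sudo expects sudoers files to be read-only (0440), so chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")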
Esempio n. 31
def _install_guest(guest_name):
  '''
  Provision an LVM volume for guest_name, install it with koan and mark
  the guest for autostart.

  NOTE(review): guest_name is concatenated into command text without
  quoting; presumably x() hands the string to a shell, so callers should
  only pass validated hostnames. TODO confirm.

  '''
  app.print_verbose("Install " + guest_name)

  # One extra GB: the guest OS seems to need slightly more room than it
  # reports from the inside. Could probably be lowered to a few MB.
  volume_size_gb = int(config.host(guest_name).get_total_disk_gb()) + 1
  volume_group = config.host(guest_name).get_vol_group()
  disk.create_lvm_volumegroup(guest_name, volume_size_gb, volume_group)

  # Network install of the guest through the installation server.
  koan_cmd = "koan --server=" + config.general.get_installation_server_ip()
  koan_cmd += " --system=" + guest_name
  koan_cmd += " --virt -v --static-interface=eth1"
  x(koan_cmd)

  autostart_cmd = "virsh autostart " + guest_name
  x(autostart_cmd)
Esempio n. 32
def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    NOTE(review): the plugin tree ends up owned by nrpe. If any of these
    files is also listed in a NOPASSWD sudoers rule for nrpe, the owner can
    restore write permission and change what runs as root; root ownership
    for sudo-invoked plugins would close that path. Verify against the
    sudoers drop-in.
    """
    # Packages and sudo rules come first; the plugins rely on them.
    _install_nrpe_plugins_dependencies()
    copy_plugins_cmd = "cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(
        constant.SYCO_PATH, PLG_PATH)
    x(copy_plugins_cmd)

    # Fill in credentials and endpoints in the shared nrpe config.
    # NOTE(review): the passwords land in this file in clear text and its
    # mode is not set here; check it is not world-readable.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # Only the SQL password has & and / backslash-escaped; the LDAP password
    # above is passed through unchanged.
    sql_password = app.get_mysql_monitor_password()
    sql_password = sql_password.replace("&", "\&").replace("/", "\/")
    common_cfg.replace("$(SQLPASS)", sql_password)

    # Name of the main disk depends on the kind of machine.
    this_host = config.host(net.get_hostname())
    main_disk = None
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Hand the plugins over to nrpe (from icinga/nagios), read+execute only.
    for ownership_cmd in ("chmod -R 550 /usr/lib64/nagios/plugins/",
                          "chown -R nrpe:nrpe /usr/lib64/nagios/plugins/"):
        x(ownership_cmd)

    # Load the SELinux modules that let NRPE execute python/perl binaries.
    # The matching .te files summarize what each rule contains.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rules_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rules_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # SELinux file types for the custom plugins, applied in this order.
    plugin_labels = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        # TODO??
        # ("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*"),
        # ("nagios_unconfined_plugin_exec_t", "farpayment_stats.py"),
        # ("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py"),
        # ("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for selinux_type, plugin_name in plugin_labels:
        _fix_selinux(selinux_type, plugin_name)

    # New in centos 6.7
    x("setsebool -P nagios_run_sudo 1")
Esempio n. 33
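    def __init__(self):
        """Collect this server's IPs, their networks and the mail alias settings.

        127.0.0.1 is always added; the front IP is added when configured and
        the back IP when the back net is enabled and configured. The process
        exits with status 1 when no front/back IP was found or when a
        mailrelay.virtual_aliases entry is malformed.

        self.server_ips, self.server_networks and self.virtual_aliases are
        used without being created here; presumably they are defined on the
        class - TODO confirm they are not shared between instances.
        """
        netmasks = {}

        # Add localhost IP/netmask
        local_ip = "127.0.0.1"
        self.server_ips.append(local_ip)
        netmasks[local_ip] = "255.0.0.0"

        # Add IPs for front/back net if they exist.
        front_ip = config.host(net.get_hostname()).get_front_ip()
        if front_ip:
            self.server_ips.append(front_ip)
            netmasks[front_ip] = config.general.get_front_netmask()
        back_ip = config.host(net.get_hostname()).get_back_ip()
        if config.general.is_back_enabled() and back_ip:
            self.server_ips.append(back_ip)
            netmasks[back_ip] = config.general.get_back_netmask()

        # Localhost alone is not enough; at least one real interface is needed.
        if len(self.server_ips) < 2:
            app.print_error("Didn't find any valid IP addresses from front or back net. Exiting")
            sys.exit(1)

        for ip in self.server_ips:
            self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

        self.virtual_alias_domains = config.general.get_option("mailrelay.virtual_alias_domains", "")

        # Entries are "alias target" pairs separated by semicolons.
        for alias_row in config.general.get_option("mailrelay.virtual_aliases", "").split(";"):
            if not alias_row.strip():
                # Skip empty rows (e.g. a doubled or trailing semicolon) and
                # keep going, so later aliases are not silently dropped.
                continue
            split_row = alias_row.split(" ", 1)
            if len(split_row) != 2:
                app.print_error(
                    "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                    'separated by semicolon. Found "%s"' % alias_row
                )
                sys.exit(1)
            self.virtual_aliases[split_row[0]] = split_row[1]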
Esempio n. 34
def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    NOTE(review): plugins are copied from several source directories and
    then chown'ed to nrpe. Files that nrpe may also run through a NOPASSWD
    sudo rule should stay root-owned, otherwise their owner can alter what
    executes as root. Verify against the sudoers drop-in.
    """
    # Packages and sudo rules come first; the plugins rely on them.
    _install_nrpe_plugins_dependencies()

    # Core plugins shipped with syco, then any plugin-package additions.
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    for extra_plugin_dir in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        copy_cmd = "cp -p {0}* {1}".format(extra_plugin_dir, PLG_PATH)
        x(copy_cmd)

    # Substitute credentials and endpoints into the shared nrpe config.
    # NOTE(review): secrets are stored in clear text in this file; its
    # permissions are not set here, so check them separately.
    cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # & and / in the SQL password are backslash-escaped before substitution.
    escaped_sql_password = (
        app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    )
    cfg.replace("$(SQLPASS)", escaped_sql_password)

    # Guests get vda as main disk, firewalls and hosts sda.
    local_host = config.host(net.get_hostname())
    if local_host.is_guest():
        disk_name = "vda"
    elif local_host.is_firewall() or local_host.is_host():
        disk_name = "sda"
    else:
        disk_name = None
    if disk_name is not None:
        cfg.replace("${MAINDISK}", disk_name)

    # Change ownership of plugins to nrpe (from icinga/nagios)
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Install the SELinux modules that allow NRPE to execute python/perl.
    # The matching .te files summarize rule content.
    module_dir_cmd = "mkdir -p /var/lib/syco_selinux_modules"
    x(module_dir_cmd)
    for selinux_rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(selinux_rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # File types for the custom plugins, applied in listed order.
    unconfined = "nagios_unconfined_plugin_exec_t"
    services = "nagios_services_plugin_exec_t"
    labelled_plugins = [
        (unconfined, "check_disk"),
        (services, "check_ldap.php"),
        (services, "check_iptables.py"),
        (unconfined, "check_clam*"),
        # TODO??
        # (unconfined, "pmp-check-mysql*"),
        # (unconfined, "farpayment_stats.py"),
        # (unconfined, "rentalfront_stats.py"),
        # (unconfined, "checkMySQLProcesslist.sh"),
        (unconfined, "check_connections.pl"),
        (unconfined, "check_procs.sh"),
        (unconfined, "check_ulimit.py"),
        (unconfined, "check_hpasm"),
        (unconfined, "check_hparray"),
        (unconfined, "check_ifutil.pl"),
    ]
    for file_type, plugin in labelled_plugins:
        _fix_selinux(file_type, plugin)

    # New in centos 6.7
    x("setsebool -P nagios_run_sudo 1")
Esempio n. 35
    def _validate_install_config(self):
        '''
        Record, per server, whether install.cfg gives it a front IP.

        self._invalid_config[hostname] is set to "Yes" when a front IP is
        found and to "No" otherwise; the missing ones are reported in
        verbose mode.

        '''
        for hostname in self._servers:
            if config.host(hostname).get_front_ip():
                self._invalid_config[hostname] = "Yes"
                continue

            self._invalid_config[hostname] = "No"
            app.print_verbose("In install.cfg, cant find ip for " + hostname)
Esempio n. 36
def get_hosts_to_install(args):
  """Return the guest hostnames that should be installed.

  With exactly two entries in args the second one names the single guest
  to install; otherwise all guests configured for the local host are used.
  Raises Exception when the resulting list is empty.
  """
  if len(args) == 2:
    # Explicit guest given by the caller.
    guest_hostnames = [args[1]]
  else:
    # Fall back to every guest registered for this machine.
    guest_hostnames = []
    local_name = socket.gethostname()
    guest_hostnames.extend(config.host(local_name).get_guests())

  if not guest_hostnames:
    raise Exception("No guests to install.")

  return guest_hostnames
Esempio n. 37
    def _validate_install_config(self):
        """
        Flag every server according to whether install.cfg has a front IP.

        Servers with a front IP get "Yes" in self._invalid_config, the
        others get "No" and are reported in verbose mode.

        """
        for hostname in self._servers:
            front_ip = config.host(hostname).get_front_ip()
            status = "Yes" if front_ip else "No"
            self._invalid_config[hostname] = status
            if status == "No":
                app.print_verbose("In install.cfg, cant find ip for " + hostname)
Esempio n. 38
  def _execute_commands(self, obj, hostname):
    """Run the commands configured for hostname over the ssh object obj.

    A command is removed from the queue only after ssh_exec returned, so a
    command that raised is attempted again on the next loop pass.

    NOTE(review): no retry limit is visible here; a command that keeps
    failing would be retried without end. The error text also echoes the
    full command, so anything sensitive in it ends up in the error output.
    """
    commands = config.host(hostname).get_commands(app.options.verbose >= 2)

    while(len(commands) != 0):
      try:
        obj.ssh_exec(commands[0])
        # Reached only on success; the failed command stays first in line.
        commands.pop(0)
      except ssh.SSHTerminatedException, e:
        app.print_error("SSHTerminatedException on host " + hostname + " with command " + commands[0])
        # Block until the host answers again, then retry the same command.
        obj.wait_until_alive()

      except pexpect.EOF, e:
        # Logged only; the loop retries at once without waiting.
        app.print_error("pexpect.EOF on host " + hostname + " with command " + commands[0])
Esempio n. 39
  def _validate_install_config(self):
    '''
    Record, per server, whether install.cfg gives it a back IP.

    self.invalid_config[hostname] becomes "Yes" when a back IP exists and
    "No" otherwise; missing ones are reported in verbose mode.

    '''
    for hostname in self.servers:
      if config.host(hostname).get_back_ip():
        self.invalid_config[hostname] = "Yes"
        continue

      self.invalid_config[hostname] = "No"
      app.print_verbose("In install.cfg, cant find ip for " + hostname)
Esempio n. 40
def install_mail_client(args):
    """
    Install a local postfix MTA that accepts mail on localhost and relays
    everything to the mailrelay server. Also installs mailx.
    See line comments in install_mail_server

    Nothing is done when this host is configured to run
    install-postfix-server later.

    NOTE(review): check_executed() is called but no mark_executed() is
    visible in this function - confirm whether that is intended.

    """

    # The server installation replaces the client setup, so skip it here.
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters, starting from the original main.cf.
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    postfix_main_cf.replace("#myhostname = host.domain.tld", "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain())) # monitor.syco.com
    postfix_main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain())) # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen only on localhost and accept mail from the local machine only.
    # The first replace has identical search and replacement text, so it
    # leaves the setting as it is.
    postfix_main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    postfix_main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    postfix_main_cf.replace("mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost")

    # Relay everything not for local machine to mailrelay.
    # NOTE(review): no TLS setting toward the relay (for example
    # smtp_tls_security_level) is configured in this function; confirm
    # whether mail to the relay is expected to travel in clear text.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains = {0}".format(config.general.get_resolv_domain()))
    postfix_main_cf.replace("#relayhost = $mydomain","relayhost = [{0}]".format(config.general.get_mail_relay_domain_name()))
    postfix_main_cf.replace("#home_mailbox = Maildir/","home_mailbox = Maildir/")
    postfix_main_cf.replace("inet_protocols = all","inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Add the mail relay chain to iptables and persist the rules.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
Esempio n. 41
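def _install_nrpe_plugins_dependencies():
    '''
    Install libraries/binaries that the NRPE-plugins depend on.

    Also adds the sudo rules that let the nrpe user run selected plugins
    without a password and, on hosts and firewalls, installs the HP health
    package.

    NOTE(review): every path in the sudo rules runs as root for nrpe; those
    files should be root-owned and not writable by nrpe. Verify against how
    the plugin directory is chown'ed elsewhere.

    '''
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav.
    # perl-suidperl is installed by its own command; it used to be pasted
    # into the package list together with the words "sudo yum install".
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable")
    x("yum install -y perl-suidperl")

    # Passwordless sudo rules for the plugins that need root.
    nrpe_sudoers_file = scopen.scOpen("/etc/sudoers.d/nrpe")
    nrpe_sudoers_file.add("Defaults:nrpe !requiretty")
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_clamav".format(PLG_PATH))
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_clamscan".format(PLG_PATH))
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_disk".format(PLG_PATH))
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}get_services".format(PLG_PATH))
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files".format(PLG_PATH))
    nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs".format(PLG_PATH))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():

        # The returned directory is not used below; the call is kept in case
        # it prepares the install directory - TODO confirm.
        general.get_install_dir()

        # Download and install HP health monitoring package.
        # NOTE(review): MD5 catches corruption but is weak as an authenticity
        # check for a package installed as root; prefer a stronger digest if
        # general.download_file supports one.
        general.download_file(
            HP_HEALTH_URL, HP_HEALTH_FILENAME, md5=HP_HEALTH_MD5
        )
        x("yum install {0} -y".format(HP_HEALTH_FILENAME))

        # Remove the crontab the package installs.
        x("rm -f /etc/cron.d/hp-health")

        # Let nrpe run hpasmcli
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:/sbin/hpasmcli")
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_hpasm".format(PLG_PATH))

        x("service hp-health start")

    # sudo expects sudoers drop-ins to be read-only (0440), so chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")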
Esempio n. 42
def _install_guest(guest_name):
    '''
    Provision an LVM volume for guest_name, install the guest with koan and
    set it to autostart.

    NOTE(review): guest_name is concatenated into command text without
    quoting; presumably x() hands the string to a shell, so only validated
    hostnames should reach this function. TODO confirm.

    '''
    app.print_verbose("Install " + guest_name)

    # The value returned by create_lvm_volumegroup is not needed here.
    guest_disk_gb = config.host(guest_name).get_total_disk_gb()
    disk.create_lvm_volumegroup(guest_name, guest_disk_gb)

    # Network install through the installation server.
    koan_cmd = "koan --server=" + config.general.get_installation_server_ip()
    koan_cmd += " --system=" + guest_name + " --virt -v --static-interface=eth0"
    x(koan_cmd)

    autostart_cmd = "virsh autostart " + guest_name
    x(autostart_cmd)
Esempio n. 43
    def _execute_commands(self, obj, hostname):
        """Run the commands configured for hostname over the ssh object obj.

        A command leaves the queue only after ssh_exec returned, so one that
        raised is attempted again on the next loop pass.

        NOTE(review): there is no visible retry limit; a command that always
        fails keeps the loop running. The error text includes the command
        itself, which matters if commands ever carry secrets.
        """
        commands = config.host(hostname).get_commands(app.options.verbose >= 2)

        while (len(commands) != 0):
            try:
                obj.ssh_exec(commands[0])
                # Only reached on success; failures keep the command queued.
                commands.pop(0)
            except ssh.SSHTerminatedException, e:
                app.print_error("SSHTerminatedException on host " + hostname +
                                " with command " + commands[0])
                # Wait for the host to come back before retrying.
                obj.wait_until_alive()

            except pexpect.EOF, e:
                # Logged only; the retry follows immediately.
                app.print_error("pexpect.EOF on host " + hostname +
                                " with command " + commands[0])
Esempio n. 44
def _install_guest(guest_name):
  '''
  Create the LVM volume for guest_name, install the guest with koan and
  enable autostart for it.

  NOTE(review): guest_name goes into the command text unquoted; presumably
  x() runs the string through a shell, so pass validated hostnames only.
  TODO confirm.

  '''
  app.print_verbose("Install " + guest_name)

  # Return value of create_lvm_volumegroup is not used by this function.
  disk.create_lvm_volumegroup(
    guest_name,
    config.host(guest_name).get_total_disk_gb())

  install_server_ip = config.general.get_installation_server_ip()
  koan_cmd = ("koan --server=" + install_server_ip +
              " --system=" + guest_name +
              " --virt -v --static-interface=eth0")
  x(koan_cmd)

  x("virsh autostart " + guest_name)
Esempio n. 45
def _edit_kopts(hostname):
    '''
    Set the kernel options cobbler hands to a system during installation.

    Only the network interface settings differ from the defaults. Without
    them the guest has no network access and cannot reach its kickstart
    and installation files.

    '''
    command_template = (
        'cobbler system edit --profile=centos-vm_host --name=%s ' +
        '--kopts="ksdevice=eth0 ip=%s netmask=%s dns=%s gateway=%s ' +
        'lang= kssendmac text"'
    )
    # Back-net addressing for the host being installed.
    network_values = (
        hostname,
        config.host(hostname).get_back_ip(),
        config.general.get_back_netmask(),
        config.general.get_back_resolver_ip(),
        config.general.get_back_gateway_ip(),
    )
    x(command_template % network_values)
Esempio n. 46
    def test_host_vh01_install(self):
        """Check what the configuration returns for the KVM host syco-vh01."""
        vh01 = config.host("syco-vh01")

        # Network settings: back net only, no front IP.
        self.assertEqual(vh01.get_front_ip(), None)
        self.assertEqual(vh01.get_back_ip(), "10.0.0.2")
        self.assertEqual(vh01.get_back_mac(), "xx:xx:xx:xx:xx:xx")

        # Options that are not set raise when no default is given.
        for unset_getter in (vh01.get_ram, vh01.get_cpu,
                             vh01.get_disk_var, vh01.get_boot_device):
            self.assertRaises(config.ConfigException, unset_getter)
        self.assertEqual(vh01.get_boot_device("hda"), "hda")

        # Role, guests, commands and backup paths.
        self.assertEqual(vh01.is_host(), True)
        self.assertEqual(vh01.has_guests(), True)
        expected_commands = ['syco iptables-setup', 'syco hardening']
        self.assertEqual(vh01.get_commands(), expected_commands)
        expected_guests = ['syco-install', 'syco-ntp']
        self.assertEqual(vh01.get_guests(), expected_guests)
        self.assertEqual(vh01.get_backup_pathes(), ['/etc/', '/tmp/'])
Esempio n. 47
def _setup_radius_clients():
    '''
    Rebuild the radius client config/certs from scratch.

    Only localhost and the switches are registered as radius clients.

    '''
    # Start from an empty client list.
    remove_clients_cmd = "rm /etc/raddb/clients.conf"
    x(remove_clients_cmd)

    # Localhost first, then every switch on its back-net IP.
    _setup_radius_client("localhost", "127.0.0.1")
    for switch in get_switches():
        switch_ip = config.host(switch).get_back_ip()
        _setup_radius_client(switch, switch_ip)
Esempio n. 48
def _get_host_list():
    """
    Build host objects for the devices returned by config.get_devices().

    Each device is classified as guest, host, firewall or switch and is
    wrapped in a host object carrying its name, an IP and that type.
    Firewalls use their back IP, the other types use get_any_ip().
    Devices matching none of the four types are left out.

    """
    hosts = []
    for name in config.get_devices():
        if config.host(name).is_guest():
            ip, kind = config.host(name).get_any_ip(), "guest"
        elif config.host(name).is_host():
            ip, kind = config.host(name).get_any_ip(), "host"
        elif config.host(name).is_firewall():
            ip, kind = config.host(name).get_back_ip(), "firewall"
        elif config.host(name).is_switch():
            ip, kind = config.host(name).get_any_ip(), "switch"
        else:
            # Unknown device type, nothing to register.
            continue
        hosts.append(host(name, ip, kind))
    return hosts
Esempio n. 49
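def install_ossecd(args):
    '''
    Install the OSSEC server on this machine.

    Downloads and builds OSSEC, generates a client key file per server,
    installs the syco server config and local rules, enables syslog output
    and restarts the OSSEC services.

    NOTE(review): the source archive is fetched over plain HTTP and its
    install.sh is executed with no checksum or signature check visible
    here. Verifying the archive against a pinned digest before unpacking
    would protect the build from a tampered download.

    '''
    #OSSEC DOWNLOAD URL
    ossec_download = "http://www.ossec.net/files/ossec-hids-2.6.tar.gz"

    #Installing OSSEC
    # NOTE(review): the build uses fixed paths under /tmp; on a machine with
    # other local users a private build directory would be safer.
    x('yum install gcc make perl-Time-HiRes')
    x("wget -P /tmp/ " + ossec_download)
    x("tar -C /tmp -zxf /tmp/ossec-hids*  ")
    x("rm -rf /tmp/ossec-hids*.tar.gz")
    x("mv /tmp/ossec-hids* /tmp/ossecbuild")

    # Preloaded answers for the installer.
    x('\cp -f /opt/syco/var/ossec/osseconf/preloaded-vars-server.conf /tmp/ossecbuild/etc/preloaded-vars.conf'
      )
    x('/tmp/ossecbuild/install.sh')

    #Generating keys so all ossec clients can connect
    for server in get_servers():

        x('/tmp/ossecbuild/contrib/ossec-batch-manager.pl -a -n ' + server +
          '.fareoffice.com -p ' + config.host(server).get_back_ip())
        # Keep each client's key line in its own file.
        x("grep " + server +
          ".fareoffice.com /var/ossec/etc/client.keys > /var/ossec/etc/" +
          server + ".fareoffice.com_client.keys")

    #Setting up server config and local rules from syco
    # The config copy is now actually executed; it used to be a bare string
    # expression, so ossec.conf was never replaced with the syco version.
    x('\cp -f /opt/syco/var/ossec/osseconf/ossec_server.conf /var/ossec/etc/ossec.conf'
      )
    x('\cp -f /opt/syco/var/ossec/osseconf/local_rules.xml /var/ossec/rules/local_rules.xml'
      )
    x('chown root:ossec  /var/ossec/rules/local_rules.xml')
    x('chmod 550  /var/ossec/rules/local_rules.xml')
    x('chown root:ossec  /var/ossec/etc/ossec.conf')

    #Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    #Restarting OSSEC server
    x('/var/ossec/bin/ossec-control restart')
    x('/var/ossec/bin/ossec-remoted start')

    #Cleaning up install: build tree and compiler are removed again.
    x('rm -rf /tmp/ossecbuild')
    x('yum remove gcc make perl-Time-HiRes')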
Esempio n. 50
    def _execute_commands(self, obj, hostname):
        """Run the commands configured for hostname over the ssh object obj.

        Does nothing unless self._enable_commands is set. A command leaves
        the queue only after ssh_exec returned, so one that raised is
        attempted again on the next loop pass.

        NOTE(review): no retry limit is visible; a command that always fails
        keeps the loop running. The error text includes the command itself,
        which matters if commands ever carry secrets.
        """
        if self._enable_commands:
            commands = config.host(hostname).get_commands(app.options.verbose >= 2)

            while(len(commands) != 0):
                try:
                    obj.ssh_exec(commands[0])
                    # Only reached on success; failures keep the command queued.
                    commands.pop(0)
                except ssh.SSHTerminatedException, e:
                    app.print_error("SSHTerminatedException on host " + hostname + " with command " + commands[0])
                    # Wait for the host to come back before retrying.
                    obj.wait_until_alive()

                except pexpect.EOF, e:
                    # Logged only; the retry follows immediately.
                    app.print_error("pexpect.EOF on host " + hostname + " with command " + commands[0])

                except pxssh.ExceptionPxssh, e:
                    # Logged only; the message suggests a reboot of the remote host.
                    app.print_error("pxssh.ExceptionPxssh on host " + hostname + " with command " + commands[0] + ", might be because the remote host rebooted.")
Esempio n. 51
def _setup_radius_clients():
    '''
    Recreate the config/certs for every radius client.

    The existing client file is removed first; after that localhost and
    each switch are registered again. No other device types are added.

    '''
    # Drop the current client definitions.
    x("rm /etc/raddb/clients.conf")

    # Register localhost.
    _setup_radius_client("localhost", "127.0.0.1")

    # Register the switches by their back-net IP.
    for name in get_switches():
        back_ip = config.host(name).get_back_ip()
        _setup_radius_client(name, back_ip)
Esempio n. 52
    def test_host_syco_install(self):
        """Check what the configuration returns for the guest syco-install."""
        guest = config.host("syco-install")

        # Network settings: both nets configured, no back MAC.
        self.assertEqual(guest.get_front_ip(), "10.0.1.3")
        self.assertEqual(guest.get_back_ip(), "10.0.0.3")
        self.assertRaises(config.ConfigException, guest.get_back_mac)

        # Virtual hardware.
        self.assertEqual(guest.get_ram(), "1024")
        self.assertEqual(guest.get_cpu(), "1")
        self.assertEqual(guest.get_disk_var(), "40")

        # Boot device is unset, so it needs a default.
        self.assertRaises(config.ConfigException, guest.get_boot_device)
        self.assertEqual(guest.get_boot_device("hda"), "hda")

        # Role, guests, commands and backup paths.
        self.assertEqual(guest.is_host(), False)
        self.assertEqual(guest.has_guests(), False)
        expected_commands = ['syco iptables-setup', 'syco hardening']
        self.assertEqual(guest.get_commands(), expected_commands)
        self.assertEqual(guest.get_guests(), [])
        self.assertEqual(guest.get_backup_pathes(), ['/etc/'])
Esempio n. 53
def install_mariadb_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    A fresh replication password is generated on every run and applied to
    both the local server and the peer named by the repl_peer host option.

    NOTE(review): the '******' values look like they were masked in this
    listing. As shown, the strings formatted with repl_password contain no
    format specifier, so compare with the real source before relying on it.

    """
    app.print_verbose(
        "Install MariaDB replication version: %d" % SCRIPT_VERSION
    )
    version_obj = version.Version("install-mariadb-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    # The peer must answer on 3306 before replication can be configured.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")
    general.wait_for_server_to_start(repl_peer, "3306")

    # NOTE(review): the password is interpolated into SQL text below; verify
    # that mysql_exec does not expose the statement in process listings or
    # logs.
    repl_password = general.generate_password(20)
    front_ip = current_host_config.get_front_ip()
    # Same steps on both masters: the local one first, then the peer.
    for ip in ["127.0.0.1", repl_peer]:
        mysql_exec("stop slave;", True, ip)
        mysql_exec("delete from mysql.user where User = '******'", True, ip)
        mysql_exec("flush privileges;", True, ip)
        # Replication account, usable from the peer and from this host's
        # front IP.
        mysql_exec(
            "GRANT REPLICATION SLAVE ON *.* TO " +
            "'repl'@'%s' IDENTIFIED BY '%s'," % (repl_peer, repl_password) +
            "'repl'@'%s' IDENTIFIED BY '%s'" % (front_ip, repl_password),
            True, ip)

        # Each side points at the other one as its master.
        if ip == "127.0.0.1":
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % repl_peer +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )
        else:
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % front_ip +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )

        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
Esempio n. 54
File: vir.py Progetto: ysoldak/syco
def vir_list(args):
  old_verbose = app.options.verbose
  app.options.verbose = 2
  try:
    for hostname in config.get_hosts():
      server = config.host(hostname).get_front_ip()

      obj = ssh.Ssh(server, app.get_root_password())

      app.print_verbose("List KVM guests on host " + hostname + " (" + server + ")")
      if (obj.is_alive()):
        obj.install_ssh_key()
        obj.ssh_exec("virsh list --all")
      else:
        app.print_verbose("   Not online.")
  except SettingsError, e:
    app.print_error(e, 2)