def run(_umc_instance,
url='http://www.univention.de/',
connecttimeout=30,
timeout=30):
ucr.load()
proxy = ucr.get('proxy/http')
if not proxy:
return
proxy = urlparse(proxy)
MODULE.info('The proxy is configured, using host=%r, port=%r' %
(proxy.hostname, proxy.port))
curl = pycurl.Curl()
curl.setopt(pycurl.PROXYTYPE, pycurl.PROXYTYPE_HTTP)
if proxy.hostname:
curl.setopt(pycurl.PROXY, proxy.hostname)
if proxy.port:
curl.setopt(pycurl.PROXYPORT, proxy.port)
curl.setopt(pycurl.FOLLOWLOCATION, True)
curl.setopt(pycurl.MAXREDIRS, 5)
curl.setopt(pycurl.CONNECTTIMEOUT, connecttimeout)
curl.setopt(pycurl.TIMEOUT, 30)
if proxy.username:
curl.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY)
credentials = '%s' % (proxy.username, )
if proxy.password:
credentials = '%s:%s' % (proxy.username, proxy.password)
curl.setopt(pycurl.PROXYUSERPWD, credentials)
curl.setopt(pycurl.URL, url)
# curl.setopt(pycurl.VERBOSE, bVerbose)
buf = io.StringIO()
curl.setopt(pycurl.WRITEFUNCTION, buf.write)
MODULE.process(''.join("Trying to connect to %s via HTTP proxy %s" %
(url, proxy)))
try:
curl.perform()
except pycurl.error as exc:
try:
code, msg = exc.args
msg = '%s (code=%s)' % (msg, code)
MODULE.info(msg)
except ValueError:
MODULE.error(traceback.format_exc())
code = 0
msg = str(exc)
if code == pycurl.E_COULDNT_CONNECT:
msg = _(
'The proxy host could not be reached. Make sure that hostname (%(hostname)r) and port (%(port)r) are correctly set up.'
) % {
'hostname': proxy.hostname,
'port': proxy.port
}
elif code == pycurl.E_COULDNT_RESOLVE_PROXY:
msg = _(
'The hostname of the proxy could not be resolved. May check your DNS configuration.'
)
elif code == pycurl.E_OPERATION_TIMEOUTED:
msg = _(
'The server did not respond within %d seconds. Please check your network configuration.'
) % (timeout, )
elif code == 0:
MODULE.error(traceback.format_exc())
MODULE.error('\n'.join([description, msg]))
raise Critical('\n'.join([description, msg]))
else:
# page = buf.getvalue()
# MODULE.info(page[:100])
buf.close()
http_status = curl.getinfo(pycurl.HTTP_CODE)
if http_status >= 400:
warning = '\n'.join([
description,
_('The proxy server is reachable but the HTTP response status code (%d) does not indicate success.'
) % (http_status, ),
_('This warning might be harmless. Nevertheless make sure the authentication credentials (if any) are correct and the proxy server ACLs do not forbid requests to %s.'
) % (url, )
])
MODULE.warn(warning)
raise Warning(warning)
finally:
curl.close()
def run(_umc_instance):
# Now a workaround for paramico logging to connector-s4.log
# because one of the diagnostic plugins instantiates s4connector.s4.s4()
# which initializes univention.debug2, which initializes logging.basicConfig
logger = paramiko.util.logging.getLogger()
logger.setLevel(logging.CRITICAL)
try:
lo, position = uldap.getMachineConnection(ldap_master=False)
except Exception as err:
raise Warning(str(err))
modules.update()
ucs_hosts = []
roles = [
'computers/domaincontroller_backup',
'computers/domaincontroller_master',
'computers/domaincontroller_slave', 'computers/memberserver'
]
for role in roles:
udm_obj = modules.get(role)
modules.init(lo, position, udm_obj)
for host in udm_obj.lookup(None, lo, 'cn=*'):
if 'docker' in host.oldattr.get('univentionObjectFlag', []):
continue
if not host.get('ip'):
continue
host.open()
ucs_hosts.append(host['name'])
with open('/etc/machine.secret', 'rb') as fd:
password = fd.read().strip()
gen_msg = _('The ssh connection to at least one other UCS server failed. ')
gen_msg += _(
'The following list shows the affected remote servers and the reason for the failed ssh connection:'
)
key_msg = _('Host key for server does not match')
key_info = _(
'The ssh host key of the remote server has changed (maybe the host was reinstalled). '
)
key_info += _(
'Please repair the host key of the remote server in /root/.ssh/known_hosts on %(fqdn)s.'
)
auth_msg = _('Machine authentication failed')
auth_info = _(
'Login to the remote server with the uid %(uid)s and the password from /etc/machine.secret failed. '
)
auth_info += _(
'Please check /var/log/auth.log on the remote server for further information.'
)
bad = dict()
key_failed = False
auth_failed = False
data = dict(fqdn=ucr['hostname'] + '.' + ucr['domainname'],
uid=ucr['hostname'] + '$',
hostname=ucr['hostname'])
for host in ucs_hosts:
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(IgnorePolicy())
fqdn = host + '.' + ucr['domainname']
try:
client.connect(fqdn,
port=22,
username=ucr['hostname'] + '$',
password=password,
timeout=2,
banner_timeout=2,
allow_agent=False)
client.close()
except paramiko.BadHostKeyException as err:
bad[fqdn] = key_msg + '!'
key_failed = True
except paramiko.BadAuthenticationType as err:
bad[fqdn] = auth_msg + '!'
auth_failed = True
except (paramiko.SSHException, socket.timeout) as err:
# ignore if host is not reachable and other ssh errors
pass
except Exception as err:
bad[fqdn] = str(err)
if bad:
msg = gen_msg
msg += '\n\n'
for host in bad:
msg += '%s - %s\n' % (host, bad[host])
if key_failed:
msg += '\n' + key_msg + ' - ' + key_info + '\n'
if auth_failed:
msg += '\n' + auth_msg + ' - ' + auth_info + '\n'
msg += '\n'
log_msg = msg.splitlines()
for line in log_msg:
if not re.match(r'^\s*$', line):
MODULE.error("%s" % line)
MODULE.error("%s" % data)
raise Critical(msg % data)
def run(_umc_instance, retest=False):
configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()
target_realm = configRegistry.get('kerberos/realm')
user_name = 'kdc-reachability-check'
kdc_fqds = configRegistry.get('kerberos/kdc', '').split()
dns_lookup_kdc = configRegistry.is_true('kerberos/defaults/dns_lookup_kdc',
True)
if not kdc_fqds or dns_lookup_kdc:
domainname = configRegistry.get('domainname')
kdc_to_check = list(resolve_kdc_record('tcp', domainname))
kdc_to_check.extend(resolve_kdc_record('udp', domainname))
else:
kdc_to_check = [(kdc, 88, 'tcp') for kdc in kdc_fqds]
kdc_to_check.extend((kdc, 88, 'udp') for kdc in kdc_fqds)
kdc_reachabe = [(probe_kdc(kdc, port, protocol, target_realm,
user_name), (kdc, port, protocol))
for (kdc, port, protocol) in kdc_to_check]
reachable_kdc = [(kdc, port, protocol)
for (reachable, (kdc, port, protocol)) in kdc_reachabe
if reachable]
unreachable_kdc = [(kdc, port, protocol)
for (reachable, (kdc, port, protocol)) in kdc_reachabe
if not reachable]
error_descriptions = list()
if unreachable_kdc:
error = _('The following KDCs were unreachable: {}')
unreach_string = ('{} {}:{}'.format(protocol, kdc, port)
for (kdc, port, protocol) in unreachable_kdc)
error_descriptions.append(error.format(', '.join(unreach_string)))
if not reachable_kdc:
is_dc = configRegistry.get('server/role') == 'domaincontroller_master'
is_s4_dc = is_dc and util.is_service_active('Samba 4')
if is_s4_dc and configRegistry.is_true('samba/interfaces/bindonly',
False):
local_included = False
for interface in configRegistry.get('samba/interfaces',
'').split():
try:
addr = ipaddr.IPAddress(interface)
except ValueError:
local_included |= interface == 'lo'
else:
local_included |= addr.is_loopback or addr.is_unspecified
if not local_included:
error = _(
'samba/interfaces does not contain lo, 127.0.0.1 or 0.0.0.0.'
)
error_descriptions.append(error)
description = '\n'.join(error_descriptions)
buttons = [{
'action': 'add_lo_to_samba_interfaces',
'label': _('Add lo to samba/interfaces'),
}, {
'action': 'reset_kerberos_kdc',
'label': _('Reset kerberos/kdc to 127.0.0.1'),
}]
raise Critical(description=description, buttons=buttons)
error_descriptions.append(_('No reachable KDCs were found.'))
description = '\n'.join(error_descriptions)
raise Critical(description=description)
if error_descriptions:
error = '\n'.join(error_descriptions)
MODULE.error(error)
raise Warning(description=error)
if retest:
raise ProblemFixed()
def run(_umc_instance): error_descriptions = [str(error) for error in file_and_permission_checks() if isinstance(error, CheckError)] if error_descriptions: raise Warning(description='\n'.join(error_descriptions))