def deploy_ssh_pubkey(self, username, pubkey):
"""
Deploy authorized_key
"""
path, thumbprint, value = pubkey
if path is None:
raise OSUtilError("Public key path is None")
crytputil = CryptUtil(conf.get_openssl_cmd())
path = self._norm_path(path)
dir_path = os.path.dirname(path)
fileutil.mkdir(dir_path, mode=0o700, owner=username)
if value is not None:
if not value.startswith("ssh-"):
raise OSUtilError("Bad public key: {0}".format(value))
fileutil.write_file(path, value)
elif thumbprint is not None:
lib_dir = conf.get_lib_dir()
crt_path = os.path.join(lib_dir, thumbprint + '.crt')
if not os.path.isfile(crt_path):
raise OSUtilError("Can't find {0}.crt".format(thumbprint))
pub_path = os.path.join(lib_dir, thumbprint + '.pub')
pub = crytputil.get_pubkey_from_crt(crt_path)
fileutil.write_file(pub_path, pub)
self.set_selinux_context(pub_path,
'unconfined_u:object_r:ssh_home_t:s0')
self.openssl_to_openssh(pub_path, path)
fileutil.chmod(pub_path, 0o600)
else:
raise OSUtilError("SSH public key Fingerprint and Value are None")
self.set_selinux_context(path, 'unconfined_u:object_r:ssh_home_t:s0')
fileutil.chowner(path, username)
fileutil.chmod(path, 0o644)
def _get_net_info():
"""
There is no SIOCGIFCONF
on freeBSD - just parse ifconfig.
Returns strings: iface, inet4_addr, and mac
or 'None,None,None' if unable to parse.
We will sleep and retry as the network must be up.
"""
iface = ''
inet = ''
mac = ''
err, output = shellutil.run_get_output('ifconfig -l ether',
chk_err=False)
if err:
raise OSUtilError("Can't find ether interface:{0}".format(output))
ifaces = output.split()
if not ifaces:
raise OSUtilError("Can't find ether interface.")
iface = ifaces[0]
err, output = shellutil.run_get_output('ifconfig ' + iface,
chk_err=False)
if err:
raise OSUtilError("Can't get info for interface:{0}".format(iface))
for line in output.split('\n'):
if line.find('inet ') != -1:
inet = line.split()[1]
elif line.find('ether ') != -1:
mac = line.split()[1]
logger.verbose("Interface info: ({0},{1},{2})", iface, inet, mac)
return iface, inet, mac
def get_total_mem(self):
ret, output = shellutil.run_get_output("sysctl -n hw.physmem")
if ret:
raise OSUtilError("Failed to get total memory: {0}".format(output))
try:
return int(output) / 1024 / 1024
except ValueError:
raise OSUtilError("Failed to get total memory: {0}".format(output))
def get_processor_cores(self):
ret, output = shellutil.run_get_output("sysctl -n hw.ncpu")
if ret:
raise OSUtilError("Failed to get processor cores.")
try:
return int(output)
except ValueError:
raise OSUtilError("Failed to get total memory: {0}".format(output))
def get_total_mem(self):
cmd = "sysctl hw.physmem |awk '{print $2}'"
ret, output = shellutil.run_get_output(cmd)
if ret:
raise OSUtilError("Failed to get total memory: {0}".format(output))
try:
return int(output) / 1024 / 1024
except ValueError:
raise OSUtilError("Failed to get total memory: {0}".format(output))
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
if self.is_sys_user(username):
raise OSUtilError(("User {0} is a system user, "
"will not set password.").format(username))
passwd_hash = textutil.gen_password_hash(password, crypt_id, salt_len)
cmd = "usermod -p '{0}' {1}".format(passwd_hash, username)
ret, output = shellutil.run_get_output(cmd, log_cmd=False)
if ret != 0:
raise OSUtilError(("Failed to set password for {0}: {1}"
"").format(username, output))
def _get_netstat_rn_ipv4_routes():
"""
Runs `netstat -rn -f inet` and parses its output and returns a list of routes where the key is the column name
and the value is the value in the column, stripped of leading and trailing whitespace.
:return: List of dictionaries representing routes in the ipv4 route priority list from `netstat -rn -f inet`
:rtype: list(dict)
"""
cmd = ["netstat", "-rn", "-f", "inet"]
output = shellutil.run_command(cmd, log_error=True)
output_lines = output.split("\n")
if len(output_lines) < 3:
raise OSUtilError(
"`netstat -rn -f inet` output seems to be empty")
output_lines = [line.strip() for line in output_lines if line]
if "Internet:" not in output_lines:
raise OSUtilError(
"`netstat -rn -f inet` output seems to contain no ipv4 routes"
)
route_header_line = output_lines.index("Internet:") + 1
# Parse the file structure and left justify the routes
route_start_line = route_header_line + 1
route_line_length = max(
[len(line) for line in output_lines[route_header_line:]])
netstat_route_list = [
line.ljust(route_line_length)
for line in output_lines[route_start_line:]
]
# Parse the headers
_route_headers = output_lines[route_header_line].split()
n_route_headers = len(_route_headers)
route_columns = {}
for i in range(0, n_route_headers - 1):
route_columns[_route_headers[i]] = (
output_lines[route_header_line].index(_route_headers[i]),
(output_lines[route_header_line].index(
_route_headers[i + 1]) - 1))
route_columns[_route_headers[n_route_headers - 1]] = (
output_lines[route_header_line].index(
_route_headers[n_route_headers - 1]), None)
# Parse the routes
netstat_routes = []
n_netstat_routes = len(netstat_route_list)
for i in range(0, n_netstat_routes):
netstat_route = {}
for column in route_columns:
netstat_route[column] = netstat_route_list[
i][route_columns[column][0]:route_columns[column]
[1]].strip()
netstat_route["Metric"] = n_netstat_routes - i
netstat_routes.append(netstat_route)
# Return the Sections
return netstat_routes
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
if self.is_sys_user(username):
raise OSUtilError(("User {0} is a system user. "
"Will not set passwd.").format(username))
cmd = "echo -n {0}|encrypt".format(password)
ret, output = shellutil.run_get_output(cmd, log_cmd=False)
if ret != 0:
raise OSUtilError(("Failed to encrypt password for {0}: {1}"
"").format(username, output))
passwd_hash = output.strip()
cmd = "usermod -p '{0}' {1}".format(passwd_hash, username)
ret, output = shellutil.run_get_output(cmd, log_cmd=False)
if ret != 0:
raise OSUtilError(("Failed to set password for {0}: {1}"
"").format(username, output))
def mount_dvd(self,
max_retry=6,
chk_err=True,
dvd_device=None,
mount_point=None,
sleep_time=5):
if dvd_device is None:
dvd_device = self.get_dvd_device()
if mount_point is None:
mount_point = conf.get_dvd_mount_point()
if not os.path.isdir(mount_point):
os.makedirs(mount_point)
for retry in range(0, max_retry):
retcode = self.mount(dvd_device,
mount_point,
option="-o ro -t udf",
chk_err=False)
if retcode == 0:
logger.info("Successfully mounted DVD")
return
if retry < max_retry - 1:
mountlist = shellutil.run_get_output("/sbin/mount")[1]
existing = self.get_mount_point(mountlist, dvd_device)
if existing is not None:
logger.info("{0} is mounted at {1}", dvd_device, existing)
return
logger.warn("Mount DVD failed: retry={0}, ret={1}", retry,
retcode)
time.sleep(sleep_time)
if chk_err:
raise OSUtilError("Failed to mount DVD.")
def mount_dvd(self,
max_retry=6,
chk_err=True,
dvd_device=None,
mount_point=None):
if dvd_device is None:
dvd_device = self.get_dvd_device()
if mount_point is None:
mount_point = conf.get_dvd_mount_point()
mountlist = shellutil.run_get_output("mount")[1]
existing = self.get_mount_point(mountlist, dvd_device)
if existing is not None: #Already mounted
logger.info("{0} is already mounted at {1}", dvd_device, existing)
return
if not os.path.isdir(mount_point):
os.makedirs(mount_point)
for retry in range(0, max_retry):
retcode = self.mount(dvd_device,
mount_point,
option="-o ro -t udf,iso9660",
chk_err=chk_err)
if retcode == 0:
logger.info("Successfully mounted dvd")
return
if retry < max_retry - 1:
logger.warn("Mount dvd failed: retry={0}, ret={1}", retry,
retcode)
time.sleep(5)
if chk_err:
raise OSUtilError("Failed to mount dvd.")
def __init__(self):
super(NSBSDOSUtil, self).__init__()
if self.resolver is None:
# NSBSD doesn't have a system resolver, configure a python one
try:
import dns.resolver
except ImportError:
raise OSUtilError(
"Python DNS resolver not available. Cannot proceed!")
self.resolver = dns.resolver.Resolver()
servers = []
cmd = "getconf /usr/Firewall/ConfigFiles/dns Servers | tail -n +2"
ret, output = shellutil.run_get_output(cmd)
for server in output.split("\n"):
if server == '':
break
server = server[:-1] # remove last '='
cmd = "grep '{}' /etc/hosts".format(
server) + " | awk '{print $1}'"
ret, ip = shellutil.run_get_output(cmd)
servers.append(ip)
self.resolver.nameservers = servers
dns.resolver.override_system_resolver(self.resolver)
def _set_wireserver_endpoint(self, endpoint):
try:
self.endpoint = endpoint
file_path = self._get_wireserver_endpoint_file_path()
fileutil.write_file(file_path, endpoint)
except (IOError, OSError) as e:
raise OSUtilError(ustr(e))
def set_scsi_disks_timeout(self, timeout):
pattern = r'^set sd:sd_io_time *= *(.*)$'
#
# Since changes to this setting require a reboot to take effect,
# we're careful to only change the value and print the warning
# message if the current value is different than the desired
# value. Essentially, we only want to print the warning message
# that suggest a reboot is required, if we actually modify the
# value that's already set; otherwise, we could unnecessarily
# suggest rebooting the system when that's not actually necessary.
#
for sf in ['/etc/system', '/etc/system.d/.self-assembly']:
if not os.path.isfile(sf): continue
match = fileutil.findre_in_file(sf, pattern)
if match:
try:
current = int(match.group(1))
except ValueError:
raise OSUtilError(
'Unable to parse existing SCSI disk timeout: "{0}".'.
format(match.group(1)))
if current == int(timeout):
return
logger.warn(
'Updating SCSI disk timeout to desired value of "{0}", reboot required to take effect.'
.format(timeout))
fileutil.write_file('/etc/system.d/system:virtualization:azure-agent',
'set sd:sd_io_time = {0}\n'.format(timeout))
def get_processor_cores(self):
ret = shellutil.run_get_output(
"grep 'processor.*:' /proc/cpuinfo |wc -l")
if ret[0] == 0:
return int(ret[1])
else:
raise OSUtilError("Failed to get processor cores")
def get_total_mem(self):
cmd = "grep MemTotal /proc/meminfo |awk '{print $2}'"
ret = shellutil.run_get_output(cmd)
if ret[0] == 0:
return int(ret[1]) / 1024
else:
raise OSUtilError("Failed to get total memory: {0}".format(ret[1]))
def useradd(self, username, expiration=None, comment=None):
"""Create user account using tmsh
Our policy is to create two accounts when booting a BIG-IP instance.
The first account is the one that the user specified when they did
the instance creation. The second one is the admin account that is,
or should be, built in to the system.
:param username: The username that you want to add to the system
:param expiration: The expiration date to use. We do not use this
value.
:param comment: description of the account. We do not use this value.
"""
if self.get_userentry(username):
logger.info("User {0} already exists, skip useradd", username)
return None
cmd = "/usr/bin/tmsh create auth user %s partition-access add { all-partitions { role admin } } shell bash" % (
username)
retcode, out = shellutil.run_get_output(cmd,
log_cmd=True,
chk_err=True)
if retcode != 0:
raise OSUtilError(
"Failed to create user account:{0}, retcode:{1}, output:{2}".
format(username, retcode, out))
self._save_sys_config()
return retcode
def conf_sudoer(self, username, nopasswd=False, remove=False):
doas_conf = "/etc/doas.conf"
doas = None
if not remove:
if not os.path.isfile(doas_conf):
# always allow root to become root
doas = "permit keepenv nopass root\n"
fileutil.append_file(doas_conf, doas)
if nopasswd:
doas = "permit keepenv nopass {0}\n".format(username)
else:
doas = "permit keepenv persist {0}\n".format(username)
fileutil.append_file(doas_conf, doas)
fileutil.chmod(doas_conf, 0o644)
else:
# Remove user from doas.conf
if os.path.isfile(doas_conf):
try:
content = fileutil.read_file(doas_conf)
doas = content.split("\n")
doas = [x for x in doas if username not in x]
fileutil.write_file(doas_conf, "\n".join(doas))
except IOError as err:
raise OSUtilError("Failed to remove sudoer: "
"{0}".format(err))
def umount_dvd(self, chk_err=True, mount_point=None):
if mount_point is None:
mount_point = conf.get_dvd_mount_point()
return_code = self.umount(mount_point, chk_err=chk_err)
if chk_err and return_code != 0:
raise OSUtilError("Failed to unmount dvd device at {0}",
mount_point)
def _wait_until_mcpd_is_initialized(self):
"""Wait for mcpd to become available
All configuration happens in mcpd so we need to wait that this is
available before we go provisioning the system. I call this method
at the first opportunity I have (during the DVD mounting call).
This ensures that the rest of the provisioning does not need to wait
for mcpd to be available unless it absolutely wants to.
:return bool: Returns True upon success
:raises OSUtilError: Raises exception if mcpd does not come up within
roughly 50 minutes (100 * 30 seconds)
"""
for retries in range(1, 100):
# Retry until mcpd completes startup:
logger.info("Checking to see if mcpd is up")
rc = shellutil.run(
"/usr/bin/tmsh -a show sys mcp-state field-fmt 2>/dev/null | grep phase | grep running",
chk_err=False)
if rc == 0:
logger.info("mcpd is up!")
break
time.sleep(30)
if rc == 0:
return True
raise OSUtilError(
"mcpd hasn't completed initialization! Cannot proceed!")
def conf_sudoer(self, username, nopasswd=False, remove=False):
sudoers_dir = conf.get_sudoers_dir()
sudoers_wagent = os.path.join(sudoers_dir, 'waagent')
if not remove:
# for older distros create sudoers.d
if not os.path.isdir(sudoers_dir):
sudoers_file = os.path.join(sudoers_dir, '../sudoers')
# create the sudoers.d directory
os.mkdir(sudoers_dir)
# add the include of sudoers.d to the /etc/sudoers
sudoers = '\n#includedir ' + sudoers_dir + '\n'
fileutil.append_file(sudoers_file, sudoers)
sudoer = None
if nopasswd:
sudoer = "{0} ALL=(ALL) NOPASSWD: ALL\n".format(username)
else:
sudoer = "{0} ALL=(ALL) ALL\n".format(username)
fileutil.append_file(sudoers_wagent, sudoer)
fileutil.chmod(sudoers_wagent, 0o440)
else:
#Remove user from sudoers
if os.path.isfile(sudoers_wagent):
try:
content = fileutil.read_file(sudoers_wagent)
sudoers = content.split("\n")
sudoers = [x for x in sudoers if username not in x]
fileutil.write_file(sudoers_wagent, "\n".join(sudoers))
except IOError as e:
raise OSUtilError("Failed to remove sudoer: {0}".format(e))
def set_scsi_disks_timeout(self, timeout):
if self._scsi_disks_timeout_set:
return
ret, output = shellutil.run_get_output('sysctl kern.cam.da.default_timeout={0}'.format(timeout))
if ret:
raise OSUtilError("Failed set SCSI disks timeout: {0}".format(output))
self._scsi_disks_timeout_set = True
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
logger.info('chpasswd')
passwd_hash = textutil.gen_password_hash(password, crypt_id, salt_len)
ret, out = self._run_clish('set user admin password-hash ' +
passwd_hash)
if ret != 0:
raise OSUtilError(("Failed to set password for {0}: {1}"
"").format('admin', out))
def openssl_to_openssh(self, input_file, output_file):
pubkey = fileutil.read_file(input_file)
try:
cryptutil = CryptUtil(conf.get_openssl_cmd())
ssh_rsa_pubkey = cryptutil.asn1_to_ssh(pubkey)
except CryptError as e:
raise OSUtilError(ustr(e))
fileutil.append_file(output_file, ssh_rsa_pubkey)
def get_dvd_device(self, dev_dir='/dev'):
cmd = "rmformat -l | grep 'Logical Node' | awk '{print $NF}' | sed -e 's/rdsk/dsk/'"
ret = shellutil.run_get_output(cmd)
if ret[0] == 0:
device = ret[1].strip()
logger.info('Using dvd device: "{0}"'.format(device))
return device
else:
raise OSUtilError('Failed to determine DVD device.')
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
if self.is_sys_user(username):
raise OSUtilError(("User {0} is a system user, "
"will not set password.").format(username))
passwd_hash = textutil.gen_password_hash(password, crypt_id, salt_len)
self._run_command_raising_OSUtilError(
['pw', 'usermod', username, '-H', '0'],
cmd_input=passwd_hash,
err_msg="Failed to set password for {0}".format(username))
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
"""Change a user's password with tmsh
Since we are creating the user specified account and additionally
changing the password of the built-in 'admin' account, both must
be modified in this method.
Note that the default method also checks for a "system level" of the
user; based on the value of UID_MIN in /etc/login.defs. In our env,
all user accounts have the UID 0. So we can't rely on this value.
:param username: The username whose password to change
:param password: The unencrypted password to set for the user
:param crypt_id: If encrypting the password, the crypt_id that was used
:param salt_len: If encrypting the password, the length of the salt
value used to do it.
"""
# Start by setting the password of the user provided account
cmd = "/usr/bin/tmsh modify auth user {0} password '{1}'".format(
username, password)
ret, output = shellutil.run_get_output(cmd,
log_cmd=False,
chk_err=True)
if ret != 0:
raise OSUtilError("Failed to set password for {0}: {1}".format(
username, output))
# Next, set the password of the built-in 'admin' account to be have
# the same password as the user provided account
userentry = self.get_userentry('admin')
if userentry is None:
raise OSUtilError("The 'admin' user account was not found!")
cmd = "/usr/bin/tmsh modify auth user 'admin' password '{0}'".format(
password)
ret, output = shellutil.run_get_output(cmd,
log_cmd=False,
chk_err=True)
if ret != 0:
raise OSUtilError(
"Failed to set password for 'admin': {0}".format(output))
self._save_sys_config()
return ret
def _set_wireserver_endpoint(self, endpoint):
self.lock_wireserver_endpoint.acquire()
try:
self.endpoint = endpoint
file_path = self._get_wireserver_endpoint_file_path()
fileutil.write_file(file_path, endpoint)
except (IOError, OSError) as e:
raise OSUtilError(ustr(e))
finally:
self.lock_wireserver_endpoint.release()
def del_root_password(self):
try:
passwd_file_path = conf.get_passwd_file_path()
passwd_content = fileutil.read_file(passwd_file_path)
passwd = passwd_content.split('\n')
new_passwd = [x for x in passwd if not x.startswith("root:")]
new_passwd.insert(0, "root:*LOCK*:14600::::::")
fileutil.write_file(passwd_file_path, "\n".join(new_passwd))
except IOError as e:
raise OSUtilError("Failed to delete root password:{0}".format(e))
def get_dvd_device(self, dev_dir='/dev'):
pattern = r'(sr[0-9]|hd[c-z]|cdrom[0-9]|cd[0-9])'
device_list = os.listdir(dev_dir)
for dvd in [re.match(pattern, dev) for dev in device_list]:
if dvd is not None:
return "/dev/{0}".format(dvd.group(0))
inner_detail = "The following devices were found, but none matched " \
"the pattern [{0}]: {1}\n".format(pattern, device_list)
raise OSUtilError(msg="Failed to get dvd device from {0}".format(dev_dir),
inner=inner_detail)
def chpasswd(self, username, password, crypt_id=6, salt_len=10):
cmd = "/usr/Firewall/sbin/fwpasswd -p {0}".format(password)
ret, output = shellutil.run_get_output(cmd, log_cmd=False)
if ret != 0:
raise OSUtilError(("Failed to set password for admin: {0}"
"").format(output))
# password set, activate webadmin and ssh access
shellutil.run(
'setconf /usr/Firewall/ConfigFiles/webadmin ACL any && ensl',
chk_err=False)