def run(_umc_instance, url='http://www.univention.de/', connecttimeout=30, timeout=30): ucr.load() proxy = ucr.get('proxy/http') if not proxy: return proxy = urlparse(proxy) MODULE.info('The proxy is configured, using host=%r, port=%r' % (proxy.hostname, proxy.port)) curl = pycurl.Curl() curl.setopt(pycurl.PROXYTYPE, pycurl.PROXYTYPE_HTTP) if proxy.hostname: curl.setopt(pycurl.PROXY, proxy.hostname) if proxy.port: curl.setopt(pycurl.PROXYPORT, proxy.port) curl.setopt(pycurl.FOLLOWLOCATION, True) curl.setopt(pycurl.MAXREDIRS, 5) curl.setopt(pycurl.CONNECTTIMEOUT, connecttimeout) curl.setopt(pycurl.TIMEOUT, 30) if proxy.username: curl.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY) credentials = '%s' % (proxy.username, ) if proxy.password: credentials = '%s:%s' % (proxy.username, proxy.password) curl.setopt(pycurl.PROXYUSERPWD, credentials) curl.setopt(pycurl.URL, url) # curl.setopt(pycurl.VERBOSE, bVerbose) buf = io.StringIO() curl.setopt(pycurl.WRITEFUNCTION, buf.write) MODULE.process(''.join("Trying to connect to %s via HTTP proxy %s" % (url, proxy))) try: curl.perform() except pycurl.error as exc: try: code, msg = exc.args msg = '%s (code=%s)' % (msg, code) MODULE.info(msg) except ValueError: MODULE.error(traceback.format_exc()) code = 0 msg = str(exc) if code == pycurl.E_COULDNT_CONNECT: msg = _( 'The proxy host could not be reached. Make sure that hostname (%(hostname)r) and port (%(port)r) are correctly set up.' ) % { 'hostname': proxy.hostname, 'port': proxy.port } elif code == pycurl.E_COULDNT_RESOLVE_PROXY: msg = _( 'The hostname of the proxy could not be resolved. May check your DNS configuration.' ) elif code == pycurl.E_OPERATION_TIMEOUTED: msg = _( 'The server did not respond within %d seconds. Please check your network configuration.' ) % (timeout, ) elif code == 0: MODULE.error(traceback.format_exc()) MODULE.error('\n'.join([description, msg])) raise Critical('\n'.join([description, msg])) else: # page = buf.getvalue() # MODULE.info(page[:100]) buf.close() http_status = curl.getinfo(pycurl.HTTP_CODE) if http_status >= 400: warning = '\n'.join([ description, _('The proxy server is reachable but the HTTP response status code (%d) does not indicate success.' ) % (http_status, ), _('This warning might be harmless. Nevertheless make sure the authentication credentials (if any) are correct and the proxy server ACLs do not forbid requests to %s.' ) % (url, ) ]) MODULE.warn(warning) raise Warning(warning) finally: curl.close()
def run(_umc_instance): # Now a workaround for paramico logging to connector-s4.log # because one of the diagnostic plugins instantiates s4connector.s4.s4() # which initializes univention.debug2, which initializes logging.basicConfig logger = paramiko.util.logging.getLogger() logger.setLevel(logging.CRITICAL) try: lo, position = uldap.getMachineConnection(ldap_master=False) except Exception as err: raise Warning(str(err)) modules.update() ucs_hosts = [] roles = [ 'computers/domaincontroller_backup', 'computers/domaincontroller_master', 'computers/domaincontroller_slave', 'computers/memberserver' ] for role in roles: udm_obj = modules.get(role) modules.init(lo, position, udm_obj) for host in udm_obj.lookup(None, lo, 'cn=*'): if 'docker' in host.oldattr.get('univentionObjectFlag', []): continue if not host.get('ip'): continue host.open() ucs_hosts.append(host['name']) with open('/etc/machine.secret', 'rb') as fd: password = fd.read().strip() gen_msg = _('The ssh connection to at least one other UCS server failed. ') gen_msg += _( 'The following list shows the affected remote servers and the reason for the failed ssh connection:' ) key_msg = _('Host key for server does not match') key_info = _( 'The ssh host key of the remote server has changed (maybe the host was reinstalled). ' ) key_info += _( 'Please repair the host key of the remote server in /root/.ssh/known_hosts on %(fqdn)s.' ) auth_msg = _('Machine authentication failed') auth_info = _( 'Login to the remote server with the uid %(uid)s and the password from /etc/machine.secret failed. ' ) auth_info += _( 'Please check /var/log/auth.log on the remote server for further information.' ) bad = dict() key_failed = False auth_failed = False data = dict(fqdn=ucr['hostname'] + '.' + ucr['domainname'], uid=ucr['hostname'] + '$', hostname=ucr['hostname']) for host in ucs_hosts: client = paramiko.SSHClient() client.load_system_host_keys() client.set_missing_host_key_policy(IgnorePolicy()) fqdn = host + '.' + ucr['domainname'] try: client.connect(fqdn, port=22, username=ucr['hostname'] + '$', password=password, timeout=2, banner_timeout=2, allow_agent=False) client.close() except paramiko.BadHostKeyException as err: bad[fqdn] = key_msg + '!' key_failed = True except paramiko.BadAuthenticationType as err: bad[fqdn] = auth_msg + '!' auth_failed = True except (paramiko.SSHException, socket.timeout) as err: # ignore if host is not reachable and other ssh errors pass except Exception as err: bad[fqdn] = str(err) if bad: msg = gen_msg msg += '\n\n' for host in bad: msg += '%s - %s\n' % (host, bad[host]) if key_failed: msg += '\n' + key_msg + ' - ' + key_info + '\n' if auth_failed: msg += '\n' + auth_msg + ' - ' + auth_info + '\n' msg += '\n' log_msg = msg.splitlines() for line in log_msg: if not re.match(r'^\s*$', line): MODULE.error("%s" % line) MODULE.error("%s" % data) raise Critical(msg % data)
def run(_umc_instance, retest=False): configRegistry = univention.config_registry.ConfigRegistry() configRegistry.load() target_realm = configRegistry.get('kerberos/realm') user_name = 'kdc-reachability-check' kdc_fqds = configRegistry.get('kerberos/kdc', '').split() dns_lookup_kdc = configRegistry.is_true('kerberos/defaults/dns_lookup_kdc', True) if not kdc_fqds or dns_lookup_kdc: domainname = configRegistry.get('domainname') kdc_to_check = list(resolve_kdc_record('tcp', domainname)) kdc_to_check.extend(resolve_kdc_record('udp', domainname)) else: kdc_to_check = [(kdc, 88, 'tcp') for kdc in kdc_fqds] kdc_to_check.extend((kdc, 88, 'udp') for kdc in kdc_fqds) kdc_reachabe = [(probe_kdc(kdc, port, protocol, target_realm, user_name), (kdc, port, protocol)) for (kdc, port, protocol) in kdc_to_check] reachable_kdc = [(kdc, port, protocol) for (reachable, (kdc, port, protocol)) in kdc_reachabe if reachable] unreachable_kdc = [(kdc, port, protocol) for (reachable, (kdc, port, protocol)) in kdc_reachabe if not reachable] error_descriptions = list() if unreachable_kdc: error = _('The following KDCs were unreachable: {}') unreach_string = ('{} {}:{}'.format(protocol, kdc, port) for (kdc, port, protocol) in unreachable_kdc) error_descriptions.append(error.format(', '.join(unreach_string))) if not reachable_kdc: is_dc = configRegistry.get('server/role') == 'domaincontroller_master' is_s4_dc = is_dc and util.is_service_active('Samba 4') if is_s4_dc and configRegistry.is_true('samba/interfaces/bindonly', False): local_included = False for interface in configRegistry.get('samba/interfaces', '').split(): try: addr = ipaddr.IPAddress(interface) except ValueError: local_included |= interface == 'lo' else: local_included |= addr.is_loopback or addr.is_unspecified if not local_included: error = _( 'samba/interfaces does not contain lo, 127.0.0.1 or 0.0.0.0.' ) error_descriptions.append(error) description = '\n'.join(error_descriptions) buttons = [{ 'action': 'add_lo_to_samba_interfaces', 'label': _('Add lo to samba/interfaces'), }, { 'action': 'reset_kerberos_kdc', 'label': _('Reset kerberos/kdc to 127.0.0.1'), }] raise Critical(description=description, buttons=buttons) error_descriptions.append(_('No reachable KDCs were found.')) description = '\n'.join(error_descriptions) raise Critical(description=description) if error_descriptions: error = '\n'.join(error_descriptions) MODULE.error(error) raise Warning(description=error) if retest: raise ProblemFixed()
def run(_umc_instance): error_descriptions = [str(error) for error in file_and_permission_checks() if isinstance(error, CheckError)] if error_descriptions: raise Warning(description='\n'.join(error_descriptions))