def __init__(self, stream, gate):
aj.worker = self
self.stream = stream
self.gate = gate
aj.master = False
os.setpgrp()
setproctitle.setproctitle('%s worker [%s]' %
(sys.argv[0], self.gate.name))
set_log_params(tag=self.gate.log_tag)
init_log_forwarding(self.send_log_event)
logging.info(
'New worker "%s" PID %s, EUID %s, EGID %s',
self.gate.name,
os.getpid(),
os.geteuid(),
os.getegid(),
)
self.context = Context(parent=aj.context)
self.context.session = self.gate.session
self.context.worker = self
self.handler = HttpMiddlewareAggregator([
AuthenticationMiddleware.get(self.context),
CentralDispatcher.get(self.context),
])
self._master_config_reloaded = Event()
def __init__(self, stream, gate):
self.stream = stream
self.gate = gate
aj.master = False
os.setpgrp()
setproctitle.setproctitle(
'%s worker [%s]' % (
sys.argv[0],
self.gate.name
)
)
set_log_params(tag=self.gate.log_tag)
init_log_forwarding(self.send_log_event)
logging.info(
'New worker "%s" PID %s, EUID %s, EGID %s',
self.gate.name,
os.getpid(),
os.geteuid(),
os.getegid(),
)
self.context = Context(parent=aj.context)
self.context.session = self.gate.session
self.context.worker = self
self.handler = HttpMiddlewareAggregator([
AuthenticationMiddleware.get(self.context),
CentralDispatcher.get(self.context),
])
self._master_config_reloaded = Event()
def handle_http_request(self, rq):
response_object = {
'type': 'http',
}
try:
http_context = HttpContext.deserialize(
rq.object['context'].encode())
logging.debug(' ... %s %s', http_context.method,
http_context.path)
# Generate response
stack = HttpMiddleware.all(self.context)
content = HttpMiddlewareAggregator(stack + [self.handler]).handle(
http_context)
# ---
http_context.add_header('X-Worker-Name', str(self.gate.name))
response_object['content'] = list(content)
response_object['status'] = http_context.status
response_object['headers'] = http_context.headers
self.stream.reply(rq, response_object)
# pylint: disable=W0703
except Exception as e:
logging.error(traceback.format_exc())
response_object.update({
'error': str(e),
'exception': repr(e),
})
self.stream.reply(rq, response_object)
class Worker(object):
def __init__(self, stream, gate):
aj.worker = self
self.stream = stream
self.gate = gate
aj.master = False
os.setpgrp()
setproctitle.setproctitle('%s worker [%s]' %
(sys.argv[0], self.gate.name))
set_log_params(tag=self.gate.log_tag)
init_log_forwarding(self.send_log_event)
logging.info(
'New worker "%s" PID %s, EUID %s, EGID %s',
self.gate.name,
os.getpid(),
os.geteuid(),
os.getegid(),
)
self.context = Context(parent=aj.context)
self.context.session = self.gate.session
self.context.worker = self
self.handler = HttpMiddlewareAggregator([
AuthenticationMiddleware.get(self.context),
CentralDispatcher.get(self.context),
])
self._master_config_reloaded = Event()
def demote(self, uid):
try:
username = pwd.getpwuid(uid).pw_name
gid = pwd.getpwuid(uid).pw_gid
except KeyError:
username = None
gid = uid
if os.getuid() == uid:
return
else:
if os.getuid() != 0:
logging.warn(
'Running as a limited user, setuid() unavailable!')
return
logging.info('Worker %s is demoting to UID %s / GID %s...',
os.getpid(), uid, gid)
groups = [
g.gr_gid for g in grp.getgrall()
if username in g.gr_mem or g.gr_gid == gid
]
os.setgroups(groups)
os.setgid(gid)
os.setuid(uid)
logging.info('...done, new EUID %s EGID %s', os.geteuid(),
os.getegid())
def run(self):
if self.gate.restricted:
restricted_user = aj.config.data['restricted_user']
self.demote(pwd.getpwnam(restricted_user).pw_uid)
else:
if self.gate.initial_identity:
AuthenticationService.get(self.context).login(
self.gate.initial_identity, demote=True)
try:
socket_namespaces = {}
while True:
rq = self.stream.recv()
if not rq:
return
if rq.object['type'] == 'http':
gevent.spawn(self.handle_http_request, rq)
if rq.object['type'] == 'socket':
msg = rq.object['message']
nsid = rq.object['namespace']
event = rq.object['event']
if event == 'connect':
socket_namespaces[nsid] = WorkerSocketNamespace(
self.context, nsid)
socket_namespaces[nsid].process_event(event, msg)
if event == 'disconnect':
socket_namespaces[nsid].destroy()
logging.debug(
'Socket disconnected, destroying endpoints')
if rq.object['type'] == 'config-data':
aj.config.data = rq.object['data']
self._master_config_reloaded.set()
# pylint: disable=W0703
except Exception:
logging.error('Worker crashed!')
traceback.print_exc()
def terminate(self):
self.send_to_upstream({
'type': 'terminate',
})
def restart_master(self):
self.send_to_upstream({
'type': 'restart-master',
})
def reload_master_config(self):
self.send_to_upstream({
'type': 'reload-config',
})
self._master_config_reloaded.wait()
self._master_config_reloaded.clear()
def send_log_event(self, method, message, *args, **kwargs):
self.send_to_upstream({
'type': 'log',
'method': method,
'message': message % args,
'kwargs': kwargs,
})
def handle_http_request(self, rq):
response_object = {
'type': 'http',
}
try:
http_context = HttpContext.deserialize(rq.object['context'])
logging.debug(' ... %s %s', http_context.method,
http_context.path)
# Generate response
content = self.handler.handle(http_context)
# ---
http_context.add_header('X-Worker-Name', str(self.gate.name))
response_object['content'] = list(content)
response_object['status'] = http_context.status
response_object['headers'] = http_context.headers
self.stream.reply(rq, response_object)
# pylint: disable=W0703
except Exception as e:
logging.error(traceback.format_exc())
response_object.update({
'error': str(e),
'exception': repr(e),
})
self.stream.reply(rq, response_object)
def send_to_upstream(self, obj):
self.stream.reply(None, obj)
class Worker(object):
def __init__(self, stream, gate):
self.stream = stream
self.gate = gate
aj.master = False
os.setpgrp()
setproctitle.setproctitle(
'%s worker [%s]' % (
sys.argv[0],
self.gate.name
)
)
set_log_params(tag=self.gate.log_tag)
init_log_forwarding(self.send_log_event)
logging.info(
'New worker "%s" PID %s, EUID %s, EGID %s',
self.gate.name,
os.getpid(),
os.geteuid(),
os.getegid(),
)
self.context = Context(parent=aj.context)
self.context.session = self.gate.session
self.context.worker = self
self.handler = HttpMiddlewareAggregator([
AuthenticationMiddleware.get(self.context),
CentralDispatcher.get(self.context),
])
self._master_config_reloaded = Event()
def demote(self, uid):
try:
username = pwd.getpwuid(uid).pw_name
gid = pwd.getpwuid(uid).pw_gid
except KeyError:
username = None
gid = uid
if os.getuid() == uid:
return
else:
if os.getuid() != 0:
logging.warn('Running as a limited user, setuid() unavailable!')
return
logging.info(
'Worker %s is demoting to UID %s / GID %s...',
os.getpid(),
uid,
gid
)
groups = [
g.gr_gid
for g in grp.getgrall()
if username in g.gr_mem or g.gr_gid == gid
]
os.setgroups(groups)
os.setgid(gid)
os.setuid(uid)
logging.info(
'...done, new EUID %s EGID %s',
os.geteuid(),
os.getegid()
)
def run(self):
if self.gate.restricted:
restricted_user = aj.config.data['restricted_user']
self.demote(pwd.getpwnam(restricted_user).pw_uid)
else:
if self.gate.initial_identity:
AuthenticationService.get(self.context).login(
self.gate.initial_identity, demote=True
)
try:
socket_namespaces = {}
while True:
rq = self.stream.recv()
if not rq:
return
if rq.object['type'] == 'http':
gevent.spawn(self.handle_http_request, rq)
if rq.object['type'] == 'socket':
msg = rq.object['message']
nsid = rq.object['namespace']
event = rq.object['event']
if event == 'connect':
socket_namespaces[nsid] = WorkerSocketNamespace(
self.context, nsid
)
socket_namespaces[nsid].process_event(event, msg)
if event == 'disconnect':
socket_namespaces[nsid].destroy()
logging.debug('Socket disconnected, destroying endpoints')
if rq.object['type'] == 'config-data':
aj.config.data = rq.object['data']
self._master_config_reloaded.set()
# pylint: disable=W0703
except Exception:
logging.error('Worker crashed!')
traceback.print_exc()
def terminate(self):
self.send_to_upstream({
'type': 'terminate',
})
def restart_master(self):
self.send_to_upstream({
'type': 'restart-master',
})
def reload_master_config(self):
self.send_to_upstream({
'type': 'reload-config',
})
self._master_config_reloaded.wait()
self._master_config_reloaded.clear()
def send_log_event(self, method, message, *args, **kwargs):
self.send_to_upstream({
'type': 'log',
'method': method,
'message': message % args,
'kwargs': kwargs,
})
def handle_http_request(self, rq):
response_object = {
'type': 'http',
}
try:
http_context = HttpContext.deserialize(rq.object['context'])
logging.debug(
' ... %s %s',
http_context.method,
http_context.path
)
# Generate response
content = self.handler.handle(http_context)
# ---
http_context.add_header('X-Worker-Name', str(self.gate.name))
response_object['content'] = list(content)
response_object['status'] = http_context.status
response_object['headers'] = http_context.headers
self.stream.reply(rq, response_object)
# pylint: disable=W0703
except Exception as e:
logging.error(traceback.format_exc())
response_object.update({
'error': str(e),
'exception': repr(e),
})
self.stream.reply(rq, response_object)
def send_to_upstream(self, obj):
self.stream.reply(None, obj)
def run(config=None, plugin_providers=None, product_name='ajenti', dev_mode=False,
debug_mode=False, autologin=False):
"""
A global entry point for Ajenti.
:param config: config file implementation instance to use
:type config: :class:`aj.config.BaseConfig`
:param plugin_providers: list of plugin providers to load plugins from
:type plugin_providers: list(:class:`aj.plugins.PluginProvider`)
:param str product_name: a product name to use
:param bool dev_mode: enables dev mode (automatic resource recompilation)
:param bool debug_mode: enables debug mode (verbose and extra logging)
:param bool autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE.
"""
if config is None:
raise TypeError('`config` can\'t be None')
reload(sys)
if hasattr(sys, 'setdefaultencoding'):
sys.setdefaultencoding('utf8')
aj.product = product_name
aj.debug = debug_mode
aj.dev = dev_mode
aj.dev_autologin = autologin
aj.init()
aj.log.set_log_params(tag='master', master_pid=os.getpid())
aj.context = Context()
aj.config = config
aj.plugin_providers = plugin_providers or []
logging.info('Loading config from %s', aj.config)
aj.config.load()
aj.config.ensure_structure()
if aj.debug:
logging.warning('Debug mode')
if aj.dev:
logging.warning('Dev mode')
try:
locale.setlocale(locale.LC_ALL, '')
except locale.Error:
logging.warning('Couldn\'t set default locale')
# install a passthrough gettext replacement since all localization is handled in frontend
# and _() is here only for string extraction
__builtins__['_'] = lambda x: x
logging.info('Ajenti Core %s', aj.version)
logging.info('Master PID - %s', os.getpid())
logging.info('Detected platform: %s / %s', aj.platform, aj.platform_string)
logging.info('Python version: %s', aj.python_version)
# Load plugins
PluginManager.get(aj.context).load_all_from(aj.plugin_providers)
if len(PluginManager.get(aj.context)) == 0:
logging.warning('No plugins were loaded!')
if aj.config.data['bind']['mode'] == 'unix':
path = aj.config.data['bind']['socket']
if os.path.exists(path):
os.unlink(path)
listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
try:
listener.bind(path)
except OSError:
logging.error('Could not bind to %s', path)
sys.exit(1)
if aj.config.data['bind']['mode'] == 'tcp':
host = aj.config.data['bind']['host']
port = aj.config.data['bind']['port']
listener = socket.socket(
socket.AF_INET6 if ':' in host else socket.AF_INET, socket.SOCK_STREAM
)
if aj.platform not in ['freebsd', 'osx']:
try:
listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1)
except socket.error:
logging.warning('Could not set TCP_CORK')
listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
logging.info('Binding to [%s]:%s', host, port)
try:
listener.bind((host, port))
except socket.error as e:
logging.error('Could not bind: %s', str(e))
sys.exit(1)
# Fix stupid socketio bug (it tries to do *args[0][0])
socket.socket.__getitem__ = lambda x, y: None
listener.listen(10)
gateway = GateMiddleware.get(aj.context)
application = HttpRoot(HttpMiddlewareAggregator([gateway])).dispatch
aj.server = SocketIOServer(
listener,
log=open(os.devnull, 'w'),
application=application,
handler_class=RequestHandler,
policy_server=False,
transports=[
str('websocket'),
str('xhr-polling'),
str('jsonp-polling'),
],
)
if aj.config.data['ssl']['enable'] and aj.config.data['bind']['mode'] == 'tcp':
aj.server.ssl_args = {'server_side': True}
cert_path = aj.config.data['ssl']['certificate']
if aj.config.data['ssl']['fqdn_certificate']:
fqdn_cert_path = aj.config.data['ssl']['fqdn_certificate']
else:
fqdn_cert_path = cert_path
context = gevent.ssl.SSLContext(ssl.PROTOCOL_TLS)
context.load_cert_chain(certfile=fqdn_cert_path, keyfile=fqdn_cert_path)
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
context.set_ciphers('ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM')
if aj.config.data['ssl']['client_auth']['enable']:
logging.info('Enabling SSL client authentication')
context.load_verify_locations(cafile=cert_path)
if aj.config.data['ssl']['client_auth']['force']:
context.verify_mode = ssl.CERT_REQUIRED
else:
context.verify_mode = ssl.CERT_OPTIONAL
## Test callback : client_certificate_callback must return None to get forward
# context.set_servername_callback(AuthenticationService.get(aj.context).client_certificate_callback)
aj.server.wrap_socket = lambda socket, **args:context.wrap_socket(sock=socket, server_side=True)
logging.info('SSL enabled')
# auth.log
try:
syslog.openlog(
ident=str(aj.product),
facility=syslog.LOG_AUTH,
)
except Exception as e:
syslog.openlog(aj.product)
def cleanup():
if hasattr(cleanup, 'started'):
return
cleanup.started = True
logging.info('Process %s exiting normally', os.getpid())
gevent.signal(signal.SIGINT, lambda: None)
gevent.signal(signal.SIGTERM, lambda: None)
if aj.master:
gateway.destroy()
p = psutil.Process(os.getpid())
for c in p.children(recursive=True):
try:
os.killpg(c.pid, signal.SIGTERM)
os.killpg(c.pid, signal.SIGKILL)
except OSError:
pass
def signal_handler():
cleanup()
sys.exit(0)
gevent.signal(signal.SIGINT, signal_handler)
gevent.signal(signal.SIGTERM, signal_handler)
aj.server.serve_forever()
if not aj.master:
# child process, server is stopped, wait until killed
gevent.wait()
if hasattr(aj.server, 'restart_marker'):
logging.warning('Restarting by request')
cleanup()
fd = 20 # Close all descriptors. Creepy thing
while fd > 2:
try:
os.close(fd)
logging.debug('Closed descriptor #%i', fd)
except OSError:
pass
fd -= 1
logging.warning('Will restart the process now')
if '-d' in sys.argv:
sys.argv.remove('-d')
os.execv(sys.argv[0], sys.argv)
else:
if aj.master:
logging.debug('Server stopped')
cleanup()
def run(config=None,
plugin_providers=None,
product_name='ajenti',
dev_mode=False,
debug_mode=False,
autologin=False):
"""
A global entry point for Ajenti.
:param config: config file implementation instance to use
:type config: :class:`aj.config.BaseConfig`
:param plugin_providers: list of plugin providers to load plugins from
:type plugin_providers: list(:class:`aj.plugins.PluginProvider`)
:param str product_name: a product name to use
:param bool dev_mode: enables dev mode (automatic resource recompilation)
:param bool debug_mode: enables debug mode (verbose and extra logging)
:param bool autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE.
"""
if config is None:
raise TypeError('`config` can\'t be None')
reload(sys)
if hasattr(sys, 'setdefaultencoding'):
sys.setdefaultencoding('utf8')
aj.product = product_name
aj.debug = debug_mode
aj.dev = dev_mode
aj.dev_autologin = autologin
aj.init()
aj.log.set_log_params(tag='master', master_pid=os.getpid())
aj.context = Context()
aj.config = config
aj.plugin_providers = plugin_providers or []
logging.info(f'Loading config from {aj.config}')
aj.config.load()
aj.config.ensure_structure()
logging.info('Loading users from /etc/ajenti/users.yml')
aj.users = AjentiUsers(aj.config.data['auth']['users_file'])
aj.users.load()
logging.info('Loading smtp config from /etc/ajenti/smtp.yml')
aj.smtp_config = SmtpConfig()
aj.smtp_config.load()
aj.smtp_config.ensure_structure()
if aj.debug:
logging.warning('Debug mode')
if aj.dev:
logging.warning('Dev mode')
try:
locale.setlocale(locale.LC_ALL, '')
except locale.Error:
logging.warning('Couldn\'t set default locale')
# install a passthrough gettext replacement since all localization is handled in frontend
# and _() is here only for string extraction
__builtins__['_'] = lambda x: x
logging.info(f'Ajenti Core {aj.version}')
logging.info(f'Master PID - {os.getpid()}')
logging.info(f'Detected platform: {aj.platform} / {aj.platform_string}')
logging.info(f'Python version: {aj.python_version}')
# Load plugins
PluginManager.get(aj.context).load_all_from(aj.plugin_providers)
if len(PluginManager.get(aj.context)) == 0:
logging.warning('No plugins were loaded!')
if aj.config.data['bind']['mode'] == 'unix':
path = aj.config.data['bind']['socket']
if os.path.exists(path):
os.unlink(path)
listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
try:
listener.bind(path)
except OSError:
logging.error(f'Could not bind to {path}')
sys.exit(1)
if aj.config.data['bind']['mode'] == 'tcp':
host = aj.config.data['bind']['host']
port = aj.config.data['bind']['port']
listener = socket.socket(
socket.AF_INET6 if ':' in host else socket.AF_INET,
socket.SOCK_STREAM)
if aj.platform not in ['freebsd', 'osx']:
try:
listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1)
except socket.error:
logging.warning('Could not set TCP_CORK')
listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
logging.info(f'Binding to [{host}]:{port}')
try:
listener.bind((host, port))
except socket.error as e:
logging.error(f'Could not bind: {str(e)}')
sys.exit(1)
listener.listen(10)
gateway = GateMiddleware.get(aj.context)
middleware_stack = HttpMasterMiddleware.all(aj.context) + [gateway]
sio = Server(async_mode='gevent',
cors_allowed_origins=aj.config.data['trusted_domains'])
application = WSGIApp(
sio,
HttpRoot(HttpMiddlewareAggregator(middleware_stack)).dispatch)
sio.register_namespace(SocketIONamespace(context=aj.context))
if aj.config.data['ssl']['enable'] and aj.config.data['bind'][
'mode'] == 'tcp':
aj.server = pywsgi.WSGIServer(
listener,
log=open(os.devnull, 'w'),
application=application,
handler_class=RequestHandler,
policy_server=False,
)
aj.server.ssl_args = {'server_side': True}
cert_path = aj.config.data['ssl']['certificate']
if aj.config.data['ssl']['fqdn_certificate']:
fqdn_cert_path = aj.config.data['ssl']['fqdn_certificate']
else:
fqdn_cert_path = cert_path
context = gevent.ssl.SSLContext(ssl.PROTOCOL_TLS)
context.load_cert_chain(certfile=fqdn_cert_path,
keyfile=fqdn_cert_path)
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
context.set_ciphers(
'ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM')
if aj.config.data['ssl']['client_auth']['enable']:
logging.info('Enabling SSL client authentication')
context.load_verify_locations(cafile=cert_path)
if aj.config.data['ssl']['client_auth']['force']:
context.verify_mode = ssl.CERT_REQUIRED
else:
context.verify_mode = ssl.CERT_OPTIONAL
## Test callback : client_certificate_callback must return None to get forward
# context.set_servername_callback(AuthenticationService.get(aj.context).client_certificate_callback)
aj.server.wrap_socket = lambda socket, **args: context.wrap_socket(
sock=socket, server_side=True)
logging.info('SSL enabled')
if aj.config.data['ssl']['force']:
from aj.https_redirect import http_to_https
target_url = f'https://{aj.config.data["name"]}:{port}'
gevent.spawn(http_to_https, target_url)
logging.info(
f'HTTP to HTTPS redirection activated to {target_url}')
else:
# No policy_server argument for http
aj.server = pywsgi.WSGIServer(
listener,
log=open(os.devnull, 'w'),
application=application,
handler_class=RequestHandler,
)
# auth.log
try:
syslog.openlog(
ident=str(aj.product),
facility=syslog.LOG_AUTH,
)
except Exception as e:
syslog.openlog(aj.product)
def cleanup():
if hasattr(cleanup, 'started'):
return
cleanup.started = True
logging.info(f'Process {os.getpid()} exiting normally')
gevent.signal_handler(signal.SIGINT, lambda: None)
gevent.signal_handler(signal.SIGTERM, lambda: None)
if aj.master:
gateway.destroy()
p = psutil.Process(os.getpid())
for c in p.children(recursive=True):
try:
os.killpg(c.pid, signal.SIGTERM)
os.killpg(c.pid, signal.SIGKILL)
except OSError:
pass
def signal_handler():
cleanup()
sys.exit(0)
gevent.signal_handler(signal.SIGINT, signal_handler)
gevent.signal_handler(signal.SIGTERM, signal_handler)
aj.server.serve_forever()
if not aj.master:
# child process, server is stopped, wait until killed
gevent.wait()
if hasattr(aj.server, 'restart_marker'):
logging.warning('Restarting by request')
cleanup()
fd = 20 # Close all descriptors. Creepy thing
while fd > 2:
try:
os.close(fd)
logging.debug(f'Closed descriptor #{fd:d}')
except OSError:
pass
fd -= 1
restart()
else:
if aj.master:
logging.debug('Server stopped')
cleanup()
def run(config=None, plugin_providers=None, product_name='ajenti', dev_mode=False,
debug_mode=False, autologin=False):
"""
A global entry point for Ajenti.
:param config: config file implementation instance to use
:type config: :class:`aj.config.BaseConfig`
:param plugin_providers: list of plugin providers to load plugins from
:type plugin_providers: list(:class:`aj.plugins.PluginProvider`)
:param product_name: a product name to use
:param dev_mode: enables dev mode (automatic resource recompilation)
:type dev_mode: bool
:param debug_mode: enables debug mode (verbose and extra logging)
:type debug_mode: bool
:param autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE.
:type autologin: bool
"""
if config is None:
raise TypeError('`config` can\'t be None')
reload(sys)
sys.setdefaultencoding('utf8')
aj.product = product_name
aj.debug = debug_mode
aj.dev = dev_mode
aj.dev_autologin = autologin
aj.init()
aj.log.set_log_params(tag='master', master_pid=os.getpid())
aj.context = Context()
aj.config = config
aj.plugin_providers = plugin_providers or []
logging.info('Loading config from %s', aj.config)
aj.config.load()
if aj.debug:
logging.warn('Debug mode')
if aj.dev:
logging.warn('Dev mode')
try:
locale.setlocale(locale.LC_ALL, '')
except locale.Error:
logging.warning('Couldn\'t set default locale')
logging.info('Ajenti Core %s', aj.version)
logging.info('Detected platform: %s / %s', aj.platform, aj.platform_string)
# Load plugins
PluginManager.get(aj.context).load_all_from(aj.plugin_providers)
if len(PluginManager.get(aj.context).get_all()) == 0:
logging.warn('No plugins were loaded!')
if aj.config.data['bind']['mode'] == 'unix':
path = aj.config.data['bind']['socket']
if os.path.exists(path):
os.unlink(path)
listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
try:
listener.bind(path)
except OSError:
logging.error('Could not bind to %s', path)
sys.exit(1)
if aj.config.data['bind']['mode'] == 'tcp':
host = aj.config.data['bind']['host']
port = aj.config.data['bind']['port']
listener = socket.socket(
socket.AF_INET6 if ':' in host else socket.AF_INET, socket.SOCK_STREAM
)
if aj.platform not in ['freebsd', 'osx']:
try:
listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1)
except socket.error:
logging.warn('Could not set TCP_CORK')
listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
logging.info('Binding to [%s]:%s', host, port)
try:
listener.bind((host, port))
except socket.error as e:
logging.error('Could not bind: %s', str(e))
sys.exit(1)
# Fix stupid socketio bug (it tries to do *args[0][0])
socket.socket.__getitem__ = lambda x, y: None
listener.listen(10)
gateway = GateMiddleware.get(aj.context)
application = HttpRoot(HttpMiddlewareAggregator([gateway])).dispatch
aj.server = SocketIOServer(
listener,
log=open(os.devnull, 'w'),
application=application,
handler_class=RequestHandler,
policy_server=False,
transports=[
str('websocket'),
str('flashsocket'),
str('xhr-polling'),
str('jsonp-polling'),
],
)
if aj.config.data['ssl']['enable'] and aj.config.data['bind']['mode'] == 'tcp':
try:
context = SSL.Context(SSL.TLSv1_2_METHOD)
except:
context = SSL.Context(SSL.TLSv1_METHOD)
context.set_session_id(str(id(context)))
context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
context.set_cipher_list('ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM')
certificate = crypto.load_certificate(
crypto.FILETYPE_PEM,
open(aj.config.data['ssl']['certificate']).read()
)
private_key = crypto.load_privatekey(
crypto.FILETYPE_PEM,
open(aj.config.data['ssl']['certificate']).read()
)
context.use_certificate(certificate)
context.use_privatekey(private_key)
if aj.config.data['ssl']['client_auth']['enable']:
# todo harden files
logging.info('Enabling SSL client authentication')
context.add_client_ca(certificate)
context.get_cert_store().add_cert(certificate)
verify_flags = SSL.VERIFY_PEER
if aj.config.data['ssl']['client_auth']['force']:
verify_flags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT
context.set_verify(verify_flags, AuthenticationService.get(aj.context).client_certificate_callback)
context.set_verify_depth(0)
aj.server.ssl_args = {'server_side': True}
aj.server.wrap_socket = lambda socket, **ssl: SSLSocket(context, socket)
logging.info('SSL enabled')
# auth.log
try:
syslog.openlog(
ident=str(aj.product),
facility=syslog.LOG_AUTH,
)
except:
syslog.openlog(aj.product)
def cleanup():
if hasattr(cleanup, 'started'):
return
cleanup.started = True
logging.info('Process %s exiting normally', os.getpid())
gevent.signal(signal.SIGINT, lambda: None)
gevent.signal(signal.SIGTERM, lambda: None)
if aj.master:
gateway.destroy()
p = psutil.Process(os.getpid())
for c in p.children(recursive=True):
try:
os.killpg(c.pid, signal.SIGTERM)
os.killpg(c.pid, signal.SIGKILL)
except OSError:
pass
def signal_handler():
cleanup()
sys.exit(0)
gevent.signal(signal.SIGINT, signal_handler)
gevent.signal(signal.SIGTERM, signal_handler)
aj.server.serve_forever()
if not aj.master:
# child process, server is stopped, wait until killed
gevent.wait()
if hasattr(aj.server, 'restart_marker'):
logging.warn('Restarting by request')
cleanup()
fd = 20 # Close all descriptors. Creepy thing
while fd > 2:
try:
os.close(fd)
logging.debug('Closed descriptor #%i', fd)
except OSError:
pass
fd -= 1
logging.warn('Will restart the process now')
if '-d' in sys.argv:
sys.argv.remove('-d')
os.execv(sys.argv[0], sys.argv)
else:
if aj.master:
logging.debug('Server stopped')
cleanup()