async def validate_general_settings(self, data, schema):
verrors = ValidationErrors()
language = data.get('language')
if language:
system_languages = self.language_choices()
if language not in system_languages.keys():
verrors.add(
f'{schema}.language',
f'Specified "{language}" language not found, kindly correct it'
)
# kbd map needs work
timezone = data.get('timezone')
if timezone:
timezones = await self.timezone_choices()
if timezone not in timezones:
verrors.add(f'{schema}.timezone',
'Please select a correct timezone')
ip_addresses = await self.middleware.call('interface.ip_in_use')
ip4_addresses_list = [
alias_dict['address'] for alias_dict in ip_addresses
if alias_dict['type'] == 'INET'
]
ip6_addresses_list = [
alias_dict['address'] for alias_dict in ip_addresses
if alias_dict['type'] == 'INET6'
]
ip4_addresses = data.get('ui_address')
for ip4_address in ip4_addresses:
if (ip4_address and ip4_address != '0.0.0.0'
and ip4_address not in ip4_addresses_list):
verrors.add(
f'{schema}.ui_address',
f'{ip4_address} ipv4 address is not associated with this machine'
)
ip6_addresses = data.get('ui_v6address')
for ip6_address in ip6_addresses:
if (ip6_address and ip6_address != '::'
and ip6_address not in ip6_addresses_list):
verrors.add(
f'{schema}.ui_v6address',
f'{ip6_address} ipv6 address is not associated with this machine'
)
for key, wildcard, ips in [('ui_address', '0.0.0.0', ip4_addresses),
('ui_v6address', '::', ip6_addresses)]:
if wildcard in ips and len(ips) > 1:
verrors.add(
f'{schema}.{key}',
f'When "{wildcard}" has been selected, selection of other addresses is not allowed'
)
syslog_server = data.get('syslogserver')
if syslog_server:
match = re.match(r"^[\w\.\-]+(\:\d+)?$", syslog_server)
if not match:
verrors.add(f'{schema}.syslogserver',
'Invalid syslog server format')
elif ':' in syslog_server:
port = int(syslog_server.split(':')[-1])
if port < 0 or port > 65535:
verrors.add(f'{schema}.syslogserver',
'Port specified should be between 0 - 65535')
certificate_id = data.get('ui_certificate')
cert = await self.middleware.call('certificate.query',
[["id", "=", certificate_id]])
if not cert:
verrors.add(
f'{schema}.ui_certificate',
'Please specify a valid certificate which exists in the system'
)
else:
cert = cert[0]
verrors.extend(await self.middleware.call(
'certificate.cert_services_validation', certificate_id,
f'{schema}.ui_certificate', False))
if cert['fingerprint']:
syslog.openlog(logoption=syslog.LOG_PID,
facility=syslog.LOG_USER)
syslog.syslog(
syslog.LOG_ERR,
'Fingerprint of the certificate used in UI : ' +
cert['fingerprint'])
syslog.closelog()
return verrors
async def do_create(self, data):
verrors = ValidationErrors()
if (not data.get('group') and not data.get('group_create')) or (
data.get('group') is not None and data.get('group_create')):
verrors.add('group',
f'You need to either provide a group or group_create',
errno.EINVAL)
await self.__common_validation(verrors, data)
if data.get('sshpubkey') and not data['home'].startswith('/mnt'):
verrors.add('sshpubkey',
'Home directory is not writable, leave this blank"')
if verrors:
raise verrors
groups = data.pop('groups') or []
create = data.pop('group_create')
if create:
group = await self.middleware.call(
'group.query', [('group', '=', data['username'])])
if group:
group = group[0]
else:
group = await self.middleware.call('group.create',
{'name': data['username']})
group = (await self.middleware.call('group.query',
[('id', '=', group)]))[0]
data['group'] = group['id']
else:
group = await self.middleware.call('group.query',
[('id', '=', data['group'])])
if not group:
raise CallError(f'Group {data["group"]} not found')
group = group[0]
# Is this a new directory or not? Let's not nuke existing directories,
# e.g. /, /root, /mnt/tank/my-dataset, etc ;).
new_homedir = False
home_mode = data.pop('home_mode')
if data['home'] != '/nonexistent':
try:
os.makedirs(data['home'], mode=int(home_mode, 8))
except FileExistsError:
if not os.path.isdir(data['home']):
raise CallError(
'Path for home directory already '
'exists and is not a directory', errno.EEXIST)
except OSError as oe:
raise CallError('Failed to create the home directory '
f'({data["home"]}) for user: {oe}')
else:
new_homedir = True
if os.stat(data['home']).st_dev == os.stat('/mnt').st_dev:
raise CallError(f'Path for the home directory (data["home"]) '
'must be under a volume or dataset')
if not data.get('uid'):
data['uid'] = await self.get_next_uid()
pk = None # Make sure pk exists to rollback in case of an error
try:
password = await self.__set_password(data)
await self.__update_sshpubkey(data, group['group'])
pk = await self.middleware.call('datastore.insert',
'account.bsdusers', data,
{'prefix': 'bsdusr_'})
await self.__set_groups(pk, groups)
except Exception:
if pk is not None:
await self.middleware.call('datastore.delete',
'account.bsdusers', pk)
if new_homedir:
# Be as atomic as possible when creating the user if
# commands failed to execute cleanly.
shutil.rmtree(data['home'])
raise
await self.middleware.call('service.reload', 'user')
await self.__set_smbpasswd(data['username'], password)
return pk
async def do_update(self, id, data):
"""
Update a Periodic Snapshot Task with specific `id`
See the documentation for `create` method for information on payload contents
.. examples(websocket)::
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "pool.snapshottask.update",
"params": [
1,
{
"dataset": "data/work",
"recursive": true,
"exclude": ["data/work/temp"],
"lifetime_value": 2,
"lifetime_unit": "WEEK",
"naming_schema": "auto_%Y-%m-%d_%H-%M",
"schedule": {
"minute": "0",
"hour": "*",
"dom": "*",
"month": "*",
"dow": "1,2,3,4,5",
"begin": "09:00",
"end": "18:00"
}
}
]
}
"""
old = await self._get_instance(id)
new = old.copy()
new.update(data)
verrors = ValidationErrors()
verrors.add_child('periodic_snapshot_update', await
self._validate(new))
if not new['enabled']:
for replication_task in await self.middleware.call(
'replication.query', [['enabled', '=', True]]):
if any(periodic_snapshot_task['id'] == id
for periodic_snapshot_task in
replication_task['periodic_snapshot_tasks']):
verrors.add('periodic_snapshot_update.enabled', (
f'You can\'t disable this periodic snapshot task because it is bound to enabled replication '
f'task {replication_task["id"]!r}'))
break
if verrors:
raise verrors
Cron.convert_schedule_to_db_format(new, begin_end=True)
for key in ('vmware_sync', 'state'):
new.pop(key, None)
await self.middleware.call('datastore.update', self._config.datastore,
id, new,
{'prefix': self._config.datastore_prefix})
await self.middleware.call('zettarepl.update_tasks')
return await self._get_instance(id)
async def do_update(self, job, data):
"""
Update System Dataset Service Configuration.
`pool` is the name of a valid pool configured in the system which will be used to host the system dataset.
`pool_exclude` can be specified to make sure that we don't place the system dataset on that pool if `pool`
is not provided.
"""
config = await self.config()
new = config.copy()
new.update(data)
verrors = ValidationErrors()
if new['pool'] and new['pool'] != 'freenas-boot':
pool = await self.middleware.call('pool.query', [['name', '=', new['pool']]])
if not pool:
verrors.add(
'sysdataset_update.pool',
f'Pool "{new["pool"]}" not found',
errno.ENOENT
)
elif pool[0]['encrypt'] == 2:
# This will cover two cases - passphrase being set for a pool and that it might be locked as well
verrors.add(
'sysdataset_update.pool',
f'Pool "{new["pool"]}" has an encryption passphrase set. '
'The system dataset cannot be placed on this pool.'
)
elif not new['pool']:
for pool in await self.middleware.call(
'pool.query', [
['encrypt', '!=', 2]
]
):
if data.get('pool_exclude') == pool['name']:
continue
new['pool'] = pool['name']
break
else:
# If a data pool could not be found, reset it to blank
# Which will eventually mean its back to freenas-boot (temporarily)
new['pool'] = ''
verrors.check()
new['syslog_usedataset'] = new['syslog']
update_dict = new.copy()
for key in ('is_decrypted', 'basename', 'uuid_a', 'syslog', 'path', 'pool_exclude'):
update_dict.pop(key, None)
await self.middleware.call(
'datastore.update',
'system.systemdataset',
config['id'],
update_dict,
{'prefix': 'sys_'}
)
new = await self.config()
if config['pool'] != new['pool']:
await self.migrate(config['pool'], new['pool'])
await self.setup(True, data.get('pool_exclude'))
if config['syslog'] != new['syslog']:
await self.middleware.call('service.restart', 'syslogd')
if not await self.middleware.call('system.is_freenas') and await self.middleware.call('failover.licensed'):
if await self.middleware.call('failover.status') == 'MASTER':
try:
await self.middleware.call('failover.call_remote', 'system.reboot')
except Exception as e:
self.logger.debug('Failed to reboot passive storage controller after system dataset change: %s', e)
return await self.config()
async def do_create(self, data):
"""
Create a SMB Share.
`purpose` applies common configuration presets depending on intended purpose.
`timemachine` when set, enables Time Machine backups for this share.
`ro` when enabled, prohibits write access to the share.
`guestok` when enabled, allows access to this share without a password.
`hostsallow` is a list of hostnames / IP addresses which have access to this share.
`hostsdeny` is a list of hostnames / IP addresses which are not allowed access to this share. If a handful
of hostnames are to be only allowed access, `hostsdeny` can be passed "ALL" which means that it will deny
access to ALL hostnames except for the ones which have been listed in `hostsallow`.
`acl` enables support for storing the SMB Security Descriptor as a Filesystem ACL.
`streams` enables support for storing alternate datastreams as filesystem extended attributes.
`fsrvp` enables support for the filesystem remote VSS protocol. This allows clients to create
ZFS snapshots through RPC.
`shadowcopy` enables support for the volume shadow copy service.
`auxsmbconf` is a string of additional smb4.conf parameters not covered by the system's API.
"""
verrors = ValidationErrors()
path = data['path']
await self.clean(data, 'sharingsmb_create', verrors)
await self.validate(data, 'sharingsmb_create', verrors)
if verrors:
raise verrors
if path and not os.path.exists(path):
try:
os.makedirs(path)
except OSError as e:
raise CallError(f'Failed to create {path}: {e}')
await self.apply_presets(data)
await self.compress(data)
vuid = await self.generate_vuid(data['timemachine'])
data.update({'vuid': vuid})
data['id'] = await self.middleware.call(
'datastore.insert', self._config.datastore, data,
{'prefix': self._config.datastore_prefix})
await self.middleware.call('sharing.smb.reg_addshare', data)
await self.extend(data) # We should do this in the insert call ?
enable_aapl = await self.check_aapl(data)
if enable_aapl:
await self._service_change('cifs', 'restart')
else:
await self._service_change('cifs', 'reload')
return data
async def do_create(self, data):
"""
Create a new user.
If `uid` is not provided it is automatically filled with the next one available.
`group` is required if `group_create` is false.
`password` is required if `password_disabled` is false.
Available choices for `shell` can be retrieved with `user.shell_choices`.
`attributes` is a general-purpose object for storing arbitrary user information.
`smb` specifies whether the user should be allowed access to SMB shares. User
willl also automatically be added to the `builtin_users` group.
"""
verrors = ValidationErrors()
if (not data.get('group') and not data.get('group_create')) or (
data.get('group') is not None and data.get('group_create')):
verrors.add(
'user_create.group',
f'Enter either a group name or create a new group to '
'continue.', errno.EINVAL)
await self.__common_validation(verrors, data, 'user_create')
if data.get('sshpubkey') and not data['home'].startswith('/mnt'):
verrors.add(
'user_create.sshpubkey',
'The home directory is not writable. Leave this field blank.')
verrors.check()
groups = data.pop('groups')
create = data.pop('group_create')
if create:
group = await self.middleware.call(
'group.query', [('group', '=', data['username'])])
if group:
group = group[0]
else:
group = await self.middleware.call('group.create', {
'name': data['username'],
'smb': False
})
group = (await self.middleware.call('group.query',
[('id', '=', group)]))[0]
data['group'] = group['id']
else:
group = await self.middleware.call('group.query',
[('id', '=', data['group'])])
if not group:
raise CallError(f'Group {data["group"]} not found')
group = group[0]
if data['smb']:
groups.append(
(await self.middleware.call('group.query',
[('group', '=', 'builtin_users')],
{'get': True}))['id'])
# Is this a new directory or not? Let's not nuke existing directories,
# e.g. /, /root, /mnt/tank/my-dataset, etc ;).
new_homedir = False
home_mode = data.pop('home_mode')
if data['home'] and data['home'] != '/nonexistent':
try:
try:
os.makedirs(data['home'], mode=int(home_mode, 8))
new_homedir = True
await self.middleware.call(
'filesystem.setperm', {
'path': data['home'],
'mode': home_mode,
'uid': data['uid'],
'gid': group['gid'],
'options': {
'stripacl': True
}
})
except FileExistsError:
if not os.path.isdir(data['home']):
raise CallError(
'Path for home directory already '
'exists and is not a directory', errno.EEXIST)
# If it exists, ensure the user is owner.
await self.middleware.call(
'filesystem.chown', {
'path': data['home'],
'uid': data['uid'],
'gid': group['gid'],
})
except OSError as oe:
raise CallError('Failed to create the home directory '
f'({data["home"]}) for user: {oe}')
except Exception:
if new_homedir:
shutil.rmtree(data['home'])
raise
if not data.get('uid'):
data['uid'] = await self.get_next_uid()
pk = None # Make sure pk exists to rollback in case of an error
data = await self.user_compress(data)
try:
await self.__set_password(data)
sshpubkey = data.pop('sshpubkey',
None) # datastore does not have sshpubkey
pk = await self.middleware.call('datastore.insert',
'account.bsdusers', data,
{'prefix': 'bsdusr_'})
await self.__set_groups(pk, groups)
except Exception:
if pk is not None:
await self.middleware.call('datastore.delete',
'account.bsdusers', pk)
if new_homedir:
# Be as atomic as possible when creating the user if
# commands failed to execute cleanly.
shutil.rmtree(data['home'])
raise
await self.middleware.call('service.reload', 'user')
if data['smb']:
await self.__set_smbpasswd(data['username'])
if os.path.isdir(SKEL_PATH) and os.path.exists(data['home']):
for f in os.listdir(SKEL_PATH):
if f.startswith('dot'):
dest_file = os.path.join(data['home'], f[3:])
else:
dest_file = os.path.join(data['home'], f)
if not os.path.exists(dest_file):
shutil.copyfile(os.path.join(SKEL_PATH, f), dest_file)
await self.middleware.call(
'filesystem.chown', {
'path': dest_file,
'uid': data['uid'],
'gid': group['gid'],
'options': {
'recursive': True
}
})
data['sshpubkey'] = sshpubkey
try:
await self.update_sshpubkey(data['home'], data, group['group'])
except PermissionError as e:
self.logger.warn('Failed to update authorized keys',
exc_info=True)
raise CallError(f'Failed to update authorized keys: {e}')
return pk
async def attach(self, job, oid, options):
"""
For TrueNAS Core/Enterprise platform, if the `oid` pool is passphrase GELI encrypted, `passphrase`
must be specified for this operation to succeed.
`target_vdev` is the GUID of the vdev where the disk needs to be attached. In case of STRIPED vdev, this
is the STRIPED disk GUID which will be converted to mirror. If `target_vdev` is mirror, it will be converted
into a n-way mirror.
"""
pool = await self.middleware.call('pool.get_instance', oid)
verrors = ValidationErrors()
if not pool['is_decrypted']:
verrors.add('oid', 'Pool must be unlocked for this action.')
verrors.check()
topology = pool['topology']
topology_type = vdev = None
for i in topology:
for v in topology[i]:
if v['guid'] == options['target_vdev']:
topology_type = i
vdev = v
break
if topology_type:
break
else:
verrors.add('pool_attach.target_vdev', 'Unable to locate VDEV')
verrors.check()
if topology_type in ('cache', 'spares'):
verrors.add('pool_attach.target_vdev',
f'Attaching disks to {topology_type} not allowed.')
elif topology_type == 'data':
# We would like to make sure here that we don't have inconsistent vdev types across data
if vdev['type'] not in ('DISK', 'MIRROR'):
verrors.add(
'pool_attach.target_vdev',
f'Attaching disk to {vdev["type"]} vdev is not allowed.')
# Let's validate new disk now
verrors.add_child(
'pool_attach',
await self.middleware.call('disk.check_disks_availability',
[options['new_disk']],
options['allow_duplicate_serials']),
)
verrors.check()
guid = vdev['guid'] if vdev['type'] == 'DISK' else vdev['children'][0][
'guid']
disks = {
options['new_disk']: {
'create_swap': topology_type == 'data',
'vdev': []
}
}
await self.middleware.call('pool.format_disks', job, disks)
devname = disks[options['new_disk']]['vdev'][0]
extend_job = await self.middleware.call('zfs.pool.extend',
pool['name'], None,
[{
'target': guid,
'type': 'DISK',
'path': devname
}])
await job.wrap(extend_job)
asyncio.ensure_future(self.middleware.call('disk.swaps_configure'))
async def _common_validate(self, idmap_backend, data):
"""
Common validation checks for all idmap backends.
1) Check for a high range that is lower than the low range.
2) Check for overlap with other configured idmap ranges.
In some circumstances overlap is permitted:
- new idmap range may overlap previously configured idmap range of same domain.
- new idmap range may overlap an idmap range configured for a disabled directory service.
- new idmap range for 'autorid' may overlap DS_TYPE_DEFAULT_DOMAIN
- new idmap range for 'ad' may overlap other 'ad' ranges. In this situation, it is responsibility
of the system administrator to avoid id collisions between the configured domains.
"""
verrors = ValidationErrors()
if data['range_high'] < data['range_low']:
verrors.add(
f'idmap_range',
'Idmap high range must be greater than idmap low range')
return verrors
configured_domains = await self.get_configured_idmap_domains()
ldap_enabled = False if await self.middleware.call(
'ldap.get_state') == 'DISABLED' else True
ad_enabled = False if await self.middleware.call(
'activedirectory.get_state') == 'DISABLED' else True
new_range = range(data['range_low'], data['range_high'])
for i in configured_domains:
# Do not generate validation error comparing to oneself.
if i['domain']['id'] == data['domain']['id']:
continue
# Do not generate validation errors for overlapping with a disabled DS.
if not ldap_enabled and i['domain'][
'idmap_domain_name'] == 'DS_TYPE_LDAP':
continue
if not ad_enabled and i['domain'][
'idmap_domain_name'] == 'DS_TYPE_ACTIVEDIRECTORY':
continue
# Idmap settings under Services->SMB are ignored when autorid is enabled.
if idmap_backend == 'autorid' and i['domain']['id'] == 5:
continue
# Overlap between ranges defined for 'ad' backend are permitted.
if idmap_backend == 'ad' and i['idmap_backend'] == 'ad':
continue
existing_range = range(i['backend_data']['range_low'],
i['backend_data']['range_high'])
if range(max(existing_range[0], new_range[0]),
min(existing_range[-1], new_range[-1]) + 1):
verrors.add(
f'idmap_range',
f'new idmap range conflicts with existing range for domain [{i["domain"]["idmap_domain_name"]}]'
)
return verrors
async def validate_data(self, data, schema, old_data):
verrors = ValidationErrors()
if data.pop('migrate_applications', False):
if data['pool'] == old_data['pool']:
verrors.add(
f'{schema}.migrate_applications',
'Migration of applications dataset only happens when a new pool is configured.'
)
elif not data['pool']:
verrors.add(
f'{schema}.migrate_applications',
'Pool must be specified when migration of ix-application dataset is desired.'
)
elif not old_data['pool']:
verrors.add(
f'{schema}.migrate_applications',
'A pool must have been configured previously for ix-application dataset migration.'
)
else:
if await self.middleware.call(
'zfs.dataset.query',
[['id', '=', applications_ds_name(data['pool'])]]):
verrors.add(
f'{schema}.migrate_applications',
f'Migration of {applications_ds_name(old_data["pool"])!r} to {data["pool"]!r} not '
f'possible as {applications_ds_name(data["pool"])} already exists.'
)
if not await self.middleware.call(
'zfs.dataset.query',
[['id', '=',
applications_ds_name(old_data['pool'])]]):
# Edge case but handled just to be sure
verrors.add(
f'{schema}.migrate_applications',
f'{applications_ds_name(old_data["pool"])!r} does not exist, migration not possible.'
)
network_cidrs = set([
ipaddress.ip_network(
f'{ip_config["address"]}/{ip_config["netmask"]}', False)
for interface in await self.middleware.call('interface.query')
for ip_config in itertools.chain(interface['aliases'],
interface['state']['aliases'])
if ip_config['type'] != 'LINK'
])
unused_cidrs = []
if not data['cluster_cidr'] or not data['service_cidr']:
unused_cidrs = await self.unused_cidrs(network_cidrs)
# If index 0,1 belong to different classes, let's make sure that is not the case anymore
if len(unused_cidrs) > 2 and unused_cidrs[0].split(
'.')[0] != unused_cidrs[1].split('.')[0]:
unused_cidrs.pop(0)
if unused_cidrs and not data['cluster_cidr']:
data['cluster_cidr'] = unused_cidrs.pop(0)
if unused_cidrs and not data['service_cidr']:
data['service_cidr'] = unused_cidrs.pop(0)
if not data['cluster_dns_ip']:
if data['service_cidr']:
# Picking 10th ip ( which is the usual default ) from service cidr
data['cluster_dns_ip'] = str(
list(
ipaddress.ip_network(data['service_cidr'],
False).hosts())[9])
else:
verrors.add(f'{schema}.cluster_dns_ip',
'Please specify cluster_dns_ip.')
if data['pool'] and not await self.middleware.call(
'pool.query', [['name', '=', data['pool']]]):
verrors.add(
f'{schema}.pool',
'Please provide a valid pool configured in the system.')
for k in ('cluster_cidr', 'service_cidr'):
if not data[k]:
verrors.add(f'{schema}.{k}',
f'Please specify a {k.split("_")[0]} CIDR.')
elif any(
ipaddress.ip_network(data[k], False).overlaps(cidr)
for cidr in network_cidrs):
verrors.add(f'{schema}.{k}',
'Requested CIDR is already in use.')
if data['cluster_cidr'] and data[
'service_cidr'] and ipaddress.ip_network(
data['cluster_cidr'], False).overlaps(
ipaddress.ip_network(data['service_cidr'], False)):
verrors.add(f'{schema}.cluster_cidr',
'Must not overlap with service CIDR.')
if data['service_cidr'] and data[
'cluster_dns_ip'] and ipaddress.ip_address(
data['cluster_dns_ip']) not in ipaddress.ip_network(
data['service_cidr']):
verrors.add(f'{schema}.cluster_dns_ip',
'Must be in range of "service_cidr".')
if data['node_ip'] not in await self.bindip_choices():
verrors.add(f'{schema}.node_ip',
'Please provide a valid IP address.')
if not await self.middleware.call('route.configured_default_ipv4_route'
):
if not data['route_v4_gateway']:
verrors.add(
f'{schema}.route_v4_gateway',
'Please set a default route for system or for kubernetes.')
if not data['route_v4_interface']:
verrors.add(
f'{schema}.route_v4_interface',
'Please set a default route for system or specify default interface to be used for kubernetes.'
)
for k, _ in await self.validate_interfaces(data):
verrors.add(f'{schema}.{k}', 'Please specify a valid interface.')
for k in ('route_v4', 'route_v6'):
gateway = data[f'{k}_gateway']
interface = data[f'{k}_interface']
if (not gateway and not interface) or (gateway and interface):
continue
for k2 in ('gateway', 'interface'):
verrors.add(
f'{schema}.{k}_{k2}',
f'{k}_gateway and {k}_interface must be specified together.'
)
verrors.check()
async def do_update(self, job, data):
"""
Update KMIP Server Configuration.
System currently authenticates connection with remote KMIP Server with a TLS handshake. `certificate` and
`certificate_authority` determine the certs which will be used to initiate the TLS handshake with `server`.
`validate` is enabled by default. When enabled, system will test connection to `server` making sure
it's reachable.
`manage_zfs_keys`/`manage_sed_disks` when enabled will sync keys from local database to remote KMIP server.
When disabled, if there are any keys left to be retrieved from the KMIP server,
it will sync them back to local database.
`enabled` if true, cannot be set to disabled if there are existing keys pending to be synced. However users
can still perform this action by enabling `force_clear`.
`ssl_version` can be specified to match the ssl configuration being used by KMIP server.
`change_server` is a boolean field which allows users to migrate data between two KMIP servers. System
will first migrate keys from old KMIP server to local database and then migrate the keys from local database
to new KMIP server. If it is unable to retrieve all the keys from old server, this will fail. Users can bypass
this by enabling `force_clear`.
`force_clear` is a boolean option which when enabled will in this case remove all
pending keys to be synced from database. It should be used with extreme caution as users may end up with
not having ZFS dataset or SED disks keys leaving them locked forever. It is disabled by default.
"""
old = await self.config()
new = old.copy()
new.update(data)
verrors = ValidationErrors()
if not new['server'] and new['enabled']:
verrors.add('kmip_update.server',
'Please specify a valid hostname or an IPv4 address')
if new['enabled']:
verrors.extend(
(await
self.middleware.call('certificate.cert_services_validation',
new['certificate'],
'kmip_update.certificate', False)))
ca = await self.middleware.call(
'certificateauthority.query',
[['id', '=', new['certificate_authority']]])
if ca and not verrors:
ca = ca[0]
if not await self.middleware.call(
'cryptokey.validate_cert_with_chain',
(await self.middleware.call(
'certificate.get_instance',
new['certificate']))['certificate'], [ca['certificate']]):
verrors.add(
'kmip_update.certificate_authority',
'Certificate chain could not be verified with specified certificate authority.'
)
elif not ca and new['enabled']:
verrors.add('kmip_update.certificate_authority',
'Please specify a valid id.')
if new.pop('validate', True) and new['enabled'] and not verrors:
if not await self.middleware.call('kmip.test_connection', new):
verrors.add(
'kmip_update.server',
f'Unable to connect to {new["server"]}:{new["port"]} KMIP server.'
)
change_server = new.pop('change_server', False)
if change_server and new['server'] == old['server']:
verrors.add(
'kmip_update.change_server',
'Please update server field to reflect the new server.')
if change_server and not new['enabled']:
verrors.add('kmip_update.enabled',
'Must be enabled when change server is enabled.')
force_clear = new.pop('force_clear', False)
clear_keys = force_clear if change_server else False
sync_error = 'KMIP sync is pending, please make sure database and KMIP server ' \
'are in sync before proceeding with this operation.'
if old['enabled'] != new['enabled'] and await self.middleware.call(
'kmip.kmip_sync_pending'):
if force_clear:
clear_keys = True
else:
verrors.add('kmip_update.enabled', sync_error)
verrors.check()
job.set_progress(30, 'Initial Validation complete')
if clear_keys:
await self.middleware.call('kmip.clear_sync_pending_keys')
job.set_progress(50, 'Cleared keys pending sync')
if change_server:
# We will first migrate all the keys to local database - once done with that,
# we will proceed with pushing it to the new server - we should have the old server
# old server -> db
# db -> new server
# First can be skipped if old server is not reachable and we want to clear keys
job.set_progress(
55, 'Starting migration from existing server to new server')
await self.middleware.call('datastore.update',
self._config.datastore, old['id'], {
'manage_zfs_keys': False,
'manage_sed_disks': False
})
job.set_progress(
60, 'Syncing keys from existing server to local database')
sync_jobs = [(await self.middleware.call(f'kmip.{i}'))
for i in ('sync_zfs_keys', 'sync_sed_keys')]
errors = []
for sync_job in sync_jobs:
await sync_job.wait()
if sync_job.error:
errors.append(sync_job.error)
elif sync_job.result:
errors.append(
f'Failed to sync {",".join(sync_job.result)}')
if errors:
await self.middleware.call('datastore.update',
self._config.datastore, old['id'],
old)
# We do this because it's possible a few datasets/disks got synced to db and few didn't - this is
# to push all the data of interest back to the KMIP server from db
await self.middleware.call('kmip.sync_keys')
errors = '\n'.join(errors)
raise CallError(
f'Failed to sync keys from {old["server"]} to host: {errors}'
)
if await self.middleware.call('kmip.kmip_sync_pending'):
raise CallError(sync_error)
job.set_progress(
80,
'Successfully synced keys from existing server to local database'
)
await self.middleware.call(
'datastore.update',
self._config.datastore,
old['id'],
new,
)
await self.middleware.call('service.start', 'kmip')
if new['enabled'] and old['enabled'] != new['enabled']:
await self.middleware.call('kmip.initialize_keys')
if any(old[k] != new[k]
for k in ('enabled', 'manage_zfs_keys',
'manage_sed_disks')) or change_server:
job.set_progress(
90,
'Starting sync between local database and configured KMIP server'
)
await self.middleware.call('kmip.sync_keys')
return await self.config()
async def do_update(self, data):
"""
Update Truecommand service settings.
`api_key` is a valid API key generated by iX Portal.
"""
# We have following cases worth mentioning wrt updating TC credentials
# 1) User enters API Key and enables the service
# 2) User disables the service
# 3) User changes API Key and service is enabled
#
# Another point to document is how we intend to poll, we are going to send a request to iX Portal
# and if it returns active state with the data we require for wireguard connection, we mark the
# API Key as connected. As long as we keep polling iX portal, we are going to be in a connecting state,
# no matter what errors we are getting from the polling bits. The failure case is when iX Portal sends
# us the state "unknown", which after confirming with Ken means that the portal has revoked the api key
# in question and we no longer use it. In this case we are going to stop polling and mark the connection
# as failed.
#
# For case (1), when user enters API key and enables the service, we are first going to generate wg keys
# if they haven't been generated already. Then we are going to register the new api key with ix portal.
# Once done, we are going to start polling. If polling gets us in success state, we are going to start
# wireguard connection, for the other case, we are going to emit an event with truecommand failure status.
#
# For case (2), if the service was running previously, we do nothing except for stopping wireguard and
# ensuring it is not started at boot as well. The connection details remain secure in the database.
#
# For case (3), everything is similar to how we handle case (1), however we are going to stop wireguard
# if it was running with previous api key credentials.
async with TRUECOMMAND_UPDATE_LOCK:
old = await self.middleware.call('datastore.config',
self._config.datastore)
new = old.copy()
new.update(data)
verrors = ValidationErrors()
if new['enabled'] and not new['api_key']:
verrors.add(
'truecommand_update.api_key',
'API Key must be provided when Truecommand service is enabled.'
)
verrors.check()
if all(old[k] == new[k] for k in ('enabled', 'api_key')):
# Nothing changed
return await self.config()
polling_jobs = await self.middleware.call(
'core.get_jobs',
[['method', '=', 'truecommand.poll_api_for_status'],
['state', 'in', ['WAITING', 'RUNNING']]])
for polling_job in polling_jobs:
await self.middleware.call('core.job_abort', polling_job['id'])
await self.set_status(Status.DISABLED.value)
new['api_key_state'] = Status.DISABLED.value
if new['enabled']:
if not old['wg_public_key'] or not old['wg_private_key']:
new.update(**(await self.middleware.call(
'truecommand.generate_wg_keys')))
if old['api_key'] != new['api_key']:
await self.middleware.call(
'truecommand.register_with_portal', new)
# Registration succeeded, we are good to poll now
elif all(new[k] for k in ('wg_address', 'wg_private_key',
'remote_address', 'endpoint',
'tc_public_key')):
# Api key hasn't changed and we have wireguard details, let's please start wireguard in this case
await self.set_status(Status.CONNECTING.value)
new['api_key_state'] = Status.CONNECTED.value
if old['api_key'] != new['api_key']:
new.update({
'remote_address': None,
'endpoint': None,
'tc_public_key': None,
'wg_address': None,
'api_key_state': Status.DISABLED.value,
})
await self.dismiss_alerts(True)
await self.middleware.call('datastore.update',
self._config.datastore, old['id'], new)
self.middleware.send_event('truecommand.config',
'CHANGED',
fields=(await self.config()))
# We are going to stop truecommand service with this update anyways as only 2 possible actions
# can happen on update
# 1) Service enabled/disabled
# 2) Api Key changed
await self.middleware.call('truecommand.stop_truecommand_service')
if new['enabled']:
if new['api_key'] != old['api_key'] or any(
not new[k] for k in ('wg_address', 'wg_private_key',
'remote_address', 'endpoint',
'tc_public_key')):
# We are going to start polling here
await self.middleware.call(
'truecommand.poll_api_for_status')
else:
# User just enabled the service after disabling it - we have wireguard details and
# we can initiate the connection. If it is not good, health check will fail and we will
# poll iX Portal to see what's up. Let's just start wireguard now
await self.middleware.call(
'truecommand.start_truecommand_service')
return await self.config()
async def validate_attrs(self, data):
verrors = ValidationErrors()
additional_params = data.get('additional_params')
if additional_params:
# Let's be very generic here and introduce very basic validation
# Expected format is as following
# [ipv6.icmpneighbor]
# history = 86400
# enabled = yes
#
# While we are here, we will also introduce basic formatting to the file to ensure
# that we can make it as compliable as possible
param_str = ''
for i in additional_params.split('\n'):
i = i.strip()
if not i:
continue
if i.startswith('#'):
# Let's not validate this
if i.replace('#', '').startswith('['):
param_str += f'\n\n{i}'
else:
param_str += f'\n\t{i}'
continue
if i.startswith('[') and not i.endswith(']'):
verrors.add(
'netdata_update.additional_params',
f'Please correct format for {i}. i.e [system.intr]')
elif not i.startswith('[') and '=' not in i:
verrors.add(
'netdata_update.additional_params',
f'Please correct format for {i}. i.e enabled = yes')
if i.startswith('['):
param_str += f'\n\n{i}'
else:
param_str += f'\n\t{i}'
data['additional_params'] = param_str + '\n'
bind_to_ips = data.get('bind')
if bind_to_ips:
valid_ips = [
ip['address']
for ip in await self.middleware.call('interfaces.ip_in_use')
]
valid_ips.extend(['127.0.0.1', '::1', '0.0.0.0', '::'])
for bind_ip in bind_to_ips:
if bind_ip not in valid_ips:
verrors.add('netdata_update.bind',
f'Invalid {bind_ip} bind IP')
else:
verrors.add('netdata_update.bind', 'This field is required')
update_alarms = data.pop('update_alarms', {})
valid_alarms = self._alarms
if update_alarms:
for alarm in update_alarms:
if alarm not in valid_alarms:
verrors.add('netdata_update.alarms',
f'{alarm} not a valid alarm')
verrors.extend(
validate_attributes([
Dict(key, Bool('enabled', required=True))
for key in update_alarms
], {'attributes': update_alarms}))
# Validating streaming metrics now
stream_mode = data.get('stream_mode')
if stream_mode == 'SLAVE':
for key in ('api_key', 'destination'):
if not data.get(key):
verrors.add(
f'netdata_update.{key}',
f'{key} is required with stream mode as SLAVE')
destinations = data.get('destination')
if destinations:
ip_addr = IpAddress()
port = Port()
for dest in destinations:
ip = dest.split(':')[0]
try:
ip_addr(ip)
except ValueError as e:
verrors.add('netdata_update.destination', str(e))
else:
if ':' in dest:
try:
port(dest.split(':')[1])
except ValueError as e:
verrors.add('netdata_update.destination',
f'Not a valid port: {e}')
elif stream_mode == 'MASTER':
for key in ('allow_from', 'api_key'):
if not data.get(key):
verrors.add(
f'netdata_update.{key}',
f'{key} is required with stream mode as MASTER')
verrors.check()
data['alarms'].update(update_alarms)
return data
async def do_update(self, data):
"""
Update active directory configuration.
`domainname` full DNS domain name of the Active Directory domain.
`bindname` username used to perform the intial domain join.
`bindpw` password used to perform the initial domain join. User-
provided credentials are used to obtain a kerberos ticket, which
is used to perform the actual domain join.
`verbose_logging` increase logging during the domain join process.
`use_default_domain` controls whether domain users and groups have
the pre-windows 2000 domain name prepended to the user account. When
enabled, the user appears as "administrator" rather than
"EXAMPLE\administrator"
`allow_trusted_doms` enable support for trusted domains. If this
parameter is enabled, then separate idmap backends _must_ be configured
for each trusted domain, and the idmap cache should be cleared.
`allow_dns_updates` during the domain join process, automatically
generate DNS entries in the AD domain for the NAS. If this is disabled,
then a domain administrator must manually add appropriate DNS entries
for the NAS. This parameter is recommended for TrueNAS HA servers.
`disable_freenas_cache` disables active caching of AD users and groups.
When disabled, only users cached in winbind's internal cache are
visible in GUI dropdowns. Disabling active caching is recommended
in environments with a large amount of users.
`site` AD site of which the NAS is a member. This parameter is auto-
detected during the domain join process. If no AD site is configured
for the subnet in which the NAS is configured, then this parameter
appears as 'Default-First-Site-Name'. Auto-detection is only performed
during the initial domain join.
`kerberos_realm` in which the server is located. This parameter is
automatically populated during the initial domain join. If the NAS has
an AD site configured and that site has multiple kerberos servers, then
the kerberos realm is automatically updated with a site-specific
configuration to use those servers. Auto-detection is only performed
during initial domain join.
`kerberos_principal` kerberos principal to use for AD-related
operations outside of Samba. After intial domain join, this field is
updated with the kerberos principal associated with the AD machine
account for the NAS.
`nss_info` controls how Winbind retrieves Name Service Information to
construct a user's home directory and login shell. This parameter
is only effective if the Active Directory Domain Controller supports
the Microsoft Services for Unix (SFU) LDAP schema.
`timeout` timeout value for winbind-related operations. This value may
need to be increased in environments with high latencies for
communications with domain controllers or a large number of domain
controllers. Lowering the value may cause status checks to fail.
`dns_timeout` timeout value for DNS queries during the initial domain
join. This value is also set as the NETWORK_TIMEOUT in the ldap config
file.
`createcomputer` Active Directory Organizational Unit in which new
computer accounts are created.
The OU string is read from top to bottom without RDNs. Slashes ("/")
are used as delimiters, like `Computers/Servers/NAS`. The backslash
("\\") is used to escape characters but not as a separator. Backslashes
are interpreted at multiple levels and might require doubling or even
quadrupling to take effect.
When this field is blank, new computer accounts are created in the
Active Directory default OU.
The Active Directory service is started after a configuration
update if the service was initially disabled, and the updated
configuration sets `enable` to `True`. The Active Directory
service is stopped if `enable` is changed to `False`. If the
configuration is updated, but the initial `enable` state is `True`, and
remains unchanged, then the samba server is only restarted.
During the domain join, a kerberos keytab for the newly-created AD
machine account is generated. It is used for all future
LDAP / AD interaction and the user-provided credentials are removed.
"""
await self.middleware.call("smb.cluster_check")
verrors = ValidationErrors()
old = await self.config()
new = old.copy()
new.update(data)
new['domainname'] = new['domainname'].upper()
try:
await self.update_netbios_data(old, new)
except Exception as e:
raise ValidationError('activedirectory_update.netbiosname', str(e))
await self.common_validate(new, old, verrors)
verrors.check()
if new['enable'] and not old['enable']:
"""
Currently run two health checks prior to validating domain.
1) Attempt to kinit with user-provided credentials. This is used to
verify that the credentials are correct.
2) Check for an overly large time offset. System kerberos libraries
may not report the time offset as an error during kinit, but the large
time offset will prevent libads from using the ticket for the domain
join.
"""
try:
domain_info = await self.domain_info(new['domainname'])
except CallError as e:
raise ValidationError('activedirectory.domainname', e.errmsg)
if abs(domain_info['Server time offset']) > 180:
raise ValidationError(
'activedirectory.domainname',
'Time offset from Active Directory domain exceeds maximum '
'permitted value. This may indicate an NTP misconfiguration.'
)
try:
await self.validate_credentials(new)
except CallError as e:
if new['kerberos_principal']:
method = "activedirectory.kerberos_principal"
else:
method = "activedirectory.bindpw"
raise ValidationError(
method,
f'Failed to validate bind credentials: {e.errmsg.split(":")[-1:][0]}'
)
new = await self.ad_compress(new)
ret = await super().do_update(new)
diff = await self.diff_conf_and_registry(new)
await self.middleware.call('sharing.smb.apply_conf_diff', 'GLOBAL',
diff)
job = None
if not old['enable'] and new['enable']:
job = (await self.middleware.call('activedirectory.start')).id
elif not new['enable'] and old['enable']:
job = (await self.middleware.call('activedirectory.stop')).id
elif new['enable'] and old['enable']:
await self.middleware.call('service.restart', 'idmap')
ret.update({'job_id': job})
return ret
def send(self, job, message, config):
"""
Sends mail using configured mail settings.
`text` will be formatted to HTML using Markdown and rendered using default E-Mail template.
You can put your own HTML using `html`. If `html` is null, no HTML MIME part will be added to E-Mail.
If `attachments` is true, a list compromised of the following dict is required
via HTTP upload:
- headers(list)
- name(str)
- value(str)
- params(dict)
- content (str)
[
{
"headers": [
{
"name": "Content-Transfer-Encoding",
"value": "base64"
},
{
"name": "Content-Type",
"value": "application/octet-stream",
"params": {
"name": "test.txt"
}
}
],
"content": "dGVzdAo="
}
]
"""
product_name = self.middleware.call_sync('system.product_name')
gc = self.middleware.call_sync('datastore.config',
'network.globalconfiguration')
hostname = f'{gc["gc_hostname"]}.{gc["gc_domain"]}'
message['subject'] = f'{product_name} {hostname}: {message["subject"]}'
add_html = True
if 'html' in message and message['html'] is None:
message.pop('html')
add_html = False
if 'text' not in message:
if 'html' not in message:
verrors = ValidationErrors()
verrors.add('mail_message.text',
'Text is required when HTML is not set')
verrors.check()
message['text'] = html2text.html2text(message['html'])
if add_html and 'html' not in message:
template = get_template('assets/templates/mail.html')
message['html'] = template.render(
body=html.escape(message['text']).replace('\n', '<br>\n'))
return self.send_raw(job, message, config)
async def do_update(self, id, data):
"""
Update a Replication Task with specific `id`
See the documentation for `create` method for information on payload contents
.. examples(websocket)::
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "replication.update",
"params": [
7,
{
"name": "Work Backup",
"direction": "PUSH",
"transport": "SSH",
"ssh_credentials": [12],
"source_datasets", ["data/work"],
"target_dataset": "repl/work",
"recursive": true,
"periodic_snapshot_tasks": [5],
"auto": true,
"restrict_schedule": {
"minute": "0",
"hour": "*/2",
"dom": "*",
"month": "*",
"dow": "1,2,3,4,5",
"begin": "09:00",
"end": "18:00"
},
"only_matching_schedule": true,
"retention_policy": "CUSTOM",
"lifetime_value": 1,
"lifetime_unit": "WEEK",
}
]
}
"""
old = await self._get_instance(id)
new = old.copy()
if new["ssh_credentials"]:
new["ssh_credentials"] = new["ssh_credentials"]["id"]
new["periodic_snapshot_tasks"] = [
task["id"] for task in new["periodic_snapshot_tasks"]
]
new.update(data)
verrors = ValidationErrors()
verrors.add_child("replication_update", await self._validate(new))
if verrors:
raise verrors
periodic_snapshot_tasks = new["periodic_snapshot_tasks"]
await self.compress(new)
new.pop('state', None)
await self.middleware.call("datastore.update", self._config.datastore,
id, new,
{'prefix': self._config.datastore_prefix})
await self._set_periodic_snapshot_tasks(id, periodic_snapshot_tasks)
await self.middleware.call("service.restart", "cron")
await self.middleware.call("zettarepl.update_tasks")
return await self._get_instance(id)
async def do_update(self, id, data):
"""
Update SMB Share of `id`.
"""
verrors = ValidationErrors()
path = data.get('path')
old = await self.middleware.call(
'datastore.query', self._config.datastore, [('id', '=', id)],
{'extend': self._config.datastore_extend,
'prefix': self._config.datastore_prefix,
'get': True})
new = old.copy()
new.update(data)
oldname = 'homes' if old['home'] else old['name']
newname = 'homes' if new['home'] else new['name']
new['vuid'] = await self.generate_vuid(new['timemachine'], new['vuid'])
await self.clean(new, 'sharingsmb_update', verrors, id=id)
await self.validate(new, 'sharingsmb_update', verrors, old=old)
if verrors:
raise verrors
if path and not os.path.exists(path):
try:
os.makedirs(path)
except OSError as e:
raise CallError(f'Failed to create {path}: {e}')
if old['purpose'] != new['purpose']:
await self.apply_presets(new)
old_is_locked = (await self.get_instance(id))['locked']
if old['path'] != new['path']:
new_is_locked = await self.middleware.call('pool.dataset.path_in_locked_datasets', new['path'])
else:
new_is_locked = old_is_locked
await self.compress(new)
await self.middleware.call(
'datastore.update', self._config.datastore, id, new,
{'prefix': self._config.datastore_prefix})
await self.strip_comments(new)
if not new_is_locked:
"""
Enabling AAPL SMB2 extensions globally affects SMB shares. If this
happens, the SMB service _must_ be restarted. Skip this step if dataset
underlying the new path is encrypted.
"""
enable_aapl = await self.check_aapl(new)
else:
enable_aapl = False
"""
OLD NEW = dataset path is encrypted
----------
- - = pre-12 behavior. Remove and replace if name changed, else update.
- X = Delete share from running configuration
X - = Add share to running configuration
X X = no-op
"""
if old_is_locked and new_is_locked:
"""
Configuration change only impacts a locked SMB share. From standpoint of
running config, this is a no-op. No need to restart or reload service.
"""
return await self.get_instance(id)
elif not old_is_locked and not new_is_locked:
"""
Default behavior before changes for locked datasets.
"""
if newname != oldname:
# This is disruptive change. Share is actually being removed and replaced.
# Forcibly closes any existing SMB sessions.
await self.close_share(oldname)
try:
await self.middleware.call('sharing.smb.reg_delshare', oldname)
except Exception:
self.logger.warning('Failed to remove stale share [%s]',
old['name'], exc_info=True)
await self.middleware.call('sharing.smb.reg_addshare', new)
else:
diff = await self.middleware.call(
'sharing.smb.diff_middleware_and_registry', new['name'], new
)
if diff is None:
await self.middleware.call('sharing.smb.reg_addshare', new)
else:
share_name = new['name'] if not new['home'] else 'homes'
await self.middleware.call('sharing.smb.apply_conf_diff',
'REGISTRY', share_name, diff)
elif old_is_locked and not new_is_locked:
"""
Since the old share was not in our running configuration, we need
to add it.
"""
await self.middleware.call('sharing.smb.reg_addshare', new)
elif not old_is_locked and new_is_locked:
try:
await self.middleware.call('sharing.smb.reg_delshare', oldname)
except Exception:
self.logger.warning('Failed to remove locked share [%s]',
old['name'], exc_info=True)
if enable_aapl:
await self._service_change('cifs', 'restart')
else:
await self._service_change('cifs', 'reload')
return await self.get_instance(id)
async def _validate(self, data):
verrors = ValidationErrors()
# Direction
snapshot_tasks = []
if data["direction"] == "PUSH":
e, snapshot_tasks = await self._query_periodic_snapshot_tasks(
data["periodic_snapshot_tasks"])
verrors.add_child("periodic_snapshot_tasks", e)
if data["naming_schema"]:
verrors.add("naming_schema",
"This field has no sense for push replication")
if data["schedule"]:
if data["periodic_snapshot_tasks"]:
verrors.add(
"schedule",
"Push replication can't be bound to periodic snapshot task and have "
"schedule at the same time")
else:
if data["auto"] and not data[
"periodic_snapshot_tasks"] and data[
"transport"] != "LEGACY":
verrors.add(
"auto",
"Push replication that runs automatically must be either "
"bound to periodic snapshot task or have schedule")
if data["direction"] == "PULL":
if data["schedule"]:
pass
else:
if data["auto"]:
verrors.add(
"auto",
"Pull replication that runs automatically must have schedule"
)
if data["periodic_snapshot_tasks"]:
verrors.add(
"periodic_snapshot_tasks",
"Pull replication can't be bound to periodic snapshot task"
)
if not data["naming_schema"]:
verrors.add("naming_schema",
"Naming schema is required for pull replication")
if data["also_include_naming_schema"]:
verrors.add("also_include_naming_schema",
"This field has no sense for pull replication")
if data["hold_pending_snapshots"]:
verrors.add(
"hold_pending_snapshots",
"Pull replication tasks can't hold pending snapshots because "
"they don't do source retention")
# Transport
if data["transport"] == "SSH+NETCAT":
if data["netcat_active_side"] is None:
verrors.add(
"netcat_active_side",
"You must choose active side for SSH+netcat replication")
if data["netcat_active_side_port_min"] is not None and data[
"netcat_active_side_port_max"] is not None:
if data["netcat_active_side_port_min"] > data[
"netcat_active_side_port_max"]:
verrors.add(
"netcat_active_side_port_max",
"Please specify value greater or equal than netcat_active_side_port_min"
)
if data["compression"] is not None:
verrors.add(
"compression",
"Compression is not supported for SSH+netcat replication")
if data["speed_limit"] is not None:
verrors.add(
"speed_limit",
"Speed limit is not supported for SSH+netcat replication")
else:
if data["netcat_active_side"] is not None:
verrors.add(
"netcat_active_side",
"This field only has sense for SSH+netcat replication")
for k in [
"netcat_active_side_listen_address",
"netcat_active_side_port_min",
"netcat_active_side_port_max",
"netcat_passive_side_connect_address"
]:
if data[k] is not None:
verrors.add(
k,
"This field only has sense for SSH+netcat replication")
if data["transport"] == "LOCAL":
if data["ssh_credentials"] is not None:
verrors.add(
"ssh_credentials",
"Remote credentials have no sense for local replication")
if data["compression"] is not None:
verrors.add("compression",
"Compression has no sense for local replication")
if data["speed_limit"] is not None:
verrors.add("speed_limit",
"Speed limit has no sense for local replication")
else:
if data["ssh_credentials"] is None:
verrors.add(
"ssh_credentials",
"SSH Credentials are required for non-local replication")
else:
try:
await self.middleware.call(
"keychaincredential.get_of_type",
data["ssh_credentials"], "SSH_CREDENTIALS")
except CallError as e:
verrors.add("ssh_credentials", str(e))
if data["transport"] == "LEGACY":
for should_be_true in ["auto", "allow_from_scratch"]:
if not data[should_be_true]:
verrors.add(
should_be_true,
"Legacy replication does not support disabling this option"
)
for should_be_false in [
"exclude", "periodic_snapshot_tasks", "naming_schema",
"also_include_naming_schema", "only_matching_schedule",
"dedup", "large_block", "embed", "compressed"
]:
if data[should_be_false]:
verrors.add(
should_be_false,
"Legacy replication does not support this option")
if data["direction"] != "PUSH":
verrors.add(
"direction",
"Only push application is allowed for Legacy transport")
if len(data["source_datasets"]) != 1:
verrors.add(
"source_datasets",
"You can only have one source dataset for legacy replication"
)
if data["retries"] != 1:
verrors.add("retries",
"This value should be 1 for legacy replication")
# Common for all directions and transports
for i, source_dataset in enumerate(data["source_datasets"]):
for snapshot_task in snapshot_tasks:
if is_child(source_dataset, snapshot_task["dataset"]):
if data["recursive"]:
for exclude in snapshot_task["exclude"]:
if exclude not in data["exclude"]:
verrors.add(
"exclude",
f"You should exclude {exclude!r} as bound periodic snapshot "
f"task dataset {snapshot_task['dataset']!r} does"
)
else:
if source_dataset in snapshot_task["exclude"]:
verrors.add(
f"source_datasets.{i}",
f"Dataset {source_dataset!r} is excluded by bound "
f"periodic snapshot task for dataset "
f"{snapshot_task['dataset']!r}")
if not data["recursive"] and data["exclude"]:
verrors.add(
"exclude",
"Excluding child datasets is only supported for recursive replication"
)
for i, v in enumerate(data["exclude"]):
if not any(
v.startswith(ds + "/") for ds in data["source_datasets"]):
verrors.add(
f"exclude.{i}",
"This dataset is not a child of any of source datasets")
if data["schedule"]:
if not data["auto"]:
verrors.add(
"schedule",
"You can't have schedule for replication that does not run automatically"
)
else:
if data["only_matching_schedule"]:
verrors.add(
"only_matching_schedule",
"You can't have only-matching-schedule without schedule")
if data["retention_policy"] == "CUSTOM":
if data["lifetime_value"] is None:
verrors.add(
"lifetime_value",
"This field is required for custom retention policy")
if data["lifetime_unit"] is None:
verrors.add(
"lifetime_value",
"This field is required for custom retention policy")
else:
if data["lifetime_value"] is not None:
verrors.add(
"lifetime_value",
"This field has no sense for specified retention policy")
if data["lifetime_unit"] is not None:
verrors.add(
"lifetime_unit",
"This field has no sense for specified retention policy")
if data["enabled"]:
for i, snapshot_task in enumerate(snapshot_tasks):
if not snapshot_task["enabled"]:
verrors.add(
f"periodic_snapshot_tasks.{i}",
"You can't bind disabled periodic snapshot task to enabled replication task"
)
return verrors
def __ca_sign_csr(self, data, schema_name):
verrors = ValidationErrors()
ca_data = self.middleware.call_sync('certificateauthority.query',
([('id', '=', data['ca_id'])]))
csr_cert_data = self.middleware.call_sync(
'certificate.query', [('id', '=', data['csr_cert_id'])])
if not ca_data:
verrors.add(
f'{schema_name}.ca_id',
f'No Certificate Authority found for id {data["ca_id"]}')
else:
ca_data = ca_data[0]
if not ca_data.get('privatekey'):
verrors.add(
f'{schema_name}.ca_id',
'Please use a CA which has a private key assigned')
if not csr_cert_data:
verrors.add(f'{schema_name}.csr_cert_id',
f'No Certificate found for id {data["csr_cert_id"]}')
else:
csr_cert_data = csr_cert_data[0]
if not csr_cert_data.get('CSR'):
verrors.add(f'{schema_name}.csr_cert_id',
'No CSR has been filed by this certificate')
else:
try:
csr = crypto.load_certificate_request(
crypto.FILETYPE_PEM, csr_cert_data['CSR'])
except crypto.Error:
verrors.add(f'{schema_name}.csr_cert_id', 'CSR not valid')
if verrors:
raise verrors
cert_info = crypto.load_certificate(crypto.FILETYPE_PEM,
ca_data['certificate'])
PKey = load_private_key(ca_data['privatekey'])
serial = self.middleware.call_sync(
'certificateauthority.get_serial_for_certificate', ca_data['id'])
cert = crypto.X509()
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(86400 * 365 * 10)
cert.set_issuer(cert_info.get_subject())
cert.set_subject(csr.get_subject())
cert.set_pubkey(csr.get_pubkey())
cert.sign(PKey, ca_data['digest_algorithm'])
new_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()
new_csr = {
'type': CERT_TYPE_INTERNAL,
'name': data['name'],
'certificate': new_cert,
'privatekey': csr_cert_data['privatekey'],
'create_type': 'CERTIFICATE_CREATE',
'signedby': ca_data['id']
}
new_csr_dict = self.middleware.call_sync('certificate.create', new_csr)
return new_csr_dict
async def do_update(self, pk, data):
"""
Update attributes of an existing user.
"""
user = await self._get_instance(pk)
verrors = ValidationErrors()
if 'group' in data:
group = await self.middleware.call('datastore.query',
'account.bsdgroups',
[('id', '=', data['group'])])
if not group:
verrors.add('user_update.group',
f'Group {data["group"]} not found', errno.ENOENT)
group = group[0]
else:
group = user['group']
user['group'] = group['id']
await self.__common_validation(verrors, data, 'user_update', pk=pk)
home = data.get('home') or user['home']
has_home = home != '/nonexistent'
# root user (uid 0) is an exception to the rule
if data.get('sshpubkey'
) and not home.startswith('/mnt') and user['uid'] != 0:
verrors.add('user_update.sshpubkey',
'Home directory is not writable, leave this blank"')
# Do not allow attributes to be changed for builtin user
if user['builtin']:
for i in ('group', 'home', 'home_mode', 'uid', 'username'):
if i in data:
verrors.add(f'user_update.{i}',
'This attribute cannot be changed')
verrors.check()
must_change_pdb_entry = False
for k in ('username', 'password', 'locked'):
new_val = data.get(k)
old_val = user.get(k)
if new_val is not None and old_val != new_val:
if k == 'username':
try:
await self.middleware.call("smb.remove_passdb_user",
old_val)
except Exception:
self.logger.debug(
"Failed to remove passdb entry for user [%s]",
old_val,
exc_info=True)
must_change_pdb_entry = True
# Copy the home directory if it changed
if (has_home and 'home' in data and data['home'] != user['home']
and not data['home'].startswith(f'{user["home"]}/')):
home_copy = True
home_old = user['home']
else:
home_copy = False
# After this point user dict has values from data
user.update(data)
if home_copy and not os.path.isdir(user['home']):
try:
os.makedirs(user['home'])
await self.middleware.call(
'filesystem.chown', {
'path': user['home'],
'uid': user['uid'],
'gid': group['bsdgrp_gid'],
})
except OSError:
self.logger.warn('Failed to chown homedir', exc_info=True)
if not os.path.isdir(user['home']):
raise CallError(f'{user["home"]} is not a directory')
home_mode = user.pop('home_mode', None)
if user['builtin']:
home_mode = None
def set_home_mode():
if home_mode is not None:
try:
# Strip ACL before chmod. This is required when aclmode = restricted
setfacl = subprocess.run(
['/bin/setfacl', '-b', user['home']], check=False)
if setfacl.returncode != 0 and setfacl.stderr:
self.logger.debug('Failed to strip ACL: %s',
setfacl.stderr.decode())
os.chmod(user['home'], int(home_mode, 8))
except OSError:
self.logger.warn('Failed to set homedir mode',
exc_info=True)
try:
update_sshpubkey_args = [
home_old if home_copy else user['home'],
user,
group['bsdgrp_group'],
]
await self.update_sshpubkey(*update_sshpubkey_args)
except PermissionError as e:
self.logger.warn('Failed to update authorized keys', exc_info=True)
raise CallError(f'Failed to update authorized keys: {e}')
else:
if user['uid'] == 0:
if await self.middleware.call('failover.licensed'):
try:
await self.middleware.call('failover.call_remote',
'user.update_sshpubkey',
update_sshpubkey_args)
except Exception:
self.logger.error(
'Failed to sync root ssh pubkey to standby node',
exc_info=True)
if home_copy:
def do_home_copy():
try:
command = f"/bin/cp -a {shlex.quote(home_old) + '/'} {shlex.quote(user['home'] + '/')}"
subprocess.run(
["/usr/bin/su", "-", user["username"], "-c", command],
check=True)
except subprocess.CalledProcessError as e:
self.logger.warn(f"Failed to copy homedir: {e}")
set_home_mode()
asyncio.ensure_future(self.middleware.run_in_thread(do_home_copy))
elif has_home:
asyncio.ensure_future(self.middleware.run_in_thread(set_home_mode))
user.pop('sshpubkey', None)
await self.__set_password(user)
if 'groups' in user:
groups = user.pop('groups')
await self.__set_groups(pk, groups)
user = await self.user_compress(user)
await self.middleware.call('datastore.update', 'account.bsdusers', pk,
user, {'prefix': 'bsdusr_'})
await self.middleware.call('service.reload', 'user')
if user['smb'] and must_change_pdb_entry:
await self.__set_smbpasswd(user['username'])
return pk
async def validate_rsync_task(self, data, schema):
verrors = ValidationErrors()
# Windows users can have spaces in their usernames
# http://www.freebsd.org/cgi/query-pr.cgi?pr=164808
username = data.get('user')
if ' ' in username:
verrors.add(f'{schema}.user', 'User names cannot have spaces')
raise verrors
user = await self.middleware.call(
'notifier.get_user_object',
username
)
if not user:
verrors.add(f'{schema}.user', f'Provided user "{username}" does not exist')
raise verrors
remote_host = data.get('remotehost')
if not remote_host:
verrors.add(f'{schema}.remotehost', 'Please specify a remote host')
if data.get('extra'):
data['extra'] = ' '.join(data['extra'])
else:
data['extra'] = ''
mode = data.get('mode')
if not mode:
verrors.add(f'{schema}.mode', 'This field is required')
remote_module = data.get('remotemodule')
if mode == 'MODULE' and not remote_module:
verrors.add(f'{schema}.remotemodule', 'This field is required')
if mode == 'SSH':
remote_port = data.get('remoteport')
if not remote_port:
verrors.add(f'{schema}.remoteport', 'This field is required')
remote_path = data.get('remotepath')
if not remote_path:
verrors.add(f'{schema}.remotepath', 'This field is required')
search = os.path.join(user['pw_dir'], '.ssh', 'id_[edr]*')
exclude_from_search = os.path.join(user['pw_dir'], '.ssh', 'id_[edr]*pub')
key_files = set(glob.glob(search)) - set(glob.glob(exclude_from_search))
if not key_files:
verrors.add(
f'{schema}.user',
'In order to use rsync over SSH you need a user'
' with a private key (DSA/ECDSA/RSA) set up in home dir.'
)
else:
for file in glob.glob(search):
if '.pub' not in file:
# file holds a private key and it's permissions should be 600
if os.stat(file).st_mode & 0o077 != 0:
verrors.add(
f'{schema}.user',
f'Permissions {oct(os.stat(file).st_mode & 0o777)} for {file} are too open. Please '
f'correct them by running chmod 600 {file}'
)
if(
data.get('validate_rpath') and
remote_path and
remote_host and
remote_port
):
if '@' in remote_host:
remote_username, remote_host = remote_host.rsplit('@', 1)
else:
remote_username = username
try:
with (await asyncio.wait_for(asyncssh.connect(
remote_host,
port=remote_port,
username=remote_username,
client_keys=key_files,
known_hosts=None
), timeout=5)) as conn:
await conn.run(f'test -d {shlex.quote(remote_path)}', check=True)
except asyncio.TimeoutError:
verrors.add(
f'{schema}.remotehost',
'SSH timeout occurred. Remote path cannot be validated.'
)
except OSError as e:
if e.errno == 113:
verrors.add(
f'{schema}.remotehost',
f'Connection to the remote host {remote_host} on port {remote_port} failed.'
)
else:
verrors.add(
f'{schema}.remotehost',
e.__str__()
)
except asyncssh.DisconnectError as e:
verrors.add(
f'{schema}.remotehost',
f'Disconnect Error[ error code {e.code} ] was generated when trying to '
f'communicate with remote host {remote_host} and remote user {remote_username}.'
)
except asyncssh.ProcessError as e:
if e.code == '1':
verrors.add(
f'{schema}.remotepath',
'The Remote Path you specified does not exist or is not a directory.'
'Either create one yourself on the remote machine or uncheck the '
'validate_rpath field'
)
else:
verrors.add(
f'{schema}.remotepath',
f'Connection to Remote Host was successful but failed to verify '
f'Remote Path. {e.__str__()}'
)
except asyncssh.Error as e:
if e.__class__.__name__ in e.__str__():
exception_reason = e.__str__()
else:
exception_reason = e.__class__.__name__ + ' ' + e.__str__()
verrors.add(
f'{schema}.remotepath',
f'Remote Path could not be validated. An exception was raised. {exception_reason}'
)
elif data.get('validate_rpath'):
verrors.add(
f'{schema}.remotepath',
'Remote path could not be validated because of missing fields'
)
data.pop('validate_rpath', None)
# Keeping compatibility with legacy UI
for field in ('mode', 'direction'):
data[field] = data[field].lower()
return verrors, data
async def do_update(self, data):
"""
Update NFS Service Configuration.
`servers` represents number of servers to create.
When `allow_nonroot` is set, it allows non-root mount requests to be served.
`bindip` is a list of IP's on which NFS will listen for requests. When it is unset/empty, NFS listens on
all available addresses.
`v4` when set means that we switch from NFSv3 to NFSv4.
`v4_v3owner` when set means that system will use NFSv3 ownership model for NFSv4.
`v4_krb` will force NFS shares to fail if the Kerberos ticket is unavailable.
`v4_domain` overrides the default DNS domain name for NFSv4.
`mountd_port` specifies the port mountd(8) binds to.
`rpcstatd_port` specifies the port rpc.statd(8) binds to.
`rpclockd_port` specifies the port rpclockd_port(8) binds to.
.. examples(websocket)::
Update NFS Service Configuration to listen on 192.168.0.10 and use NFSv4
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "pool.resilver.update",
"params": [{
"bindip": [
"192.168.0.10"
],
"v4": true
}]
}
"""
if data.get("v4") is False:
data.setdefault("v4_v3owner", False)
old = await self.config()
new = old.copy()
new.update(data)
verrors = ValidationErrors()
new_v4_krb_enabled = (
new["v4_krb"] or await self.middleware.call("kerberos.keytab.query")
)
if new["v4"] and new_v4_krb_enabled and not await self.middleware.call("system.is_freenas"):
if await self.middleware.call("failover.licensed"):
gc = await self.middleware.call("datastore.config", "network.globalconfiguration")
if not gc["gc_hostname_virtual"] or not gc["gc_domain"]:
verrors.add(
"nfs_update.v4",
"Enabling kerberos authentication on TrueNAS HA requires setting the virtual hostname and "
"domain"
)
if osc.IS_LINUX:
if len(new['bindip']) > 1:
verrors.add('nfs_update.bindip', 'Listening on more than one address is not supported')
bindip_choices = await self.bindip_choices()
for i, bindip in enumerate(new['bindip']):
if bindip not in bindip_choices:
verrors.add(f'nfs_update.bindip.{i}', 'Please provide a valid ip address')
if new["v4"] and new_v4_krb_enabled and await self.middleware.call('activedirectory.get_state') != "DISABLED":
"""
In environments with kerberized NFSv4 enabled, we need to tell winbindd to not prefix
usernames with the short form of the AD domain. Directly update the db and regenerate
the smb.conf to avoid having a service disruption due to restarting the samba server.
"""
if await self.middleware.call('smb.get_smb_ha_mode') == 'LEGACY':
raise ValidationError(
'nfs_update.v4',
'Enabling kerberos authentication on TrueNAS HA requires '
'the system dataset to be located on a data pool.'
)
ad = await self.middleware.call('activedirectory.config')
await self.middleware.call(
'datastore.update',
'directoryservice.activedirectory',
ad['id'],
{'ad_use_default_domain': True}
)
await self.middleware.call('etc.generate', 'smb')
await self.middleware.call('service.reload', 'cifs')
if not new["v4"] and new["v4_v3owner"]:
verrors.add("nfs_update.v4_v3owner", "This option requires enabling NFSv4")
if new["v4_v3owner"] and new["userd_manage_gids"]:
verrors.add(
"nfs_update.userd_manage_gids", "This option is incompatible with NFSv3 ownership model for NFSv4")
if not new["v4"] and new["v4_domain"]:
verrors.add("nfs_update.v4_domain", "This option does not apply to NFSv3")
if verrors:
raise verrors
await self.nfs_compress(new)
await self._update_service(old, new)
await self.nfs_extend(new)
return new
async def validate_general_settings(self, data, schema):
verrors = ValidationErrors()
language = data.get('language')
if language:
system_languages = self.language_choices()
if language not in system_languages.keys():
verrors.add(
f'{schema}.language',
f'Specified "{language}" language not found, kindly correct it'
)
# kbd map needs work
timezone = data.get('timezone')
if timezone:
timezones = await self.timezone_choices()
if timezone not in timezones:
verrors.add(
f'{schema}.timezone',
'Please select a correct timezone'
)
ip_addresses = await self.middleware.call(
'interfaces.ip_in_use'
)
ip4_addresses_list = [alias_dict['address'] for alias_dict in ip_addresses if alias_dict['type'] == 'INET']
ip6_addresses_list = [alias_dict['address'] for alias_dict in ip_addresses if alias_dict['type'] == 'INET6']
ip4_address = data.get('ui_address')
if (
ip4_address and
ip4_address != '0.0.0.0' and
ip4_address not in ip4_addresses_list
):
verrors.add(
f'{schema}.ui_address',
'Selected ipv4 address is not associated with this machine'
)
ip6_address = data.get('ui_v6address')
if (
ip6_address and
ip6_address != '::' and
ip6_address not in ip6_addresses_list
):
verrors.add(
f'{schema}.ui_v6address',
'Selected ipv6 address is not associated with this machine'
)
syslog_server = data.get('syslogserver')
if syslog_server:
match = re.match("^[\w\.\-]+(\:\d+)?$", syslog_server)
if not match:
verrors.add(
f'{schema}.syslogserver',
'Invalid syslog server format'
)
elif ':' in syslog_server:
port = int(syslog_server.split(':')[-1])
if port < 0 or port > 65535:
verrors.add(
f'{schema}.syslogserver',
'Port specified should be between 0 - 65535'
)
protocol = data.get('ui_protocol')
if protocol:
if protocol != 'HTTP':
certificate_id = data.get('ui_certificate')
if not certificate_id:
verrors.add(
f'{schema}.ui_certificate',
'Protocol has been selected as HTTPS, certificate is required'
)
else:
# getting fingerprint for certificate
fingerprint = await self.middleware.call(
'certificate.get_fingerprint_of_cert',
certificate_id
)
if fingerprint:
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
syslog.syslog(syslog.LOG_ERR, 'Fingerprint of the certificate used in UI : ' + fingerprint)
syslog.closelog()
else:
# Two reasons value is None - certificate not found - error while parsing the certificate for
# fingerprint
verrors.add(
f'{schema}.ui_certificate',
'Kindly check if the certificate has been added to the system and it is a valid certificate'
)
return verrors
async def do_update(self, data):
"""
Update SMB Service Configuration.
`netbiosname` defaults to the original hostname of the system.
`workgroup` and `netbiosname` should have different values.
`enable_smb1` allows legacy SMB clients to connect to the server when enabled.
`localmaster` when set, determines if the system participates in a browser election.
`domain_logons` is used to provide netlogin service for older Windows clients if enabled.
`guest` attribute is specified to select the account to be used for guest access. It defaults to "nobody".
`nullpw` when enabled allows the users to authorize access without a password.
`hostlookup` when enabled, allows using hostnames rather then IP addresses in "hostsallow"/"hostsdeny" fields
of SMB Shares.
"""
old = await self.config()
new = old.copy()
new.update(data)
verrors = ValidationErrors()
if data.get('unixcharset') and data[
'unixcharset'] not in await self.unixcharset_choices():
verrors.add('smb_update.unixcharset',
'Please provide a valid value for unixcharset')
for i in ('workgroup', 'netbiosname', 'netbiosname_b', 'netbiosalias'):
if i not in data or not data[i]:
continue
if i == 'netbiosalias':
for idx, item in enumerate(data[i]):
if not await self.__validate_netbios_name(item):
verrors.add(f'smb_update.{i}.{idx}',
f'Invalid NetBIOS name: {item}')
else:
if not await self.__validate_netbios_name(data[i]):
verrors.add(f'smb_update.{i}',
f'Invalid NetBIOS name: {data[i]}')
if new['netbiosname'] and new['netbiosname'].lower(
) == new['workgroup'].lower():
verrors.add('smb_update.netbiosname',
'NetBIOS and Workgroup must be unique')
if data.get('bindip'):
bindip_choices = list((await self.bindip_choices()).keys())
for idx, item in enumerate(data['bindip']):
if item not in bindip_choices:
verrors.add(
f'smb_update.bindip.{idx}',
f'IP address [{item}] is not a configured address for this server'
)
for i in ('filemask', 'dirmask'):
if i not in data or not data[i]:
continue
try:
if int(data[i], 8) & ~0o11777:
raise ValueError('Not an octet')
except (ValueError, TypeError):
verrors.add(f'smb_update.{i}', 'Not a valid mask')
if new['admin_group'] and new['admin_group'] != old['admin_group']:
await self.middleware.call('smb.add_admin_group',
new['admin_group'])
if verrors:
raise verrors
# TODO: consider using bidict
for k, v in LOGLEVEL_MAP.items():
if new['loglevel'] == v:
new['loglevel'] = k
break
await self.compress(new)
await self._update_service(old, new)
await self.reset_smb_ha_mode()
return await self.config()
async def do_update(self, pk, data):
"""
Update attributes of an existing user.
"""
user = await self._get_instance(pk)
verrors = ValidationErrors()
if 'group' in data:
group = await self.middleware.call('datastore.query', 'account.bsdgroups', [
('id', '=', data['group'])
])
if not group:
verrors.add('user_update.group', f'Group {data["group"]} not found', errno.ENOENT)
group = group[0]
else:
group = user['group']
user['group'] = group['id']
await self.__common_validation(verrors, data, 'user_update', pk=pk)
try:
st = os.stat(user.get("home", "/nonexistent")).st_mode
old_mode = f'{stat.S_IMODE(st):03o}'
except FileNotFoundError:
old_mode = None
home = data.get('home') or user['home']
has_home = home != '/nonexistent'
# root user (uid 0) is an exception to the rule
if data.get('sshpubkey') and not home.startswith('/mnt') and user['uid'] != 0:
verrors.add('user_update.sshpubkey', 'Home directory is not writable, leave this blank"')
# Do not allow attributes to be changed for builtin user
if user['builtin']:
for i in ('group', 'home', 'home_mode', 'uid', 'username', 'smb'):
if i in data and data[i] != user[i]:
verrors.add(f'user_update.{i}', 'This attribute cannot be changed')
if not user['smb'] and data.get('smb') and not data.get('password'):
# Changing from non-smb user to smb user requires re-entering password.
verrors.add('user_update.smb',
'Password must be changed in order to enable SMB authentication')
verrors.check()
must_change_pdb_entry = False
for k in ('username', 'password', 'locked'):
new_val = data.get(k)
old_val = user.get(k)
if new_val is not None and old_val != new_val:
if k == 'username':
try:
await self.middleware.call("smb.remove_passdb_user", old_val)
except Exception:
self.logger.debug("Failed to remove passdb entry for user [%s]",
old_val, exc_info=True)
must_change_pdb_entry = True
if user['smb'] is True and data.get('smb') is False:
try:
must_change_pdb_entry = False
await self.middleware.call("smb.remove_passdb_user", user['username'])
except Exception:
self.logger.debug("Failed to remove passdb entry for user [%s]",
user['username'], exc_info=True)
if user['smb'] is False and data.get('smb') is True:
must_change_pdb_entry = True
# Copy the home directory if it changed
if (
has_home and
'home' in data and
data['home'] != user['home'] and
not data['home'].startswith(f'{user["home"]}/')
):
home_copy = True
home_old = user['home']
else:
home_copy = False
# After this point user dict has values from data
user.update(data)
if home_copy and not os.path.isdir(user['home']):
try:
os.makedirs(user['home'])
mode_to_set = user.get('home_mode')
if not mode_to_set:
mode_to_set = '700' if old_mode is None else old_mode
perm_job = await self.middleware.call('filesystem.setperm', {
'path': user['home'],
'uid': user['uid'],
'gid': group['bsdgrp_gid'],
'mode': mode_to_set,
'options': {'stripacl': True},
})
await perm_job.wait()
except OSError:
self.logger.warn('Failed to chown homedir', exc_info=True)
if not os.path.isdir(user['home']):
raise CallError(f'{user["home"]} is not a directory')
home_mode = user.pop('home_mode', None)
if user['builtin']:
home_mode = None
try:
update_sshpubkey_args = [
home_old if home_copy else user['home'], user, group['bsdgrp_group'],
]
await self.update_sshpubkey(*update_sshpubkey_args)
except PermissionError as e:
self.logger.warn('Failed to update authorized keys', exc_info=True)
raise CallError(f'Failed to update authorized keys: {e}')
else:
if user['uid'] == 0:
if await self.middleware.call('failover.licensed'):
try:
await self.middleware.call('failover.call_remote', 'user.update_sshpubkey', update_sshpubkey_args)
except Exception:
self.logger.error('Failed to sync root ssh pubkey to standby node', exc_info=True)
if home_copy:
"""
Background copy of user home directoy to new path as the user in question.
"""
await self.middleware.call('user.do_home_copy', home_old, user['home'], user['username'], home_mode, user['uid'])
elif has_home and home_mode is not None:
"""
A non-recursive call to set permissions should return almost immediately.
"""
perm_job = await self.middleware.call('filesystem.setperm', {
'path': user['home'],
'mode': home_mode,
'options': {'stripacl': True},
})
await perm_job.wait()
user.pop('sshpubkey', None)
await self.__set_password(user)
if 'groups' in user:
groups = user.pop('groups')
await self.__set_groups(pk, groups)
user = await self.user_compress(user)
await self.middleware.call('datastore.update', 'account.bsdusers', pk, user, {'prefix': 'bsdusr_'})
await self.middleware.call('service.reload', 'user')
if user['smb'] and must_change_pdb_entry:
await self.__set_smbpasswd(user['username'])
return pk
async def do_update(self, id, data):
"""
Update SMB Share of `id`.
"""
verrors = ValidationErrors()
path = data.get('path')
old = await self.middleware.call(
'datastore.query', self._config.datastore, [('id', '=', id)], {
'extend': self._config.datastore_extend,
'prefix': self._config.datastore_prefix,
'get': True
})
new = old.copy()
new.update(data)
oldname = 'homes' if old['home'] else old['name']
newname = 'homes' if new['home'] else new['name']
new['vuid'] = await self.generate_vuid(new['timemachine'], new['vuid'])
await self.clean(new, 'sharingsmb_update', verrors, id=id)
await self.validate(new, 'sharingsmb_update', verrors, old=old)
if verrors:
raise verrors
if path and not os.path.exists(path):
try:
os.makedirs(path)
except OSError as e:
raise CallError(f'Failed to create {path}: {e}')
if old['purpose'] != new['purpose']:
await self.apply_presets(new)
await self.compress(new)
await self.middleware.call('datastore.update', self._config.datastore,
id, new,
{'prefix': self._config.datastore_prefix})
enable_aapl = await self.check_aapl(new)
if newname != oldname:
# This is disruptive change. Share is actually being removed and replaced.
# Forcibly closes any existing SMB sessions.
await self.close_share(oldname)
try:
await self.middleware.call('sharing.smb.reg_delshare', oldname)
except Exception:
self.logger.warning('Failed to remove stale share [%s]',
old['name'],
exc_info=True)
await self.middleware.call('sharing.smb.reg_addshare', new)
else:
diff = await self.middleware.call(
'sharing.smb.diff_middleware_and_registry', new['name'], new)
share_name = new['name'] if not new['home'] else 'homes'
await self.middleware.call('sharing.smb.apply_conf_diff',
'REGISTRY', share_name, diff)
await self.extend(new) # same here ?
if enable_aapl:
await self._service_change('cifs', 'restart')
else:
await self._service_change('cifs', 'reload')
return new
async def do_update(self, data):
"""
`hostname` list of ip addresses or hostnames of LDAP servers with
which to communicate in order of preference. Failover only occurs
if the current LDAP server is unresponsive.
`basedn` specifies the default base DN to use when performing ldap
operations. The base must be specified as a Distinguished Name in LDAP
format.
`binddn` specifies the default bind DN to use when performing ldap
operations. The bind DN must be specified as a Distinguished Name in
LDAP format.
`anonbind` use anonymous authentication.
`ssl` establish SSL/TLS-protected connections to the LDAP server(s).
GSSAPI signing is disabled on SSL/TLS-protected connections if
kerberos authentication is used.
`certificate` LDAPs client certificate to be used for certificate-
based authentication.
`validate_certificates` specifies whether to perform checks on server
certificates in a TLS session. If enabled, TLS_REQCERT demand is set.
The server certificate is requested. If no certificate is provided or
if a bad certificate is provided, the session is immediately terminated.
If disabled, TLS_REQCERT allow is set. The server certificate is
requested, but all errors are ignored.
`kerberos_realm` in which the server is located. This parameter is
only required for SASL GSSAPI authentication to the remote LDAP server.
`kerberos_principal` kerberos principal to use for SASL GSSAPI
authentication to the remote server. If `kerberos_realm` is specified
without a keytab, then the `binddn` and `bindpw` are used to
perform to obtain the ticket necessary for GSSAPI authentication.
`timeout` specifies a timeout (in seconds) after which calls to
synchronous LDAP APIs will abort if no response is received.
`dns_timeout` specifies the timeout (in seconds) after which the
poll(2)/select(2) following a connect(2) returns in case of no activity
for openldap. For nslcd this specifies the time limit (in seconds) to
use when connecting to the directory server. This directly impacts the
length of time that the LDAP service tries before failing over to
a secondary LDAP URI.
`idmap_backend` provides a plugin interface for Winbind to use varying
backends to store SID/uid/gid mapping tables. The correct setting
depends on the environment in which the NAS is deployed. The default is
to use idmap_ldap with the same LDAP configuration as the main LDAP
service.
`has_samba_schema` determines whether to configure samba to use the
ldapsam passdb backend to provide SMB access to LDAP users. This feature
requires the presence of Samba LDAP schema extensions on the remote
LDAP server.
"""
verrors = ValidationErrors()
must_reload = False
old = await self.config()
new = old.copy()
new.update(data)
await self.common_validate(new, old, verrors)
if verrors:
raise verrors
if old != new:
must_reload = True
if new['enable']:
try:
await self.middleware.call('ldap.ldap_validate', new)
except Exception as e:
raise ValidationError('ldap_update', str(e))
await self.ldap_compress(new)
await self.middleware.call('datastore.update', 'directoryservice.ldap',
old['id'], new, {'prefix': 'ldap_'})
if must_reload:
if new['enable']:
await self.middleware.call('ldap.start')
else:
await self.middleware.call('ldap.stop')
return await self.config()
async def do_update(self, pk, data):
user = await self._get_instance(pk)
verrors = ValidationErrors()
if 'group' in data:
group = await self.middleware.call('datastore.query',
'account.bsdgroups',
[('id', '=', data['group'])])
if not group:
verrors.add('group', f'Group {data["group"]} not found',
errno.ENOENT)
group = group[0]
else:
group = user['group']
user['group'] = group['id']
await self.__common_validation(verrors, data, pk=pk)
home = data.get('home') or user['home']
# root user (uid 0) is an exception to the rule
if data.get('sshpubkey'
) and not home.startswith('/mnt') and user['uid'] != 0:
verrors.add('sshpubkey',
'Home directory is not writable, leave this blank"')
# Do not allow attributes to be changed for builtin user
if user['builtin']:
for i in ('group', 'home', 'home_mode', 'uid', 'username'):
if i in data:
verrors.add(i, 'This attribute cannot be changed')
if verrors:
raise verrors
# Copy the home directory if it changed
if ('home' in data
and data['home'] not in (user['home'], '/nonexistent')
and not data["home"].startswith(f'{user["home"]}/')):
home_copy = True
home_old = user['home']
else:
home_copy = False
user.update(data)
password = await self.__set_password(user)
await self.__update_sshpubkey(user, group['bsdgrp_group'])
home_mode = user.pop('home_mode', None)
if home_mode is not None:
if not user['builtin'] and os.path.exists(user['home']):
try:
os.chmod(user['home'], int(home_mode, 8))
except OSError:
self.logger.warn('Failed to set homedir mode',
exc_info=True)
if home_copy:
def do_home_copy():
subprocess.run(
f"su - {user['username']} -c '/bin/cp -a {home_old}/* {user['home']}/'"
)
asyncio.ensure_future(self.middleware.threaded(do_home_copy))
if 'groups' in user:
groups = user.pop('groups')
await self.__set_groups(pk, groups)
await self.middleware.call('datastore.update', 'account.bsdusers', pk,
user, {'prefix': 'bsdusr_'})
await self.middleware.call('service.reload', 'user')
await self.__set_smbpasswd(user['username'], password)
return pk
async def do_create(self, data):
"""
Create a Replication Task
Create a Replication Task that will push or pull ZFS snapshots to or from remote host..
* `name` specifies a name for replication task
* `direction` specifies whether task will `PUSH` or `PULL` snapshots
* `transport` is a method of snapshots transfer:
* `SSH` transfers snapshots via SSH connection. This method is supported everywhere but does not achieve
great performance
`ssh_credentials` is a required field for this transport (Keychain Credential ID of type `SSH_CREDENTIALS`)
* `SSH+NETCAT` uses unencrypted connection for data transfer. This can only be used in trusted networks
and requires a port (specified by range from `netcat_active_side_port_min` to `netcat_active_side_port_max`)
to be open on `netcat_active_side`
`ssh_credentials` is also required for control connection
* `LOCAL` replicates to or from localhost
* `LEGACY` uses legacy replication engine prior to FreeNAS 11.3
* `source_datasets` is a non-empty list of datasets to replicate snapshots from
* `target_dataset` is a dataset to put snapshots into. It must exist on target side
* `recursive` and `exclude` have the same meaning as for Periodic Snapshot Task
* `periodic_snapshot_tasks` is a list of periodic snapshot task IDs that are sources of snapshots for this
replication task. Only push replication tasks can be bound to periodic snapshot tasks.
* `naming_schema` is a list of naming schemas for pull replication
* `also_include_naming_schema` is a list of naming schemas for push replication
* `auto` allows replication to run automatically on schedule or after bound periodic snapshot task
* `schedule` is a schedule to run replication task. Only `auto` replication tasks without bound periodic
snapshot tasks can have a schedule
* `restrict_schedule` restricts when replication task with bound periodic snapshot tasks runs. For example,
you can have periodic snapshot tasks that run every 15 minutes, but only run replication task every hour.
* Enabling `only_matching_schedule` will only replicate snapshots that match `schedule` or
`restrict_schedule`
* `allow_from_scratch` will destroy all snapshots on target side and replicate everything from scratch if none
of the snapshots on target side matches source snapshots
* `hold_pending_snapshots` will prevent source snapshots from being deleted by retention of replication fails
for some reason
* `retention_policy` specifies how to delete old snapshots on target side:
* `SOURCE` deletes snapshots that are absent on source side
* `CUSTOM` deletes snapshots that are older than `lifetime_value` and `lifetime_unit`
* `NONE` does not delete any snapshots
* `compression` compresses SSH stream. Available only for SSH transport
* `speed_limit` limits speed of SSH stream. Available only for SSH transport
* `dedup`, `large_block`, `embed` and `compressed` are various ZFS stream flag documented in `man zfs send`
* `retries` specifies number of retries before considering replication failed
.. examples(websocket)::
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "replication.create",
"params": [{
"name": "Work Backup",
"direction": "PUSH",
"transport": "SSH",
"ssh_credentials": [12],
"source_datasets", ["data/work"],
"target_dataset": "repl/work",
"recursive": true,
"periodic_snapshot_tasks": [5],
"auto": true,
"restrict_schedule": {
"minute": "0",
"hour": "*/2",
"dom": "*",
"month": "*",
"dow": "1,2,3,4,5",
"begin": "09:00",
"end": "18:00"
},
"only_matching_schedule": true,
"retention_policy": "CUSTOM",
"lifetime_value": 1,
"lifetime_unit": "WEEK",
}]
}
"""
verrors = ValidationErrors()
verrors.add_child("replication_create", await self._validate(data))
if verrors:
raise verrors
periodic_snapshot_tasks = data["periodic_snapshot_tasks"]
await self.compress(data)
id = await self.middleware.call(
"datastore.insert", self._config.datastore, data,
{"prefix": self._config.datastore_prefix})
await self._set_periodic_snapshot_tasks(id, periodic_snapshot_tasks)
await self.middleware.call("service.restart", "cron")
await self.middleware.call("zettarepl.update_tasks")
return await self._get_instance(id)
async def do_create(self, data):
"""
Create a Periodic Snapshot Task
Create a Periodic Snapshot Task that will take snapshots of specified `dataset` at specified `schedule`.
Recursive snapshots can be created if `recursive` flag is enabled. You can `exclude` specific child datasets
or zvols from the snapshot.
Snapshots will be automatically destroyed after a certain amount of time, specified by
`lifetime_value` and `lifetime_unit`.
If multiple periodic tasks create snapshots at the same time (for example hourly and daily at 00:00) the snapshot
will be kept until the last of these tasks reaches its expiry time.
Snapshots will be named according to `naming_schema` which is a `strftime`-like template for snapshot name
and must contain `%Y`, `%m`, `%d`, `%H` and `%M`.
.. examples(websocket)::
Create a recursive Periodic Snapshot Task for dataset `data/work` excluding `data/work/temp`. Snapshots
will be created on weekdays every hour from 09:00 to 18:00 and will be stored for two weeks.
:::javascript
{
"id": "6841f242-840a-11e6-a437-00e04d680384",
"msg": "method",
"method": "pool.snapshottask.create",
"params": [{
"dataset": "data/work",
"recursive": true,
"exclude": ["data/work/temp"],
"lifetime_value": 2,
"lifetime_unit": "WEEK",
"naming_schema": "auto_%Y-%m-%d_%H-%M",
"schedule": {
"minute": "0",
"hour": "*",
"dom": "*",
"month": "*",
"dow": "1,2,3,4,5",
"begin": "09:00",
"end": "18:00"
}
}]
}
"""
verrors = ValidationErrors()
verrors.add_child('periodic_snapshot_create', await
self._validate(data))
if verrors:
raise verrors
Cron.convert_schedule_to_db_format(data, begin_end=True)
data['id'] = await self.middleware.call(
'datastore.insert', self._config.datastore, data,
{'prefix': self._config.datastore_prefix})
await self.middleware.call('zettarepl.update_tasks')
return await self._get_instance(data['id'])
async def do_update(self, id, data):
"""
Update `id` IPMI Configuration.
`ipaddress` is a valid ip which will be used to connect to the IPMI interface.
`netmask` is the subnet mask associated with `ipaddress`.
`dhcp` is a boolean value which if unset means that `ipaddress`, `netmask` and `gateway` must be set.
"""
if not await self.is_loaded():
raise CallError('The ipmi device could not be found')
verrors = ValidationErrors()
if data.get('password') and len(data.get('password')) > 20:
verrors.add(
'ipmi_update.password',
'A maximum of 20 characters are allowed'
)
if not data.get('dhcp'):
for k in ['ipaddress', 'netmask', 'gateway']:
if not data.get(k):
verrors.add(
f'ipmi_update.{k}',
'This field is required when dhcp is not given'
)
if verrors:
raise verrors
args = ['ipmitool', 'lan', 'set', str(id)]
rv = 0
if data.get('dhcp'):
rv |= (await run(*args, 'ipsrc', 'dhcp', check=False)).returncode
else:
rv |= (await run(*args, 'ipsrc', 'static', check=False)).returncode
rv |= (await run(*args, 'ipaddr', data['ipaddress'], check=False)).returncode
rv |= (await run(*args, 'netmask', data['netmask'], check=False)).returncode
rv |= (await run(*args, 'defgw', 'ipaddr', data['gateway'], check=False)).returncode
rv |= (await run(
*args, 'vlan', 'id', str(data['vlan']) if data.get('vlan') else 'off'
)).returncode
rv |= (await run(*args, 'access', 'on', check=False)).returncode
rv |= (await run(*args, 'auth', 'USER', 'MD2,MD5', check=False)).returncode
rv |= (await run(*args, 'auth', 'OPERATOR', 'MD2,MD5', check=False)).returncode
rv |= (await run(*args, 'auth', 'ADMIN', 'MD2,MD5', check=False)).returncode
rv |= (await run(*args, 'auth', 'CALLBACK', 'MD2,MD5', check=False)).returncode
# Setting arp have some issues in some hardwares
# Do not fail if setting these couple settings do not work
# See #15578
await run(*args, 'arp', 'respond', 'on', check=False)
await run(*args, 'arp', 'generate', 'on', check=False)
if data.get('password'):
rv |= (await run(
'ipmitool', 'user', 'set', 'password', '2', data.get('password'),
)).returncode
rv |= (await run('ipmitool', 'user', 'enable', '2')).returncode
# XXX: according to dwhite, this needs to be executed off the box via
# the lanplus interface.
# rv |= (await run('ipmitool', 'sol', 'set', 'enabled', 'true', '1')).returncode
# )
return rv
