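def _gen_and_copy_cert(args):
    """
    Generate rsyslog client certs if they don't exist, or if regeneration was
    requested with "force-new-certs".

    The key pair is produced on the primary log server
    (config.general.get_log_server_hostname1()) by its
    syco-gen-rsyslog-client-keys.sh script and then fetched with
    general.retrieve_from_server(), which, judging by its verify_local /
    remove_remote_files arguments, checks the local copies and deletes the
    remote ones afterwards.

    Args:
        args: command-line argument list; only the presence of the literal
            "force-new-certs" is inspected.
    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # crt_dir already ends in "/", so ca.crt is built the same way as the host
    # cert/key (the old form produced "/etc/pki/rsyslog//ca.crt").
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn),
        "{0}{1}.key".format(crt_dir, fqdn),
        "{0}ca.crt".format(crt_dir),
    ]

    # Nothing to do when every file is present and no regeneration was asked for.
    if 'force-new-certs' not in args and _all_files_exist(cert_files):
        app.print_verbose("Found all certs and force-new-certs was not specified so not updating certificates")
        return

    # Generate the certs on the remote machine. fqdn is interpolated into a
    # remote shell command; it is derived from the local hostname and the syco
    # config, not from remote input.
    general.wait_for_server_root_login(srv)
    general.run_remote_command(srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(fqdn))

    # Retrieve the certs
    general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
    general.retrieve_from_server(srv, "/etc/pki/rsyslog/{0}*".format(net.get_hostname()), crt_dir, verify_local=cert_files, remove_remote_files=True)

    # Restore SELinux labels and keep the private key readable by root only.
    x("restorecon -r /etc/pki/rsyslog")
    x("chmod 600 /etc/pki/rsyslog/*")
    x("chown root:root /etc/pki/rsyslog/*")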
def __init__(self):
    # NOTE(review): only these statements of the constructor are visible in
    # this listing; the values computed below are not used within them.
    # Front/back addresses of this host, looked up by its hostname.
    server_front_ip = config.host(net.get_hostname()).get_front_ip()
    server_back_ip = config.host(net.get_hostname()).get_back_ip()
    # CIDR of the network each address belongs to, from the configured netmasks.
    server_network_front = net.get_network_cidr(server_front_ip, config.general.get_front_netmask())
    server_network_back = net.get_network_cidr(server_back_ip, config.general.get_back_netmask())
def install_mail_client(args):
    """
    Install a local postfix MTA that accepts mail on localhost only and relays
    everything else to the mailrelay server. Also installs mailx.

    See line comments in install_mail_server.

    Args:
        args: command-line arguments (unused here).
    """
    # A host that will later run the postfix server must not get the client config.
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    # Guard against running the install twice on the same host.
    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    # general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    postfix_main_cf.replace("#myhostname = host.domain.tld", "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain()))  # monitor.syco.com
    postfix_main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain()))  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen only on localhost
    # NOTE(review): the next replace swaps a line for itself and so changes
    # nothing; it presumably relies on the stock main.cf already containing
    # "inet_interfaces = localhost" — verify against the shipped default.
    postfix_main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    # Trust only the loopback address as a submitting client.
    postfix_main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    postfix_main_cf.replace("mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost")

    # Relay everything not for local machine to mailrelay.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains = {0}".format(config.general.get_resolv_domain()))
    # Brackets make postfix use the relay host name as-is (no MX lookup).
    postfix_main_cf.replace("#relayhost = $mydomain", "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name()))
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin (send_test_mail reads the address from args[1]).
    send_test_mail((None, config.general.get_admin_email()))
def send_test_mail(args):
    '''
    Send a test e-mail with mailx, to args[1] when given, otherwise to the
    configured admin address.

    Args:
        args: argv-style sequence; args[1], if present, is the recipient.
    '''
    app.print_verbose("Send testmail for " + get_hostname())
    recipient = config.general.get_admin_email()
    if len(args) > 1:
        recipient = args[1]
    # The recipient is interpolated into a shell pipeline as-is; it comes from
    # the command line or the admin config, not from remote input.
    x('echo "" | mail -s "Test email from {0}" {1}'.format(get_hostname(), recipient))
def send_test_mail(args):
    '''
    Send a test e-mail with mailx, to args[1] when given, otherwise to the
    configured admin address.

    Args:
        args: argv-style sequence; args[1], if present, is the recipient.
    '''
    app.print_verbose("Send testmail for " + get_hostname())
    recipient = config.general.get_admin_email()
    if len(args) > 1:
        recipient = args[1]
    # The recipient is interpolated into a shell pipeline as-is; it comes from
    # the command line or the admin config, not from remote input.
    x('echo "" | mail -s "Test email from {0}" {1}'.format(get_hostname(), recipient))
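def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server.

    Creates a self-signed CA (ca.key / ca.crt) under /etc/pki/rsyslog from the
    template.ca copied out of /opt/syco/var/rsyslog, then installs the server
    template and the client key generator script next to it.

    NOTE: This needs to be executed once a year.

    Args:
        args: command-line arguments (unused here).
    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))
    hostname = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA
    # NOTE(review): ca.key is left with whatever mode certtool gives it; the
    # client-side copy code tightens its files to 0600 but nothing here does —
    # worth confirming the resulting permissions on the server.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      "--outfile /etc/pki/rsyslog/ca.crt "
      "--template {0}".format(template_ca))

    # Copy server template and cert/key generator script
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(target_template))
    # The FQDN built above is `hostname`; the previous code passed an undefined
    # name (`fqdn`) here, which raised NameError at this point.
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly; 0700 so only root runs it.
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(generator_script))
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))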
def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server and for every client
    defined in install.cfg.

    NOTE: This needs to be executed once a year.

    Args:
        args: command-line arguments (unused here).
    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template and fill in its tags with this host's FQDN.
    ca_template = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(ca_template))
    server_fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(ca_template, server_fqdn)

    # Making CA: private key first, then a self-signed cert from the template.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key --outfile /etc/pki/rsyslog/ca.crt --template {0}".format(ca_template))

    #
    # Create rsyslog SERVER cert
    #
    for server in get_servers():
        _create_cert(server)
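def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server.

    Creates a self-signed CA (ca.key / ca.crt) under /etc/pki/rsyslog from the
    template.ca copied out of /opt/syco/var/rsyslog, then installs the server
    template and the client key generator script next to it.

    NOTE: This needs to be executed once a year.

    Args:
        args: command-line arguments (unused here).
    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))
    hostname = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA
    # NOTE(review): ca.key is left with whatever mode certtool gives it; the
    # client-side copy code tightens its files to 0600 but nothing here does —
    # worth confirming the resulting permissions on the server.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      "--outfile /etc/pki/rsyslog/ca.crt "
      "--template {0}".format(template_ca))

    # Copy server template and cert/key generator script
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(target_template))
    # The FQDN built above is `hostname`; the previous code passed an undefined
    # name (`fqdn`) here, which raised NameError at this point.
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly; 0700 so only root runs it.
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(generator_script))
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))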
def rsyslog_newcerts(args):
    '''
    Generate new TLS certs for the rsyslog server and for every client
    defined in install.cfg.

    NOTE: This needs to be executed once a year.

    Args:
        args: command-line arguments (unused here).
    '''
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template and fill in its tags with this host's FQDN.
    ca_template = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(ca_template))
    server_fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(ca_template, server_fqdn)

    # Making CA: private key first, then a self-signed cert from the template.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key --outfile /etc/pki/rsyslog/ca.crt --template {0}".format(ca_template))

    #
    # Create rsyslog SERVER cert
    #
    for server in get_servers():
        _create_cert(server)
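def add_haproxy_chain():
    """
    Add the iptables chain that opens the haproxy frontend ports.

    Removes any existing chain first and does nothing further unless
    /etc/haproxy/haproxy.cfg exists on this host. Ports 80-84 and 443 are
    always opened; extra ports come from the host option
    "haproxy.target-ports" (comma separated).
    """
    del_haproxy_chain()
    if not os.path.exists('/etc/haproxy/haproxy.cfg'):
        return

    app.print_verbose("Add iptables chain for haproxy")

    # Create chains.
    iptables("-N haproxy_inout")
    iptables("-A syco_input -p tcp -j haproxy_inout")
    iptables("-A syco_output -p tcp -j haproxy_inout")
    iptables("-A haproxy_inout -p tcp -m multiport --dports 80:84 -j allowed_tcp")
    iptables("-A haproxy_inout -p tcp -m multiport --dports 443 -j allowed_tcp")

    # Each entry is interpolated into an iptables command line, so strip the
    # whitespace an admin may have typed after the commas and skip empty
    # entries (an unset option yields [""]).
    raw_ports = config.host(net.get_hostname()).get_option("haproxy.target-ports", default_value="")
    for port in (entry.strip() for entry in raw_ports.split(",")):
        if port:
            iptables("-A haproxy_inout -p tcp -m multiport --dports %s -j allowed_tcp" % port)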
def _install_nrpe_plugins_dependencies(): """Install libraries/binaries that the NRPE-plugins depend on.""" # Dependency for check_rsyslog x("yum install -y MySQL-python") # Dependency for check_clamav x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable") x("yum install -y perl-suidperl") x( """cat > /etc/sudoers.d/nrpe << EOF Defaults:nrpe !requiretty nrpe ALL=NOPASSWD:{0}check_clamav nrpe ALL=NOPASSWD:{0}check_clamscan nrpe ALL=NOPASSWD:{0}check_disk nrpe ALL=NOPASSWD:{0}get_services nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs EOF """.format( PLG_PATH ) ) # Dependency for check_clamscan x("yum install -y perl-Proc-ProcessTable perl-Date-Calc") # Dependency for check_ldap x("yum install -y php-ldap php-cli") # Dependency for check_iostat x("yum install -y sysstat") # Dependency for hosts/firewall hardware checks host_config_object = config.host(net.get_hostname()) if host_config_object.is_host() or host_config_object.is_firewall(): install.hp_repo() x("yum -y install hp-health hpacucli") # Let nrpe run hpasmcli and hpacucli x( """cat >> /etc/sudoers.d/nrpe << EOF nrpe ALL=NOPASSWD:/sbin/hpasmcli nrpe ALL=NOPASSWD:{0}check_hpasm nrpe ALL=NOPASSWD:/sbin/hpacucli nrpe ALL=NOPASSWD:{0}check_hparray EOF """.format( PLG_PATH ) ) # Dependency for check_ulimit x("yum install -y lsof") # Set ulimit values to take affect after reboot x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf") # Kernel wont parse anything but read-only in sudoers. So chmod it. x("chmod 0440 /etc/sudoers.d/nrpe")
def install_mysql_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured. Both this host's front IP and the
    host option "repl_peer" are reconfigured in turn through mysql_exec.

    Args:
        args: command-line arguments (unused here).
    """
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")
    # Block until the peer's mysqld accepts connections on 3306.
    general.wait_for_server_to_start(repl_peer, "3306")

    # One shared replication password, used in both directions.
    repl_password = general.generate_password(20)

    for ip in [current_host_config.get_front_ip(), repl_peer]:
        mysql_exec("stop slave;", True, ip)
        # NOTE(review): the '******' literals below look like redaction
        # placeholders rather than the real account name/password — confirm
        # against the original source before relying on this listing.
        mysql_exec("delete from mysql.user where User = '******';", True, ip)
        mysql_exec("flush privileges;", True, ip)
        # The password and peer address are spliced into SQL without quoting
        # or escaping; they come from generate_password() and the host config,
        # so a generated password containing a quote character would break
        # the statement (depends on generate_password's alphabet — verify).
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + repl_peer + "' IDENTIFIED BY '" + repl_password + "';", True, ip)
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + current_host_config.get_front_ip() + "' IDENTIFIED BY '" + repl_password + "';", True, ip)
        # Each side replicates from the other.
        if ip == current_host_config.get_front_ip():
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + repl_peer + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        else:
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + current_host_config.get_front_ip() + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe, the list of commands the nrpe user may
    run through sudo without a password. Every entry there widens what a
    compromised NRPE process can do, so keep it to plugins that really need
    it. PLG_PATH is the plugin directory prefix used in those entries.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")
    # "cat >" overwrites the file, so this is the complete base list.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli ("cat >>" appends to the base list).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take affect after reboot
    # NOTE(review): this appends unconditionally, so every re-run adds another
    # copy of the two lines to limits.conf.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # Kernel wont parse anything but read-only in sudoers. So chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")
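def send_test_mail(args, additional_emails_to_test=None):
    """
    Send a test e-mail with mailx to args[1] when given, otherwise to the
    configured admin address, then one more to each additional address.

    Args:
        args: argv-style sequence; args[1], if present, is the recipient.
        additional_emails_to_test: optional sequence of extra recipients.
            Defaults to None (no extra mails) rather than a shared mutable
            list.
    """
    app.print_verbose("Send testmail for " + get_hostname())
    try:
        email = args[1]
    except IndexError:
        email = config.general.get_admin_email()
    # Recipients are interpolated into a shell pipeline as-is; they come from
    # the command line or the syco config, not from remote input.
    x('echo "" | mail -s "Test email from {0}. Installation complete!" {1}'.format(get_hostname(), email))

    for extra in additional_emails_to_test or []:
        app.print_verbose("Send additional test mail to: %s" % extra)
        # The earlier template ended in a stray "." right after the address,
        # which became part of the recipient handed to mail.
        x('echo "" | mail -s "Test email from {0} to {1}" {1}'.format(get_hostname(), extra))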
def test_general(self):
    """
    Smoke-test the net helpers on the fixture host this suite runs on.

    The expected values (interface map, 10.100.100.231, hostname
    fo-tp-dalitst) are specific to that host, so the test only passes there.
    """
    self.assertEqual(net.get_all_interfaces(), {'sit0': None, 'lo': '127.0.0.1', 'eth0': '10.100.100.231'})
    self.assertEqual(net.get_interface_ip("eth0"), "10.100.100.231")
    self.assertEqual(net.get_lan_ip(), "10.100.100.231")
    # Expected: reversed dotted quad, then the first three octets.
    self.assertEqual(net.reverse_ip("1.2.3.4"), "4.3.2.1")
    self.assertEqual(net.get_ip_class_c("1.2.3.4"), "1.2.3")
    self.assertEqual(net.num_of_eth_interfaces(), 1)
    self.assertEqual(net.get_hostname(), "fo-tp-dalitst")
def install_ntp_client(args):
    """
    Point this host at the configured NTP server.

    Skipped on hosts that will later run install-ntp-server themselves.

    Args:
        args: command-line arguments (unused here).
    """
    host_config = config.host(net.get_hostname())
    if host_config.has_command_re("install-ntp-server"):
        app.print_verbose("This server will later install the ntp server, abort client installation.")
        return
    install_ntp(config.general.get_ntp_server_ip())
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe, the list of commands the nrpe user may
    run through sudo without a password. Every entry there widens what a
    compromised NRPE process can do, so keep it to plugins that really need
    it. PLG_PATH is the plugin directory prefix used in those entries.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")
    # "cat >" overwrites the file, so this is the complete base list.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli ("cat >>" appends to the base list).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take affect after reboot
    # NOTE(review): this appends unconditionally, so every re-run adds another
    # copy of the two lines to limits.conf.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # Kernel wont parse anything but read-only in sudoers. So chmod it.
    x("chmod 0440 /etc/sudoers.d/nrpe")
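def send_test_mail(args, additional_emails_to_test=None):
    """
    Send a test e-mail with mailx to args[1] when given, otherwise to the
    configured admin address, then one more to each additional address.

    Args:
        args: argv-style sequence; args[1], if present, is the recipient.
        additional_emails_to_test: optional sequence of extra recipients.
            Defaults to None (no extra mails) rather than a shared mutable
            list.
    """
    app.print_verbose("Send testmail for " + get_hostname())
    try:
        email = args[1]
    except IndexError:
        email = config.general.get_admin_email()
    # Recipients are interpolated into a shell pipeline as-is; they come from
    # the command line or the syco config, not from remote input.
    x('echo "" | mail -s "Test email from {0}. Installation complete!" {1}'.format(get_hostname(), email))

    for extra in additional_emails_to_test or []:
        app.print_verbose("Send additional test mail to: %s" % extra)
        x('echo "" | mail -s "Test email from {0} to {1}" {1}'.format(get_hostname(), extra))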
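def add_rsyslog_chain(context=None):
    """
    Rsyslog IPtables rules

    Rsyslog Server
    Servers in network -> IN -> tcp -> 514 -> Rsyslog Server

    Rsyslog Client
    Rsyslog Server <- OUT <- tcp <- 514 <- Rsyslog Client

    Args:
        context: "server" or "client" to force a role; when None the role is
            derived from the host's syco command list.
    """
    del_rsyslog_chain()
    app.print_verbose("Add iptables chain for rsyslog")
    iptables("-N rsyslog_in")
    iptables("-N rsyslog_out")
    iptables("-A syco_input -p all -j rsyslog_in")
    iptables("-A syco_output -p all -j rsyslog_out")

    syco_command_names = config.host(net.get_hostname()).get_syco_command_names()

    # The role used to be compared with `is`, which tests object identity and
    # is not a reliable string comparison; `==` is the intended check.
    if "install-rsyslogd" in syco_command_names or context == "server":
        # On rsyslog server: accept new 514/tcp and 514/udp connections from
        # the back and front subnets only.
        back_subnet = config.general.get_back_subnet()
        front_subnet = config.general.get_front_subnet()
        for proto, target in (("tcp", "allowed_tcp"), ("udp", "allowed_udp")):
            for subnet in (back_subnet, front_subnet):
                iptables(" -A rsyslog_in -m state --state NEW -p %s -s %s --dport 514 -j %s" % (proto, subnet, target))

    elif "install-rsyslogd-client" in syco_command_names or context == "client":
        # On rsyslog client: allow outbound 514/tcp to both log servers.
        log_servers = (config.general.get_log_server_hostname1(), config.general.get_log_server_hostname2())
        for log_server in log_servers:
            iptables("-A rsyslog_out -m state --state NEW -p tcp -d %s --dport 514 -j allowed_tcp" % log_server)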
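def __init__(self):
    """
    Collect this host's addresses/networks and the mailrelay alias config.

    Appends to self.server_ips and self.server_networks and fills
    self.virtual_alias_domains and self.virtual_aliases, all of which must
    already exist on the instance (they are not created here). Exits the
    process when no front/back address is configured or when a virtual alias
    row is malformed.
    """
    netmasks = {}

    # Add localhost IP/netmask
    local_ip = "127.0.0.1"
    self.server_ips.append(local_ip)
    netmasks[local_ip] = "255.0.0.0"

    # Add IPs for front/back net if they exist.
    host_config = config.host(net.get_hostname())
    front_ip = host_config.get_front_ip()
    if front_ip:
        self.server_ips.append(front_ip)
        netmasks[front_ip] = config.general.get_front_netmask()

    back_ip = host_config.get_back_ip()
    if config.general.is_back_enabled() and back_ip:
        self.server_ips.append(back_ip)
        netmasks[back_ip] = config.general.get_back_netmask()

    # Only localhost was found.
    if len(self.server_ips) < 2:
        app.print_error("Didn't find any valid IP addresses from front or back net. Exiting")
        sys.exit(1)

    for ip in self.server_ips:
        self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

    self.virtual_alias_domains = config.general.get_option("mailrelay.virtual_alias_domains", "")

    # Rows are "<alias> <target>", several rows separated by ";".
    for alias_row in config.general.get_option("mailrelay.virtual_aliases", "").split(";"):
        if len(alias_row.strip()) == 0:
            # Skip empty rows (e.g. a trailing ";"). The loop used to `break`
            # here, which silently dropped every row after an empty one.
            continue
        split_row = alias_row.split(" ", 1)
        if len(split_row) != 2:
            app.print_error(
                "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                "separated by semicolon. Found \"%s\"" % alias_row)
            sys.exit(1)
        self.virtual_aliases[split_row[0]] = split_row[1]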
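def _configure_squid():
    """
    Install the syco squid configuration and (re)start the service.

    Wipes /etc/squid, copies the *.conf, acl/ and services/ files from
    SYCO_PLUGIN_PATH into SQUID_CONF_DIR and fills in the ${ENV_IP} and
    ${FRONT_IP} placeholders in squid.conf. SQUID_CONF_DIR is concatenated
    both with and without a separating "/" below, so it must end in "/".
    """
    x("rm -rf /etc/squid/*")
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    x("mkdir -p %s/acl" % (SQUID_CONF_DIR))
    x("mkdir -p %s/services" % (SQUID_CONF_DIR))
    x("cp %s/acl/* %sacl/" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    x("cp %s/services/* %sservices/" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))

    # Look the host config up once instead of three times.
    host_config = config.host(net.get_hostname())
    front_ip = host_config.get_front_ip()
    env_ip = front_ip
    if config.general.is_back_enabled():
        # prefer backnet if enabled
        env_ip = host_config.get_back_ip()

    squid_conf = scopen.scOpen(SQUID_CONF_DIR + "squid.conf")
    squid_conf.replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    squid_conf.replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")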
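def _gen_and_copy_cert(args):
    """
    Generate rsyslog client certs if they don't exist, or if regeneration was
    requested with "force-new-certs".

    The key pair is produced on the primary log server
    (config.general.get_log_server_hostname1()) by its
    syco-gen-rsyslog-client-keys.sh script and then fetched with
    general.retrieve_from_server(), which, judging by its verify_local /
    remove_remote_files arguments, checks the local copies and deletes the
    remote ones afterwards.

    Args:
        args: command-line argument list; only the presence of the literal
            "force-new-certs" is inspected.
    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # crt_dir already ends in "/", so ca.crt is built the same way as the host
    # cert/key (the old form produced "/etc/pki/rsyslog//ca.crt").
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn),
        "{0}{1}.key".format(crt_dir, fqdn),
        "{0}ca.crt".format(crt_dir),
    ]

    # Nothing to do when every file is present and no regeneration was asked for.
    if 'force-new-certs' not in args and _all_files_exist(cert_files):
        app.print_verbose("Found all certs and force-new-certs was not specified so not updating certificates")
        return

    # Generate the certs on the remote machine. fqdn is interpolated into a
    # remote shell command; it is derived from the local hostname and the syco
    # config, not from remote input.
    general.wait_for_server_root_login(srv)
    general.run_remote_command(srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(fqdn))

    # Retrieve the certs
    general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
    general.retrieve_from_server(srv, "/etc/pki/rsyslog/{0}*".format(net.get_hostname()), crt_dir, verify_local=cert_files, remove_remote_files=True)

    # Restore SELinux labels and keep the private key readable by root only.
    x("restorecon -r /etc/pki/rsyslog")
    x("chmod 600 /etc/pki/rsyslog/*")
    x("chown root:root /etc/pki/rsyslog/*")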
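def _configure_squid():
    """
    Install the syco squid configuration and (re)start the service.

    Wipes /etc/squid, copies the *.conf, acl/ and services/ files from
    SYCO_PLUGIN_PATH into SQUID_CONF_DIR and fills in the ${ENV_IP} and
    ${FRONT_IP} placeholders in squid.conf. SQUID_CONF_DIR is concatenated
    both with and without a separating "/" below, so it must end in "/".
    """
    x("rm -rf /etc/squid/*")
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    x("mkdir -p %s/acl" % (SQUID_CONF_DIR))
    x("mkdir -p %s/services" % (SQUID_CONF_DIR))
    x("cp %s/acl/* %sacl/" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    x("cp %s/services/* %sservices/" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))

    # Look the host config up once instead of three times.
    host_config = config.host(net.get_hostname())
    front_ip = host_config.get_front_ip()
    env_ip = front_ip
    if config.general.is_back_enabled():
        # prefer backnet if enabled
        env_ip = host_config.get_back_ip()

    squid_conf = scopen.scOpen(SQUID_CONF_DIR + "squid.conf")
    squid_conf.replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    squid_conf.replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")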
def _install_nrpe_plugins_dependencies(): """Install libraries/binaries that the NRPE-plugins depend on.""" # Dependency for check_rsyslog x("yum install -y MySQL-python") # Dependency for check_clamav x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable") x("yum install -y perl-suidperl") x("""cat > /etc/sudoers.d/nrpe << EOF Defaults:nrpe !requiretty nrpe ALL=NOPASSWD:{0}check_clamav nrpe ALL=NOPASSWD:{0}check_clamscan nrpe ALL=NOPASSWD:{0}check_disk nrpe ALL=NOPASSWD:{0}get_services nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs EOF """.format(PLG_PATH)) # Dependency for check_clamscan x("yum install -y perl-Proc-ProcessTable perl-Date-Calc") # Dependency for check_ldap x("yum install -y php-ldap php-cli") # Dependency for check_iostat x("yum install -y sysstat") # Dependency for hosts/firewall hardware checks host_config_object = config.host(net.get_hostname()) if host_config_object.is_host() or host_config_object.is_firewall(): install.hp_repo() x("yum -y install hp-health hpacucli") # Let nrpe run hpasmcli and hpacucli x("""cat >> /etc/sudoers.d/nrpe << EOF nrpe ALL=NOPASSWD:/sbin/hpasmcli nrpe ALL=NOPASSWD:{0}check_hpasm nrpe ALL=NOPASSWD:/sbin/hpacucli nrpe ALL=NOPASSWD:{0}check_hparray EOF """.format(PLG_PATH)) # Dependency for check_ulimit x("yum install -y lsof") # Set ulimit values to take affect after reboot x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf" ) # Kernel wont parse anything but read-only in sudoers. So chmod it. x("chmod 0440 /etc/sudoers.d/nrpe")
def _replace_tags():
    '''
    Replace all tags in /etc/rsyslog.conf with the appropriate values:
    the two log servers, the resolv domain and this host's FQDN.
    '''
    rsyslog_conf = scOpen("/etc/rsyslog.conf")
    rsyslog_conf.replace('${MASTER}', config.general.get_log_server_hostname1())
    rsyslog_conf.replace('${SLAVE}', config.general.get_log_server_hostname2())
    rsyslog_conf.replace('${DOMAIN}', config.general.get_resolv_domain())
    server_fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    rsyslog_conf.replace('${SERVERNAME}', server_fqdn)
def test_general(self):
    """
    Smoke-test the net helpers on the fixture host this suite runs on.

    The expected values (interface map, 10.100.100.231, hostname
    fo-tp-dalitst) are specific to that host, so the test only passes there.
    """
    self.assertEqual(net.get_all_interfaces(), {
        'sit0': None,
        'lo': '127.0.0.1',
        'eth0': '10.100.100.231'
    })
    self.assertEqual(net.get_interface_ip("eth0"), "10.100.100.231")
    self.assertEqual(net.get_lan_ip(), "10.100.100.231")
    # Expected: reversed dotted quad, then the first three octets.
    self.assertEqual(net.reverse_ip("1.2.3.4"), "4.3.2.1")
    self.assertEqual(net.get_ip_class_c("1.2.3.4"), "1.2.3")
    self.assertEqual(net.num_of_eth_interfaces(), 1)
    self.assertEqual(net.get_hostname(), "fo-tp-dalitst")
def _install_nrpe_plugins(): """Install NRPE-plugins (to be executed remoteley) and SELinux-rules.""" # Install packages and their dependencies. _install_nrpe_plugins_dependencies() x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH)) # Set the sssd password nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg") nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password()) nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname()) nrpe_config.replace( "$(SQLPASS)", app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")) # Set name of main disk host_config = config.host(net.get_hostname()) if host_config.is_guest(): nrpe_config.replace("${MAINDISK}", "vda") elif host_config.is_firewall() or host_config.is_host(): nrpe_config.replace("${MAINDISK}", "sda") # Change ownership of plugins to nrpe (from icinga/nagios) x("chmod -R 550 /usr/lib64/nagios/plugins/") x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/") # Set SELinux roles to allow NRPE execution of binaries such as python/perl. # Corresponding .te-files summarize rule content x("mkdir -p /var/lib/syco_selinux_modules") rule_path_list = list_plugin_files("/var/nagios/selinux_rules") for path in rule_path_list: x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path)) x("semodule -i /var/lib/syco_selinux_modules/*.pp") # Fix some SELinux rules on custom plugins. _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk") _fix_selinux("nagios_services_plugin_exec_t", "check_ldap.php") _fix_selinux("nagios_services_plugin_exec_t", "check_iptables.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*") # TODO?? 
#_fix_selinux("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*") #_fix_selinux("nagios_unconfined_plugin_exec_t", "farpayment_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl") # New in centos 6.7 x("setsebool -P nagios_run_sudo 1")
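def __init__(self):
    """
    Collect this host's addresses/networks and the mailrelay alias config.

    Appends to self.server_ips and self.server_networks and fills
    self.virtual_alias_domains and self.virtual_aliases, all of which must
    already exist on the instance (they are not created here). Exits the
    process when no front/back address is configured or when a virtual alias
    row is malformed.
    """
    netmasks = {}

    # Add localhost IP/netmask
    local_ip = "127.0.0.1"
    self.server_ips.append(local_ip)
    netmasks[local_ip] = "255.0.0.0"

    # Add IPs for front/back net if they exist.
    host_config = config.host(net.get_hostname())
    front_ip = host_config.get_front_ip()
    if front_ip:
        self.server_ips.append(front_ip)
        netmasks[front_ip] = config.general.get_front_netmask()

    back_ip = host_config.get_back_ip()
    if config.general.is_back_enabled() and back_ip:
        self.server_ips.append(back_ip)
        netmasks[back_ip] = config.general.get_back_netmask()

    # Only localhost was found.
    if len(self.server_ips) < 2:
        app.print_error("Didn't find any valid IP addresses from front or back net. Exiting")
        sys.exit(1)

    for ip in self.server_ips:
        self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

    self.virtual_alias_domains = config.general.get_option("mailrelay.virtual_alias_domains", "")

    # Rows are "<alias> <target>", several rows separated by ";".
    for alias_row in config.general.get_option("mailrelay.virtual_aliases", "").split(";"):
        if len(alias_row.strip()) == 0:
            # Skip empty rows (e.g. a trailing ";"). The loop used to `break`
            # here, which silently dropped every row after an empty one.
            continue
        split_row = alias_row.split(" ", 1)
        if len(split_row) != 2:
            app.print_error(
                "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                'separated by semicolon. Found "%s"' % alias_row
            )
            sys.exit(1)
        self.virtual_aliases[split_row[0]] = split_row[1]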
def _install_nrpe_plugins(): """Install NRPE-plugins (to be executed remoteley) and SELinux-rules.""" # Install packages and their dependencies. _install_nrpe_plugins_dependencies() x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH)) for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"): x("cp -p {0}* {1}".format(plugin_path, PLG_PATH)) # Set the sssd password nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg") nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password()) nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname()) nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")) # Set name of main disk host_config = config.host(net.get_hostname()) if host_config.is_guest(): nrpe_config.replace("${MAINDISK}", "vda") elif host_config.is_firewall() or host_config.is_host(): nrpe_config.replace("${MAINDISK}", "sda") # Change ownership of plugins to nrpe (from icinga/nagios) x("chmod -R 550 /usr/lib64/nagios/plugins/") x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/") # Set SELinux roles to allow NRPE execution of binaries such as python/perl. # Corresponding .te-files summarize rule content x("mkdir -p /var/lib/syco_selinux_modules") rule_path_list = list_plugin_files("/var/nagios/selinux_rules") for path in rule_path_list: x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path)) x("semodule -i /var/lib/syco_selinux_modules/*.pp") # Fix some SELinux rules on custom plugins. _fix_selinux("nagios_unconfined_plugin_exec_t", "check_disk") _fix_selinux("nagios_services_plugin_exec_t", "check_ldap.php") _fix_selinux("nagios_services_plugin_exec_t", "check_iptables.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_clam*") # TODO?? 
#_fix_selinux("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*") #_fix_selinux("nagios_unconfined_plugin_exec_t", "farpayment_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py") #_fix_selinux("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_connections.pl") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_procs.sh") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ulimit.py") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hpasm") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_hparray") _fix_selinux("nagios_unconfined_plugin_exec_t", "check_ifutil.pl") # New in centos 6.7 x("setsebool -P nagios_run_sudo 1")
def _copy_cert():
    """Copy this host's TLS cert/key and the CA cert from the rsyslog server.

    The files are fetched with scp into /etc/pki/rsyslog, relabelled for
    SELinux and restricted to root (mode 600) because the set includes the
    private key.
    """
    local_dir = "/etc/pki/rsyslog"
    x("mkdir -p {0}".format(local_dir))
    log_server = config.general.get_log_server_hostname1()

    # Remote files: everything named after this host (cert + key), then the CA.
    remote_paths = [
        "/etc/pki/rsyslog/{0}*".format(net.get_hostname()),
        "/etc/pki/rsyslog/ca.crt",
    ]
    for remote_path in remote_paths:
        scp_from(log_server, remote_path, local_dir)

    # Relabel and lock down; the key must not be readable by anyone but root.
    for cmd in (
        "restorecon -r /etc/pki/rsyslog",
        "chmod 600 /etc/pki/rsyslog/*",
        "chown root:root /etc/pki/rsyslog/*",
    ):
        x(cmd)
def _copy_cert():
    """Fetch the TLS certificates rsyslog needs from the central log server.

    Pulls the host-specific cert/key files and ca.crt into /etc/pki/rsyslog
    via scp, then fixes SELinux labels and restricts the files to root.
    """
    pki_dir = "/etc/pki/rsyslog"
    x("mkdir -p {0}".format(pki_dir))
    server = config.general.get_log_server_hostname1()

    def fetch(remote_file):
        scp_from(server, remote_file, pki_dir)

    # Files on the server are named after this host; the glob picks up both
    # the certificate and the key.
    fetch("/etc/pki/rsyslog/{0}*".format(net.get_hostname()))
    fetch("/etc/pki/rsyslog/ca.crt")

    x("restorecon -r /etc/pki/rsyslog")
    # Key material: root-only.
    x("chmod 600 /etc/pki/rsyslog/*")
    x("chown root:root /etc/pki/rsyslog/*")
def install_mail_client(args):
    """
    Installs a local postfix MTA which accepts email on localhost only and
    relays everything to the mailrelay-server. Also installs mailx.

    Skipped (with a verbose message) when this host is scheduled to run
    install-postfix-server itself.

    See line comments in install_mail_server
    """
    this_host = config.host(net.get_hostname())
    if this_host.has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    client_version = version.Version("Install-postfix-client", SCRIPT_VERSION)
    client_version.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    # general.use_original_file("/etc/postfix/main.cf")
    domain = config.general.get_resolv_domain()
    main_cf_edits = [
        # monitor.syco.com
        ("#myhostname = host.domain.tld",
         "myhostname = {0}.{1}".format(get_hostname(), domain)),
        # syco.com
        ("#mydomain = domain.tld", "mydomain = {0}".format(domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen only on localhost
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Relay everything not for local machine to mailrelay.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(domain)),
        ("#relayhost = $mydomain",
         "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]
    main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for pattern, replacement in main_cf_edits:
        main_cf.replace(pattern, replacement)

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
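def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the few plugins
    that need root (clamav, disk, service and MySQL file checks, and hpasmcli
    on physical hosts) without a password, then makes the file read-only as
    sudo requires.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav.
    # Fix: the original package list had a stray "sudo yum install" pasted
    # into the middle of it, so yum was asked for packages named "yum" and
    # "install" as well. "sudo" is kept: the sudoers rules below need it.
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable sudo perl-suidperl")

    nrpe_sudoers_file = scopen.scOpen("/etc/sudoers.d/nrpe")
    nrpe_sudoers_file.add("Defaults:nrpe !requiretty")
    # Each rule names one absolute plugin path, no wildcards or arguments, so
    # nrpe cannot use sudo for anything but the listed checks.
    for plugin in (
        "check_clamav",
        "check_clamscan",
        "check_disk",
        "get_services",
        "mysql/pmp-check-mysql-deleted-files",
        "mysql/pmp-check-mysql-file-privs",
    ):
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}{1}".format(PLG_PATH, plugin))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        # NOTE(review): install_dir is never used below; the call is kept in
        # case get_install_dir() creates the directory download_file() writes
        # to — confirm and drop the assignment if it does not.
        install_dir = general.get_install_dir()

        # Download and install HP health monitoring package. The md5 passed
        # here is the only integrity check applied to the downloaded package.
        general.download_file(
            HP_HEALTH_URL, HP_HEALTH_FILENAME, md5=HP_HEALTH_MD5
        )
        x("yum install {0} -y".format(HP_HEALTH_FILENAME))

        # Remove their evil crontab
        x("rm -f /etc/cron.d/hp-health")

        # Let nrpe run hpasmcli
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:/sbin/hpasmcli")
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_hpasm".format(PLG_PATH))
        x("service hp-health start")

    # sudo refuses sudoers.d files that are writable, so make it 0440 last.
    x("chmod 0440 /etc/sudoers.d/nrpe")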
def add_mail_relay_chain():
    """Create iptables chains for mail traffic and hook them into syco's chains.

    Incoming SMTP (25/tcp) is only opened when this host is the configured
    mail relay server; every host gets an outbound rule so it can hand mail
    to the relay.
    """
    del_mail_relay_chain()
    app.print_verbose("Add iptables chain for mail relay")

    for chain_cmd in (
        "-N incoming_mail",
        "-N outgoing_mail",
        "-A syco_input -p tcp -j incoming_mail",
        "-A syco_output -p tcp -j outgoing_mail",
    ):
        iptables(chain_cmd)

    smtp_match = "-m state --state NEW -p tcp --dport 25 -j allowed_tcp"
    this_is_the_relay = config.general.get_mail_relay_server() == get_hostname()
    if this_is_the_relay:
        # Allow mailrelay to receive email
        iptables("-A incoming_mail " + smtp_match)

    # Allow all hosts to send mail on DMZ
    iptables("-A outgoing_mail " + smtp_match)
def install_mariadb_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    Reads repl_peer from this host's syco config, waits for the peer to
    listen on 3306, then on both 127.0.0.1 and the peer: stops the slave,
    recreates the replication user with a freshly generated password, points
    each side at the other with CHANGE MASTER, and starts the slave again.
    """
    app.print_verbose(
        "Install MariaDB replication version: %d" % SCRIPT_VERSION
    )
    version_obj = version.Version("install-mariadb-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")
    general.wait_for_server_to_start(repl_peer, "3306")

    # A new 20-character replication password is generated on every run and
    # only ever stored in the two servers' mysql.user tables.
    repl_password = general.generate_password(20)
    front_ip = current_host_config.get_front_ip()

    # The second positional argument to mysql_exec looks like the with_user
    # flag used as a keyword elsewhere in this file — TODO confirm.
    for ip in ["127.0.0.1", repl_peer]:
        mysql_exec("stop slave;", True, ip)
        # NOTE(review): the '******' literals in this loop look like redacted
        # values rather than original source; in particular applying "%" to a
        # format string that has no "%s" raises TypeError. Restore the real
        # statements from the upstream file before relying on this code.
        mysql_exec("delete from mysql.user where User = '******'", True, ip)
        mysql_exec("flush privileges;", True, ip)
        # repl_peer and front_ip are interpolated straight into the GRANT;
        # they come from syco config, not end-user input, and are not escaped.
        mysql_exec(
            "GRANT REPLICATION SLAVE ON *.* TO " +
            "'repl'@'%s' IDENTIFIED BY '%s'," % (repl_peer, repl_password) +
            "'repl'@'%s' IDENTIFIED BY '%s'" % (front_ip, repl_password),
            True, ip)
        # Local server replicates from the peer; the peer replicates from us.
        if ip == "127.0.0.1":
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % repl_peer +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )
        else:
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % front_ip +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
def _setup_rsyslogd():
    """Install syco's rsyslog.conf and create the directory for client logs.

    Substitutes this host's FQDN and the resolv domain into the template,
    then creates /var/log/rsyslog/ as a root-only directory (CIS 5.2.4).
    """
    conf_template = "/opt/syco/var/rsyslog/rsyslogd.conf"
    conf_path = "/etc/rsyslog.conf"
    x("cp -f {0} {1}".format(conf_template, conf_path))
    x("chmod 640 {0}".format(conf_path))

    domain = config.general.get_resolv_domain()
    fqdn = "{0}.{1}".format(net.get_hostname(), domain)
    rsyslog_conf = scOpen(conf_path)
    rsyslog_conf.replace("${SERVERNAME}", fqdn)
    rsyslog_conf.replace("${DOMAIN}", domain)

    # Setup folder to store logs from clients.
    app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    app.print_verbose(" Will not create individual files.")
    log_dir = "/var/log/rsyslog/"
    for cmd in ("mkdir -p", "chown root:root", "chmod 700", "restorecon"):
        x("{0} {1}".format(cmd, log_dir))
def generate_report(app, fullpacket=False, pcapfile=''):
    """Print a summary of contacted hosts and DNS lookups, and dump it as JSON.

    app: application name, or a .pcap path when a capture was analysed
        directly (decides the wording and the JSON file name).
    fullpacket: use get_protos_full() instead of get_protos() per target.
    pcapfile: capture the data came from; its mtime is recorded as the test
        time and, in the application case, its directory receives net.json.
    """
    proto_lookup = get_protos_full if fullpacket else get_protos
    report = {
        'app': app,
        'testtime': os.path.getmtime(pcapfile),
        # This is an un-failable test
        'failedtest': False,
        'targets': net.targets,
        'dnsreqs': net.dnsreqs,
    }

    is_pcap = app.endswith('.pcap')
    if is_pcap:
        subject = 'pcap'
        jsonfile = '%s.%s' % (app, json_output)
    else:
        subject = 'application'
        jsonfile = os.path.join(os.path.dirname(pcapfile), 'net.json')

    print('')
    print('Summary for %s: %s' % (subject, color.bright(color.cyan(app))))
    print('')
    print(color.bright('Hosts contacted:'))
    # For each target (unsorted)
    for target in net.targets:
        protos = proto_lookup(net.targets[target])
        host = net.get_hostname(target)
        print('%s : %s : %s' % (color.bright('CONNECT'), host, ', '.join(protos)))

    print('')
    print(color.bright('DNS queries made:'))
    for dnsreq in net.dnsreqs:
        print('%s : %s' % (color.bright('LOOKUP'), dnsreq))

    with open(jsonfile, 'w') as fp:
        json.dump(report, fp)
def add_httpd_chain():
    """Open iptables for a local httpd and its outbound MySQL connections.

    Does nothing unless /etc/init.d/httpd exists. Inbound 80/443 is allowed;
    outbound 3306 is opened towards each non-empty entry of the comma
    separated "mysql_servers" option in this host's syco config.
    """
    del_httpd_chain()
    if not os.path.exists('/etc/init.d/httpd'):
        return

    app.print_verbose("Add iptables chain for httpd")
    for rule in (
        "-N httpd_input",
        "-N httpd_output",
        "-A syco_input -p ALL -j httpd_input",
        "-A syco_output -p ALL -j httpd_output",
    ):
        iptables(rule)

    app.print_verbose("Setup httpd input rule.")
    iptables("-A httpd_input -p TCP -m multiport --dports 80,443 -j allowed_tcp")

    # We assume this is an application server that requires connection to the
    # syco mysql server.
    host_config = config.host(net.get_hostname())
    configured = host_config.get_option("mysql_servers", "").split(",")
    outbound_rule = "-A httpd_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp"
    for mysql_server in [entry for entry in configured if entry]:
        iptables(outbound_rule % mysql_server)
def _setup_rsyslogd():
    """Install the syco rsyslog.conf template and prepare the client log dir.

    ${SERVERNAME} becomes this host's FQDN and ${DOMAIN} the resolv domain.
    /var/log/rsyslog/ is created root-only per CIS 5.2.4; per-client files
    are left for rsyslog itself to create.
    """
    x("cp -f /opt/syco/var/rsyslog/rsyslogd.conf /etc/rsyslog.conf")
    x("chmod 640 /etc/rsyslog.conf")

    resolv_domain = config.general.get_resolv_domain()
    substitutions = [
        ('${SERVERNAME}', '{0}.{1}'.format(net.get_hostname(), resolv_domain)),
        ('${DOMAIN}', resolv_domain),
    ]
    conf = scOpen("/etc/rsyslog.conf")
    for placeholder, value in substitutions:
        conf.replace(placeholder, value)

    # Setup folder to store logs from clients.
    app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    app.print_verbose(" Will not create individual files.")
    x("mkdir -p /var/log/rsyslog/")
    x("chown root:root /var/log/rsyslog/")
    x("chmod 700 /var/log/rsyslog/")
    x("restorecon /var/log/rsyslog/")
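def add_httpd_chain():
    """Open iptables for a local httpd and its outbound MySQL connections.

    Does nothing unless /etc/init.d/httpd exists. Inbound 80/443 is allowed;
    outbound 3306 is opened to each host listed in the comma separated
    "mysql_servers" option of this host's syco config.
    """
    del_httpd_chain()
    if not os.path.exists('/etc/init.d/httpd'):
        return

    app.print_verbose("Add iptables chain for httpd")
    iptables("-N httpd_input")
    iptables("-N httpd_output")
    iptables("-A syco_input -p ALL -j httpd_input")
    iptables("-A syco_output -p ALL -j httpd_output")

    app.print_verbose("Setup httpd input rule.")
    iptables("-A httpd_input -p TCP -m multiport --dports 80,443 -j allowed_tcp")

    # We assume this is an application server that requires connection to the
    # syco mysql server.
    mysql_servers = config.host(net.get_hostname()).get_option("mysql_servers", "").split(",")
    for mysql_server in mysql_servers:
        # Fix: "".split(",") yields [''] and a trailing comma yields further
        # empty entries; each produced a malformed "-d  --dports" rule.
        if not mysql_server:
            continue
        iptables("-A httpd_output -p TCP -m multiport -d " + mysql_server + " --dports 3306 -j allowed_tcp")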
def add_mysql_chain():
    """Open iptables for the local MySQL server and its replication traffic.

    Only acts when /etc/init.d/mysqld exists. Inbound 3306 is allowed, and
    outbound 3306 is opened towards this host's own front IP and towards the
    configured repl_peer when one is set.
    """
    del_mysql_chain()
    if not os.path.exists('/etc/init.d/mysqld'):
        return

    app.print_verbose("Add iptables chain for mysql")
    for rule in (
        "-N mysql_input",
        "-N mysql_output",
        "-A syco_input -p ALL -j mysql_input",
        "-A syco_output -p ALL -j mysql_output",
        "-A mysql_input -p TCP -m multiport --dports 3306 -j allowed_tcp",
    ):
        iptables(rule)

    # Required for replication.
    host_config = config.host(net.get_hostname())
    peer = host_config.get_option("repl_peer")

    def allow_outbound_mysql(destination):
        iptables("-A mysql_output -p TCP -m multiport -d " + destination + " --dports 3306 -j allowed_tcp")

    allow_outbound_mysql(host_config.get_front_ip())
    if peer is not None:
        allow_outbound_mysql(peer)
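def add_mysql_chain():
    """Open iptables for the local MySQL/MariaDB server and its replication peer.

    Only acts when an init script for mysqld or mysql exists. Inbound 3306 is
    allowed; outbound 3306 is opened towards this host's front IP (if any)
    and towards repl_peer when it is configured to something other than the
    'None' placeholder.
    """
    del_mysql_chain()
    if not (exists('/etc/init.d/mysqld') or exists('/etc/init.d/mysql')):
        return

    app.print_verbose("Add iptables chain for mysql")
    iptables("-N mysql_input")
    iptables("-N mysql_output")
    iptables("-A syco_input -p ALL -j mysql_input")
    iptables("-A syco_output -p ALL -j mysql_output")
    iptables("-A mysql_input -p TCP -m multiport --dports 3306 -j allowed_tcp")

    # Required for replication.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    ip = current_host_config.get_front_ip()
    if ip:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % ip)

    # Fix: the lower-cased value was compared against 'None' (capital N),
    # which can never match, so the default placeholder produced a rule with
    # "-d None".
    if repl_peer and repl_peer.lower() != 'none':
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % repl_peer)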
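def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    Layout: back-net is br0/bond0 on the lowest eth interfaces, front-net is
    br1/bond1 on the next ones. With four or more interfaces each bond gets
    two slaves (eth0+eth1, eth2+eth3); with exactly two, one each (eth0,
    eth1). Any other count raises before the network config is touched.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html
    """
    app.print_verbose("Install bonded bridges host version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # NOTE(review): bare print_verbose rather than app.print_verbose — confirm
    # it is imported in this module, otherwise this line raises NameError.
    print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to " +
        "do that. Maybe because the ifcfg files referars to bond0 instead of " +
        "bonding, or because it loads the module bonding at the same time as " +
        "the alias is created."
    )
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    host_config = config.host(net.get_hostname())
    num_of_if = net.num_of_eth_interfaces()
    front_ip = host_config.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()
    back_ip = host_config.get_back_ip()
    back_netmask = config.general.get_back_netmask()
    back_gw = config.general.get_back_gateway_ip()
    back_resolver = config.general.get_back_resolver_ip()

    if num_of_if >= 4:
        # Fix: the message carried a "{0}" placeholder that was never
        # formatted, so the literal "{0}" was printed instead of the count.
        app.print_verbose(
            "{0} network interfaces was found, and 2 eth interfaces per bond "
            "will be configured.".format(num_of_if)
        )
        slaves_per_bond = 2
    elif num_of_if == 2:
        app.print_verbose(
            "2 network interfaces was found, and 1 eth interfaces per bond "
            "will be configured. There is no point in bonding in this case, "
            "except that we have the same kind of configuration on all hosts. "
        )
        slaves_per_bond = 1
    else:
        app.print_error("To few network interfaces: " + str(num_of_if))
        raise Exception("To few network interfaces: " + str(num_of_if))

    # Setup back-net first (br0/bond0), then front-net (br1/bond1); eth
    # interfaces are handed out in ascending order.
    next_eth = 0
    for bridge, bond, ip, netmask, gw, resolver in (
        ("br0", "bond0", back_ip, back_netmask, back_gw, back_resolver),
        ("br1", "bond1", front_ip, front_netmask, front_gw, front_resolver),
    ):
        setup_bridge(bridge, ip, netmask, gw, resolver)
        setup_bond(bond, bridge)
        for _ in range(slaves_per_bond):
            setup_eth("eth{0}".format(next_eth), bond)
            next_eth += 1

    app.print_verbose("Restart the network service so all changes will be applied.")
    x("service network restart")

    version_obj.mark_executed()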
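def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    Interfaces come from the host's syco config (front/back interface
    lists). When none are configured the eth interfaces are autodetected and
    split evenly between the front net (br1/bond1) and, if enabled, the back
    net (br0/bond0), back-net taking the lowest eth numbers.

    Raises Exception when autodetection finds fewer interfaces than networks.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html
    """
    app.print_verbose("Install bonded bridges host version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # NOTE(review): bare print_verbose rather than app.print_verbose — confirm
    # it is imported in this module, otherwise this line raises NameError.
    print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to " +
        "do that. Maybe because the ifcfg files referars to bond0 instead of " +
        "bonding, or because it loads the module bonding at the same time as " +
        "the alias is created.")
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    host_config = config.host(net.get_hostname())

    # Check if interfaces are defined, otherwise fall back to autodetecting
    front_interfaces = host_config.get_front_interfaces()
    back_interfaces = host_config.get_back_interfaces()
    num_of_if = len(front_interfaces) + len(back_interfaces)
    if num_of_if == 0:
        # Autodetect
        num_of_if = net.num_of_eth_interfaces()

    front_ip = host_config.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()

    net_count = 1
    if config.general.is_back_enabled():
        back_ip = host_config.get_back_ip()
        back_netmask = config.general.get_back_netmask()
        back_gw = config.general.get_back_gateway_ip()
        back_resolver = config.general.get_back_resolver_ip()
        net_count += 1

    if len(front_interfaces) < 1:
        # Use default eth interfaces.
        # Also, if you don't specify front net interfaces, you may not specify
        # back net interfaces.
        if_per_net_count = int(math.floor(num_of_if / net_count))
        # Fix: with fewer detected interfaces than networks the lists below
        # came out empty and slave-less bonds were configured silently, leaving
        # the host unreachable after the network restart. Fail early instead.
        if if_per_net_count < 1:
            app.print_error("To few network interfaces: " + str(num_of_if))
            raise Exception("To few network interfaces: " + str(num_of_if))
        # Back-net takes the lowest eth numbers, front-net the next ones.
        eth_names = ["eth" + str(i) for i in range(if_per_net_count * net_count)]
        if net_count > 1:
            back_interfaces = eth_names[:if_per_net_count]
            front_interfaces = eth_names[if_per_net_count:]
        else:
            front_interfaces = eth_names

    app.print_verbose(
        "Configuring front net bond bond1 with interfaces: {0}".format(
            front_interfaces))
    setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
    setup_bond("bond1", "br1")
    for front_interface in front_interfaces:
        setup_eth(front_interface, "bond1")

    if net_count == 2:
        # NOTE(review): a configured front list with an empty back list still
        # reaches here and creates bond0 without slaves — confirm whether that
        # is intended before tightening the check above.
        app.print_verbose(
            "Found back-net configuration, configuring second bond bond0 with interfaces: {0}"
            .format(back_interfaces))
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        for back_interface in back_interfaces:
            setup_eth(back_interface, "bond0")

    app.print_verbose(
        "Restart the network service so all changes will be applied.")
    x("service network restart")
    # NOTE(review): this overwrites /etc/resolv.conf with a public resolver,
    # discarding the front_resolver configured above and sending this host's
    # DNS queries (internal names included) off-site. Keep only if that is
    # the intended policy.
    x("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf")

    version_obj.mark_executed()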
def _setup_network_interfaces():
    """
    Setup bonded network interfaces and bridges.

    Removes libvirt's default NAT network (virbr0), installs bridge-utils and
    builds br0/bond0 (back-net) and br1/bond1 (front-net) from the detected
    eth interfaces: two slaves per bond with four or more interfaces, one
    slave per bond with exactly two, otherwise the KVM host installation is
    aborted.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html
    """
    # Remove the virbr0, "NAT-interface".
    # http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/chap-Virtualization-Network_Configuration.html
    for cmd in (
        "virsh net-destroy default",
        "virsh net-undefine default",
        "service libvirtd restart",
    ):
        x(cmd)

    # Install network bridge
    install.package("bridge-utils")
    general.set_config_property2("/etc/modprobe.d/syco.conf", "alias bond0 bonding")

    host_config = config.host(net.get_hostname())
    num_of_if = net.num_of_eth_interfaces()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()
    front_netmask = config.general.get_front_netmask()
    front_ip = host_config.get_front_ip()
    back_gw = config.general.get_back_gateway_ip()
    back_resolver = config.general.get_back_resolver_ip()
    back_netmask = config.general.get_back_netmask()
    back_ip = host_config.get_back_ip()

    if num_of_if >= 4:
        slaves_per_bond = 2
    elif num_of_if == 2:
        slaves_per_bond = 1
    else:
        app.print_error("To few network interfaces: " + str(num_of_if))
        _abort_kvm_host_installation()
        return

    # Back-net (br0/bond0) gets the lowest eth numbers, front-net the next.
    next_eth = 0
    for bridge, bond, ip, netmask, gw, resolver in (
        ("br0", "bond0", back_ip, back_netmask, back_gw, back_resolver),
        ("br1", "bond1", front_ip, front_netmask, front_gw, front_resolver),
    ):
        _setup_bridge(bridge, ip, netmask, gw, resolver)
        _setup_bond(bond, bridge)
        for _ in range(slaves_per_bond):
            _setup_eth("eth" + str(next_eth), bond)
            next_eth += 1
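def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    args: [command, server-id, innodb-buffer-pool-size]; both values are
    substituted verbatim into /etc/my.cnf.

    Raises Exception on a wrong argument count or when mysqld_safe is still
    missing after the yum install.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Install the mysql-server packages.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging; otherwise statements typed at the CLI
    # (GRANT ... IDENTIFIED BY included) would be kept in /root/.mysql_history.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment, just preventing mysql to load any modules.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        # Mode 0000, owned by root: nobody can list or enter it.
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise data
    # can get lost when computer get power-failures. Beware that some drives or
    # disk controllers may be unable to disable the write-back cache.
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation. mysql.user is emptied first, so the
    # grants that follow run without credentials (no with_user) until the
    # root accounts have been created.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")
    current_host_config = config.host(net.get_hostname())
    root_password = app.get_mysql_root_password()

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* " +
        "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
        "TO 'backup'@'127.0.0.1' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )
    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # Root is reachable from loopback and from this host's own front IP.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" % (
            root_password,
            root_password,
            current_host_config.get_front_ip(),
            root_password
        )
    )

    # A configured replication peer gets a network-reachable root account.
    repl_peer = current_host_config.get_option("repl_peer")
    if repl_peer:
        # Fix: there was no separator between the password literal and WITH
        # GRANT OPTION ("...'%s'WITH GRANT OPTION"); the spacing now matches
        # the grant above.
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer,
                root_password
            ),
            with_user=True
        )

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()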
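def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    Front/back interface lists are read from the host's syco config; when
    both are empty the eth interfaces are autodetected and divided evenly
    between the front net (br1/bond1) and, if enabled, the back net
    (br0/bond0). The back net takes the lowest eth numbers.

    Raises Exception when autodetection finds fewer interfaces than networks.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html
    """
    app.print_verbose("Install bonded bridges host version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # NOTE(review): bare print_verbose rather than app.print_verbose — confirm
    # it is imported in this module, otherwise this line raises NameError.
    print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to " +
        "do that. Maybe because the ifcfg files referars to bond0 instead of " +
        "bonding, or because it loads the module bonding at the same time as " +
        "the alias is created."
    )
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    host_config = config.host(net.get_hostname())

    # Check if interfaces are defined, otherwise fall back to autodetecting
    front_interfaces = host_config.get_front_interfaces()
    back_interfaces = host_config.get_back_interfaces()
    num_of_if = len(front_interfaces) + len(back_interfaces)
    if num_of_if == 0:
        # Autodetect
        num_of_if = net.num_of_eth_interfaces()

    front_ip = host_config.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()

    net_count = 1
    if config.general.is_back_enabled():
        back_ip = host_config.get_back_ip()
        back_netmask = config.general.get_back_netmask()
        back_gw = config.general.get_back_gateway_ip()
        back_resolver = config.general.get_back_resolver_ip()
        net_count += 1

    if len(front_interfaces) < 1:
        # Use default eth interfaces.
        # Also, if you don't specify front net interfaces, you may not specify
        # back net interfaces.
        if_per_net_count = int(math.floor(num_of_if / net_count))
        # Fix: with fewer detected interfaces than networks the lists came
        # out empty and slave-less bonds were configured without complaint,
        # leaving the host unreachable after "service network restart".
        if if_per_net_count < 1:
            app.print_error("To few network interfaces: " + str(num_of_if))
            raise Exception("To few network interfaces: " + str(num_of_if))
        eth_count = 0
        if net_count > 1:
            back_interfaces = []
            for _ in range(if_per_net_count):
                back_interfaces.append("eth" + str(eth_count))
                eth_count += 1
        front_interfaces = []
        for _ in range(if_per_net_count):
            front_interfaces.append("eth" + str(eth_count))
            eth_count += 1

    app.print_verbose("Configuring front net bond bond1 with interfaces: {0}".format(front_interfaces))
    setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
    setup_bond("bond1", "br1")
    for front_interface in front_interfaces:
        setup_eth(front_interface, "bond1")

    if net_count == 2:
        # NOTE(review): a configured front list with an empty back list still
        # reaches here and creates bond0 without slaves — confirm whether that
        # is intended before tightening the check above.
        app.print_verbose("Found back-net configuration, configuring second bond bond0 with interfaces: {0}".format(back_interfaces))
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        for back_interface in back_interfaces:
            setup_eth(back_interface, "bond0")

    app.print_verbose(
        "Restart the network service so all changes will be applied."
    )
    x("service network restart")
    # NOTE(review): overwrites /etc/resolv.conf with a public resolver,
    # discarding front_resolver configured above and routing this host's DNS
    # queries (internal names included) off-site. Keep only if intended.
    x("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf")

    version_obj.mark_executed()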
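def install_mariadb(args):
    """
    Install and configure the MariaDB-server on the local host.

    args: [command, server-id, innodb-buffer-pool-size]; both values are
    substituted verbatim into /etc/my.cnf.d/my.cnf.

    Raises Exception on a wrong argument count or when mysqld_safe is missing
    after the package install.
    """
    app.print_verbose("Install MariaDB version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMariaDB", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mariadb [server-id] [innodb-buffer-pool-size]"
        )

    # Collect command line parameters
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.get_mysql_root_password()
    app.get_mysql_monitor_password()
    app.get_mysql_backup_password()

    # Install yum packages.
    # NOTE(review): this pipes a script fetched over the network (through a
    # hard-coded proxy) straight into bash as root with no checksum or
    # signature check — a supply-chain exposure. Prefer a vetted local copy
    # of the repo setup or verify the download before executing it.
    x(
        "curl -x 10.101.10.17:3128 -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | "
        "bash"
    )
    x("yum -y install MariaDB-server")
    x("/sbin/chkconfig mysql on")
    if not os.access("/usr/bin/mysqld_safe", os.F_OK):
        raise Exception("Couldn't install mariadb-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mariadb history logging so GRANT statements with passwords do
    # not end up in /root/.mysql_history.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mariadb/my.cnf", "/etc/my.cnf.d/")
    x("chown root:root /etc/my.cnf.d/my.cnf")
    x("chmod 644 /etc/my.cnf.d/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf.d/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    x("service mysql start")

    # Secure the mysql installation. mysql.user is emptied first, so the
    # grants below run without credentials until root exists.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* " +
        "TO 'monitor'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )
    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'localhost' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )
    mysql_exec("DROP DATABASE test;")
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'localhost' IDENTIFIED BY '%s' "
        " WITH GRANT OPTION" % (
            app.get_mysql_root_password()
        )
    )

    # Setup Replication user: the peer gets a network-reachable root account.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    # Fix: the original compared the bound method repl_peer.lower (never
    # called) with 'none', which is always True, so the 'None' placeholder
    # produced a root grant for a host literally named "None".
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer,
                app.get_mysql_root_password()
            )
        )

    # Flush all data
    mysql_exec("RESET MASTER")
    mysql_exec("flush privileges")

    # Display current user settings
    app.print_verbose("Display mysql.db")
    mysql_exec("SELECT host, user FROM mysql.db", with_user=True)
    app.print_verbose("Display mysql.user")
    mysql_exec("SELECT host, user FROM mysql.user", with_user=True)

    version_obj.mark_executed()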
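def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    Args:
        args: command line arguments, expected as
            ``[command, server-id, innodb-buffer-pool-size]``; ``args[1]`` and
            ``args[2]`` are substituted verbatim into the ``my.cnf`` template.

    Raises:
        Exception: when the argument count is wrong or when the server binary
            is missing after the package installation.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Install the mysql-server packages.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: the client would otherwise record
    # statements (including the GRANT ... IDENTIFIED BY below) in clear text.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment, just preventing mysql to load any modules:
    # a root-owned directory with mode 0 cannot be read by the mysql user.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
    os.chmod("/usr/share/mysql/plugins", 0)
    os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise
    # data can get lost when computer get power-failures. Beware that some
    # drives or disk controllers may be unable to disable the write-back cache
    # (TODO: might need to be done from the BIOS instead).
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")

    # Render the template in place. fileinput with inplace=1 redirects stdout
    # into the rewritten file, so every line must be written back as-is;
    # sys.stdout.write keeps that working on both Python 2 and 3.
    import sys
    template = fileinput.FileInput("/etc/my.cnf", inplace=1)
    try:
        for line in template:
            line = line.replace("${server-id}", server_id)
            line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
            sys.stdout.write(line)
    finally:
        template.close()

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    init_script = fileinput.FileInput("/etc/init.d/mysqld", inplace=1)
    try:
        for line in init_script:
            line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
            sys.stdout.write(line)
    finally:
        init_script.close()

    x("service mysqld start")

    # Secure the mysql installation: drop every default account/grant and
    # recreate only the ones this script manages.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())

    # NOTE(review): the passwords below are interpolated into SQL without
    # escaping; a password containing a single quote breaks the statement,
    # and whether mysql_exec also needs shell quoting cannot be seen here.
    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* "
        "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )

    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* "
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # Root is reachable from loopback and from this host's own front IP; all
    # three accounts share the same password (fetched once here).
    root_password = app.get_mysql_root_password()
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" % (
            root_password,
            root_password,
            current_host_config.get_front_ip(),
            root_password
        )
    )
    mysql_exec("flush privileges;")

    # Setup Replication user. The option defaults to the string 'None'; compare
    # the lower-cased *value* (calling .lower(), not comparing the bound
    # method) so an absent peer really skips the remote root grant instead of
    # creating 'root'@'None'.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer, root_password
            ),
            with_user=True
        )

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()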