示例#1
0
def make_jwt(crypto, exp=None, nbf=None, claims=None, customer=None):
    """ Generate a JWT.

    :param crypto a brkt_cli.crypto.Crypto object
    :param exp expiration time as a datetime
    :param nbf not before as a datetime
    :param claims a dictionary of claims
    :param customer customer UUID as a string
    :return the JWT as a string
    """

    kid = jwk.get_thumbprint(crypto.x, crypto.y)

    payload = {
        'jti': util.make_nonce(),
        'iss': 'brkt-cli-' + brkt_cli.VERSION,
        'iat': int(time.time())
    }
    if claims:
        payload.update(claims)

    if exp:
        payload['exp'] = _datetime_to_timestamp(exp)
    if nbf:
        payload['nbf'] = _datetime_to_timestamp(nbf)
    if customer:
        payload['customer'] = customer

    return jwt.encode(payload,
                      crypto.private_key,
                      algorithm='ES384',
                      headers={'kid': kid})
示例#2
0
def make_jwt(crypto, exp=None, nbf=None, claims=None, customer=None):
    """ Generate a JWT.

    :param crypto a brkt_cli.crypto.Crypto object
    :param exp expiration time as a datetime
    :param nbf not before as a datetime
    :param claims a dictionary of claims
    :param customer customer UUID as a string
    :return the JWT as a string
    """

    kid = jwk.get_thumbprint(crypto.x, crypto.y)

    payload = {
        'jti': util.make_nonce(),
        'iss': 'brkt-cli-' + brkt_cli.VERSION,
        'iat': int(time.time())
    }
    if claims:
        payload.update(claims)

    if exp:
        payload['exp'] = _datetime_to_timestamp(exp)
    if nbf:
        payload['nbf'] = _datetime_to_timestamp(nbf)
    if customer:
        payload['customer'] = customer

    return jwt.encode(
        payload, crypto.private_key, algorithm='ES384', headers={'kid': kid})
示例#3
0
文件: __init__.py 项目: brkt/brkt-cli 
def make_jwt(crypto, exp=None, nbf=None, claims=None, customer=None):
    """ Generate a JWT.

    :param crypto a brkt_cli.crypto.Crypto object
    :param exp expiration time as a datetime
    :param nbf not before as a datetime
    :param claims a dictionary of claims
    :param customer customer UUID as a string
    :return the JWT as a string
    """

    kid = jwk.get_thumbprint(crypto.x, crypto.y)

    payload = {"jti": util.make_nonce(), "iss": "brkt-cli-" + brkt_cli.VERSION, "iat": int(time.time())}
    if claims:
        payload.update(claims)

    if exp:
        payload["exp"] = _datetime_to_timestamp(exp)
    if nbf:
        payload["nbf"] = _datetime_to_timestamp(nbf)
    if customer:
        payload["customer"] = customer

    return jwt.encode(payload, crypto.private_key, algorithm="ES384", headers={"kid": kid})
示例#4
0
def command_encrypt_ami(values, log):
    session_id = util.make_nonce()
    encryptor_ami = (
        values.encryptor_ami or
        encrypt_ami.get_encryptor_ami(values.region)
    )
    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)

    aws_svc = aws_service.AWSService(
        session_id, default_tags=default_tags)
    _connect_and_validate(aws_svc, values, encryptor_ami)

    log.info('Starting encryptor session %s', aws_svc.session_id)

    encrypted_image_id = encrypt_ami.encrypt(
        aws_svc=aws_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.ami,
        encryptor_ami=encryptor_ami,
        encrypted_ami_name=values.encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        brkt_env=values.brkt_env
    )
    # Print the AMI ID to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#5
0
def command_encrypt_ami(values):
    session_id = util.make_nonce()

    aws_svc = aws_service.AWSService(
        session_id,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
    log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
              aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (brkt_cli.brkt_env_from_values(values)
                or brkt_cli.get_prod_brkt_env())

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)

    if values.validate:
        guest_image = _validate_guest_ami(aws_svc, values.ami)
    else:
        guest_image = aws_svc.get_image(values.ami)

    pv = _use_pv_metavisor(values, guest_image)
    encryptor_ami = (values.encryptor_ami
                     or _get_encryptor_ami(values.region, pv=pv))

    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate(aws_svc, values, encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)

    encrypted_image_id = encrypt_ami.encrypt(
        aws_svc=aws_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=guest_image.id,
        encryptor_ami=encryptor_ami,
        encrypted_ami_name=values.encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        instance_config=make_instance_config(values, brkt_env),
        status_port=values.status_port,
        save_encryptor_logs=values.save_encryptor_logs)
    # Print the AMI ID to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#6
0
def command_diag(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    if values.snapshot_id and values.instance_id:
        raise ValidationError("Only one of --instance-id or --snapshot-id "
                              "may be specified")

    if not values.snapshot_id and not values.instance_id:
        raise ValidationError("--instance-id or --snapshot-id "
                              "must be specified")

    if values.validate:
        # Validate the region before connecting.
        region_names = [r.name for r in aws_svc.get_regions()]
        if values.region not in region_names:
            raise ValidationError(
                'Invalid region %s.  Supported regions: %s.' %
                (values.region, ', '.join(region_names)))

    aws_svc.connect(values.region, key_name=values.key_name)
    default_tags = {}
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        if values.key_name:
            aws_svc.get_key_pair(values.key_name)
        if values.instance_id:
            _validate_log_instance(
                aws_svc, values.instance_id)
        _validate_subnet_and_security_groups(
            aws_svc, values.subnet_id, values.security_group_ids)
    else:
        log.info('Skipping validation.')

    diag.diag(
        aws_svc,
        instance_id=values.instance_id,
        snapshot_id=values.snapshot_id,
        ssh_keypair=values.key_name
    )
    return 0
示例#7
0
def command_update_encrypted_ami(values, log):
    nonce = util.make_nonce()
    default_tags = encrypt_ami.get_default_tags(nonce, '')
    aws_svc = aws_service.AWSService(
        nonce, default_tags=default_tags)
    encryptor_ami = (
        values.encryptor_ami or
        encrypt_ami.get_encryptor_ami(values.region)
    )
    _connect_and_validate(aws_svc, values, encryptor_ami)

    encrypted_ami = values.ami
    if values.validate:
        guest_ami_error = aws_svc.validate_guest_encrypted_ami(encrypted_ami)
        if guest_ami_error:
            raise ValidationError(
                'Encrypted AMI verification failed: %s' % guest_ami_error)
    else:
        log.info('skipping AMI verification')
    guest_image = aws_svc.get_image(encrypted_ami)
    mv_image = aws_svc.get_image(encryptor_ami)
    if (guest_image.virtualization_type !=
        mv_image.virtualization_type):
        log.error("Encryptor virtualization_type mismatch")
        return 1
    encrypted_ami_name = values.encrypted_ami_name
    if not encrypted_ami_name:
        # Replace nonce in AMI name
        name = guest_image.name
        m = re.match('(.+) \(encrypted (\S+)\)', name)
        if m:
            encrypted_ami_name = m.group(1) + ' (encrypted %s)' % (nonce,)
        else:
            encrypted_ami_name = name + ' (encrypted %s)' % (nonce,)
        filters = {'name': encrypted_ami_name}
        if aws_svc.get_images(filters=filters):
            raise ValidationError(
                    'There is already an image named %s' %
                     encrypted_ami_name
            )
    # Initial validation done
    log.info('Updating %s with new metavisor %s', encrypted_ami, encryptor_ami)

    updated_ami_id = update_ami(
        aws_svc, encrypted_ami, encryptor_ami, encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids)
    print(updated_ami_id)
    return 0
示例#8
0
def get_image_name(encrypted_image_name, name):
    if encrypted_image_name:
        return encrypted_image_name

    nonce = make_nonce()
    # Replace nonce in image name
    m = re.match('(.+)\-encrypted\-', name)
    if m:
        encrypted_image_name = append_suffix(m.group(1),
                                             '-encrypted-%s' % (nonce, ),
                                             GCE_NAME_MAX_LENGTH)
    else:
        encrypted_image_name = append_suffix(name, '-encrypted-%s' % (nonce, ),
                                             GCE_NAME_MAX_LENGTH)
    return encrypted_image_name
示例#9
0
def command_diag(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
    log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
              aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    if values.snapshot_id and values.instance_id:
        raise ValidationError("Only one of --instance-id or --snapshot-id "
                              "may be specified")

    if not values.snapshot_id and not values.instance_id:
        raise ValidationError("--instance-id or --snapshot-id "
                              "must be specified")

    if values.validate:
        # Validate the region before connecting.
        region_names = [r.name for r in aws_svc.get_regions()]
        if values.region not in region_names:
            raise ValidationError(
                'Invalid region %s.  Supported regions: %s.' %
                (values.region, ', '.join(region_names)))

    aws_svc.connect(values.region, key_name=values.key_name)
    default_tags = {}
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        if values.key_name:
            aws_svc.get_key_pair(values.key_name)
        if values.instance_id:
            _validate_log_instance(aws_svc, values.instance_id)
        _validate_subnet_and_security_groups(aws_svc, values.subnet_id,
                                             values.security_group_ids)
    else:
        log.info('Skipping validation.')

    diag.diag(aws_svc,
              instance_id=values.instance_id,
              snapshot_id=values.snapshot_id,
              ssh_keypair=values.key_name)
    return 0
示例#10
0
def get_image_name(encrypted_image_name, name):
    if encrypted_image_name:
        return encrypted_image_name

    nonce = make_nonce()
    # Replace nonce in image name
    m = re.match('(.+)\-encrypted\-', name)
    if m:
        encrypted_image_name = append_suffix(
                m.group(1),
                '-encrypted-%s' % (nonce,),
                GCE_NAME_MAX_LENGTH)
    else:
        encrypted_image_name = append_suffix(
                name,
                '-encrypted-%s' % (nonce,),
                GCE_NAME_MAX_LENGTH)
    return encrypted_image_name
示例#11
0
def command_share_logs(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    if values.snapshot_id and values.instance_id:
        raise ValidationError("Only one of --instance-id or --snapshot-id "
                              "may be specified")

    if not values.snapshot_id and not values.instance_id:
        raise ValidationError("--instance-id or --snapshot-id "
                              "must be specified")

    if values.validate:
        # Validate the region before connecting.
        region_names = [r.name for r in aws_svc.get_regions()]
        if values.region not in region_names:
            raise ValidationError(
                'Invalid region %s.  Supported regions: %s.' %
                (values.region, ', '.join(region_names)))

    aws_svc.connect(values.region)

    if values.validate:
        _validate_log_instance(
            aws_svc, values.instance_id)
    else:
        log.info('Skipping instance validation.')

    share_logs.share(
        aws_svc,
        instance_id=values.instance_id,
        snapshot_id=values.snapshot_id,
        bracket_aws_account=values.bracket_aws_account
    )
    return 0
示例#12
0
def command_encrypt_gce_image(values, log):
    session_id = util.make_nonce()
    gce_svc = gce_service.GCEService(values.project, session_id, log)
    check_args(values, gce_svc)

    encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)
    gce_service.validate_image_name(encrypted_image_name)
    gce_service.validate_images(gce_svc,
                                encrypted_image_name,
                                values.encryptor_image,
                                values.image,
                                values.image_project)
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    log.info('Starting encryptor session %s', gce_svc.get_session_id())

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    encrypted_image_id = encrypt_gce_image.encrypt(
        gce_svc=gce_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.image,
        encryptor_image=values.encryptor_image,
        encrypted_image_name=encrypted_image_name,
        zone=values.zone,
        instance_config=make_instance_config(
            values, brkt_env,mode=INSTANCE_CREATOR_MODE),
        image_project=values.image_project,
        keep_encryptor=values.keep_encryptor,
        image_file=values.image_file,
        image_bucket=values.bucket,
        network=values.network,
        status_port=values.status_port
    )
    # Print the image name to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#13
0
def command_update_encrypted_gce_image(values, log):
    session_id = util.make_nonce()
    gce_svc = gce_service.GCEService(values.project, session_id, log)
    check_args(values, gce_svc)

    encrypted_image_name = gce_service.get_image_name(values.encrypted_image_name, values.image)

    gce_service.validate_image_name(encrypted_image_name)
    gce_service.validate_images(gce_svc,
                                encrypted_image_name,
                                values.encryptor_image,
                                values.image,
                                values.image_project)
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    log.info('Starting updater session %s', gce_svc.get_session_id())

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    updated_image_id = update_gce_image.update_gce_image(
        gce_svc=gce_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.image,
        encryptor_image=values.encryptor_image,
        encrypted_image_name=encrypted_image_name,
        zone=values.zone,
        instance_config=make_instance_config(
            values, brkt_env,mode=INSTANCE_UPDATER_MODE),
        keep_encryptor=values.keep_encryptor,
        image_file=values.image_file,
        image_bucket=values.bucket,
        network=values.network,
        status_port=values.status_port
    )

    print(updated_image_id)
    return 0
示例#14
0
def create_encryptor_security_group(svc):
    sg_name = NAME_ENCRYPTOR_SECURITY_GROUP % {'nonce': make_nonce()}
    sg_desc = DESCRIPTION_ENCRYPTOR_SECURITY_GROUP
    sg_id = svc.create_security_group(sg_name, sg_desc)
    log.info('Created temporary security group with id %s', sg_id)
    try:
        svc.add_security_group_rule(sg_id, ip_protocol='tcp',
                                    from_port=service.ENCRYPTOR_STATUS_PORT,
                                    to_port=service.ENCRYPTOR_STATUS_PORT,
                                    cidr_ip='0.0.0.0/0')
    except Exception as e:
        log.error('Failed adding security group rule to %s: %s', sg_id, e)
        try:
            log.info('Cleaning up temporary security group %s', sg_id)
            svc.delete_security_group(sg_id)
        except Exception as e2:
            log.warn('Failed deleting temporary security group: %s', e2)
        raise e

    svc.create_tags(sg_id)
    return sg_id
示例#15
0
def command_encrypt_gce_image(values, log):
    session_id = util.make_nonce()
    gce_svc = gce_service.GCEService(values.project, session_id, log)
    check_args(values, gce_svc)

    encrypted_image_name = gce_service.get_image_name(
        values.encrypted_image_name, values.image)
    gce_service.validate_image_name(encrypted_image_name)
    gce_service.validate_images(gce_svc, encrypted_image_name,
                                values.encryptor_image, values.image,
                                values.image_project)
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    log.info('Starting encryptor session %s', gce_svc.get_session_id())

    brkt_env = (brkt_cli.brkt_env_from_values(values)
                or brkt_cli.get_prod_brkt_env())

    encrypted_image_id = encrypt_gce_image.encrypt(
        gce_svc=gce_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.image,
        encryptor_image=values.encryptor_image,
        encrypted_image_name=encrypted_image_name,
        zone=values.zone,
        instance_config=make_instance_config(values,
                                             brkt_env,
                                             mode=INSTANCE_CREATOR_MODE),
        image_project=values.image_project,
        keep_encryptor=values.keep_encryptor,
        image_file=values.image_file,
        image_bucket=values.bucket,
        network=values.network,
        status_port=values.status_port)
    # Print the image name to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#16
0
def create_diag_security_group(aws_svc, vpc_id=None):
    sg_name = NAME_DIAG_SECURITY_GROUP % {'nonce': make_nonce()}
    sg_desc = DESCRIPTION_DIAG_SECURITY_GROUP
    sg = aws_svc.create_security_group(sg_name, sg_desc, vpc_id=vpc_id)
    log.info('Created temporary security group with id %s', sg.id)
    try:
        aws_svc.add_security_group_rule(sg.id,
                                        ip_protocol='tcp',
                                        from_port=22,
                                        to_port=22,
                                        cidr_ip='0.0.0.0/0')
    except Exception as e:
        log.error('Failed adding security group rule to %s: %s', sg.id, e)
        try:
            log.info('Cleaning up temporary security group %s', sg.id)
            aws_svc.delete_security_group(sg.id)
        except Exception as e2:
            log.warn('Failed deleting temporary security group: %s', e2)
        raise
    if aws_svc.default_tags:
        aws_svc.create_tags(sg.id)
    return sg
示例#17
0
def create_diag_security_group(aws_svc, vpc_id=None):
    sg_name = NAME_DIAG_SECURITY_GROUP % {'nonce': make_nonce()}
    sg_desc = DESCRIPTION_DIAG_SECURITY_GROUP
    sg = aws_svc.create_security_group(sg_name, sg_desc, vpc_id=vpc_id)
    log.info('Created temporary security group with id %s', sg.id)
    try:
        aws_svc.add_security_group_rule(
            sg.id, ip_protocol='tcp',
            from_port=22,
            to_port=22,
            cidr_ip='0.0.0.0/0')
    except Exception as e:
        log.error('Failed adding security group rule to %s: %s', sg.id, e)
        try:
            log.info('Cleaning up temporary security group %s', sg.id)
            aws_svc.delete_security_group(sg.id)
        except Exception as e2:
            log.warn('Failed deleting temporary security group: %s', e2)
        raise
    if aws_svc.default_tags:
        aws_svc.create_tags(sg.id)
    return sg
示例#18
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_update(values, config):
    session_id = util.make_nonce()
    gce_svc = gce_service.GCEService(values.project, session_id, log)
    check_args(values, gce_svc, config)

    encrypted_image_name = gce_service.get_image_name(
        values.encrypted_image_name, values.image)
    gce_service.validate_image_name(encrypted_image_name)
    if values.validate:
        gce_service.validate_images(gce_svc,
                                    encrypted_image_name,
                                    values.encryptor_image,
                                    values.image)
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    log.info('Starting updater session %s', gce_svc.get_session_id())

    updated_image_id = update_gce_image.update_gce_image(
        gce_svc=gce_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.image,
        encryptor_image=values.encryptor_image,
        encrypted_image_name=encrypted_image_name,
        zone=values.zone,
        instance_config=instance_config_from_values(
            values, mode=INSTANCE_UPDATER_MODE,
            cli_config=config),
        keep_encryptor=values.keep_encryptor,
        image_file=values.image_file,
        image_bucket=values.bucket,
        network=values.network,
        subnetwork=values.subnetwork,
        status_port=values.status_port,
        cleanup=values.cleanup
    )

    print(updated_image_id)
    return 0
示例#19
0
def command_share_logs(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
    log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
              aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    if values.snapshot_id and values.instance_id:
        raise ValidationError("Only one of --instance-id or --snapshot-id "
                              "may be specified")

    if not values.snapshot_id and not values.instance_id:
        raise ValidationError("--instance-id or --snapshot-id "
                              "must be specified")

    if values.validate:
        # Validate the region before connecting.
        region_names = [r.name for r in aws_svc.get_regions()]
        if values.region not in region_names:
            raise ValidationError(
                'Invalid region %s.  Supported regions: %s.' %
                (values.region, ', '.join(region_names)))

    aws_svc.connect(values.region)

    if values.validate:
        _validate_log_instance(aws_svc, values.instance_id)
    else:
        log.info('Skipping instance validation.')

    share_logs.share(aws_svc,
                     instance_id=values.instance_id,
                     snapshot_id=values.snapshot_id,
                     bracket_aws_account=values.bracket_aws_account)
    return 0
示例#20
0
def command_update_encrypted_gce_image(values, log):
    session_id = util.make_nonce()
    gce_svc = gce_service.GCEService(values.project, session_id, log)
    check_args(values, gce_svc)

    encrypted_image_name = gce_service.get_image_name(
        values.encrypted_image_name, values.image)

    gce_service.validate_image_name(encrypted_image_name)
    gce_service.validate_images(gce_svc, encrypted_image_name,
                                values.encryptor_image, values.image,
                                values.image_project)
    if not values.verbose:
        logging.getLogger('googleapiclient').setLevel(logging.ERROR)

    log.info('Starting updater session %s', gce_svc.get_session_id())

    brkt_env = (brkt_cli.brkt_env_from_values(values)
                or brkt_cli.get_prod_brkt_env())

    updated_image_id = update_gce_image.update_gce_image(
        gce_svc=gce_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=values.image,
        encryptor_image=values.encryptor_image,
        encrypted_image_name=encrypted_image_name,
        zone=values.zone,
        instance_config=make_instance_config(values,
                                             brkt_env,
                                             mode=INSTANCE_UPDATER_MODE),
        keep_encryptor=values.keep_encryptor,
        image_file=values.image_file,
        image_bucket=values.bucket,
        network=values.network,
        status_port=values.status_port)

    print(updated_image_id)
    return 0
示例#21
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_rescue_metavisor(values, parsed_config, log):
    session_id = util.make_nonce()
    if values.protocol != 'http':
        raise ValidationError("Unsupported rescue protocol %s",
                              values.protocol)
    _check_env_vars_set('VCENTER_USER_NAME')
    vcenter_password = _get_vcenter_password(False)
    # Connect to vCenter
    try:
        vc_swc = esx_service.initialize_vcenter(
            host=values.vcenter_host,
            user=os.getenv('VCENTER_USER_NAME'),
            password=vcenter_password,
            port=values.vcenter_port,
            datacenter_name=values.vcenter_datacenter,
            datastore_name=values.vcenter_datastore,
            esx_host=False,
            cluster_name=values.vcenter_cluster,
            no_of_cpus=None,
            memory_gb=None,
            session_id=session_id,
            network_name=None,
            nic_type=None,
            verify=values.validate,
        )
    except Exception as e:
        raise ValidationError("Failed to connect to vCenter ", e)
    try:
        user_data_str = vc_swc.create_userdata_str(None,
            rescue_proto=values.protocol,
            rescue_url=values.url)
        rescue_metavisor.rescue_metavisor_vcenter(
            vc_swc, user_data_str, values.vm_name
        )
        return 0
    except Exception as e:
        log.exception("Failed to put Metavisor in rescue mode %s", e)
        return 1
示例#22
0
def command_update_encrypted_ami(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds)
    log.debug('Retry timeout=%.02f, initial sleep seconds=%.02f',
              aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (brkt_cli.brkt_env_from_values(values)
                or brkt_cli.get_prod_brkt_env())

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)
    encrypted_image = _validate_ami(aws_svc, values.ami)
    pv = _use_pv_metavisor(values, encrypted_image)
    encryptor_ami = (values.encryptor_ami
                     or _get_encryptor_ami(values.region, pv=pv))

    default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
                                      encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)
        _validate(aws_svc, values, encryptor_ami)
        _validate_guest_encrypted_ami(aws_svc, encrypted_image.id,
                                      encryptor_ami)
    else:
        log.info('Skipping AMI validation.')

    mv_image = aws_svc.get_image(encryptor_ami)
    if (encrypted_image.virtualization_type != mv_image.virtualization_type):
        log.error(
            'Virtualization type mismatch.  %s is %s, but encryptor %s is '
            '%s.', encrypted_image.id, encrypted_image.virtualization_type,
            mv_image.id, mv_image.virtualization_type)
        return 1

    encrypted_ami_name = values.encrypted_ami_name
    if encrypted_ami_name:
        # Check for name collision.
        filters = {'name': encrypted_ami_name}
        if aws_svc.get_images(filters=filters, owners=['self']):
            raise ValidationError('You already own image named %s' %
                                  encrypted_ami_name)
    else:
        encrypted_ami_name = _get_updated_image_name(encrypted_image.name,
                                                     nonce)
    log.debug('Image name: %s', encrypted_ami_name)
    aws_service.validate_image_name(encrypted_ami_name)

    # Initial validation done
    log.info('Updating %s with new metavisor %s', encrypted_image.id,
             encryptor_ami)

    updated_ami_id = update_ami(
        aws_svc,
        encrypted_image.id,
        encryptor_ami,
        encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        updater_instance_type=values.updater_instance_type,
        instance_config=make_instance_config(values, brkt_env),
        status_port=values.status_port,
    )
    print(updated_ami_id)
    return 0
示例#23
0
def command_update_encrypted_ami(values, log):
    encrypted_ami_name = None
    if values.encrypted_ami_name:
        try:
            aws_service.validate_image_name(values.encrypted_ami_name)
            encrypted_ami_name = values.encrypted_ami_name
        except aws_service.ImageNameError as e:
            print(e.message, file=sys.stderr)
            return 1
    region = values.region
    nonce = util.make_nonce()
    default_tags = encrypt_ami.get_default_tags(nonce, '')
    aws_svc = aws_service.AWSService(
        nonce, default_tags=default_tags)
    if not aws_svc.validate_region(region):
        print ('Invalid region %s' % region,
               file=sys.stderr)
        return 1
    aws_svc.connect(region)
    encrypted_ami = values.ami
    if not values.no_validate_ami:
        guest_ami_error = aws_svc.validate_guest_encrypted_ami(encrypted_ami)
        if guest_ami_error:
            print ('Encrypted AMI verification failed: %s' % guest_ami_error,
                   file=sys.stderr)
            return 1
    else:
        log.info('skipping AMI verification')
    updater_ami = values.updater_ami
    updater_ami_error = aws_svc.validate_encryptor_ami(values.updater_ami)
    if updater_ami_error:
        log.error('Update failed: %s', updater_ami_error)
        return 1
    # Initial validation done
    log.info('Updating %s', encrypted_ami)
    # snapshot the guest's volume
    guest_snapshot, volume_info, error = \
        update_encrypted_ami.retrieve_guest_volume_snapshot(
            aws_svc,
            encrypted_ami)
    if not guest_snapshot:
        log.error('failed to launch instance %s: %s' % (encrypted_ami, error))
        return 1
    log.info('Launching metavisor update encryptor instance')
    updater_ami_block_devices = \
        update_encrypted_ami.snapshot_updater_ami_block_devices(
            aws_svc,
            encrypted_ami,
            updater_ami,
            guest_snapshot.id,
            volume_info['size'])
    ami = encrypt_ami.register_new_ami(
        aws_svc,
        updater_ami_block_devices[encrypt_ami.NAME_METAVISOR_GRUB_SNAPSHOT],
        updater_ami_block_devices[encrypt_ami.NAME_METAVISOR_ROOT_SNAPSHOT],
        updater_ami_block_devices[encrypt_ami.NAME_METAVISOR_LOG_SNAPSHOT],
        guest_snapshot,
        volume_info['type'],
        volume_info['iops'],
        encrypted_ami,
        encrypted_ami_name=encrypted_ami_name)
    log.info('Done.')
    print(ami)
    return 0
示例#24
0
def command_encrypt_ami(values):
    session_id = util.make_nonce()

    aws_svc = aws_service.AWSService(
        session_id,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)

    if values.validate:
        guest_image = _validate_guest_ami(aws_svc, values.ami)
    else:
        guest_image = aws_svc.get_image(values.ami)

    pv = _use_pv_metavisor(values, guest_image)
    encryptor_ami = (
        values.encryptor_ami or
        _get_encryptor_ami(values.region, pv=pv)
    )

    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate(aws_svc, values, encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)

    encrypted_image_id = encrypt_ami.encrypt(
        aws_svc=aws_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=guest_image.id,
        encryptor_ami=encryptor_ami,
        encrypted_ami_name=values.encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        instance_config=make_instance_config(values, brkt_env),
        status_port=values.status_port,
        save_encryptor_logs=values.save_encryptor_logs
    )
    # Print the AMI ID to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#25
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_update(values, config, verbose=False):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)
    encrypted_image = _validate_ami(aws_svc, values.ami)
    encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
    default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate_guest_encrypted_ami(
            aws_svc, encrypted_image.id, encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)
        _validate(aws_svc, values, encryptor_ami)
        _validate_guest_encrypted_ami(
            aws_svc, encrypted_image.id, encryptor_ami)
    else:
        log.info('Skipping AMI validation.')

    mv_image = aws_svc.get_image(encryptor_ami)
    if (encrypted_image.virtualization_type != mv_image.virtualization_type):
        log.error(
            'Virtualization type mismatch.  %s is %s, but encryptor %s is '
            '%s.',
            encrypted_image.id,
            encrypted_image.virtualization_type,
            mv_image.id,
            mv_image.virtualization_type
        )
        return 1

    encrypted_ami_name = values.encrypted_ami_name
    if encrypted_ami_name:
        # Check for name collision.
        filters = {'name': encrypted_ami_name}
        if aws_svc.get_images(filters=filters, owners=['self']):
            raise ValidationError(
                'You already own image named %s' % encrypted_ami_name)
    else:
        encrypted_ami_name = _get_updated_image_name(
            encrypted_image.name, nonce)
        log.debug('Image name: %s', encrypted_ami_name)
        aws_service.validate_image_name(encrypted_ami_name)

    # Initial validation done
    log.info(
        'Updating %s with new metavisor %s',
        encrypted_image.id, encryptor_ami
    )

    instance_config = instance_config_from_values(
        values, mode=INSTANCE_UPDATER_MODE, cli_config=config)
    if verbose:
        with tempfile.NamedTemporaryFile(
            prefix='user-data-',
            delete=False
        ) as f:
            log.debug('Writing instance user data to %s', f.name)
            f.write(instance_config.make_userdata())

    updated_ami_id = update_ami(
        aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        updater_instance_type=values.updater_instance_type,
        instance_config=instance_config,
        status_port=values.status_port,
    )
    print(updated_ami_id)
    return 0
示例#26
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_encrypt(values, config, verbose=False):
    session_id = util.make_nonce()

    aws_svc = aws_service.AWSService(
        session_id,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)

    if values.validate:
        guest_image = _validate_guest_ami(aws_svc, values.ami)
    else:
        guest_image = aws_svc.get_image(values.ami)

    encryptor_ami = values.encryptor_ami or _get_encryptor_ami(values.region)
    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate(aws_svc, values, encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)

    instance_config = instance_config_from_values(
        values, mode=INSTANCE_CREATOR_MODE, cli_config=config)
    if verbose:
        with tempfile.NamedTemporaryFile(
            prefix='user-data-',
            delete=False
        ) as f:
            log.debug('Writing instance user data to %s', f.name)
            f.write(instance_config.make_userdata())

    encrypted_image_id = encrypt_ami.encrypt(
        aws_svc=aws_svc,
        enc_svc_cls=encryptor_service.EncryptorService,
        image_id=guest_image.id,
        encryptor_ami=encryptor_ami,
        encrypted_ami_name=values.encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        instance_config=instance_config,
        status_port=values.status_port,
        save_encryptor_logs=values.save_encryptor_logs,
        terminate_encryptor_on_failure=(
            values.terminate_encryptor_on_failure)
    )
    # Print the AMI ID to stdout, in case the caller wants to process
    # the output.  Log messages go to stderr.
    print(encrypted_image_id)
    return 0
示例#27
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_encrypt(values, parsed_config, log, use_esx=False):
    session_id = util.make_nonce()
    if values.create_ovf or values.create_ova:
        # verify we have a valid output directory
        if values.target_path is None:
            raise ValidationError("Missing directory path to store "
                                  "final OVF/OVA images")
        if not os.path.exists(values.target_path):
            raise ValidationError("Target path %s not present",
                                  values.target_path)
        if values.create_ova:
            # verify ovftool is present
            try:
                cmd = [values.ovftool_path, '-v']
                subprocess.check_call(cmd)
            except:
                raise ValidationError("OVFtool not present. "
                                      "Cannot create OVA")
    else:
        if use_esx is False and values.template_vm_name is None:
            raise ValidationError("Missing template-vm-name for the "
                                  "template VM")
    if (values.source_image_path is not None and values.image_name is None):
        raise ValidationError("Specify the Metavisor OVF file.")
    if use_esx:
        _check_env_vars_set('ESX_USER_NAME')
    else:
        _check_env_vars_set('VCENTER_USER_NAME')
    vcenter_password = _get_vcenter_password(use_esx)
    brkt_cli.validate_ntp_servers(values.ntp_servers)
    brkt_env = brkt_cli.brkt_env_from_values(values)
    if brkt_env is None:
        _, brkt_env = parsed_config.get_current_env()
    if not values.token:
        raise ValidationError('Must provide a token')

    proxy = None
    if values.http_proxy:
        proxy = _parse_proxies(values.http_proxy)[0]

    # Download images from S3
    try:
        if (values.encryptor_vmdk is None and
            values.source_image_path is None):
            (ovf, file_list) = \
                esx_service.download_ovf_from_s3(
                    values.bucket_name,
                    image_name=values.image_name,
                    proxy=proxy
                )
            if ovf is None:
                raise ValidationError("Did not find MV OVF images")
    except Exception as e:
        raise ValidationError("Failed to download MV image from S3: ", e)
    # Connect to vCenter
    try:
        vc_swc = esx_service.initialize_vcenter(
            host=values.vcenter_host,
            user=os.getenv('ESX_USER_NAME') if use_esx else os.getenv('VCENTER_USER_NAME'),
            password=vcenter_password,
            port=values.vcenter_port,
            datacenter_name=None if use_esx else values.vcenter_datacenter,
            datastore_name=values.vcenter_datastore,
            esx_host=use_esx,
            cluster_name=None if use_esx else values.vcenter_cluster,
            no_of_cpus=values.no_of_cpus,
            memory_gb=values.memory_gb,
            session_id=session_id,
            network_name=values.network_name,
            nic_type=values.nic_type,
            verify=False if use_esx else values.validate,
        )
    except Exception as e:
        raise ValidationError("Failed to connect to vCenter: ", e)
    # Validate that template does not already exist
    if values.template_vm_name:
        if vc_swc.find_vm(values.template_vm_name):
            raise ValidationError("VM with the same name as requested "
                                  "template VM name %s already exists" %
                                  values.template_vm_name)
    # Set tear-down
    vc_swc.set_teardown(values.no_teardown)
    # Set the disk-type
    if values.disk_type == "thin":
        vc_swc.set_thin_disk(True)
        vc_swc.set_eager_scrub(False)
    elif values.disk_type == "thick-lazy-zeroed":
        vc_swc.set_thin_disk(False)
        vc_swc.set_eager_scrub(False)
    elif values.disk_type == "thick-eager-zeroed":
        vc_swc.set_thin_disk(False)
        vc_swc.set_eager_scrub(True)
    else:
        raise ValidationError("Disk Type %s not correct. Can only be "
                              "thin, thick-lazy-zeroed or "
                              "thick-eager-zeroed" % (values.disk_type,))

    try:
        instance_config = instance_config_from_values(
            values, mode=INSTANCE_CREATOR_MODE, cli_config=parsed_config)
        user_data_str = vc_swc.create_userdata_str(instance_config,
            update=False, ssh_key_file=values.ssh_public_key_file)
        if (values.encryptor_vmdk is not None):
            # Create from MV VMDK
            encrypt_vmdk.encrypt_from_vmdk(
                vc_swc, encryptor_service.EncryptorService,
                values.vmdk, vm_name=values.template_vm_name,
                create_ovf=values.create_ovf,
                create_ova=values.create_ova,
                target_path=values.target_path,
                image_name=values.encrypted_ovf_name,
                ovftool_path=values.ovftool_path,
                metavisor_vmdk=values.encryptor_vmdk,
                user_data_str=user_data_str,
                serial_port_file_name=values.serial_port_file_name,
                status_port=values.status_port,
            )
        elif (values.source_image_path is not None):
            # Create from MV OVF in local directory
            encrypt_vmdk.encrypt_from_local_ovf(
                vc_swc, encryptor_service.EncryptorService,
                values.vmdk, vm_name=values.template_vm_name,
                create_ovf=values.create_ovf,
                create_ova=values.create_ova,
                target_path=values.target_path,
                image_name=values.encrypted_ovf_name,
                ovftool_path=values.ovftool_path,
                source_image_path=values.source_image_path,
                ovf_image_name=values.image_name,
                user_data_str=user_data_str,
                serial_port_file_name=values.serial_port_file_name,
                status_port=values.status_port,
            )
        else:
            # Create from MV OVF in S3
            encrypt_vmdk.encrypt_from_s3(
                vc_swc, encryptor_service.EncryptorService,
                values.vmdk, vm_name=values.template_vm_name,
                create_ovf=values.create_ovf,
                create_ova=values.create_ova,
                target_path=values.target_path,
                image_name=values.encrypted_ovf_name,
                ovftool_path=values.ovftool_path,
                ovf_name=ovf,
                download_file_list=file_list,
                user_data_str=user_data_str,
                serial_port_file_name=values.serial_port_file_name,
                status_port=values.status_port,
            )
        return 0
    except Exception as e:
        log.error("Failed to encrypt the guest VMDK: %s", e)
        return 1
示例#28
0
文件: __init__.py 项目: brkt/brkt-cli 
def run_update(values, parsed_config, log, use_esx=False):
    session_id = util.make_nonce()
    encrypted_ovf_name = None
    encrypted_ova_name = None
    if values.create_ovf or values.create_ova:
        # verify we have a valid input directory
        if values.target_path is None:
            raise ValidationError("Missing directory path to fetch "
                                  "encrypted OVF/OVA images from")
        if not os.path.exists(values.target_path):
            raise ValidationError("Target path %s not present",
                                  values.target_path)
        if values.create_ovf:
            name = os.path.join(values.target_path,
                                values.encrypted_ovf_name + ".ovf")
            if (os.path.exists(name) is False):
                raise ValidationError("Encrypted OVF image not found at "
                                      "%s", name)
            encrypted_ovf_name = values.encrypted_ovf_name
        else:
            encrypted_ova_name = values.encrypted_ovf_name
            name = os.path.join(values.target_path,
                                values.encrypted_ovf_name + ".ova")
            if (os.path.exists(name) is False):
                raise ValidationError("Encrypted OVA image not found at "
                                      "%s", name)
            # verify ovftool is present
            try:
                cmd = [values.ovftool_path, '-v']
                subprocess.check_call(cmd)
            except:
                raise ValidationError("OVFtool not present. "
                                      "Cannot process OVA")
    else:
        if use_esx:
            raise ValidationError("Cannot use template VMs for "
                                  "updation on a single ESX host")
        if (values.template_vm_name is None):
            raise ValidationError("Encrypted image not provided")
    if (values.source_image_path is not None and values.image_name is None):
        raise ValidationError("Specify the Metavisor OVF file.")
    if use_esx:
        _check_env_vars_set('ESX_USER_NAME')
    else:
        _check_env_vars_set('VCENTER_USER_NAME')
    vcenter_password = _get_vcenter_password(use_esx)
    brkt_cli.validate_ntp_servers(values.ntp_servers)
    brkt_env = brkt_cli.brkt_env_from_values(values)
    if brkt_env is None:
        _, brkt_env = parsed_config.get_current_env()
    if not values.token:
        raise ValidationError('Must provide a token')

    proxy = None
    if values.http_proxy:
        proxy = _parse_proxies(values.http_proxy)[0]
    # Download images from S3
    try:
        if (values.encryptor_vmdk is None and
            values.source_image_path is None):
            (ovf_name, download_file_list) = \
                esx_service.download_ovf_from_s3(
                    values.bucket_name,
                    image_name=values.image_name,
                    proxy=proxy
                )
            if ovf_name is None:
                raise ValidationError("Did not find MV OVF images")
    except Exception as e:
        raise ValidationError("Failed to download MV image from S3: ", e)
    # Connect to vCenter
    try:
        vc_swc = esx_service.initialize_vcenter(
            host=values.vcenter_host,
            user=os.getenv('ESX_USER_NAME') if use_esx else os.getenv('VCENTER_USER_NAME'),
            password=vcenter_password,
            port=values.vcenter_port,
            datacenter_name=None if use_esx else values.vcenter_datacenter,
            datastore_name=values.vcenter_datastore,
            esx_host=use_esx,
            cluster_name=None if use_esx else values.vcenter_cluster,
            no_of_cpus=values.no_of_cpus,
            memory_gb=values.memory_gb,
            session_id=session_id,
            network_name=values.network_name,
            nic_type=values.nic_type,
            verify=False if use_esx else values.validate,
        )
    except Exception as e:
        raise ValidationError("Failed to connect to vCenter: ", e)
    if values.template_vm_name:
        if vc_swc.find_vm(values.template_vm_name) is None:
            raise ValidationError("Template VM %s not found" %
                                  values.template_vm_name)
    try:
        instance_config = instance_config_from_values(
            values, mode=INSTANCE_UPDATER_MODE, cli_config=parsed_config)
        user_data_str = vc_swc.create_userdata_str(instance_config,
            update=True, ssh_key_file=values.ssh_public_key_file)
        if (values.encryptor_vmdk is not None):
            # Create from MV VMDK
            update_vmdk.update_from_vmdk(
                vc_swc, encryptor_service.EncryptorService,
                template_vm_name=values.template_vm_name,
                target_path=values.target_path,
                ovf_name=encrypted_ovf_name,
                ova_name=encrypted_ova_name,
                ovftool_path=values.ovftool_path,
                metavisor_vmdk=values.encryptor_vmdk,
                user_data_str=user_data_str,
                status_port=values.status_port,
            )
        elif (values.source_image_path is not None):
            # Create from MV OVF in local directory
            update_vmdk.update_from_local_ovf(
                vc_swc, encryptor_service.EncryptorService,
                template_vm_name=values.template_vm_name,
                target_path=values.target_path,
                ovf_name=encrypted_ovf_name,
                ova_name=encrypted_ova_name,
                ovftool_path=values.ovftool_path,
                source_image_path=values.source_image_path,
                ovf_image_name=values.image_name,
                user_data_str=user_data_str,
                status_port=values.status_port,
            )
        else:
            # Create from MV OVF in S3
            update_vmdk.update_from_s3(
                vc_swc, encryptor_service.EncryptorService,
                template_vm_name=values.template_vm_name,
                target_path=values.target_path,
                ovf_name=encrypted_ovf_name,
                ova_name=encrypted_ova_name,
                ovftool_path=values.ovftool_path,
                mv_ovf_name=ovf_name,
                download_file_list=download_file_list,
                user_data_str=user_data_str,
                status_port=values.status_port,
            )
        return 0
    except:
        log.error("Failed to update encrypted VMDK");
        return 1
示例#29
0
def get_encrypted_suffix():
    """ Return a suffix that will be appended to the encrypted image name.
    The suffix is in the format "(encrypted 787ace7a)".  The nonce portion of
    the suffix is necessary because Amazon requires image names to be unique.
    """
    return NAME_ENCRYPTED_IMAGE_SUFFIX % {'nonce': make_nonce()}
示例#30
0
def command_update_encrypted_ami(values):
    nonce = util.make_nonce()

    aws_svc = aws_service.AWSService(
        nonce,
        retry_timeout=values.retry_timeout,
        retry_initial_sleep_seconds=values.retry_initial_sleep_seconds
    )
    log.debug(
        'Retry timeout=%.02f, initial sleep seconds=%.02f',
        aws_svc.retry_timeout, aws_svc.retry_initial_sleep_seconds)

    brkt_env = (
        brkt_cli.brkt_env_from_values(values) or
        brkt_cli.get_prod_brkt_env()
    )

    if values.validate:
        # Validate the region before connecting.
        _validate_region(aws_svc, values.region)

        if values.token:
            brkt_cli.check_jwt_auth(brkt_env, values.token)

    aws_svc.connect(values.region, key_name=values.key_name)
    encrypted_image = _validate_ami(aws_svc, values.ami)
    pv = _use_pv_metavisor(values, encrypted_image)
    encryptor_ami = (
        values.encryptor_ami or
        _get_encryptor_ami(values.region, pv=pv)
    )

    default_tags = encrypt_ami.get_default_tags(nonce, encryptor_ami)
    default_tags.update(brkt_cli.parse_tags(values.tags))
    aws_svc.default_tags = default_tags

    if values.validate:
        _validate_guest_encrypted_ami(
            aws_svc, encrypted_image.id, encryptor_ami)
        brkt_cli.validate_ntp_servers(values.ntp_servers)
        _validate(aws_svc, values, encryptor_ami)
        _validate_guest_encrypted_ami(
            aws_svc, encrypted_image.id, encryptor_ami)
    else:
        log.info('Skipping AMI validation.')

    mv_image = aws_svc.get_image(encryptor_ami)
    if (encrypted_image.virtualization_type !=
            mv_image.virtualization_type):
        log.error(
            'Virtualization type mismatch.  %s is %s, but encryptor %s is '
            '%s.',
            encrypted_image.id,
            encrypted_image.virtualization_type,
            mv_image.id,
            mv_image.virtualization_type
        )
        return 1

    encrypted_ami_name = values.encrypted_ami_name
    if encrypted_ami_name:
        # Check for name collision.
        filters = {'name': encrypted_ami_name}
        if aws_svc.get_images(filters=filters, owners=['self']):
            raise ValidationError(
                'You already own image named %s' % encrypted_ami_name)
    else:
        encrypted_ami_name = _get_updated_image_name(
            encrypted_image.name, nonce)
    log.debug('Image name: %s', encrypted_ami_name)
    aws_service.validate_image_name(encrypted_ami_name)

    # Initial validation done
    log.info(
        'Updating %s with new metavisor %s',
        encrypted_image.id, encryptor_ami
    )

    updated_ami_id = update_ami(
        aws_svc, encrypted_image.id, encryptor_ami, encrypted_ami_name,
        subnet_id=values.subnet_id,
        security_group_ids=values.security_group_ids,
        guest_instance_type=values.guest_instance_type,
        updater_instance_type=values.updater_instance_type,
        instance_config=make_instance_config(values, brkt_env),
        status_port=values.status_port,
    )
    print(updated_ami_id)
    return 0
示例#31
0
def command_encrypt_ami(values, log):
    region = values.region

    # Initialize logging.  Log messages are written to stderr and are
    # prefixed with a compact timestamp, so that the user knows how long
    # each operation took.
    if values.verbose:
        log_level = logging.DEBUG
    else:
        # Boto logs auth errors and 401s at ERROR level by default.
        boto.log.setLevel(logging.FATAL)
        log_level = logging.INFO

    if values.encrypted_ami_name:
        try:
            aws_service.validate_image_name(values.encrypted_ami_name)
        except aws_service.ImageNameError as e:
            print(e.message, file=sys.stderr)
            return 1

    # Validate the region.
    regions = [str(r.name) for r in boto.vpc.regions()]
    if region not in regions:
        print(
            'Invalid region %s.  Must be one of %s.' %
            (region, str(regions)),
            file=sys.stderr
        )
        return 1

    encryptor_ami = values.encryptor_ami
    if not encryptor_ami:
        try:
            encryptor_ami = encrypt_ami.get_encryptor_ami(region)
        except:
            log.exception('Failed to get encryptor AMI.')
            return 1

    session_id = util.make_nonce()
    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)

    try:
        # Connect to AWS.
        aws_svc = aws_service.AWSService(
            session_id, default_tags=default_tags)
        aws_svc.connect(region, key_name=values.key_name)
    except NoAuthHandlerFound:
        msg = (
            'Unable to connect to AWS.  Are your AWS_ACCESS_KEY_ID and '
            'AWS_SECRET_ACCESS_KEY environment variables set?'
        )
        if values.verbose:
            log.exception(msg)
        else:
            log.error(msg)
        return 1

    try:
        if values.key_name:
            # Validate the key pair name.
            aws_svc.get_key_pair(values.key_name)

        if not values.no_validate_ami:
            error = aws_svc.validate_guest_ami(values.ami)
            if error:
                print(error, file=sys.stderr)
                return 1

            error = aws_svc.validate_encryptor_ami(encryptor_ami)
            if error:
                print(error, file=sys.stderr)
                return 1

        log.info('Starting encryptor session %s', aws_svc.session_id)

        encrypted_image_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=encryptor_service.EncryptorService,
            image_id=values.ami,
            encryptor_ami=encryptor_ami,
            encrypted_ami_name=values.encrypted_ami_name
        )
        # Print the AMI ID to stdout, in case the caller wants to process
        # the output.  Log messages go to stderr.
        print(encrypted_image_id)
        return 0
    except EC2ResponseError as e:
        if e.error_code == 'AuthFailure':
            msg = 'Check your AWS login credentials and permissions'
            if values.verbose:
                log.exception(msg)
            else:
                log.error(msg + ': ' + e.error_message)
        elif e.error_code == 'InvalidKeyPair.NotFound':
            if values.verbose:
                log.exception(e.error_message)
            else:
                log.error(e.error_message)
        elif e.error_code == 'UnauthorizedOperation':
            if values.verbose:
                log.exception(e.error_message)
            else:
                log.error(e.error_message)
            log.error(
                'Unauthorized operation.  Check the IAM policy for your '
                'AWS account.'
            )
        else:
            raise
    except util.BracketError as e:
        if values.verbose:
            log.exception(e.message)
        else:
            log.error(e.message)
    except KeyboardInterrupt:
        if values.verbose:
            log.exception('Interrupted by user')
        else:
            log.error('Interrupted by user')
    return 1
示例#32
0
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-v',
        '--verbose',
        dest='verbose',
        action='store_true',
        help='Print status information to the console'
    )
    parser.add_argument(
        '--version',
        action='version',
        version='brkt-cli version %s' % VERSION
    )

    subparsers = parser.add_subparsers()

    encrypt_ami_parser = subparsers.add_parser('encrypt-ami')
    encrypt_ami_args.setup_encrypt_ami_args(encrypt_ami_parser)

    argv = sys.argv[1:]
    values = parser.parse_args(argv)
    region = values.region

    # Initialize logging.  Log messages are written to stderr and are
    # prefixed with a compact timestamp, so that the user knows how long
    # each operation took.
    if values.verbose:
        log_level = logging.DEBUG
    else:
        # Boto logs auth errors and 401s at ERROR level by default.
        boto.log.setLevel(logging.FATAL)
        log_level = logging.INFO

    # Set the log level of our modules explicitly.  We can't set the
    # default log level to INFO because we would see INFO messages from
    # boto and other 3rd party libraries in the command output.
    logging.basicConfig(format='%(asctime)s %(message)s', datefmt='%H:%M:%S')
    global log
    log = logging.getLogger(__name__)
    log.setLevel(log_level)
    aws_service.log.setLevel(log_level)
    encryptor_service.log.setLevel(log_level)

    if values.encrypted_ami_name:
        try:
            aws_service.validate_image_name(values.encrypted_ami_name)
        except aws_service.ImageNameError as e:
            print(e.message, file=sys.stderr)
            return 1

    # Validate the region.
    regions = [str(r.name) for r in boto.vpc.regions()]
    if region not in regions:
        print(
            'Invalid region %s.  Must be one of %s.' %
            (region, str(regions)),
            file=sys.stderr
        )
        return 1

    encryptor_ami = values.encryptor_ami
    if not encryptor_ami:
        try:
            encryptor_ami = encrypt_ami.get_encryptor_ami(region)
        except:
            log.exception('Failed to get encryptor AMI.')
            return 1

    session_id = util.make_nonce()
    default_tags = encrypt_ami.get_default_tags(session_id, encryptor_ami)

    try:
        # Connect to AWS.
        aws_svc = aws_service.AWSService(
            session_id, encryptor_ami, default_tags=default_tags)
        aws_svc.connect(region, key_name=values.key_name)
    except NoAuthHandlerFound:
        msg = (
            'Unable to connect to AWS.  Are your AWS_ACCESS_KEY_ID and '
            'AWS_SECRET_ACCESS_KEY environment variables set?'
        )
        if values.verbose:
            log.exception(msg)
        else:
            log.error(msg)
        return 1

    try:
        if values.key_name:
            # Validate the key pair name.
            aws_svc.get_key_pair(values.key_name)

        if not values.no_validate_ami:
            error = aws_svc.validate_guest_ami(values.ami)
            if error:
                print(error, file=sys.stderr)
                return 1

            error = aws_svc.validate_encryptor_ami(encryptor_ami)
            if error:
                print(error, file=sys.stderr)
                return 1

        log.info('Starting encryptor session %s', aws_svc.session_id)

        encrypted_image_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=encryptor_service.EncryptorService,
            image_id=values.ami,
            encryptor_ami=encryptor_ami,
            encrypted_ami_name=values.encrypted_ami_name
        )
        # Print the AMI ID to stdout, in case the caller wants to process
        # the output.  Log messages go to stderr.
        print(encrypted_image_id)
        return 0
    except EC2ResponseError as e:
        if e.error_code == 'AuthFailure':
            msg = 'Check your AWS login credentials and permissions'
            if values.verbose:
                log.exception(msg)
            else:
                log.error(msg + ': ' + e.error_message)
        elif e.error_code == 'InvalidKeyPair.NotFound':
            if values.verbose:
                log.exception(e.error_message)
            else:
                log.error(e.error_message)
        elif e.error_code == 'UnauthorizedOperation':
            if values.verbose:
                log.exception(e.error_message)
            else:
                log.error(e.error_message)
            log.error(
                'Unauthorized operation.  Check the IAM policy for your '
                'AWS account.'
            )
        else:
            raise
    except util.BracketError as e:
        if values.verbose:
            log.exception(e.message)
        else:
            log.error(e.message)
    except KeyboardInterrupt:
        if values.verbose:
            log.exception('Interrupted by user')
        else:
            log.error('Interrupted by user')
    return 1