| Current Path : /usr/bin/ |
Linux gator3171.hostgator.com 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64 |
| Current File : //usr/bin/kcarectl |
#!/usr/bin/env python2
# Copyright (c) Cloud Linux GmbH & Cloud Linux Software, Inc
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT
from __future__ import print_function
import ast
import base64
import errno
import hashlib
import json
import logging
import logging.handlers
import os
import platform
import random
import re
import shutil
import socket
import ssl
import subprocess
import sys
import tempfile
import time
import warnings
import fnmatch
from argparse import ArgumentParser
from datetime import datetime
from contextlib import contextmanager
# The scanner interface should skip us
os.environ['KCARE_SCANNER_INTERFACE_DO_NOTHING'] = '1'
if os.path.isdir('/usr/libexec/kcare/python'): # pragma: no cover
sys.path.insert(0, '/usr/libexec/kcare/python')
warnings.filterwarnings('ignore', category=DeprecationWarning)
PY2 = sys.version_info[0] == 2
if PY2: # pragma: no py3 cover
from ConfigParser import ConfigParser
import httplib
from urllib import urlencode
from urllib import quote as urlquote
from urllib2 import HTTPError, URLError, Request, urlopen as std_urlopen
else: # pragma: no py2 cover
from urllib.parse import quote as urlquote
from configparser import ConfigParser
from http import client as httplib
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen as std_urlopen
kcarelog = logging.getLogger('kcare') # mocked: py/kcarectl_tests
kcarelog.setLevel(logging.INFO)
FLAGS = ['keep-registration']
BLACKLIST_FILE = 'kpatch.blacklist'
CACHE_ENTRIES = 3
CONFIG = '/etc/sysconfig/kcare/kcare.conf'
LOG_FILE = '/var/log/kcarectl.log'
CPANEL_GID = 99
EFFECTIVE_LATEST = 'v2'
EXPECTED_PREFIX = ('12h', '24h', '48h', 'test')
FIXUPS_FILE = 'kpatch.fixups'
FREEZER_BLACKLIST = '/etc/sysconfig/kcare/freezer.modules.blacklist'
GPG_KEY_DIR = '/etc/pki/kcare-gpg/'
KCDOCTOR = '/usr/libexec/kcare/kcdoctor.sh'
KERNEL_VERSION_FILE = '/proc/version'
KMOD_BIN = 'kcare.ko'
KPATCH_CTL = '/usr/libexec/kcare/kpatch_ctl'
LEVEL = None # a level to 'stick on' (if 0 then use latest level)
LIBCARE_CLIENT = '/usr/libexec/kcare/libcare-client'
LIBCARE_DISABLED = True
LIBCARE_PATCHES = '/etc/sysconfig/kcare/libcare_patches'
PATCH_BIN = 'kpatch.bin'
PATCH_CACHE = '/var/cache/kcare'
PATCH_DONE = '.done'
PATCH_INFO = 'kpatch.info'
PATCH_LATEST = ('latest.v2',)
PATCH_METHOD = ''
PATCH_SERVER = 'https://patches.kernelcare.com'
REGISTRATION_API_URL = 'https://cln.cloudlinux.com/api/kcare'
SYSCTL_CONFIG = '/etc/sysconfig/kcare/sysctl.conf'
TEST_PREFIX = ''
VERSION = '2.60-3.el7'
VIRTWHAT = '/usr/libexec/kcare/virt-what'
USERSPACE_PATCHES = None
IM360_LICENSE_FILE = '/var/imunify360/license.json'
SYSTEMID = '/etc/sysconfig/kcare/systemid'
# urlopen retry options
RETRY_DELAY = 3
RETRY_MAX_DELAY = 30
RETRY_BACKOFF = 2
RETRY_COUNT = 4
UPDATE_MODE_MANUAL = 'manual' # update is launched manually bu `kcarectl -u`
UPDATE_MODE_AUTO = 'auto' # update is launched by cron
UPDATE_MODE_SMART = 'smart' # update is launched by kcare daemon
CHECK_CLN_LICENSE_STATUS = True
VERSION_RE = re.compile(r'^(\d+[.]\d+[-]\d+)')
BLACKLIST_RE = re.compile('==BLACKLIST==\n(.*)==END BLACKLIST==\n', re.DOTALL)
CONFLICTING_MODULES_RE = re.compile('(kpatch.*|ksplice.*|kpatch_livepatch.*)')
KCARE_UNAME_FILE = '/proc/kcare/effective_version'
POLICY_REMOTE = 'REMOTE'
POLICY_LOCAL = 'LOCAL'
POLICY_LOCAL_FIRST = 'LOCAL_FIRST'
UPDATE_POLICY = POLICY_REMOTE
AUTO_UPDATE = True
LIB_AUTO_UPDATE = True
UPDATE_FROM_LOCAL = False
USE_SIGNATURE = True
IGNORE_UNKNOWN_KERNEL = False
LOAD_KCARE_SYSCTL = True
KPATCH_DEBUG = False
CHECK_SSL_CERTS = True
PATCH_TYPE = ''
PREV_PATCH_TYPE = 'default'
BEFORE_UPDATE_COMMAND = None
AFTER_UPDATE_COMMAND = None
PRINT_INFO = 1
PRINT_WARN = 2
PRINT_ERROR = 3
PRINT_CRITICAL = 4
PRINT_LEVEL = PRINT_INFO
SILENCE_ERRORS = True
SUCCESS_TIMEOUT = 5 * 60
REPORT_FQDN = False
FORCE_GID = None
ntype = type('')
btype = type(b'')
utype = type(u'')
def bstr(data, encoding='latin1'): # pragma: no py2 cover
if type(data) is utype:
data = data.encode(encoding)
return data
def ustr(data, encoding='latin1'): # pragma: no py2 cover
if type(data) is btype:
data = data.decode(encoding)
return data
def nstr(data, encoding='utf-8'): # pragma: no py2 cover
if type(data) is ntype:
return data
elif type(data) is btype:
return data.decode(encoding)
else:
return data.encode(encoding) # pragma: no py3 cover
GPG_BIN = '/usr/bin/gpg'
GPG_OWNER_TRUST = bstr('034327E8206469CB296AC14ECCE80D2B8B53D14B:6:\n')
def get_freezer_blacklist():
result = set()
try:
f = open(FREEZER_BLACKLIST, 'r')
for line in f:
result.add(line.rstrip())
f.close()
except Exception:
pass
return result
def _apply_ptype(ptype, filename):
name_parts = filename.split('.')
if ptype:
filename = '.'.join([name_parts[0], ptype, name_parts[-1]])
else:
filename = '.'.join([name_parts[0], name_parts[-1]])
return filename
def apply_ptype(ptype):
global PATCH_BIN, PATCH_INFO, BLACKLIST_FILE, FIXUPS_FILE, PATCH_DONE
PATCH_BIN = _apply_ptype(ptype, PATCH_BIN)
PATCH_INFO = _apply_ptype(ptype, PATCH_INFO)
BLACKLIST_FILE = _apply_ptype(ptype, BLACKLIST_FILE)
FIXUPS_FILE = _apply_ptype(ptype, FIXUPS_FILE)
PATCH_DONE = _apply_ptype(ptype, PATCH_DONE)
def _printlvl(message, level, file=None):
if level >= PRINT_LEVEL:
print(message, file=file)
def loginfo(message):
_printlvl(message, PRINT_INFO)
kcarelog.info(message)
def logerror(message, print_msg=True):
if print_msg:
_printlvl(message, PRINT_ERROR, file=sys.stderr)
kcarelog.error(message)
def logexc(message):
if PRINT_ERROR >= PRINT_LEVEL:
import traceback
traceback.print_exc()
kcarelog.exception(message)
def _timestmap_str():
return str(int(time.time()))
def nohup_fork(func, sleep=None): # pragma: no cover
"""
Run func in a fork in an own process group
(will stay alive after kcarectl process death).
:param func: function to execute
:return:
"""
pid = os.fork()
if pid != 0:
os.waitpid(pid, 0)
return
os.setsid()
pid = os.fork()
if pid != 0:
os._exit(0)
# close standard files to release TTY
os.close(0)
# redirect stdout/stdin into log file
with open(LOG_FILE, 'a') as fd:
os.dup2(fd.fileno(), 1)
os.dup2(fd.fileno(), 2)
if sleep:
time.sleep(sleep)
try:
func()
except Exception:
kcarelog.exception('Wait exception')
os._exit(1)
os._exit(0)
def atomic_write(fname, content, ensure_dir=False):
tmp_fname = fname + '.tmp'
dname = os.path.dirname(tmp_fname)
if ensure_dir and not os.path.exists(dname):
os.makedirs(dname)
with open(tmp_fname, 'w') as f:
f.write(content)
os.rename(tmp_fname, fname)
def touch_anchor():
""" Check the fact that there was a failed patching attempt.
If anchor file not exists we should create an anchor with
timestamp and schedule its deletion at $timeout.
If anchor exists and its timestamp more than $timeout from now
we should raise an error.
"""
anchor_filepath = os.path.join(PATCH_CACHE, '.kcareprev.lock')
if os.path.isfile(anchor_filepath):
with open(anchor_filepath, 'r') as afile:
try:
timestamp = int(afile.read())
# anchor was created quite recently
# that means that something went wrong
if timestamp + SUCCESS_TIMEOUT > time.time():
raise PreviousPatchFailedException(
timestamp, anchor_filepath)
except ValueError:
pass
atomic_write(anchor_filepath, _timestmap_str()) # write a new timestamp
def commit_update(state_data):
"""
See touch_anchor() for detailed explanation of anchor mechanics.
See KPT-730 for details about action registration.
:param state_data: dict with current level, kernel_id etc.
"""
try:
os.remove(os.path.join(PATCH_CACHE, '.kcareprev.lock'))
except OSError:
pass
register_action('done', state_data)
# reset module cache, to allow server_info get fresh data
get_loaded_modules.modules = None
try:
get_latest_patch_level(reason='done')
except Exception:
kcarelog.exception('Cannot send update info!')
def save_to_file(response, dst):
parent_dir = os.path.dirname(dst)
if not os.path.exists(parent_dir):
os.makedirs(parent_dir)
with open(dst, 'wb') as f:
shutil.copyfileobj(response, f)
def clean_directory(directory, exclude_path=None, keep_n=CACHE_ENTRIES, pattern=None):
if not os.path.exists(directory):
return
data = []
items = os.listdir(directory)
if pattern is not None:
items = fnmatch.filter(items, pattern)
for item in items:
full_path = os.path.join(directory, item)
if full_path != exclude_path:
data.append((os.stat(full_path).st_mtime, full_path))
data.sort(reverse=True)
for _, entry in data[keep_n:]:
if os.path.isfile(entry) or os.path.islink(entry):
os.remove(entry)
else:
shutil.rmtree(entry)
def clear_cache(khash, plevel):
clean_directory(os.path.join(PATCH_CACHE, 'patches'), exclude_path=get_cache_path(khash, plevel, ''))
def get_cache_path(khash, plevel, fname):
prefix = TEST_PREFIX or 'none'
ptype = PATCH_TYPE or 'default'
patch_dir = '-'.join([prefix, khash, plevel, ptype])
result = (PATCH_CACHE, 'patches', patch_dir)
if fname:
result += (fname,)
return os.path.join(*result)
def get_current_level_path(khash, fname):
prefix = TEST_PREFIX or 'none'
module_dir = '-'.join([prefix, khash])
result = (PATCH_CACHE, 'modules', module_dir)
if fname:
result += (fname,)
return os.path.join(*result)
def save_cache_latest(khash, patch_level):
atomic_write(get_current_level_path(khash, 'latest'), patch_level, ensure_dir=True)
def get_cache_latest(khash):
path_with_latest = get_current_level_path(khash, 'latest')
if os.path.isfile(path_with_latest):
return open(path_with_latest, 'r').read()
def check_gpg_signature(file_path, signature): # mocked: py/kcarectl_tests
"""
Check a file signature using the gpg tool.
If signature is wrong BadSignatureException will be raised.
:param file_path: path to file which signature will be checked
:param signature: a file with the signature
:return: True in case of valid signature
:raises: BadSignatureException
"""
if gpg_exec(['--verify', signature, file_path]) != 0:
raise BadSignatureException('Bad Signature: {0}'.format(file_path))
return True
class CertificateError(ValueError):
pass
class KcareError(Exception):
""" Base kernelcare exception which will be considered as expected
error and the full traceback will not be shown.
"""
pass
class NotFound(HTTPError):
pass
class UnknownKernelException(KcareError):
def __init__(self):
Exception.__init__(self, 'Unknown Kernel ({0} {1} {2})'.format(
get_distro()[0], platform.release(), get_kernel_hash()))
class UnableToGetLicenseException(KcareError):
def __init__(self, code):
Exception.__init__(self, 'Unknown Issue when getting trial license. Error code: ' + str(code))
class ApplyPatchError(KcareError):
def __init__(self, code, freezer_style, level, patch_file, *args, **kwargs):
super(ApplyPatchError, self).__init__(*args, **kwargs)
self.code = code
self.freezer_style = freezer_style
self.level = level
self.patch_file = patch_file
self.distro = get_distro()[0]
self.release = platform.release()
def __str__(self):
return 'Unable to apply patch ({0} {1} {2} {3} {4}, {5})'.format(
self.patch_file,
self.level,
self.code,
self.distro,
self.release,
', '.join([str(i) for i in self.freezer_style])
)
class AlreadyTrialedException(KcareError):
def __init__(self, ip, created, *args, **kwargs):
super(AlreadyTrialedException, self).__init__(*args, **kwargs)
self.created = created[0:created.index('T')]
self.ip = ip
def __str__(self):
return 'The IP {0} was already used for a trial license on {1}'.format(self.ip, self.created)
class BadSignatureException(KcareError):
pass
# KCARE-509
class PreviousPatchFailedException(KcareError):
def __init__(self, timestamp, anchor, *args, **kwargs):
super(PreviousPatchFailedException, self).__init__(*args, **kwargs)
self.timestamp = timestamp
self.anchor = anchor
def __str__(self):
message = 'It seems, the latest patch, applying at {0}, crashed, ' \
'and further attempts will be suspended. ' \
'To force patch applying, remove `{1}` file'
return message.format(self.timestamp, self.anchor)
class NoLibcareLicenseException(KcareError):
pass
def http_request(url, auth_string):
request = Request(url)
if not UPDATE_FROM_LOCAL and auth_string:
request.add_header('Authorization', 'Basic {0}'.format(auth_string))
return request
def print_cln_http_error(ex, url=None, stdout=True):
url = url or '<route cannot be logged>'
logerror('Unable to fetch {0}. Please try again later (error: {1})'.format(url, str(ex)), stdout)
def parse_response_date(str_raw):
# Try to split it by T
str_date, sep, _ = str_raw.partition('T')
# No success - split by space
if not sep:
str_date, _, _ = str_raw.partition(' ')
return datetime.strptime(str_date, '%Y-%m-%d')
def set_monitoring_key_for_ip_license(key):
url = REGISTRATION_API_URL + '/nagios/register_key.plain?key={0}'.format(key)
try:
response = urlopen(url)
res = data_as_dict(nstr(response.read()))
code = int(res['code'])
if code == 0:
print('Key successfully registered')
elif code == 1:
print('Wrong key format or size')
elif code == 2:
print('No KernelCare license for that IP')
else:
print('Unknown error {0}'.format(code))
return code
except HTTPError as e:
print_cln_http_error(e, url)
return -1
@contextmanager
def execute_hooks():
if BEFORE_UPDATE_COMMAND:
run_command(BEFORE_UPDATE_COMMAND, shell=True)
try:
yield
finally:
if AFTER_UPDATE_COMMAND:
run_command(AFTER_UPDATE_COMMAND, shell=True)
def update_config(prop, value):
cf = open(CONFIG)
lines = cf.readlines()
cf.close()
updated = False
prop_eq = prop + '='
prop_sp = prop + ' '
for i in range(len(lines)):
if lines[i].startswith(prop_eq) or lines[i].startswith(prop_sp):
lines[i] = prop + ' = ' + str(value) + '\n'
updated = True
break
if not updated:
lines.append(prop + ' = ' + str(value) + '\n')
atomic_write(CONFIG, ''.join(lines))
def plugin_info(fmt=None):
"""
The output will consist of:
Ignore output up to the line with "--START--"
Line 1: show if update is needed:
0 - updated to latest,
1 - update available,
2 - unknown kernel
3 - kernel doesn't need patches
4 - no license, cannot determine
Line 2: licensing message (can be skipped, can be more then one line)
Line 3: LICENSE: CODE: 1: license present, 2: trial license present, 0: no license
Line 4: Update mode (True - auto-update, False, no auto update)
Line 5: Effective kernel version
Line 6: Real kernel version
Line 7: Patchset Installed # --> If None, no patchset installed
Line 8: Uptime (in seconds)
If *format* is 'json' return the results in JSON format.
Any other output means error retrieving info
:return:
"""
pli = _patch_level_info()
update_code = pli.code
loaded_pl = pli.applied_lvl
license_info_result = license_info()
if fmt == 'json':
results = {
'updateCode': str(update_code),
'autoUpdate': AUTO_UPDATE,
'effectiveKernel': kcare_uname(),
'realKernel': platform.release(),
'loadedPatchLevel': loaded_pl,
'uptime': int(get_uptime()),
'license': license_info_result,
}
print('--START--')
print(json.dumps(results))
else:
print('--START--')
print(str(update_code))
print('LICENSE: ' + str(license_info_result))
print(AUTO_UPDATE)
print(kcare_uname())
print(platform.release())
print(loaded_pl)
print(get_uptime())
def license_info():
server_id = server_id_store.get_serverid()
if server_id:
url = REGISTRATION_API_URL + '/check.plain?server_id={0}'.format(server_id)
try:
response = urlopen(url)
content = nstr(response.read())
res = data_as_dict(content)
if not res or not res.get('code'):
print('Unexpected CLN response: {0}'.format(content))
return 1
code = int(res['code'])
if code == 0:
print('Key-based valid license found')
return 1
else:
license_type = _get_license_info_by_ip(key_checked=1)
if license_type == 0:
print('No valid key-based license found')
return license_type
except HTTPError as e:
print_cln_http_error(e, url)
return 0
else:
return _get_license_info_by_ip()
def _get_license_info_by_ip(key_checked=0):
url = REGISTRATION_API_URL + '/check.plain'
try:
response = urlopen(url)
content = nstr(response.read())
res = data_as_dict(content)
if res['success'].lower() == 'true':
code = int(res['code'])
if code == 0:
print('Valid license found for IP {0}'.format(res['ip']))
return 1 # valid license
if code == 1:
ip = res['ip']
expires_str = parse_response_date(res['expire_date']).strftime('%Y-%m-%d')
print('You have a trial license for the IP {0} that will expire on {1}'.format(ip, expires_str))
return 2 # trial license
if code == 2 and key_checked == 0:
ip = res['ip']
expires_str = parse_response_date(res['expire_date']).strftime('%Y-%m-%d')
print('Your trial license for the IP {0} expired on {1}'.format(ip, expires_str))
if code == 3 and key_checked == 0:
if 'ip' in res:
print("The IP {0} hasn't been licensed".format(res['ip']))
else:
print("This server hasn't been licensed")
else:
message = res.get('message', '')
print('Error retrieving license info: {0}'.format(message))
except HTTPError as e:
print_cln_http_error(e, url)
except KeyError as key:
print('Unexpected CLN response, cannot find {0} key:\n{1}'.format(key, content.strip()))
return 0 # no valid license
def register_trial():
trial_mark = os.path.join(PATCH_CACHE, 'trial-requested')
if os.path.exists(trial_mark):
return
try:
response = urlopen(REGISTRATION_API_URL + '/trial.plain')
res = data_as_dict(nstr(response.read()))
try:
if res['success'].lower() == 'true':
atomic_write(trial_mark, '', ensure_dir=True)
if res['expired'] == 'true':
raise AlreadyTrialedException(res['ip'], res['created'])
loginfo('Requesting trial license for IP {0}. Please wait...'.format(res['ip']))
return None
elif res['success'] == 'na':
atomic_write(trial_mark, '', ensure_dir=True)
raise KcareError('Invalid License')
else:
# TODO: make sane exception messages
raise UnableToGetLicenseException(-1) # Invalid response?
except KeyError as ke:
raise UnableToGetLicenseException(ke)
except HTTPError as e:
raise UnableToGetLicenseException(e.code)
def get_uptime():
f = None
try:
f = open('/proc/uptime', 'r')
line = f.readline()
result = str(int(float(line.split()[0])))
f.close()
return result
except Exception:
if f is not None:
f.close()
return '-1'
def get_last_stop():
""" Returns timestamp from PATCH_CACHE/stoped.at if its exsits
"""
stopped_at_filename = os.path.join(PATCH_CACHE, 'stopped.at')
if os.path.exists(stopped_at_filename):
with open(stopped_at_filename, 'r') as fh:
return fh.read().rstrip()
return '-1'
def get_distro():
if sys.version_info[:2] < (3, 8): # pragma: no py3 cover
return platform.linux_distribution()
else: # pragma: no distro cover
import distro
return distro.linux_distribution(full_distribution_name=False)
def edf_fallback_ptype():
distro, version = get_distro()[:2]
# From talk with @kolshanov
if distro == 'CloudLinux' and version.startswith('7.'):
return 'extra'
else:
return ''
def strip_version_timestamp(version):
match = VERSION_RE.match(version)
return match and match.group(1) or version
def server_info(reason, now=None):
data = dict()
data['ts'] = int(now or time.time())
data['reason'] = reason
data['machine'] = platform.machine()
data['processor'] = platform.processor()
data['release'] = platform.release()
data['system'] = platform.system()
data['version'] = platform.version()
distro = get_distro()
data['distro'] = distro[0]
data['distro_version'] = distro[1]
data['euname'] = kcare_uname()
data['kcare_version'] = strip_version_timestamp(VERSION)
data['last_stop'] = get_last_stop()
data['node'] = get_hostname()
data['uptime'] = get_uptime()
data['virt'] = check_output([VIRTWHAT]).strip()
description = parse_patch_description(loaded_patch_description())
data['ltimestamp'] = description['last-update']
data['patch_level'] = description['patch-level']
data['patch_type'] = description['patch-type']
data['kmod'] = get_current_kmod_version() or ''
server_id = server_id_store.get_serverid()
if server_id:
data['server_id'] = server_id
state_file = os.path.join(PATCH_CACHE, 'kcare.state')
if os.path.exists(state_file):
with open(state_file, 'r') as f:
state = f.read()
try:
data['state'] = ast.literal_eval(state)
except (SyntaxError, ValueError):
pass
return data
def based_server_info(reason):
return nstr(base64.b16encode(bstr(str(server_info(reason)))))
def get_http_auth_string():
server_id = server_id_store.get_serverid()
if server_id:
return nstr(base64.b64encode(bstr('{0}:{1}'.format(server_id, 'kernelcare'))))
return None
# addr -> resolved_peer_addr map
CONNECTION_STICKY_MAP = {}
def sticky_connect(self):
"""Function remembers IP address of host connected to
and uses it for later connections.
Replaces stdlib version of httplib.HTTPConnection.connect
"""
addr = self.host, self.port
resolved_addr = CONNECTION_STICKY_MAP.get(addr, addr)
self.sock = socket.create_connection(resolved_addr, self.timeout)
self.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
if addr not in CONNECTION_STICKY_MAP:
CONNECTION_STICKY_MAP[addr] = self.sock.getpeername()
if self._tunnel_host:
self._tunnel()
httplib.HTTPConnection.connect = sticky_connect
# python >= 2.7.9 stdlib (with ssl.HAS_SNI) is able to process https request on its own,
# for earlier versions manual checks should be done
if not getattr(ssl, 'HAS_SNI', None): # pragma: no cover unit
try:
import distutils.version
import OpenSSL.SSL
if distutils.version.StrictVersion(OpenSSL.__version__) < distutils.version.StrictVersion('0.13'):
raise ImportError('No pyOpenSSL module with SNI ability.')
except ImportError:
pass
else:
def dummy_verify_callback(*args):
# OpenSSL.SSL.Context.set_verify() requires callback
# where additional checks could be done;
# here is a dummy callback and a hostname check is made externally
# to provide original exception from match_hostname()
return True
PureHTTPSConnection = httplib.HTTPSConnection
class SSLSock(object):
def __init__(self, sock):
self._ssl_conn = sock
self._makefile_refs = 0
def makefile(self, *args):
self._makefile_refs += 1
return socket._fileobject(self._ssl_conn, *args, close=True)
def close(self):
if not self._makefile_refs and self._ssl_conn:
self._ssl_conn.close()
self._ssl_conn = None
def sendall(self, *args):
return self._ssl_conn.sendall(*args)
class PyOpenSSLHTTPSConnection(httplib.HTTPSConnection):
def connect(self):
httplib.HTTPConnection.connect(self)
# workaround to force pyopenssl to use TLSv1.2
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)
if CHECK_SSL_CERTS:
ctx.set_verify(OpenSSL.SSL.VERIFY_PEER, dummy_verify_callback)
else:
ctx.set_verify(OpenSSL.SSL.VERIFY_NONE, dummy_verify_callback)
ctx.set_default_verify_paths()
conn = OpenSSL.SSL.Connection(ctx, self.sock)
conn.set_connect_state()
# self._tunnel_host is an original hostname in case of proxy use
server_host = self._tunnel_host or self.host
conn.set_tlsext_host_name(server_host)
conn.do_handshake()
if CHECK_SSL_CERTS:
match_hostname(conn.get_peer_certificate(), server_host)
self.sock = SSLSock(conn)
httplib.HTTPSConnection = PyOpenSSLHTTPSConnection
def _urlopen(url, *args, **kwargs): # mocked: py/kcarectl_tests
if hasattr(url, 'get_full_url'):
request_url = url.get_full_url()
else:
request_url = url
url = Request(url)
url.add_header('KC-Version', VERSION)
try:
if not CHECK_SSL_CERTS and getattr(ssl, 'HAS_SNI', None): # pragma: no cover unit
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
return std_urlopen(url, *args, context=ctx, **kwargs)
return std_urlopen(url, *args, **kwargs)
except HTTPError as ex:
if ex.code == 404:
raise NotFound(ex.url, ex.code, ex.msg, ex.hdrs, ex.fp)
# HTTPError is a URLError descendant and contains URL, raise it as is
raise
except URLError as ex:
# Local patches OSError(No such file) should be interpreted as Not found(404)
# It was done as a chain because when it implemented with "duck-typing" it will mess
# with error context
if ex.args and hasattr(ex.args[0], 'errno') and ex.args[0].errno == errno.ENOENT:
raise NotFound(url, 404, str(ex), None, None)
# there is no information about URL in the base URLError class, add it and raise
ex.reason = 'Request for `{0}` failed: {1}'.format(request_url, ex)
ex.url = request_url
raise
def check_exc(*exc_list):
def inner(e, state):
return isinstance(e, exc_list)
return inner
def retry(check_retry, count=None, delay=None, backoff=None):
if delay is None:
delay = RETRY_DELAY
if count is None:
count = RETRY_COUNT
if backoff is None:
backoff = RETRY_BACKOFF
state = {}
def decorator(fn):
def inner(*args, **kwargs):
ldelay = delay
for _ in range(count):
try:
return fn(*args, **kwargs)
except Exception as e:
if not check_retry(e, state):
raise
time.sleep(ldelay)
ldelay = min(ldelay * backoff, RETRY_MAX_DELAY)
# last try
return fn(*args, **kwargs)
return inner
return decorator
def check_urlopen_retry(e, state):
if isinstance(e, HTTPError):
return e.code >= 500
elif isinstance(e, URLError):
return True
def check_auth_retry(e, state):
if isinstance(e, HTTPError):
if e.code in (403, 401):
return handle_forbidden(state)
return e.code >= 500
elif isinstance(e, URLError):
return True
def is_local_url(url):
if hasattr(url, 'get_full_url'):
url = url.get_full_url()
return url.startswith('file:')
def urlopen(url, *args, **kwargs):
if is_local_url(url):
return _urlopen(url, *args, **kwargs)
return retry(check_urlopen_retry)(_urlopen)(url, *args, **kwargs)
def urlopen_auth(url, *args, **kwargs):
if is_local_url(url):
return _urlopen(url, *args, **kwargs)
request = http_request(url, get_http_auth_string())
if kwargs.pop('check_license', True):
check = check_auth_retry
else:
check = check_urlopen_retry
return retry(check)(_urlopen)(request, *args, **kwargs)
def handle_forbidden(state):
""" In case of 403 error we should check what's happen.
Case #1. We are trying to register unlicensed machine and should try to register trial.
Case #2. We have a valid license but access restrictions on server are not consistent yet
and we had to try later.
"""
if 'license' in state:
# license has already been checked and is valid, no need to ask CLN again
return True
if CHECK_CLN_LICENSE_STATUS:
server_id = server_id_store.get_serverid()
if server_id:
url = REGISTRATION_API_URL + '/check.plain' + '?server_id={0}'.format(server_id)
else:
url = REGISTRATION_API_URL + '/check.plain'
try:
# do not retry in case of 500 from CLN!
# otherwise, CLN will die in pain because of too many requests
content = nstr(_urlopen(url).read())
info = data_as_dict(content)
except URLError as ex:
print_cln_http_error(ex, url, stdout=False)
return
if not info or not info.get('code'):
kcarelog.error('Unexpected CLN response: {0}'.format(content))
return
if info['code'] in ['0', '1']:
# license is fine: 0 - valid license, 1 - valid trial license;
# looks like htpasswd not updated yet;
# mark state as licensed to avoid repeated requests to CLN
state['license'] = True
logerror('Unable to access server. Retrying...')
return True
else:
register_trial()
def fetch_patch_level(reason):
if LEVEL is not None:
return LEVEL
for latest in PATCH_LATEST:
if UPDATE_FROM_LOCAL:
url = get_kernel_url(KHASH, latest)
else:
url = get_kernel_url(KHASH, stickyfy(latest)) + '?' + based_server_info(reason)
try:
response = urlopen_auth(url, check_license=False)
return nstr(response.read()).rstrip('\n')
except NotFound:
pass
except HTTPError as ex:
# No license - no access
if ex.code in (403, 401):
raise KcareError('KC licence is required')
raise
raise UnknownKernelException()
def fetch_signature(url, dst, auth=False):
urlopen_local = urlopen
if auth:
urlopen_local = urlopen_auth
sig_exts = ['.sig2', '.sig']
for sig_ext in sig_exts:
try:
signature = urlopen_local(url + sig_ext)
break
except NotFound as e:
if sig_ext == sig_exts[-1]:
raise e # pragma: no cover
sig_dst = dst + sig_ext
save_to_file(signature, sig_dst)
return sig_dst
# BadSignatureException is the only side effect of interrupted connection,
# should retry file extraction in this case
# TODO: what about clients with USE_SIGNATURE == False? use content-len?
@retry(check_exc(BadSignatureException), count=3, delay=0)
def fetch_url(url, dst, check_signature=False):
response = urlopen_auth(url)
save_to_file(response, dst)
if check_signature:
try:
signature = fetch_signature(url, dst, auth=True)
return check_gpg_signature(dst, signature)
except BadSignatureException:
if os.path.exists(dst):
os.rename(dst, dst + '.tmp')
raise
else:
return True
def probe_patch(khash, level, ptype):
sig_exts = ['.sig2', '.sig']
for sig_ext in sig_exts:
url = get_kernel_url(khash, level, _apply_ptype(ptype, PATCH_BIN) + sig_ext)
kcarelog.info('Probing patch URL: {0}'.format(url))
try:
urlopen_auth(url, check_license=False)
except NotFound:
kcarelog.info('{0} is not available: 404'.format(url))
if sig_ext != sig_exts[-1]:
continue
return False
except URLError as ex:
kcarelog.info('{0} is not available: {1}'.format(url, str(ex)))
return True
class PatchFetcher(object):
def __init__(self, _hash, patch_level=None):
self.hash = _hash
self.patch_level = patch_level
def fetch_patch_file_level(self, level, name, check_signature=False):
url = get_kernel_url(self.hash, level, name)
dst = get_cache_path(self.hash, level, name)
return fetch_url(url, dst, check_signature)
def fetch_patch_file(self, name, check_signature=False):
assert self.patch_level is not None
return self.fetch_patch_file_level(self.patch_level, name, check_signature)
def fetch_kmod(self):
if 'patches.kernelcare.com' in PATCH_SERVER:
url = get_kernel_url(self.hash, self.patch_level, KMOD_BIN)
else: # ePortal workaround ):
url = get_kernel_url(self.hash, KMOD_BIN)
dst = get_cache_path(self.hash, self.patch_level, KMOD_BIN)
return fetch_url(url, dst, USE_SIGNATURE)
def is_patch_fetched(self):
assert self.patch_level is not None
patch_files = (
get_cache_path(self.hash, self.patch_level, PATCH_DONE),
get_cache_path(self.hash, self.patch_level, PATCH_BIN),
get_cache_path(self.hash, self.patch_level, PATCH_INFO),
get_cache_path(self.hash, self.patch_level, KMOD_BIN),
)
for fname in patch_files:
if not os.path.isfile(fname):
return False
return True
def fetch_patch(self):
assert self.patch_level is not None
if self.patch_level == '0':
return self.patch_level
if self.is_patch_fetched():
loginfo('Updates already downloaded')
return self.patch_level
loginfo('Downloading updates')
try:
self.fetch_patch_file(PATCH_BIN, check_signature=USE_SIGNATURE)
except NotFound:
raise KcareError('The `{0}` patch level is not found for `{1}` patch type. '
'Please select valid patch type or patch level'
.format(self.patch_level, PATCH_TYPE or 'default'))
self.fetch_patch_file(PATCH_INFO, check_signature=USE_SIGNATURE)
self.fetch_kmod()
self.extract_blacklist()
open(get_cache_path(self.hash, self.patch_level, PATCH_DONE), 'wb').close()
return self.patch_level
def extract_blacklist(self):
assert self.patch_level is not None
buf = open(get_cache_path(self.hash, self.patch_level, PATCH_INFO), 'r').read()
if buf:
mo = BLACKLIST_RE.search(buf)
if mo:
open(get_cache_path(self.hash, self.patch_level, BLACKLIST_FILE), 'w').write(mo.group(1))
def fetch_fixups(self, level):
"""
Download fixup files for defined patch level
:param level: download fixups for this patch level (usually it's a level of loaded patch)
:return: None
"""
if level is None:
return
try:
# never use cache for fixup files, must be downloaded from scratch
self.fetch_patch_file_level(level, FIXUPS_FILE, check_signature=USE_SIGNATURE)
except NotFound:
return
fixups = get_cache_path(self.hash, level, FIXUPS_FILE)
with open(fixups, 'r') as f:
fixups = set([fixup.strip() for fixup in f.readlines()])
for fixup in fixups:
self.fetch_patch_file_level(level, fixup, check_signature=USE_SIGNATURE)
def get_kernel_hash():
f = open(KERNEL_VERSION_FILE, 'rb')
try:
return hashlib.sha1(f.read()).hexdigest()
finally:
f.close()
def kcare_check():
pli = _patch_level_info()
print(pli.msg)
if pli.code == PLI.PATCH_NEED_UPDATE:
sys.exit(0)
else:
sys.exit(1)
def kcare_latest_patch_info(is_json=False):
"""
Retrieve and output to STDOUT latest patch info, so it is easy to get
list of CVEs in use. More info at
https://cloudlinux.atlassian.net/browse/KCARE-952
:return: None
"""
try:
latest = get_latest_patch_level(reason='info', policy=POLICY_REMOTE)
if not latest or latest == '0':
raise UnknownKernelException
url = get_kernel_url(KHASH, latest, PATCH_INFO)
patch_info = nstr(urlopen_auth(url).read())
if is_json:
patches, result = [], {}
for chunk in patch_info.split('\n\n'):
data = data_as_dict(chunk)
if data and 'kpatch-name' in data:
patches.append(data)
else:
result.update(data)
result['patches'] = patches
patch_info = json.dumps(result)
print(patch_info)
except HTTPError as e:
print_cln_http_error(e, e.url)
return 1
except UnknownKernelException:
print('No patches available')
return 0
def _kcare_patch_info_json(pli):
result = {'message': pli.msg}
if pli.applied_lvl is not None:
patch_info = _kcare_patch_info(pli)
patches = []
for chunk in patch_info.split('\n\n'):
data = data_as_dict(chunk)
if data and 'kpatch-name' in data:
patches.append(data)
else:
result.update(data)
result['patches'] = patches
return json.dumps(result, sort_keys=True)
def _kcare_patch_info(pli):
khash = get_kernel_hash()
cache_path = get_cache_path(khash, pli.applied_lvl, PATCH_INFO)
if not os.path.isfile(cache_path):
raise KcareError("Can't find information due to the absent patch information file."
" Please, run /usr/bin/kcarectl --update and try again.")
info = open(cache_path, 'r').read()
if info:
info = BLACKLIST_RE.sub('', info)
return info
def patch_info(is_json=False):
pli = _patch_level_info()
if not is_json:
if pli.code != 0:
print(pli.msg)
if pli.applied_lvl is None:
return
print(_kcare_patch_info(pli))
else:
print(_kcare_patch_info_json(pli))
UNAME_LABEL = 'uname: '
def is_uname_char(c):
return str.isalnum(c) or c in '.-_+'
def parse_uname(patch_level):
khash = get_kernel_hash()
f = open(get_cache_path(khash, patch_level, PATCH_INFO), 'r')
try:
for line in f.readlines():
if line.startswith(UNAME_LABEL):
return ''.join(filter(is_uname_char, line[len(UNAME_LABEL):].strip()))
finally:
f.close()
return ''
def kcare_uname_su():
patch_level = loaded_patch_level()
if patch_level is None or patch_level == '0':
return platform.release()
return parse_uname(patch_level)
def is_same_patch(new_patch_file): # mocked: py/kcarectl_tests
args = [KPATCH_CTL, 'file-info', new_patch_file]
new_patch_info = check_output(args)
current_patch_info = _patch_info()
build_time_label = 'kpatch-build-time'
return get_patch_value(new_patch_info, build_time_label) == get_patch_value(current_patch_info, build_time_label)
def kcare_update_effective_version(new_version):
if os.path.exists(KCARE_UNAME_FILE):
try:
f = open(KCARE_UNAME_FILE, 'w')
f.write(new_version)
f.close()
return True
except Exception:
pass
return False
def kcare_uname():
if os.path.exists(KCARE_UNAME_FILE):
return open(KCARE_UNAME_FILE, 'r').read().strip()
else:
# TODO: talk to @kolshanov about runtime results from KPATCH_CTL info
# (euname from kpatch-description -- not from kpatch.info file)
return kcare_uname_su()
def kcare_need_update(applied_level, new_level):
if new_level == '0':
return False
try:
cur_int = int(applied_level)
new_int = int(new_level)
if new_int < cur_int:
# ignore down-patching
return False
except (TypeError, ValueError):
pass
if applied_level != new_level:
return True
new_patch_file = get_cache_path(KHASH, new_level, PATCH_BIN)
if not is_same_patch(new_patch_file):
return True
return False
class FakeSecHead(object):
def __init__(self, fp):
self.fp = fp
self.sechead = '[asection]\n'
def readline(self): # pragma: no py3 cover
if self.sechead:
try:
return self.sechead
finally:
self.sechead = None
else:
return self.fp.readline()
def __iter__(self): # pragma: no py2 cover
if self.sechead:
yield self.sechead
self.sechead = None
for line in self.fp:
yield line
def get_proxy_from_env(scheme):
if scheme == 'http':
return os.getenv('http_proxy') or os.getenv('HTTP_PROXY')
elif scheme == 'https':
return os.getenv('https_proxy') or os.getenv('HTTPS_PROXY')
def get_config_settings():
result = {}
cp = ConfigParser(defaults={'HTTP_PROXY': '', 'HTTPS_PROXY': ''})
try:
config = FakeSecHead(open(CONFIG))
if PY2: # pragma: no py3 cover
cp.readfp(config)
else: # pragma: no py2 cover
cp.read_file(config)
except Exception:
return {}
def bool_converter(value):
return value.upper() in ('1', 'TRUE', 'YES', 'Y')
def read_var(name, default=None, convert=None, dst=None):
try:
value = cp.get('asection', name)
except Exception:
value = default
if value is not None:
if convert:
value = convert(value)
result[dst or name] = value
for scheme, variable in [('http', 'HTTP_PROXY'), ('https', 'HTTPS_PROXY')]:
# environment settings take precedence over kcare.config ones
if not get_proxy_from_env(scheme):
proxy = cp.get('asection', variable)
if proxy:
os.environ[variable] = proxy
read_var('UPDATE_POLICY', convert=str.upper)
read_var('PATCH_METHOD', convert=str.upper)
read_var('PATCH_SERVER', convert=lambda v: v.rstrip('/'))
read_var('AUTO_UPDATE', convert=bool_converter)
read_var('LIB_AUTO_UPDATE', convert=bool_converter)
read_var('REGISTRATION_URL', convert=lambda v: v.rstrip('/'), dst='REGISTRATION_API_URL')
read_var('PREFIX', dst='TEST_PREFIX')
read_var('IGNORE_UNKNOWN_KERNEL', convert=bool_converter)
read_var('UPDATE_SYSCTL_CONFIG', convert=bool_converter, dst='LOAD_KCARE_SYSCTL')
read_var('CHECK_SSL_CERTS', convert=bool_converter)
read_var('PATCH_TYPE', convert=str.lower)
read_var('PREV_PATCH_TYPE', convert=str.lower)
read_var('PATCH_LEVEL', convert=lambda v: v or None, dst='LEVEL')
read_var('STICKY_PATCH', convert=str.upper, dst='STICKY')
read_var('REPORT_FQDN', convert=bool_converter)
read_var('SILENCE_ERRORS', convert=bool_converter)
read_var('FORCE_GID')
read_var('LIBCARE_DISABLED', convert=bool_converter)
read_var('BEFORE_UPDATE_COMMAND', convert=lambda v: v.strip())
read_var('AFTER_UPDATE_COMMAND', convert=lambda v: v.strip())
read_var('KMSG_OUTPUT', convert=bool_converter)
read_var('KCORE_OUTPUT_SIZE', convert=int)
read_var('USERSPACE_PATCHES', convert=lambda v: [ptch.strip().lower() for ptch in v.split(',')])
return result
def update_sysctl():
if LOAD_KCARE_SYSCTL:
if not (os.path.isfile(SYSCTL_CONFIG) and os.access(SYSCTL_CONFIG, os.R_OK)):
kcarelog.warning('File {0} does not exist or has no read access'.format(SYSCTL_CONFIG))
return
code, _, _ = run_command(['/sbin/sysctl', '-q', '-p', SYSCTL_CONFIG], catch_stdout=True)
if code != 0:
kcarelog.warning('Unable to load kcare sysctl.conf: {0}'.format(code))
def is_cpanel():
return os.path.isfile('/usr/local/cpanel/cpanel')
def is_secure_boot(): # mocked: py/kcarectl_tests/test_load_kmod.py
efivars_location = "/sys/firmware/efi/efivars/"
if not os.path.exists(efivars_location):
return False
for filename in os.listdir(efivars_location):
if filename.startswith('SecureBoot'):
varfile = os.path.join(efivars_location, filename)
# Get last byte
with open(varfile, 'rb') as vfd:
return vfd.read()[-1:] == b'\x01'
return False
def inside_vz_container(): # mocked: py/kcarectl_tests/test_load_kmod.py
return os.path.exists('/proc/vz/veinfo') and not os.path.exists('/proc/vz/version')
def inside_lxc_container(): # mocked: py/kcarectl_tests/test_load_kmod.py
return '/lxc/' in open('/proc/1/cgroup').read()
def inside_docker_container(): # mocked: py/kcarectl_tests/test_load_kmod.py
return os.path.isfile('/.dockerenv')
def edit_sysctl_conf(remove, append):
""" Update SYSCTL_CONFIG accordingly the edits
"""
# Create if it does not exist
if not os.path.isfile(SYSCTL_CONFIG):
open(SYSCTL_CONFIG, 'a').close()
# Check kcare sysctl path and read access
if not os.access(SYSCTL_CONFIG, os.R_OK):
kcarelog.warning('File {0} has no read access'.format(SYSCTL_CONFIG))
return
with open(SYSCTL_CONFIG, 'r+') as sysctl:
lines = sysctl.readlines()
sysctl.seek(0)
for line in lines:
# Do not rewrite lines that should be deleted
if not any(line.startswith(r) for r in remove):
sysctl.write(line)
# Write additional lines
for a in append:
sysctl.write(a + '\n')
sysctl.truncate()
def run_command(command, catch_stdout=False, catch_stderr=False, shell=False): # mocked: py/kcarectl_tests/conftest.py
stdout = subprocess.PIPE if catch_stdout else None
stderr = subprocess.PIPE if catch_stderr else None
p = subprocess.Popen(command, stdout=stdout, stderr=stderr, shell=shell)
stdout, stderr = p.communicate()
code = p.returncode
if stdout is not None:
stdout = nstr(stdout)
if stderr is not None:
stderr = nstr(stderr)
return code, stdout, stderr
def check_output(args):
_, stdout, _ = run_command(args, catch_stdout=True)
return stdout
def get_loaded_modules_uncached():
return [line.split()[0] for line in open('/proc/modules')]
def get_loaded_modules():
modules = getattr(get_loaded_modules, 'modules', None)
if modules:
return modules
get_loaded_modules.modules = get_loaded_modules_uncached()
return get_loaded_modules.modules
def detect_conflicting_modules(modules):
for module in modules:
if CONFLICTING_MODULES_RE.match(module):
raise KcareError("Detected '{0}' kernel module loaded. Please unload that module first".format(module))
def get_current_kmod_version():
kmod_version_file = '/sys/module/kcare/version'
if not os.path.exists(kmod_version_file):
return
with open(kmod_version_file, 'r') as f:
version = f.read().strip()
return version
def is_kmod_version_changed(khash, plevel):
old_version = get_current_kmod_version()
if not old_version:
return True
new_version = check_output(
['/sbin/modinfo', '-F', 'version', get_cache_path(khash, plevel, KMOD_BIN)]
).strip()
return old_version != new_version
def get_kcare_kmod_link():
return '/lib/modules/{0}/extra/kcare.ko'.format(platform.uname()[2])
def kmod_is_signed():
level = get_latest_patch_level(reason='info')
kmod_file = get_cache_path(KHASH, level, KMOD_BIN)
if not os.path.isfile(kmod_file):
return
with open(kmod_file, 'rb') as vfd:
return vfd.read()[-28:] == b'~Module signature appended~\n'
def load_kmod(kmod, **kwargs):
cmd = ['/sbin/insmod', kmod]
for key, value in kwargs.items():
cmd.append('{0}={1}'.format(key, value))
code, _, _ = run_command(cmd, catch_stdout=True)
if code != 0:
raise KcareError('Unable to load kmod ({0} {1}). Try to run with `--check-compatibility` flag.'.format(kmod, code))
def check_compatibility():
if is_secure_boot() and not kmod_is_signed():
raise KcareError('Secure boot is enabled. Not supported by KernelCare.')
if inside_vz_container() or inside_lxc_container() or inside_docker_container():
raise KcareError('You are running inside a container. Kernelcare should be executed on host side instead.')
def load_kcare_kmod(khash, level):
# To make `kdump` service work. We need to copy
# `kcare.ko` into `/lib/modules/$(uname -r)/extra/kcare.ko`
# and call `/sbin/depmod`
kcare_link = get_kcare_kmod_link()
kcare_file = get_cache_path(khash, level, KMOD_BIN)
try:
shutil.copy(kcare_file, kcare_link)
except Exception:
kcare_link = kcare_file
kmod_args = {}
if KPATCH_DEBUG:
kmod_args['kpatch_debug'] = 1
load_kmod(kcare_link, **kmod_args)
run_command(['/sbin/depmod'], catch_stdout=True, catch_stderr=True)
def unload_kmod(modname):
code, _, _ = run_command(['/sbin/rmmod', modname], catch_stdout=True)
if code != 0:
raise KcareError('Unable to unload {0} kmod {1}'.format(modname, code))
def apply_fixups(khash, current_level, modules):
loaded = []
for mod in ['vmlinux'] + modules:
modpath = get_cache_path(khash, current_level, 'fixup_{0}.ko'.format(mod))
if os.path.exists(modpath):
load_kmod(modpath)
loaded.append('fixup_{0}'.format(mod))
return loaded
def remove_fixups(fixups):
for mod in fixups:
try:
unload_kmod(mod)
except Exception: # pragma: no cover
pass
def get_freezer_style(freezer, modules):
if freezer:
method = freezer
elif PATCH_METHOD:
method = PATCH_METHOD
elif get_freezer_blacklist().intersection(modules):
# blacklist module found, use smart freezer
# xxx: this branch could be safely removed when smart would work by default
return 'freeze_conflict', freezer, PATCH_METHOD, True
else:
# user doesn't provide patch method and no conflicting modules loaded
return 'default', freezer, PATCH_METHOD, False
# non default patch method, translate it into form accepted by kpatch_ctl
patch_method_map = {
'NONE': 'freeze_none',
'NOFREEZE': 'freeze_none',
'FULL': 'freeze_all',
'FREEZE': 'freeze_all',
'SMART': 'freeze_conflict',
}
method = method.upper()
if method in patch_method_map:
method = patch_method_map[method]
else:
raise KcareError('Unable to detect freezer style ({0}, {1}, {2}, {3})'
.format(method, freezer, PATCH_METHOD, False))
return method, freezer, PATCH_METHOD, False
def kcare_load(khash, level, mode, freezer='', use_anchor=False):
state_data = {'khash': khash, 'future': level, 'mode': mode}
register_action('start', state_data)
current_level = loaded_patch_level()
modules = get_loaded_modules()
detect_conflicting_modules(modules)
# get freezer in the beginning to prevent any further job in case of exception
freezer_style = get_freezer_style(freezer, modules)
patch_file = get_cache_path(khash, level, PATCH_BIN)
save_cache_latest(khash, level)
description = '{0}-{1}:{2};{3}'.format(level, PATCH_TYPE,
_timestmap_str(), # future server_info['ltimestamp']
parse_uname(level))
kmod_loaded = 'kcare' in modules
kmod_changed = kmod_loaded and is_kmod_version_changed(khash, level)
patch_loaded = current_level is not None
same_patch = patch_loaded and is_same_patch(patch_file) and kcare_update_effective_version(description)
state_data.update({'current': current_level, 'kmod_changed': kmod_changed})
if same_patch:
register_action('done', state_data)
return
if patch_loaded:
register_action('fxp', state_data)
fixups = apply_fixups(khash, current_level, modules)
register_action('unpatch', state_data)
kpatch_ctl_unpatch(freezer_style)
register_action('unfxp', state_data)
remove_fixups(fixups)
if kmod_changed:
register_action('unload', state_data)
unload_kmod('kcare')
kmod_loaded = False
if not kmod_loaded:
register_action('load', state_data)
load_kcare_kmod(khash, level)
if use_anchor: # KCARE-509
touch_anchor()
register_action('patch', state_data)
kpatch_ctl_patch(patch_file, khash, level, description, freezer_style)
update_sysctl()
loginfo('Patch level {0} applied. Effective kernel version {1}'.format(level, kcare_uname()))
# do final actions when update is considered as successful
register_action('wait', state_data)
nohup_fork(lambda: commit_update(state_data), sleep=SUCCESS_TIMEOUT)
def kpatch_ctl_patch(patch_file, khash, level, description, freezer_style):
args = [KPATCH_CTL]
blacklist_file = get_cache_path(khash, level, BLACKLIST_FILE)
if os.path.exists(blacklist_file):
args.extend(['-b', blacklist_file])
args.extend(['patch', '-d', description])
args.extend(['-m', freezer_style[0]])
args.append(patch_file)
code, _, _ = run_command(args, catch_stdout=True)
if code != 0:
raise ApplyPatchError(code, freezer_style, level, patch_file)
def kpatch_ctl_unpatch(freezer_style):
code, _, _ = run_command([KPATCH_CTL, 'unpatch', '-m', freezer_style[0]], catch_stdout=True)
if code != 0:
raise KcareError('Error unpatching [{0}] {1}'.format(code, str(freezer_style)))
def register_action(action, state_data):
state_data['action'] = action
state_data['ts'] = int(time.time())
atomic_write(os.path.join(PATCH_CACHE, 'kcare.state'), str(state_data))
def kcare_unload(freezer=''):
current_level = loaded_patch_level()
pf = PatchFetcher(KHASH)
pf.fetch_fixups(current_level)
modules = get_loaded_modules()
freezer_style = get_freezer_style(freezer, modules)
with execute_hooks():
if 'kcare' in modules:
need_unpatch = current_level is not None
if need_unpatch:
fixups = apply_fixups(KHASH, current_level, modules)
code, _, _ = run_command([KPATCH_CTL, 'unpatch', '-m', freezer_style[0]], catch_stdout=True)
remove_fixups(fixups)
if code != 0:
raise KcareError('Error unpatching [{0}] {1}'.format(code, str(freezer_style)))
# Unload kcare module and retry once after 10 seconds if failed
retry(check_exc(KcareError), count=1, delay=10)(unload_kmod)('kcare')
try:
os.unlink(get_kcare_kmod_link())
except Exception:
pass
def kcare_info(is_json):
pli = _patch_level_info()
if is_json:
return _kcare_info_json(pli)
else:
if pli.code != 0:
return pli.msg
if pli.applied_lvl is not None:
return _patch_info()
def _kcare_info_json(pli):
result = {'message': pli.msg}
if pli.applied_lvl is not None:
result.update(data_as_dict(_patch_info()))
result.update(parse_patch_description(result.get('kpatch-description')))
result['kpatch-state'] = pli.state
return json.dumps(result)
def _patch_info():
return check_output([KPATCH_CTL, 'info'])
def data_as_dict(data):
result = {}
data = data.splitlines()
for line in data:
if line:
key, delimiter, value = line.partition(':')
if delimiter:
result[key] = value.strip()
return result
def get_patch_value(info, label):
return data_as_dict(info).get(label)
def loaded_patch_description():
if 'kcare' not in get_loaded_modules():
return None
# example: 28-:1532349972;4.4.0-128.154
# (patch level: number)-(patch type: free/extra/empty):(timestamp);(effective kernel version from kpatch.info)
return get_patch_value(_patch_info(), 'kpatch-description')
def parse_patch_description(desc):
result = {
'patch-level': None,
'patch-type': 'default',
'last-update': '',
'kernel-version': ''
}
if not desc:
return result
level_type_timestamp, _, kernel = desc.partition(';')
level_type, _, timestamp = level_type_timestamp.partition(':')
patch_level, _, patch_type = level_type.partition('-')
# need to return patch_level=None not to break old code
# TODO: refactor all loaded_patch_level() usages to work with empty string instead of None
result['patch-level'] = patch_level or None
result['patch-type'] = patch_type or 'default'
result['last-update'] = timestamp
result['kernel-version'] = kernel
return result
def loaded_patch_level(): # mocked: py/kcarectl_tests
return parse_patch_description(loaded_patch_description())['patch-level']
class PLI:
PATCH_LATEST = 0
PATCH_NEED_UPDATE = 1
PATCH_UNAVALIABLE = 2
PATCH_NOT_NEEDED = 3
def __init__(self, code, msg, remote_lvl, applied_lvl, state):
self.code = code
self.msg = msg
self.remote_lvl = remote_lvl
self.applied_lvl = applied_lvl
self.state = state
def _patch_level_info():
current_patch_level = loaded_patch_level()
try:
# this line raises UnknownKernel from the bottom of this try
new_patch_level = get_latest_patch_level(reason='info')
if current_patch_level:
if kcare_need_update(current_patch_level, new_patch_level):
code, msg, state = (
PLI.PATCH_NEED_UPDATE,
"Update available, run 'kcarectl --update'.",
'applied',
)
else:
code, msg, state = (
PLI.PATCH_LATEST,
'The latest patch is applied.',
'applied',
)
else:
# no patch applied
if new_patch_level == '0':
code, msg, state = (
PLI.PATCH_NOT_NEEDED,
"This kernel doesn't require any patches.",
'unset',
)
else:
code, msg, state = (
PLI.PATCH_NEED_UPDATE,
"No patches applied, but some are available, run 'kcarectl --update'.",
'unset',
)
info = PLI(code, msg, new_patch_level, current_patch_level, state)
except UnknownKernelException:
code = PLI.PATCH_UNAVALIABLE
if STICKY:
msg = 'Invalid sticky patch tag {0} for kernel ({1} {2}). ' \
'Please check /etc/sysconfig/kcare/kcare.conf ' \
'STICKY_PATCH settings'.format(STICKY, get_distro()[0], platform.release())
else:
msg = 'Unknown kernel ({0} {1} {2}), no patches available'.format(
get_distro()[0], platform.release(), get_kernel_hash())
info = PLI(code, msg, None, None, 'unavailable')
return info
def check_gpg_bin():
if not os.path.isfile(GPG_BIN):
raise KcareError('No {0} present. Please install gnupg'.format(GPG_BIN))
def gpg_exec(args, input=None):
""" Simple wrapper that doesn't supress stderr. Just runs GPG_BIN with args
and if it's not succeed prints stderr
"""
check_gpg_bin()
p = subprocess.Popen([GPG_BIN, ] + args,
env={'GNUPGHOME': GPG_KEY_DIR},
stderr=subprocess.PIPE,
stdin=subprocess.PIPE)
_, stderrdata = p.communicate(input=input)
if p.returncode:
logerror('Error executing command [{0} {1}]'.format(GPG_BIN, ' '.join(args)))
logerror(stderrdata)
return p.returncode
def import_gpg_key(import_key):
if not os.path.exists(GPG_KEY_DIR):
os.makedirs(GPG_KEY_DIR)
gpg_exec(['--import', import_key])
gpg_exec(['--import-ownertrust'], input=GPG_OWNER_TRUST)
def rm_serverid():
os.unlink(SYSTEMID)
def set_server_id(server_id):
with open(SYSTEMID, 'w') as f:
f.write('server_id={0}\n'.format(server_id))
def unregister(silent=False):
url = None
try:
server_id = server_id_store.get_serverid()
if server_id is None:
if not silent:
logerror('Error unregistering server: cannot find server id')
return
url = REGISTRATION_API_URL + '/unregister_server.plain?server_id={0}'.format(server_id)
response = urlopen(url)
content = nstr(response.read())
res = data_as_dict(content)
if res['success'] == 'true':
rm_serverid()
if not silent:
loginfo('Server was unregistered')
elif not silent:
logerror(content)
logerror('Error unregistering server: ' + res['message'])
except HTTPError as e:
if not silent:
print_cln_http_error(e, url)
def register_retry(url): # pragma: no cover unit
print('Register auto-retry has been enabled, the system can be registered later')
pid = os.fork()
if pid > 0:
return
os.setsid()
pid = os.fork()
import sys
if pid > 0:
sys.exit(0)
sys.stdout.flush()
si = open('/dev/null', 'r')
so = open('/dev/null', 'a+')
os.dup2(si.fileno(), sys.stdin.fileno())
os.dup2(so.fileno(), sys.stdout.fileno())
os.dup2(so.fileno(), sys.stderr.fileno())
while True:
time.sleep(60 * 60 * 2)
code, server_id = try_register(url)
if code == 0 and server_id:
set_server_id(server_id)
sys.exit(0)
def tag_server(tag):
"""
Request to tag server from ePortal. See KCARE-947 for more info
:param tag: String used to tag the server
:return: 0 on success, -1 on wrong server id, other values otherwise
"""
url = None
try:
# TODO: is it ok to send request in case when no server_id found? (machine is not registered in ePortal)
server_id = server_id_store.get_serverid()
query = urlencode([('server_id', server_id), ('tag', tag)])
url = REGISTRATION_API_URL + '/tag_server.plain?{0}'.format(query)
response = urlopen(url)
res = data_as_dict(nstr(response.read()))
return int(res['code'])
except HTTPError as e:
print_cln_http_error(e, url)
return -3
except URLError as ue:
print_cln_http_error(ue, url)
return -4
except Exception as ee:
logerror('Internal Error {0}'.format(ee))
return -5
def try_register(url):
try:
response = urlopen(url)
res = data_as_dict(nstr(response.read()))
return int(res['code']), res.get('server_id')
except (HTTPError, URLError) as e:
print_cln_http_error(e, url)
return None, None
except Exception:
return None, None
def get_hostname():
# KCARE-1165 If fqdn gathering is forced
if REPORT_FQDN:
# getaddrinfo() -> [(family, socktype, proto, canonname, sockaddr), ...]
hostname = socket.getaddrinfo(socket.gethostname(), 0, 0, 0, 0, socket.AI_CANONNAME)[0][3]
else:
hostname = platform.node()
return hostname
def register(key, retry=False):
# TODO: save key
try:
unregister(True)
except Exception:
pass
hostname = get_hostname()
query = urlencode([('hostname', hostname), ('key', key)])
url = '{0}/register_server.plain?{1}'.format(REGISTRATION_API_URL, query)
code, server_id = try_register(url)
if code == 0:
set_server_id(server_id)
loginfo('Server Registered')
return 0
elif code == 1:
logerror('Account Locked')
elif code == 2:
logerror('Invalid Key')
elif code == 3:
logerror('You have reached maximum registered servers for this key. '
'Please go to your CLN account, remove unused servers and try again.')
elif code == 4:
logerror('IP is not allowed. Please change allowed IP ranges for the key in KernelCare Key tab in CLN')
elif code == 5:
logerror('This IP was already used for trial, you cannot use it for trial again')
elif code == 6:
logerror(
'This IP was banned. Please contact support for more information at https://www.kernelcare.com/support/')
else:
logerror('Unknown Error {0}'.format(code))
if retry: # pragma: no cover
# TODO: save key to use it in case of problems and remove this
register_retry(url)
return 0
return code or -1
def kcdoctor():
doctor_url = 'https://www.cloudlinux.com/clinfo/kcdoctor.sh'
doctor_filename = KCDOCTOR
with tempfile.NamedTemporaryFile() as doctor_dst:
try:
signature = fetch_signature(doctor_url, doctor_dst.name)
save_to_file(urlopen(doctor_url), doctor_dst.name)
check_gpg_signature(doctor_dst.name, signature)
doctor_filename = doctor_dst.name
except (socket.error, HTTPError, URLError) as err:
logerror('Kcare doctor download error: {0}. Fallback to the local one.'.format(err))
code, _, stderr = run_command(['bash', doctor_filename], catch_stderr=True)
if code:
raise KcareError("Script failed with '{0}' {1}".format(stderr, code))
class ServerIdStore:
def __init__(self):
self._server_id = None
def _systemid(self):
if not os.path.exists(SYSTEMID):
return None
cp = ConfigParser()
config = FakeSecHead(open(SYSTEMID))
if PY2: # pragma: no py3 cover
cp.readfp(config)
else: # pragma: no py2 cover
cp.read_file(config)
return cp.get('asection', 'server_id')
def _im360(self):
if not os.path.exists(IM360_LICENSE_FILE):
return None
data = {}
with open(IM360_LICENSE_FILE) as f:
content = f.read()
if content:
try:
data = json.loads(content)
except Exception:
pass # we are not interested why lic file can't be parsed
return data.get('id')
def get_serverid(self):
"""Get server_id or None if not present.
Lookup order: SYSTEMID then IM360_LICENSE_FILE
"""
if not self._server_id:
self._server_id = self._systemid() or self._im360()
return self._server_id
server_id_store = ServerIdStore()
KHASH = get_kernel_hash()
def get_kernel_url(khash, *parts):
return get_patch_server_url(TEST_PREFIX, khash, *parts)
def get_patch_server_url(*parts):
return '/'.join(it.strip('/') for it in filter(None, (PATCH_SERVER,) + parts))
def check_new_kc_version():
url = get_patch_server_url('{0}-new-version'.format(EFFECTIVE_LATEST))
try:
urlopen(url)
except URLError:
return False
loginfo('A new version of the KernelCare package is available. '
'To continue to get kernel updates, please install the new version')
return True
def get_latest_patch_level(reason, policy=POLICY_REMOTE): # mocked: py/kcarectl_tests/test_patch_level_info.py
"""
Get patch level to apply.
:param reason: what was the source of request (update, info etc.)
:param policy: REMOTE -- get latest patch_level from patchserver,
LOCAL -- use cached latest,
LOCAL_FIRST -- if cached level is None get latest from patchserver, use cache otherwise
:return: patch_level string
"""
cached_level = get_cache_latest(KHASH)
consider_remote_ex = policy == POLICY_REMOTE or (policy == POLICY_LOCAL_FIRST and cached_level is None)
try:
remote_level = fetch_patch_level(reason)
except Exception as ex:
if consider_remote_ex:
raise
else:
kcarelog.warning('Unable to send data: {0}'.format(ex))
if policy == POLICY_REMOTE:
level = remote_level
else:
level = cached_level
if cached_level is None:
if policy == POLICY_LOCAL:
level = '0'
elif policy == POLICY_LOCAL_FIRST:
level = remote_level
else:
raise KcareError('Unknown policy, choose one of: REMOTE, LOCAL, LOCAL_FIRST')
return level
def update_patch_type(ptype):
global PATCH_TYPE
if ptype == 'edf':
# The only way user can get here if call kcarectl --set-patch-type
# we don't support this anyway and can silently ignore
return
if ptype != 'default':
PATCH_TYPE = ptype
else:
PATCH_TYPE = ''
if probe_patch(KHASH, fetch_patch_level(reason='probe'), PATCH_TYPE):
update_config('PATCH_TYPE', PATCH_TYPE)
if PATCH_TYPE == 'free' and is_cpanel():
gid = FORCE_GID or CPANEL_GID
edit_sysctl_conf(
('fs.enforce_symlinksifowner', 'fs.symlinkown_gid',),
('fs.enforce_symlinksifowner=1', 'fs.symlinkown_gid={0}'.format(gid),)
)
loginfo("'{0}' patch type selected".format(ptype))
else:
raise KcareError("'{0}' patch type is unavailable for your kernel".format(ptype))
def do_update(freezer, mode, policy=POLICY_REMOTE):
"""
:param mode: UPDATE_MODE_MANUAL, UPDATE_MODE_AUTO or UPDATE_MODE_SMART
:param policy: REMOTE -- download latest and patches from patchserver,
LOCAL -- use cached files,
LOCAL_FIRST -- download latest and patches if cached level is None, use cache in other cases
:param freezer: freezer mode
"""
if policy == POLICY_REMOTE:
check_new_kc_version()
try:
level = get_latest_patch_level(reason='update', policy=policy)
except UnknownKernelException as e:
if mode == UPDATE_MODE_AUTO and IGNORE_UNKNOWN_KERNEL:
msg = str(e)
kcarelog.warning(msg)
return
raise
current_level = loaded_patch_level()
pf = PatchFetcher(KHASH, level)
pf.fetch_patch()
if not kcare_need_update(applied_level=current_level, new_level=level):
loginfo('No updates are needed for this kernel')
return
# take into account AUTO_UPDATE config setting in case of `--auto-update` cli option
if mode != UPDATE_MODE_AUTO or AUTO_UPDATE:
with execute_hooks():
pf.fetch_fixups(current_level)
try:
kcare_load(KHASH, level, mode, freezer, use_anchor=mode == UPDATE_MODE_SMART)
finally:
# Rotate crash report dumps
clean_directory('/var/cache/kcare/dumps/', keep_n=3, pattern="kcore*.dump")
clean_directory('/var/cache/kcare/dumps/', keep_n=3, pattern="kmsg*.log")
clear_cache(KHASH, level)
"""
This is needed to support sticky keys as per
https://cloudlinux.atlassian.net/browse/KCARE-953
"""
STICKY = False
def _stickyfy(prefix, fname):
return prefix + '.' + fname
def stickyfy(file):
"""
Used to add sticky prefix to satisfy KCARE-953
:param file: name of the file to stickify
:return: stickified file.
"""
if STICKY:
if STICKY != 'KEY':
return _stickyfy(STICKY, file)
try:
server_id = server_id_store.get_serverid()
if server_id:
response = urlopen(REGISTRATION_API_URL + '/sticky_patch.plain?server_id={0}'.format(server_id))
res = data_as_dict(nstr(response.read()))
code = int(res['code'])
if code == 0:
return _stickyfy(res['prefix'], file)
if code == 1:
return file
if code == 2:
kcarelog.info('Server ID is not recognized. Please check if the server is registered')
sys.exit(-1)
kcarelog.info('Error: ' + res['message'])
sys.exit(-3)
else:
kcarelog.info('Patch set to STICKY=KEY, but server is not registered with the key')
sys.exit(-4)
except HTTPError as e:
print_cln_http_error(e, e.url)
sys.exit(-5)
return file
def initialize_logging(level): # pragma: no cover
syslog_initialized = False
if os.path.exists('/dev/log'):
formatter = logging.Formatter('kcare %(levelname)s: %(message)s')
try:
handler = logging.handlers.SysLogHandler(address='/dev/log',
facility=logging.handlers.SysLogHandler.LOG_USER)
handler.setLevel(logging.INFO)
handler.setFormatter(formatter)
syslog_initialized = True
except Exception:
pass
if not syslog_initialized:
formatter = logging.Formatter('%(asctime)s %(levelname)s: %(message)s')
handler = logging.handlers.RotatingFileHandler(LOG_FILE, maxBytes=1024 ** 2, backupCount=2)
handler.setLevel(level)
handler.setFormatter(formatter)
kcarelog.addHandler(handler)
#################################
# from python 2.7.17 ssl stdlib #
#################################
def _dnsname_match(dn, hostname, max_wildcards=1): # pragma: no cover
"""Matching according to RFC 6125, section 6.4.3
http://tools.ietf.org/html/rfc6125#section-6.4.3
"""
pats = []
if not dn:
return False
pieces = dn.split(r'.')
leftmost = pieces[0]
remainder = pieces[1:]
wildcards = leftmost.count('*')
if wildcards > max_wildcards:
# Issue #17980: avoid denials of service by refusing more
# than one wildcard per fragment. A survery of established
# policy among SSL implementations showed it to be a
# reasonable choice.
raise CertificateError('too many wildcards in certificate DNS name: ' + repr(dn))
# speed up common case w/o wildcards
if not wildcards:
return dn.lower() == hostname.lower()
# RFC 6125, section 6.4.3, subitem 1.
# The client SHOULD NOT attempt to match a presented identifier in which
# the wildcard character comprises a label other than the left-most label.
if leftmost == '*':
# When '*' is a fragment by itself, it matches a non-empty dotless
# fragment.
pats.append('[^.]+')
elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
# RFC 6125, section 6.4.3, subitem 3.
# The client SHOULD NOT attempt to match a presented identifier
# where the wildcard character is embedded within an A-label or
# U-label of an internationalized domain name.
pats.append(re.escape(leftmost))
else:
# Otherwise, '*' matches any dotless string, e.g. www*
pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
# add the remaining fragments, ignore any wildcards
for frag in remainder:
pats.append(re.escape(frag))
pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
return pat.match(hostname)
# match_hostname tweaked to get dns names from pyopenssl x509 cert object
def match_hostname(cert, hostname): # pragma: no cover
san = []
for i in range(cert.get_extension_count()):
e = cert.get_extension(i)
if e.get_short_name() == 'subjectAltName':
san = [it.strip().split(':', 1) for it in str(e).split(',')]
if not cert:
raise ValueError('empty or no certificate, match_hostname needs a '
'SSL socket or SSL context with either '
'CERT_OPTIONAL or CERT_REQUIRED')
dnsnames = []
for key, value in san:
if key == 'DNS':
if _dnsname_match(value, hostname):
return
dnsnames.append(value)
if not dnsnames:
# The subject is only checked when there is no dNSName entry
# in subjectAltName
cn = cert.get_subject().commonName
if _dnsname_match(cn, hostname):
return
dnsnames.append(value)
if len(dnsnames) > 1:
raise CertificateError(
"hostname {0} doesn't match either of {1}".format(hostname, ', '.join(map(repr, dnsnames))))
elif len(dnsnames) == 1:
raise CertificateError("hostname {0} doesn't match {1}".format(hostname, dnsnames[0]))
else:
raise CertificateError('no appropriate commonName or '
'subjectAltName fields were found')
#####################
# end of ssl stdlib #
#####################
# --- {{{ libcare ---
def get_userspace_cache_path(libname, *parts):
return os.path.join(PATCH_CACHE, 'userspace', libname, *parts)
LIBNAME_MAP = {
'mysqld': 'db',
'mariadbd': 'db',
'qemu-kvm': 'qemu',
'qemu-system-x86_64': 'qemu'
}
USERSPACE_MAP = {
'db': ['mysqld', 'mariadbd'],
'qemu': ['qemu-kvm', 'qemu-system-x86_64'],
'libs': ['libc', 'libssl'],
}
def fetch_userspace_patch(libname, build_id):
prefix = TEST_PREFIX or 'main'
libname = urlquote(libname)
url = get_patch_server_url(LIBNAME_MAP.get(libname, 'u'), prefix, libname, build_id, 'latest.v1')
try:
response = urlopen_auth(url, check_license=False)
except NotFound:
# There is no latest info, so we need to clear cache for corresponding
# build_id to prevent updates by "-ctl" utility.
shutil.rmtree(get_userspace_cache_path('all', build_id), ignore_errors=True)
raise
meta = json.loads(nstr(response.read()))
plevel = str(meta['level'])
patch_path = get_userspace_cache_path('all', build_id, plevel, 'patch.tar.gz')
if not os.path.exists(patch_path):
url = get_patch_server_url(meta['patch_url'])
try:
fetch_url(url, patch_path, check_signature=USE_SIGNATURE)
except HTTPError as ex:
# No license - no access
if ex.code in (403, 401):
raise NoLibcareLicenseException('KC+ licence is required')
raise
dst = get_userspace_cache_path('all', build_id, plevel)
cmd = ['tar', 'xf', patch_path, '-C', dst, '--no-same-owner']
code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
if code:
raise KcareError("Patches unpacking error: '{0}' '{1}' {2}".format(stderr, stdout, code))
link_name = get_userspace_cache_path('all', build_id, 'latest')
if not os.path.islink(link_name) and os.path.isdir(link_name):
shutil.rmtree(link_name)
os.symlink(plevel, link_name + '.tmp')
os.rename(link_name + '.tmp', link_name)
def unsupported_if_not_found(clbl):
def wrapper(*args, **kwargs):
try:
return clbl(*args, **kwargs)
except OSError as err:
if err.errno == errno.ENOENT:
raise KcareError('Unsupported Linux distribution')
raise # pragma: no cover unit
return wrapper
@unsupported_if_not_found
def _libcare_info():
code, info, stderr = run_command([LIBCARE_CLIENT, 'info', '-j'], catch_stdout=True, catch_stderr=True)
if code:
raise KcareError("Gathering userspace libraries info error: '{0}' {1}".format(stderr, code))
result = []
for line in info.split('\n'):
if line:
try:
result.append(json.loads(line))
except ValueError:
# We have to do that because socket's output isn't separated to stderr and stdout
# so there are chances that will be non-json lines
pass
# FIXME: remove that libe when library names will be separated to lower
# level from process name and pid
result = [{'comm': line.pop('comm'), 'pid': line.pop('pid'), 'libs': line} for line in result]
# Filter libs whithout patchlvl
for line in result:
line['libs'] = dict((k, v) for k, v in line['libs'].items() if 'patchlvl' in v)
return result
def _libcare_patch_info():
info = _libcare_info()
patches = set()
for rec in info:
for _, data in rec['libs'].items():
patches.add((data['buildid'], data['patchlvl']))
result = []
for build_id, patchlvl in patches:
patch_info_filename = get_userspace_cache_path('all', build_id, str(patchlvl), 'info.json')
if os.path.isfile(patch_info_filename):
with open(patch_info_filename, 'r') as fd:
result.append(json.load(fd))
return result
def libcare_patch_info():
result = _libcare_patch_info()
if not result:
logerror("No patched processes.")
return json.dumps({'result': result})
def libcare_info():
result = _libcare_info()
if not result:
logerror("No patched processes.")
return json.dumps({'result': result})
def _libcare_version():
result = {}
for rec in _libcare_patch_info():
result[rec.get('package')] = rec.get('latest-version', '')
return result
def libcare_version(libname):
for package, version in _libcare_version().items():
if libname.startswith(package):
return version
return ''
@unsupported_if_not_found
def libcare_patch_all():
cmd = [LIBCARE_CLIENT, 'update']
code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
if code:
raise KcareError("Userspace patch applying error: '{0}' '{1}' {2}".format(stdout, stderr, code))
def refresh_applied_patches_list(clbl):
def save_current_state():
''' KPT-1543 Save info about applyed patches
'''
content = ''
try:
content = '\n'.join([' '.join(rec) for rec in _libcare_version().items()])
finally:
atomic_write(LIBCARE_PATCHES, content)
def wrapper(*args, **kwargs):
try:
return clbl(*args, **kwargs)
finally:
save_current_state()
return wrapper
@refresh_applied_patches_list
@unsupported_if_not_found
def libcare_unload():
cmd = [LIBCARE_CLIENT, 'unload']
code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
if code:
raise KcareError("Userspace patch unloading error: '{0}' '{1}' {2}".format(stdout, stderr, code))
@unsupported_if_not_found
def get_userspace_processes(patched=False, limit=None):
""" Gather build snapshots for current userspace packages
"""
regexp = '|'.join("({0})".format(proc) for proc in limit or [])
cmd = [LIBCARE_CLIENT, 'info', '-j']
if not patched:
cmd += ['-l', '-r', regexp]
code, info, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
if code:
raise KcareError("Gathering userspace libraries info error: '{0}' {1}".format(stderr, code))
data = {}
for line in info.split('\n'):
if line:
try:
line_data = json.loads(line)
except ValueError:
# We have to do that because socket's output isn't separated to stderr and stdout
# so there are chances that will be non-json lines
continue
pid = line_data.pop('pid')
comm = line_data.pop('comm')
process = tuple([pid, comm])
for libname, buildid in line_data.items():
lib = tuple([libname, buildid['buildid']])
if lib not in data:
data[lib] = []
data[lib].append(process)
return data
def is_selinux_enabled():
try:
code, _, _ = run_command(['/usr/sbin/selinuxenabled'])
except OSError as err:
if err.errno == errno.ENOENT:
return False
raise # pragma: no cover unit
return code == 0
def is_selinux_module_present(semodule_name):
code, out, err = run_command(['/usr/sbin/semodule', '-l'], catch_stdout=True)
if code:
raise KcareError("SELinux modules list gathering error: '{0}' {1}".format(err, code))
for line in out.split('\n'):
if semodule_name in line:
return True
return False
def skip_if_no_selinux_module(clbl):
def wrapper(*args, **kwargs):
if is_selinux_enabled() and not is_selinux_module_present('libcare'):
raise KcareError('SELinux is enabled and kernelcare-selinux is not installed.')
return clbl(*args, **kwargs)
return wrapper
@refresh_applied_patches_list
@skip_if_no_selinux_module
def do_userspace_update(mode=UPDATE_MODE_MANUAL, limit=None):
""" Patch userspace processes to the latest version.
"""
# Auto-update means cron-initiated run and if no
# LIB_AUTO_UPDATE flag in the config - nothing will happen.
if mode == UPDATE_MODE_AUTO and not LIB_AUTO_UPDATE:
return
if limit is None:
limit = list(USERSPACE_MAP.keys())
process_filter = []
for userspace_patch in limit:
process_filter.extend(USERSPACE_MAP.get(userspace_patch, []))
if not process_filter:
loginfo('No such userspace patches: {0}'.format(limit))
return False
data = get_userspace_processes(limit=process_filter)
failed = something_found = False
for lib in data:
# Download and unpack patches
libname, build_id = lib
try:
fetch_userspace_patch(libname, build_id)
something_found = True
except NotFound:
# There is no patch for that lib
pass
except NoLibcareLicenseException:
pass
except AlreadyTrialedException:
raise
except KcareError as ex:
failed = True
logerror(str(ex))
if failed:
raise KcareError('There was an errors while patches downloading (unpacking).')
if not something_found:
loginfo('No patches were found.')
return False
try:
# Batch apply for all collected patches
libcare_patch_all()
# TODO: clear userspace cache. We need the same logic as for kernel, lets do
# it later to reduce this patch size.
except KcareError as ex:
logerror(str(ex))
raise KcareError('There was an errors while patches applying.')
# KPT-1369 Show more detailed information about what was done
result = {}
for rec in _libcare_info():
for lib, libdata in rec.get('libs', {}).items():
result[lib] = result.get(lib, 0) + 1
if not result:
# No patches were applyed
return False
for k, v in result.items():
loginfo("Shared library `{0}` was patched for {1} processes.".format(k, v))
return True
def libcare_server_started():
"""Assume that whenever the service is not running, we did not patch anything."""
if os.path.exists('/sbin/service'): # pragma: no cover
cmd = '/sbin/service'
elif os.path.exists('/usr/sbin/service'): # pragma: no cover
cmd = '/usr/sbin/service'
else: # pragma: no cover
return False
code, _, _ = run_command([cmd, 'libcare', 'status'], catch_stdout=True, catch_stderr=True)
return code == 0
# --- end libcare }}} ---
def main():
parser = ArgumentParser(description='Manage KernelCare patches for your kernel')
parser.add_argument('-i', '--info',
help='Display information about KernelCare. Use with --json parameter to get result in JSON format.',
action='store_true')
parser.add_argument('-u', '--update',
help='Download latest patches and apply them to the current kernel',
action='store_true')
parser.add_argument('--unload',
help='Unload patches',
action='store_true')
parser.add_argument('--smart-update',
help='Patch kernel based on UPDATE POLICY settings',
action='store_true')
parser.add_argument('--auto-update',
help='Check if update is available, if so -- update',
action='store_true')
parser.add_argument('--local',
help='Update from a server local directory; accepts a path where patches are located',
metavar='PATH')
parser.add_argument('--patch-info',
help='Return the list of applied patches',
action='store_true')
parser.add_argument('--freezer',
help='Freezer type: full (default), smart, none',
metavar='freezer')
parser.add_argument('--nofreeze',
help="[deprecated] Don't freeze tasks before patching",
action='store_true')
parser.add_argument('--force',
help='[deprecated] When used with update, '
'forces applying the patch even if unable to freeze some threads',
action='store_true')
parser.add_argument('--uname',
help='Return safe kernel version',
action='store_true')
parser.add_argument('--license-info',
help='Return current license info',
action='store_true')
parser.add_argument('--import-key',
help='Import gpg key', metavar='PATH')
parser.add_argument('--register',
help='Register using KernelCare Key',
metavar='KEY')
parser.add_argument('--register-autoretry',
help='Retry registering indefinitely if failed on the first attempt',
action='store_true')
parser.add_argument('--unregister',
help='Unregister from KernelCare (for key-based servers only)',
action='store_true')
parser.add_argument('--check',
help='Check if new update available',
action='store_true')
parser.add_argument('--latest-patch-info',
help='Return patch info for the latest available patch. '
'Use with --json parameter to get result in JSON format.',
action='store_true')
parser.add_argument('--test',
help='[deprecated] Use --prefix=test instead',
action='store_true')
parser.add_argument('--tag',
help='Tag server with custom metadata, for ePortal users only',
metavar='TAG')
parser.add_argument('--prefix',
help='Patch source prefix used to test different builds '
'by downloading builds from different locations based on prefix',
metavar='PREFIX')
parser.add_argument('--nosignature',
help='Do not check signature',
action='store_true')
parser.add_argument('--set-monitoring-key',
help='Set monitoring key for IP based licenses. 16 to 32 characters, alphanumeric only',
metavar='KEY')
parser.add_argument('--doctor',
help='Submits a vitals report to CloudLinux for analysis and bug-fixes',
action='store_true')
parser.add_argument('--enable-auto-update',
help='Enable auto updates',
action='store_true')
parser.add_argument('--disable-auto-update',
help='Disable auto updates',
action='store_true')
parser.add_argument('--plugin-info',
help='Provides the information shown in control panel plugins for KernelCare. '
'Use with --json parameter to get result in JSON format.',
action='store_true')
parser.add_argument('--json',
help="Return '--plugin-info', '--latest-patch-info', "
"'--patch-info' and '--info' results in JSON format",
action='store_true')
parser.add_argument('--version',
help='Return the current version of KernelCare',
action='store_true')
parser.add_argument('--kpatch-debug',
help='Enable the debug mode',
action='store_true')
parser.add_argument('--no-check-cert',
help='Disable the patch server SSL certificates checking',
action='store_true')
parser.add_argument('--set-patch-level',
help='Set patch level to be applied. To select latest patch level set -1',
action='store', type=int, default=None, required=False)
parser.add_argument('--check-compatibility',
help='Check compatibility.', action='store_true')
exclusive_group = parser.add_mutually_exclusive_group()
exclusive_group.add_argument('--set-patch-type',
help="Set patch type feed. To select default feed use 'default' option",
action='store')
exclusive_group.add_argument('--edf-enabled',
help='Enable exploit detection framework',
action='store_true')
exclusive_group.add_argument('--edf-disabled',
help='Disable exploit detection framework',
action='store_true')
parser.add_argument('--set-sticky-patch',
help='Set patch to stick to date in DDMMYY format, '
'or retrieve it from KEY if set to KEY. '
'Leave empty to unstick',
action='store', default=None, required=False)
parser.add_argument('-q', '--quiet',
help='Suppress messages, provide only errors and warnings to stderr',
action='store_true',
required=False)
parser.add_argument('--has-flags', help='Check agent features')
if not LIBCARE_DISABLED:
parser.add_argument('--lib-update',
help='Download latest patches and apply them to the current userspace libraries',
action='store_true')
parser.add_argument('--lib-unload', '--userspace-unload', help='Unload userspace patches', action='store_true')
parser.add_argument('--lib-auto-update',
help='Check if update is available, if so -- update',
action='store_true')
parser.add_argument('--lib-info', '--userspace-info',
help='Display information about KernelCare+.',
action='store_true')
parser.add_argument('--lib-patch-info', '--userspace-patch-info',
help='Return the list of applied userspace patches',
action='store_true')
parser.add_argument('--lib-version', '--userspace-version', help='Return safe package version',
metavar='PACKAGENAME')
parser.add_argument('--userspace-update', metavar='USERSPACE_PATCHES',
nargs='?', const="",
help='Download latest patches and apply them to the corresponding userspace processes')
parser.add_argument('--userspace-auto-update',
help='Download latest patches and apply them to the corresponding userspace processes',
action='store_true')
args = parser.parse_args()
if args.has_flags is not None:
if set(filter(None, args.has_flags.split(','))).issubset(FLAGS):
return 0
else:
return 1
globals().update(get_config_settings())
global PATCH_TYPE
# do not remove args.auto_update!
# once added to machine, kcare-cron is never changed by package update;
# old clients has no -q option in their cron,
# so auto_update default silent mode must be saved forever
if args.quiet or args.auto_update:
global PRINT_LEVEL
if SILENCE_ERRORS:
PRINT_LEVEL = PRINT_CRITICAL
else:
PRINT_LEVEL = PRINT_ERROR
if not args.uname:
if os.getuid() != 0:
print('Please run as root', file=sys.stderr)
return 1
# should be after root role check to create a log file with correct rights
initialize_logging(logging.WARNING if args.quiet else logging.INFO)
if args.set_patch_level:
global LEVEL
if args.set_patch_level >= 0:
LEVEL = str(args.set_patch_level)
update_config('PATCH_LEVEL', LEVEL)
else:
LEVEL = None
update_config('PATCH_LEVEL', '')
if args.set_sticky_patch is not None:
update_config('STICKY_PATCH', args.set_sticky_patch)
global STICKY
STICKY = args.set_sticky_patch
if args.nosignature:
global USE_SIGNATURE
USE_SIGNATURE = False
if args.no_check_cert:
global CHECK_SSL_CERTS
CHECK_SSL_CERTS = False
if args.kpatch_debug:
global KPATCH_DEBUG
KPATCH_DEBUG = True
if args.check_compatibility:
check_compatibility()
# EDF do nothing
if args.edf_enabled:
warnings.warn('Flag --edf-enabled has been deprecated and will be not '
'available in future releases.', DeprecationWarning)
elif args.edf_disabled:
if PATCH_TYPE == 'edf':
args.set_patch_type = ('' if PREV_PATCH_TYPE == 'edf' else PREV_PATCH_TYPE) or 'default'
args.update = True
global TEST_PREFIX
if args.prefix:
TEST_PREFIX = args.prefix
if args.test:
warnings.warn('Flag --test has been deprecated and will be not '
'available in future releases.', DeprecationWarning)
TEST_PREFIX = 'test'
TEST_PREFIX = TEST_PREFIX.strip('/')
if TEST_PREFIX and TEST_PREFIX not in EXPECTED_PREFIX:
kcarelog.warning('Prefix `{0}` is not in expected one {1}.'.format(
TEST_PREFIX, ' '.join(EXPECTED_PREFIX)))
if args.local:
global UPDATE_FROM_LOCAL
UPDATE_FROM_LOCAL = True
global PATCH_SERVER
PATCH_SERVER = 'file:' + args.local
if args.set_patch_type:
update_patch_type(args.set_patch_type)
if PATCH_TYPE == 'edf':
PATCH_TYPE = edf_fallback_ptype()
warnings.warn(
'edf patches are deprecated. Fallback to {0}'.format(
PATCH_TYPE or 'default'),
DeprecationWarning)
apply_ptype(PATCH_TYPE)
if args.doctor:
kcdoctor()
return
if args.plugin_info:
if args.json:
plugin_info(fmt='json')
else:
plugin_info()
return
if args.enable_auto_update:
update_config('AUTO_UPDATE', 'YES')
return
if args.disable_auto_update:
update_config('AUTO_UPDATE', 'NO')
return
if args.set_monitoring_key:
return set_monitoring_key_for_ip_license(args.set_monitoring_key)
if args.unregister:
unregister()
if args.register:
if PATCH_TYPE == 'free':
update_config('PATCH_TYPE', 'extra')
return register(args.register, args.register_autoretry)
if args.license_info:
# license_info returns zero if no valid license found and non-zero otherwise
if license_info() != 0:
return 0
else:
return 1
if args.tag is not None:
return tag_server(args.tag)
if args.version:
print(VERSION)
if not LIBCARE_DISABLED:
if args.lib_update:
if do_userspace_update():
loginfo('Userspace patches are applied.')
if args.lib_auto_update:
do_userspace_update(mode=UPDATE_MODE_AUTO)
elif args.lib_unload:
libcare_unload()
loginfo('Userspace patches are unloaded.')
if args.lib_info:
print(libcare_info())
if args.lib_patch_info:
print(libcare_patch_info())
if args.lib_version and libcare_server_started():
print(libcare_version(args.lib_version))
if args.userspace_update is not None:
if args.userspace_update == '':
# Get from config or defaults
limit = USERSPACE_PATCHES or list(USERSPACE_MAP.keys())
else:
limit = [ptch.strip().lower() for ptch in args.userspace_update.split(',')]
if do_userspace_update(limit=sorted(limit)):
loginfo('Userspace patches are applied.')
if args.userspace_auto_update:
do_userspace_update(mode=UPDATE_MODE_AUTO, limit=None)
if args.info:
print(kcare_info(is_json=args.json))
freezer = ''
if args.force or args.nofreeze:
warnings.warn('Flags --force and --nofreeze have been deprecated and will be not '
'available in future releases.', DeprecationWarning)
freezer = 'none'
if args.freezer:
freezer = args.freezer
if args.smart_update:
do_update(freezer, mode=UPDATE_MODE_SMART, policy=UPDATE_POLICY)
if args.update:
do_update(freezer, mode=UPDATE_MODE_MANUAL)
loginfo('Kernel is safe')
if args.uname:
print(kcare_uname())
if args.unload:
kcare_unload(freezer)
loginfo('KernelCare protection disabled. Your kernel might not be safe')
if args.auto_update:
global CHECK_CLN_LICENSE_STATUS
CHECK_CLN_LICENSE_STATUS = False
# wait to prevent spikes at the beginning of each minute KPT-1874
time.sleep(random.randint(0, 30))
do_update(freezer, mode=UPDATE_MODE_AUTO)
if args.patch_info:
patch_info(is_json=args.json)
if args.latest_patch_info:
kcare_latest_patch_info(is_json=args.json)
if args.import_key:
import_gpg_key(args.import_key)
if args.check:
kcare_check()
if __name__ == '__main__': # pragma: no cover unit
try:
sys.exit(main())
except URLError as err:
logerror('{0}: {1}'.format(err, getattr(err, 'url', 'unknown')))
except KcareError as err:
logerror(str(err))
sys.exit(1)
except Exception as err:
logexc(err)