|
 |
3012c9 |
From 999f2f8b4dc7d258679daf8c3f13d9b317ff4435 Mon Sep 17 00:00:00 2001
|
|
|
3012c9 |
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
|
|
|
3012c9 |
Date: Thu, 7 Apr 2022 13:11:12 +0200
|
|
|
3012c9 |
Subject: [PATCH] all agents: unify ssl parameters to avoid having to use --ssl
|
|
|
3012c9 |
when using --ssl-secure/--ssl-insecure for some agents
|
|
|
3012c9 |
|
|
|
3012c9 |
THIS MIGHT BREAK SETUPS USING fence_docker or fence_pve!
|
|
|
3012c9 |
---
|
|
|
3012c9 |
agents/cisco_ucs/fence_cisco_ucs.py | 9 +++++----
|
|
|
3012c9 |
agents/docker/fence_docker.py | 9 ++++++---
|
|
|
3012c9 |
agents/ibmz/fence_ibmz.py | 4 ++--
|
|
|
3012c9 |
agents/rhevm/fence_rhevm.py | 8 ++++----
|
|
|
3012c9 |
agents/skalar/fence_skalar.py | 2 +-
|
|
|
3012c9 |
agents/vmware_rest/fence_vmware_rest.py | 8 ++++----
|
|
|
3012c9 |
agents/vmware_soap/fence_vmware_soap.py | 2 +-
|
|
|
3012c9 |
agents/vmware_vcloud/fence_vmware_vcloud.py | 4 ++--
|
|
|
3012c9 |
agents/zvm/fence_zvmip.py | 8 +++++---
|
|
|
3012c9 |
lib/fencing.py.py | 6 ++++++
|
|
|
3012c9 |
tests/data/metadata/fence_docker.xml | 4 ++--
|
|
|
3012c9 |
13 files changed, 64 insertions(+), 31 deletions(-)
|
|
|
3012c9 |
|
|
|
3012c9 |
diff --git a/agents/cisco_ucs/fence_cisco_ucs.py b/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
3012c9 |
index 2280dbbc7..b85379a73 100644
|
|
|
3012c9 |
--- a/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
3012c9 |
+++ b/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
3012c9 |
@@ -99,7 +99,7 @@ def get_list(conn, options):
|
|
|
3012c9 |
|
|
|
3012c9 |
def send_command(opt, command, timeout):
|
|
|
3012c9 |
## setup correct URL
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ if "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
url = "https:"
|
|
|
3012c9 |
else:
|
|
|
3012c9 |
url = "http:"
|
|
|
3012c9 |
@@ -114,13 +114,14 @@ def send_command(opt, command, timeout):
|
|
|
3012c9 |
conn.setopt(pycurl.POSTFIELDS, command.encode("ascii"))
|
|
|
3012c9 |
conn.setopt(pycurl.WRITEFUNCTION, web_buffer.write)
|
|
|
3012c9 |
conn.setopt(pycurl.TIMEOUT, timeout)
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt:
|
|
|
3012c9 |
+
|
|
|
3012c9 |
+ if "--ssl-secure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
3012c9 |
-
|
|
|
3012c9 |
- if "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ elif "--ssl-insecure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
3012c9 |
+
|
|
|
3012c9 |
conn.perform()
|
|
|
3012c9 |
result = web_buffer.getvalue().decode()
|
|
|
3012c9 |
|
|
|
3012c9 |
diff --git a/agents/docker/fence_docker.py b/agents/docker/fence_docker.py
|
|
|
3012c9 |
index fef87da86..004402518 100644
|
|
|
3012c9 |
--- a/agents/docker/fence_docker.py
|
|
|
3012c9 |
+++ b/agents/docker/fence_docker.py
|
|
|
3012c9 |
@@ -43,7 +43,7 @@ def get_list(conn, options):
|
|
|
3012c9 |
|
|
|
3012c9 |
|
|
|
3012c9 |
def send_cmd(options, cmd, post = False):
|
|
|
3012c9 |
- url = "http%s://%s:%s/v%s/%s" % ("s" if "--ssl" in options else "", options["--ip"], options["--ipport"], options["--api-version"], cmd)
|
|
|
3012c9 |
+ url = "http%s://%s:%s/v%s/%s" % ("s" if "--ssl-secure" in options or "--ssl-insecure" in options else "", options["--ip"], options["--ipport"], options["--api-version"], cmd)
|
|
|
3012c9 |
conn = pycurl.Curl()
|
|
|
3012c9 |
output_buffer = io.BytesIO()
|
|
|
3012c9 |
if logging.getLogger().getEffectiveLevel() < logging.WARNING:
|
|
|
3012c9 |
@@ -55,7 +55,8 @@ def send_cmd(options, cmd, post = False):
|
|
|
3012c9 |
conn.setopt(pycurl.POSTFIELDSIZE, 0)
|
|
|
3012c9 |
conn.setopt(pycurl.WRITEFUNCTION, output_buffer.write)
|
|
|
3012c9 |
conn.setopt(pycurl.TIMEOUT, int(options["--shell-timeout"]))
|
|
|
3012c9 |
- if "--ssl" in options:
|
|
|
3012c9 |
+
|
|
|
3012c9 |
+ if "--ssl-secure" in options:
|
|
|
3012c9 |
if not (set(("--tlscert", "--tlskey", "--tlscacert")) <= set(options)):
|
|
|
3012c9 |
fail_usage("Failed. If --ssl option is used, You have to also \
|
|
|
3012c9 |
specify: --tlscert, --tlskey and --tlscacert")
|
|
|
3012c9 |
@@ -63,7 +64,7 @@ def send_cmd(options, cmd, post = False):
|
|
|
3012c9 |
conn.setopt(pycurl.SSLCERT, options["--tlscert"])
|
|
|
3012c9 |
conn.setopt(pycurl.SSLKEY, options["--tlskey"])
|
|
|
3012c9 |
conn.setopt(pycurl.CAINFO, options["--tlscacert"])
|
|
|
3012c9 |
- else:
|
|
|
3012c9 |
+ elif "--ssl-insecure" in options:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
3012c9 |
|
|
|
3012c9 |
@@ -136,6 +137,8 @@ def main():
|
|
|
3012c9 |
|
|
|
3012c9 |
device_opt = ["ipaddr", "no_password", "no_login", "port", "method", "web", "tlscert", "tlskey", "tlscacert", "ssl", "api_version"]
|
|
|
3012c9 |
|
|
|
3012c9 |
+ all_opt["ssl"]["default"] = "1"
|
|
|
3012c9 |
+
|
|
|
3012c9 |
options = check_input(device_opt, process_input(device_opt))
|
|
|
3012c9 |
|
|
|
3012c9 |
docs = { }
|
|
|
3012c9 |
diff --git a/agents/ibmz/fence_ibmz.py b/agents/ibmz/fence_ibmz.py
|
|
|
3012c9 |
index 47408ccf4..d477adeb9 100644
|
|
|
3012c9 |
--- a/agents/ibmz/fence_ibmz.py
|
|
|
3012c9 |
+++ b/agents/ibmz/fence_ibmz.py
|
|
|
3012c9 |
@@ -534,7 +534,7 @@ def main():
|
|
|
3012c9 |
requests_log.propagate = True
|
|
|
3012c9 |
if "--verbose" in options:
|
|
|
3012c9 |
requests_log.setLevel(logging.DEBUG)
|
|
|
3012c9 |
- if "--ssl-secure" not in options:
|
|
|
3012c9 |
+ if "--ssl-insecure" in options:
|
|
|
3012c9 |
urllib3.disable_warnings(
|
|
|
3012c9 |
category=urllib3.exceptions.InsecureRequestWarning)
|
|
|
3012c9 |
|
|
|
3012c9 |
@@ -548,7 +548,7 @@ def main():
|
|
|
3012c9 |
'connect_timeout': int(options['--connect-timeout']),
|
|
|
3012c9 |
'read_timeout': int(options['--read-timeout']),
|
|
|
3012c9 |
'port': int(options['--ipport']),
|
|
|
3012c9 |
- 'ssl_verify': bool('--ssl-secure' in options),
|
|
|
3012c9 |
+ 'ssl_verify': bool('--ssl-insecure' not in options),
|
|
|
3012c9 |
}
|
|
|
3012c9 |
try:
|
|
|
3012c9 |
conn = APIClient(hmc_address, hmc_userid, hmc_password, config)
|
|
|
3012c9 |
diff --git a/agents/rhevm/fence_rhevm.py b/agents/rhevm/fence_rhevm.py
|
|
|
3012c9 |
index 25aecbe58..5f74d06f6 100644
|
|
|
3012c9 |
--- a/agents/rhevm/fence_rhevm.py
|
|
|
3012c9 |
+++ b/agents/rhevm/fence_rhevm.py
|
|
|
3012c9 |
@@ -85,7 +85,7 @@ def send_command(opt, command, method="GET"):
|
|
|
3012c9 |
logging.debug("auto-detected API version: " + opt["--api-version"])
|
|
|
3012c9 |
|
|
|
3012c9 |
## setup correct URL
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ if "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
url = "https:"
|
|
|
3012c9 |
else:
|
|
|
3012c9 |
url = "http:"
|
|
|
3012c9 |
@@ -126,11 +126,11 @@ def send_command(opt, command, method="GET"):
|
|
|
3012c9 |
conn.setopt(pycurl.COOKIEJAR, cookie_file)
|
|
|
3012c9 |
|
|
|
3012c9 |
conn.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt:
|
|
|
3012c9 |
+
|
|
|
3012c9 |
+ if "--ssl-secure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
3012c9 |
-
|
|
|
3012c9 |
- if "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ elif "--ssl-insecure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
3012c9 |
|
|
|
3012c9 |
diff --git a/agents/skalar/fence_skalar.py b/agents/skalar/fence_skalar.py
|
|
|
3012c9 |
index 959527411..0e11d83f9 100644
|
|
|
3012c9 |
--- a/agents/skalar/fence_skalar.py
|
|
|
3012c9 |
+++ b/agents/skalar/fence_skalar.py
|
|
|
3012c9 |
@@ -200,7 +200,7 @@ def main():
|
|
|
3012c9 |
run_delay(options)
|
|
|
3012c9 |
|
|
|
3012c9 |
proto = "https://"
|
|
|
3012c9 |
- if "--ssl" in options or "--ssl-secure" in options:
|
|
|
3012c9 |
+ if "--ssl-secure" in options:
|
|
|
3012c9 |
ssl_verify = True
|
|
|
3012c9 |
elif "--ssl-insecure" in options:
|
|
|
3012c9 |
ssl_verify = False
|
|
|
3012c9 |
diff --git a/agents/vmware_rest/fence_vmware_rest.py b/agents/vmware_rest/fence_vmware_rest.py
|
|
|
3012c9 |
index e49fd5663..4b884fc62 100644
|
|
|
3012c9 |
--- a/agents/vmware_rest/fence_vmware_rest.py
|
|
|
3012c9 |
+++ b/agents/vmware_rest/fence_vmware_rest.py
|
|
|
3012c9 |
@@ -69,7 +69,7 @@ def connect(opt):
|
|
|
3012c9 |
conn = pycurl.Curl()
|
|
|
3012c9 |
|
|
|
3012c9 |
## setup correct URL
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ if "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
conn.base_url = "https:"
|
|
|
3012c9 |
else:
|
|
|
3012c9 |
conn.base_url = "http:"
|
|
|
3012c9 |
@@ -89,11 +89,11 @@ def connect(opt):
|
|
|
3012c9 |
conn.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
|
|
|
3012c9 |
|
|
|
3012c9 |
conn.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt:
|
|
|
3012c9 |
+
|
|
|
3012c9 |
+ if "--ssl-secure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
3012c9 |
-
|
|
|
3012c9 |
- if "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ elif "--ssl-insecure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
3012c9 |
|
|
|
3012c9 |
diff --git a/agents/vmware_soap/fence_vmware_soap.py b/agents/vmware_soap/fence_vmware_soap.py
|
|
|
3012c9 |
index 2cd45e0b3..51fb0f147 100644
|
|
|
3012c9 |
--- a/agents/vmware_soap/fence_vmware_soap.py
|
|
|
3012c9 |
+++ b/agents/vmware_soap/fence_vmware_soap.py
|
|
|
3012c9 |
@@ -34,7 +34,7 @@ def send(self, request):
|
|
|
3012c9 |
def soap_login(options):
|
|
|
3012c9 |
run_delay(options)
|
|
|
3012c9 |
|
|
|
3012c9 |
- if "--ssl" in options or "--ssl-secure" in options or "--ssl-insecure" in options:
|
|
|
3012c9 |
+ if "--ssl-secure" in options or "--ssl-insecure" in options:
|
|
|
3012c9 |
if "--ssl-insecure" in options:
|
|
|
3012c9 |
import ssl
|
|
|
3012c9 |
import urllib3
|
|
|
3012c9 |
diff --git a/agents/vmware_vcloud/fence_vmware_vcloud.py b/agents/vmware_vcloud/fence_vmware_vcloud.py
|
|
|
3012c9 |
index 42372a83d..7626b82bb 100644
|
|
|
3012c9 |
--- a/agents/vmware_vcloud/fence_vmware_vcloud.py
|
|
|
3012c9 |
+++ b/agents/vmware_vcloud/fence_vmware_vcloud.py
|
|
|
3012c9 |
@@ -60,7 +60,7 @@ def connect(opt):
|
|
|
3012c9 |
conn = pycurl.Curl()
|
|
|
3012c9 |
|
|
|
3012c9 |
## setup correct URL
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
+ if "--ssl-secure" in opt or "--ssl-insecure" in opt:
|
|
|
3012c9 |
conn.base_url = "https:"
|
|
|
3012c9 |
else:
|
|
|
3012c9 |
conn.base_url = "http:"
|
|
|
3012c9 |
@@ -76,7 +76,7 @@ def connect(opt):
|
|
|
3012c9 |
conn.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
|
|
|
3012c9 |
|
|
|
3012c9 |
conn.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
|
|
|
3012c9 |
- if "--ssl" in opt or "--ssl-secure" in opt:
|
|
|
3012c9 |
+ if "--ssl-secure" in opt:
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
3012c9 |
conn.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
3012c9 |
elif "--ssl-insecure" in opt:
|
|
|
3012c9 |
diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
|
|
|
3012c9 |
index e8f849eda..90ca95d45 100644
|
|
|
3012c9 |
--- a/agents/zvm/fence_zvmip.py
|
|
|
3012c9 |
+++ b/agents/zvm/fence_zvmip.py
|
|
|
3012c9 |
@@ -26,7 +26,7 @@ def open_socket(options):
|
|
|
3012c9 |
except socket.gaierror:
|
|
|
3012c9 |
fail(EC_LOGIN_DENIED)
|
|
|
3012c9 |
|
|
|
3012c9 |
- if "--ssl" in options:
|
|
|
3012c9 |
+ if "--ssl-secure" in options or "--ssl-insecure" in options:
|
|
|
3012c9 |
import ssl
|
|
|
3012c9 |
sock = socket.socket()
|
|
|
3012c9 |
sslcx = ssl.create_default_context()
|
|
|
3012c9 |
@@ -132,7 +132,7 @@ def get_list_of_images(options, command, data_as_plug):
|
|
|
3012c9 |
images = set()
|
|
|
3012c9 |
|
|
|
3012c9 |
if output_len > 3*INT4:
|
|
|
3012c9 |
- recvflag = socket.MSG_WAITALL if "--ssl" not in options else 0
|
|
|
3012c9 |
+ recvflag = socket.MSG_WAITALL if "--ssl-secure" not in options and "--ssl-insecure" not in options else 0
|
|
|
3012c9 |
array_len = struct.unpack("!i", conn.recv(INT4))[0]
|
|
|
3012c9 |
data = ""
|
|
|
3012c9 |
|
|
|
3012c9 |
@@ -182,7 +182,9 @@ def main():
|
|
|
3012c9 |
options = check_input(device_opt, process_input(device_opt), other_conditions=True)
|
|
|
3012c9 |
|
|
|
3012c9 |
if "--disable-ssl" in options or options["--ssl"] == "0":
|
|
|
3012c9 |
- del options["--ssl"]
|
|
|
3012c9 |
+ for k in ["--ssl", "--ssl-secure", "--ssl-insecure"]:
|
|
|
3012c9 |
+ if k in options:
|
|
|
3012c9 |
+ del options[k]
|
|
|
3012c9 |
|
|
|
3012c9 |
if len(options.get("--plug", "")) > 8:
|
|
|
3012c9 |
fail_usage("Failed: Name of image can not be longer than 8 characters")
|
|
|
3012c9 |
diff --git a/lib/fencing.py.py b/lib/fencing.py.py
|
|
|
3012c9 |
index 696388d55..b746ede8b 100644
|
|
|
3012c9 |
--- a/lib/fencing.py.py
|
|
|
3012c9 |
+++ b/lib/fencing.py.py
|
|
|
3012c9 |
@@ -789,6 +789,12 @@ def check_input(device_opt, opt, other_conditions = False):
|
|
|
3012c9 |
if "--password-script" in options:
|
|
|
3012c9 |
options["--password"] = os.popen(options["--password-script"]).read().rstrip()
|
|
|
3012c9 |
|
|
|
3012c9 |
+ if "--ssl-secure" in options or "--ssl-insecure" in options:
|
|
|
3012c9 |
+ options["--ssl"] = ""
|
|
|
3012c9 |
+
|
|
|
3012c9 |
+ if "--ssl" in options and "--ssl-insecure" not in options:
|
|
|
3012c9 |
+ options["--ssl-secure"] = ""
|
|
|
3012c9 |
+
|
|
|
3012c9 |
if os.environ.get("PCMK_service") == "pacemaker-fenced" and "--disable-timeout" not in options:
|
|
|
3012c9 |
options["--disable-timeout"] = "1"
|
|
|
3012c9 |
|
|
|
3012c9 |
diff --git a/tests/data/metadata/fence_docker.xml b/tests/data/metadata/fence_docker.xml
|
|
|
3012c9 |
index 723e72280..51c7c470a 100644
|
|
|
3012c9 |
--- a/tests/data/metadata/fence_docker.xml
|
|
|
3012c9 |
+++ b/tests/data/metadata/fence_docker.xml
|
|
|
3012c9 |
@@ -20,7 +20,7 @@
|
|
|
3012c9 |
</parameter>
|
|
|
3012c9 |
<parameter name="ipport" unique="0" required="0">
|
|
|
3012c9 |
<getopt mixed="-u, --ipport=[port]" />
|
|
|
3012c9 |
- <content type="integer" default="80" />
|
|
|
3012c9 |
+ <content type="integer" default="443" />
|
|
|
3012c9 |
<shortdesc lang="en">TCP/UDP port to use for connection with device</shortdesc>
|
|
|
3012c9 |
</parameter>
|
|
|
3012c9 |
<parameter name="method" unique="0" required="0">
|
|
|
3012c9 |
@@ -43,7 +43,7 @@
|
|
|
3012c9 |
</parameter>
|
|
|
3012c9 |
<parameter name="ssl" unique="0" required="0">
|
|
|
3012c9 |
<getopt mixed="-z, --ssl" />
|
|
|
3012c9 |
- <content type="boolean" />
|
|
|
3012c9 |
+ <content type="boolean" default="1" />
|
|
|
3012c9 |
<shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
|
|
|
3012c9 |
</parameter>
|
|
|
3012c9 |
<parameter name="ssl_insecure" unique="0" required="0">
|