setup-ssh 11.8 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
#!/usr/bin/python
#

# Copyright (C) 2010 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

"""Tool to setup the SSH configuration on a remote node.

This is needed before we can join the node into the cluster.

"""

27 28 29
# pylint: disable-msg=C0103
# C0103: Invalid name setup-ssh

30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131
import getpass
import logging
import paramiko
import os.path
import optparse
import sys

from ganeti import cli
from ganeti import constants
from ganeti import errors
from ganeti import netutils
from ganeti import ssh
from ganeti import utils


class RemoteCommandError(errors.GenericError):
  """Exception if remote command was not successful.

  """


def _RunRemoteCommand(transport, command):
  """Invokes and wait for the command over SSH.

  @param transport: The paramiko transport instance
  @param command: The command to be executed

  """
  chan = transport.open_session()
  chan.set_combine_stderr(True)
  output_handler = chan.makefile("r")
  chan.exec_command(command)

  result = chan.recv_exit_status()
  msg = output_handler.read()

  out_msg = "'%s' exited with status code %s, output %r" % (command, result,
                                                            msg)

  # If result is -1 (no exit status provided) we assume it was not successful
  if result:
    raise RemoteCommandError(out_msg)

  if msg:
    logging.info(out_msg)


def _InvokeDaemonUtil(transport, command):
  """Invokes daemon-util on the remote side.

  @param transport: The paramiko transport instance
  @param command: The daemon-util command to be run

  """
  _RunRemoteCommand(transport, "%s %s" % (constants.DAEMON_UTIL, command))


def _WriteSftpFile(sftp, name, perm, data):
  """SFTPs data to a remote file.

  @param sftp: A open paramiko SFTP client
  @param name: The remote file name
  @param perm: The remote file permission
  @param data: The data to write

  """
  remote_file = sftp.open(name, "w")
  try:
    sftp.chmod(name, perm)
    remote_file.write(data)
  finally:
    remote_file.close()


def SetupSSH(transport):
  """Sets the SSH up on the other side.

  @param transport: The paramiko transport instance

  """
  priv_key, pub_key, auth_keys = ssh.GetUserFiles(constants.GANETI_RUNAS)
  keyfiles = [
    (constants.SSH_HOST_DSA_PRIV, 0600),
    (constants.SSH_HOST_DSA_PUB, 0644),
    (constants.SSH_HOST_RSA_PRIV, 0600),
    (constants.SSH_HOST_RSA_PUB, 0644),
    (priv_key, 0600),
    (pub_key, 0644),
    ]

  sftp = transport.open_sftp_client()

  filemap = dict((name, (utils.ReadFile(name), perm))
                 for (name, perm) in keyfiles)

  auth_path = os.path.dirname(auth_keys)

  try:
    sftp.mkdir(auth_path, 0700)
  except IOError:
    # Sadly paramiko doesn't provide errno or similiar
    # so we can just assume that the path already exists
132
    logging.info("Path %s seems already to exist on remote node. Ignoring.",
133 134 135 136 137 138 139
                 auth_path)

  for name, (data, perm) in filemap.iteritems():
    _WriteSftpFile(sftp, name, perm, data)

  authorized_keys = sftp.open(auth_keys, "a+")
  try:
140 141 142 143 144 145 146 147
    # Due to the way SFTPFile and BufferedFile are implemented,
    # opening in a+ mode and then issuing a read(), readline() or
    # iterating over the file (which uses read() internally) will see
    # an empty file, since the paramiko internal file position and the
    # OS-level file-position are desynchronized; therefore, we issue
    # an explicit seek to resynchronize these; writes should (note
    # should) still go to the right place
    authorized_keys.seek(0, 0)
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179
    # We don't have to close, as the close happened already in AddAuthorizedKey
    utils.AddAuthorizedKey(authorized_keys, filemap[pub_key][0])
  finally:
    authorized_keys.close()

  _InvokeDaemonUtil(transport, "reload-ssh-keys")


def SetupNodeDaemon(transport):
  """Sets the node daemon up on the other side.

  @param transport: The paramiko transport instance

  """
  noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)

  sftp = transport.open_sftp_client()
  _WriteSftpFile(sftp, constants.NODED_CERT_FILE, 0400, noded_cert)

  _InvokeDaemonUtil(transport, "start %s" % constants.NODED)


def ParseOptions():
  """Parses options passed to program.

  """
  program = os.path.basename(sys.argv[0])

  parser = optparse.OptionParser(usage=("%prog [--debug|--verbose] <node>"
                                        " <node...>"), prog=program)
  parser.add_option(cli.DEBUG_OPT)
  parser.add_option(cli.VERBOSE_OPT)
180
  parser.add_option(cli.NOSSH_KEYCHECK_OPT)
181 182 183 184 185 186 187 188
  default_key = ssh.GetUserFiles(constants.GANETI_RUNAS)[0]
  parser.add_option(optparse.Option("-f", dest="private_key",
                                    default=default_key,
                                    help="The private key to (try to) use for"
                                    "authentication "))
  parser.add_option(optparse.Option("--key-type", dest="key_type",
                                    choices=("rsa", "dsa"), default="dsa",
                                    help="The private key type (rsa or dsa)"))
189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211

  (options, args) = parser.parse_args()

  return (options, args)


def SetupLogging(options):
  """Sets up the logging.

  @param options: Parsed options

  """
  fmt = "%(asctime)s: %(threadName)s "
  if options.debug or options.verbose:
    fmt += "%(levelname)s "
  fmt += "%(message)s"

  formatter = logging.Formatter(fmt)

  file_handler = logging.FileHandler(constants.LOG_SETUP_SSH)
  stderr_handler = logging.StreamHandler()
  stderr_handler.setFormatter(formatter)
  file_handler.setFormatter(formatter)
212
  file_handler.setLevel(logging.INFO)
213 214

  if options.debug:
215
    stderr_handler.setLevel(logging.DEBUG)
216 217 218
  elif options.verbose:
    stderr_handler.setLevel(logging.INFO)
  else:
219
    stderr_handler.setLevel(logging.WARNING)
220 221

  root_logger = logging.getLogger("")
222
  root_logger.setLevel(logging.NOTSET)
223 224
  root_logger.addHandler(stderr_handler)
  root_logger.addHandler(file_handler)
225 226 227

  # This is the paramiko logger instance
  paramiko_logger = logging.getLogger("paramiko")
228
  paramiko_logger.addHandler(file_handler)
229 230
  # We don't want to debug Paramiko, so filter anything below warning
  paramiko_logger.setLevel(logging.WARNING)
231 232


233 234
def LoadPrivateKeys(options):
  """Load the list of available private keys
235

236 237
  It loads the standard ssh key from disk and then tries to connect to
  the ssh agent too.
238

239 240
  @rtype: list
  @return: a list of C{paramiko.PKey}
241

242
  """
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
  if options.key_type == "rsa":
    pkclass = paramiko.RSAKey
  elif options.key_type == "dsa":
    pkclass = paramiko.DSSKey
  else:
    logging.critical("Unknown key type %s selected (choose either rsa or dsa)",
                     options.key_type)
    sys.exit(1)

  try:
    private_key = pkclass.from_private_key_file(options.private_key)
  except (paramiko.SSHException, EnvironmentError), err:
    logging.critical("Can't load private key %s: %s", options.private_key, err)
    sys.exit(1)

258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299
  try:
    agent = paramiko.Agent()
    agent_keys = agent.get_keys()
  except paramiko.SSHException, err:
    # this will only be seen when the agent is broken/uses invalid
    # protocol; for non-existing agent, get_keys() will just return an
    # empty tuple
    logging.warning("Can't connect to the ssh agent: %s; skipping its use",
                    err)
    agent_keys = []

  return [private_key] + list(agent_keys)


def LoginViaKeys(transport, username, keys):
  """Try to login on the given transport via a list of keys.

  @param transport: the transport to use
  @param username: the username to login as
  @type keys: list
  @param keys: list of C{paramiko.PKey} to use for authentication
  @rtype: boolean
  @return: True or False depending on whether the login was
      successfull or not

  """
  for private_key in keys:
    try:
      transport.auth_publickey(username, private_key)
      fpr = ":".join("%02x" % ord(i) for i in private_key.get_fingerprint())
      if isinstance(private_key, paramiko.AgentKey):
        logging.debug("Authentication via the ssh-agent key %s", fpr)
      else:
        logging.debug("Authenticated via public key %s", fpr)
      return True
    except paramiko.SSHException:
      continue
  else:
    # all keys exhausted
    return False


300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315
def LoadKnownHosts():
  """Loads the known hosts

    @return L{paramiko.util.load_host_keys} dict

  """
  homedir = utils.GetHomeDir(constants.GANETI_RUNAS)
  known_hosts = os.path.join(homedir, ".ssh", "known_hosts")

  try:
    return paramiko.util.load_host_keys(known_hosts)
  except EnvironmentError:
    # We didn't found the path, silently ignore and return an empty dict
    return {}


316 317 318 319 320 321 322 323 324 325
def main():
  """Main routine.

  """
  (options, args) = ParseOptions()

  SetupLogging(options)

  all_keys = LoadPrivateKeys(options)

326 327
  passwd = None
  username = constants.GANETI_RUNAS
328
  ssh_port = netutils.GetDaemonPort("ssh")
329
  host_keys = LoadKnownHosts()
330

331 332 333 334 335 336 337 338 339
  # Below, we need to join() the transport objects, as otherwise the
  # following happens:
  # - the main thread finishes
  # - the atexit functions run (in the main thread), and cause the
  #   logging file to be closed
  # - a tiny bit later, the transport thread is finally ending, and
  #   wants to log one more message, which fails as the file is closed
  #   now

340
  for host in args:
341
    transport = paramiko.Transport((host, ssh_port))
342
    transport.start_client()
343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364
    server_key = transport.get_remote_server_key()
    keytype = server_key.get_name()

    our_server_key = host_keys.get(host, {}).get(keytype, None)
    if options.ssh_key_check:
      if not our_server_key:
        hexified_key = ssh.FormatParamikoFingerprint(
            server_key.get_fingerprint())
        msg = ("Unable to verify hostkey of host %s: %s. Do you want to accept"
               " it?" % (host, hexified_key))

        if cli.AskUser(msg):
          our_server_key = server_key

      if our_server_key != server_key:
        logging.error("Unable to verify identity of host. Aborting")
        transport.close()
        transport.join()
        # TODO: Run over all hosts, fetch the keys and let them verify from the
        #       user beforehand then proceed with actual work later on
        raise paramiko.SSHException("Unable to verify identity of host")

365
    try:
366
      if LoginViaKeys(transport, username, all_keys):
367
        logging.info("Authenticated to %s via public key", host)
368
      else:
369 370 371 372 373 374 375
        logging.warning("Authentication to %s via public key failed, trying"
                        " password", host)
        if passwd is None:
          passwd = getpass.getpass(prompt="%s password:" % username)
        transport.auth_password(username=username, password=passwd)
        logging.info("Authenticated to %s via password", host)
    except paramiko.SSHException, err:
376 377 378 379 380 381 382
      logging.error("Connection or authentication failed to host %s: %s",
                    host, err)
      transport.close()
      # this is needed for compatibility with older Paramiko or Python
      # versions
      transport.join()
      continue
383 384 385 386 387
    try:
      try:
        SetupSSH(transport)
        SetupNodeDaemon(transport)
      except errors.GenericError, err:
388 389
        logging.error("While doing setup on host %s an error occured: %s",
                      host, err)
390 391
    finally:
      transport.close()
392 393 394
      # this is needed for compatibility with older Paramiko or Python
      # versions
      transport.join()
395 396 397 398


if __name__ == "__main__":
  main()