| Dir : /proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/ |
| Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
| Dir : //proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/cloud.py |
"""
Utility functions for salt.cloud
"""
import codecs
import copy
import errno
import hashlib
import logging
import multiprocessing
import os
import re
import shlex
import shutil
import socket
import stat
import subprocess
import tempfile
import time
import traceback
import uuid
from jinja2 import Template
import salt.client
import salt.cloud
import salt.config
import salt.crypt
import salt.loader
import salt.template
import salt.utils.compat
import salt.utils.crypt
import salt.utils.data
import salt.utils.event
import salt.utils.files
import salt.utils.msgpack
import salt.utils.path
import salt.utils.platform
import salt.utils.stringutils
import salt.utils.versions
import salt.utils.vt
import salt.utils.yaml
from salt.exceptions import (
SaltCloudConfigError,
SaltCloudException,
SaltCloudExecutionFailure,
SaltCloudExecutionTimeout,
SaltCloudPasswordError,
SaltCloudSystemExit,
)
from salt.utils.nb_popen import NonBlockingPopen
from salt.utils.validate.path import is_writeable
try:
import salt.utils.smb
HAS_SMB = True
except ImportError:
HAS_SMB = False
try:
from pypsexec.client import Client as PsExecClient
from pypsexec.exceptions import SCMRException
from pypsexec.scmr import Service as ScmrService
from smbprotocol.exceptions import CannotDelete, SMBResponseException
from smbprotocol.tree import TreeConnect
logging.getLogger("smbprotocol").setLevel(logging.WARNING)
logging.getLogger("pypsexec").setLevel(logging.WARNING)
HAS_PSEXEC = True
except ImportError:
HAS_PSEXEC = False
# Set the minimum version of PyWinrm.
WINRM_MIN_VER = "0.3.0"
try:
# Verify WinRM 0.3.0 or greater
import pkg_resources # pylint: disable=3rd-party-module-not-gated
import winrm
from winrm.exceptions import WinRMTransportError
winrm_pkg = pkg_resources.get_distribution("pywinrm")
if not salt.utils.versions.compare(winrm_pkg.version, ">=", WINRM_MIN_VER):
HAS_WINRM = False
else:
HAS_WINRM = True
except ImportError:
HAS_WINRM = False
# Let's import pwd and catch the ImportError. We'll raise it if this is not
# Windows. This import has to be below where we import salt.utils.platform!
try:
import pwd
except ImportError:
if not salt.utils.platform.is_windows():
raise
try:
import getpass
HAS_GETPASS = True
except ImportError:
HAS_GETPASS = False
# This is required to support international characters in AWS EC2 tags or any
# other kind of metadata provided by particular Cloud vendor.
MSGPACK_ENCODING = "utf-8"
NSTATES = {
0: "running",
1: "rebooting",
2: "terminated",
3: "pending",
}
SSH_PASSWORD_PROMP_RE = re.compile(r"(?:.*)[Pp]assword(?: for .*)?:\ *$", re.M)
SSH_PASSWORD_PROMP_SUDO_RE = re.compile(
r"(?:.*sudo)(?:.*)[Pp]assword(?: for .*)?:", re.M
)
SERVER_ALIVE_INTERVAL = 60
SERVER_ALIVE_COUNT_MAX = 3
# Get logging started
log = logging.getLogger(__name__)
def __render_script(path, vm_=None, opts=None, minion=""):
"""
Return the rendered script
"""
log.info("Rendering deploy script: %s", path)
try:
with salt.utils.files.fopen(path, "r") as fp_:
template = Template(salt.utils.stringutils.to_unicode(fp_.read()))
return str(template.render(opts=opts, vm=vm_, minion=minion))
except AttributeError:
# Specified renderer was not found
with salt.utils.files.fopen(path, "r") as fp_:
return str(fp_.read())
def __ssh_gateway_config_dict(gateway):
"""
Return a dictionary with gateway options. The result is used
to provide arguments to __ssh_gateway_arguments method.
"""
extended_kwargs = {}
if gateway:
extended_kwargs["ssh_gateway"] = gateway["ssh_gateway"]
extended_kwargs["ssh_gateway_key"] = gateway["ssh_gateway_key"]
extended_kwargs["ssh_gateway_user"] = gateway["ssh_gateway_user"]
extended_kwargs["ssh_gateway_command"] = gateway["ssh_gateway_command"]
return extended_kwargs
def __ssh_gateway_arguments(kwargs):
"""
Return ProxyCommand configuration string for ssh/scp command.
All gateway options should not include quotes (' or "). To support
future user configuration, please make sure to update the dictionary
from __ssh_gateway_config_dict and get_ssh_gateway_config (ec2.py)
"""
extended_arguments = ""
ssh_gateway = kwargs.get("ssh_gateway", "")
ssh_gateway_port = 22
if ":" in ssh_gateway:
ssh_gateway, ssh_gateway_port = ssh_gateway.split(":")
ssh_gateway_command = kwargs.get("ssh_gateway_command", "nc -q0 %h %p")
if ssh_gateway:
ssh_gateway_port = kwargs.get("ssh_gateway_port", ssh_gateway_port)
ssh_gateway_key = (
"-i {}".format(kwargs["ssh_gateway_key"])
if "ssh_gateway_key" in kwargs
else ""
)
ssh_gateway_user = kwargs.get("ssh_gateway_user", "root")
# Setup ProxyCommand
extended_arguments = " ".join(
(
"ssh",
"-oStrictHostKeyChecking=no",
"-oServerAliveInterval={}".format(
kwargs.get("server_alive_interval", SERVER_ALIVE_INTERVAL)
),
"-oServerAliveCountMax={}".format(
kwargs.get("server_alive_count_max", SERVER_ALIVE_COUNT_MAX)
),
"-oUserKnownHostsFile=/dev/null",
"-oControlPath=none",
str(ssh_gateway_key),
f"{ssh_gateway_user}@{ssh_gateway}",
"-p",
str(ssh_gateway_port),
str(ssh_gateway_command),
)
)
log.info(
"Using SSH gateway %s@%s:%s %s",
ssh_gateway_user,
ssh_gateway,
ssh_gateway_port,
ssh_gateway_command,
)
return extended_arguments
def os_script(os_, vm_=None, opts=None, minion=""):
"""
Return the script as a string for the specific os
"""
if minion:
minion = salt_config_to_yaml(minion)
if os.path.isabs(os_):
# The user provided an absolute path to the deploy script, let's use it
return __render_script(os_, vm_, opts, minion)
if os.path.isabs(f"{os_}.sh"):
# The user provided an absolute path to the deploy script, although no
# extension was provided. Let's use it anyway.
return __render_script(f"{os_}.sh", vm_, opts, minion)
for search_path in opts["deploy_scripts_search_path"]:
if os.path.isfile(os.path.join(search_path, os_)):
return __render_script(os.path.join(search_path, os_), vm_, opts, minion)
if os.path.isfile(os.path.join(search_path, f"{os_}.sh")):
return __render_script(
os.path.join(search_path, f"{os_}.sh"), vm_, opts, minion
)
# No deploy script was found, return an empty string
return ""
def gen_keys(keysize=2048):
"""
Generate Salt minion keys and return them as PEM file strings
"""
# Mandate that keys are at least 2048 in size
if keysize < 2048:
keysize = 2048
tdir = tempfile.mkdtemp()
salt.crypt.gen_keys(tdir, "minion", keysize)
priv_path = os.path.join(tdir, "minion.pem")
pub_path = os.path.join(tdir, "minion.pub")
with salt.utils.files.fopen(priv_path) as fp_:
priv = salt.utils.stringutils.to_unicode(fp_.read())
with salt.utils.files.fopen(pub_path) as fp_:
pub = salt.utils.stringutils.to_unicode(fp_.read())
shutil.rmtree(tdir)
return priv, pub
def accept_key(pki_dir, pub, id_):
"""
If the master config was available then we will have a pki_dir key in
the opts directory, this method places the pub key in the accepted
keys dir and removes it from the unaccepted keys dir if that is the case.
"""
for key_dir in "minions", "minions_pre", "minions_rejected":
key_path = os.path.join(pki_dir, key_dir)
if not os.path.exists(key_path):
os.makedirs(key_path)
key = os.path.join(pki_dir, "minions", id_)
with salt.utils.files.fopen(key, "w+") as fp_:
fp_.write(salt.utils.stringutils.to_str(pub))
oldkey = os.path.join(pki_dir, "minions_pre", id_)
if os.path.isfile(oldkey):
with salt.utils.files.fopen(oldkey) as fp_:
if fp_.read() == pub:
os.remove(oldkey)
def remove_key(pki_dir, id_):
"""
This method removes a specified key from the accepted keys dir
"""
key = os.path.join(pki_dir, "minions", id_)
if os.path.isfile(key):
os.remove(key)
log.debug("Deleted '%s'", key)
def rename_key(pki_dir, id_, new_id):
"""
Rename a key, when an instance has also been renamed
"""
oldkey = os.path.join(pki_dir, "minions", id_)
newkey = os.path.join(pki_dir, "minions", new_id)
if os.path.isfile(oldkey):
os.rename(oldkey, newkey)
def minion_config(opts, vm_):
"""
Return a minion's configuration for the provided options and VM
"""
# Don't start with a copy of the default minion opts; they're not always
# what we need. Some default options are Null, let's set a reasonable default
minion = {
"master": "salt",
"log_level": "info",
"hash_type": "sha256",
}
# Now, let's update it to our needs
minion["id"] = vm_["name"]
master_finger = salt.config.get_cloud_config_value("master_finger", vm_, opts)
if master_finger is not None:
minion["master_finger"] = master_finger
minion.update(
# Get ANY defined minion settings, merging data, in the following order
# 1. VM config
# 2. Profile config
# 3. Global configuration
salt.config.get_cloud_config_value(
"minion", vm_, opts, default={}, search_global=True
)
)
make_master = salt.config.get_cloud_config_value("make_master", vm_, opts)
if "master" not in minion and make_master is not True:
raise SaltCloudConfigError(
"A master setting was not defined in the minion's configuration."
)
# Get ANY defined grains settings, merging data, in the following order
# 1. VM config
# 2. Profile config
# 3. Global configuration
minion.setdefault("grains", {}).update(
salt.config.get_cloud_config_value(
"grains", vm_, opts, default={}, search_global=True
)
)
return minion
def master_config(opts, vm_):
"""
Return a master's configuration for the provided options and VM
"""
# Let's get a copy of the salt master default options
master = copy.deepcopy(salt.config.DEFAULT_MASTER_OPTS)
# Some default options are Null, let's set a reasonable default
master.update(log_level="info", log_level_logfile="info", hash_type="sha256")
# Get ANY defined master setting, merging data, in the following order
# 1. VM config
# 2. Profile config
# 3. Global configuration
master.update(
salt.config.get_cloud_config_value(
"master", vm_, opts, default={}, search_global=True
)
)
return master
def salt_config_to_yaml(configuration, line_break="\n"):
"""
Return a salt configuration dictionary, master or minion, as a yaml dump
"""
return salt.utils.yaml.safe_dump(
configuration, line_break=line_break, default_flow_style=False
)
def bootstrap(vm_, opts=None):
"""
This is the primary entry point for logging into any system (POSIX or
Windows) to install Salt. It will make the decision on its own as to which
deploy function to call.
"""
if opts is None:
opts = __opts__
deploy_config = salt.config.get_cloud_config_value(
"deploy", vm_, opts, default=False
)
inline_script_config = salt.config.get_cloud_config_value(
"inline_script", vm_, opts, default=None
)
if deploy_config is False and inline_script_config is None:
return {"Error": {"No Deploy": "'deploy' is not enabled. Not deploying."}}
if vm_.get("driver") == "saltify":
saltify_driver = True
else:
saltify_driver = False
key_filename = salt.config.get_cloud_config_value(
"key_filename",
vm_,
opts,
search_global=False,
default=salt.config.get_cloud_config_value(
"ssh_keyfile", vm_, opts, search_global=False, default=None
),
)
if key_filename is not None and not os.path.isfile(key_filename):
raise SaltCloudConfigError(
f"The defined ssh_keyfile '{key_filename}' does not exist"
)
has_ssh_agent = False
if (
opts.get("ssh_agent", False)
and "SSH_AUTH_SOCK" in os.environ
and stat.S_ISSOCK(os.stat(os.environ["SSH_AUTH_SOCK"]).st_mode)
):
has_ssh_agent = True
if (
key_filename is None
and salt.config.get_cloud_config_value("password", vm_, opts, default=None)
is None
and salt.config.get_cloud_config_value("win_password", vm_, opts, default=None)
is None
and has_ssh_agent is False
):
raise SaltCloudSystemExit(
"Cannot deploy Salt in a VM if the 'key_filename' setting "
"is not set and there is no password set for the VM. "
"Check the provider docs for 'change_password' option if it "
"is supported by your provider."
)
ret = {}
minion_conf = minion_config(opts, vm_)
deploy_script_code = os_script(
salt.config.get_cloud_config_value("os", vm_, opts, default="bootstrap-salt"),
vm_,
opts,
minion_conf,
)
ssh_username = salt.config.get_cloud_config_value(
"ssh_username", vm_, opts, default="root"
)
if "file_transport" not in opts:
opts["file_transport"] = vm_.get("file_transport", "sftp")
# If we haven't generated any keys yet, do so now.
if "pub_key" not in vm_ and "priv_key" not in vm_:
log.debug("Generating keys for '%s'", vm_["name"])
vm_["priv_key"], vm_["pub_key"] = gen_keys(
salt.config.get_cloud_config_value("keysize", vm_, opts)
)
key_id = vm_.get("name")
if "append_domain" in vm_:
key_id = ".".join([key_id, vm_["append_domain"]])
accept_key(opts["pki_dir"], vm_["pub_key"], key_id)
if "os" not in vm_:
vm_["os"] = salt.config.get_cloud_config_value("script", vm_, opts)
# NOTE: deploy_kwargs is also used to pass inline_script variable content
# to run_inline_script function
host = salt.config.get_cloud_config_value("ssh_host", vm_, opts)
deploy_kwargs = {
"opts": opts,
"host": host,
"port": salt.config.get_cloud_config_value("ssh_port", vm_, opts, default=22),
"salt_host": vm_.get("salt_host", host),
"username": ssh_username,
"script": deploy_script_code,
"inline_script": inline_script_config,
"name": vm_["name"],
"has_ssh_agent": has_ssh_agent,
"tmp_dir": salt.config.get_cloud_config_value(
"tmp_dir", vm_, opts, default="/tmp/.saltcloud"
),
"vm_": vm_,
"start_action": opts["start_action"],
"parallel": opts["parallel"],
"sock_dir": opts["sock_dir"],
"conf_file": opts["conf_file"],
"minion_pem": vm_["priv_key"],
"minion_pub": vm_["pub_key"],
"master_sign_pub_file": salt.config.get_cloud_config_value(
"master_sign_pub_file", vm_, opts, default=None
),
"keep_tmp": opts["keep_tmp"],
"sudo": salt.config.get_cloud_config_value(
"sudo", vm_, opts, default=(ssh_username != "root")
),
"sudo_password": salt.config.get_cloud_config_value(
"sudo_password", vm_, opts, default=None
),
"tty": salt.config.get_cloud_config_value("tty", vm_, opts, default=True),
"password": salt.config.get_cloud_config_value(
"password", vm_, opts, search_global=False
),
"key_filename": key_filename,
"script_args": salt.config.get_cloud_config_value("script_args", vm_, opts),
"script_env": salt.config.get_cloud_config_value("script_env", vm_, opts),
"minion_conf": minion_conf,
"force_minion_config": salt.config.get_cloud_config_value(
"force_minion_config", vm_, opts, default=False
),
"preseed_minion_keys": vm_.get("preseed_minion_keys", None),
"display_ssh_output": salt.config.get_cloud_config_value(
"display_ssh_output", vm_, opts, default=True
),
"known_hosts_file": salt.config.get_cloud_config_value(
"known_hosts_file", vm_, opts, default="/dev/null"
),
"file_map": salt.config.get_cloud_config_value(
"file_map", vm_, opts, default=None
),
"maxtries": salt.config.get_cloud_config_value(
"wait_for_passwd_maxtries", vm_, opts, default=15
),
"preflight_cmds": salt.config.get_cloud_config_value(
"preflight_cmds", vm_, opts, default=[]
),
"cloud_grains": {
"driver": vm_["driver"],
"provider": vm_["provider"],
"profile": vm_["profile"],
},
}
inline_script_kwargs = deploy_kwargs.copy() # make a copy at this point
# forward any info about possible ssh gateway to deploy script
# as some providers need also a 'gateway' configuration
if "gateway" in vm_:
deploy_kwargs.update({"gateway": vm_["gateway"]})
# Deploy salt-master files, if necessary
if salt.config.get_cloud_config_value("make_master", vm_, opts) is True:
deploy_kwargs["make_master"] = True
deploy_kwargs["master_pub"] = vm_["master_pub"]
deploy_kwargs["master_pem"] = vm_["master_pem"]
master_conf = master_config(opts, vm_)
deploy_kwargs["master_conf"] = master_conf
if master_conf.get("syndic_master", None):
deploy_kwargs["make_syndic"] = True
deploy_kwargs["make_minion"] = salt.config.get_cloud_config_value(
"make_minion", vm_, opts, default=True
)
if saltify_driver:
deploy_kwargs["wait_for_passwd_maxtries"] = (
0 # No need to wait/retry with Saltify
)
win_installer = salt.config.get_cloud_config_value("win_installer", vm_, opts)
if win_installer:
deploy_kwargs["port"] = salt.config.get_cloud_config_value(
"smb_port", vm_, opts, default=445
)
deploy_kwargs["win_installer"] = win_installer
minion = minion_config(opts, vm_)
deploy_kwargs["master"] = minion["master"]
deploy_kwargs["username"] = salt.config.get_cloud_config_value(
"win_username", vm_, opts, default="Administrator"
)
win_pass = salt.config.get_cloud_config_value(
"win_password", vm_, opts, default=""
)
if win_pass:
deploy_kwargs["password"] = win_pass
deploy_kwargs["use_winrm"] = salt.config.get_cloud_config_value(
"use_winrm", vm_, opts, default=False
)
deploy_kwargs["winrm_port"] = salt.config.get_cloud_config_value(
"winrm_port", vm_, opts, default=5986
)
deploy_kwargs["winrm_use_ssl"] = salt.config.get_cloud_config_value(
"winrm_use_ssl", vm_, opts, default=True
)
deploy_kwargs["winrm_verify_ssl"] = salt.config.get_cloud_config_value(
"winrm_verify_ssl", vm_, opts, default=True
)
if saltify_driver:
deploy_kwargs["port_timeout"] = 1 # No need to wait/retry with Saltify
# Store what was used to the deploy the VM
event_kwargs = copy.deepcopy(deploy_kwargs)
del event_kwargs["opts"]
del event_kwargs["minion_pem"]
del event_kwargs["minion_pub"]
del event_kwargs["sudo_password"]
if "password" in event_kwargs:
del event_kwargs["password"]
ret["deploy_kwargs"] = event_kwargs
fire_event(
"event",
"executing deploy script",
"salt/cloud/{}/deploying".format(vm_["name"]),
args={"kwargs": salt.utils.data.simple_types_filter(event_kwargs)},
sock_dir=opts.get("sock_dir", os.path.join(__opts__["sock_dir"], "master")),
transport=opts.get("transport", "zeromq"),
)
if inline_script_config and deploy_config is False:
inline_script_deployed = run_inline_script(**inline_script_kwargs)
if inline_script_deployed is not False:
log.info("Inline script(s) ha(s|ve) run on %s", vm_["name"])
ret["deployed"] = False
return ret
else:
if win_installer:
deployed = deploy_windows(**deploy_kwargs)
else:
deployed = deploy_script(**deploy_kwargs)
if inline_script_config:
inline_script_deployed = run_inline_script(**inline_script_kwargs)
if inline_script_deployed is not False:
log.info("Inline script(s) ha(s|ve) run on %s", vm_["name"])
if deployed is not False:
ret["deployed"] = True
if deployed is not True:
ret.update(deployed)
log.info("Salt installed on %s", vm_["name"])
return ret
log.error("Failed to start Salt on host %s", vm_["name"])
return {
"Error": {"Not Deployed": "Failed to start Salt on host {}".format(vm_["name"])}
}
def ssh_usernames(vm_, opts, default_users=None):
"""
Return the ssh_usernames. Defaults to a built-in list of users for trying.
"""
if default_users is None:
default_users = ["root"]
usernames = salt.config.get_cloud_config_value("ssh_username", vm_, opts)
if not isinstance(usernames, list):
usernames = [usernames]
# get rid of None's or empty names
usernames = [x for x in usernames if x]
# Keep a copy of the usernames the user might have provided
initial = usernames[:]
# Add common usernames to the list to be tested
for name in default_users:
if name not in usernames:
usernames.append(name)
# Add the user provided usernames to the end of the list since enough time
# might need to pass before the remote service is available for logins and
# the proper username might have passed its iteration.
# This has detected in a CentOS 5.7 EC2 image
usernames.extend(initial)
return usernames
def wait_for_fun(fun, timeout=900, **kwargs):
"""
Wait until a function finishes, or times out
"""
start = time.time()
log.debug("Attempting function %s", fun)
trycount = 0
while True:
trycount += 1
try:
response = fun(**kwargs)
if not isinstance(response, bool):
return response
except Exception as exc: # pylint: disable=broad-except
log.debug("Caught exception in wait_for_fun: %s", exc)
time.sleep(1)
log.debug("Retrying function %s on (try %s)", fun, trycount)
if time.time() - start > timeout:
log.error("Function timed out: %s", timeout)
return False
def wait_for_port(
host,
port=22,
timeout=900,
gateway=None,
server_alive_interval=SERVER_ALIVE_INTERVAL,
server_alive_count_max=SERVER_ALIVE_COUNT_MAX,
):
"""
Wait until a connection to the specified port can be made on a specified
host. This is usually port 22 (for SSH), but in the case of Windows
installations, it might be port 445 (for psexec). It may also be an
alternate port for SSH, depending on the base image.
"""
start = time.time()
# Assign test ports because if a gateway is defined
# we first want to test the gateway before the host.
test_ssh_host = host
test_ssh_port = port
if gateway:
ssh_gateway = gateway["ssh_gateway"]
ssh_gateway_port = 22
if ":" in ssh_gateway:
ssh_gateway, ssh_gateway_port = ssh_gateway.split(":")
if "ssh_gateway_port" in gateway:
ssh_gateway_port = gateway["ssh_gateway_port"]
test_ssh_host = ssh_gateway
test_ssh_port = ssh_gateway_port
log.debug(
"Attempting connection to host %s on port %s via gateway %s on port %s",
host,
port,
ssh_gateway,
ssh_gateway_port,
)
else:
log.debug("Attempting connection to host %s on port %s", host, port)
trycount = 0
while True:
trycount += 1
try:
if socket.inet_pton(socket.AF_INET6, host):
sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
else:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except OSError:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.settimeout(5)
sock.connect((test_ssh_host, int(test_ssh_port)))
# Stop any remaining reads/writes on the socket
sock.shutdown(socket.SHUT_RDWR)
# Close it!
sock.close()
break
except OSError as exc:
log.debug("Caught exception in wait_for_port: %s", exc)
time.sleep(1)
if time.time() - start > timeout:
log.error("Port connection timed out: %s", timeout)
return False
log.debug(
"Retrying connection to %s %s on port %s (try %s)",
"gateway" if gateway else "host",
test_ssh_host,
test_ssh_port,
trycount,
)
if not gateway:
return True
# Let the user know that his gateway is good!
log.debug("Gateway %s on port %s is reachable.", test_ssh_host, test_ssh_port)
# Now we need to test the host via the gateway.
# We will use netcat on the gateway to test the port
ssh_args = []
ssh_args.extend(
[
# Don't add new hosts to the host key database
"-oStrictHostKeyChecking=no",
# make sure ssh can time out on connection lose
f"-oServerAliveInterval={server_alive_interval}",
f"-oServerAliveCountMax={server_alive_count_max}",
# Set hosts key database path to /dev/null, i.e., non-existing
"-oUserKnownHostsFile=/dev/null",
# Don't re-use the SSH connection. Less failures.
"-oControlPath=none",
]
)
# There should never be both a password and an ssh key passed in, so
if "ssh_gateway_key" in gateway:
ssh_args.extend(
[
# tell SSH to skip password authentication
"-oPasswordAuthentication=no",
"-oChallengeResponseAuthentication=no",
# Make sure public key authentication is enabled
"-oPubkeyAuthentication=yes",
# do only use the provided identity file
"-oIdentitiesOnly=yes",
# No Keyboard interaction!
"-oKbdInteractiveAuthentication=no",
# Also, specify the location of the key file
"-i {}".format(gateway["ssh_gateway_key"]),
]
)
# Netcat command testing remote port
command = f"nc -z -w5 -q0 {host} {port}"
# SSH command
pcmd = "ssh {} {}@{} -p {} {}".format(
" ".join(ssh_args),
gateway["ssh_gateway_user"],
ssh_gateway,
ssh_gateway_port,
shlex.quote("date"),
)
cmd = "ssh {} {}@{} -p {} {}".format(
" ".join(ssh_args),
gateway["ssh_gateway_user"],
ssh_gateway,
ssh_gateway_port,
shlex.quote(command),
)
log.debug("SSH command: '%s'", cmd)
kwargs = {
"display_ssh_output": False,
"password": gateway.get("ssh_gateway_password", None),
}
trycount = 0
usable_gateway = False
gateway_retries = 5
while True:
trycount += 1
# test gateway usage
if not usable_gateway:
pstatus = _exec_ssh_cmd(pcmd, allow_failure=True, **kwargs)
if pstatus == 0:
usable_gateway = True
else:
gateway_retries -= 1
log.error(
"Gateway usage seems to be broken, password error ? Tries left: %s",
gateway_retries,
)
if not gateway_retries:
raise SaltCloudExecutionFailure(
"SSH gateway is reachable but we can not login"
)
# then try to reach out the target
if usable_gateway:
status = _exec_ssh_cmd(cmd, allow_failure=True, **kwargs)
# Get the exit code of the SSH command.
# If 0 then the port is open.
if status == 0:
return True
time.sleep(1)
if time.time() - start > timeout:
log.error("Port connection timed out: %s", timeout)
return False
log.debug(
"Retrying connection to host %s on port %s "
"via gateway %s on port %s. (try %s)",
host,
port,
ssh_gateway,
ssh_gateway_port,
trycount,
)
class Client:
"""
Wrap pypsexec.client.Client to fix some stability issues:
- Set the service name from a keyword arg, this allows multiple service
instances to be created in a single process.
- Keep trying service and file deletes since they may not succeed on the
first try. Raises an exception if they do not succeed after a timeout
period.
"""
def __init__(
self,
server,
username=None,
password=None,
port=445,
encrypt=True,
service_name=None,
):
self.service_name = service_name
self._exe_file = f"{self.service_name}.exe"
self._client = PsExecClient(server, username, password, port, encrypt)
self._client._service = ScmrService(self.service_name, self._client.session)
def __enter__(self):
self.connect()
self.create_service()
return self
def __exit__(self, tb_type, tb_value, tb):
self.remove_service()
self.disconnect()
def connect(self):
return self._client.connect()
def disconnect(self):
try:
# This removes any lingering PAExec binaries
self._client.cleanup()
except CannotDelete as exc:
# We shouldn't hard crash here, so just log the error
log.debug("Exception cleaning up PAexec: %r", exc)
return self._client.disconnect()
def create_service(self):
return self._client.create_service()
def run_executable(self, *args, **kwargs):
return self._client.run_executable(*args, **kwargs)
def remove_service(self, wait_timeout=10, sleep_wait=1):
"""
Removes the PAExec service and executable that was created as part of
the create_service function. This does not remove any older executables
or services from previous runs, use cleanup() instead for that purpose.
"""
# Stops/remove the PAExec service and removes the executable
log.debug("Deleting PAExec service at the end of the process")
wait_start = time.time()
while True:
try:
self._client._service.delete()
except SCMRException as exc:
log.debug("Exception encountered while deleting service %s", repr(exc))
if time.time() - wait_start > wait_timeout:
raise exc
time.sleep(sleep_wait)
continue
break
# delete the PAExec executable
smb_tree = TreeConnect(
self._client.session,
rf"\\{self._client.connection.server_name}\ADMIN$",
)
log.info("Connecting to SMB Tree %s", smb_tree.share_name)
smb_tree.connect()
wait_start = time.time()
while True:
try:
log.info("Creating open to PAExec file with delete on close flags")
self._client._delete_file(smb_tree, self._exe_file)
except SMBResponseException as exc:
log.debug("Exception deleting file %s %s", self._exe_file, repr(exc))
if time.time() - wait_start > wait_timeout:
raise exc
time.sleep(sleep_wait)
continue
break
log.info("Disconnecting from SMB Tree %s", smb_tree.share_name)
smb_tree.disconnect()
def run_winexe_command(cmd, args, host, username, password, port=445):
"""
Run a command remotely via the winexe executable
"""
creds = f"-U '{username}%{password}' //{host}"
logging_creds = f"-U '{username}%XXX-REDACTED-XXX' //{host}"
cmd = f"winexe {creds} {cmd} {args}"
logging_cmd = f"winexe {logging_creds} {cmd} {args}"
return win_cmd(cmd, logging_command=logging_cmd)
def run_psexec_command(cmd, args, host, username, password, port=445):
"""
Run a command remotely using the psexec protocol
"""
service_name = f"PS-Exec-{uuid.uuid4()}"
with Client(
host, username, password, port=port, encrypt=False, service_name=service_name
) as client:
stdout, stderr, ret_code = client.run_executable(cmd, args)
return stdout, stderr, ret_code
def wait_for_winexe(host, port, username, password, timeout=900):
"""
Wait until winexe connection can be established.
"""
start = time.time()
log.debug("Attempting winexe connection to host %s on port %s", host, port)
try_count = 0
while True:
try_count += 1
try:
# Shell out to winexe to check %TEMP%
ret_code = run_winexe_command(
"sc", "query winexesvc", host, username, password, port
)
if ret_code == 0:
log.debug("winexe connected...")
return True
log.debug("Return code was %s", ret_code)
except OSError as exc:
log.debug("Caught exception in wait_for_winexesvc: %s", exc)
if time.time() - start > timeout:
return False
time.sleep(1)
def wait_for_psexecsvc(host, port, username, password, timeout=900):
"""
Wait until psexec connection can be established.
"""
start = time.time()
try_count = 0
while True:
try_count += 1
ret_code = 1
try:
stdout, stderr, ret_code = run_psexec_command(
"cmd.exe", "/c hostname", host, username, password, port=port
)
except Exception as exc: # pylint: disable=broad-except
log.exception("Unable to execute command")
if ret_code == 0:
log.debug("psexec connected...")
return True
if time.time() - start > timeout:
return False
log.debug(
"Retrying psexec connection to host %s on port %s (try %s)",
host,
port,
try_count,
)
time.sleep(1)
def wait_for_winrm(
host, port, username, password, timeout=900, use_ssl=True, verify=True
):
"""
Wait until WinRM connection can be established.
"""
# Ensure the winrm service is listening before attempting to connect
wait_for_port(host=host, port=port, timeout=timeout)
start = time.time()
log.debug("Attempting WinRM connection to host %s on port %s", host, port)
transport = "ssl"
if not use_ssl:
transport = "ntlm"
trycount = 0
while True:
trycount += 1
try:
winrm_kwargs = {
"target": host,
"auth": (username, password),
"transport": transport,
}
if not verify:
log.debug("SSL validation for WinRM disabled.")
winrm_kwargs["server_cert_validation"] = "ignore"
s = winrm.Session(**winrm_kwargs)
if hasattr(s.protocol, "set_timeout"):
s.protocol.set_timeout(15)
log.trace("WinRM endpoint url: %s", s.url)
r = s.run_cmd("sc query winrm")
if r.status_code == 0:
log.debug("WinRM session connected...")
return s
log.debug("Return code was %s", r.status_code)
except WinRMTransportError as exc:
log.debug("Caught exception in wait_for_winrm: %s", exc)
if time.time() - start > timeout:
log.error("WinRM connection timed out: %s", timeout)
return None
log.debug(
"Retrying WinRM connection to host %s on port %s (try %s)",
host,
port,
trycount,
)
time.sleep(1)
def validate_windows_cred_winexe(
host, username="Administrator", password=None, retries=10, retry_delay=1
):
"""
Check if the windows credentials are valid
"""
cmd = f"winexe -U '{username}%{password}' //{host} \"hostname\""
logging_cmd = "winexe -U '{}%XXX-REDACTED-XXX' //{} \"hostname\"".format(
username, host
)
for i in range(retries):
ret_code = win_cmd(cmd, logging_command=logging_cmd)
return ret_code == 0
def validate_windows_cred(
host, username="Administrator", password=None, retries=10, retry_delay=1
):
"""
Check if the windows credentials are valid
"""
for i in range(retries):
ret_code = 1
try:
stdout, stderr, ret_code = run_psexec_command(
"cmd.exe", "/c hostname", host, username, password, port=445
)
except Exception as exc: # pylint: disable=broad-except
log.exception("Exception while executing psexec")
if ret_code == 0:
break
time.sleep(retry_delay)
return ret_code == 0
def wait_for_passwd(
host,
port=22,
ssh_timeout=15,
username="root",
password=None,
key_filename=None,
maxtries=15,
trysleep=1,
display_ssh_output=True,
gateway=None,
known_hosts_file="/dev/null",
hard_timeout=None,
):
"""
Wait until ssh connection can be accessed via password or ssh key
"""
trycount = 0
while trycount < maxtries:
connectfail = False
try:
kwargs = {
"hostname": host,
"port": port,
"username": username,
"password_retries": maxtries,
"timeout": ssh_timeout,
"display_ssh_output": display_ssh_output,
"known_hosts_file": known_hosts_file,
"ssh_timeout": ssh_timeout,
"hard_timeout": hard_timeout,
}
kwargs.update(__ssh_gateway_config_dict(gateway))
if key_filename:
if not os.path.isfile(key_filename):
raise SaltCloudConfigError(
"The defined key_filename '{}' does not exist".format(
key_filename
)
)
kwargs["key_filename"] = key_filename
log.debug("Using %s as the key_filename", key_filename)
elif password:
kwargs["password"] = password
log.debug("Using password authentication")
trycount += 1
log.debug(
"Attempting to authenticate as %s (try %s of %s)",
username,
trycount,
maxtries,
)
status = root_cmd("date", tty=False, sudo=False, **kwargs)
if status != 0:
connectfail = True
if trycount < maxtries:
time.sleep(trysleep)
continue
log.error("Authentication failed: status code %s", status)
return False
if connectfail is False:
return True
return False
except SaltCloudPasswordError:
raise
except Exception: # pylint: disable=broad-except
if trycount >= maxtries:
return False
time.sleep(trysleep)
def _format_master_param(master):
"""
If the master is a list, we need to convert it to a comma delimited string
Otherwise, we just return master
"""
if isinstance(master, list):
return ",".join(master)
return master
def deploy_windows(
host,
port=445,
timeout=900,
username="Administrator",
password=None,
name=None,
sock_dir=None,
conf_file=None,
start_action=None,
parallel=False,
minion_pub=None,
minion_pem=None,
minion_conf=None,
keep_tmp=False,
script_args=None,
script_env=None,
port_timeout=15,
preseed_minion_keys=None,
win_installer=None,
master=None,
tmp_dir="C:\\salttmp",
opts=None,
master_sign_pub_file=None,
use_winrm=False,
winrm_port=5986,
winrm_use_ssl=True,
winrm_verify_ssl=True,
**kwargs,
):
"""
Copy the install files to a remote Windows box, and execute them
"""
if not isinstance(opts, dict):
opts = {}
if use_winrm and not HAS_WINRM:
log.error(
"WinRM requested but module winrm could not be imported. "
"Ensure you are using version %s or higher.",
WINRM_MIN_VER,
)
return False
starttime = time.mktime(time.localtime())
log.debug("Deploying %s at %s (Windows)", host, starttime)
log.trace("HAS_WINRM: %s, use_winrm: %s", HAS_WINRM, use_winrm)
port_available = wait_for_port(host=host, port=port, timeout=port_timeout * 60)
if not port_available:
return False
service_available = False
winrm_session = None
if HAS_WINRM and use_winrm:
winrm_session = wait_for_winrm(
host=host,
port=winrm_port,
username=username,
password=password,
timeout=port_timeout * 60,
use_ssl=winrm_use_ssl,
verify=winrm_verify_ssl,
)
if winrm_session is not None:
service_available = True
else:
service_available = wait_for_psexecsvc(
host=host,
port=port,
username=username,
password=password,
timeout=port_timeout * 60,
)
if port_available and service_available:
log.debug("SMB port %s on %s is available", port, host)
log.debug("Logging into %s:%s as %s", host, port, username)
smb_conn = salt.utils.smb.get_conn(host, username, password, port)
if smb_conn is False:
log.error("Please install smbprotocol to enable SMB functionality")
return False
salt.utils.smb.mkdirs("salttemp", conn=smb_conn)
root_dir = "ProgramData/Salt Project/Salt"
salt.utils.smb.mkdirs(f"{root_dir}/conf/pki/minion", conn=smb_conn)
root_dir = "ProgramData\\Salt Project\\Salt"
if minion_pub:
salt.utils.smb.put_str(
minion_pub,
f"{root_dir}\\conf\\pki\\minion\\minion.pub",
conn=smb_conn,
)
if minion_pem:
salt.utils.smb.put_str(
minion_pem,
f"{root_dir}\\conf\\pki\\minion\\minion.pem",
conn=smb_conn,
)
if master_sign_pub_file:
# Read master-sign.pub file
log.debug(
"Copying master_sign.pub file from %s to minion", master_sign_pub_file
)
try:
salt.utils.smb.put_file(
master_sign_pub_file,
f"{root_dir}\\conf\\pki\\minion\\master_sign.pub",
conn=smb_conn,
)
except Exception as e: # pylint: disable=broad-except
log.debug(
"Exception copying master_sign.pub file %s to minion",
master_sign_pub_file,
)
# Copy over win_installer
# win_installer refers to a file such as:
# /root/Salt-Minion-0.17.0-win32-Setup.exe
# ..which exists on the same machine as salt-cloud
comps = win_installer.split("/")
local_path = "/".join(comps[:-1])
installer = comps[-1]
salt.utils.smb.put_file(
win_installer,
f"salttemp\\{installer}",
"C$",
conn=smb_conn,
)
cmd = f"c:\\salttemp\\{installer}"
args = [
"/S",
f"/master={_format_master_param(master)}",
f"/minion-name={name}",
]
if use_winrm:
winrm_cmd(winrm_session, cmd, args)
else:
stdout, stderr, ret_code = run_psexec_command(
cmd, " ".join(args), host, username, password
)
if ret_code != 0:
raise Exception(f"Fail installer {ret_code}")
# Copy over minion_conf
if minion_conf:
if not isinstance(minion_conf, dict):
# Let's not just fail regarding this change, specially
# since we can handle it
raise DeprecationWarning(
"`salt.utils.cloud.deploy_windows` now only accepts "
"dictionaries for its `minion_conf` parameter. "
"Loading YAML..."
)
minion_grains = minion_conf.pop("grains", {})
if minion_grains:
salt.utils.smb.put_str(
salt_config_to_yaml(minion_grains, line_break="\r\n"),
f"{root_dir}\\conf\\grains",
conn=smb_conn,
)
# Add special windows minion configuration
# that must be in the minion config file
windows_minion_conf = {
"ipc_mode": minion_conf.pop("ipc_mode", "tcp"),
"pki_dir": minion_conf.pop("pki_dir", "/conf/pki/minion"),
"multiprocessing": minion_conf.pop("multiprocessing", True),
}
if master and "master" not in minion_conf:
windows_minion_conf["master"] = master
if name and "id" not in minion_conf:
windows_minion_conf["id"] = name
minion_conf = dict(minion_conf, **windows_minion_conf)
salt.utils.smb.put_str(
salt_config_to_yaml(minion_conf, line_break="\r\n"),
f"{root_dir}\\conf\\minion",
conn=smb_conn,
)
# Delete C:\salttmp\ and installer file
# Unless keep_tmp is True
if not keep_tmp:
if use_winrm:
winrm_cmd(winrm_session, "rmdir", ["/Q", "/S", "C:\\salttemp\\"])
else:
salt.utils.smb.delete_file(
f"salttemp\\{installer}", "C$", conn=smb_conn
)
salt.utils.smb.delete_directory("salttemp", "C$", conn=smb_conn)
# Shell out to psexec to ensure salt-minion service started
if use_winrm:
winrm_cmd(winrm_session, "net", ["stop", "salt-minion"])
winrm_cmd(winrm_session, "net", ["start", "salt-minion"])
else:
stdout, stderr, ret_code = run_psexec_command(
"cmd.exe", "/c net stop salt-minion", host, username, password
)
if ret_code != 0:
return False
log.debug("Run psexec: sc start salt-minion")
stdout, stderr, ret_code = run_psexec_command(
"cmd.exe", "/c net start salt-minion", host, username, password
)
if ret_code != 0:
return False
# Fire deploy action
fire_event(
"event",
f"{name} has been deployed at {host}",
f"salt/cloud/{name}/deploy_windows",
args={"name": name},
sock_dir=opts.get("sock_dir", os.path.join(__opts__["sock_dir"], "master")),
transport=opts.get("transport", "zeromq"),
)
return True
return False
def deploy_script(
host,
port=22,
timeout=900,
username="root",
password=None,
key_filename=None,
script=None,
name=None,
sock_dir=None,
provider=None,
conf_file=None,
start_action=None,
make_master=False,
master_pub=None,
master_pem=None,
master_conf=None,
minion_pub=None,
minion_pem=None,
minion_conf=None,
keep_tmp=False,
script_args=None,
script_env=None,
ssh_timeout=15,
maxtries=15,
make_syndic=False,
make_minion=True,
display_ssh_output=True,
preseed_minion_keys=None,
parallel=False,
sudo_password=None,
sudo=False,
tty=None,
vm_=None,
opts=None,
tmp_dir="/tmp/.saltcloud",
file_map=None,
master_sign_pub_file=None,
cloud_grains=None,
force_minion_config=False,
**kwargs,
):
"""
Copy a deploy script to a remote server, execute it, and remove it
"""
if not isinstance(opts, dict):
opts = {}
vm_ = vm_ or {} # if None, default to empty dict
cloud_grains = cloud_grains or {}
tmp_dir = "{}-{}".format(tmp_dir.rstrip("/"), uuid.uuid4())
deploy_command = salt.config.get_cloud_config_value(
"deploy_command", vm_, opts, default=os.path.join(tmp_dir, "deploy.sh")
)
if key_filename is not None and not os.path.isfile(key_filename):
raise SaltCloudConfigError(
f"The defined key_filename '{key_filename}' does not exist"
)
gateway = None
if "gateway" in kwargs:
gateway = kwargs["gateway"]
starttime = time.localtime()
log.debug("Deploying %s at %s", host, time.strftime("%Y-%m-%d %H:%M:%S", starttime))
known_hosts_file = kwargs.get("known_hosts_file", "/dev/null")
hard_timeout = opts.get("hard_timeout", None)
if wait_for_port(host=host, port=port, gateway=gateway):
log.debug("SSH port %s on %s is available", port, host)
if wait_for_passwd(
host,
port=port,
username=username,
password=password,
key_filename=key_filename,
ssh_timeout=ssh_timeout,
display_ssh_output=display_ssh_output,
gateway=gateway,
known_hosts_file=known_hosts_file,
maxtries=maxtries,
hard_timeout=hard_timeout,
):
log.debug("Logging into %s:%s as %s", host, port, username)
ssh_kwargs = {
"hostname": host,
"port": port,
"username": username,
"timeout": ssh_timeout,
"ssh_timeout": ssh_timeout,
"display_ssh_output": display_ssh_output,
"sudo_password": sudo_password,
"sftp": opts.get("use_sftp", False),
}
ssh_kwargs.update(__ssh_gateway_config_dict(gateway))
if key_filename:
log.debug("Using %s as the key_filename", key_filename)
ssh_kwargs["key_filename"] = key_filename
elif password and kwargs.get("has_ssh_agent", False) is False:
ssh_kwargs["password"] = password
if root_cmd(
f"test -e '{tmp_dir}'", tty, sudo, allow_failure=True, **ssh_kwargs
):
ret = root_cmd(
f"sh -c \"( mkdir -p -m 700 '{tmp_dir}' )\"",
tty,
sudo,
**ssh_kwargs,
)
if ret:
raise SaltCloudSystemExit(
f"Can't create temporary directory in {tmp_dir} !"
)
if sudo:
comps = tmp_dir.lstrip("/").rstrip("/").split("/")
if comps:
if len(comps) > 1 or comps[0] != "tmp":
ret = root_cmd(
f'chown {username} "{tmp_dir}"', tty, sudo, **ssh_kwargs
)
if ret:
raise SaltCloudSystemExit(
f"Cant set {username} ownership on {tmp_dir}"
)
if not isinstance(file_map, dict):
file_map = {}
# Copy an arbitrary group of files to the target system
remote_dirs = []
file_map_success = []
file_map_fail = []
for map_item in file_map:
local_file = map_item
remote_file = file_map[map_item]
if not os.path.exists(map_item):
log.error(
'The local file "%s" does not exist, and will not be '
'copied to "%s" on the target system',
local_file,
remote_file,
)
file_map_fail.append({local_file: remote_file})
continue
if os.path.isdir(local_file):
dir_name = os.path.basename(local_file)
remote_dir = os.path.join(os.path.dirname(remote_file), dir_name)
else:
remote_dir = os.path.dirname(remote_file)
if remote_dir not in remote_dirs:
root_cmd(f"mkdir -p '{remote_dir}'", tty, sudo, **ssh_kwargs)
if ssh_kwargs["username"] != "root":
root_cmd(
"chown {} '{}'".format(ssh_kwargs["username"], remote_dir),
tty,
sudo,
**ssh_kwargs,
)
remote_dirs.append(remote_dir)
ssh_file(opts, remote_file, kwargs=ssh_kwargs, local_file=local_file)
file_map_success.append({local_file: remote_file})
# Minion configuration
if minion_pem:
ssh_file(opts, f"{tmp_dir}/minion.pem", minion_pem, ssh_kwargs)
ret = root_cmd(
f"chmod 600 '{tmp_dir}/minion.pem'", tty, sudo, **ssh_kwargs
)
if ret:
raise SaltCloudSystemExit(
f"Can't set perms on {tmp_dir}/minion.pem"
)
if minion_pub:
ssh_file(opts, f"{tmp_dir}/minion.pub", minion_pub, ssh_kwargs)
if master_sign_pub_file:
ssh_file(
opts,
f"{tmp_dir}/master_sign.pub",
kwargs=ssh_kwargs,
local_file=master_sign_pub_file,
)
if minion_conf:
if not isinstance(minion_conf, dict):
# Let's not just fail regarding this change, specially
# since we can handle it
raise DeprecationWarning(
"`salt.utils.cloud.deploy_script now only accepts "
"dictionaries for it's `minion_conf` parameter. "
"Loading YAML..."
)
minion_grains = minion_conf.pop("grains", {})
if minion_grains:
ssh_file(
opts,
f"{tmp_dir}/grains",
salt_config_to_yaml(minion_grains),
ssh_kwargs,
)
if cloud_grains and opts.get("enable_cloud_grains", True):
minion_conf["grains"] = {"salt-cloud": cloud_grains}
ssh_file(
opts,
f"{tmp_dir}/minion",
salt_config_to_yaml(minion_conf),
ssh_kwargs,
)
# Master configuration
if master_pem:
ssh_file(opts, f"{tmp_dir}/master.pem", master_pem, ssh_kwargs)
ret = root_cmd(
f"chmod 600 '{tmp_dir}/master.pem'", tty, sudo, **ssh_kwargs
)
if ret:
raise SaltCloudSystemExit(f"Cant set perms on {tmp_dir}/master.pem")
if master_pub:
ssh_file(opts, f"{tmp_dir}/master.pub", master_pub, ssh_kwargs)
if master_conf:
if not isinstance(master_conf, dict):
# Let's not just fail regarding this change, specially
# since we can handle it
raise DeprecationWarning(
"`salt.utils.cloud.deploy_script now only accepts "
"dictionaries for it's `master_conf` parameter. "
"Loading from YAML ..."
)
ssh_file(
opts,
f"{tmp_dir}/master",
salt_config_to_yaml(master_conf),
ssh_kwargs,
)
# XXX: We need to make these paths configurable
preseed_minion_keys_tempdir = f"{tmp_dir}/preseed-minion-keys"
if preseed_minion_keys is not None:
# Create remote temp dir
ret = root_cmd(
f"mkdir '{preseed_minion_keys_tempdir}'", tty, sudo, **ssh_kwargs
)
if ret:
raise SaltCloudSystemExit(
f"Cant create {preseed_minion_keys_tempdir}"
)
ret = root_cmd(
f"chmod 700 '{preseed_minion_keys_tempdir}'",
tty,
sudo,
**ssh_kwargs,
)
if ret:
raise SaltCloudSystemExit(
f"Can't set perms on {preseed_minion_keys_tempdir}"
)
if ssh_kwargs["username"] != "root":
root_cmd(
"chown {} '{}'".format(
ssh_kwargs["username"], preseed_minion_keys_tempdir
),
tty,
sudo,
**ssh_kwargs,
)
# Copy pre-seed minion keys
for minion_id, minion_key in preseed_minion_keys.items():
rpath = os.path.join(preseed_minion_keys_tempdir, minion_id)
ssh_file(opts, rpath, minion_key, ssh_kwargs)
if ssh_kwargs["username"] != "root":
root_cmd(
f"chown -R root '{preseed_minion_keys_tempdir}'",
tty,
sudo,
**ssh_kwargs,
)
if ret:
raise SaltCloudSystemExit(
"Can't set ownership for {}".format(
preseed_minion_keys_tempdir
)
)
# Run any pre-flight commands before running deploy scripts
preflight_cmds = kwargs.get("preflight_cmds", [])
for command in preflight_cmds:
cmd_ret = root_cmd(command, tty, sudo, **ssh_kwargs)
if cmd_ret:
raise SaltCloudSystemExit(f"Pre-flight command failed: '{command}'")
# The actual deploy script
if script:
# got strange escaping issues with sudoer, going onto a
# subshell fixes that
ssh_file(opts, f"{tmp_dir}/deploy.sh", script, ssh_kwargs)
ret = root_cmd(
f"sh -c \"( chmod +x '{tmp_dir}/deploy.sh' )\";exit $?",
tty,
sudo,
**ssh_kwargs,
)
if ret:
raise SaltCloudSystemExit(f"Can't set perms on {tmp_dir}/deploy.sh")
time_used = time.mktime(time.localtime()) - time.mktime(starttime)
newtimeout = timeout - time_used
queue = None
process = None
# Consider this code experimental. It causes Salt Cloud to wait
# for the minion to check in, and then fire a startup event.
# Disabled if parallel because it doesn't work!
if start_action and not parallel:
queue = multiprocessing.Queue()
process = multiprocessing.Process(
target=check_auth,
kwargs=dict(
name=name, sock_dir=sock_dir, timeout=newtimeout, queue=queue
),
name=f"DeployScriptCheckAuth({name})",
)
log.debug("Starting new process to wait for salt-minion")
process.start()
# Run the deploy script
if script:
if "bootstrap-salt" in script:
deploy_command += f" -c '{tmp_dir}'"
if force_minion_config:
deploy_command += " -F"
if make_syndic is True:
deploy_command += " -S"
if make_master is True:
deploy_command += " -M"
if make_minion is False:
deploy_command += " -N"
if keep_tmp is True:
deploy_command += " -K"
if preseed_minion_keys is not None:
deploy_command += f" -k '{preseed_minion_keys_tempdir}'"
if script_args:
deploy_command += f" {script_args}"
if script_env:
if not isinstance(script_env, dict):
raise SaltCloudSystemExit(
"The 'script_env' configuration setting NEEDS "
"to be a dictionary not a {}".format(type(script_env))
)
environ_script_contents = ["#!/bin/sh"]
for key, value in script_env.items():
environ_script_contents.append(
"setenv {0} '{1}' >/dev/null 2>&1 || "
"export {0}='{1}'".format(key, value)
)
environ_script_contents.append(deploy_command)
# Upload our environ setter wrapper
ssh_file(
opts,
f"{tmp_dir}/environ-deploy-wrapper.sh",
"\n".join(environ_script_contents),
ssh_kwargs,
)
root_cmd(
f"chmod +x '{tmp_dir}/environ-deploy-wrapper.sh'",
tty,
sudo,
**ssh_kwargs,
)
# The deploy command is now our wrapper
deploy_command = "'{}/environ-deploy-wrapper.sh'".format(
tmp_dir,
)
if root_cmd(deploy_command, tty, sudo, **ssh_kwargs) != 0:
raise SaltCloudSystemExit(
f"Executing the command '{deploy_command}' failed"
)
log.debug("Executed command '%s'", deploy_command)
# Remove the deploy script
if not keep_tmp:
root_cmd(f"rm -f '{tmp_dir}/deploy.sh'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/deploy.sh", tmp_dir)
if script_env:
root_cmd(
f"rm -f '{tmp_dir}/environ-deploy-wrapper.sh'",
tty,
sudo,
**ssh_kwargs,
)
log.debug("Removed %s/environ-deploy-wrapper.sh", tmp_dir)
if keep_tmp:
log.debug("Not removing deployment files from %s/", tmp_dir)
else:
# Remove minion configuration
if minion_pub:
root_cmd(f"rm -f '{tmp_dir}/minion.pub'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/minion.pub", tmp_dir)
if minion_pem:
root_cmd(f"rm -f '{tmp_dir}/minion.pem'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/minion.pem", tmp_dir)
if minion_conf:
root_cmd(f"rm -f '{tmp_dir}/grains'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/grains", tmp_dir)
root_cmd(f"rm -f '{tmp_dir}/minion'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/minion", tmp_dir)
if master_sign_pub_file:
root_cmd(
f"rm -f {tmp_dir}/master_sign.pub", tty, sudo, **ssh_kwargs
)
log.debug("Removed %s/master_sign.pub", tmp_dir)
# Remove master configuration
if master_pub:
root_cmd(f"rm -f '{tmp_dir}/master.pub'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/master.pub", tmp_dir)
if master_pem:
root_cmd(f"rm -f '{tmp_dir}/master.pem'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/master.pem", tmp_dir)
if master_conf:
root_cmd(f"rm -f '{tmp_dir}/master'", tty, sudo, **ssh_kwargs)
log.debug("Removed %s/master", tmp_dir)
# Remove pre-seed keys directory
if preseed_minion_keys is not None:
root_cmd(
f"rm -rf '{preseed_minion_keys_tempdir}'",
tty,
sudo,
**ssh_kwargs,
)
log.debug("Removed %s", preseed_minion_keys_tempdir)
if start_action and not parallel:
queuereturn = queue.get()
process.join()
if queuereturn and start_action:
# client = salt.client.LocalClient(conf_file)
# output = client.cmd_iter(
# host, 'state.highstate', timeout=timeout
# )
# for line in output:
# print(line)
log.info("Executing %s on the salt-minion", start_action)
root_cmd(f"salt-call {start_action}", tty, sudo, **ssh_kwargs)
log.info("Finished executing %s on the salt-minion", start_action)
# Fire deploy action
fire_event(
"event",
f"{name} has been deployed at {host}",
f"salt/cloud/{name}/deploy_script",
args={"name": name, "host": host},
sock_dir=opts.get(
"sock_dir", os.path.join(__opts__["sock_dir"], "master")
),
transport=opts.get("transport", "zeromq"),
)
if file_map_fail or file_map_success:
return {
"File Upload Success": file_map_success,
"File Upload Failure": file_map_fail,
}
return True
return False
def run_inline_script(
host,
name=None,
port=22,
timeout=900,
username="root",
key_filename=None,
inline_script=None,
ssh_timeout=15,
display_ssh_output=True,
parallel=False,
sudo_password=None,
sudo=False,
password=None,
tty=None,
opts=None,
tmp_dir="/tmp/.saltcloud-inline_script",
**kwargs,
):
"""
Run the inline script commands, one by one
:**kwargs: catch all other things we may get but don't actually need/use
"""
gateway = None
if "gateway" in kwargs:
gateway = kwargs["gateway"]
starttime = time.mktime(time.localtime())
log.debug("Deploying %s at %s", host, starttime)
known_hosts_file = kwargs.get("known_hosts_file", "/dev/null")
if wait_for_port(host=host, port=port, gateway=gateway):
log.debug("SSH port %s on %s is available", port, host)
newtimeout = timeout - (time.mktime(time.localtime()) - starttime)
if wait_for_passwd(
host,
port=port,
username=username,
password=password,
key_filename=key_filename,
ssh_timeout=ssh_timeout,
display_ssh_output=display_ssh_output,
gateway=gateway,
known_hosts_file=known_hosts_file,
):
log.debug("Logging into %s:%s as %s", host, port, username)
newtimeout = timeout - (time.mktime(time.localtime()) - starttime)
ssh_kwargs = {
"hostname": host,
"port": port,
"username": username,
"timeout": ssh_timeout,
"display_ssh_output": display_ssh_output,
"sudo_password": sudo_password,
"sftp": opts.get("use_sftp", False),
}
ssh_kwargs.update(__ssh_gateway_config_dict(gateway))
if key_filename:
log.debug("Using %s as the key_filename", key_filename)
ssh_kwargs["key_filename"] = key_filename
elif (
password
and "has_ssh_agent" in kwargs
and kwargs["has_ssh_agent"] is False
):
ssh_kwargs["password"] = password
# TODO: write some tests ???
# TODO: check edge cases (e.g. ssh gateways, salt deploy disabled, etc.)
if (
root_cmd(
f'test -e \\"{tmp_dir}\\"',
tty,
sudo,
allow_failure=True,
**ssh_kwargs,
)
and inline_script
):
log.debug("Found inline script to execute.")
for cmd_line in inline_script:
log.info("Executing inline command: %s", cmd_line)
ret = root_cmd(
f'sh -c "( {cmd_line} )"',
tty,
sudo,
allow_failure=True,
**ssh_kwargs,
)
if ret:
log.info("[%s] Output: %s", cmd_line, ret)
# TODO: ensure we send the correct return value
return True
def filter_event(tag, data, defaults):
"""
Accept a tag, a dict and a list of default keys to return from the dict, and
check them against the cloud configuration for that tag
"""
ret = {}
keys = []
use_defaults = True
for ktag in __opts__.get("filter_events", {}):
if tag != ktag:
continue
keys = __opts__["filter_events"][ktag]["keys"]
use_defaults = __opts__["filter_events"][ktag].get("use_defaults", True)
if use_defaults is False:
defaults = []
# For PY3, if something like ".keys()" or ".values()" is used on a dictionary,
# it returns a dict_view and not a list like in PY2. "defaults" should be passed
# in with the correct data type, but don't stack-trace in case it wasn't.
if not isinstance(defaults, list):
defaults = list(defaults)
defaults = list(set(defaults + keys))
for key in defaults:
if key in data:
ret[key] = data[key]
return ret
def fire_event(key, msg, tag, sock_dir, args=None, transport="zeromq"):
"""
Fire deploy action
"""
with salt.utils.event.get_event("master", sock_dir, listen=False) as event:
try:
event.fire_event(msg, tag)
except ValueError:
# We're using at least a 0.17.x version of salt
if isinstance(args, dict):
args[key] = msg
else:
args = {key: msg}
event.fire_event(args, tag)
# https://github.com/zeromq/pyzmq/issues/173#issuecomment-4037083
# Assertion failed: get_load () == 0 (poller_base.cpp:32)
time.sleep(0.025)
def _exec_ssh_cmd(cmd, error_msg=None, allow_failure=False, **kwargs):
if error_msg is None:
error_msg = "A wrong password has been issued while establishing ssh session."
password_retries = kwargs.get("password_retries", 3)
try:
stdout, stderr = None, None
proc = salt.utils.vt.Terminal(
cmd,
shell=True,
log_stdout=True,
log_stderr=True,
stream_stdout=kwargs.get("display_ssh_output", True),
stream_stderr=kwargs.get("display_ssh_output", True),
)
sent_password = 0
while proc.has_unread_data:
stdout, stderr = proc.recv()
if stdout and SSH_PASSWORD_PROMP_RE.search(stdout):
# if authenticating with an SSH key and 'sudo' is found
# in the password prompt
if (
"key_filename" in kwargs
and kwargs["key_filename"]
and SSH_PASSWORD_PROMP_SUDO_RE.search(stdout)
):
proc.sendline(kwargs["sudo_password"])
# elif authenticating via password and haven't exhausted our
# password_retires
elif kwargs.get("password", None) and (
sent_password < password_retries
):
sent_password += 1
proc.sendline(kwargs["password"])
# else raise an error as we are not authenticating properly
# * not authenticating with an SSH key
# * not authenticating with a Password
else:
raise SaltCloudPasswordError(error_msg)
# 0.0125 is really too fast on some systems
time.sleep(0.5)
if proc.exitstatus != 0 and allow_failure is False:
raise SaltCloudSystemExit(
f"Command '{cmd}' failed. Exit code: {proc.exitstatus}"
)
return proc.exitstatus
except salt.utils.vt.TerminalException as err:
trace = traceback.format_exc()
log.error(error_msg.format(cmd, err, trace))
finally:
proc.close(terminate=True, kill=True)
# Signal an error
return 1
def scp_file(dest_path, contents=None, kwargs=None, local_file=None):
"""
Use scp or sftp to copy a file to a server
"""
file_to_upload = None
try:
if contents is not None:
try:
tmpfd, file_to_upload = tempfile.mkstemp()
os.write(tmpfd, contents)
finally:
try:
os.close(tmpfd)
except OSError as exc:
if exc.errno != errno.EBADF:
raise
log.debug("Uploading %s to %s", dest_path, kwargs["hostname"])
ssh_args = [
# Don't add new hosts to the host key database
"-oStrictHostKeyChecking=no",
# make sure ssh can time out on connection lose
"-oServerAliveInterval={}".format(
kwargs.get("server_alive_interval", SERVER_ALIVE_INTERVAL)
),
"-oServerAliveCountMax={}".format(
kwargs.get("server_alive_count_max", SERVER_ALIVE_COUNT_MAX)
),
# Set hosts key database path to /dev/null, i.e., non-existing
"-oUserKnownHostsFile=/dev/null",
# Don't re-use the SSH connection. Less failures.
"-oControlPath=none",
]
if local_file is not None:
file_to_upload = local_file
if os.path.isdir(local_file):
ssh_args.append("-r")
if "key_filename" in kwargs:
# There should never be both a password and an ssh key passed in, so
ssh_args.extend(
[
# tell SSH to skip password authentication
"-oPasswordAuthentication=no",
"-oChallengeResponseAuthentication=no",
# Make sure public key authentication is enabled
"-oPubkeyAuthentication=yes",
# do only use the provided identity file
"-oIdentitiesOnly=yes",
# No Keyboard interaction!
"-oKbdInteractiveAuthentication=no",
# Also, specify the location of the key file
"-i {}".format(kwargs["key_filename"]),
]
)
if "port" in kwargs:
ssh_args.append("-oPort={}".format(kwargs["port"]))
ssh_args.append(__ssh_gateway_arguments(kwargs))
try:
if socket.inet_pton(socket.AF_INET6, kwargs["hostname"]):
ipaddr = "[{}]".format(kwargs["hostname"])
else:
ipaddr = kwargs["hostname"]
except OSError:
ipaddr = kwargs["hostname"]
if file_to_upload is None:
log.warning(
"No source file to upload. Please make sure that either file "
"contents or the path to a local file are provided."
)
cmd = (
"scp {0} {1} {2[username]}@{4}:{3} || "
'echo "put {1} {3}" | sftp {0} {2[username]}@{4} || '
'rsync -avz -e "ssh {0}" {1} {2[username]}@{2[hostname]}:{3}'.format(
" ".join(ssh_args), file_to_upload, kwargs, dest_path, ipaddr
)
)
log.debug("SCP command: '%s'", cmd)
retcode = _exec_ssh_cmd(
cmd,
error_msg="Failed to upload file '{0}': {1}\n{2}",
password_retries=3,
**kwargs,
)
finally:
if contents is not None:
try:
os.remove(file_to_upload)
except OSError as exc:
if exc.errno != errno.ENOENT:
raise
return retcode
def ssh_file(opts, dest_path, contents=None, kwargs=None, local_file=None):
"""
Copies a file to the remote SSH target using either sftp or scp, as
configured.
"""
if opts.get("file_transport", "sftp") == "sftp":
return sftp_file(dest_path, contents, kwargs, local_file)
return scp_file(dest_path, contents, kwargs, local_file)
def sftp_file(dest_path, contents=None, kwargs=None, local_file=None):
"""
Use sftp to upload a file to a server
"""
put_args = []
if kwargs is None:
kwargs = {}
file_to_upload = None
try:
if contents is not None:
try:
tmpfd, file_to_upload = tempfile.mkstemp()
if isinstance(contents, str):
os.write(tmpfd, contents.encode(__salt_system_encoding__))
else:
os.write(tmpfd, contents)
finally:
try:
os.close(tmpfd)
except OSError as exc:
if exc.errno != errno.EBADF:
raise
if local_file is not None:
file_to_upload = local_file
if os.path.isdir(local_file):
put_args = ["-r"]
log.debug("Uploading %s to %s (sftp)", dest_path, kwargs.get("hostname"))
ssh_args = [
# Don't add new hosts to the host key database
"-oStrictHostKeyChecking=no",
# make sure ssh can time out on connection lose
"-oServerAliveInterval={}".format(
kwargs.get("server_alive_interval", SERVER_ALIVE_INTERVAL)
),
"-oServerAliveCountMax={}".format(
kwargs.get("server_alive_count_max", SERVER_ALIVE_COUNT_MAX)
),
# Set hosts key database path to /dev/null, i.e., non-existing
"-oUserKnownHostsFile=/dev/null",
# Don't re-use the SSH connection. Less failures.
"-oControlPath=none",
]
if "key_filename" in kwargs:
# There should never be both a password and an ssh key passed in, so
ssh_args.extend(
[
# tell SSH to skip password authentication
"-oPasswordAuthentication=no",
"-oChallengeResponseAuthentication=no",
# Make sure public key authentication is enabled
"-oPubkeyAuthentication=yes",
# do only use the provided identity file
"-oIdentitiesOnly=yes",
# No Keyboard interaction!
"-oKbdInteractiveAuthentication=no",
# Also, specify the location of the key file
"-oIdentityFile={}".format(kwargs["key_filename"]),
]
)
if "port" in kwargs:
ssh_args.append("-oPort={}".format(kwargs["port"]))
ssh_args.append(__ssh_gateway_arguments(kwargs))
try:
if socket.inet_pton(socket.AF_INET6, kwargs["hostname"]):
ipaddr = "[{}]".format(kwargs["hostname"])
else:
ipaddr = kwargs["hostname"]
except OSError:
ipaddr = kwargs["hostname"]
if file_to_upload is None:
log.warning(
"No source file to upload. Please make sure that either file "
"contents or the path to a local file are provided."
)
cmd = 'echo "put {0} {1} {2}" | sftp {3} {4[username]}@{5}'.format(
" ".join(put_args),
file_to_upload,
dest_path,
" ".join(ssh_args),
kwargs,
ipaddr,
)
log.debug("SFTP command: '%s'", cmd)
retcode = _exec_ssh_cmd(
cmd,
error_msg="Failed to upload file '{0}': {1}\n{2}",
password_retries=3,
**kwargs,
)
finally:
if contents is not None:
try:
os.remove(file_to_upload)
except OSError as exc:
if exc.errno != errno.ENOENT:
raise
return retcode
def win_cmd(command, **kwargs):
"""
Wrapper for commands to be run against Windows boxes
"""
logging_command = kwargs.get("logging_command", None)
try:
proc = NonBlockingPopen(
command,
shell=True,
stderr=subprocess.PIPE,
stdout=subprocess.PIPE,
stream_stds=kwargs.get("display_ssh_output", True),
logging_command=logging_command,
)
if logging_command is None:
log.debug("Executing command(PID %s): '%s'", proc.pid, command)
else:
log.debug("Executing command(PID %s): '%s'", proc.pid, logging_command)
proc.poll_and_read_until_finish()
proc.communicate()
return proc.returncode
except Exception as err: # pylint: disable=broad-except
log.exception("Failed to execute command '%s'", logging_command)
# Signal an error
return 1
def winrm_cmd(session, command, flags, **kwargs):
"""
Wrapper for commands to be run against Windows boxes using WinRM.
"""
log.debug("Executing WinRM command: %s %s", command, flags)
r = session.run_cmd(command, flags)
return r.status_code
def root_cmd(command, tty, sudo, allow_failure=False, **kwargs):
"""
Wrapper for commands to be run as root
"""
logging_command = command
sudo_password = kwargs.get("sudo_password", None)
if sudo:
if sudo_password is None:
command = f"sudo {command}"
logging_command = command
else:
logging_command = f'sudo -S "XXX-REDACTED-XXX" {command}'
command = f"sudo -S {command}"
log.debug("Using sudo to run command %s", logging_command)
ssh_args = []
if tty:
# Use double `-t` on the `ssh` command, it's necessary when `sudo` has
# `requiretty` enforced.
ssh_args.extend(["-t", "-t"])
known_hosts_file = kwargs.get("known_hosts_file", "/dev/null")
host_key_checking = "no"
if known_hosts_file != "/dev/null":
host_key_checking = "yes"
ssh_args.extend(
[
# Don't add new hosts to the host key database
f"-oStrictHostKeyChecking={host_key_checking}",
# Set hosts key database path to /dev/null, i.e., non-existing
f"-oUserKnownHostsFile={known_hosts_file}",
# Don't re-use the SSH connection. Less failures.
"-oControlPath=none",
]
)
if "key_filename" in kwargs:
# There should never be both a password and an ssh key passed in, so
ssh_args.extend(
[
# tell SSH to skip password authentication
"-oPasswordAuthentication=no",
"-oChallengeResponseAuthentication=no",
# Make sure public key authentication is enabled
"-oPubkeyAuthentication=yes",
# do only use the provided identity file
"-oIdentitiesOnly=yes",
# No Keyboard interaction!
"-oKbdInteractiveAuthentication=no",
# Also, specify the location of the key file
"-i {}".format(kwargs["key_filename"]),
]
)
if "ssh_timeout" in kwargs:
ssh_args.extend(["-oConnectTimeout={}".format(kwargs["ssh_timeout"])])
ssh_args.extend([__ssh_gateway_arguments(kwargs)])
if "port" in kwargs:
ssh_args.extend(["-p {}".format(kwargs["port"])])
cmd = "ssh {0} {1[username]}@{1[hostname]} ".format(" ".join(ssh_args), kwargs)
logging_command = cmd + logging_command
cmd = cmd + shlex.quote(command)
hard_timeout = kwargs.get("hard_timeout")
if hard_timeout is not None:
logging_command = f"timeout {hard_timeout} {logging_command}"
cmd = f"timeout {hard_timeout} {cmd}"
log.debug("SSH command: '%s'", logging_command)
retcode = _exec_ssh_cmd(cmd, allow_failure=allow_failure, **kwargs)
return retcode
def check_auth(name, sock_dir=None, queue=None, timeout=300):
"""
This function is called from a multiprocess instance, to wait for a minion
to become available to receive salt commands
"""
with salt.utils.event.SaltEvent("master", sock_dir, listen=True) as event:
starttime = time.mktime(time.localtime())
newtimeout = timeout
log.debug("In check_auth, waiting for %s to become available", name)
while newtimeout > 0:
newtimeout = timeout - (time.mktime(time.localtime()) - starttime)
ret = event.get_event(full=True)
if ret is None:
continue
if ret["tag"] == f"salt/minion/{name}/start":
queue.put(name)
newtimeout = 0
log.debug("Minion %s is ready to receive commands", name)
def ip_to_int(ip):
"""
Converts an IP address to an integer
"""
ret = 0
for octet in ip.split("."):
ret = ret * 256 + int(octet)
return ret
def is_public_ip(ip):
"""
Determines whether an IP address falls within one of the private IP ranges
"""
if ":" in ip:
# ipv6
if ip.startswith("fe80:"):
# ipv6 link local
return False
return True
addr = ip_to_int(ip)
if 167772160 < addr < 184549375:
# 10.0.0.0/8
return False
elif 3232235520 < addr < 3232301055:
# 192.168.0.0/16
return False
elif 2886729728 < addr < 2887778303:
# 172.16.0.0/12
return False
elif 2130706432 < addr < 2147483647:
# 127.0.0.0/8
return False
return True
def check_name(name, safe_chars):
"""
Check whether the specified name contains invalid characters
"""
regexp = re.compile(f"[^{safe_chars}]")
if regexp.search(name):
raise SaltCloudException(
"{} contains characters not supported by this cloud provider. "
"Valid characters are: {}".format(name, safe_chars)
)
def remove_sshkey(host, known_hosts=None):
"""
Remove a host from the known_hosts file
"""
if known_hosts is None:
if "HOME" in os.environ:
known_hosts = "{}/.ssh/known_hosts".format(os.environ["HOME"])
else:
try:
known_hosts = "{}/.ssh/known_hosts".format(
pwd.getpwuid(os.getuid()).pwd_dir
)
except Exception: # pylint: disable=broad-except
pass
if known_hosts is not None:
log.debug("Removing ssh key for %s from known hosts file %s", host, known_hosts)
else:
log.debug("Removing ssh key for %s from known hosts file", host)
subprocess.call(["ssh-keygen", "-R", host])
def wait_for_ip(
update_callback,
update_args=None,
update_kwargs=None,
timeout=5 * 60,
interval=5,
interval_multiplier=1,
max_failures=10,
):
"""
Helper function that waits for an IP address for a specific maximum amount
of time.
:param update_callback: callback function which queries the cloud provider
for the VM ip address. It must return None if the
required data, IP included, is not available yet.
:param update_args: Arguments to pass to update_callback
:param update_kwargs: Keyword arguments to pass to update_callback
:param timeout: The maximum amount of time(in seconds) to wait for the IP
address.
:param interval: The looping interval, i.e., the amount of time to sleep
before the next iteration.
:param interval_multiplier: Increase the interval by this multiplier after
each request; helps with throttling
:param max_failures: If update_callback returns ``False`` it's considered
query failure. This value is the amount of failures
accepted before giving up.
:returns: The update_callback returned data
:raises: SaltCloudExecutionTimeout
"""
if update_args is None:
update_args = ()
if update_kwargs is None:
update_kwargs = {}
duration = timeout
while True:
log.debug(
"Waiting for VM IP. Giving up in 00:%02d:%02d.",
int(timeout // 60),
int(timeout % 60),
)
data = update_callback(*update_args, **update_kwargs)
if data is False:
log.debug(
"'update_callback' has returned 'False', which is "
"considered a failure. Remaining Failures: %s.",
max_failures,
)
max_failures -= 1
if max_failures <= 0:
raise SaltCloudExecutionFailure(
"Too many failures occurred while waiting for the IP address."
)
elif data is not None:
return data
if timeout < 0:
raise SaltCloudExecutionTimeout(
"Unable to get IP for 00:{:02d}:{:02d}.".format(
int(duration // 60), int(duration % 60)
)
)
time.sleep(interval)
timeout -= interval
if interval_multiplier > 1:
interval *= interval_multiplier
if interval > timeout:
interval = timeout + 1
log.info("Interval multiplier in effect; interval is now %ss.", interval)
def list_nodes_select(nodes, selection, call=None):
"""
Return a list of the VMs that are on the provider, with select fields
"""
if call == "action":
raise SaltCloudSystemExit(
"The list_nodes_select function must be called with -f or --function."
)
if "error" in nodes:
raise SaltCloudSystemExit(
"An error occurred while listing nodes: {}".format(
nodes["error"]["Errors"]["Error"]["Message"]
)
)
ret = {}
for node in nodes:
pairs = {}
data = nodes[node]
for key in data:
if str(key) in selection:
value = data[key]
pairs[key] = value
ret[node] = pairs
return ret
def lock_file(filename, interval=0.5, timeout=15):
"""
Lock a file; if it is already locked, then wait for it to become available
before locking it.
Note that these locks are only recognized by Salt Cloud, and not other
programs or platforms.
"""
log.trace("Attempting to obtain lock for %s", filename)
lock = filename + ".lock"
start = time.time()
while True:
if os.path.exists(lock):
if time.time() - start >= timeout:
log.warning("Unable to obtain lock for %s", filename)
return False
time.sleep(interval)
else:
break
with salt.utils.files.fopen(lock, "a"):
pass
def unlock_file(filename):
"""
Unlock a locked file
Note that these locks are only recognized by Salt Cloud, and not other
programs or platforms.
"""
log.trace("Removing lock for %s", filename)
lock = filename + ".lock"
try:
os.remove(lock)
except OSError as exc:
log.trace("Unable to remove lock for %s: %s", filename, exc)
def cachedir_index_add(minion_id, profile, driver, provider, base=None):
"""
Add an entry to the cachedir index. This generally only needs to happen when
a new instance is created. This entry should contain:
.. code-block:: yaml
- minion_id
- profile used to create the instance
- provider and driver name
The intent of this function is to speed up lookups for the cloud roster for
salt-ssh. However, other code that makes use of profile information can also
make use of this function.
"""
base = init_cachedir(base)
index_file = os.path.join(base, "index.p")
lock_file(index_file)
if os.path.exists(index_file):
with salt.utils.files.fopen(index_file, "rb") as fh_:
index = salt.utils.data.decode(
salt.utils.msgpack.load(fh_, encoding=MSGPACK_ENCODING)
)
else:
index = {}
prov_comps = provider.split(":")
index.update(
{
minion_id: {
"id": minion_id,
"profile": profile,
"driver": driver,
"provider": prov_comps[0],
}
}
)
with salt.utils.files.fopen(index_file, "wb") as fh_:
salt.utils.msgpack.dump(index, fh_, encoding=MSGPACK_ENCODING)
unlock_file(index_file)
def cachedir_index_del(minion_id, base=None):
"""
Delete an entry from the cachedir index. This generally only needs to happen
when an instance is deleted.
"""
base = init_cachedir(base)
index_file = os.path.join(base, "index.p")
lock_file(index_file)
if os.path.exists(index_file):
with salt.utils.files.fopen(index_file, "rb") as fh_:
index = salt.utils.data.decode(
salt.utils.msgpack.load(fh_, encoding=MSGPACK_ENCODING)
)
else:
return
if minion_id in index:
del index[minion_id]
with salt.utils.files.fopen(index_file, "wb") as fh_:
salt.utils.msgpack.dump(index, fh_, encoding=MSGPACK_ENCODING)
unlock_file(index_file)
def init_cachedir(base=None):
"""
Initialize the cachedir needed for Salt Cloud to keep track of minions
"""
if base is None:
base = __opts__["cachedir"]
needed_dirs = (base, os.path.join(base, "requested"), os.path.join(base, "active"))
for dir_ in needed_dirs:
if not os.path.exists(dir_):
os.makedirs(dir_)
os.chmod(base, 0o755)
return base
# FIXME: This function seems used nowhere. Dead code?
def request_minion_cachedir(
minion_id,
opts=None,
fingerprint="",
pubkey=None,
provider=None,
base=None,
):
"""
Creates an entry in the requested/ cachedir. This means that Salt Cloud has
made a request to a cloud provider to create an instance, but it has not
yet verified that the instance properly exists.
If the fingerprint is unknown, a raw pubkey can be passed in, and a
fingerprint will be calculated. If both are empty, then the fingerprint
will be set to None.
"""
if base is None:
base = __opts__["cachedir"]
if not fingerprint and pubkey is not None:
fingerprint = salt.utils.crypt.pem_finger(
key=pubkey, sum_type=(opts and opts.get("hash_type") or "sha256")
)
init_cachedir(base)
data = {
"minion_id": minion_id,
"fingerprint": fingerprint,
"provider": provider,
}
fname = f"{minion_id}.p"
path = os.path.join(base, "requested", fname)
with salt.utils.files.fopen(path, "wb") as fh_:
salt.utils.msgpack.dump(data, fh_, encoding=MSGPACK_ENCODING)
def change_minion_cachedir(
minion_id,
cachedir,
data=None,
base=None,
):
"""
Changes the info inside a minion's cachedir entry. The type of cachedir
must be specified (i.e., 'requested' or 'active'). A dict is also passed in
which contains the data to be changed.
Example:
change_minion_cachedir(
'myminion',
'requested',
{'fingerprint': '26:5c:8c:de:be:fe:89:c0:02:ed:27:65:0e:bb:be:60'},
)
"""
if not isinstance(data, dict):
return False
if base is None:
base = __opts__["cachedir"]
fname = f"{minion_id}.p"
path = os.path.join(base, cachedir, fname)
with salt.utils.files.fopen(path, "r") as fh_:
cache_data = salt.utils.data.decode(
salt.utils.msgpack.load(fh_, encoding=MSGPACK_ENCODING)
)
cache_data.update(data)
with salt.utils.files.fopen(path, "w") as fh_:
salt.utils.msgpack.dump(cache_data, fh_, encoding=MSGPACK_ENCODING)
def activate_minion_cachedir(minion_id, base=None):
"""
Moves a minion from the requested/ cachedir into the active/ cachedir. This
means that Salt Cloud has verified that a requested instance properly
exists, and should be expected to exist from here on out.
"""
if base is None:
base = __opts__["cachedir"]
fname = f"{minion_id}.p"
src = os.path.join(base, "requested", fname)
dst = os.path.join(base, "active")
shutil.move(src, dst)
def delete_minion_cachedir(minion_id, provider, opts, base=None):
"""
Deletes a minion's entry from the cloud cachedir. It will search through
all cachedirs to find the minion's cache file.
Needs `update_cachedir` set to True.
"""
if isinstance(opts, dict):
__opts__.update(opts)
if __opts__.get("update_cachedir", False) is False:
return
if base is None:
base = __opts__["cachedir"]
driver = next(iter(__opts__["providers"][provider].keys()))
fname = f"{minion_id}.p"
for cachedir in "requested", "active":
path = os.path.join(base, cachedir, driver, provider, fname)
log.debug("path: %s", path)
if os.path.exists(path):
os.remove(path)
def list_cache_nodes_full(opts=None, provider=None, base=None):
"""
Return a list of minion data from the cloud cache, rather from the cloud
providers themselves. This is the cloud cache version of list_nodes_full().
"""
if opts is None:
opts = __opts__
if opts.get("update_cachedir", False) is False:
return
if base is None:
base = os.path.join(opts["cachedir"], "active")
minions = {}
# First, get a list of all drivers in use
for driver in os.listdir(base):
minions[driver] = {}
prov_dir = os.path.join(base, driver)
# Then, get a list of all providers per driver
for prov in os.listdir(prov_dir):
# If a specific provider is requested, filter out everyone else
if provider and provider != prov:
continue
minions[driver][prov] = {}
min_dir = os.path.join(prov_dir, prov)
# Get a list of all nodes per provider
for fname in os.listdir(min_dir):
# Finally, get a list of full minion data
fpath = os.path.join(min_dir, fname)
minion_id = fname[:-2] # strip '.p' from end of msgpack filename
with salt.utils.files.fopen(fpath, "rb") as fh_:
minions[driver][prov][minion_id] = salt.utils.data.decode(
salt.utils.msgpack.load(fh_, encoding=MSGPACK_ENCODING)
)
return minions
def update_bootstrap(config, url=None):
"""
Update the salt-bootstrap script
url can be one of:
- The URL to fetch the bootstrap script from
- The absolute path to the bootstrap
- The content of the bootstrap script
"""
default_url = config.get("bootstrap_script_url", "https://bootstrap.saltstack.com")
if not url:
url = default_url
if not url:
raise ValueError("Cant get any source to update")
if url.startswith("http") or "://" in url:
log.debug("Updating the bootstrap-salt.sh script to latest stable")
try:
import requests
except ImportError:
return {
"error": (
"Updating the bootstrap-salt.sh script requires the "
"Python requests library to be installed"
)
}
req = requests.get(url, timeout=120)
if req.status_code != 200:
return {
"error": (
"Failed to download the latest stable version of the "
"bootstrap-salt.sh script from {}. HTTP error: "
"{}".format(url, req.status_code)
)
}
script_content = req.text
if url == default_url:
script_name = "bootstrap-salt.sh"
else:
script_name = os.path.basename(url)
elif os.path.exists(url):
with salt.utils.files.fopen(url) as fic:
script_content = salt.utils.stringutils.to_unicode(fic.read())
script_name = os.path.basename(url)
# in last case, assuming we got a script content
else:
script_content = url
script_name = f"{hashlib.sha1(script_content).hexdigest()}.sh"
if not script_content:
raise ValueError("No content in bootstrap script !")
# Get the path to the built-in deploy scripts directory
builtin_deploy_dir = os.path.join(os.path.dirname(__file__), "deploy")
# Compute the search path from the current loaded opts conf_file
# value
deploy_d_from_conf_file = os.path.join(
os.path.dirname(config["conf_file"]), "cloud.deploy.d"
)
# Compute the search path using the install time defined
# syspaths.CONF_DIR
deploy_d_from_syspaths = os.path.join(config["config_dir"], "cloud.deploy.d")
# Get a copy of any defined search paths, flagging them not to
# create parent
deploy_scripts_search_paths = []
for entry in config.get("deploy_scripts_search_path", []):
if entry.startswith(builtin_deploy_dir):
# We won't write the updated script to the built-in deploy
# directory
continue
if entry in (deploy_d_from_conf_file, deploy_d_from_syspaths):
# Allow parent directories to be made
deploy_scripts_search_paths.append((entry, True))
else:
deploy_scripts_search_paths.append((entry, False))
# In case the user is not using defaults and the computed
# 'cloud.deploy.d' from conf_file and syspaths is not included, add
# them
if deploy_d_from_conf_file not in deploy_scripts_search_paths:
deploy_scripts_search_paths.append((deploy_d_from_conf_file, True))
if deploy_d_from_syspaths not in deploy_scripts_search_paths:
deploy_scripts_search_paths.append((deploy_d_from_syspaths, True))
finished = []
finished_full = []
for entry, makedirs in deploy_scripts_search_paths:
# This handles duplicate entries, which are likely to appear
if entry in finished:
continue
else:
finished.append(entry)
if makedirs and not os.path.isdir(entry):
try:
os.makedirs(entry)
except OSError as err:
log.info("Failed to create directory '%s'", entry)
continue
if not is_writeable(entry):
log.debug("The '%s' is not writeable. Continuing...", entry)
continue
deploy_path = os.path.join(entry, script_name)
try:
finished_full.append(deploy_path)
with salt.utils.files.fopen(deploy_path, "w") as fp_:
fp_.write(salt.utils.stringutils.to_str(script_content))
except OSError as err:
log.debug("Failed to write the updated script: %s", err)
continue
return {"Success": {"Files updated": finished_full}}
def cache_node_list(nodes, provider, opts):
"""
If configured to do so, update the cloud cachedir with the current list of
nodes. Also fires configured events pertaining to the node list.
.. versionadded:: 2014.7.0
"""
if "update_cachedir" not in opts or not opts["update_cachedir"]:
return
base = os.path.join(init_cachedir(), "active")
driver = next(iter(opts["providers"][provider].keys()))
prov_dir = os.path.join(base, driver, provider)
if not os.path.exists(prov_dir):
os.makedirs(prov_dir)
# Check to see if any nodes in the cache are not in the new list
missing_node_cache(prov_dir, nodes, provider, opts)
for node in nodes:
diff_node_cache(prov_dir, node, nodes[node], opts)
path = os.path.join(prov_dir, f"{node}.p")
with salt.utils.files.fopen(path, "wb") as fh_:
salt.utils.msgpack.dump(nodes[node], fh_, encoding=MSGPACK_ENCODING)
def cache_node(node, provider, opts):
"""
Cache node individually
.. versionadded:: 2014.7.0
"""
if isinstance(opts, dict):
__opts__.update(opts)
if "update_cachedir" not in __opts__ or not __opts__["update_cachedir"]:
return
if not os.path.exists(os.path.join(__opts__["cachedir"], "active")):
init_cachedir()
base = os.path.join(__opts__["cachedir"], "active")
provider, driver = provider.split(":")
prov_dir = os.path.join(base, driver, provider)
if not os.path.exists(prov_dir):
os.makedirs(prov_dir)
path = os.path.join(prov_dir, "{}.p".format(node["name"]))
with salt.utils.files.fopen(path, "wb") as fh_:
salt.utils.msgpack.dump(node, fh_, encoding=MSGPACK_ENCODING)
def missing_node_cache(prov_dir, node_list, provider, opts):
"""
Check list of nodes to see if any nodes which were previously known about
in the cache have been removed from the node list.
This function will only run if configured to do so in the main Salt Cloud
configuration file (normally /etc/salt/cloud).
.. code-block:: yaml
diff_cache_events: True
.. versionadded:: 2014.7.0
"""
cached_nodes = []
for node in os.listdir(prov_dir):
cached_nodes.append(os.path.splitext(node)[0])
for node in cached_nodes:
if node not in node_list:
delete_minion_cachedir(node, provider, opts)
if "diff_cache_events" in opts and opts["diff_cache_events"]:
fire_event(
"event",
"cached node missing from provider",
f"salt/cloud/{node}/cache_node_missing",
args={"missing node": node},
sock_dir=opts.get(
"sock_dir", os.path.join(__opts__["sock_dir"], "master")
),
transport=opts.get("transport", "zeromq"),
)
def diff_node_cache(prov_dir, node, new_data, opts):
"""
Check new node data against current cache. If data differ, fire an event
which consists of the new node data.
This function will only run if configured to do so in the main Salt Cloud
configuration file (normally /etc/salt/cloud).
.. code-block:: yaml
diff_cache_events: True
.. versionadded:: 2014.7.0
"""
if "diff_cache_events" not in opts or not opts["diff_cache_events"]:
return
if node is None:
return
path = f"{os.path.join(prov_dir, node)}.p"
if not os.path.exists(path):
event_data = _strip_cache_events(new_data, opts)
fire_event(
"event",
"new node found",
f"salt/cloud/{node}/cache_node_new",
args={"new_data": event_data},
sock_dir=opts.get("sock_dir", os.path.join(__opts__["sock_dir"], "master")),
transport=opts.get("transport", "zeromq"),
)
return
with salt.utils.files.fopen(path, "r") as fh_:
try:
cache_data = salt.utils.data.decode(
salt.utils.msgpack.load(fh_, encoding=MSGPACK_ENCODING)
)
except ValueError:
log.warning("Cache for %s was corrupt: Deleting", node)
cache_data = {}
# Perform a simple diff between the old and the new data, and if it differs,
# return both dicts.
# TODO: Return an actual diff
diff = salt.utils.compat.cmp(new_data, cache_data)
if diff != 0:
fire_event(
"event",
"node data differs",
f"salt/cloud/{node}/cache_node_diff",
args={
"new_data": _strip_cache_events(new_data, opts),
"cache_data": _strip_cache_events(cache_data, opts),
},
sock_dir=opts.get("sock_dir", os.path.join(__opts__["sock_dir"], "master")),
transport=opts.get("transport", "zeromq"),
)
def _strip_cache_events(data, opts):
"""
Strip out user-configured sensitive event data. The fields to be stripped
are configured in the main Salt Cloud configuration file, usually
``/etc/salt/cloud``.
.. code-block:: yaml
cache_event_strip_fields:
- password
- priv_key
.. versionadded:: 2014.7.0
"""
event_data = copy.deepcopy(data)
strip_fields = opts.get("cache_event_strip_fields", [])
for field in strip_fields:
if field in event_data:
del event_data[field]
return event_data
def _salt_cloud_force_ascii(exc):
"""
Helper method to try its best to convert any Unicode text into ASCII
without stack tracing since salt internally does not handle Unicode strings
This method is not supposed to be used directly. Once
`py:module: salt.utils.cloud` is imported this method register's with
python's codecs module for proper automatic conversion in case of encoding
errors.
"""
if not isinstance(exc, (UnicodeEncodeError, UnicodeTranslateError)):
raise TypeError(f"Can't handle {exc}")
unicode_trans = {
# Convert non-breaking space to space
"\xa0": " ",
# Convert en dash to dash
"\u2013": "-",
}
if exc.object[exc.start : exc.end] in unicode_trans:
return unicode_trans[exc.object[exc.start : exc.end]], exc.end
# There's nothing else we can do, raise the exception
raise exc
codecs.register_error("salt-cloud-force-ascii", _salt_cloud_force_ascii)
def retrieve_password_from_keyring(credential_id, username):
"""
Retrieve particular user's password for a specified credential set from system keyring.
"""
try:
import keyring # pylint: disable=import-error
return keyring.get_password(credential_id, username)
except ImportError:
log.error(
"USE_KEYRING configured as a password, but no keyring module is installed"
)
return False
def _save_password_in_keyring(credential_id, username, password):
"""
Saves provider password in system keyring
"""
try:
import keyring # pylint: disable=import-error
return keyring.set_password(credential_id, username, password)
except ImportError:
log.error(
"Tried to store password in keyring, but no keyring module is installed"
)
return False
def store_password_in_keyring(credential_id, username, password=None):
"""
Interactively prompts user for a password and stores it in system keyring
"""
try:
# pylint: disable=import-error
import keyring
import keyring.errors
# pylint: enable=import-error
if password is None:
prompt = f"Please enter password for {credential_id}: "
try:
password = getpass.getpass(prompt)
except EOFError:
password = None
if not password:
# WE should raise something else here to be able to use this
# as/from an API
raise RuntimeError("Invalid password provided.")
try:
_save_password_in_keyring(credential_id, username, password)
except keyring.errors.PasswordSetError as exc:
log.debug("Problem saving password in the keyring: %s", exc)
except ImportError:
log.error(
"Tried to store password in keyring, but no keyring module is installed"
)
return False
def _unwrap_dict(dictionary, index_string):
"""
Accepts index in form of a string
Returns final value
Example: dictionary = {'a': {'b': {'c': 'foobar'}}}
index_string = 'a,b,c'
returns 'foobar'
"""
index = index_string.split(",")
for k in index:
dictionary = dictionary[k]
return dictionary
def run_func_until_ret_arg(
fun,
kwargs,
fun_call=None,
argument_being_watched=None,
required_argument_response=None,
):
"""
Waits until the function retrieves some required argument.
NOTE: Tested with ec2 describe_volumes and describe_snapshots only.
"""
status = None
while status != required_argument_response:
f_result = fun(kwargs, call=fun_call)
r_set = {}
for d in f_result:
if isinstance(d, list):
d0 = d[0]
if isinstance(d0, dict):
for k, v in d0.items():
r_set[k] = v
status = _unwrap_dict(r_set, argument_being_watched)
log.debug(
"Function: %s, Watched arg: %s, Response: %s",
str(fun).split(" ")[1],
argument_being_watched,
status,
)
time.sleep(5)
return True
def get_salt_interface(vm_, opts):
"""
Return the salt_interface type to connect to. Either 'public_ips' (default)
or 'private_ips'.
"""
salt_host = salt.config.get_cloud_config_value(
"salt_interface", vm_, opts, default=False, search_global=False
)
if salt_host is False:
salt_host = salt.config.get_cloud_config_value(
"ssh_interface", vm_, opts, default="public_ips", search_global=False
)
return salt_host
def check_key_path_and_mode(provider, key_path):
"""
Checks that the key_path exists and the key_mode is either 0400 or 0600.
Returns True or False.
.. versionadded:: 2016.3.0
provider
The provider name that the key_path to check belongs to.
key_path
The key_path to ensure that it exists and to check adequate permissions
against.
"""
if not os.path.exists(key_path):
log.error(
"The key file '%s' used in the '%s' provider configuration "
"does not exist.\n",
key_path,
provider,
)
return False
key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
if key_mode not in (0o400, 0o600):
log.error(
"The key file '%s' used in the '%s' provider configuration "
"needs to be set to mode 0400 or 0600.\n",
key_path,
provider,
)
return False
return True
def userdata_template(opts, vm_, userdata):
"""
Use the configured templating engine to template the userdata file
"""
# No userdata, no need to template anything
if userdata is None:
return userdata
userdata_template = salt.config.get_cloud_config_value(
"userdata_template", vm_, opts, search_global=False, default=None
)
if userdata_template is False:
return userdata
# Use the cloud profile's userdata_template, otherwise get it from the
# master configuration file.
renderer = (
opts.get("userdata_template")
if userdata_template is None
else userdata_template
)
if renderer is None:
return userdata
else:
render_opts = opts.copy()
render_opts.update(vm_)
rend = salt.loader.render(render_opts, {})
blacklist = opts["renderer_blacklist"]
whitelist = opts["renderer_whitelist"]
templated = salt.template.compile_template(
":string:",
rend,
renderer,
blacklist,
whitelist,
input_data=userdata,
)
if not isinstance(templated, str):
# template renderers like "jinja" should return a StringIO
try:
templated = "".join(templated.readlines())
except AttributeError:
log.warning(
"Templated userdata resulted in non-string result (%s), "
"converting to string",
templated,
)
templated = str(templated)
return templated