
# Copyright (C) 2009 Red Hat, Inc., Joey Boggs <jboggs@redhat.com>
# Copyright (C) 2012 Rackspace US, Inc.,
#                    Justin Shepherd <jshepher@rackspace.com>
# Copyright (C) 2013 Red Hat, Inc., Jeremy Agee <jagee@redhat.com>
# Copyright (C) 2015 Red Hat, Inc., Abhijeet Kasurde <akasurde@redhat.com>
# Copyright (C) 2017 Red Hat, Inc., Martin Schuppert <mschuppert@redhat.com>

# This file is part of the sos project: https://github.com/sosreport/sos
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions of
# version 2 of the GNU General Public License.
#
# See the LICENSE file in the source distribution for further information.

import os
import re
from sos.report.plugins import Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin


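class OpenStackNova(Plugin):
    """Collect OpenStack Nova command output, logs and configuration.

    The distribution-specific subclasses set ``apachepkg`` and, where
    needed, ``service_name``. Configuration files under ``/etc/nova`` and
    the puppet-generated config trees are scrubbed in ``postproc`` so that
    passwords, secrets and database credentials are masked in the copies
    stored in the report.
    """

    short_desc = 'OpenStack Nova'
    plugin_name = "openstack_nova"
    profiles = ('openstack', 'openstack_controller',
                'openstack_compute', 'openstack_edpm')
    containers = ('.*nova_api',)

    var_puppet_gen = "/var/lib/config-data/puppet-generated/nova"
    service_name = "openstack-nova-api.service"
    # Overridden by the distribution subclasses ("apache2" / "httpd"); it is
    # interpolated into the /var/log/<apachepkg>*/ copy specs below.
    apachepkg = None

    def setup(self):
        """Register the commands and copy specs for a Nova host.

        Command output is only requested when the Nova API service is
        running or a ``nova_api`` container exists. The ``openstack`` and
        ``nova`` client commands are only requested when the OpenStack
        credential variables are present in the environment.
        """

        # collect commands output only if the openstack-nova-api service
        # is running
        in_container = self.container_exists('.*nova_api')

        if self.is_service_running(self.service_name) or in_container:
            nova_config = ""
            # if containerized we need to pass the config to the cont.
            if in_container:
                nova_config = "--config-dir " + self.var_puppet_gen + \
                                "/etc/nova/"

            self.add_cmd_output(
                "nova-manage " + nova_config + " db version",
                suggest_filename="nova-manage_db_version"
            )
            self.add_cmd_output(
                "nova-manage " + nova_config + " fixed list",
                suggest_filename="nova-manage_fixed_list"
            )
            self.add_cmd_output(
                "nova-manage " + nova_config + " floating list",
                suggest_filename="nova-manage_floating_list"
            )
            self.add_cmd_output(
                "nova-status " + nova_config + " upgrade check",
                suggest_filename="nova-status_upgrade_check"
            )

            # Only the presence of the credential variables is tested here;
            # their values are neither read nor logged by this method.
            vars_all = [p in os.environ for p in [
                        'OS_USERNAME', 'OS_PASSWORD']]

            vars_any = [p in os.environ for p in [
                        'OS_TENANT_NAME', 'OS_PROJECT_NAME']]

            if not (all(vars_all) and any(vars_any)):
                self.soslog.warning("Not all environment variables set. "
                                    "Source the environment file for the user "
                                    "intended to connect to the OpenStack "
                                    "environment.")
            else:
                self.add_cmd_output("openstack compute service list")
                self.add_cmd_output("openstack flavor list --long")
                self.add_cmd_output("openstack compute agent list")
                self.add_cmd_output("nova version-list")
                self.add_cmd_output("openstack hypervisor list")
                self.add_cmd_output("openstack quota show")
                self.add_cmd_output("openstack hypervisor stats show")

                res = self.collect_cmd_output(
                    "openstack server list --all-projects"
                )

                # get details for each nova instance
                if res['status'] == 0:
                    # The first three lines and the last line of the table
                    # are skipped; the second whitespace-separated token of
                    # each remaining row is used as the server identifier.
                    for row in res['output'].splitlines()[3:-1]:
                        fields = row.split()
                        # A blank or truncated row has no identifier column;
                        # skip it instead of raising IndexError, which would
                        # abort the rest of setup().
                        if len(fields) < 2:
                            continue
                        # NOTE(review): the identifier is taken from CLI
                        # output and placed in a command string; confirm
                        # add_cmd_output does not pass it through a shell.
                        self.add_cmd_output(
                            f"openstack server show {fields[1]}"
                        )

        if self.get_option("all_logs"):
            self.add_copy_spec([
                "/var/log/nova/",
                f"/var/log/{self.apachepkg}*/nova*",
                # NOTE(review): instance console logs hold whatever the
                # guests wrote to their consoles; confirm that is acceptable
                # content for a report shared outside the site.
                "/var/lib/nova/instances/*/console.log",
            ])
        else:
            novadir = '/var/log/nova/'
            novalogs = [
                "nova-api.log*",
                "nova-compute.log*",
                "nova-conductor.log*",
                "nova-metadata-api.log*",
                "nova-manage.log*",
                "nova-placement-api.log*",
                "nova-scheduler.log*"
            ]
            for novalog in novalogs:
                self.add_copy_spec(self.path_join(novadir, novalog))
            self.add_copy_spec([
                f"/var/log/{self.apachepkg}*/nova*.log",
                f"/var/log/{self.apachepkg}*/placement*.log",
            ])

        npaths = ['', '_libvirt', '_metadata', '_placement']
        syspaths = [
            '/etc/nova/',
            '/etc/my.cnf.d/tripleo.cnf',
            '/etc/httpd/conf/',
            '/etc/httpd/conf.d/',
            '/etc/httpd/conf.modules.d/*.conf'
        ]
        # excludes httpd'ish specs in the libvirt path: the filter keeps a
        # generated path only if "libvirt" is never followed by "httpd" in it
        specs = [
            "/etc/nova/",
            # NOTE(review): bare file name rather than an absolute path;
            # confirm how add_copy_spec resolves it.
            "authorized_keys",
            self.var_puppet_gen + "/../memcached/etc/sysconfig/memcached",
            self.var_puppet_gen + "/var/spool/cron/nova",
            self.var_puppet_gen + "_libvirt/etc/libvirt/",
            self.var_puppet_gen + "_libvirt/etc/nova/migration/",
            self.var_puppet_gen + "_libvirt/var/lib/nova/.ssh/config"
        ] + list(
            filter(re.compile('^((?!libvirt.+httpd).)*$').match,
                   [f'{self.var_puppet_gen}{p}{s}'
                    for p in npaths for s in syspaths
                    ]))
        self.add_copy_spec(specs)

    def apply_regex_sub(self, regexp, subst):
        """Apply one substitution to every collected Nova config location.

        Covers ``/etc/nova/*`` and the ``etc/nova`` directory of each
        puppet-generated tree (plain, ``_libvirt``, ``_metadata`` and
        ``_placement``).

        :param regexp: pattern handed to ``do_path_regex_sub``
        :param subst: replacement string handed to ``do_path_regex_sub``
        """
        self.do_path_regex_sub("/etc/nova/*", regexp, subst)
        for npath in ['', '_libvirt', '_metadata', '_placement']:
            self.do_path_regex_sub(
                f"{self.var_puppet_gen}{npath}/etc/nova/*",
                regexp, subst)

    def postproc(self):
        """Mask secrets in the collected Nova configuration files.

        Two substitutions are applied: the whole value of each option named
        in ``protect_keys`` is replaced, and the password part of a
        ``connection`` / ``sql_connection`` URL is replaced while the
        scheme, user and host are kept.
        """
        # Only options whose name is exactly one of these are masked: the
        # pattern requires the name to follow the leading whitespace and to
        # be followed by "=". An option that is not listed here is left in
        # clear, so the list needs review when secret-bearing options are
        # added to the configuration.
        protect_keys = [
            "ldap_dns_password", "neutron_admin_password", "rabbit_password",
            "qpid_password", "powervm_mgr_passwd", "virtual_power_host_pass",
            "xenapi_connection_password", "password", "host_password",
            "vnc_password", "admin_password", "connection_password",
            "memcache_secret_key", "s3_secret_key",
            "metadata_proxy_shared_secret", "fixed_key", "transport_url",
            "rbd_secret_uuid"
        ]
        connection_keys = ["connection", "sql_connection"]

        join_con_keys = "|".join(connection_keys)

        self.apply_regex_sub(
            fr"(^\s*({'|'.join(protect_keys)})\s*=\s*)(.*)",
            r"\1*********"
        )
        # The user part accepts any run of characters other than ":", "@",
        # "/" and whitespace. Matching it with \w* left the password in
        # clear whenever the user name held a character such as "-" or ".",
        # because the pattern then failed to match at all. The scheme group
        # is lazy so that masking starts at the first "://" on the line.
        # Group numbering is unchanged: \1 is everything up to and including
        # the ":" before the password, \6 is "@" and what follows it.
        self.apply_regex_sub(
            fr"(^\s*({join_con_keys})\s*=\s*(.*?)://([^:@/\s]*):)(.*)(@(.*))",
            r"\1*********\6"
        )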


class DebianNova(OpenStackNova, DebianPlugin, UbuntuPlugin):
    """Nova plugin variant enabled on Debian and Ubuntu hosts."""

    service_name = "nova-api.service"
    apachepkg = "apache2"
    nova = False
    packages = (
        'nova-api-ec2',
        'nova-api-metadata',
        'nova-api-os-compute',
        'nova-api-os-volume',
        'nova-common',
        'nova-compute',
        'nova-compute-kvm',
        'nova-compute-lxc',
        'nova-compute-qemu',
        'nova-compute-uml',
        'nova-compute-xcp',
        'nova-compute-xen',
        'nova-xcp-plugins',
        'nova-consoleauth',
        'nova-network',
        'nova-scheduler',
        'nova-volume',
        'novnc',
        'python-nova',
        'python-novnc',
        'python3-nova',
    )

    def setup(self):
        """Run the common Nova collection, then add the Debian-only files."""
        super().setup()
        # Privilege-related policy shipped for nova: the sudoers drop-in
        # and the libvirt polkit rules.
        privilege_policy_specs = [
            "/etc/sudoers.d/nova_sudoers",
            "/usr/share/polkit-1/rules.d/60-libvirt.rules",
        ]
        self.add_copy_spec(privilege_policy_specs)


class RedHatNova(OpenStackNova, RedHatPlugin):
    """Nova plugin variant enabled on Red Hat family hosts."""

    packages = ('openstack-selinux',)
    nova = False
    apachepkg = "httpd"

    def setup(self):
        """Run the common Nova collection, then add the Red Hat-only files.

        The SSH private key below ``/var/lib/openstack/config/nova`` is
        registered as a forbidden path so that it is kept out of the report
        although its parent directory is collected.
        """
        super().setup()

        config_specs = [
            "/etc/logrotate.d/openstack-nova",
            "/etc/polkit-1/localauthority/50-local.d/50-nova.pkla",
            "/etc/sudoers.d/nova",
            "/etc/security/limits.d/91-nova.conf",
            "/etc/sysconfig/openstack-nova-novncproxy",
            "/var/lib/openstack/config/nova",
            "/var/lib/openstack/containers/nova*.json"
        ]
        self.add_copy_spec(config_specs)

        # With all_logs every file is taken, otherwise only the *.log files.
        if self.get_option("all_logs"):
            log_specs = [
                "/var/log/httpd/placement*",
                "/var/log/containers/nova/*"
            ]
        else:
            log_specs = [
                "/var/log/httpd/placement*.log",
                "/var/log/containers/nova/*.log"
            ]
        self.add_copy_spec(log_specs)

        # NOTE(review): the exclusion is registered after the copy spec that
        # covers its parent directory; confirm forbidden paths are enforced
        # when files are copied rather than when specs are added.
        private_key_exclusions = [
            "/var/lib/openstack/config/nova/ssh-privatekey"
        ]
        self.add_forbidden_path(private_key_exclusions)

# vim: set et ts=4 sw=4 :