static gboolean
sscg_make_dummy_cert (const gchar *key_file,
const gchar *cert_file,
const gchar *ca_file,
GError **error)
{
gboolean ret = FALSE;
gint exit_status;
gchar *stderr_str = NULL;
gchar *command_line = NULL;
gchar *cn = get_common_name ();
gchar *machine_id = get_machine_id ();
gchar *org;
if (machine_id)
org = machine_id;
else
org = "";
const gchar *argv[] = {
"sscg", "--quiet",
"--lifetime", "3650",
"--key-strength", "2048",
"--cert-key-file", key_file,
"--cert-file", cert_file,
"--ca-file", ca_file,
"--hostname", cn,
"--organization", org,
"--subject-alt-name", "localhost",
"--subject-alt-name", "IP:127.0.0.1/255.255.255.255",
NULL
};
command_line = g_strjoinv (" ", (gchar **)argv);
g_info ("Generating temporary certificate using: %s", command_line);
if (!g_spawn_sync (NULL, (gchar **)argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL,
NULL, &stderr_str, &exit_status, error) ||
!g_spawn_check_exit_status (exit_status, error))
{
/* Failure of SSCG is non-fatal */
g_info ("Error generating temporary dummy cert using sscg, "
"falling back to openssl");
g_clear_error (error);
goto out;
}
ret = TRUE;
out:
g_free (stderr_str);
g_free (command_line);
g_free (machine_id);
g_free (cn);
return ret;
}
DWORD request_core_machine_id(Remote* remote, Packet* packet)
{
DWORD res = ERROR_SUCCESS;
Packet* response = packet_create_response(packet);
if (response) {
packet_add_tlv_string(response, TLV_TYPE_MACHINE_ID, get_machine_id());
packet_transmit_response(res, remote, response);
}
return ERROR_SUCCESS;
}
static gchar *
generate_subject (void)
{
gchar *cn;
gchar *machine_id;
gchar *subject;
/*
* HACK: We have to use a unique value in DN because otherwise
* firefox hangs.
*
* https://bugzilla.redhat.com/show_bug.cgi?id=1204670
*
* In addition we have to generate the certificate with CA:TRUE
* because old versions of NSS refuse to process self-signed
* certificates if that's not the case.
*
*/
cn = get_common_name ();
machine_id = get_machine_id ();
if (machine_id && !g_str_equal (machine_id, ""))
{
subject = g_strdup_printf ("/O=%s/CN=%s",
machine_id, cn);
}
else
{
subject = g_strdup_printf ("/CN=%s", cn);
}
g_free (cn);
g_free (machine_id);
return subject;
}
static int load_config_file(DaemonConfig *c) {
int r = -1;
AvahiIniFile *f;
AvahiIniFileGroup *g;
assert(c);
if (!(f = avahi_ini_file_load(c->config_file ? c->config_file : AVAHI_CONFIG_FILE)))
goto finish;
for (g = f->groups; g; g = g->groups_next) {
if (strcasecmp(g->name, "server") == 0) {
AvahiIniFilePair *p;
for (p = g->pairs; p; p = p->pairs_next) {
if (strcasecmp(p->key, "host-name") == 0) {
avahi_free(c->server_config.host_name);
c->server_config.host_name = avahi_strdup(p->value);
} else if (strcasecmp(p->key, "domain-name") == 0) {
avahi_free(c->server_config.domain_name);
c->server_config.domain_name = avahi_strdup(p->value);
} else if (strcasecmp(p->key, "browse-domains") == 0) {
char **e, **t;
e = avahi_split_csv(p->value);
for (t = e; *t; t++) {
char cleaned[AVAHI_DOMAIN_NAME_MAX];
if (!avahi_normalize_name(*t, cleaned, sizeof(cleaned))) {
avahi_log_error("Invalid domain name \"%s\" for key \"%s\" in group \"%s\"\n", *t, p->key, g->name);
avahi_strfreev(e);
goto finish;
}
c->server_config.browse_domains = avahi_string_list_add(c->server_config.browse_domains, cleaned);
}
avahi_strfreev(e);
c->server_config.browse_domains = filter_duplicate_domains(c->server_config.browse_domains);
} else if (strcasecmp(p->key, "use-ipv4") == 0)
c->server_config.use_ipv4 = is_yes(p->value);
else if (strcasecmp(p->key, "use-ipv6") == 0)
c->server_config.use_ipv6 = is_yes(p->value);
else if (strcasecmp(p->key, "check-response-ttl") == 0)
c->server_config.check_response_ttl = is_yes(p->value);
else if (strcasecmp(p->key, "allow-point-to-point") == 0)
c->server_config.allow_point_to_point = is_yes(p->value);
else if (strcasecmp(p->key, "use-iff-running") == 0)
c->server_config.use_iff_running = is_yes(p->value);
else if (strcasecmp(p->key, "disallow-other-stacks") == 0)
c->server_config.disallow_other_stacks = is_yes(p->value);
else if (strcasecmp(p->key, "host-name-from-machine-id") == 0) {
if (*(p->value) == 'y' || *(p->value) == 'Y') {
char *machine_id = get_machine_id();
if (machine_id != NULL) {
avahi_free(c->server_config.host_name);
c->server_config.host_name = machine_id;
}
}
}
#ifdef HAVE_DBUS
else if (strcasecmp(p->key, "enable-dbus") == 0) {
if (*(p->value) == 'w' || *(p->value) == 'W') {
c->fail_on_missing_dbus = 0;
c->enable_dbus = 1;
} else if (*(p->value) == 'y' || *(p->value) == 'Y') {
c->fail_on_missing_dbus = 1;
c->enable_dbus = 1;
} else {
c->enable_dbus = 0;
}
}
#endif
else if (strcasecmp(p->key, "allow-interfaces") == 0) {
char **e, **t;
avahi_string_list_free(c->server_config.allow_interfaces);
c->server_config.allow_interfaces = NULL;
e = avahi_split_csv(p->value);
for (t = e; *t; t++)
c->server_config.allow_interfaces = avahi_string_list_add(c->server_config.allow_interfaces, *t);
avahi_strfreev(e);
} else if (strcasecmp(p->key, "deny-interfaces") == 0) {
char **e, **t;
avahi_string_list_free(c->server_config.deny_interfaces);
c->server_config.deny_interfaces = NULL;
e = avahi_split_csv(p->value);
for (t = e; *t; t++)
c->server_config.deny_interfaces = avahi_string_list_add(c->server_config.deny_interfaces, *t);
avahi_strfreev(e);
} else if (strcasecmp(p->key, "ratelimit-interval-usec") == 0) {
AvahiUsec k;
if (parse_usec(p->value, &k) < 0) {
avahi_log_error("Invalid ratelimit-interval-usec setting %s", p->value);
goto finish;
}
c->server_config.ratelimit_interval = k;
} else if (strcasecmp(p->key, "ratelimit-burst") == 0) {
unsigned k;
if (parse_unsigned(p->value, &k) < 0) {
avahi_log_error("Invalid ratelimit-burst setting %s", p->value);
goto finish;
}
c->server_config.ratelimit_burst = k;
} else if (strcasecmp(p->key, "cache-entries-max") == 0) {
unsigned k;
if (parse_unsigned(p->value, &k) < 0) {
avahi_log_error("Invalid cache-entries-max setting %s", p->value);
goto finish;
}
c->server_config.n_cache_entries_max = k;
#ifdef HAVE_DBUS
} else if (strcasecmp(p->key, "clients-max") == 0) {
unsigned k;
if (parse_unsigned(p->value, &k) < 0) {
avahi_log_error("Invalid clients-max setting %s", p->value);
goto finish;
}
c->n_clients_max = k;
} else if (strcasecmp(p->key, "objects-per-client-max") == 0) {
unsigned k;
if (parse_unsigned(p->value, &k) < 0) {
avahi_log_error("Invalid objects-per-client-max setting %s", p->value);
goto finish;
}
c->n_objects_per_client_max = k;
} else if (strcasecmp(p->key, "entries-per-entry-group-max") == 0) {
unsigned k;
if (parse_unsigned(p->value, &k) < 0) {
avahi_log_error("Invalid entries-per-entry-group-max setting %s", p->value);
goto finish;
}
c->n_entries_per_entry_group_max = k;
#endif
} else {
avahi_log_error("Invalid configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
goto finish;
}
}
} else if (strcasecmp(g->name, "publish") == 0) {
AvahiIniFilePair *p;
for (p = g->pairs; p; p = p->pairs_next) {
if (strcasecmp(p->key, "publish-addresses") == 0)
c->server_config.publish_addresses = is_yes(p->value);
else if (strcasecmp(p->key, "publish-hinfo") == 0)
c->server_config.publish_hinfo = is_yes(p->value);
else if (strcasecmp(p->key, "publish-workstation") == 0)
c->server_config.publish_workstation = is_yes(p->value);
else if (strcasecmp(p->key, "publish-domain") == 0)
c->server_config.publish_domain = is_yes(p->value);
else if (strcasecmp(p->key, "publish-resolv-conf-dns-servers") == 0)
c->publish_resolv_conf = is_yes(p->value);
else if (strcasecmp(p->key, "disable-publishing") == 0)
c->server_config.disable_publishing = is_yes(p->value);
else if (strcasecmp(p->key, "disable-user-service-publishing") == 0)
c->disable_user_service_publishing = is_yes(p->value);
else if (strcasecmp(p->key, "add-service-cookie") == 0)
c->server_config.add_service_cookie = is_yes(p->value);
else if (strcasecmp(p->key, "publish-dns-servers") == 0) {
avahi_strfreev(c->publish_dns_servers);
c->publish_dns_servers = avahi_split_csv(p->value);
} else if (strcasecmp(p->key, "publish-a-on-ipv6") == 0)
c->server_config.publish_a_on_ipv6 = is_yes(p->value);
else if (strcasecmp(p->key, "publish-aaaa-on-ipv4") == 0)
c->server_config.publish_aaaa_on_ipv4 = is_yes(p->value);
else {
avahi_log_error("Invalid configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
goto finish;
}
}
} else if (strcasecmp(g->name, "wide-area") == 0) {
AvahiIniFilePair *p;
for (p = g->pairs; p; p = p->pairs_next) {
if (strcasecmp(p->key, "enable-wide-area") == 0)
c->server_config.enable_wide_area = is_yes(p->value);
else {
avahi_log_error("Invalid configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
goto finish;
}
}
} else if (strcasecmp(g->name, "reflector") == 0) {
AvahiIniFilePair *p;
for (p = g->pairs; p; p = p->pairs_next) {
if (strcasecmp(p->key, "enable-reflector") == 0)
c->server_config.enable_reflector = is_yes(p->value);
else if (strcasecmp(p->key, "reflect-ipv") == 0)
c->server_config.reflect_ipv = is_yes(p->value);
else {
avahi_log_error("Invalid configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
goto finish;
}
}
} else if (strcasecmp(g->name, "rlimits") == 0) {
AvahiIniFilePair *p;
for (p = g->pairs; p; p = p->pairs_next) {
if (strcasecmp(p->key, "rlimit-as") == 0) {
c->rlimit_as_set = 1;
c->rlimit_as = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-core") == 0) {
c->rlimit_core_set = 1;
c->rlimit_core = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-data") == 0) {
c->rlimit_data_set = 1;
c->rlimit_data = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-fsize") == 0) {
c->rlimit_fsize_set = 1;
c->rlimit_fsize = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-nofile") == 0) {
c->rlimit_nofile_set = 1;
c->rlimit_nofile = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-stack") == 0) {
c->rlimit_stack_set = 1;
c->rlimit_stack = atoi(p->value);
} else if (strcasecmp(p->key, "rlimit-nproc") == 0) {
#ifdef RLIMIT_NPROC
c->rlimit_nproc_set = 1;
c->rlimit_nproc = atoi(p->value);
#else
avahi_log_error("Ignoring configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
#endif
} else {
avahi_log_error("Invalid configuration key \"%s\" in group \"%s\"\n", p->key, g->name);
goto finish;
}
}
} else {
avahi_log_error("Invalid configuration file group \"%s\".\n", g->name);
goto finish;
}
}
r = 0;
finish:
if (f)
avahi_ini_file_free(f);
return r;
}
bool k8s_event_handler::handle_component(const Json::Value& json, const msg_data* data)
{
if(m_event_filter)
{
if(m_state)
{
if(data)
{
if((data->m_reason == k8s_component::COMPONENT_ADDED) ||
(data->m_reason == k8s_component::COMPONENT_MODIFIED))
{
g_logger.log("K8s EVENT: handling event.", sinsp_logger::SEV_TRACE);
const Json::Value& involved_object = json["involvedObject"];
if(!involved_object.isNull())
{
bool is_aggregate = (get_json_string(json , "message").find("events with common reason combined") != std::string::npos);
time_t last_ts = get_epoch_utc_seconds(get_json_string(json , "lastTimestamp"));
time_t now_ts = get_epoch_utc_seconds_now();
g_logger.log("K8s EVENT: lastTimestamp=" + std::to_string(last_ts) + ", now_ts=" + std::to_string(now_ts),
sinsp_logger::SEV_TRACE);
if(((last_ts > 0) && (now_ts > 0)) && // we got good timestamps
!is_aggregate && // not an aggregated cached event
((now_ts - last_ts) < 10)) // event not older than 10 seconds
{
const Json::Value& kind = involved_object["kind"];
const Json::Value& event_reason = json["reason"];
g_logger.log("K8s EVENT: involved object and event reason found:" + kind.asString() + '/' + event_reason.asString(),
sinsp_logger::SEV_TRACE);
if(!kind.isNull() && kind.isConvertibleTo(Json::stringValue) &&
!event_reason.isNull() && event_reason.isConvertibleTo(Json::stringValue))
{
bool is_allowed = m_event_filter->allows_all();
std::string type = kind.asString();
if(!is_allowed && !type.empty())
{
std::string reason = event_reason.asString();
is_allowed = m_event_filter->allows_all(type);
if(!is_allowed && !reason.empty())
{
is_allowed = m_event_filter->has(type, reason);
}
}
if(is_allowed)
{
k8s_events& evts = m_state->get_events();
if(evts.size() < sinsp_user_event::max_events_per_cycle())
{
k8s_event_t& evt = m_state->add_component<k8s_events, k8s_event_t>(evts,
data->m_name, data->m_uid, data->m_namespace);
m_state->update_event(evt, json);
m_event_limit_exceeded = false;
if(g_logger.get_severity() >= sinsp_logger::SEV_DEBUG)
{
g_logger.log("K8s EVENT: added event [" + data->m_name + "]. "
"Queued events count=" + std::to_string(evts.size()), sinsp_logger::SEV_DEBUG);
}
}
else if(!m_event_limit_exceeded) // only get in here once per cycle, to send event overflow warning
{
sinsp_user_event::emit_event_overflow("Kubernetes", get_machine_id());
m_event_limit_exceeded = true;
return false;
}
else // event limit exceeded and overflow logged, nothing to do
{
return false;
}
}
else // event not allowed by filter, ignore
{
if(g_logger.get_severity() >= sinsp_logger::SEV_TRACE)
{
g_logger.log("K8s EVENT: filter does not allow {\"" + type + "\", \"{" + event_reason.asString() + "\"} }",
sinsp_logger::SEV_TRACE);
g_logger.log(m_event_filter->to_string(), sinsp_logger::SEV_TRACE);
}
m_event_ignored = true;
return false;
}
}
else
{
g_logger.log("K8s EVENT: event type or involvedObject kind not found.", sinsp_logger::SEV_ERROR);
if(g_logger.get_severity() >= sinsp_logger::SEV_TRACE)
{
g_logger.log(Json::FastWriter().write(json), sinsp_logger::SEV_TRACE);
}
return false;
}
}
else // old event, ignore
{
g_logger.log("K8s EVENT: old event, ignoring: "
", lastTimestamp=" + std::to_string(last_ts) + ", now_ts=" + std::to_string(now_ts),
sinsp_logger::SEV_DEBUG);
m_event_ignored = true;
return false;
}
}
else
{
g_logger.log("K8s EVENT: involvedObject not found.", sinsp_logger::SEV_ERROR);
g_logger.log(Json::FastWriter().write(json), sinsp_logger::SEV_TRACE);
return false;
}
}
else // not ADDED or MODIFIED event, ignore
{
m_event_ignored = true;
return false;
}
}
else
{
g_logger.log("K8s EVENT: msg data is null.", sinsp_logger::SEV_ERROR);
g_logger.log(Json::FastWriter().write(json), sinsp_logger::SEV_TRACE);
return false;
}
}
else
{
g_logger.log("K8s EVENT: state is null.", sinsp_logger::SEV_ERROR);
return false;
}
}
else
{
g_logger.log("K8s EVENT: no filter, K8s events disabled.", sinsp_logger::SEV_TRACE);
return false;
}
return true;
}
