Add support for any local LDAP user to run collect

This update replaces the currently enforced sysadmin username,
allowing any local LDAP user, that is part of the sudo and
sys_protected groups, to run collect.

This change introduced several challenging new failure modes
that necessitated some refactoring of collect's existing fault
reporting.

Enhancements were made to the detection, handling and reporting of
failures at 'all levels'; i.e. local host, remote host, subcloud
and subcloud remote host.

Specific attention was put towards handling of the most probable failure
modes that include detection and handling of passwordless sudo,
unsupported sudo, unknown usernames, unreachable hosts, invalid
passwords, out of space errors, etc. 'at all levels'.

Generally, multi host collect handling continues in the presence of
remote host collect errors or warnings. Whereas local host failures
are typically treated as fatal.

Additionally, reporting of collect timeout cases was improved;
instead of printing only a timeout code number, a string based
timeout cause is now included.

Improvements were also made in the handling and packaging of the
collect.log file. A collect.log is now included at the main bundle
and subcloud collect levels. Some failures to collect remote hosts
are now logged in these files at the appropriate level.
If a user notices that a host or subcloud is missing from a bundle,
say because it was unreachable or had sudo-less password enabled,
the collect log will have a warning message to that effect.

A 5 second yield was added to subcloud collect monitoring to reduce
the cpu load subcloud collect monitoring was inducing. This lines up
with the existing 5 second yield done for host collect monitoring.

In an attempt to improve the collect user experience, the following
additional improvements were made.

- Attempt to source the openrc file and query system inventory is
  moved after the password prompt. This allows the various password
  checks to be handled early making the tool feel more responsive.

- The global collect timeout now starts only after password is input
  and inventory is read so these operations don't contribute towards
  the collection time.

- Improves how collect reports to the console and logs the hosts
  and/or subclouds that 'will be' and 'were successfully' collected from.

- Added expect segment debug logging tied to the --debug option.
  With debug enabled each function's expect segment logs its
  execution output to /tmp with files of the following form.

      /tmp/collect_expect_<username>_<unit>_<function>

- Added a --password option to simplify collect test automation.

- Replaced the subcloud collect verbose option with debug.
  The verbose subcloud collect was known to cause issues.

All the above changes warranted a collect tool up-version to 3.0.

Test Plan: A full collect regression was performed

PASS: Verify install and collect testing on the following systems
      - All-In-One SX
      - All-In-One DX
      - Standard DX with 1 worker and 1 storage
      - Simplex DC system with 2 subclouds ; 1 SX and 1 DX

Success Path Handling: both sysadmin and any other username

PASS: Verify collect handling at all levels
PASS: Verify dated collect all for system and subcloud
PASS: Verify all variations of collect host list handling
PASS: Verify collect clean at all levels
PASS: Verify system and subcloud collect --report handling
PASS: Verify collect all --skip-mask
PASS: Verify collect all --timeout
PASS: Verify collect all --inline
PASS: Verify collect all --subcloud
PASS: Verify collect all --verbose
PASS: Verify collect all --verbose --debug
PASS: Verify collect all --version
PASS: Verify collect all --subcloud --inline
PASS: Verify collect all on SX/DX standard and DC systems
PASS: Verify new collect --password option
PASS: Verify collect bundle content between sysadmin and other user.
PASS: Verify bundle includes collect.log at bundle and host levels
PASS: Verify collect.log content at each level.
PASS: Verify collect from remote host that does not have this update
PASS: Verify collect from subcloud that does not have this update
PASS: Verify system and subcloud collect using account password with
             special character(s).

Failure Path Handling: error response should clearly indicate the issue

PASS: Verify all level collect handling of unknown username
PASS: Verify all level collect handling with passwordless sudo enabled
PASS: Verify all level collect handling of unsupported sudo
PASS: Verify all level collect handling where hosts run out of scratch
PASS: Verify all level collect handling of a host whose scratch space
             is filled to 75% or more
PASS: Verify a successful collect following the cleanup of a previous
             out of space error.
PASS: Verify collect handling of all non-active controller cases
PASS: Verify collect handling of an invalid hostname
PASS: Verify collect handling of unreachable remote hosts at all levels
PASS: Verify collect handling of an invalid password at all levels
PASS: Verify collect host and subcloud collect timeout handling
PASS: Verify collect global timeout handling
PASS: Verify collect handling of failure to get the remote tarball
PASS: Verify collect debug option handling and data

Story: 2010533
Task: 50419
Change-Id: Ibd827e1c72190bcdcf710b32ad7903cfa397c394
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Eric MacDonald 2024-06-25 14:21:29 +00:00
parent 6d71e3f01c
commit 3b5d1182d4
4 changed files with 831 additions and 354 deletions

File diff suppressed because it is too large

View File

@ -143,7 +143,7 @@ if [ "$nodetype" = "controller" -a "${ACTIVE}" = true ] ; then
echo >>${LOGFILE_HELM}
# NOTE: helm environment not configured for root user
CMD="sudo -u sysadmin KUBECONFIG=${KUBECONFIG} helm list --all --all-namespaces"
CMD="sudo -u $(whoami) KUBECONFIG=${KUBECONFIG} helm list --all --all-namespaces"
delimiter ${LOGFILE_HELM} "${CMD}"
${CMD} 2>>${COLLECT_ERROR_LOG} >>${LOGFILE_HELM}
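
Review bot: `$(whoami)` in the new CMD line is expanded as whatever user this script itself runs as, so if the plugin is invoked under sudo it resolves to root and the command becomes `sudo -u root ... helm list`, which is the case the NOTE comment above says does not work ("helm environment not configured for root user"). If the intent is the user who launched collect, pass that username in explicitly or use `${SUDO_USER:-$(whoami)}`, and update the NOTE to say which user is expected.
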
@ -152,16 +152,16 @@ if [ "$nodetype" = "controller" -a "${ACTIVE}" = true ] ; then
for RELEASE in "${RELEASES[@]:1}"; do
NAME=$(echo ${RELEASE} | awk '{print $1}')
NAMESPACE=$(echo ${RELEASE} | awk '{print $2}')
CMD="sudo -u sysadmin KUBECONFIG=${KUBECONFIG} helm history -n ${NAMESPACE} ${NAME}"
CMD="sudo -u $(whoami) KUBECONFIG=${KUBECONFIG} helm history -n ${NAMESPACE} ${NAME}"
delimiter ${HELM_DIR}/helm-history.info "${CMD}"
${CMD} >> ${HELM_DIR}/helm-history.info 2>>${COLLECT_ERROR_LOG}
done
CMD="sudo -u sysadmin KUBECONFIG=${KUBECONFIG} helm search repo"
CMD="sudo -u $(whoami) KUBECONFIG=${KUBECONFIG} helm search repo"
delimiter ${LOGFILE_HELM} "${CMD}"
${CMD} 2>>${COLLECT_ERROR_LOG} >>${LOGFILE_HELM}
CMD="sudo -u sysadmin KUBECONFIG=${KUBECONFIG} helm repo list"
CMD="sudo -u $(whoami) KUBECONFIG=${KUBECONFIG} helm repo list"
delimiter ${LOGFILE_HELM} "${CMD}"
${CMD} 2>>${COLLECT_ERROR_LOG} >>${LOGFILE_HELM}
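
Review bot: the `sudo -u $(whoami)` prefix is now built four times in this file, including once per release inside the `for RELEASE` loop, forking `whoami` on every iteration. Resolve the user once near the top of the script into a variable and reuse it in the `helm history`, `helm search repo` and `helm repo list` commands, so a later change to how the user is determined touches one line.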

View File

@ -1,7 +1,7 @@
#! /bin/bash
########################################################################
#
# Copyright (c) 2016-2024 Wind River Systems, Inc.
# Copyright (c) 2016-2022, 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -36,6 +36,7 @@ COLLECT_NAME="${1}"
DEBUG=${8}
INVENTORY=${9}
set_debug_mode ${DEBUG}
expect_debug=$([ "${DEBUG}" = true ] && echo "-d" || echo "")
# Calling parms
#
@ -478,7 +479,7 @@ if [ "${OMIT_CERTS}" != "true" ]; then
dlog "running /usr/local/sbin/collect_certificates ${EXTRA_DIR}"
COLLECT_ERROR_LOG="$COLLECT_ERROR_LOG" \
/usr/local/sbin/collect_certificates ${EXTRA_DIR}
log_space "after collecting certificates :"
log_space "after certificates ..:"
fi
(cd ${COLLECT_BASE_DIR} ; ${IONICE_CMD} ${NICE_CMD} ${TAR_ZIP_CMD} ${COLLECT_NAME_DIR}.tgz ${COLLECT_NAME} 2>/dev/null 1>/dev/null )
@ -489,12 +490,9 @@ mkdir -p ${COLLECT_NAME_DIR}/${FLIGHT_RECORDER_PATH}
(cd /${FLIGHT_RECORDER_PATH} ; ${TAR_ZIP_CMD} ${COLLECT_NAME_DIR}/${FLIGHT_RECORDER_PATH}/${FLIGHT_RECORDER_FILE}.tgz ./${FLIGHT_RECORDER_FILE} 2>>${COLLECT_ERROR_LOG} 1>>${COLLECT_ERROR_LOG})
# Pull in an updated user.log which contains the most recent collect logs
# ... be sure to exclude any out of space logs
tail -30 /var/log/user.log | grep "COLLECT:" | grep -v "${FAIL_OUT_OF_SPACE_STR}" >> ${COLLECT_ERROR_LOG}
cp -a ${COLLECT_LOG} ${COLLECT_LOG}.last
cp -a ${COLLECT_ERROR_LOG} ${COLLECT_LOG}
cp -a ${COLLECT_LOG} ${COLLECT_NAME_DIR}/var/log
# save the collect.log file to this host's tarball
cp -a ${COLLECT_ERROR_LOG} ${COLLECT_NAME_DIR}/${COLLECT_LOG}
log_space "with flight data ....:"
@ -509,15 +507,22 @@ log_space "after cleanup .......:"
# Check for collect errors
# Only out of space error is enough to fail this hosts's collect
collect_errors ${HOSTNAME}
collect_errors "${HOSTNAME}"
RC=${?}
rm -f ${COLLECT_ERROR_LOG}
if [ ${RC} -ne 0 ] ; then
rm -f ${COLLECT_NAME_DIR}.tgz
ilog "${FAIL_OUT_OF_SPACE_STR} ${COLLECT_BASE_DIR}"
if [ "${REMOTE_HOST}" = true ] ; then
ilog "${FAIL_OUT_OF_SPACE_REMOTE_STR} ${COLLECT_BASE_DIR}"
else
ilog "${FAIL_OUT_OF_SPACE_STR} ${COLLECT_BASE_DIR}"
fi
else
ilog "collect of ${COLLECT_NAME_DIR}.tgz succeeded"
echo "${collect_done}"
fi
dlog "collect_host exit code: ${rc}"
exit ${rc}
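
Review bot: the last two lines of this hunk use `${rc}` (lowercase), but the result of collect_errors is captured a few lines up as `RC=${?}` and tested as `${RC}`. Unless `rc` is assigned elsewhere in the file, `exit ${rc}` expands to a bare `exit` and returns the status of the preceding dlog call, so an out-of-space failure would exit 0. Use one name throughout, for example `rc=${?}` followed by `if [ ${rc} -ne 0 ]`.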

View File

@ -1,6 +1,6 @@
#! /bin/bash
#
# Copyright (c) 2013-2019 Wind River Systems, Inc.
# Copyright (c) 2013-2019, 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -8,6 +8,7 @@
##########################################################################################
DEBUG=false
redirect="/dev/null"
# Fail Codes
PASS=0
@ -16,18 +17,17 @@ RETRY=2
FAIL_NODETYPE=3
FAIL_TIMEOUT=10
FAIL_TIMEOUT1=11
FAIL_TIMEOUT2=12
FAIL_TIMEOUT3=13
FAIL_TIMEOUT4=14
FAIL_TIMEOUT5=15
FAIL_TIMEOUT6=16
FAIL_TIMEOUT7=17
FAIL_TIMEOUT8=18
FAIL_TIMEOUT9=19
FAIL_SUBCLOUD_TIMEOUT=20
FAIL_TIMEOUT_GLOBAL=10
FAIL_TIMEOUT_OPERATION=11
FAIL_TIMEOUT_OPERATION_SCP=12
FAIL_TIMEOUT_OPERATION_SSH=13
FAIL_TIMEOUT_HOST_ACCESS=14
FAIL_TIMEOUT_HOST=15
FAIL_TIMEOUT_PW=16
FAIL_TIMEOUT_SCP=17
FAIL_TIMEOUT_SSH=18
FAIL_TIMEOUT_SUBCLOUD_ACCESS=19
FAIL_TIMEOUT_SUBCLOUD=20
FAIL_PASSWORD=30
FAIL_PERMISSION=31
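
Review bot: FAIL_TIMEOUT1 through FAIL_TIMEOUT9 and FAIL_SUBCLOUD_TIMEOUT are replaced by descriptive names on the same numeric range (10 to 20), so any script not touched by this change that still references an old name will get an empty expansion rather than an error. Worth a grep across the collect plugins for the old names, plus a short comment above this block stating which operation raises each code, since hosts without this update (covered in the test plan) will still return these numbers with their old, generic meaning.
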
@ -35,7 +35,7 @@ FAIL_CLEANUP=32
FAIL_UNREACHABLE=33
FAIL_HOSTNAME=34
FAIL_INACTIVE=35
FAIL_PERMISSION_SKIP=36
FAIL_PERMISSION_REMOTE=36
FAIL_OUT_OF_SPACE=37
FAIL_INSUFFICIENT_SPACE=38
FAIL_INTERNAL=39
@ -59,6 +59,13 @@ FAIL_INVALID_START_DATE=56
FAIL_INVALID_END_DATE=57
FAIL_INVALID_DATE_RANGE=58
FAIL_TIMEOUT_ARG=59
FAIL_NOT_SUDOER=60
FAIL_NOT_SUDOER_REMOTE=61
FAIL_PASSWORDLESS=65
FAIL_PASSWORDLESS_REMOTE=66
FAIL_INSUFFICIENT_SPACE_REMOTE=70
FAIL_NOT_ENOUGH_SPACE_REMOTE=71
FAIL_OUT_OF_SPACE_REMOTE=72
# Warnings are above 200
WARN_WARNING=200
@ -69,23 +76,48 @@ COLLECT_ERROR="Error:"
COLLECT_DEBUG="Debug:"
COLLECT_WARN="Warning:"
# common permission error strings
pw_error="orry, try again"
ac_error="ermission denied"
su_error="not in the sudoers"
# Failure Strings
FAIL_NOT_ENOUGH_SPACE_STR="Not enough /scratch filesystem space"
FAIL_NOT_ENOUGH_SPACE_REMOTE_STR="Not enough remote /scratch filesystem space"
FAIL_OUT_OF_SPACE_STR="No space left on device"
FAIL_OUT_OF_SPACE_REMOTE_STR="No space left on remote device"
FAIL_TAR_OUT_OF_SPACE_STR="tar: Error is not recoverable"
FAIL_INSUFFICIENT_SPACE_STR="Not enough space on device"
FAIL_UNREACHABLE_STR="Unreachable"
FAIL_INSUFFICIENT_SPACE_REMOTE_STR="Not enough space on remote device"
FAIL_TIMEOUT_STR="operation timeout"
FAIL_TIMEOUT_ARG_STR="out-of-range timeout"
FAIL_SUBCLOUD_TIMEOUT_STR="subcloud collect timeout"
# Operational timeouts
FAIL_TIMEOUT_GLOBAL_STR="global collect timeout"
FAIL_TIMEOUT_PW_STR="password prompt timeout"
FAIL_TIMEOUT_SCP_STR="scp timeout"
FAIL_TIMEOUT_SSH_STR="ssh timeout"
FAIL_TIMEOUT_OPERATION_STR="linux operation timeout"
FAIL_TIMEOUT_OPERATION_SSH_STR="ssh operation timeout"
FAIL_TIMEOUT_OPERATION_SCP_STR="linux operation timeout"
# host and subcloud timeouts
FAIL_TIMEOUT_HOST_ACCESS_STR="host access timeout"
FAIL_TIMEOUT_HOST_STR="host collect timeout"
FAIL_TIMEOUT_SUBCLOUD_ACCESS_STR="subcloud access timeout"
FAIL_TIMEOUT_SUBCLOUD_STR="subcloud collect timeout"
FAIL_NO_FILE_SPECIFIED_STR="no file specified"
FAIL_FILE_NOT_FOUND_STR="no such file or directory"
FAIL_FILE_EMPTY_STR="file is empty"
FAIL_PASSWORD_PROMPT_STR="password for"
FAIL_PASSWORDLESS_STR="timeout waiting for password prompt"
FAIL_PASSWORDLESS_REMOTE_STR="timeout waiting for remote password prompt"
FAIL_NOT_SUDOER_STR="collect requires sudo on host"
FAIL_NOT_SUDOER_REMOTE_STR="collect requires sudo on remote host"
FAIL_INVALID_PASSWORD_STR="invalid password"
FAIL_PERMISSION_STR="permission error"
FAIL_DATE_FORMAT_STR="date format"
FAIL_INACTIVE_STR="not active"
FAIL_NO_HOSTS_STR="empty host list"
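
Review bot: FAIL_TIMEOUT_OPERATION_SCP_STR is set to "linux operation timeout", identical to FAIL_TIMEOUT_OPERATION_STR, while the SSH variant reads "ssh operation timeout". This looks like a copy-paste slip; with it, codes 11 and 12 are indistinguishable in the log, so it should probably read "scp operation timeout". Separately, pw_error, ac_error and su_error match English sudo and ssh messages; a comment stating that the expect segments assume an English locale on the target would help.
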
@ -93,6 +125,9 @@ FAIL_NO_SUBCLOUDS_STR="empty subcloud list"
FAIL_MISSING_PARAMETER_STR="missing parameter"
FAIL_FILE_COPY_STR="failed to copy"
FAIL_CONTINUE_STR="cannot continue"
FAIL_UNREACHABLE_STR="Unreachable"
FAIL_PERMISSION_REMOTE_STR="remote permission error"
FAIL_UNSPECIFIED_CAUSE_STR="unspecified cause"
# The minimum amount of % free space on /scratch to allow collect to proceed
MIN_PERCENT_SPACE_REQUIRED=75
@ -104,9 +139,9 @@ MIN_PERCENT_SPACE_REQUIRED=75
declare -i COLLECT_BASE_DIR_FULL_THRESHOLD=2147484 # 2Gib in K blocks rounded up
# Log file path/names
COLLECT_LOG=/var/log/collect.log
COLLECT_ERROR_LOG=/tmp/collect_error.log
HOST_COLLECT_ERROR_LOG="/tmp/host_collect_error.log"
COLLECT_LOG=collect.log
COLLECT_ERROR_LOG=/tmp/$(whoami)_collect_error.log
HOST_COLLECT_ERROR_LOG="/tmp/$(whoami)_host_collect_error.log"
DCROLE_SYSTEMCONTROLLER="systemcontroller"
DCROLE_SUBCLOUD="subcloud"
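
Review bot: COLLECT_ERROR_LOG and HOST_COLLECT_ERROR_LOG remain fixed, predictable names in /tmp, now keyed only by `$(whoami)`. With collect opened up to any LDAP user in the sudo group, another local account can create `/tmp/<user>_collect_error.log` ahead of the run, and the plugins append to that path with `2>>${COLLECT_ERROR_LOG}`. Prefer `mktemp` or a per-user directory with mode 0700, and hand the resulting path to the plugins. Also, COLLECT_LOG changes from an absolute path to a bare filename; a comment saying it is now relative to the bundle directory would prevent a later write to `${COLLECT_LOG}` from the wrong working directory.
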
@ -132,7 +167,7 @@ function source_openrc_if_needed
fi
if [ "${nodetype}" != "controller" -a "${nodetype}" != "worker" -a "${nodetype}" != "storage" ] ; then
logger -t ${COLLECT_TAG} "could not identify nodetype ($nodetype)"
wlog "could not identify nodetype ($nodetype)"
exit $FAIL_NODETYPE
fi
@ -150,13 +185,13 @@ function source_openrc_if_needed
fi
}
# Setup an expect command completion file.
# This is used to force serialization of expect
# sequences and highlight command completion
collect_done="collect done"
cmd_done_sig="expect done"
cmd_done_file="/usr/local/sbin/expect_done"
EXPECT_LOG_FILE="/tmp/collect_expect"
# Compression Commands
TAR_ZIP_CMD="tar -cvzf"
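
Review bot: EXPECT_LOG_FILE places the --debug expect output under /tmp with a predictable name (the commit message gives the form `/tmp/collect_expect_<username>_<unit>_<function>`). With `-d`, which expect_debug sets in collect_host, expect prints the strings it sends as well as what it matches, so if any segment sends the account password it will end up in these files. Create them under a restrictive umask (077), remove them when the run finishes, and add a comment here that the logs are sensitive.
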
@ -181,25 +216,25 @@ BUILD_INFO_CMD="cat /etc/build.info"
################################################################################
function log
{
logger -t ${COLLECT_TAG} $@
logger -t ${COLLECT_TAG} "$(whoami) $@"
}
function ilog
{
echo "$@"
logger -t ${COLLECT_TAG} $@
logger -t ${COLLECT_TAG} "$(whoami) $@"
}
function elog
{
echo "${COLLECT_ERROR} $@"
logger -t ${COLLECT_TAG} "${COLLECT_ERROR} $@"
logger -t ${COLLECT_TAG} "$(whoami) ${COLLECT_ERROR} $@"
}
function wlog
{
echo "${COLLECT_WARN} $@"
logger -t ${COLLECT_TAG} "${COLLECT_WARN} $@"
logger -t ${COLLECT_TAG} "$(whoami) ${COLLECT_WARN} $@"
}
function set_debug_mode()
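
Review bot: embedding `$@` in a quoted string with other text, as in `"$(whoami) $@"`, joins only the first argument to the prefix and passes the remaining arguments as separate words; `$*` is the form for building a single message string. Each log call now also forks `whoami`; caching the name in a variable when this file is sourced avoids that and keeps the prefix consistent for the whole run.
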
@ -210,7 +245,7 @@ function set_debug_mode()
function dlog()
{
if [ "$DEBUG" == true ] ; then
logger -t ${COLLECT_TAG} "${COLLECT_DEBUG} $@"
logger -t ${COLLECT_TAG} $(whoami) "${COLLECT_DEBUG} $@"
echo "$(date) ${COLLECT_DEBUG} $@"
fi
}
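
Review bot: in dlog the `$(whoami)` is left outside the quotes, unlike log, ilog, elog and wlog in the previous hunk where it is part of the quoted message. Make the logger argument a single quoted string in the same form as the others so the debug lines are formatted consistently.
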
@ -271,8 +306,8 @@ listOfOutOfSpaceErrors=(
function collect_errors()
{
local host=${1}
local RC=0
local host="${1}"
local rc=0
if [ -e "${COLLECT_ERROR_LOG}" ] ; then
@ -281,24 +316,19 @@ function collect_errors()
while [ "x${listOfOutOfSpaceErrors[index]}" != "x" ] ; do
grep -q "${listOfOutOfSpaceErrors[index]}" ${COLLECT_ERROR_LOG}
if [ "$?" == "0" ] ; then
string="failed to collect from ${host} (reason:${FAIL_OUT_OF_SPACE}:${FAIL_OUT_OF_SPACE_STR})"
# /var/log/user.log it
logger -t ${COLLECT_TAG} "${string}"
# logs that show up in the foreground
echo "${string}"
echo "Increase available space in ${host}:${COLLECT_BASE_DIR} and retry operation."
wlog "Out of space error(s) found in ${host}:${COLLECT_ERROR_LOG}"
if [ "${REMOTE_HOST}" = false ] ; then
rc=${FAIL_OUT_OF_SPACE}
else
rc=${FAIL_OUT_OF_SPACE_REMOTE}
fi
# return error code
RC=1
break
fi
index=$(($index+1))
done
fi
return ${RC}
return ${rc}
}
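
Review bot: the new branch tests `[ "${REMOTE_HOST}" = false ]`, so an unset or empty REMOTE_HOST is treated as remote and returns FAIL_OUT_OF_SPACE_REMOTE, whereas collect_host tests `= true` and treats unset as local. Pick one default, ideally by initializing REMOTE_HOST next to `DEBUG=false` at the top of this file, and test it the same way everywhere. The function comment should also state that the return value is now a fail code rather than 0 or 1.
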
############################################################################
@ -320,11 +350,13 @@ function space_precheck()
size=`echo ${space1} | cut -f 1 -d '%'`
if [ ${size} -ge 0 -a ${size} -le 100 ] ; then
if [ ${size} -ge ${MIN_PERCENT_SPACE_REQUIRED} ] ; then
ilog "${COLLECT_BASE_DIR} is $size% full"
echo "${FAIL_INSUFFICIENT_SPACE_STR}"
wlog "${HOSTNAME}:${COLLECT_BASE_DIR} does not have enough available space in to perform collect"
wlog "${HOSTNAME}:${COLLECT_BASE_DIR} must be below ${MIN_PERCENT_SPACE_REQUIRED}% to perform collect"
wlog "Increase available space in ${HOSTNAME}:${COLLECT_BASE_DIR} and retry operation."
if [ "${REMOTE_HOST}" = false ] ; then
elog "${HOSTNAME}:${COLLECT_BASE_DIR} ${FAIL_INSUFFICIENT_SPACE_STR}"
else
wlog "${HOSTNAME}:${COLLECT_BASE_DIR} ${FAIL_INSUFFICIENT_SPACE_REMOTE_STR}"
fi
wlog "${HOSTNAME}:${COLLECT_BASE_DIR} at ${size}% ; usage must be below ${MIN_PERCENT_SPACE_REQUIRED}%"
wlog "Increase available space in ${HOSTNAME}:${COLLECT_BASE_DIR} and retry operation"
exit ${FAIL_INSUFFICIENT_SPACE}
fi
else
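
Review bot: the remote branch logs FAIL_INSUFFICIENT_SPACE_REMOTE_STR, but the function still exits with `${FAIL_INSUFFICIENT_SPACE}` in both cases even though FAIL_INSUFFICIENT_SPACE_REMOTE=70 is added earlier in this file. If the caller is meant to tell local from remote by exit code, as collect_errors now does for out-of-space, exit with the remote code in the else branch; if matching on the string is the intent, say so in a comment.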