From 956cc87cc1e8bbff44107fba2164c3066f7c46f2 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Tue, 20 Aug 2019 14:10:43 +0200
Subject: [PATCH] Fix error message when OTP is missing, add logging

* Fix cloud-init error message when OTP is missing
* Add a log message in novajoin-server

Change-Id: Ib299269c564744af6a5fcded9195d27be1c14ce7
Related-Bug: 1836529
---
files/cloud-config-novajoin.json | 2 +-
files/cloud-config-novajoin.yaml | 5 +++++
novajoin/ipa.py | 3 +++
3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/files/cloud-config-novajoin.json b/files/cloud-config-novajoin.json
index 6c7faf6..4ddc585 100644
--- a/files/cloud-config-novajoin.json
+++ b/files/cloud-config-novajoin.json
@@ -1 +1 @@ -{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n function get_metadata_config_drive {\n if [ -f /run/cloud-init/status.json ]; then\n # Get metadata from config drive\n data=`cat /run/cloud-init/status.json`\n config_drive=`echo $data | python -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get(\"v1\", {}).get(\"datasource\"); print(re.findall(r\"source=(.*)]\", ds)[0])'`\n if [[ -b $config_drive ]]; then\n temp_dir=`mktemp -d`\n mount $config_drive $temp_dir\n if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then\n data=`cat $temp_dir/openstack/latest/vendor_data2.json`\n umount $config_drive\n rmdir $temp_dir\n else\n umount $config_drive\n rmdir $temp_dir\n fi\n else \n echo \"Unable to retrieve metadata from config drive.\"\n return 1\n fi\n else\n echo \"Unable to retrieve metadata from config drive.\"\n return 1\n fi\n \n return 0\n }\n \n function get_metadata_network {\n # Get metadata over the network\n data=$(timeout 300 /bin/bash -c 'data=\"\"; while [ -z \"$data\" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')\n \n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata from metadata service.\"\n return 1\n fi\n }\n \n function get_fqdn {\n # Get the instance hostname out of the metadata\n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"hostname\", \"\"))'`\n if [ -z \"$fqdn\"]; then\n echo \"Unable to determine hostname\"\n return 1\n fi\n return 0\n }\n \n if ! get_metadata_config_drive || ! get_fqdn; then\n if ! get_metadata_network || ! 
get_fqdn; then\n echo \"FATAL: No metadata available or could not read the hostname from the metadata\"\n exit 1\n fi\n fi\n \n realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"krb_realm\", \"\"))'`\n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"ipaotp\", \"\"))'`\n \n # run ipa-client-install\n OPTS=\"-U -w $otp --hostname $fqdn --mkhomedir\"\n if [ -n \"$realm\" ]; then\n OPTS=\"$OPTS --realm=$realm\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"} +{"cloud-init": "#cloud-config\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\n - hostname\nwrite_files:\n - content: |\n #!/bin/sh\n \n function get_metadata_config_drive {\n if [ -f /run/cloud-init/status.json ]; then\n # Get metadata from config drive\n data=`cat /run/cloud-init/status.json`\n config_drive=`echo $data | python -c 'import json,re,sys;obj=json.load(sys.stdin);ds=obj.get(\"v1\", {}).get(\"datasource\"); print(re.findall(r\"source=(.*)]\", ds)[0])'`\n if [[ -b $config_drive ]]; then\n temp_dir=`mktemp -d`\n mount $config_drive $temp_dir\n if [ -f $temp_dir/openstack/latest/vendor_data2.json ]; then\n data=`cat $temp_dir/openstack/latest/vendor_data2.json`\n umount $config_drive\n rmdir $temp_dir\n else\n umount $config_drive\n rmdir $temp_dir\n fi\n else \n echo \"Unable to retrieve metadata from config drive.\"\n return 1\n fi\n else\n echo \"Unable to retrieve metadata from config drive.\"\n return 1\n fi\n \n return 0\n }\n \n function get_metadata_network {\n # Get metadata over the network\n data=$(timeout 300 /bin/bash -c 'data=\"\"; while [ -z \"$data\" ]; do sleep $[ ( $RANDOM % 10 ) + 1 ]s; data=`curl -s http://169.254.169.254/openstack/2016-10-06/vendor_data2.json 2>/dev/null`; done; echo $data')\n 
\n if [[ $? != 0 ]] ; then\n echo \"Unable to retrieve metadata from metadata service.\"\n return 1\n fi\n }\n \n function get_fqdn {\n # Get the instance hostname out of the metadata\n fqdn=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"hostname\", \"\"))'`\n if [ -z \"$fqdn\"]; then\n echo \"Unable to determine hostname\"\n return 1\n fi\n return 0\n }\n \n if ! get_metadata_config_drive || ! get_fqdn; then\n if ! get_metadata_network || ! get_fqdn; then\n echo \"FATAL: No metadata available or could not read the hostname from the metadata\"\n exit 1\n fi\n fi\n \n realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"krb_realm\", \"\"))'`\n otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get(\"join\", {}).get(\"ipaotp\", \"\"))'`\n \n if [ -z \"$otp\" ]; then\n echo \"FATAL: Could not read OTP from the metadata. This means that a host with the same name was already enrolled in IPA.\"\n exit 1\n fi\n \n # run ipa-client-install\n OPTS=\"-U -w $otp --hostname $fqdn --mkhomedir\"\n if [ -n \"$realm\" ]; then\n OPTS=\"$OPTS --realm=$realm\"\n fi\n ipa-client-install $OPTS\n path: /root/setup-ipa-client.sh\n permissions: '0700'\n owner: root:root\nruncmd:\n- sh -x /root/setup-ipa-client.sh > /var/log/setup-ipa-client.log 2>&1"} diff --git a/files/cloud-config-novajoin.yaml b/files/cloud-config-novajoin.yaml index 5bf5650..c60d9a4 100644 --- a/files/cloud-config-novajoin.yaml +++ b/files/cloud-config-novajoin.yaml 
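Review bot: The new `[ -z "$otp" ]` guard states a single cause for an empty OTP, but the extraction `obj.get("join", {}).get("ipaotp", "")` also yields an empty string when the metadata carries no `join` block or the python one-liner itself fails, so the FATAL message over-claims; the same text is added in the cloud-config-novajoin.yaml hunk. I would hedge it: `echo "FATAL: Could not read OTP from the metadata. This usually means a host with the same name is already enrolled in IPA."`. The sibling check `if [ -z "$fqdn"]; then` in get_fqdn on the same new line is missing the space before `]`, so on a non-empty hostname `[` is invoked without its closing bracket and the branch only works by accident; `if [ -z "$fqdn" ]; then` fixes it. Since runcmd runs the script with `sh -x` redirected into /var/log/setup-ipa-client.log, the trace of `OPTS="-U -w $otp ..."` records the OTP in that log in plain text, which is worth keeping in mind when choosing the log file's permissions and retention.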
@@ -67,6 +67,11 @@ write_files:
 realm=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("krb_realm", ""))'`
 otp=`echo $data | python -c 'import json,sys;obj=json.load(sys.stdin);print(obj.get("join", {}).get("ipaotp", ""))'`

+ if [ -z "$otp" ]; then
+ echo "FATAL: Could not read OTP from the metadata. This means that a host with the same name was already enrolled in IPA."
+ exit 1
+ fi
+
 # run ipa-client-install
 OPTS="-U -w $otp --hostname $fqdn --mkhomedir"
 if [ -n "$realm" ]; then
diff --git a/novajoin/ipa.py b/novajoin/ipa.py
index b4f0a42..f94581d 100644
--- a/novajoin/ipa.py
+++ b/novajoin/ipa.py
@@ -338,6 +338,9 @@ class IPAClient(IPANovaJoinBase):
 # Updating the OTP on an enrolled-host is not allowed
 # in IPA and really a no-op.
 # We don't know the OTP of the host, so we cannot update the cache.
+ LOG.info('OTP is unknown for host %s. This is because validation ' 'failed during host_mod operation, which means the host ' 'with the same name was already enrolled.', hostname)
 return False
 return self.host_cache.get(hostname, False)
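Review bot: The new LOG.info call asserts as fact that the failed host_mod means a host with the same name was already enrolled, which the surrounding comment gives as the expected reason but which this branch does not verify, and it reports at info level a condition that makes the instance's enrollment fail outright (the cloud-config side exits with FATAL once the OTP comes back empty). I would raise the severity and soften the wording: `LOG.warning('OTP is unknown for host %s: host_mod validation failed, most likely because a host with this name is already enrolled.', hostname)`. A warning that repeats for the same hostname is also a useful operator signal, since it points at a hostname collision between instances rather than a transient error. The enclosing method starts and ends outside the hunk, so the condition that leads into this branch is not visible here.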