1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
From 81be3c529ec1165f3135b4f14fbec2a19403cfbe Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Fri, 27 Aug 2021 08:53:36 +0200
Subject: [PATCH 1/2] fence_zvmip: add ssl/tls support
---
agents/zvm/fence_zvmip.py | 20 ++++++++++++++++----
tests/data/metadata/fence_zvmip.xml | 19 +++++++++++++++++++
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
index 001106a44..874eb699f 100644
--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
@@ -26,12 +26,22 @@ def open_socket(options):
except socket.gaierror:
fail(EC_LOGIN_DENIED)
- conn = socket.socket()
+ if "--ssl" in options:
+ import ssl
+ sock = socket.socket()
+ sslcx = ssl.create_default_context()
+ if "--ssl-insecure" in options:
+ sslcx.check_hostname = False
+ sslcx.verify_mode = ssl.CERT_NONE
+ conn = sslcx.wrap_socket(sock, server_hostname=options["--ip"])
+ else:
+ conn = socket.socket()
conn.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
conn.settimeout(float(options["--shell-timeout"]) or None)
try:
conn.connect(addr)
- except socket.error:
+ except socket.error as e:
+ logging.debug(e)
fail(EC_LOGIN_DENIED)
return conn
@@ -122,11 +132,12 @@ def get_list_of_images(options, command, data_as_plug):
images = set()
if output_len > 3*INT4:
+ recvflag = socket.MSG_WAITALL if "--ssl" not in options else 0
array_len = struct.unpack("!i", conn.recv(INT4))[0]
data = ""
while True:
- read_data = conn.recv(1024, socket.MSG_WAITALL).decode("UTF-8")
+ read_data = conn.recv(1024, recvflag).decode("UTF-8")
data += read_data
if array_len == len(data):
break
@@ -146,7 +157,8 @@ def get_list_of_images(options, command, data_as_plug):
return (return_code, reason_code, images)
def main():
- device_opt = ["ipaddr", "login", "passwd", "port", "method", "missing_as_off", "inet4_only", "inet6_only"]
+ device_opt = ["ipaddr", "login", "passwd", "port", "method", "missing_as_off",
+ "inet4_only", "inet6_only", "ssl"]
atexit.register(atexit_handler)
diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml
index f84115c08..d91192946 100644
--- a/tests/data/metadata/fence_zvmip.xml
+++ b/tests/data/metadata/fence_zvmip.xml
@@ -91,6 +91,21 @@ to access the system's directory manager.
<content type="string" />
<shortdesc lang="en">Physical plug number on device, UUID or identification of machine</shortdesc>
</parameter>
+ <parameter name="ssl" unique="0" required="0">
+ <getopt mixed="-z, --ssl" />
+ <content type="boolean" />
+ <shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
+ </parameter>
+ <parameter name="ssl_insecure" unique="0" required="0">
+ <getopt mixed="--ssl-insecure" />
+ <content type="boolean" />
+ <shortdesc lang="en">Use SSL connection without verifying certificate</shortdesc>
+ </parameter>
+ <parameter name="ssl_secure" unique="0" required="0">
+ <getopt mixed="--ssl-secure" />
+ <content type="boolean" />
+ <shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
+ </parameter>
<parameter name="username" unique="0" required="1" obsoletes="login">
<getopt mixed="-l, --username=[name]" />
<content type="string" />
@@ -181,6 +196,10 @@ to access the system's directory manager.
<content type="integer" default="1" />
<shortdesc lang="en">Count of attempts to retry power on</shortdesc>
</parameter>
+ <parameter name="gnutlscli_path" unique="0" required="0">
+ <getopt mixed="--gnutlscli-path=[path]" />
+ <shortdesc lang="en">Path to gnutls-cli binary</shortdesc>
+ </parameter>
</parameters>
<actions>
<action name="on" automatic="0"/>
From 8021e698095c5bd0ef33ee5f56fc448e946cb92c Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Wed, 10 Nov 2021 16:31:24 +0100
Subject: [PATCH 2/2] fence_zvmip: use ssl by default
---
agents/zvm/fence_zvmip.py | 1 +
tests/data/metadata/fence_zvmip.xml | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/agents/zvm/fence_zvmip.py b/agents/zvm/fence_zvmip.py
index 874eb699f..96021b13e 100644
--- a/agents/zvm/fence_zvmip.py
+++ b/agents/zvm/fence_zvmip.py
@@ -165,6 +165,7 @@ def main():
all_opt["ipport"]["default"] = "44444"
all_opt["shell_timeout"]["default"] = "5"
all_opt["missing_as_off"]["default"] = "1"
+ all_opt["ssl"]["default"] = "1"
options = check_input(device_opt, process_input(device_opt), other_conditions=True)
if len(options.get("--plug", "")) > 8:
diff --git a/tests/data/metadata/fence_zvmip.xml b/tests/data/metadata/fence_zvmip.xml
index d91192946..f32fc159d 100644
--- a/tests/data/metadata/fence_zvmip.xml
+++ b/tests/data/metadata/fence_zvmip.xml
@@ -93,7 +93,7 @@ to access the system's directory manager.
</parameter>
<parameter name="ssl" unique="0" required="0">
<getopt mixed="-z, --ssl" />
- <content type="boolean" />
+ <content type="boolean" default="1" />
<shortdesc lang="en">Use SSL connection with verifying certificate</shortdesc>
</parameter>
<parameter name="ssl_insecure" unique="0" required="0">
|
