a ÈRÙiÇ4ã@sddlmZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZddlmZddlmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*ddlm+Z+m,Z,m-Z-dd l.m/Z/m0Z0m1Z1m2Z2m3Z3d Z4d Z5d Z6d Z7dZ8dZ9dZ:dZ;e e „Zbd?d@„ZciZddAdB„Zeeee1jf_gehe dCdƒsz8ddliZjddlkZlejjm neljo¡ejjm ndD¡krÈepdEƒ‚WnepyÞYn80dFdG„Zqe1jrZsGdHdI„dIetƒZuGdJdK„dKe1jrƒZveve1_rdLdM„ZwejxfdNdO„ZydPdQ„ZzdRdS„Z{GdTdU„dUetƒZ|dVdW„Z}dXdY„Z~d½d[d\„Zd]d^„Z€d_d`„Zd¾dadb„Z‚dcdd„Zƒdedf„Z„dgdh„Z…didj„Z†dkdl„Z‡dmdn„Zˆdodp„Z‰dqdr„ZŠdsdt„Z‹dudv„ZŒdwdx„Zdydz„ZŽd{d|„Zd}d~„Zdd€„Z‘dd‚„Z’d¿dƒd„„Z“d…d†„Z”d‡dˆ„Z•d‰dŠ„Z–d‹dŒ„Z—dÀdŽd„Z˜dd‘„Z™d’d“„Zšd”d•„Z›d–d—„Zœe%jdÁd˜d™„ƒZždšd›„ZŸdœd„Z GdždŸ„dŸƒZ¡d d¡„Z¢d¢d£„Z£d¤d¥„Z¤d¦d§„Z¥ej¦ejxfd¨d©„Z§dªd«„Z¨e%je) ©d¬¡ej¦fd­d®„ƒƒZªd¯d°„Z«d±d²„Z¬d³d´„Z­dÂdµd¶„Z®d·d¸„Z¯d¹dº„Z°dS)Ãé)Úprint_functionN)ÚArgumentParser)Úcontextmanager)Údatetimeé)ÚanomalyÚauthÚ capabilitiesÚconfigÚconfig_handlersÚ constantsÚerrorsÚfetchÚ http_utilsÚ ipv6_supportÚkcareÚlibcareÚ log_utilsÚplatform_utilsÚ process_utilsÚselinuxÚ server_infoÚserveridÚ update_utilsÚutils)Ú KcareErrorÚNotFoundÚSafeExceptionWrapper)Ú HTTPErrorÚURLErrorÚhttplibÚjson_loads_nstrÚ urlencodeécZv3)Z12hZ24hZ48hÚtestz./etc/sysconfig/kcare/freezer.modules.blacklistz/usr/libexec/kcare/kcdoctor.sh)z latest.v3ú latest.v2z /etc/sysconfig/kcare/sysctl.confé z$==BLACKLIST== (.*)==END BLACKLIST== z'(kpatch.*|ksplice.*|kpatch_livepatch.*)z/usr/libexec/kcare/pythonÚignore)ÚcategorycCs@tƒ}tj t¡rÚAttributeErrorÚ TypeErrorÚKeyErrorÚIOErrorrÚetypeÚtypeÚinnerrMrÚ get_distror ÚVERSIONZget_python_versionÚgetattrÚstrr<rNZ format_tb)rYÚvalueÚtbZdetails_sanitizedrKr6r6r7Ú format_exception_without_detailsms,   ørbcCsttjr dSt tƒ¡}t t t  |¡¡¡}t  d¡d|}t   |t  ¡¡}zt  |¡WntynYn0dS)Nz/api/kcarectl-tracez?trace=)r ÚUPDATE_FROM_LOCALÚjsonÚdumpsrbrÚnstrÚbase64Zurlsafe_b64encodeZbstrÚget_patch_server_urlrZ http_requestrZget_http_auth_stringZ urlopen_baseÚ Exception)ZtraceZ encoded_traceÚurlZrequestr6r6r7Úsend_exc‰s  rkcCsèt ¡}|dkr t |d¡dSt ¡t ¡}|dkrBt d¡t d¡ttjdƒ0}t  |  ¡d¡t  |  ¡d¡Wdƒn1sŽ0Y|r¦t   |¡z |ƒWn(t yØtj d¡t d¡Yn0t d¡dS)zš Run func in a fork in an own process group (will stay alive after kcarectl process death). :param func: function to execute :return: rNÚarézWait exception)r+ÚforkÚwaitpidÚsetsidÚ_exitr2r/r ZLOG_FILEÚdup2ÚfilenoÚtimeÚsleeprirÚkcarelogÚ exception)ÚfuncruÚpidÚfdr6r6r7Ú nohup_fork›s(   .    r{c Csštj tjd¡}tj |¡r†t|dƒP}z,t| ¡ƒ}|t j t   ¡krRt ||ƒ‚Wnt yfYn0Wdƒn1s|0Yt |t ¡¡dS)aCheck the fact that there was a failed patching attempt. If anchor file not exists we should create an anchor with timestamp and schedule its deletion at $timeout. If anchor exists and its timestamp more than $timeout from now we should raise an error. ú.kcareprev.lockr)N)r+r,r<r Ú PATCH_CACHEr-r/ÚintÚreadr ÚSUCCESS_TIMEOUTrtÚPreviousPatchFailedExceptionÚ ValueErrorrÚ atomic_writeÚ timestamp_str)Zanchor_filepathZafileÚ timestampr6r6r7Ú touch_anchorÁs    $r†cCstzt tj tjd¡¡Wnty,Yn0td|ƒtj   ¡zt ddWnt ynt j d¡Yn0dS)zÀ See touch_anchor() for detailed explanation of anchor mechanics. See KPT-730 for details about action registration. :param state_data: dict with current level, kernel_id etc. r|Údone©ÚreasonzCannot send update info!N)r+Úremover,r<r r}rRÚregister_actionrÚget_loaded_modulesÚclearÚget_latest_patch_levelrirrvrw©Ú state_datar6r6r7Ú commit_updateØs    r‘cCs(tjtj tjd¡t ||d¡ddS)NÚpatchesrG)Z exclude_path) rÚclean_directoryr+r,r<r r}rÚget_cache_path)ÚkhashZplevelr6r6r7Ú clear_cacheísr–cCs>tjpd}d ||g¡}tjd|f}|r2||f7}tjj|ŽS)NÚnoneú-Úmodules)r ÚPREFIXr<r r}r+r,)r•ÚfnameÚprefixZ module_dirr3r6r6r7Úget_current_level_pathñs    rcCstjt|dƒt|ƒdddS)NÚlatestT)Z ensure_dir)rrƒrr_)r•Ú patch_levelr6r6r7Úsave_cache_latestúsr c CsVt|dƒ}tj |¡rRz$tt|dƒ ¡ ¡ƒ}t  ||¡WSt t fyPYn0dS)Nržr)) rr+r,r-r~r/rÚstriprÚLegacyKernelPatchLevelr‚rV)r•Zpath_with_latestÚplr6r6r7Úget_cache_latestþs  r¤c@s eZdZdS)ÚCertificateErrorN)rHÚ __module__Ú __qualname__r6r6r6r7r¥ sr¥cs eZdZdZ‡fdd„Z‡ZS)ÚUnknownKernelExceptionzunknown kernelc s:d t ¡dt ¡t ¡¡}tt|ƒj |fi|¤ŽdS)NúLNew kernel detected ({0} {1} {2}). There are no updates for this kernel yet.r) Úformatrr\ÚplatformÚreleaserÚget_kernel_hashÚsuperr¨Ú__init__)ÚselfÚkwargsÚmsg©Ú __class__r6r7r¯sÿzUnknownKernelException.__init__)rHr¦r§Ústatusr¯Ú __classcell__r6r6r³r7r¨sr¨cs(eZdZdZ‡fdd„Zdd„Z‡ZS)ÚApplyPatchErrorzpatch apply errorcsJtt|ƒj|i|¤Ž||_||_||_||_t ¡d|_ t   ¡|_ dS©Nr) r®r·r¯ÚcodeÚ freezer_styleÚlevelÚ patch_filerr\rKr«r¬)r°r¹rºr»r¼Úargsr±r³r6r7r¯szApplyPatchError.__init__c Cs0d |j|j|j|j|jd dd„|jDƒ¡¡S)Nz0Unable to apply patch ({0} {1} {2} {3} {4}, {5})ú, cSsg|] }t|ƒ‘qSr6)r_)Ú.0Úir6r6r7Ú ,óz+ApplyPatchError.__str__..)rªr¼r»r¹rKr¬r<rº©r°r6r6r7Ú__str__%súzApplyPatchError.__str__©rHr¦r§rµr¯rÄr¶r6r6r³r7r·s r·cs(eZdZdZ‡fdd„Zdd„Z‡ZS)rzprevious patch failedcs&tt|ƒj|i|¤Ž||_||_dSr@)r®rr¯r…Úanchor)r°r…rÆr½r±r³r6r7r¯4sz%PreviousPatchFailedException.__init__cCsd}| |j|j¡S)NzˆIt seems, the latest patch, applying at {0}, crashed, and further attempts will be suspended. To force patch applying, remove `{1}` file)rªr…rÆ)r°Úmessager6r6r7rÄ9sÿz$PreviousPatchFailedException.__str__rÅr6r6r³r7r1s rc CsÄt ¡d |¡}z|t |¡}t t | ¡¡¡}t |dƒ}|dkrRt  d¡n8|dkrft  d¡n$|dkrzt  d¡nt  d  |¡¡|WSt y¾}zt   ||¡WYd}~n d}~00d S) Nz"/nagios/register_key.plain?key={0}r¹rzKey successfully registeredrzWrong key format or sizermz!No KernelCare license for that IPzUnknown error {0}r:)rÚget_registration_urlrªrÚurlopenrÚ data_as_dictrfrr~Ú print_wrapperrrÚprint_cln_http_error)ÚkeyrjÚresponseÚresr¹Úer6r6r7Ú!set_monitoring_key_for_ip_licenseBs      "rÑc csTtjrtjtjddz dVWtjrPtjtjddntjrNtjtjdd0dS)NT)Úshell)r ZBEFORE_UPDATE_COMMANDrÚ run_commandZAFTER_UPDATE_COMMANDr6r6r6r7Ú execute_hooksVsÿrÔcCsÖtƒ}|j}|j}t ¡}|dkrht|ƒtjt  ¡t   ¡|t t  ¡ƒ|dœ}t d¡t t |¡¡njt d¡t t|ƒ¡t dt|ƒ¡t tj¡t t  ¡¡t t   ¡¡t |¡t t  ¡¡dS)a1 The output will consist of: Ignore output up to the line with "--START--" Line 1: show if update is needed: 0 - updated to latest, 1 - update available, 2 - unknown kernel 3 - kernel doesn't need patches 4 - no license, cannot determine Line 2: licensing message (can be skipped, can be more then one line) Line 3: LICENSE: CODE: 1: license present, 2: trial license present, 0: no license Line 4: Update mode (True - auto-update, False, no auto update) Line 5: Effective kernel version Line 6: Real kernel version Line 7: Patchset Installed # --> If None, no patchset installed Line 8: Uptime (in seconds) If *format* is 'json' return the results in JSON format. Any other output means error retrieving info :return: rd)Z updateCodeZ autoUpdateZeffectiveKernelZ realKernelZloadedPatchLevelZuptimeÚlicensez --START--z LICENSE: N)Ú_patch_level_infor¹Ú applied_lvlrÚ license_infor_r Ú AUTO_UPDATErÚ kcare_unamer«r¬r~rZ get_uptimerrËrdre)ÚfmtÚpliZ update_codeZ loaded_plZlicense_info_resultZresultsr6r6r7Ú plugin_infobs. ù    rÝcCs`t ¡}ztdd}Wn ty6tjr.dndYS0|durDdS||krPdSt ¡r\dSdS)NÚinforˆrérrm)rÚloaded_patch_levelrŽr¨r ÚIGNORE_UNKNOWN_KERNELrZstatus_gap_passed)Ú current_levelZlatest_patch_levelr6r6r7Úget_update_status–s rãcCs2t ¡dd…\}}|dkr*| d¡r*dSdSdS)NrmZ CloudLinuxz7.ÚextrarG)rr\Ú startswith)rKÚversionr6r6r7Úedf_fallback_ptype¦srçcCsl|j|jf}t ||¡}t ||j¡|_|j tj tj d¡|tvrZ|j  ¡dd…t|<|j rh|  ¡dS)zFunction remembers IP address of host connected to and uses it for later connections. Replaces stdlib version of httplib.HTTPConnection.connect rNrm)ÚhostZportÚCONNECTION_STICKY_MAPÚgetÚsocketZcreate_connectionZtimeoutÚsockZ setsockoptZ IPPROTO_TCPZ TCP_NODELAYZ getpeernameÚ _tunnel_hostZ_tunnel)r°ZaddrZ resolved_addrr6r6r7Ústicky_connect³s  rîZHAS_SNIz0.13z%No pyOpenSSL module with SNI ability.cGsdS)NTr6)r½r6r6r7Údummy_verify_callback×srïc@s,eZdZdd„Zdd„Zdd„Zdd„Zd S) ÚSSLSockcCs||_d|_dSr¸)Ú _ssl_connÚ_makefile_refs)r°rìr6r6r7r¯ászSSLSock.__init__cGs(|jd7_tj|jg|¢RddiŽS)Nrr2T)ròrëZ _fileobjectrñ©r°r½r6r6r7ÚmakefileåszSSLSock.makefilecCs |js|jr|j ¡d|_dSr@)ròrñr2rÃr6r6r7r2és  z SSLSock.closecGs |jj|ŽSr@)rñÚsendallrór6r6r7rõîszSSLSock.sendallN)rHr¦r§r¯rôr2rõr6r6r6r7rðàsrðc@seZdZdd„ZdS)ÚPyOpenSSLHTTPSConnectioncCs¾tj |¡tj tjj¡}| tjjtjj B¡t j rJ|  tjj t¡n|  tjjt¡| ¡tj ||j¡}| ¡|jp„|j}| | ¡¡| ¡t j r°t| ¡|ƒt|ƒ|_dSr@)r ÚHTTPConnectionÚconnectÚOpenSSLZSSLZContextZ SSLv23_METHODZ set_optionsZ OP_NO_SSLv2Z OP_NO_SSLv3r ÚCHECK_SSL_CERTSZ set_verifyZ VERIFY_PEERrïZ VERIFY_NONEZset_default_verify_pathsZ ConnectionrìZset_connect_staterírèZset_tlsext_host_nameÚencodeZ do_handshakeÚmatch_hostnameZget_peer_certificaterð)r°ÚctxZconnZ server_hostr6r6r7røòs  z PyOpenSSLHTTPSConnection.connectN)rHr¦r§rør6r6r6r7röñsröc Csºtjr&t ||¡}t tj¡|ddS|dv}tjo6|}d|fd|fdfD]h\}}t j |||d} t j | |d} |r€d  | ¡} t |t ||ƒ¡d | }d } |s¦|rÌt |ƒ| krÌ|rºd nd } t d | ¡qJz~t tj¡|dd} tjrBt | ¡rBt | ¡}t |¡}|r&tjd  |¡ddntjddd|rB| ¡| WSty²}zN|sh|rœ|jdvs€|jdkrœt d  |¡¡WYd}~qJ‚WYd}~qJd}~00qJdS)NF©Ú check_license)z latest.v1r%T)FF)Úsecure_boot_infoÚ perf_metrics)Ú b64_encodingzinfo={0}ú?iXzsecure boot infoz perf metricsz.Check-in URL param is too large, discarding %sz:Automatic kernel anomaly report uploaded successfully: {0}©Z print_msgú$Failed to send kernel anomaly report)iižiôzCCheck-in request failed with error: {0}, retrying with reduced info)r rcrZget_kernel_prefixed_urlrZwrap_with_cache_keyrÚ urlopen_authZSEND_PERF_METRICSrZencode_checkin_payloadrªÚstickyfyÚlenrÚlogwarnZKERNEL_ANOMALY_REPORT_ENABLErZdetect_anomalyÚprepare_kernel_anomaly_reportÚsend_data_packageÚloginfoÚremove_archiverr¹)r•ržr‰ÚmoderjrZ perf_enabledrrZsinfoZ request_paramZmax_url_lengthZ discard_infor3Ú data_packageÚ upload_nameÚexr6r6r7Ú_fetch_patch_level_request sD        ÿ $ rc Cs>t ¡}tjdur$t |ttjƒ¡StD]}z¶t||||ƒ}t  |j ¡t ƒt   | ¡¡ ¡}tjd ||¡dd|rÐ| d¡rÐt|ƒ}| dg¡}t |¡s®t d¡‚t ||d|d|d ¡WSt |t|ƒ¡WStyöYq(ty0}z"|jd vrtd ƒ‚‚WYd}~q(d}~00q(tƒ‚dS) Nz;fetch patch level, reason: {0}, kernel latest response: {1}FrÚ{r zeLatest KernelCare patchset is incompatible with the current kernecare package version, please upgrader»Úbaseurlr¬)i“i‘zKC licence is required) rr­r Ú PATCH_LEVELr¢r~Ú PATCH_LATESTrr Zset_feature_flags_from_headersÚheadersÚupdate_all_kmod_paramsrrfrr¡rr rªrår!rêr Zhas_kc_capabilitiesr ÚCapabilitiesMismatchZKernelPatchLevelrrr¹rr¨) r‰rr•ržrÎr£Z latest_infoZrequired_capabilitiesrr6r6r7Úfetch_patch_level:s4     ÿ"  rc CsB| t|tjƒ¡}tj d |¡¡ztj |dddWdSt y`tj d |¡¡YdSt yš}z$tj  d |t |ƒ¡¡WYd}~n d}~00| t|tjƒtj¡}tj d |¡¡ztj |ddWndt ytj d |¡¡YdSty<}z$tj d  |t |ƒ¡¡WYd}~n d}~00dS) NzProbing patch URL: {0}FÚHEAD)rÿÚmethodTz{0} is not available: 404zFHEAD request for {0} raised an error, fallback to the GET request: {1}rþz{0} is not available: {1})Úfile_urlr?r rArrvrÞrªrrrriÚdebugr_r ZSIGr)r»r=Zbin_urlrrjr6r6r7Ú probe_patch[s( ..rcCsF|tjkr| tj¡}n | |¡}| |¡}tj||tjt  |¡dS)N)Z hash_checker) r ÚKMOD_BINZkmod_urlrÚ cache_pathrZ fetch_urlr Ú USE_SIGNATUREZget_hash_checker)r»ÚnamerjZdstr6r6r7Úfetch_and_verify_kernel_filets    r$c@s>eZdZddd„Zdd„Zdd„Zdd „Zd d „Zd d „ZdS)Ú PatchFetcherNcCs ||_dSr@)rŸ)r°rŸr6r6r7r¯szPatchFetcher.__init__cCs t|j|ƒSr@)r$rŸ)r°r#r6r6r7Ú_fetch‚szPatchFetcher._fetchcCsr|j tj¡}|j tj¡}|j tj¡}|j tj¡}tdd„||||fDƒƒopt j   |¡dkopt j   |¡dkS)Ncss|]}tj |¡VqdSr@)r+r,r-)r¿r,r6r6r7Ú ŒrÂz0PatchFetcher.is_patch_fetched..r) rŸr!r rErArBr r Úallr+r,Úgetsize)r°Zpatch_done_pathZpatch_bin_pathZpatch_info_pathZ kmod_bin_pathr6r6r7Úis_patch_fetched…sÿýzPatchFetcher.is_patch_fetchedcCs0|jdurtdƒ‚|js|jS| ¡r6t d¡|jSt d¡t|jtjƒr¤ztj |j  t j ¡dd}Wnt y|Yn(0|j dd¡}|r¤|j t |¡¡|_z| t j ¡Wn.t yâtd |jt jpÔd¡d d ‚Yn0| t j¡| tj¡| ¡tj|j t j¡d d d t tj ¡|jS)Nz+Cannot fetch patch as no patch level is setzUpdates already downloadedzDownloading updatesr)rú KC-Base-UrlzfThe `{0}` patch level is not found for `{1}` patch type. Please select valid patch type or patch levelÚdefaultzpatch level not found©rµrÂÚwb©r)!rŸr‚r*rr rQrr¢rrrr rArrrêÚupgraderrfr&rrªÚ PATCH_TYPErBr r Úextract_blacklistrƒr!rErÚrestore_selinux_contextr})r°Úresprr6r6r7Ú fetch_patch‘s>      ÿý    zPatchFetcher.fetch_patchcCsJt|j tj¡dƒ ¡}|rFt |¡}|rFt  |j tj ¡|  d¡¡dS)Nr)r) r/rŸr!r rBrÚ BLACKLIST_REÚsearchrrƒrCÚgroup)r°ZbufZmor6r6r7r2ºs  zPatchFetcher.extract_blacklistcCsÄ|dur dSzt|tjƒ}Wnty0YdS0|j dd¡}|rT| t |¡¡}|  tj¡}t |dƒ&}t dd„|  ¡Dƒƒ}Wdƒn1s–0Y|D]}t||ƒq¤t  tj¡dS)z¶ Download fixup files for defined patch level :param level: download fixups for this patch level (usually it's a level of loaded patch) :return: None Nr+r)cSsg|] }| ¡‘qSr6)r¡)r¿Úfixupr6r6r7rÁ×rÂz-PatchFetcher.fetch_fixups..)r$r rDrrrêr0rrfr!r/r*Ú readlinesrr3r r})r°r»r4rZ fixups_fnamer4Úfixupsr9r6r6r7Ú fetch_fixupsÁs   4 zPatchFetcher.fetch_fixups)N) rHr¦r§r¯r&r*r5r2r<r6r6r6r7r%}s   )r%cCs8tƒ}t |j¡|jtjkr*t d¡n t d¡dS)Nrr) rÖrrËr²r¹ÚPLIÚPATCH_NEED_UPDATErOÚexit)rÜr6r6r7Ú kcare_checkßs    r@cCsZtƒ}t|ƒ}z t ¡}Wnty0i}Yn0t ¡}d}|durZt |d¡  d¡}t  ¡}|  dg¡}t t j|ddƒ}t |ƒ}dd„|Dƒ} t t j| d dƒ} td d „|Dƒƒ} || } t ¡} | sÚt  d ¡n t  d ¡t  d |¡¡t  d |¡¡|dkrt  d |¡¡| dkr8t  d | ¡¡| dkrLt  d¡t  d¡dS)NZUnknownÚtsz%Y-%m-%dr’z kpatch-cve)Z cve_fieldcSs"g|]}| dg¡D]}|‘qqS)r’)rê)r¿ÚrecÚpatchr6r6r7rÁürÂz%show_generic_info..Zcvecss|]}t| dg¡ƒVqdS)r’N)rrê)r¿rBr6r6r7r'þrÂz$show_generic_info..z$KernelCare live patching is disabledz"KernelCare live patching is activez - Last updated on {0}z - Effective kernel version {0}rz* - {0} kernel vulnerabilities live patchedz- - {0} userspace vulnerabilities live patchedz% - This system has no applied patchesz(Type kcarectl --patch-info to learn more)rÖÚ_kcare_patch_info_jsonrZlibcare_patch_info_basicrrZ get_staterZ fromtimestampÚstrftimerÚrêrrZextract_unique_cvesÚsumràrËrª)rÜÚ kcare_infoÚ libcare_infoÚstateZ latest_updateZeffective_versionZkernel_patchesZkernel_vulnerabilitiesZkernel_patches_countZuserspace_patchesZuserspace_vulnerabilitiesZuserspace_patches_countZtotal_patches_countrŸr6r6r7Úshow_generic_infoès>          rJFc Csôz tdtjd}|st‚| tj¡}t t   |¡  ¡¡}|r”gi}}|  d¡D]0}t  |¡}|rvd|vrv| |¡qP| |¡qP||d<t |¡}t |¡WnNtyÔ}zt ||j¡WYd}~dSd}~0tyît d¡Yn0d S) z½ Retrieve and output to STDOUT latest patch info, so it is easy to get list of CVEs in use. More info at https://cloudlinux.atlassian.net/browse/KCARE-952 :return: None rÞ)r‰Úpolicyú ú kpatch-namer’NrzNo patches availabler)rŽr Ú POLICY_REMOTEr¨rr rBrrfrrrr;rÊÚappendÚupdaterdrerËrrrÌrj) Úis_jsonržrjÚ patch_infor’r3ÚchunkÚdatarÐr6r6r7Úkcare_latest_patch_infos,        rUcCs„d|ji}|jdur€t|ƒ}g}| d¡D]0}t |¡}|rPd|vrP| |¡q*| |¡q*||d<t  ¡}|rx|dnd|d<|S)NrÇrLrMr’r¬Úunknown) r²r×Ú_kcare_patch_infor;rrÊrOrPrZread_dumped_kernel_patch_level)rÜr3rRr’rSrTZsaved_patch_levelr6r6r7rD3s      rDcCsTt ¡}t ||jtj¡}tj |¡s2t ddd‚t |dƒ  ¡}|rPt   d|¡}|S)NzvCan't find information due to the absent patch information file. Please, run /usr/bin/kcarectl --update and try again.zpatch info not foundr-r)rG)rr­r”r×r rBr+r,r-rr/rr6Úsub)rÜr•r!rÞr6r6r7rWGs ý rWcCsZtƒ}|s>|jdkr t |j¡|jdur.dSt t|ƒ¡nt tjt |ƒdd¡dS)NrT)Z sort_keys) rÖr¹rrËr²r×rWrdrerD©rQrÜr6r6r7rRVs   rRcCs:tjd|g}t |¡}t ¡}d}t ||¡t ||¡kS)Nz file-infozkpatch-build-time)r Ú KPATCH_CTLrÚ check_outputrÚ _patch_infoZget_patch_value)Únew_patch_filer½Znew_patch_infoZcurrent_patch_infoZbuild_time_labelr6r6r7Ú is_same_patchbs   r^cCsL|dkr dS|r||krdS||kr(dSt t ¡|tj¡}t|ƒsHdSdS)NrFT)rr”r­r rAr^)Ú applied_levelÚ new_levelr]r6r6r7Úkcare_need_updatejs racCsptjrltj t¡r t ttj¡s6tj   d  t¡¡dSt j dddtgdd\}}}|dkrltj   d  |¡¡dS) Nz-File {0} does not exist or has no read accessz /sbin/sysctlú-qz-pT©Ú catch_stdoutrz%Unable to load kcare sysctl.conf: {0})r ZUPDATE_SYSCTL_CONFIGr+r,r-Ú SYSCTL_CONFIGÚaccessÚR_OKrrvÚwarningrªrrÓ)r¹Ú_r6r6r7Ú update_sysctl|srjcsÈtj t¡sttdƒ ¡t ttj¡s>tj   d  t¡¡dSttdƒl}|  ¡}|  d¡|D]$‰t‡fdd„|Dƒƒs`| ˆ¡q`|D]}| |d¡qŠ| ¡Wdƒn1sº0YdS) z*Update SYSCTL_CONFIG accordingly the editsrlzFile {0} has no read accessNzr+rc3s|]}ˆ |¡VqdSr@)rå)r¿r)©r5r6r7r'˜rÂz#edit_sysctl_conf..Ú )r+r,r-rer/r2rfrgrrvrhrªr:ÚseekÚanyÚwriteÚtruncate)rŠrOZsysctlÚlinesrlr6rkr7Úedit_sysctl_conf‡s    rrcCs*|D] }t |¡rtd |¡dd‚qdS)NzDDetected '{0}' kernel module loaded. Please unload that module firstzconflicting kernel moduler-)ÚCONFLICTING_MODULES_REÚmatchrrª)r™Úmoduler6r6r7Údetect_conflicting_modules s  þrvcCsd t ¡¡S)Nz/lib/modules/{0}/extra/kcare.ko)rªrZget_system_unamer6r6r6r7Úget_kcare_kmod_link©srwcCsptdd}t t ¡|tj¡}tj |¡s.dSt |dƒ$}|  ¡dd…dkWdƒS1sb0YdS)NrÞrˆÚrbiäÿÿÿs~Module signature appended~ ) rŽrr”r­r r r+r,r-r/r)r»Z kmod_fileZvfdr6r6r7Úkmod_is_signed­s    rycs4t d¡‰ˆdurdSddg}t‡fdd„|DƒƒS)Nz /proc/keysZ(12ff0613c0f80cfba3b2f8eba71ebc27c5a76170Z(69a6d9eed3f620d5c2e13a1d211c46510a5ad9f5c3s|]}|ˆvVqdSr@r6)r¿rÍ©Z system_keysr6r7r'¾rÂz'kcare_certs_enrolled..)rZ try_to_readrn)Z kcare_keysr6rzr7Úkcare_certs_enrolled¶s þr{cKs`d|g}| ¡D]\}}| d ||¡¡qtj|dd\}}}|dkr\td ||¡dd‚dS) Nz /sbin/insmodz{0}={1}TrcrzLUnable to load kmod ({0} {1}). Try to run with `--check-compatibility` flag.zkmod load errorr-)ÚitemsrOrªrrÓr)Zkmodr±ÚcmdrÍr`r¹rir6r6r7Ú load_kmodÁs þr~cCsTt ¡r,tƒdurtdƒ‚tƒdur,tdƒ‚t ¡sDt ¡sDt ¡rPtddd‚dS)NFz4Secure boot is enabled. Not supported by KernelCare.z.)rwrr”r r ÚshutilÚcopyrir rr+r,rrrŽrŠÚdictr|r~Ú update_depmod)r•r»rˆZ kcare_fileZ kmod_paramsr6r–r7Úload_kcare_kmods   r›cCsXdg}|dur| d|g¡tj|ddd\}}}|rTtjd d |¡||¡dddS) Nz /sbin/depmodz-aTr€z%Running of `{0}` failed with {1}: {2}ú Fr)ÚextendrrÓrr„rªr<)Úunamer}r¹riÚstderrr6r6r7rš&sÿršcCs8tjd|gdd\}}}|dkr4td ||¡dd‚dS)Nz /sbin/rmmodTrcrzUnable to unload {0} kmod {1}zkmod unload errorr-)rrÓrrª)Úmodnamer¹rir6r6r7Ú unload_kmod2sr¡cCsPg}dg|D]<}t ||d |¡¡}tj |¡rt|ƒ| d |¡¡q|S)NZvmlinuxz fixup_{0}.koz fixup_{0})rr”rªr+r,rr~rO)r•râr™ZloadedÚmodÚmodpathr6r6r7Ú apply_fixups8s r¤c Cs>|D]4}z t|ƒWqty6tj d|¡Yq0qdS)Nz$Exception while unloading module %s.)r¡rirrvrw)r;r¢r6r6r7Ú remove_fixupsBs   r¥cCs’|r |}n6tjrtj}n(tƒ |¡r2d|tjdfSd|tjdfSddddddœ}| ¡}||vrj||}ntd ||tjd¡d d ‚||tjdfS) NZfreeze_conflictTr,FZ freeze_noneZ freeze_all)ZNONEZNOFREEZEZFULLZFREEZEZSMARTz3Unable to detect freezer style ({0}, {1}, {2}, {3})zfreezer style detection errorr-)r Z PATCH_METHODr8Ú intersectionÚupperrrª)Úfreezerr™rZpatch_method_mapr6r6r7Úget_freezer_styleJs* û þr©rGcsª|||dœ‰tdˆƒt ¡}t ¡}t|ƒt||ƒ}t ||tj¡}t ||ƒd  |tj t   ¡t |¡¡} d|v} | o„t ||¡} |du} | o¢t|ƒo¢t | ¡} ˆ || dœ¡| rÆtdˆƒdS| rtdˆƒt|||ƒ}tdˆƒt|ƒtd ˆƒt|ƒ| r"td ˆƒtdƒd } | s¨rÂzkcare_load..)ru)"r‹rràrŒrvr©r”r rAr rªr1rr„Z parse_unameZis_kmod_version_changedr^Zkcare_update_effective_versionrPr¤Úkpatch_ctl_unpatchr¥r¡r›r†Úkpatch_ctl_patchrjrr rÚrZtouch_status_gap_filer{r€)r•r»rr¨Ú use_anchorrâr™rºr¼Ú descriptionZ kmod_loadedr«Z patch_loadedZ same_patchr;r6rr7Ú kcare_loadlsT    ÿ          rµc CsŒtjg}t ||tj¡}tj |¡r2|  d|g¡|  dd|g¡|  d|dg¡|  |¡t j |dd\}}}|dkrˆt ||||ƒ‚dS)Nz-brCz-dú-mrTrc)r rZrr”r rCr+r,rrrOrrÓr·) r¼r•r»r´rºr½Zblacklist_filer¹rir6r6r7r²«s  r²cCs^tjtjdd|dgddd\}}}|dkrZtjd ||¡ddtd  |t|ƒ¡d d ‚dS) Nr¬r¶rTr€ú4Error unpatching, kpatch_ctl stdout: {0} stderr: {1}FrúError unpatching [{0}] {1}ú unpatch errorr-) rrÓr rZrr„rªrr_)rºr¹r‰rŸr6r6r7r±¸s ÿ r±cCs8||d<tt ¡ƒ|d<t tj tjd¡t |ƒ¡dS)NÚactionrAz kcare.state) r~rtrrƒr+r,r<r r}r_)rºrr6r6r7r‹Âsr‹cCsld}tj |¡sdSt |¡D]H}tj ||dd¡}tj |¡sBqt |¡}||krt |¡t|ƒqdS)Nz/usr/lib/modules/z weak-updateszkcare.ko) r+r,ÚisdirÚlistdirr<ÚislinkÚreadlinkÚunlinkrš)Ú kmod_linkZ modules_pathÚentryZ sym_link_pathZ target_pathr6r6r7Úupdate_weak_modulesÈs    rÂc Csbt ¡}tƒ}z| |¡Wn:tyV}z"|sBtd |¡dd‚WYd}~n d}~00t ¡}t||ƒ}t ƒÜd|vr|du}|rút t  ¡||ƒ}t j tjdd|dgddd \} } } t|ƒ| dkrútjd  | | ¡d d td  | t|ƒ¡dd‚tjt t¡dtdtƒdƒtƒ} tj | ¡r6t | ¡t| ƒWdƒn1sT0YdS)NzUnable to retrieve fixups: '{0}'. The unloading of patches has been interrupted. To proceed without fixups, use the --force flag.zfixups retrieval errorr-rr¬r¶rTr€r·Frr¸r¹r)ÚcountÚdelay) rràr%r<rirrªrŒr©rÔr¤r­rrÓr rZr¥rr„r_rZretryr Z check_excÚUNLOAD_RETRY_DELAYr¡rwr+r,r-r¿rÂ) r¨ÚforcerâÚpfÚerrr™rºZ need_unpatchr;r¹r‰rŸrÀr6r6r7Ú kcare_unloadØsBÿý  ÿ  ÿ rÉcCs8tƒ}|rt|ƒS|jdkr"|jS|jdur4t ¡SdSr¸)rÖÚ_kcare_info_jsonr¹r²r×rr\rYr6r6r7rGs  rGcCsRd|ji}|jdur>| t t ¡¡¡| t | d¡¡¡|j |d<t   |¡S)NrÇzkpatch-descriptionz kpatch-state) r²r×rPrrÊrr\Zparse_patch_descriptionrêrIrdre)rÜr3r6r6r7rÊs    rÊc@s$eZdZdZdZdZdZdd„ZdS)r=rrrmrßcCs"||_||_||_||_||_dSr@)r¹r²Ú remote_lvlr×rI)r°r¹r²rËr×rIr6r6r7r¯$s z PLI.__init__N)rHr¦r§rr>ÚPATCH_UNAVALIABLEÚPATCH_NOT_NEEDEDr¯r6r6r6r7r=s r=c Csút ¡}z‚tdd}|rJt||ƒr6tjdd}}}qxtjdd}}}n.|dkrftjdd}}}ntjd d}}}t|||||ƒ}Wnjtyôtj }t j rÂd   t j t  ¡dt ¡¡}nd   t  ¡dt ¡t ¡¡}t||ddd ƒ}Yn0|S) NrÞrˆz*Update available, run 'kcarectl --update'.ZappliedzThe latest patch is applied.rz(This kernel doesn't require any patches.ZunsetzDNo patches applied, but some are available, run 'kcarectl --update'.zuInvalid sticky patch tag {0} for kernel ({1} {2}). Please check /etc/sysconfig/kcare/kcare.conf STICKY_PATCH settingsr©Z unavailable)rràrŽrar=r>rrÍr¨rÌr Ú STICKY_PATCHrªrr\r«r¬r­)Zcurrent_patch_levelZnew_patch_levelr¹r²rIrÞr6r6r7rÖ,sF  ý ý ý ý  þÿÿrÖc Csüd}zZt ¡}td|fd|fgƒ}t ¡d |¡}t |¡}t  t  |  ¡¡¡}t |dƒWSt y}zt ||¡WYd}~dSd}~0tyÀ}zt ||¡WYd}~dSd}~0työ}zt d |¡¡WYd}~d Sd}~00dS) zÁ Request to tag server from ePortal. See KCARE-947 for more info :param tag: String used to tag the server :return: 0 on success, -1 on wrong server id, other values otherwise NÚ server_idÚtagz/tag_server.plain?{0}r¹éýÿÿÿéüÿÿÿzInternal Error {0}éûÿÿÿ)rÚ get_serveridr"rrÈrªrrÉrrÊrfrr~rrrÌrrir„) rÐrjrÏZqueryrÎrÏrÐZueZeer6r6r7Ú tag_server^s"   rÕc Csðt d¡}t d |¡¡t}t ¡¶}z:t  ||j ¡}t  t   |¡|j ¡t |j |¡|j }Wn4ty–}zt d |¡¡WYd}~n d}~00tjd|t ¡gdd\}}}|rÎtd ||¡dd ‚Wdƒn1sâ0YdS) Nz doctor.shz#Requesting doctor script from `{0}`z3Kcare doctor error: {0}. Fallback to the local one.ZbashT)rzScript failed with '{0}' {1}zdoctor script failedr-)rrhrZlogdebugrªÚKCDOCTORÚtempfileZNamedTemporaryFilerZfetch_signaturer#Z save_to_filerrÉZcheck_gpg_signaturerir„rrÓrZget_patch_serverr)Z doctor_urlZdoctor_filenameZ doctor_dstZ signaturerÈr¹rirŸr6r6r7Úkcdoctorys   &rØcCsBt d t¡¡}zt |¡Wnty2YdS0t d¡dS)Nz{0}-new-versionFzwA new version of the KernelCare package is available. To continue to get kernel updates, please install the new versionT) rrhrªÚEFFECTIVE_LATESTrrÉrrr )rjr6r6r7Úcheck_new_kc_versionŠs ÿrÚc Cst ¡}t|ƒ}|tjkp*|tjko*|du}zt||ƒ}WnŠtjyˆ}z4|durV‚t   t |ƒ¡t   d¡tj }WYd}~nFd}~0t yÄ}z&|rž‚nt j d |¡¡WYd}~n d}~00|tjkrÖ|} n@|} |dur|tj krüt |d¡} n|tjkr|} ntdƒ‚| S)aÒ Get patch level to apply. :param reason: what was the source of request (update, info etc.) :param policy: REMOTE -- get latest patch_level from patchserver, LOCAL -- use cached latest, LOCAL_FIRST -- if cached level is None get latest from patchserver, use cache otherwise :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART :return: patch_level string Nz#Using previously downloaded patcheszUnable to send data: {0}rz9Unknown policy, choose one of: REMOTE, LOCAL, LOCAL_FIRST)rr­r¤r rNZPOLICY_LOCAL_FIRSTrr rrr r_Z POLICY_LOCALrirvrhrªr¢r) r‰rKrr•Z cached_levelZconsider_remote_exZ remote_levelrÐrr»r6r6r7rŽ—s2  (    rŽcCs–|dkr dS|dkrdn|t_ttddtjƒr€tjtjdtjdvrnt ¡rntjpXt }t dd d   |¡fƒt   d   |¡¡ntd   |¡d d‚dS)NÚedfr,rGZproberˆ©r1r‚)zfs.enforce_symlinksifownerzfs.symlinkown_gidzfs.enforce_symlinksifowner=1zfs.symlinkown_gid={0}z'{0}' patch type selectedz/'{0}' patch type is unavailable for your kernelzpatch type unavailabler-)r r1rrr Ú update_configrZ is_cpanelZ FORCE_GIDÚ CPANEL_GIDrrrªrr r)r=Úgidr6r6r7Úupdate_patch_typeÅs  þràZkernelc Cs†ttjƒ|tjkrtƒztd||d}Wn^tyŠ}zF|tjtj fvrttj rtt |ƒ}t j  |¡WYd}~dS‚WYd}~n d}~00t ¡}t|ƒ}| ¡t||ds¾t  d¡dSz(tjtjdddtjtjdd dWn tyt j  d ¡Yn0t ¡}|tjks$tjrntƒ2| |¡t|||||tj kd Wdƒn1sd0Yt |¡t ||ƒdS) ax :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART :param policy: REMOTE -- download latest and patches from patchserver, LOCAL -- use cached files, LOCAL_FIRST -- download latest and patches if cached level is None, use cache in other cases :param freezer: freezer mode rP)r‰rKrN)r_r`z%No updates are needed for this kernelrßz kcore*.dump)Zkeep_nÚpatternz kmsg*.logz#Error during crash reporter cleanup)r³)!r…r r1r rNrÚrŽr¨ÚUPDATE_MODE_AUTOÚUPDATE_MODE_SMARTrár_rrvrhrràr%r5rar rr“rrirwr­rÙrÔr<rµZdump_kernel_patch_levelr–) r¨rrKr»rÐr²rârÇr•r6r6r7Ú do_updateÜs:      8 räcCs”tttjƒttjptjƒttjp$tjƒfƒ}|dkr@tddd‚tjrLtjS|t j krptjp`tj}tjpltj}n tj}tj}|r„|S|rd|SdS)Nrz‰Invalid configuration: conflicting settings STICKY_PATCH, [AUTO_]UPDATE_DELAY or [AUTO_]STICKY_PATCHSET. There should be only one of themzconflicting sticky settingsr-zrelease-) rFÚboolr rÎZ UPDATE_DELAYZAUTO_UPDATE_DELAYZSTICKY_PATCHSETZAUTO_STICKY_PATCHSETrr ÚUPDATE_MODE_MANUAL)rrÃrÄZpatchsetr6r6r7Ú get_stickys,ýÿý  rçcCs |d|S)Nr9r6)rœr›r6r6r7Ú _stickyfy4srèc Cs"t|ƒ}|s|S|dkr"t||ƒSt ¡}|sDtj d¡t d¡zt   t   ¡d  |¡¡}Wn<tyœ}z$t ||j¡t d¡WYd}~n d}~00t t | ¡¡¡}t|dƒ}|dkrÔt|d |ƒS|d krà|S|d krtj d ¡t d ¡tj d|d¡t d¡dS)z„ Used to add sticky prefix to satisfy KCARE-953 :param file: name of the file to stickify :return: stickified file. ÚKEYzHPatch set to STICKY_PATCH=KEY, but server is not registered with the keyrÒz!/sticky_patch.plain?server_id={0}rÓNr¹rrœrrmzEServer ID is not recognized. Please check if the server is registeredr:zError: rÇrÑ)rçrèrrÔrrvrÞrOr?rrÉrrÈrªrrÌrjrrÊrfrr~)ÚfilerÚsrÏrÎrÐrÏr¹r6r6r7r8s2        rc Csòg}|s dS| d¡}|d}|dd…}| d¡}||krLtdt|ƒƒ‚|s`| ¡| ¡kS|dkrt| d¡n>| d ¡sˆ| d ¡rš| t |¡¡n| t |¡  d d ¡¡|D]}| t |¡¡q¶t  d d   |¡dtj ¡} |   |¡S)zhMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 Fr9rrNÚ*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)r;rÃr¥ÚreprÚlowerrOråÚreÚescapeÚreplaceÚcompiler<Ú IGNORECASErt) ZdnÚhostnameZ max_wildcardsZpatsÚpiecesZleftmostZ remainderZ wildcardsZfragZpatr6r6r7Ú_dnsname_matchds(    röc Csg}t| ¡ƒD]2}| |¡}| ¡dkrdd„t|ƒ d¡Dƒ}q|sPtdƒ‚g}|D]*\}}|dkrXt||ƒrxdS| |¡qX|sª|  ¡j }t||ƒr dS| |¡t |ƒdkrÔt d  |d  tt|ƒ¡¡ƒ‚n*t |ƒdkröt d   ||d ¡ƒ‚nt d ƒ‚dS) NZsubjectAltNamecSsg|]}| ¡ dd¡‘qS)r†r)r¡r;)r¿Úitr6r6r7rÁœrÂz"match_hostname..ú,ztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDZDNSrz(hostname {0} doesn't match either of {1}r¾zhostname {0} doesn't match {1}rz=no appropriate commonName or subjectAltName fields were found)ÚrangeZget_extension_countZ get_extensionZget_short_namer_r;r‚rörOZ get_subjectZ commonNamerr¥rªr<Úmaprí) ZcertrôZsanrÀrÐZdnsnamesrÍr`Zcnr6r6r7rü—s2  ÿ        rüc Cs8 tddd}|jdddd|jdd d dd|jd d dd|jd dddd|jdddd|jdddd|jdddd|jdddd|jdddd|jdddd|jdd dd|jd!d"dd|jd#d$dd|jd%d&dd|jd'd(d)d|jd*d+dd|jd,d-dd|jd.d/dd|jd0d1dd|jd2d3dd|jd4d5d6d|jd7d8d9d|jd:d;dd|jdd?dd|jd@dAdd|jdBdCddDdE|jdFdGdd|jdHdIdd|jdJdKdd|jdLdMdd|jdNdOdd|jdPdQdd|jdRdSdd|jdTdUdd|jdVdWdd|jdXdYdZtdd[d\|jd]d^dd|jd_d`dd| ¡}|jdadbdZd|jdcdddd|jdedfdd|jdgdhdZdd[di|jdjdkdldd[dm|jdndodp|jdqdrdd|jdsdtdudvdwtjsä|jdxdydzd{d[d||jd}d~dzd{dd||jd€ddd|jd‚dƒd„dd|jd…ddd|jd†d‡dˆdd|jd‰dŠd‹dd|jdŒddŽdd|jdd‘d’dd“d”|jd•d“dd|jd–d—dd| ¡}t ¡tjs tj d˜g7_ |j dur@t t d|j   d™¡ƒƒ tj ¡r|j?rì|j?t_@|jArt7 8d£t9¡d¤t_@tj@ Bd¥¡t_@tj@rDtj@tCvrDt"jD Ed¦ Ftj@d§ GtC¡¡¡|jHr^dt_Id¨|jHt_J|j=rptK|j=ƒtj;d¡kržtLƒt_;t7 8d© Ftj;p–d¢¡t9¡|jMr¾t' NtOjM|jPdª¡dS|jQrêtQjQd«ddd¬}t' NtP R|¡¡dStStj;ƒ|jTrtUƒdS|jVr–tW XtQjQd«ddd¬¡}d­ F|jY¡}|jZrDt' N|¡nRtW [|¡}|rft" \d® F|¡¡nt"j]d¯dd°|j^rˆt' N|¡n|r–| _¡|j`r¼|jPr²t`d±d²nt`ƒdS|jarÔtj,d³d´dS|jbrìtj,dµd´dS|jcrt d|jc¡dS|jertf|jeƒS|jgr&th g¡|jirVtj;d¶krFtj,d·d¸th i|ji|jj¡S|jkrtth k¡dškrpdšSd›S|jldurŠtm|jlƒS|jnržt' Ntjo¡tp|dzdƒdurÀtq r|js¡dšStj sø|jtrØtq u¡S|jvrøtq w¡durøt" \d¹¡|jx rtqjwtjydºn|jz r*tq {¡t" \d»¡|j| r@t' Ntq }¡¡|j~ rVt' Ntq ¡¡|j€ rztq ¡ rzt' Ntq ‚|j€¡¡|jƒdu rà|jƒdk rªtj„ p¦t…tqj† ‡¡ƒ}nd¼d½„|jƒ  d™¡Dƒ}tqjwtˆ|ƒd¾du ràt" \d¹¡|j‰ røtqjwtjydd¿|jŠ rt' Nt‹|jPdª¡d} |jŒ r.t7 8dÀt9¡dÁ} |j r<|j} |jŽ rVt| tjtj‘dÂ|j> rvt| tj’dºt" \dá|j rŒt' Nt“ ”¡¡|j• r¬t–| |j—dÄt" \dÅ¡|j rÚd[t_˜t™ št› œdšdÆ¡¡t| tjydº|j rît|jPdª|jž rütŸƒS|j  rt¡|jPdª|j¢ rt£ƒt¤tj¥ƒd›k r4t¦ƒdS)ÇNZkcarectlz)Manage KernelCare patches for your kernel)Zprogr´z--debugrGZ store_true)Úhelprºz-iz--infoz]Display information about KernelCare. Use with --json parameter to get result in JSON format.z --app-infozcDisplay information about KernelCare agent. Use with --json parameter to get result in JSON format.z-uz--updatez.)Úlimit)rrzQFlag --nofreeze has been deprecated and will be not available in future releases.r—)rrKzKernel is safe)rÆz=KernelCare protection disabled. Your kernel might not be safeé<)§rZ add_argumentr~Zadd_mutually_exclusive_groupr ZLIBCARE_DISABLEDZ parse_argsr Zset_settings_from_config_fileÚFLAGSZ has_flagsr*Úfilterr;ÚissubsetÚquietZ auto_updateZSILENCE_ERRORSr ZPRINT_CRITICALZ PRINT_LEVELZ PRINT_ERRORrZ PRINT_DEBUGržr+ÚgetuidÚprintrOrŸÚloggingÚINFOZWARNINGÚDEBUGrZinitialize_loggingZIGNORE_FEATURE_FLAGSZset_feature_flags_from_cacher–rZclear_all_cacheZset_patch_levelr_rrÝZset_sticky_patchrÎZ nosignaturer"Z no_check_certrúr‹rŒrZ edf_enabledÚwarningsÚwarnÚDeprecationWarningZ edf_disabledr1ZPREV_PATCH_TYPEZset_patch_typerPrœršr$r¡ÚEXPECTED_PREFIXrvrhrªr<ZlocalrcZ PATCH_SERVERràrçZapp_inforËrrdrrerFZdoctorrØZkernel_anomaly_reportrr Z archive_pathrþr r r Z keep_localr rÝZenable_auto_updateZdisable_auto_updateZ set_configZupdate_config_from_argsZset_monitoring_keyrÑZ unregisterrÚregisterZregister_autoretryrØrÐrÕrær]r^rZset_libcare_statusrZuserspace_statusZget_userspace_update_statusZ lib_updateZdo_userspace_updateZlib_auto_updaterâZ lib_unloadZlibcare_unloadZlib_inforHZlib_patch_infoZlibcare_patch_infoZ lib_versionZlibcare_server_startedZlibcare_versionZuserspace_updaterÚlistZ USERSPACE_MAPÚkeysÚsortedZuserspace_auto_updaterÞrGZnofreezer¨Z smart_updaterärãZ UPDATE_POLICYrærrÚr­rÉrÆZCHECK_CLN_LICENSE_STATUSrtruÚrandomZuniformrRrµrãZlatest_patch_inforUZcheckr@rÚargvrJ) ZparserZexclusive_groupr½r»rÞrZlocal_path_messagerrr¨r6r6r7ÚmainÀs| üýÿÿýýÿýüýýúÿû ÿ ÿ ÿÿÿûý               ÿ                         r)N)N)F)F)N)rGF)rGF)r)±Z __future__rrgrdr r+r«rrïr—rëZsslrOr×rtrNrZargparserÚ contextlibrrrGrrr r r r r rrrrrrrrrrrrrrrrZpy23rrr r!r"rÞrÙrr.rÖrrerÅròÚDOTALLr6rsr,r»ÚinsertÚfilterwarningsrÚAnyÚDictÚOptionalÚSetÚTupleÚUnionrvZsetLevelrr8r?rFrbrkr{r†r‘r–rr r¤r‚r¥r¨r·rrÑrÔrÝrãrçrérîr÷rør^Zdistutils.versionZ distutilsZ OpenSSL.SSLrùræZ StrictVersionÚ __version__Ú ImportErrorrïZHTTPSConnectionZPureHTTPSConnectionÚobjectrðrörrærrr$r%r@rJrUrDrWrRr^rarjrrrvrwryr{r~rr…rŠrŽrr‘r›ršr¡r¤r¥r©rµr²r±r‹rÂZlog_all_parent_processesrÉrGrÊr=rÖrÕrØrÚrNrŽràZtrack_update_statusrärçrèrrörürr6r6r6r7Ús    X    &    4  -! b +             " ?   -  2 .6 , 3)