a iqF@sddlZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZdZdZdZdZd Zd d d d d d Zgd ddggddZ ddZ!ddZ"Gddde#Z$ddZ%dIddZ&ddZ'ddZ(d d!Z)dJd#d$Z*d%d&Z+e"d'd(Z,e"d)d*Z-e"d+d,Z.d-d.Z/d/d0Z0d1d2Z1d3d4Z2d5d6Z3d7d8Z4e"e%d9d:Z5ej6e"e%e j7dfd;d<Z8e"d=d>Z9d?d@Z:dAdBZ;dKdCdDZdS)LN) auth capabilitiesconfigconfig_handlers constantserrorsfetch log_utils process_utilsselinux server_info update_utilsutils) HTTPErrorjson_loads_nstrurlquotez!/usr/libexec/kcare/libcare-client)z/run/libcare/libcare.sockz/var/run/libcare.sockz /var/cache/kcare/libcare_patchesz /var/cache/kcare/libcare_cvelistz&/etc/sysconfig/kcare/libcare.logrotatedbqemu)mysqldmariadbdpostgresqemu-kvmqemu-system-x86_64)rrrrr)libcZlibsslZnscdZlibm)rrlibscGstjjtjd|g|RS)N userspace)ospathjoinr PATCH_CACHE)libnamepartsr#-/usr/libexec/kcare/python/kcarectl/libcare.pyget_userspace_cache_path0sr%csfdd}|S)Ncsz|i|Wz tdWStyT}z tjd|ddWYd}~Sd}~00Sz tdWqty}z tjd|ddWYd}~qd}~00nHz tdWn8ty}z tjd|ddWYd}~n d}~000dS)N clearcachez$Libcare cache clearing failed: '{0}'F print_msg)libcare_client Exceptionr logerrorformat)argskwargserrclblr#r$wrapper5s * , z$clear_libcare_cache..wrapperr#r1r2r#r0r$clear_libcare_cache4s r4cs0eZdZdfdd Zd ddZddZZS) UserspacePatchLevelNcst||||SN)super__new__)clsr!buildidlevelbaseurl __class__r#r$r8CszUserspacePatchLevel.__new__cCs||_||_||_||_dSr6)r;r!r:r<)selfr!r:r;r<r#r#r$__init__FszUserspacePatchLevel.__init__cGst|j|jt|g|RSr6)r%r!r:str)r?r"r#r#r$ cache_pathLszUserspacePatchLevel.cache_path)N)N)__name__ __module__ __qualname__r8r@rB __classcell__r#r#r=r$r5Bs r5csddfdd}|S)Nc Ssd\}}z|durt}i}g}t|D]<}|dd||d<|dgD]}||dqNq(dd d |D}d|}Wtjt|d d tjt |d d n"tjt|d d tjt |d d 0dS) z(KPT-1543 Save info about applyed patches)rGNlatest-versionrGpackagepatchesZcve cSsg|]}d|qS) r).0recr#r#r$ ]zLrefresh_applied_patches_list..save_current_state..T) ensure_dir) _libcare_info_get_patches_infogetappendritemsr atomic_writeLIBCARE_PATCHESLIBCARE_CVE_LIST)infoZversionsZcvesZpackagesZ cves_listrOpatchr#r#r$save_current_stateQs   z8refresh_applied_patches_list..save_current_statecs0d}z|i|}|W|S|0dSr6r#)r-r.r[r1r]r#r$r2csz-refresh_applied_patches_list..wrapperr#r3r#r^r$refresh_applied_patches_listPsr_c Cs@tjpd}t|}t|}tt|d|||d}|dt d|7}t|d}zt t j |dd}Wn*tjytjt||d d Yn0t|jtt|}|d g}t|std |t|||d |d} t|d } t||| d} tj !| r2tj "| dkrt|d}zt j#|| tj$t %| dWn>t&y} z$| j'dvrt(dWYd} ~ n d} ~ 00t||| } dd| d| dg}t)j*|d d d\}}}|rt+d|||t||d}tj ,|stj -|rt|t.| |dt/|d|dS)Nmainuz latest.v1z?info=updaterF) check_licenseT) ignore_errorsrzkLatest LibCare patchset for {0} is incompatible with the current kernecare package version, please upgrade.r;r<z patch.tar.gzrZ patch_url)check_signature hash_checker)iizKC+ licence is requiredtarZxfz-Cz--no-same-owner catch_stdout catch_stderrz(Patches unpacking error: '{0}' '{1}' {2}latestz.tmp)0rPREFIXrstriprget_patch_server_url LIBNAME_MAPrUr Zencoded_server_lib_infor wrap_with_cache_keyr urlopen_authrNotFoundshutilrmtreer%rset_feature_flags_from_headersheadersrnstrreadrhas_lc_capabilitiesCapabilitiesMismatchr,r5rArrexistsgetsize fetch_url USE_SIGNATUREget_hash_checkerrcodeNoLibcareLicenseExceptionr run_command KcareErrorislinkisdirsymlinkrename)r!build_id patch_levelprefixurl cache_dstresponsemetarequired_capabilitiesr;plevelZ patch_pathexdstcmdrstdoutstderrZ link_namer#r#r$fetch_userspace_patchnsR             rcCsL| t_|sttj|rdndd|r0ttjd|r@dnddS)NFALSEYES)LIBCARE_DISABLEDzlibcare service is enableddisabled) rrlibcare_server_stopr update_configlibcare_server_startr kcarelogr[)rr#r#r$set_libcare_statussrcCs:ztddddg}Wnty*YdS0t|dS)Nservicez /usr/sbin/z/sbin/libcarestopr find_cmdr*rrr#r#r$rs  rcCsttjstjtjr:ttjddgttjddgn6ztddddg}Wnt ydYdS0t|dS)Nz reset-failedrZrestartzlibcare.socketrrstart) rSKIP_SYSTEMCTL_CHECKrrr{ SYSTEMCTLr rrr*rr#r#r$rs rTc sdddt|pgD}ddg}s6|dd|g7}z t|}Wn4tyv}ztd|WYd}~n d}~00g}|d D]0}|rz|t |Wqt yYq0qd d |D}|D]&}t fd d|d  D|d <q|S)N|css|]}d|VqdS)z({0})N)r,)rNprocr#r#r$ rQz _libcare_info..r[z-jz-lz-rz/Gathering userspace libraries info error: '{0}'rKcSs$g|]}|d|d|dqS)commpid)rrr)pop)rNliner#r#r$rPrQz!_libcare_info..c3s&|]\}}d|vss||fVqdS)patchlvlNr#)rNkvpatchedr#r$rrQr)rsortedr)r*rrr,splitrVjsonloads ValueErrordictrW)rlimitZregexprlinesr/resultrr#rr$rSs& & $rSc Cst}|D]0}|dD]\}}||d|dfqq g}tD]j}|D]`\}}t||t|d} tj| rLt | d } | t | WdqL1s0YqLqD|S)Nrr:rz info.jsonr) setrWadd USERSPACE_MAPr%rArrisfileopenrVrload) r[rJrO_datarrrrZpatch_info_filenamefdr#r#r$rTs   2rTcCs ttSr6)rTrSr#r#r#r$libcare_patch_info_basicsrcCs"t}|stdtd|iSNzNo patched processes.r)rr r+rdumpsrr#r#r$libcare_patch_infos rcCs"t}|stdtd|iSr)rSr r+rrrr#r#r$ libcare_infos rcCs*i}tD]}|dd||d<q |S)NrHrGrI)rrU)rrOr#r#r$_libcare_versions rcCs*tD]\}}||r |Sq dS)NrG)rrW startswith)r!rIversionr#r#r$libcare_version s  rcCsddd|DdS)NrQcss|]}t|dVqdS)N)rbstr)rNpr#r#r$rrQz(libcare_client_format..rrM)paramsr#r#r$libcare_client_formatsrcCs,tD]}tj|r|SqtddS)NzLibcare socket is not found.)LIBCARE_SOCKETrrr{rr)Zlibcare_socketr#r#r$get_available_libcare_sockets  rcGstjrtdttjtjd}|dd}z|t |tj t |}t dj|d|||d}|s~q||7}qn|dd }t d j|d |W|S|0dS) NzLibcare is disabled.r rQzLibcare socket send: {cmd}rizutf-8replacez!Libcare socket recieved: {result}r)rrrrsocketAF_UNIX SOCK_STREAM settimeoutconnectrLIBCARE_SOCKET_TIMEOUTrr logdebugr,sendallrecvdecodeclose)rsockresrrrr#r#r$r)s*        r)c Cs|D]}ztdt|Wn4tyN}ztd|WYd}~n d}~00z tdWqty}ztd|WYd}~qd}~00qdS)NZstoragez(Userspace storage switching error: '{0}'rbz%Userspace patch applying error: '{0}')r)r%r*rrr,)rrr/r#r#r$libcare_patch_apply5s& rc CsFz tdWn4ty@}ztd|WYd}~n d}~00dS)Nunloadz&Userspace patch unloading error: '{0}')r)r*rrr,)r/r#r#r$libcare_unloadBs rc Cstt|tjkr"tjs"dS|dur6tt }g}|D]}| t |gq>|snt d|dSt|d\}}}}|rtd|st ddSttjtjdtz t|Wn@tjy}z$t t|tdWYd}~n d}~00t} t| } ttdd | Ds4dSt d j|d t d j| d tdd | D} tdd | D} | | } t!dd | D}t djt"| |d| #D] \}}t d|t"|q| S)z0Patch userspace processes to the latest version.NzNo such userspace patches: {0}rz:There was an errors while patches downloading (unpacking).zNo patches were found.rz+There was an errors while patches applying.css|]}|dVqdS)rNr#)rNitemr#r#r$r}rQz&do_userspace_update..zPatched before: {before})beforezPatched after: {after})aftercss|]}|D] }|Vq qdSr6r#rNrWrr#r#r$rrQcss|]}|D] }|Vq qdSr6r#rr#r#r$rrQcss|]}t|VqdSr6)len)rNrr#r#r$rrQzThe patches have been successfully applied to {count} newly discovered processes. The overall amount of applied patches is {overall}.)countoverallz*Object `{0}` is patched for {1} processes.)$r log_all_parent_processesrotate_libcare_logsrUPDATE_MODE_AUTOrLIB_AUTO_UPDATElistrkeysextendrUr loginfor,check_userspace_updatesrrr restore_selinux_contextrrrr rr+rArS_get_userspace_procsanyrrvaluessumrrW)moderZprocess_filterZuserspace_patchfailedsomething_foundrrrZ data_afterrZuniq_procs_afterZuniq_procs_beforeZdiffrrrr#r#r$do_userspace_updateKsV     rcCsNzt\}}}}Wntjy(YdS0|r2dS|r:dStjddrJdSdS)Nr.libcarestatusfilenamer)rrrrstatus_gap_passed)rrlibs_not_patchedr#r#r$get_userspace_update_statussrcCs\i}|D]N}|dD]<\}}|dr||vr:g||<|||d|dfqq|S)Nrrrr)rWrUrVr[rrr!rOr#r#r$rs rc CsFt}|D]6}|dD]$\}}|||d|ddfqq |S)Nrr:rr)rrWrrUrr#r#r$_get_userspace_libss  rc s,sgfddtDtdd}t|}d}}d}t|D]}|\}}} z t||| d}| dkrrd}WqFtjy} zd}t t | WYd} ~ qFd} ~ 0tj tj fyYqFtj yYqFtjy} zd}tt | WYd} ~ qFd} ~ 00qFtjdd||||fS) Ncsg|]}|qSr#)r)rNrrr#r$rPrQz+check_userspace_updates..F)rrTrrr )rrrSrrrrrzr logwarnrArrrAlreadyTrialedExceptionrr+rtouch_status_gap_file) rZ data_beforerrrr rOr!rrerr#rr$rs4    "& rc s^d}d}tjddd}|rztj|tgdd\}}}Wn0tyf}zd}t|}WYd}~n d}~00|rtjd |dd ntj d dd d t j sdSt jd }zt }tdfdd|D}dd|D}|jddd} |D]8\}} | t j | 7} | |krt | tjd| qWn"tyXtjddd Yn0dS)NrrGZ logrotateF) raise_excT)rjrz5failed to run logrotate for libcare logs, stderr: {0}r'zlogrotate utility wasn't foundz/var/log/libcare/iz ^\d+\.log.*cs$g|]}|rtj|qSr#)matchrrr)rNfnZlibcare_log_directoryZ pidlog_rer#r$rPrQz'rotate_libcare_logs..cSsg|]}tj||fqSr#)rrgetctime)rNfpr#r#r$rPrQ)reversez%Removed %s because of logs size limitz)Failed to cleanup libcare server logfiles)r rrLIBCARE_LOGROTATE_CONFIGr*rAr r+r,rrrrr!LIBCARE_PIDLOGS_MAX_TOTAL_SIZE_MBlistdirrecompilesortr|removerr[logexc) rcrZlogrotate_pathrrZmax_total_sizeZ log_filesZ pidlog_filesZpidlog_files_with_ctZ total_sizefilepathr#rr$rs<       rcCsJztddddg}Wnty*YdS0tj|ddd\}}}|dkS) zKAssume that whenever the service is not running, we did not patch anything.rrrstatusFTrhrr)rrrr#r#r$libcare_server_starteds  r')N)TN)N)?rrrrsrrGrrrrrrr r r r r rrpy23rrrDictListTupleZLIBCARE_CLIENTrrYrZrrorr%r4intr5r_rrrrrSrTrrrrrrrr)rrskip_if_no_selinux_moduleUPDATE_MODE_MANUALrrrrrrr'r#r#r#r$sh< 3       G   "*