dbfdg 3 wh @stddlmZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddlm$Z$ddlm%Z%ddlm&Z&ddlm'Z'ddlm(Z(ddl)m*Z*m+Z+m,Z,m-Z-m.Z.ddl&m/Z/m0Z0m1Z1dZ2dZ3dZ4d!Z5d"Z6dZ7d$Z8d%Z9ej:d&ej;Zj?d(re j>j@dd(ejAd)eBd*ejCjDejEd+d,ZFd-d.ZGd/d0ZHd1d2ZId3d4ZJdd5d6ZKd7d8ZLd9d:ZMd;d<ZNd=d>ZOd?d@ZPdAdBZQGdCdDdDeRZSGdEdFdFe0ZTGdGdHdHe0ZUGdIdJdJe0ZVdKdLZWedMdNZXddOdPZYdQdRZZdSdTZ[iZ\dUdVZ]e]e,j^__e`e dWdsy8ddlaZbddlcZdebjejfedjgebjejfdXkrHehdYWnehk r`Yn8XdZd[Zie,jjZkGd\d]d]elZmGd^d_d_e,jjZnene,_jd`daZoejpfdbdcZqdddeZrdfdgZsGdhdidielZtdjdkZudldmZvddodpZwdqdrZxdsdtZyddudvZzdwdxZ{dydzZ|d{d|Z}d}d~Z~ddZddZddZddZddZddZddZddZddZddZddZdddZddZddZddZddZdddZddZddZddZddZdddZddZddZGdddZddZddZddZddZejejpfddZddZejfddZddZddÄZddńZdddDŽZddɄZdd˄ZdS))print_functionN)ArgumentParser)datetime)contextmanager)config) constants) log_utils)utils) process_utils)platform_utils) http_utils) ipv6_support)auth)serverid)config_handlers)libcare)selinux)fetch) update_utils)errors)kcare) server_info)URLError HTTPErrorhttplib urlencodejson_loads_nstr)SafeExceptionWrapper KcareErrorNotFoundcZv212h24h48htestz./etc/sysconfig/kcare/freezer.modules.blacklistz/usr/libexec/kcare/kcdoctor.sh latest.v2z /etc/sysconfig/kcare/sysctl.conf z$==BLACKLIST== (.*)==END BLACKLIST== z'(kpatch.*|ksplice.*|kpatch_livepatch.*)z/usr/libexec/kcare/pythonignore)categorycCsDt}tjjtr@ttd}x|D]}|j|jq"W|j|S)Nr) setospathisfileFREEZER_BLACKLISTopenaddrstripclose)resultfliner7./usr/libexec/kcare/python/kcarectl/__init__.pyget_freezer_blacklistLs   r9cCsB|jd}|r(dj|d||dg}ndj|d|dg}|S)N.rrr;)splitjoin)ptypefilenameZ name_partsr7r7r8 _apply_ptypeVs  r@cCsJt|tjt_t|tjt_t|tjt_t|tjt_t|tjt_dS)N)r@r PATCH_BIN PATCH_INFOBLACKLIST_FILE FIXUPS_FILE PATCH_DONE)r>r7r7r8 apply_ptype_s rFcCstj\}}}d}t|trbt|t rbyd|jtj|j|jf}Wqt t fk r^YqXnPt|t t t frt|t rd|}n*t|t r|jpt|j}|jpd|j}tj}tjtj|d|dt|dt||djtj|dt|ddd S) Nz[Errno %i] %s: '%s'z%srr__name__dattempts)Z agent_versionZpython_versiondistroZdistro_versionerrordetails tracebackrJ)sysexc_info isinstanceOSErrorrerrnor,strerrorr?AttributeError TypeErrorKeyErrorIOErrorretypetypeinnerrMr get_distrorVERSIONget_python_versiongetattrstrr=rNZ format_tb)rYvaluetbZdetails_sanitizedrKr7r7r8 format_exception_without_detailsgs*  rcc Csvtjr dStjt}tjtjtj |}tj dd|}t j |t j}yt j|Wntk rpYnXdS)Nz/api/kcarectl-tracez?trace=)rUPDATE_FROM_LOCALjsondumpsrcr nstrbase64Zurlsafe_b64encodeZbstrget_patch_server_urlr Z http_requestrZget_http_auth_stringZ urlopen_base Exception)ZtraceZ encoded_traceurlZrequestr7r7r8send_excs rlcCstj}|dkr tj|ddStjtj}|dkrBtjdtjdttjd&}tj |j dtj |j dWdQRX|rt j |y |Wn*t k rtjjdtjdYnXtjddS)z Run func in a fork in an own process group (will stay alive after kcarectl process death). :param func: function to execute :return: rNarzWait exception)r,forkwaitpidsetsid_exitr3r0rZLOG_FILEdup2filenotimesleeprjr kcarelog exception)funcrvpidfdr7r7r8 nohup_forks(      r|cCstjjtjd}tjj|rtt|dH}y,t|j}|t j t j krRt ||Wnt k rhYnXWdQRXtj|tjdS)aCheck the fact that there was a failed patching attempt. If anchor file not exists we should create an anchor with timestamp and schedule its deletion at $timeout. If anchor exists and its timestamp more than $timeout from now we should raise an error. z.kcareprev.lockr*N)r,r-r=r PATCH_CACHEr.r0intreadrSUCCESS_TIMEOUTruPreviousPatchFailedException ValueErrorr atomic_write timestamp_str)Zanchor_filepathZafile timestampr7r7r8 touch_anchors   rcCsxytjtjjtjdWntk r.YnXtd|tj j yt ddWn t k rrt jjdYnXdS)z See touch_anchor() for detailed explanation of anchor mechanics. See KPT-730 for details about action registration. :param state_data: dict with current level, kernel_id etc. z.kcareprev.lockdone)reasonzCannot send update info!N)r,remover-r=rr}rRregister_actionrget_loaded_modulesclearget_latest_patch_levelrjr rwrx) state_datar7r7r8 commit_updates  rcCs(tjtjjtjdtj||dddS)NpatchesrG)Z exclude_path) r clean_directoryr,r-r=rr}rget_cache_path)khashZplevelr7r7r8 clear_cachesrcCs>tjpd}dj||g}tjd|f}|r2||f7}tjj|S)Nnone-modules)rPREFIXr=rr}r,r-)rfnameprefixZ module_dirr4r7r7r8get_current_level_paths    rcCstjt|dt|dddS)NlatestT)Z ensure_dir)r rrr`)r patch_levelr7r7r8save_cache_latestsrc CsVt|d}tjj|rRy"tt|djj}tj ||St t fk rPYnXdS)Nrr*) rr,r-r.r~r0rstriprLegacyKernelPatchLevelrrV)rZpath_with_latestplr7r7r8get_cache_latests   rc@s eZdZdS)CertificateErrorN)rH __module__ __qualname__r7r7r7r8rsrc@seZdZddZdS)UnknownKernelExceptioncCs*tj|djtjdtjtjdS)NzLNew kernel detected ({0} {1} {2}). There are no updates for this kernel yet.r) rj__init__formatr r\platformreleaserget_kernel_hash)selfr7r7r8rszUnknownKernelException.__init__N)rHrrrr7r7r7r8rsrcs$eZdZfddZddZZS)ApplyPatchErrorcsFtt|j||||_||_||_||_tjd|_ t j |_ dS)Nr) superrrcode freezer_stylelevel patch_filer r\rKrr)rrrrrargskwargs) __class__r7r8rszApplyPatchError.__init__c Cs0dj|j|j|j|j|jdjdd|jDS)Nz0Unable to apply patch ({0} {1} {2} {3} {4}, {5})z, cSsg|] }t|qSr7)r`).0ir7r7r8 !sz+ApplyPatchError.__str__..)rrrrrKrr=r)rr7r7r8__str__szApplyPatchError.__str__)rHrrrr __classcell__r7r7)rr8rs rcs$eZdZfddZddZZS)rcs"tt|j||||_||_dS)N)rrrranchor)rrrrr)rr7r8r'sz%PreviousPatchFailedException.__init__cCsd}|j|j|jS)NzIt seems, the latest patch, applying at {0}, crashed, and further attempts will be suspended. To force patch applying, remove `{1}` file)rrr)rmessager7r7r8r,sz$PreviousPatchFailedException.__str__)rHrrrrrr7r7)rr8r&s rcCstjdj|}yrtj|}tjtj|j}t |d}|dkrPt dn2|dkrbt dn |dkrtt dnt d j||St k r}zt j ||WYdd}~XnXd S) Nz"/nagios/register_key.plain?key={0}rrzKey successfully registeredrzWrong key format or sizernz!No KernelCare license for that IPzUnknown error {0}r;)rget_registration_urlrr urlopenr data_as_dictrgrr~printrr print_cln_http_error)keyrkresponseresrer7r7r8!set_monitoring_key_for_ip_license5s      rc cs>tjrtjtjddz dVWdtjr8tjtjddXdS)NT)shell)rZBEFORE_UPDATE_COMMANDr run_commandZAFTER_UPDATE_COMMANDr7r7r7r8 execute_hooksIs  rcCst}|j}|j}tj}|dkrdt|tjtj t j |t t j|d}tdttj|nZtdtt|tdt|ttjttj tt j t|tt jdS)a1 The output will consist of: Ignore output up to the line with "--START--" Line 1: show if update is needed: 0 - updated to latest, 1 - update available, 2 - unknown kernel 3 - kernel doesn't need patches 4 - no license, cannot determine Line 2: licensing message (can be skipped, can be more then one line) Line 3: LICENSE: CODE: 1: license present, 2: trial license present, 0: no license Line 4: Update mode (True - auto-update, False, no auto update) Line 5: Effective kernel version Line 6: Real kernel version Line 7: Patchset Installed # --> If None, no patchset installed Line 8: Uptime (in seconds) If *format* is 'json' return the results in JSON format. Any other output means error retrieving info :return: re)Z updateCodeZ autoUpdateZeffectiveKernelZ realKernelZloadedPatchLevelZuptimelicensez --START--z LICENSE: N)_patch_level_infor applied_lvlr license_infor`r AUTO_UPDATEr kcare_unamerrr~r Z get_uptimerrerf)fmtpliZ update_codeZ loaded_plZlicense_info_resultZresultsr7r7r8 plugin_infoUs,     rc Cs^tj}ytdd}Wntk r4tjr0dSdSX|dkrBdS||krNdStjrZdSdS)Ninfo)rrrrn)rloaded_patch_levelrrrIGNORE_UNKNOWN_KERNELrZstatus_gap_passed) current_levelZlatest_patch_levelr7r7r8get_update_statussrcCs2tjdd\}}|dkr*|jdr*dSdSdS)NrnZ CloudLinuxz7.extrarG)r r\ startswith)rKversionr7r7r8edf_fallback_ptypesrcCsl|j|jf}tj||}tj||j|_|jjtj tj d|tkrZ|jj ddt|<|j rh|j dS)zFunction remembers IP address of host connected to and uses it for later connections. Replaces stdlib version of httplib.HTTPConnection.connect rNrn)hostZportCONNECTION_STICKY_MAPgetsocketZcreate_connectionZtimeoutsockZ setsockoptZ IPPROTO_TCPZ TCP_NODELAYZ getpeername _tunnel_hostZ_tunnel)rZaddrZ resolved_addrr7r7r8sticky_connects  rZHAS_SNIz0.13z%No pyOpenSSL module with SNI ability.cGsdS)NTr7)rr7r7r8dummy_verify_callbacksrc@s,eZdZddZddZddZddZd S) SSLSockcCs||_d|_dS)Nr) _ssl_conn_makefile_refs)rrr7r7r8rszSSLSock.__init__cGs&|jd7_tj|jf|ddiS)Nrr3T)rrZ _fileobjectr)rrr7r7r8makefileszSSLSock.makefilecCs"|j r|jr|jjd|_dS)N)rrr3)rr7r7r8r3s z SSLSock.closecGs |jj|S)N)rsendall)rrr7r7r8rszSSLSock.sendallN)rHrrrrr3rr7r7r7r8rsrc@seZdZddZdS)PyOpenSSLHTTPSConnectioncCstjj|tjjtjj}|jtjjtjj Bt j rJ|j tjj tn|j tjjt|jtjj||j}|j|jp|j}|j|j|jt j rt|j|t||_dS)N)rHTTPConnectionconnectOpenSSLZSSLZContextZ SSLv23_METHODZ set_optionsZ OP_NO_SSLv2Z OP_NO_SSLv3rCHECK_SSL_CERTSZ set_verifyZ VERIFY_PEERrZ VERIFY_NONEZset_default_verify_pathsZ ConnectionrZset_connect_staterrZset_tlsext_host_nameencodeZ do_handshakematch_hostnameZget_peer_certificater)rZctxZconnZ server_hostr7r7r8rs  z PyOpenSSLHTTPSConnection.connectN)rHrrrr7r7r7r8rsrc Cstjr&tj||}tjtj|ddSxd D]}tj ||d}tj|t ||d|}d}|rxt ||krxt j dq,ytjtj|ddStk r}z2|r|jd ks|jd krt j d j|w,WYdd}~Xq,Xq,WdS)NF) check_licenseT)secure_boot_info?iXzZbin_urlrrkr7r7r8 probe_patch.s(**r cCsF|tjkr|jtj}n |j|}|j|}tj||tjtj |dS)N)Z hash_checker) rKMOD_BINZkmod_urlr  cache_pathrZ fetch_urlr USE_SIGNATUREZget_hash_checker)rnamerkZdstr7r7r8fetch_and_verify_kernel_fileGs    rc@s>eZdZdddZddZddZdd Zd d Zd d ZdS) PatchFetcherNcCs ||_dS)N)r)rrr7r7r8rRszPatchFetcher.__init__cCs t|j|S)N)rr)rrr7r7r8_fetchUszPatchFetcher._fetchcCsr|jjtj}|jjtj}|jjtj}|jjtj}tdd||||fDopt j j |dkopt j j |dkS)Ncss|]}tjj|VqdS)N)r,r-r.)rr-r7r7r8 _sz0PatchFetcher.is_patch_fetched..r) rr rrErArBrr allr,r-getsize)rZpatch_done_pathZpatch_bin_pathZpatch_info_pathZ kmod_bin_pathr7r7r8is_patch_fetchedXszPatchFetcher.is_patch_fetchedcCs0|jdkrtd|js|jS|jr6tjd|jStjdt|jtjrytj |jj t j dd}Wnt k r~Yn(X|jjdd}|r|jjtj||_y|jt j Wn,t k rtdj|jt jpdYnX|jt j|jtj|jtj|jjt jd d d tjtj |jS) Nz+Cannot fetch patch as no patch level is setzUpdates already downloadedzDownloading updatesr)rz KC-Base-UrlzfThe `{0}` patch level is not found for `{1}` patch type. Please select valid patch type or patch leveldefaultwb)r)!rrrr rrQrrrrr rrAr rrupgrader rgrrr PATCH_TYPErBrr extract_blacklistrr rErrestore_selinux_contextr})rresprr7r7r8 fetch_patchds8      zPatchFetcher.fetch_patchcCsJt|jjtjdj}|rFtj|}|rFtj |jjtj |j ddS)Nr*r) r0rr rrBr BLACKLIST_REsearchr rrCgroup)rZbufZmor7r7r8rs  zPatchFetcher.extract_blacklistcCs|dkr dSyt|tj}Wntk r0dSX|jjdd}|rT|jtj|}|j tj}t |d}t dd|j D}WdQRXx|D]}t||qWt jtjdS)z Download fixup files for defined patch level :param level: download fixups for this patch level (usually it's a level of loaded patch) :return: None Nz KC-Base-Urlr*cSsg|] }|jqSr7)r)rfixupr7r7r8rsz-PatchFetcher.fetch_fixups..)rrrDr rrrr rgr r0r+ readlinesrrrr})rrrrZ fixups_fnamer5fixupsr#r7r7r8 fetch_fixupss    zPatchFetcher.fetch_fixups)N) rHrrrrrrrr&r7r7r7r8rPs   (rcCs6t}t|j|jtjkr(tjdn tjddS)Nrr)rrmsgrPLIPATCH_NEED_UPDATErOexit)rr7r7r8 kcare_checks    r+c Cst}t|}y tj}Wntk r2i}YnXtj}d}|dk r\tj|dj d}tj }t |j dg}t dd|D}tj}|stdntdtd j|td j||d krtd j||d krtd j|||d krtdtddS)NZUnknowntsz%Y-%m-%drcss|]}t|jdgVqdS)rN)rr)rZrecr7r7r8rsz$show_generic_info..z$KernelCare live patching is disabledz"KernelCare live patching is activez - Last updated on {0}z - Effective kernel version {0}rz* - {0} kernel vulnerabilities live patchedz- - {0} userspace vulnerabilities live patchedz% - This system has no applied patchesz(Type kcarectl --patch-info to learn more)r_kcare_patch_info_jsonrZlibcare_patch_info_basicrrZ get_staterZ fromtimestampZstrftimerrrsumrrr) r kcare_info libcare_infostateZ latest_updateZeffective_versionZkernel_vulnerabilitiesZuserspace_vulnerabilitiesrr7r7r8show_generic_infos4   r2Fc Csytdtjd}|st|jtj}tjt j |j }|rgi}}x>|j dD]0}tj |}|rxd|krx|j|qR|j|qRW||d<tj|}t|WnHtk r}ztj||jdSd}~Xntk rtdYnXd S) z Retrieve and output to STDOUT latest patch info, so it is easy to get list of CVEs in use. More info at https://cloudlinux.atlassian.net/browse/KCARE-952 :return: None r)rpolicyz z kpatch-namerrNzNo patches availabler)rr POLICY_REMOTErr rrBr rgrrrr<rappendupdatererfrrr rrk) is_jsonrrk patch_inforr4chunkdatarr7r7r8kcare_latest_patch_infos,       r;cCsd|ji}|jdk rt|}g}x>|jdD]0}tj|}|rRd|krR|j|q,|j|q,W||d<tj }|r||dnd|d<|S)Nrz z kpatch-namerrunknown) r'r_kcare_patch_infor<r rr5r6rZread_dumped_kernel_patch_level)rr4r8rr9r:Zsaved_patch_levelr7r7r8r-s     r-cCsPtj}tj||jtj}tjj|s.t dt |dj }|rLt j d|}|S)NzvCan't find information due to the absent patch information file. Please, run /usr/bin/kcarectl --update and try again.r*rG)rrrrrrBr,r-r.rr0rr sub)rrr rr7r7r8r=s  r=cCsTt}|s:|jdkrt|j|jdkr,dStt|nttjt|dddS)NrT)Z sort_keys) rrrr'rr=rerfr-)r7rr7r7r8r8s   r8cCs:tjd|g}tj|}tj}d}tj||tj||kS)Nz file-infozkpatch-build-time)r KPATCH_CTLr check_outputr _patch_infoZget_patch_value)new_patch_filerZnew_patch_infoZcurrent_patch_infoZbuild_time_labelr7r7r8 is_same_patch+s   rCcCsL|dkr dS|r||krdS||kr(dStjtj|tj}t|sHdSdS)NrFT)rrrrrArC) applied_level new_levelrBr7r7r8kcare_need_update3s rFcCsptjrltjjtotjttjs6tj j dj tdSt j dddtgdd\}}}|dkrltj j dj |dS) Nz-File {0} does not exist or has no read accessz /sbin/sysctlz-qz-pT) catch_stdoutrz%Unable to load kcare sysctl.conf: {0})rZUPDATE_SYSCTL_CONFIGr,r-r. SYSCTL_CONFIGaccessR_OKr rwwarningrr r)r_r7r7r8 update_sysctlEsrMc stjjtsttdjtjttjs>tj j dj tdSttdj}|j }|j dx,|D]$tfdd|Dsb|jqbWx|D]}|j|dqW|jWdQRXdS) z*Update SYSCTL_CONFIG accordingly the editsrmzFile {0} has no read accessNzr+rc3s|]}j|VqdS)N)r)rr*)r6r7r8rasz#edit_sysctl_conf.. )r,r-r.rHr0r3rIrJr rwrKrr$seekanywritetruncate)rr5Zsysctllinesrmr7)r6r8edit_sysctl_confPs     rTcCs*x$|D]}tj|rtdj|qWdS)NzDDetected '{0}' kernel module loaded. Please unload that module first)CONFLICTING_MODULES_REmatchrr)rmoduler7r7r8detect_conflicting_modulesis  rXcCsdjtjS)Nz/lib/modules/{0}/extra/kcare.ko)rr Zget_system_unamer7r7r7r8get_kcare_kmod_linkosrYc CsXtdd}tjtj|tj}tjj|s.dSt |d}|j dddkSQRXdS)Nr)rrbs~Module signature appended~ i) rrrrrr r,r-r.r0r)rZ kmod_fileZvfdr7r7r8kmod_is_signedss    r\cKs`d|g}x&|jD]\}}|jdj||qWtj|dd\}}}|dkr\tdj||dS)Nz /sbin/insmodz{0}={1}T)rGrzLUnable to load kmod ({0} {1}). Try to run with `--check-compatibility` flag.)itemsr5rr rr)ZkmodrcmdrrarrLr7r7r8 load_kmod|s r_cCs<tjrt rtdtjs0tjs0tjr8tddS)Nz4Secure boot is enabled. Not supported by KernelCare.zWYou are running inside a container. Kernelcare should be executed on host side instead.)r Zis_secure_bootr\rZinside_vz_containerZinside_lxc_containerZinside_docker_containerr7r7r7r8check_compatibilitysr`cCsPtjd}tj|dgdddddk}|rL|d krLtjdj|tjd dS) NZmodinfoZkmodlveT)rG catch_stderrrfreerz3{0} patch type conflicts with kmodlve kernel moduler)rbr)r Zfind_cmdrr logerrorrrOr*)r>r^Z has_kmodlver7r7r8check_patch_type_compatibilitys   rdcCsPtjddd|g}g}x4|jdD]&}|jr"|jd\}}}|j|q"W|S)Nz /sbin/modinfoz-FZparmrN:)r r@r<r partitionr5) kcare_linkstdoutZavailable_paramsr6Z param_namerLr7r7r8get_kmod_available_paramssricCsLtjr dndtjrdndtjr$tjndttjtr8tjndtjrDdnddS)NrrrG) kpatch_debugZ kmsg_outputZ kcore_outputZ kdumps_dirZenable_crashreporter) r KPATCH_DEBUGZ KMSG_OUTPUTZ KCORE_OUTPUTZKCORE_OUTPUT_SIZErQ KDUMPS_DIRr`ZENABLE_CRASHREPORTERr7r7r7r8make_kmod_new_paramss   rmcCsHtjr"tjjtj r"tjtjx tjD]\}}t||q.WdS)N) rrlr,r-existsmakedirsrmr]update_kmod_param)Zparamvalr7r7r8rs rcCstd}tjj||}tjj|s"dSy(t|d}|jt|WdQRXWn$tk rntj j d||YnXdS)Nz/sys/module/kcare/parameterswz!failed to set %s kmod param to %s) r,r-r=rnr0rQr`rjr rwrL)Zkmod_param_nameZ param_valueZ params_rootZ param_pathr5r7r7r8rps  rpc st}tj||tj}ytj||Wntk r>|}YnXtj rbt j j tj  rbt j tj t}t|tfdd|jD}t|f|tdS)Nc3s"|]\}}|kr||fVqdS)Nr7)rkv)available_kmod_paramsr7r8rsz"load_kcare_kmod..)rYrrrr shutilcopyrjrrlr,r-rnrormridictr]r_ update_depmod)rrrgZ kcare_fileZ kmod_paramsr7)rur8load_kcare_kmods   rzcCsXdg}|dk r|jd|gtj|ddd\}}}|rTtjdjdj|||dddS) Nz /sbin/depmodz-aT)rGraz%Running of `{0}` failed with {1}: {2} F)r)extendr rr rcrr=)unamer^rrLstderrr7r7r8rys rycCs4tjd|gdd\}}}|dkr0tdj||dS)Nz /sbin/rmmodT)rGrzUnable to unload {0} kmod {1})r rrr)modnamerrLr7r7r8 unload_kmodsrcCsTg}xJdg|D]<}tj||dj|}tjj|rt||jdj|qW|S)NZvmlinuxz fixup_{0}.koz fixup_{0})rrrr,r-rnr_r5)rrrZloadedmodZmodpathr7r7r8 apply_fixupss rc CsDx>|D]6}y t|Wqtk r:tjjd|YqXqWdS)Nz$Exception while unloading module %s.)rrjr rwrx)r%rr7r7r8 remove_fixupss   rcCs|r |}n6tjrtj}n(tj|r2d|tjdfSd|tjdfSdddddd}|j}||krj||}ntdj||tjd||tjdfS) NZfreeze_conflictTrFZ freeze_noneZ freeze_all)ZNONEZNOFREEZEZFULLZFREEZEZSMARTz3Unable to detect freezer style ({0}, {1}, {2}, {3}))rZ PATCH_METHODr9 intersectionupperrr)freezerrrZpatch_method_mapr7r7r8get_freezer_styles"  rrGcs|||dtdtj}tj}t|t||}tj||tj}t ||dj |tj t j tj|} d|k} | otj||} |dk } | ot|otj| } j|| d| rtddS| rtdt|||}tdt|td t|| r"td tdd } | sVszkcare_load..)rv)"rrrrrXrrrrArrrr rZ parse_unameZis_kmod_version_changedrCZkcare_update_effective_versionr6rkpatch_ctl_unpatchrrrzrkpatch_ctl_patchrMr rrrZtouch_status_gap_filer|r)rrrr use_anchorrrrr descriptionZ kmod_loadedrZ patch_loadedZ same_patchr%r7)rr8 kcare_loadsR              rc Cstjg}tj||tj}tjj|r2|j d|g|j dd|g|j d|dg|j |t j |dd\}}}|dkrt ||||dS)Nz-brz-dz-mrT)rG)rr?rrrrCr,r-rnr|r5r rr) rrrrrrZblacklist_filerrLr7r7r8rYs  rcCsZtjtjdd|dgddd\}}}|dkrVtjdj||ddtd j|t|dS) Nrz-mrT)rGraz4Error unpatching, kpatch_ctl stdout: {0} stderr: {1}F)rzError unpatching [{0}] {1}) r rrr?r rcrrr`)rrrhr~r7r7r8rfs  rcCs8||d<ttj|d<tjtjjtjdt |dS)Nactionr,z kcare.state) r~rur rr,r-r=rr}r`)rrr7r7r8rpsrcCspd}tjj|sdSxVtj|D]H}tjj||dd}tjj|sDq tj|}||kr tj|t|q WdS)Nz/usr/lib/modules/z weak-updateszkcare.ko) r,r-isdirlistdirr=islinkreadlinkunlinkry) kmod_linkZ modules_pathentryZ sym_link_pathZ target_pathr7r7r8update_weak_modulesvs    rc CsBtj}t}y|j|Wn4tk rP}z|s@tdj|WYdd}~XnXtj}t||}t d|kr|dk }|rt tj ||}t j tjdd|dgddd\} } } t|| dkrtjdj| | d d td j| t|tjtjtd td tdt} tjj| r,tj| t| WdQRXdS)NzUnable to retrieve fixups: '{0}'. The unloading of patches has been interrupted. To proceed without fixups, use the --force flag.rrz-mrT)rGraz4Error unpatching, kpatch_ctl stdout: {0} stderr: {1}F)rzError unpatching [{0}] {1}r)countdelay) rrrr&rjrrrrrrrr rrr?rr rcr`r ZretryrZ check_excUNLOAD_RETRY_DELAYrrYr,r-r.rr) rforcerpferrrrZ need_unpatchr%rrhr~rr7r7r8 kcare_unloads8    rcCs8t}|rt|S|jdkr"|jS|jdk r4tjSdS)Nr)r_kcare_info_jsonrr'rrrA)r7rr7r7r8r/s  r/cCsRd|ji}|jdk r>|jtjtj|jtj|jd|j |d<t j |S)Nrzkpatch-descriptionz kpatch-state) r'rr6r rrrAZparse_patch_descriptionrr1rerf)rr4r7r7r8rs    rc@s$eZdZdZdZdZdZddZdS)r(rrrnrcCs"||_||_||_||_||_dS)N)rr' remote_lvlrr1)rrr'rrr1r7r7r8rs z PLI.__init__N)rHrrrr)PATCH_UNAVALIABLEPATCH_NOT_NEEDEDrr7r7r7r8r(s r(c Cstj}ytdd}|rJt||r6tjdd}}}qxtjdd}}}n.|dkrftjdd}}}ntjd d}}}t|||||}Wnltk rtj }t j rd j t j t jdtj}nd j t jdtjtj}t||ddd }YnX|S) Nr)rz*Update available, run 'kcarectl --update'.ZappliedzThe latest patch is applied.rz(This kernel doesn't require any patches.ZunsetzDNo patches applied, but some are available, run 'kcarectl --update'.zuInvalid sticky patch tag {0} for kernel ({1} {2}). Please check /etc/sysconfig/kcare/kcare.conf STICKY_PATCH settingszLNew kernel detected ({0} {1} {2}). There are no updates for this kernel yet.Z unavailable)rrrrFr(r)rrrrr STICKY_PATCHrr r\rrr)Zcurrent_patch_levelZnew_patch_levelrr'r1rr7r7r8rs8   rc Csd}yXtj}td|fd|fg}tjdj|}tj|}tj tj |j }t |dSt k r}ztj||d Sd}~XnZtk r}ztj||d Sd}~Xn0tk r}ztjdj|d Sd}~XnXdS) z Request to tag server from ePortal. See KCARE-947 for more info :param tag: String used to tag the server :return: 0 on success, -1 on wrong server id, other values otherwise N server_idtagz/tag_server.plain?{0}rrzInternal Error {0})r get_serveridrrrrr rr rrgrr~rr rrrjrc) rrkrZqueryrrrZueZeer7r7r8 tag_server s"    rcCstjd}tjdj|t}tj}y:tj ||j }tj t j ||j tj|j ||j }Wn2tk r}ztjdj|WYdd}~XnXtjd|tjgdd\}}}|rtdj||WdQRXdS)Nz doctor.shz#Requesting doctor script from `{0}`z3Kcare doctor error: {0}. Fallback to the local one.ZbashT)razScript failed with '{0}' {1})r rir ZlogdebugrKCDOCTORtempfileZNamedTemporaryFilerZfetch_signaturerZ save_to_filer rZcheck_gpg_signaturerjrcr rrZget_patch_serverr)Z doctor_urlZdoctor_filenameZ doctor_dstZ signaturerrrLr~r7r7r8kcdoctor%s   "rc CsBtjdjt}ytj|Wntk r2dSXtjddS)Nz{0}-new-versionFzwA new version of the KernelCare package is available. To continue to get kernel updates, please install the new versionT) r rirEFFECTIVE_LATESTr rrr r)rkr7r7r8check_new_kc_version6src Cstj}t|}|tjkp*|tjko*|dk}yt||}Wn<tk rv}z |rTntj j dj |WYdd}~XnX|tjkr|}n<|}|dkr|tj krtj |d}n|tjkr|}ntd|S)a Get patch level to apply. :param reason: what was the source of request (update, info etc.) :param policy: REMOTE -- get latest patch_level from patchserver, LOCAL -- use cached latest, LOCAL_FIRST -- if cached level is None get latest from patchserver, use cache otherwise :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART :return: patch_level string NzUnable to send data: {0}rz9Unknown policy, choose one of: REMOTE, LOCAL, LOCAL_FIRST)rrrrr4ZPOLICY_LOCAL_FIRSTrrjr rwrKrZ POLICY_LOCALrr) rr3rrZ cached_levelZconsider_remote_exZ remote_levelrrr7r7r8rCs& $   rcCs|dkr dS|dkrdn|t_ttddtjrtjtjdtjdkrntjrntjpXt }t dd d j |ft j d j |ntdj |dS)NedfrrGZprobe)r)rrbrfs.enforce_symlinksifownerfs.symlinkown_gidzfs.enforce_symlinksifowner=1zfs.symlinkown_gid={0}z'{0}' patch type selectedz/'{0}' patch type is unavailable for your kernel)rbr)rr)rrr rr update_configr Z is_cpanelZ FORCE_GID CPANEL_GIDrTrr rr)r>Zgidr7r7r8update_patch_typehs rc $Csntjttj|tjkr"tytd||d}WnRt k r}z6|tj tj fkrttj rtt |}tjj|dSWYdd}~XnXtj}t|}|jt||dstjddSy(tjtjdddtjtjdd dWn"tk rtjjd YnXtj}|tj ks"tjrVt(|j|t |||||tj kd WdQRXtj!|t"||dS) ax :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART :param policy: REMOTE -- download latest and patches from patchserver, LOCAL -- use cached files, LOCAL_FIRST -- download latest and patches if cached level is None, use cache in other cases :param freezer: freezer mode r6)rr3rN)rDrEz%No updates are needed for this kernelrz kcore*.dump)Zkeep_nZpatternz kmsg*.logz#Error during crash reporter cleanup)r)#r Zlog_all_parent_processesrdrrrr4rrrUPDATE_MODE_AUTOUPDATE_MODE_SMARTrr`r rwrKrrrrrFrr rrlrjrxrrrr&rZdump_kernel_patch_levelr) rrr3rrr'rrrr7r7r8 do_update~s<      " rcCstttjttjptjttjp$tjf}|dkr|jd s|jd r|jtj|n|jtj|j d d x|D]}|jtj|qWtj d d j |dtj } | j |S)zhMatching according to RFC 6125, section 6.4.3 http://tools.ietf.org/html/rfc6125#section-6.4.3 Fr:rrN*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)r<rrreprlowerr5rreescapereplacecompiler=Z IGNORECASErV) ZdnhostnameZ max_wildcardsZpatspiecesZleftmostZ remainderZ wildcardsZfragZpatr7r7r8_dnsname_matchs(     rc Cs g}xBt|jD]2}|j|}|jdkrddt|jdD}qW|sTtdg}x0|D](\}}|dkr^t||r|dS|j|q^W|s|j j }t||rdS|j|t |dkrt dj |d jtt|n,t |dkrt d j ||d nt d dS) NZsubjectAltNamecSsg|]}|jjddqS)rer)rr<)ritr7r7r8r<sz"match_hostname..,ztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDZDNSrz(hostname {0} doesn't match either of {1}z, zhostname {0} doesn't match {1}rz=no appropriate commonName or subjectAltName fields were found)rangeZget_extension_countZ get_extensionZget_short_namer`r<rrr5Z get_subjectZ commonNamerrrr=mapr) ZcertrZsanrrZdnsnamesrraZcnr7r7r8r7s0       rcCs$ tddd}|jdddd|jdd d dd|jd d dd|jd dddd|jdddd|jdddd|jdddd|jdddd|jdddd|jdddd|jdd dd|jd!d"dd|jd#d$dd|jd%d&dd|jd'd(d)d|jd*d+dd|jd,d-dd|jd.d/dd|jd0d1dd|jd2d3dd|jd4d5d6d|jd7d8d9d|jd:d;dd|jdd?dd|jd@dAdd|jdBdCdd|jdDdEdd|jdFdGdd|jdHdIdd|jdJdKdd|jdLdMdd|jdNdOdPtddQdR|jdSdTdd|jdUdVdd|j}|jdWdXdPd|jdYdZdd|jd[d\dd|jd]d^dPddQd_|jd`dadbddQdc|jdddedf|jdgdhdd|jdidjdkdldmtjs|jdndodpdqdQdr|jdsdtdpdqdudr|jdvdwdd|jdxdydzdd|jd{ddd|jd|d}d~dd|jddddd|jddddd|jdddddd|jdddd|jdddd|j}tjjt j tjstj dg7_ |j dk rt td|j jdjtj rdSdS|js|jr2tjr(tjt_ntjt_n|jrBtjt_|jsjtjdkrjtdtjddSt j!}|jrt j"}n|jrt j#}t$j%||j&rt'j(|j)r|j)dkrt*|j)t_+t j,tj+dndt_+t j,dd|j-dk r t j,|j-d|j-t_.|j/rdQt_0|j1r(dQt_2|j3r6dut_4|j5rDt5|j6rZt7j8dt9n8|j:rtj;dkrtjr|j>t_?|j@rt7j8dt9dt_?tj?jAdt_?tj?rtj?tBkrt$jCjDdjEtj?djFtB|jGrdut_Hd|jGt_I|j=r&tJ|j=tj;dkrTtKt_;t7j8djEtj;pLdt9|jLrrttMjL|jNddStOtj;|jPrtQdS|jRr|jNrtRddntRdS|jSrt j,dddS|jTrt j,dddS|jUrt jV|jUdS|jWrtX|jWS|jYrtZjY|j[rNtj;dkr>t j,ddtZj[|j[|j\S|j]rltZj]dkrhdSdS|j^dk rt_|j^S|j`rttjatb|dpddk rtcjd|jedStjs|jfrtcjgS|jhrtcjidk rt$jjd|jkrtcjitjldn|jmr tcjnt$jjd|jor4ttcjp|jqrHttcjr|jsrjtcjtrjttcju|js|jvdk r|jvdkrtjwptxtcjyjz}ndd|jvjdD}tcjit{|ddk rt$jjd|j|rtcjitjldd|j} rtt~|jNdd}|j rt7j8dt9d}|j r*|j}|j rDt|tjtjd|j rdt|tjdt$jjd|j rxttj|j rt||jdt$jjd|j rdQt_tjtjddt|tjld|j rt|jNd|j rtS|j rt|jNd|j r tttjdk r tdS)NZkcarectlz)Manage KernelCare patches for your kernel)Zprogrz--debugrGZ store_true)helprz-iz--infoz]Display information about KernelCare. Use with --json parameter to get result in JSON format.z --app-infozcDisplay information about KernelCare agent. Use with --json parameter to get result in JSON format.z-uz--updatez.)limit)rrzQFlag --nofreeze has been deprecated and will be not available in future releases.r)rr3zKernel is safe)rz=KernelCare protection disabled. Your kernel might not be safe<)rZ add_argumentr~Zadd_mutually_exclusive_grouprZLIBCARE_DISABLEDZ parse_args__dict__r6rZget_config_settingsZFLAGSZ has_flagsr+filterr<issubsetquietZ auto_updateZSILENCE_ERRORSrZPRINT_CRITICALZ PRINT_LEVELZ PRINT_ERRORr Z PRINT_DEBUGr}r,getuidrrOr~loggingZINFOZWARNINGDEBUGr Zinitialize_loggingrr Zclear_all_cacheZset_patch_levelr`rrZset_sticky_patchrZ nosignaturerZ no_check_certrrjrkr`Z edf_enabledwarningswarnDeprecationWarningZ edf_disabledrZPREV_PATCH_TYPEZset_patch_typerrr%rEXPECTED_PREFIXrwrKrr=ZlocalrdZ PATCH_SERVERrrZapp_infor rerFZdoctorrrZenable_auto_updateZdisable_auto_updateZ set_configZupdate_config_from_argsZset_monitoring_keyrZ unregisterrregisterZregister_autoretryrrrrr]r_rZset_libcare_statusrZuserspace_statusZget_userspace_update_statusZ lib_updateZdo_userspace_updaterZlib_auto_updaterZ lib_unloadZlibcare_unloadZlib_infor0Zlib_patch_infoZlibcare_patch_infoZ lib_versionZlibcare_server_startedZlibcare_versionZuserspace_updaterlistZ USERSPACE_MAPkeyssortedZuserspace_auto_updaterr/ZnofreezerZ smart_updaterrZ UPDATE_POLICYrrrrrrZCHECK_CLN_LICENSE_STATUSrurvrandomZuniformr8ZstatusrZlatest_patch_infor;Zcheckr+rargvr2)ZparserZexclusive_grouprrrrr7r7r8main`s                                             r)r"r#r$r%)r&)N)N)F)F)N)rGF)rGF)r)Z __future__rrhrerr,rrrrvrZsslrOrrurNrZargparserr contextlibrrGrrr r r r r rrrrrrrrrrrZpy23rrrrrrrr rrrr/rrrHrrZDOTALLr rUr-rinsertfilterwarningsrrwZsetLevelrr9r@rFrcrlr|rrrrrrrrrrrrrrrrrrrrr_Zdistutils.versionZ distutilsZ OpenSSL.SSLrrZ StrictVersionZ __version__ ImportErrorrZHTTPSConnectionZPureHTTPSConnectionobjectrrrrrr rrr+r2r;r-r=r8rCrFrMrTrXrYr\r_r`rdrirmrrprzryrrrrrrrrrrr/rr(rrrrr4rrrrrrrrrr7r7r7r8s                          &    4   a #           ?   ,  2 %7, 3)