openstack/charm-glance
Code Issues Proposed changes
charm-glance/charmhelpers/contrib/hardening/audits/apache.py
Corey Bryant 981b86a3a1 V3 authtoken update and glance v1 icehouse 
Update the keystone authtoken template section to explicitly
specify v3 API when it is in use. This prevents errors that
result in "Could not find versioned identity endpoints when
attempting to authenticate".

Along with this change we remove the tests that verify the
keystone_authtoken section as it's generally agreed that
functional testing should catch issues with this config.
Also update requirements to fix pyyaml dep of charm-tools.

Finally get glance v1 client for icehouse. Previously the
image virt type was qemu and the compute node virt type was
kvm. This works for deployments prior to rocky but in rocky
this causes the image type filter to return no valid hosts.
An update to charmhelpers has removed the default behaviour
of setting the virt type to 'qemu' by default. Due to a bug
in icehouse updating glance image properties using the v2 api
fails (See Bug #1371559) so for icehouse deploys get a v1
client.

Change-Id: I4ca604c674bda5d5f7daca6a3e9d13c8b4bd4efa
Closes-Bug: #1794637
2018-10-04 07:48:29 -04:00

101 lines
3.4 KiB
Python
Raw Blame History

# Copyright 2016 Canonical Limited.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import re
import subprocess
import six
from charmhelpers.core.hookenv import (
log,
INFO,
ERROR,
)
from charmhelpers.contrib.hardening.audits import BaseAudit
class DisabledModuleAudit(BaseAudit):
"""Audits Apache2 modules.
Determines if the apache2 modules are enabled. If the modules are enabled
then they are removed in the ensure_compliance.
"""
def __init__(self, modules):
if modules is None:
self.modules = []
elif isinstance(modules, six.string_types):
self.modules = [modules]
else:
self.modules = modules
def ensure_compliance(self):
"""Ensures that the modules are not loaded."""
if not self.modules:
return
try:
loaded_modules = self._get_loaded_modules()
non_compliant_modules = []
for module in self.modules:
if module in loaded_modules:
log("Module '%s' is enabled but should not be." %
(module), level=INFO)
non_compliant_modules.append(module)
if len(non_compliant_modules) == 0:
return
for module in non_compliant_modules:
self._disable_module(module)
self._restart_apache()
except subprocess.CalledProcessError as e:
log('Error occurred auditing apache module compliance. '
'This may have been already reported. '
'Output is: %s' % e.output, level=ERROR)
@staticmethod
def _get_loaded_modules():
"""Returns the modules which are enabled in Apache."""
output = subprocess.check_output(['apache2ctl', '-M'])
if six.PY3:
output = output.decode('utf-8')
modules = []
for line in output.splitlines():
# Each line of the enabled module output looks like:
# module_name (static|shared)
# Plus a header line at the top of the output which is stripped
# out by the regex.
matcher = re.search(r'^ (\S*)_module (\S*)', line)
if matcher:
modules.append(matcher.group(1))
return modules
@staticmethod
def _disable_module(module):
"""Disables the specified module in Apache."""
try:
subprocess.check_call(['a2dismod', module])
except subprocess.CalledProcessError as e:
# Note: catch error here to allow the attempt of disabling
# multiple modules in one go rather than failing after the
# first module fails.
log('Error occurred disabling module %s. '
'Output is: %s' % (module, e.output), level=ERROR)
@staticmethod
def _restart_apache():
"""Restarts the apache process"""
subprocess.check_output(['service', 'apache2', 'restart'])
View Git Blame Copy Permalink