#!/usr/bin/python """ Script to register a new host to Foreman/Satellite or move it from Satellite 5 to 6. Use `pydoc ./bootstrap.py` to get the documentation. Use `awk -F'# >' 'NF>1 {print $2}' ./bootstrap.py` to see the flow. Use `/usr/libexec/platform-python bootstrap.py` on RHEL8 """ import getpass try: # pylint:disable=invalid-name import urllib2 from urllib import urlencode urllib_urlopen = urllib2.urlopen urllib_urlerror = urllib2.URLError urllib_httperror = urllib2.HTTPError urllib_basehandler = urllib2.BaseHandler urllib_request = urllib2.Request urllib_build_opener = urllib2.build_opener urllib_install_opener = urllib2.install_opener except ImportError: # pylint:disable=invalid-name,no-member import urllib import urllib.request import urllib.error from urllib.parse import urlencode urllib_urlopen = urllib.request.urlopen urllib_urlerror = urllib.error.URLError urllib_httperror = urllib.error.HTTPError urllib_basehandler = urllib.request.BaseHandler urllib_request = urllib.request.Request urllib_build_opener = urllib.request.build_opener urllib_install_opener = urllib.request.install_opener import base64 import sys try: from commands import getstatusoutput NEED_STATUS_SHIFT = True except ImportError: from subprocess import getstatusoutput NEED_STATUS_SHIFT = False import platform import socket import os import pwd import glob import shutil import tempfile from datetime import datetime from optparse import OptionParser # pylint:disable=deprecated-module try: from ConfigParser import SafeConfigParser except ImportError: from configparser import ConfigParser as SafeConfigParser try: import yum # pylint:disable=import-error USE_YUM = True except ImportError: import dnf # pylint:disable=import-error USE_YUM = False import rpm # pylint:disable=import-error VERSION = '1.7.9' # Python 2.4 only supports octal numbers by prefixing '0' # Python 3 only support octal numbers by prefixing '0o' # Therefore use the decimal notation for file permissions OWNER_ONLY_DIR = 448 # octal: 700 OWNER_ONLY_FILE = 384 # octal: 600 def get_architecture(): """ Helper function to get the architecture x86_64 vs. x86. """ return os.uname()[4] ERROR_COLORS = { """Colors to be used by the multiple `print_*` functions.""" 'HEADER': '\033[95m', 'OKBLUE': '\033[94m', 'OKGREEN': '\033[92m', 'WARNING': '\033[93m', 'FAIL': '\033[91m', 'ENDC': '\033[0m', } SUBSCRIPTION_MANAGER_SERVER_TIMEOUT_VERSION = '1.18.2' SUBSCRIPTION_MANAGER_MIGRATION_MINIMAL_VERSION = '1.14.2' SUBSCRIPTION_MANAGER_MIGRATION_REMOVE_PKGS_VERSION = '1.18.2' def filter_string(string): """Helper function to filter out passwords from strings""" if options.password: string = string.replace(options.password, '******') if options.legacy_password: string = string.replace(options.legacy_password, '******') return string def print_error(msg): """Helper function to output an ERROR message.""" print_message(color_string('ERROR', 'FAIL'), 'EXITING: [%s] failed to execute properly.' % msg) def print_warning(msg): """Helper function to output a WARNING message.""" print_message(color_string('WARNING', 'WARNING'), 'NON-FATAL: [%s] failed to execute properly.' % msg) def print_success(msg): """Helper function to output a SUCCESS message.""" print_message(color_string('SUCCESS', 'OKGREEN'), '[%s], completed successfully.' % msg) def print_running(msg): """Helper function to output a RUNNING message.""" print_message(color_string('RUNNING', 'OKBLUE'), '[%s]' % msg) def print_generic(msg): """Helper function to output a NOTIFICATION message.""" print_message('NOTIFICATION', '[%s]' % msg) def print_message(prefix, msg): """Helper function to output a message with a prefix""" print("[%s], [%s], %s" % (prefix, datetime.now().strftime('%Y-%m-%d %H:%M:%S'), msg)) def color_string(msg, color): """Helper function to add ANSII colors to a message""" return '%s%s%s' % (ERROR_COLORS[color], msg, ERROR_COLORS['ENDC']) def exec_failok(command): """Helper function to call a command with only warning if failing.""" return exec_command(command, True) def exec_failexit(command): """Helper function to call a command with error and exit if failing.""" return exec_command(command, False) def exec_command(command, failok=False): """Helper function to call a command and handle errors and output.""" filtered_command = filter_string(command) print_running(filtered_command) retcode, output = getstatusoutput(command) if NEED_STATUS_SHIFT: retcode = os.WEXITSTATUS(retcode) print(output) if retcode != 0: if failok: print_warning(filtered_command) else: print_error(filtered_command) sys.exit(retcode) else: print_success(filtered_command) return retcode def delete_file(filename): """Helper function to delete files.""" if not os.path.exists(filename): print_generic("%s does not exist - not removing" % filename) return try: os.remove(filename) print_success("Removing %s" % filename) except OSError: exception = sys.exc_info()[1] print_generic("Error when removing %s - %s" % (filename, exception.strerror)) print_error("Removing %s" % filename) sys.exit(1) def delete_directory(directoryname): """Helper function to delete directories.""" if not os.path.exists(directoryname): print_generic("%s does not exist - not removing" % directoryname) return try: shutil.rmtree(directoryname) print_success("Removing %s" % directoryname) except OSError: exception = sys.exc_info()[1] print_generic("Error when removing %s - %s" % (directoryname, exception.strerror)) print_error("Removing %s" % directoryname) sys.exit(1) def call_yum(command, params="", failonerror=True): """ Helper function to call a yum command on a list of packages. pass failonerror = False to make yum commands non-fatal """ exec_command("/usr/bin/yum -y %s %s" % (command, params), not failonerror) def check_migration_version(required_version): """ Verify that the command 'subscription-manager-migration' isn't too old. """ status, err = check_package_version('subscription-manager-migration', required_version) return (status, err) def check_subman_version(required_version): """ Verify that the command 'subscription-manager' isn't too old. """ status, _ = check_package_version('subscription-manager', required_version) return status def check_package_version(package_name, package_version): """ Verify that the version of a package """ required_version = ('0', package_version, '1') err = "%s not found" % package_name transaction_set = rpm.TransactionSet() db_result = transaction_set.dbMatch('name', package_name) for package in db_result: try: p_name = package['name'].decode('ascii') p_version = package['version'].decode('ascii') except AttributeError: p_name = package['name'] p_version = package['version'] if rpm.labelCompare(('0', p_version, '1'), required_version) < 0: err = "%s %s is too old" % (p_name, p_version) else: err = None return (err is None, err) def setup_yum_repo(url, gpg_key): """ Configures a yum repository at /etc/yum.repos.d/katello-client-bootstrap-deps.repo """ submanrepoconfig = SafeConfigParser() submanrepoconfig.add_section('kt-bootstrap') submanrepoconfig.set('kt-bootstrap', 'name', 'Subscription-manager dependencies for katello-client-bootstrap') submanrepoconfig.set('kt-bootstrap', 'baseurl', url) submanrepoconfig.set('kt-bootstrap', 'enabled', '1') submanrepoconfig.set('kt-bootstrap', 'gpgcheck', '1') submanrepoconfig.set('kt-bootstrap', 'gpgkey', gpg_key) submanrepoconfig.write(open('/etc/yum.repos.d/katello-client-bootstrap-deps.repo', 'w')) print_generic('Building yum metadata cache. This may take a few minutes') call_yum('makecache') def install_prereqs(): """ Install subscription manager and its prerequisites. If subscription-manager is installed already, check to see if we are migrating. If yes, install subscription-manager-migration. Else if subscription-manager and subscription-manager-migration are available in a configured repo, install them both. Otherwise, exit and inform user that we cannot proceed """ print_generic("Checking subscription manager prerequisites") if options.deps_repository_url: print_generic("Enabling %s as a repository for dependency RPMs" % options.deps_repository_url) setup_yum_repo(options.deps_repository_url, options.deps_repository_gpg_key) if USE_YUM: yum_base = yum.YumBase() pkg_list = yum_base.doPackageLists(patterns=['subscription-manager']) subman_installed = pkg_list.installed subman_available = pkg_list.available else: dnf_base = dnf.Base() dnf_base.conf.read() dnf_base.conf.substitutions.update_from_etc('/') dnf_base.read_all_repos() dnf_base.fill_sack() pkg_list = dnf_base.sack.query().filter(name='subscription-manager') subman_installed = pkg_list.installed().run() subman_available = pkg_list.available().run() call_yum("remove", "subscription-manager-gnome", False) if subman_installed: if check_rhn_registration() and 'migration' not in options.skip: print_generic("installing subscription-manager-migration") call_yum("install", "'subscription-manager-migration-*'", False) print_generic("subscription-manager is installed already. Attempting update") call_yum("update", "subscription-manager", False) call_yum("update", "'subscription-manager-migration-*'", False) elif subman_available: print_generic("subscription-manager NOT installed. Installing.") call_yum("install", "subscription-manager") call_yum("install", "'subscription-manager-migration-*'", False) else: print_error("Cannot find subscription-manager in any configured repository. Consider using the --deps-repository-url switch to specify a repository with the subscription-manager RPMs") sys.exit(1) if 'prereq-update' not in options.skip: call_yum("update", "yum openssl python", False) if options.deps_repository_url: delete_file('/etc/yum.repos.d/katello-client-bootstrap-deps.repo') def is_fips(): """ Checks to see if the system is FIPS enabled. """ try: fips_file = open("/proc/sys/crypto/fips_enabled", "r") fips_status = fips_file.read(1) except IOError: fips_status = "0" return fips_status == "1" def get_rhsm_proxy(): """ Return the proxy server settings from /etc/rhsm/rhsm.conf as dictionary proxy_config. """ rhsmconfig = SafeConfigParser() rhsmconfig.read('/etc/rhsm/rhsm.conf') proxy_options = [option for option in rhsmconfig.options('server') if option.startswith('proxy')] proxy_config = {} for option in proxy_options: proxy_config[option] = rhsmconfig.get('server', option) return proxy_config def set_rhsm_proxy(proxy_config): """ Set proxy server settings in /etc/rhsm/rhsm.conf from dictionary saved_proxy_config. """ rhsmconfig = SafeConfigParser() rhsmconfig.read('/etc/rhsm/rhsm.conf') for option in proxy_config.keys(): rhsmconfig.set('server', option, proxy_config[option]) rhsmconfig.write(open('/etc/rhsm/rhsm.conf', 'w')) def get_bootstrap_rpm(clean=False, unreg=True): """ Retrieve Client CA Certificate RPMs from the Satellite 6 server. Uses --insecure options to curl(1) if instructed to download via HTTPS This function is usually called with clean=options.force, which ensures clean_katello_agent() is called if --force is specified. You can optionally pass unreg=False to bypass unregistering a system (e.g. when moving between capsules. """ if clean: clean_katello_agent() if os.path.exists('/etc/rhsm/ca/katello-server-ca.pem'): print_generic("A Katello CA certificate is already installed. Assuming system is registered.") print_generic("If you want to move the system to a different Content Proxy in the same setup, please use --new-capsule.") print_generic("If you want to remove the old host record and all data associated with it, please use --force.") print_generic("Exiting.") sys.exit(1) if os.path.exists('/etc/pki/consumer/cert.pem') and unreg: print_generic('System appears to be registered via another entitlement server. Attempting unregister') unregister_system() if options.download_method == "https": print_generic("Writing custom cURL configuration to allow download via HTTPS without certificate verification") curl_config_dir = tempfile.mkdtemp() curl_config = open(os.path.join(curl_config_dir, '.curlrc'), 'w') curl_config.write("insecure") curl_config.close() os.environ["CURL_HOME"] = curl_config_dir print_generic("Retrieving Client CA Certificate RPMs") exec_failexit("rpm -Uvh https://%s/pub/katello-ca-consumer-latest.noarch.rpm" % options.foreman_fqdn) print_generic("Deleting cURL configuration") delete_directory(curl_config_dir) os.environ.pop("CURL_HOME", None) else: print_generic("Retrieving Client CA Certificate RPMs") exec_failexit("rpm -Uvh http://%s/pub/katello-ca-consumer-latest.noarch.rpm" % options.foreman_fqdn) def disable_rhn_plugin(): """ Disable the RHN plugin for Yum """ if os.path.exists('/etc/yum/pluginconf.d/rhnplugin.conf'): rhnpluginconfig = SafeConfigParser() rhnpluginconfig.read('/etc/yum/pluginconf.d/rhnplugin.conf') if rhnpluginconfig.get('main', 'enabled') == '1': print_generic("RHN yum plugin was enabled. Disabling...") rhnpluginconfig.set('main', 'enabled', '0') rhnpluginconfig.write(open('/etc/yum/pluginconf.d/rhnplugin.conf', 'w')) if os.path.exists('/etc/sysconfig/rhn/systemid'): os.rename('/etc/sysconfig/rhn/systemid', '/etc/sysconfig/rhn/systemid.bootstrap-bak') def enable_rhsmcertd(): """ Enable and restart the rhsmcertd service """ enable_service("rhsmcertd") exec_service("rhsmcertd", "restart") def is_registered(): """ Check if all required certificates are in place (i.e. a system is registered to begin with) before we start changing things """ return (os.path.exists('/etc/rhsm/ca/katello-server-ca.pem') and os.path.exists('/etc/pki/consumer/cert.pem')) def migrate_systems(org_name, activationkey): """ Call `rhn-migrate-classic-to-rhsm` to migrate the machine from Satellite 5 to 6 using the organization name/label and the given activation key, and configure subscription manager with the baseurl of Satellite6's pulp. This allows the administrator to override the URL provided in the katello-ca-consumer-latest RPM, which is useful in scenarios where the Capsules/Servers are load-balanced or using subjectAltName certificates. If called with "--legacy-purge", uses "legacy-user" and "legacy-password" to remove the machine. Option "--force" is always passed so that `rhn-migrate-classic-to-rhsm` does not fail on channels which cannot be mapped either because they are cloned channels, custom channels, or do not exist in the destination. """ if 'foreman' in options.skip: org_label = org_name else: org_label = return_matching_katello_key('organizations', 'name="%s"' % org_name, 'label', False) print_generic("Calling rhn-migrate-classic-to-rhsm") options.rhsmargs += " --force --destination-url=https://%s:%s/rhsm" % (options.foreman_fqdn, RHSM_PORT) if options.legacy_purge: options.rhsmargs += " --legacy-user '%s' --legacy-password '%s'" % (options.legacy_login, options.legacy_password) if options.removepkgs and check_migration_version(SUBSCRIPTION_MANAGER_MIGRATION_REMOVE_PKGS_VERSION)[0]: options.rhsmargs += " --remove-rhn-packages" else: options.rhsmargs += " --keep" if check_subman_version(SUBSCRIPTION_MANAGER_SERVER_TIMEOUT_VERSION): exec_failok("/usr/sbin/subscription-manager config --server.server_timeout=%s" % options.timeout) exec_command("/usr/sbin/rhn-migrate-classic-to-rhsm --org %s --activation-key '%s' %s" % (org_label, activationkey, options.rhsmargs), options.ignore_registration_failures) exec_command("subscription-manager config --rhsm.baseurl=https://%s/pulp/repos" % options.foreman_fqdn, options.ignore_registration_failures) if options.release: exec_failexit("subscription-manager release --set %s" % options.release) enable_rhsmcertd() # When rhn-migrate-classic-to-rhsm is called with --keep, it will leave the systemid # file intact, which might confuse the (not yet removed) yum-rhn-plugin. # Move the file to a backup name & disable the RHN plugin, so the user can still restore it if needed. disable_rhn_plugin() def register_systems(org_name, activationkey): """ Register the host to Satellite 6's organization using `subscription-manager` and the given activation key. Option "--force" is given further. """ if 'foreman' in options.skip: org_label = org_name else: org_label = return_matching_katello_key('organizations', 'name="%s"' % org_name, 'label', False) print_generic("Calling subscription-manager") options.smargs += " --serverurl=https://%s:%s/rhsm --baseurl=https://%s/pulp/repos" % (options.foreman_fqdn, RHSM_PORT, options.foreman_fqdn) if options.force: options.smargs += " --force" if options.release: options.smargs += " --release %s" % options.release if check_subman_version(SUBSCRIPTION_MANAGER_SERVER_TIMEOUT_VERSION): exec_failok("/usr/sbin/subscription-manager config --server.server_timeout=%s" % options.timeout) exec_command("/usr/sbin/subscription-manager register --org '%s' --name '%s' --activationkey '%s' %s" % (org_label, FQDN, activationkey, options.smargs), options.ignore_registration_failures) enable_rhsmcertd() def unregister_system(): """Unregister the host using `subscription-manager`.""" print_generic("Cleaning old yum metadata") call_yum("clean", "metadata dbcache", False) print_generic("Unregistering") exec_failok("/usr/sbin/subscription-manager unregister") exec_failok("/usr/sbin/subscription-manager clean") def clean_katello_agent(): """Remove old Katello agent (aka Gofer) and certificate RPMs.""" print_generic("Removing old Katello agent and certs") call_yum("remove", "'katello-ca-consumer-*' katello-agent gofer katello-host-tools katello-host-tools-fact-plugin", False) delete_file("/etc/rhsm/ca/katello-server-ca.pem") def install_katello_agent(): """Install Katello agent (aka Gofer) and activate /start it.""" print_generic("Installing the Katello agent") call_yum("install", "katello-agent") enable_service("goferd") exec_service("goferd", "restart") def install_katello_host_tools(): """Install Katello Host Tools""" print_generic("Installing the Katello Host Tools") call_yum("install", "katello-host-tools") def clean_puppet(): """Remove old Puppet Agent and its configuration""" print_generic("Cleaning old Puppet Agent") call_yum("remove", "puppet-agent", False) delete_directory("/var/lib/puppet/") delete_directory("/opt/puppetlabs/puppet/cache") delete_directory("/etc/puppetlabs/puppet/ssl") def clean_environment(): """ Undefine `GEM_PATH`, `LD_LIBRARY_PATH` and `LD_PRELOAD` as many environments have it defined non-sensibly. """ for key in ['GEM_PATH', 'LD_LIBRARY_PATH', 'LD_PRELOAD']: os.environ.pop(key, None) def generate_katello_facts(): """ Write katello_facts file based on FQDN. Done after installation of katello-ca-consumer RPM in case the script is overriding the FQDN. Place the location if the location option is included """ print_generic("Writing FQDN katello-fact") katellofacts = open('/etc/rhsm/facts/katello.facts', 'w') katellofacts.write('{"network.hostname-override":"%s"}\n' % (FQDN)) katellofacts.close() if options.location and 'foreman' in options.skip: print_generic("Writing LOCATION RHSM fact") locationfacts = open('/etc/rhsm/facts/location.facts', 'w') locationfacts.write('{"foreman_location":"%s"}\n' % (options.location)) locationfacts.close() def install_puppet_agent(): """Install and configure, then enable and start the Puppet Agent""" puppet_env = return_puppetenv_for_hg(return_matching_foreman_key('hostgroups', 'title="%s"' % options.hostgroup, 'id', False)) # If there is no Puppet environment, skip configuring Puppet if puppet_env is None: print_generic("No Puppet environment found, skipping Puppet setup.") return print_generic("Installing the Puppet Agent") call_yum("install", "puppet-agent") enable_service("puppet") puppet_conf_file = '/etc/puppetlabs/puppet/puppet.conf' main_section = """[main] vardir = /opt/puppetlabs/puppet/cache logdir = /var/log/puppetlabs/puppet rundir = /var/run/puppetlabs ssldir = /etc/puppetlabs/puppet/ssl """ if is_fips(): main_section += "digest_algorithm = sha256" print_generic("System is in FIPS mode. Setting digest_algorithm to SHA256 in puppet.conf") puppet_conf = open(puppet_conf_file, 'w') # set puppet.conf certname to lowercase FQDN, as capitalized characters would # get translated anyway generating our certificate # * https://puppet.com/docs/puppet/3.8/configuration.html#certname # * https://puppet.com/docs/puppet/4.10/configuration.html#certname # * https://puppet.com/docs/puppet/5.5/configuration.html#certname # other links mentioning capitalized characters related issues: # * https://grokbase.com/t/gg/puppet-users/152s27374y/forcing-a-variable-to-be-lower-case # * https://groups.google.com/forum/#!topic/puppet-users/vRAu092ppzs puppet_conf.write(""" %s [agent] pluginsync = true report = true ignoreschedules = true daemon = false ca_server = %s certname = %s environment = %s server = %s """ % (main_section, options.puppet_ca_server, FQDN.lower(), puppet_env, options.puppet_server)) if options.puppet_ca_port: puppet_conf.write("""ca_port = %s """ % (options.puppet_ca_port)) if options.puppet_noop: puppet_conf.write("""noop = true """) puppet_conf.close() noop_puppet_signing_run() if 'puppet-enable' not in options.skip: enable_service("puppet") exec_service("puppet", "restart") def noop_puppet_signing_run(): """ Execute Puppet with --noop to generate and sign certs """ print_generic("Running Puppet in noop mode to generate SSL certs") print_generic("Visit the UI and approve this certificate via Infrastructure->Capsules") print_generic("if auto-signing is disabled") exec_failexit("/opt/puppetlabs/puppet/bin/puppet agent --test --noop --tags no_such_tag --waitforcert 10") if 'puppet-enable' not in options.skip: enable_service("puppet") exec_service("puppet", "restart") def remove_obsolete_packages(): """Remove old RHN packages""" print_generic("Removing old RHN packages") call_yum("remove", "rhn-setup rhn-client-tools yum-rhn-plugin rhnsd rhn-check rhnlib spacewalk-abrt spacewalk-oscap osad 'rh-*-rhui-client' 'candlepin-cert-consumer-*'", False) def fully_update_the_box(): """Call `yum -y update` to upgrade the host.""" print_generic("Fully Updating The Box") call_yum("update") # curl https://satellite.example.com:9090/ssh/pubkey >> ~/.ssh/authorized_keys # sort -u ~/.ssh/authorized_keys def install_ssh_key_from_url(remote_url): """ Download and install Foreman's SSH public key. """ print_generic("Fetching Remote Execution SSH key from %s" % remote_url) try: if sys.version_info >= (2, 6): foreman_ssh_key_req = urllib_urlopen(remote_url, timeout=options.timeout) else: foreman_ssh_key_req = urllib_urlopen(remote_url) foreman_ssh_key = foreman_ssh_key_req.read() if sys.version_info >= (3, 0): foreman_ssh_key = foreman_ssh_key.decode(foreman_ssh_key_req.headers.get_content_charset('utf-8')) except urllib_httperror: exception = sys.exc_info()[1] print_generic("The server was unable to fulfill the request. Error: %s - %s" % (exception.code, exception.reason)) print_generic("Please ensure the Remote Execution feature is configured properly") print_warning("Installing Foreman SSH key") return except urllib_urlerror: exception = sys.exc_info()[1] print_generic("Could not reach the server. Error: %s" % exception.reason) return install_ssh_key_from_string(foreman_ssh_key) def install_ssh_key_from_api(): """ Download and install all Foreman's SSH public keys. """ print_generic("Fetching Remote Execution SSH keys from the Foreman API") url = "https://" + options.foreman_fqdn + ":" + str(API_PORT) + "/api/v2/smart_proxies/" smart_proxies = get_json(url) for smart_proxy in smart_proxies['results']: if 'remote_execution_pubkey' in smart_proxy: install_ssh_key_from_string(smart_proxy['remote_execution_pubkey']) def install_ssh_key_from_string(foreman_ssh_key): """ Install Foreman's SSH public key into the foreman user's authorized keys file location, so that remote execution becomes possible. If not set default is ~/.ssh/authorized_keys """ print_generic("Installing Remote Execution SSH key for user %s" % options.remote_exec_user) foreman_ssh_key = foreman_ssh_key.strip() userpw = pwd.getpwnam(options.remote_exec_user) if not options.remote_exec_authpath: options.remote_exec_authpath = os.path.join(userpw.pw_dir, '.ssh', 'authorized_keys') foreman_ssh_dir = os.path.join(userpw.pw_dir, '.ssh') if not os.path.isdir(foreman_ssh_dir): os.mkdir(foreman_ssh_dir, OWNER_ONLY_DIR) os.chown(foreman_ssh_dir, userpw.pw_uid, userpw.pw_gid) elif os.path.exists(options.remote_exec_authpath) and not os.path.isfile(options.remote_exec_authpath): print_error("Foreman's SSH key not installed. You need to provide a full path to an authorized_keys file, you provided: '%s'" % options.remote_exec_authpath) return if os.path.isfile(options.remote_exec_authpath): if foreman_ssh_key in open(options.remote_exec_authpath, 'r').read(): print_generic("Foreman's SSH key already present in %s" % options.remote_exec_authpath) return output = os.fdopen(os.open(options.remote_exec_authpath, os.O_WRONLY | os.O_CREAT, OWNER_ONLY_FILE), 'a') output.write("\n") output.write(foreman_ssh_key) output.write("\n") os.chown(options.remote_exec_authpath, userpw.pw_uid, userpw.pw_gid) print_generic("Foreman's SSH key added to %s" % options.remote_exec_authpath) output.close() class BetterHTTPErrorProcessor(urllib_basehandler): """ A substitute/supplement class to HTTPErrorProcessor that doesn't raise exceptions on status codes 201,204,206 """ # pylint:disable=unused-argument,no-self-use,no-init def http_error_201(self, request, response, code, msg, hdrs): """Handle HTTP 201""" return response def http_error_204(self, request, response, code, msg, hdrs): """Handle HTTP 204""" return response def http_error_206(self, request, response, code, msg, hdrs): """Handle HTTP 206""" return response def call_api(url, data=None, method='GET'): """ Helper function to place an API call returning JSON results and doing some error handling. Any error results in an exit. """ try: request = urllib_request(url) if options.verbose: print('url: %s' % url) print('method: %s' % method) print('data: %s' % json.dumps(data, sort_keys=False, indent=2)) auth_string = '%s:%s' % (options.login, options.password) base64string = base64.b64encode(auth_string.encode('utf-8')).decode().strip() request.add_header("Authorization", "Basic %s" % base64string) request.add_header("Content-Type", "application/json") request.add_header("Accept", "application/json") if data: if hasattr(request, 'add_data'): request.add_data(json.dumps(data)) else: request.data = json.dumps(data).encode() request.get_method = lambda: method if sys.version_info >= (2, 6): result = urllib_urlopen(request, timeout=options.timeout) else: result = urllib_urlopen(request) jsonresult = json.load(result) if options.verbose: print('result: %s' % json.dumps(jsonresult, sort_keys=False, indent=2)) return jsonresult except urllib_urlerror: exception = sys.exc_info()[1] print('An error occurred: %s' % exception) print('url: %s' % url) if isinstance(exception, urllib_httperror): print('code: %s' % exception.code) # pylint:disable=no-member if data: print('data: %s' % json.dumps(data, sort_keys=False, indent=2)) try: jsonerr = json.load(exception) print('error: %s' % json.dumps(jsonerr, sort_keys=False, indent=2)) except: # noqa: E722, pylint:disable=bare-except print('error: %s' % exception) sys.exit(1) except Exception: # pylint:disable=broad-except exception = sys.exc_info()[1] print("FATAL Error - %s" % (exception)) sys.exit(2) def get_json(url): """Use `call_api` to place a "GET" REST API call.""" return call_api(url) def post_json(url, jdata): """Use `call_api` to place a "POST" REST API call.""" return call_api(url, data=jdata, method='POST') def delete_json(url): """Use `call_api` to place a "DELETE" REST API call.""" return call_api(url, method='DELETE') def put_json(url, jdata=None): """Use `call_api` to place a "PUT" REST API call.""" return call_api(url, data=jdata, method='PUT') def update_host_capsule_mapping(attribute, capsule_id, host_id): """ Update the host entry to point a feature to a new proxy """ url = "https://" + options.foreman_fqdn + ":" + str(API_PORT) + "/api/v2/hosts/" + str(host_id) if attribute == 'content_source_id': jdata = {"host": {"content_facet_attributes": {"content_source_id": capsule_id}, "content_source_id": capsule_id}} else: jdata = {"host": {attribute: capsule_id}} return put_json(url, jdata) def get_capsule_features(capsule_id): """ Fetch all features available on a proxy """ url = "https://" + options.foreman_fqdn + ":" + str(API_PORT) + "/api/smart_proxies/%s" % str(capsule_id) return [feature['name'] for feature in get_json(url)['features']] def update_host_config(attribute, value, host_id): """ Update a host config """ attribute_id = return_matching_foreman_key(attribute + 's', 'title="%s"' % value, 'id', False) json_key = attribute + "_id" jdata = {"host": {json_key: attribute_id}} put_json("https://" + options.foreman_fqdn + ":" + API_PORT + "/api/hosts/%s" % host_id, jdata) def return_matching_foreman_key(api_name, search_key, return_key, null_result_ok=False): """ Function uses `return_matching_key` to make an API call to Foreman. """ return return_matching_key("/api/v2/" + api_name, search_key, return_key, null_result_ok) def return_matching_katello_key(api_name, search_key, return_key, null_result_ok=False): """ Function uses `return_matching_key` to make an API call to Katello. """ return return_matching_key("/katello/api/" + api_name, search_key, return_key, null_result_ok) def return_matching_key(api_path, search_key, return_key, null_result_ok=False): """ Search in API given a search key, which must be unique, then returns the field given in "return_key" as ID. api_path is the path in url for API name, search_key must contain also the key for search (name=, title=, ...). The search_key must be quoted in advance. """ myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + api_path + "/?" + urlencode([('search', '' + str(search_key))]) return_values = get_json(myurl) result_len = len(return_values['results']) if result_len == 1: return_values_return_key = return_values['results'][0][return_key] elif result_len == 0 and null_result_ok is True: return_values_return_key = None else: print_error("%d element in array for search key '%s' in API '%s'. Please note that all searches are case-sensitive." % (result_len, search_key, api_path)) print_error("Please also ensure that the user has permissions to view the searched objects. Fatal error.") sys.exit(2) return return_values_return_key def return_puppetenv_for_hg(hg_id): """ Return the Puppet environment of the given hostgroup ID, either directly or inherited through its hierarchy. If no environment is found, `None` is returned. """ myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + "/api/v2/hostgroups/" + str(hg_id) hostgroup = get_json(myurl) environment_name = hostgroup.get('environment_name') if not environment_name and hostgroup.get('ancestry'): parent = hostgroup['ancestry'].split('/')[-1] environment_name = return_puppetenv_for_hg(parent) return environment_name def create_domain(domain, orgid, locid): """ Call Foreman API to create a network domain associated with the given organization and location. """ myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + "/api/v2/domains" domid = return_matching_foreman_key('domains', 'name="%s"' % domain, 'id', True) if not domid: jsondata = {"domain": {"name": domain, "organization_ids": [orgid], "location_ids": [locid]}} print_running("Calling Foreman API to create domain %s associated with the org & location" % domain) post_json(myurl, jsondata) def create_host(): # pylint:disable=too-many-branches # pylint:disable=too-many-statements """ Call Foreman API to create a host entry associated with the host group, organization & location, domain and architecture. """ myhgid = return_matching_foreman_key('hostgroups', 'title="%s"' % options.hostgroup, 'id', False) if options.location: mylocid = return_matching_foreman_key('locations', 'title="%s"' % options.location, 'id', False) else: mylocid = None myorgid = return_matching_foreman_key('organizations', 'name="%s"' % options.org, 'id', False) if DOMAIN: if options.add_domain: create_domain(DOMAIN, myorgid, mylocid) mydomainid = return_matching_foreman_key('domains', 'name="%s"' % DOMAIN, 'id', True) if not mydomainid: print_generic("Domain %s doesn't exist in Foreman, consider using the --add-domain option." % DOMAIN) sys.exit(2) domain_available_search = 'name="%s"&organization_id=%s' % (DOMAIN, myorgid) if mylocid: domain_available_search += '&location_id=%s' % (mylocid) mydomainid = return_matching_foreman_key('domains', domain_available_search, 'id', True) if not mydomainid: print_generic("Domain %s exists in Foreman, but is not assigned to the requested Organization or Location." % DOMAIN) sys.exit(2) else: mydomainid = None if options.force_content_source: my_content_src_id = return_matching_foreman_key(api_name='smart_proxies', search_key='name="%s"' % options.foreman_fqdn, return_key='id', null_result_ok=True) if my_content_src_id is None: print_warning("You requested to set the content source to %s, but we could not find such a Smart Proxy configured. The content source WILL NOT be updated!" % (options.foreman_fqdn,)) else: my_content_src_id = None architecture_id = return_matching_foreman_key('architectures', 'name="%s"' % ARCHITECTURE, 'id', False) host_id = return_matching_foreman_key('hosts', 'name="%s"' % FQDN, 'id', True) # create the starting json, to be filled below jsondata = {"host": {"name": HOSTNAME, "hostgroup_id": myhgid, "organization_id": myorgid, "mac": MAC, "architecture_id": architecture_id, "build": False, "compute_resource_id": None}} # optional parameters if my_content_src_id: jsondata['host']['content_facet_attributes'] = {'content_source_id': my_content_src_id} if options.operatingsystem is not None: operatingsystem_id = return_matching_foreman_key('operatingsystems', 'title="%s"' % options.operatingsystem, 'id', False) jsondata['host']['operatingsystem_id'] = operatingsystem_id if options.partitiontable is not None: partitiontable_id = return_matching_foreman_key('ptables', 'name="%s"' % options.partitiontable, 'id', False) jsondata['host']['ptable_id'] = partitiontable_id if not options.unmanaged: jsondata['host']['managed'] = 'true' else: jsondata['host']['managed'] = 'false' if mylocid: jsondata['host']['location_id'] = mylocid if mydomainid: jsondata['host']['domain_id'] = mydomainid if options.ip: jsondata['host']['ip'] = options.ip if options.comment: jsondata['host']['comment'] = options.comment myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + "/api/v2/hosts/" if options.force and host_id is not None: disassociate_host(host_id) delete_host(host_id) print_running("Calling Foreman API to create a host entry associated with the group & org") post_json(myurl, jsondata) print_success("Successfully created host %s" % FQDN) def delete_host(host_id): """Call Foreman API to delete the current host.""" myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + "/api/v2/hosts/" print_running("Deleting host id %s for host %s" % (host_id, FQDN)) delete_json("%s/%s" % (myurl, host_id)) def disassociate_host(host_id): """ Call Foreman API to disassociate host from content host before deletion. """ myurl = "https://" + options.foreman_fqdn + ":" + API_PORT + "/api/v2/hosts/" + str(host_id) + "/disassociate" print_running("Disassociating host id %s for host %s" % (host_id, FQDN)) put_json(myurl) def configure_subscription_manager(): """ Configure subscription-manager plugins in Yum """ productidconfig = SafeConfigParser() productidconfig.read('/etc/yum/pluginconf.d/product-id.conf') if productidconfig.get('main', 'enabled') == '0': print_generic("Product-id yum plugin was disabled. Enabling...") productidconfig.set('main', 'enabled', '1') productidconfig.write(open('/etc/yum/pluginconf.d/product-id.conf', 'w')) submanconfig = SafeConfigParser() submanconfig.read('/etc/yum/pluginconf.d/subscription-manager.conf') if submanconfig.get('main', 'enabled') == '0': print_generic("subscription-manager yum plugin was disabled. Enabling...") submanconfig.set('main', 'enabled', '1') submanconfig.write(open('/etc/yum/pluginconf.d/subscription-manager.conf', 'w')) def check_rhn_registration(): """Helper function to check if host is registered to legacy RHN.""" if os.path.exists('/etc/sysconfig/rhn/systemid'): retcode = getstatusoutput('rhn-channel -l')[0] if NEED_STATUS_SHIFT: retcode = os.WEXITSTATUS(retcode) return retcode == 0 return False def enable_repos(): """Enable necessary repositories using subscription-manager.""" repostoenable = " ".join(['--enable=%s' % i for i in options.enablerepos.split(',')]) print_running("Enabling repositories - %s" % options.enablerepos) exec_failok("subscription-manager repos %s" % repostoenable) def install_packages(): """Install user-provided packages""" packages = options.install_packages.replace(',', " ") print_running("Installing the following packages %s" % packages) call_yum("install", packages, False) def get_api_port(foreman_fqdn): """ Helper function to get the API port. This tries to access the `/api/ping` endoint in Foreman which exists since 1.22 and does not require any authentication. The detection can fail if the TLS certificate of the remote isn't trusted, so this has to be called *after* katello-ca-consumer RPM has been installed and added the CA to the system trust store. The detection can also fail if there is no API reverse proxy available on the Foreman Proxy. If the detection fails we still return a fallback of "443" to allow the "normal" error handling to catch the issue later on - or ignore it if API access it not required. """ for port in ['443', '8443']: try: request = urllib_request('https://' + foreman_fqdn + ':' + port + '/api/ping') request.add_header("Content-Type", "application/json") request.add_header("Accept", "application/json") urllib_urlopen(request, timeout=options.timeout) return port except: # noqa: E722, pylint:disable=bare-except pass return "443" def get_rhsm_port(): """Helper function to get the RHSM port from Subscription Manager.""" configparser = SafeConfigParser() configparser.read('/etc/rhsm/rhsm.conf') try: return configparser.get('server', 'port') except: # noqa: E722, pylint:disable=bare-except return "443" def check_rpm_installed(): """Check if the machine already has Katello/Spacewalk RPMs installed""" rpm_sat = ['katello', 'foreman-proxy-content', 'katello-capsule', 'spacewalk-proxy-common', 'spacewalk-backend'] transaction_set = rpm.TransactionSet() db_results = transaction_set.dbMatch() for package in db_results: try: package_name = package['name'].decode('ascii') except AttributeError: package_name = package['name'] if package_name in rpm_sat: print_error("%s RPM found. bootstrap.py should not be used on a Katello/Spacewalk/Satellite host." % (package_name)) sys.exit(1) def prepare_rhel5_migration(): """ Execute specific preparations steps for RHEL 5. Older releases of RHEL 5 did not have a version of rhn-classic-migrate-to-rhsm which supported activation keys. This function allows those systems to get a proper product certificate. """ install_prereqs() # only do the certificate magic if 69.pem is not present # and we have active channels if check_rhn_registration() and not os.path.exists('/etc/pki/product/69.pem'): # pylint:disable=W,C,R _LIBPATH = "/usr/share/rhsm" # add to the path if need be if _LIBPATH not in sys.path: sys.path.append(_LIBPATH) from subscription_manager.migrate import migrate # pylint:disable=import-error class MEOptions: force = True me = migrate.MigrationEngine() me.options = MEOptions() subscribed_channels = me.get_subscribed_channels_list() me.print_banner(("System is currently subscribed to these RHNClassic Channels:")) for channel in subscribed_channels: print(channel) me.check_for_conflicting_channels(subscribed_channels) me.deploy_prod_certificates(subscribed_channels) me.clean_up(subscribed_channels) # at this point we should have at least 69.pem available, but lets # doublecheck and copy it manually if not if not os.path.exists('/etc/pki/product/'): os.mkdir("/etc/pki/product/") mapping_file = "/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt" if not os.path.exists('/etc/pki/product/69.pem') and os.path.exists(mapping_file): for line in open(mapping_file): if line.startswith('rhel-%s-server-5' % ARCHITECTURE): cert = line.split(" ")[1] shutil.copy('/usr/share/rhsm/product/RHEL-5/' + cert.strip(), '/etc/pki/product/69.pem') break # cleanup disable_rhn_plugin() def enable_service(service, failonerror=True): """ Helper function to enable a service using proper init system. pass failonerror = False to make init system's commands non-fatal """ if os.path.exists("/run/systemd"): exec_command("/usr/bin/systemctl enable %s" % (service), not failonerror) else: exec_command("/sbin/chkconfig %s on" % (service), not failonerror) def exec_service(service, command, failonerror=True): """ Helper function to call a service command using proper init system. Available command values = start, stop, restart pass failonerror = False to make init system's commands non-fatal """ if os.path.exists("/run/systemd"): exec_command("/usr/bin/systemctl %s %s" % (command, service), not failonerror) else: exec_command("/sbin/service %s %s" % (service, command), not failonerror) def release_from_etc(): """ Parse /etc/os-release and get the release version (7, 7.9, 8, etc) from it. Used on systems with Python 3.8+ which doesn't provide that in the platform module anymore. """ release = "8" os_release = open('/etc/os-release') for line in os_release.readlines(): if line.startswith('VERSION_ID='): release = line.replace('VERSION_ID=', '').replace('"', '').strip() return release if __name__ == '__main__': # pylint:disable=invalid-name print("Foreman Bootstrap Script") print("This script is designed to register new systems or to migrate an existing system to a Foreman server with Katello") # > Register our better HTTP processor as default opener for URLs. opener = urllib_build_opener(BetterHTTPErrorProcessor) urllib_install_opener(opener) # > Gather MAC Address. MAC = None try: import uuid mac1 = uuid.getnode() mac2 = uuid.getnode() if mac1 == mac2: MAC = ':'.join(("%012X" % mac1)[i:i + 2] for i in range(0, 12, 2)) except ImportError: if os.path.exists('/sys/class/net/eth0/address'): address_files = ['/sys/class/net/eth0/address'] else: address_files = glob.glob('/sys/class/net/*/address') for f in address_files: MAC = open(f).readline().strip().upper() if MAC != "00:00:00:00:00:00": break if not MAC: MAC = "00:00:00:00:00:00" # > Gather API port (HTTPS), ARCHITECTURE and (OS) RELEASE API_PORT = "443" RHSM_PORT = "443" ARCHITECTURE = get_architecture() try: # pylint:disable=deprecated-method RELEASE = platform.linux_distribution()[1] except AttributeError: try: # pylint:disable=deprecated-method,no-member RELEASE = platform.dist()[1] except AttributeError: RELEASE = release_from_etc() IS_EL5 = int(RELEASE[0]) == 5 IS_EL8 = int(RELEASE[0]) == 8 if not IS_EL5: DEFAULT_DOWNLOAD_METHOD = 'https' else: DEFAULT_DOWNLOAD_METHOD = 'http' SKIP_STEPS = ['foreman', 'puppet', 'migration', 'prereq-update', 'katello-agent', 'remove-obsolete-packages', 'puppet-enable', 'katello-host-tools'] # > Define and parse the options usage_string = "Usage: %prog -l admin -s foreman.example.com -o 'Default Organization' -L 'Default Location' -g My_Hostgroup -a My_Activation_Key" parser = OptionParser(usage=usage_string, version="%%prog %s" % VERSION) parser.add_option("-s", "--server", dest="foreman_fqdn", help="FQDN of Foreman OR Capsule - omit https://", metavar="foreman_fqdn") parser.add_option("-l", "--login", dest="login", default='admin', help="Login user for API Calls", metavar="LOGIN") parser.add_option("-p", "--password", dest="password", help="Password for specified user. Will prompt if omitted", metavar="PASSWORD") parser.add_option("--fqdn", dest="fqdn", help="Set an explicit FQDN, overriding detected FQDN from socket.getfqdn(), currently detected as %default", metavar="FQDN", default=socket.getfqdn()) parser.add_option("--legacy-login", dest="legacy_login", default='admin', help="Login user for Satellite 5 API Calls", metavar="LOGIN") parser.add_option("--legacy-password", dest="legacy_password", help="Password for specified Satellite 5 user. Will prompt if omitted", metavar="PASSWORD") parser.add_option("--legacy-purge", dest="legacy_purge", action="store_true", help="Purge system from the Legacy environment (e.g. Sat5)") parser.add_option("-a", "--activationkey", dest="activationkey", help="Activation Key to register the system", metavar="ACTIVATIONKEY") parser.add_option("-P", "--skip-puppet", dest="no_puppet", action="store_true", default=False, help="Do not install Puppet") parser.add_option("--skip-foreman", dest="no_foreman", action="store_true", default=False, help="Do not create a Foreman host. Implies --skip-puppet. When using --skip-foreman, you MUST pass the Organization's LABEL, not NAME") parser.add_option("--force-content-source", dest="force_content_source", action="store_true", default=False, help="Force the content source to be the registration capsule (it overrides the value in the host group if any is defined)") parser.add_option("--content-only", dest="content_only", action="store_true", default=False, help="Setup host for content only. Alias to --skip foreman. Implies --skip-puppet. When using --content-only, you MUST pass the Organization's LABEL, not NAME") parser.add_option("-g", "--hostgroup", dest="hostgroup", help="Title of the Hostgroup in Foreman that the host is to be associated with", metavar="HOSTGROUP") parser.add_option("-L", "--location", dest="location", help="Title of the Location in Foreman that the host is to be associated with", metavar="LOCATION") parser.add_option("-O", "--operatingsystem", dest="operatingsystem", default=None, help="Title of the Operating System in Foreman that the host is to be associated with", metavar="OPERATINGSYSTEM") parser.add_option("--partitiontable", dest="partitiontable", default=None, help="Name of the Partition Table in Foreman that the host is to be associated with", metavar="PARTITIONTABLE") parser.add_option("-o", "--organization", dest="org", default='Default Organization', help="Name of the Organization in Foreman that the host is to be associated with", metavar="ORG") parser.add_option("-S", "--subscription-manager-args", dest="smargs", default="", help="Which additional arguments shall be passed to subscription-manager", metavar="ARGS") parser.add_option("--rhn-migrate-args", dest="rhsmargs", default="", help="Which additional arguments shall be passed to rhn-migrate-classic-to-rhsm", metavar="ARGS") parser.add_option("-u", "--update", dest="update", action="store_true", help="Fully Updates the System") parser.add_option("-v", "--verbose", dest="verbose", action="store_true", help="Verbose output") parser.add_option("-f", "--force", dest="force", action="store_true", help="Force registration (will erase old katello and puppet certs)") parser.add_option("--add-domain", dest="add_domain", action="store_true", help="Automatically add the clients domain to Foreman") parser.add_option("--puppet-noop", dest="puppet_noop", action="store_true", help="Configure Puppet agent to only run in noop mode") parser.add_option("--puppet-server", dest="puppet_server", action="store", help="Configure Puppet agent to use this server as master (defaults to the Foreman server)") parser.add_option("--puppet-ca-server", dest="puppet_ca_server", action="store", help="Configure Puppet agent to use this server as CA (defaults to the Foreman server)") parser.add_option("--puppet-ca-port", dest="puppet_ca_port", action="store", help="Configure Puppet agent to use this port to connect to the CA") parser.add_option("--remove", dest="remove", action="store_true", help="Instead of registering the machine to Foreman remove it") parser.add_option("-r", "--release", dest="release", help="Specify release version") parser.add_option("-R", "--remove-obsolete-packages", dest="removepkgs", action="store_true", help="Remove old Red Hat Network and RHUI Packages (default)", default=True) parser.add_option("--download-method", dest="download_method", default=DEFAULT_DOWNLOAD_METHOD, help="Method to download katello-ca-consumer package (e.g. http or https)", metavar="DOWNLOADMETHOD", choices=['http', 'https']) parser.add_option("--no-remove-obsolete-packages", dest="removepkgs", action="store_false", help="Don't remove old Red Hat Network and RHUI Packages") parser.add_option("--unmanaged", dest="unmanaged", action="store_true", help="Add the server as unmanaged. Useful to skip provisioning dependencies.") parser.add_option("--rex", dest="remote_exec", action="store_true", help="Install Foreman's SSH key for remote execution.", default=False) parser.add_option("--rex-user", dest="remote_exec_user", default="root", help="Local user used by Foreman's remote execution feature.") parser.add_option("--rex-proxies", dest="remote_exec_proxies", help="Comma separated list of proxies to install Foreman's SSH keys for remote execution.") parser.add_option("--rex-urlkeyfile", dest="remote_exec_url", help="HTTP/S location of a file containing one or more Foreman's SSH keys for remote execution.") parser.add_option("--rex-apikeys", dest="remote_exec_apikeys", action="store_true", help="Fetch Foreman's SSH keys from the API.") parser.add_option("--rex-authpath", dest="remote_exec_authpath", help="Full path to local authorized_keys file in order to install Foreman's SSH keys for remote execution. Default ~/.ssh/authorized_keys") parser.add_option("--enablerepos", dest="enablerepos", help="Repositories to be enabled via subscription-manager - comma separated", metavar="enablerepos") parser.add_option("--skip", dest="skip", action="append", help="Skip the listed steps (choices: %s)" % SKIP_STEPS, choices=SKIP_STEPS, default=[]) parser.add_option("--ip", dest="ip", help="IPv4 address of the primary interface in Foreman (defaults to the address used to make request to Foreman)") parser.add_option("--deps-repository-url", dest="deps_repository_url", help="URL to a repository that contains the subscription-manager RPMs") parser.add_option("--deps-repository-gpg-key", dest="deps_repository_gpg_key", help="GPG Key to the repository that contains the subscription-manager RPMs", default="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release") parser.add_option("--install-packages", dest="install_packages", help="List of packages to be additionally installed - comma separated", metavar="installpackages") parser.add_option("--new-capsule", dest="new_capsule", action="store_true", help="Switch the server to a new capsule for content and Puppet. Pass --server with the Capsule FQDN as well.") parser.add_option("-t", "--timeout", dest="timeout", type="int", help="Timeout (in seconds) for API calls and subscription-manager registration. Defaults to %default", metavar="timeout", default=900) parser.add_option("-c", "--comment", dest="comment", help="Add a host comment") parser.add_option("--ignore-registration-failures", dest="ignore_registration_failures", action="store_true", help="Continue running even if registration via subscription-manager/rhn-migrate-classic-to-rhsm returns a non-zero return code.") parser.add_option("--preserve-rhsm-proxy", dest="preserve_rhsm_proxy", action="store_true", help="Preserve proxy settings in /etc/rhsm/rhsm.conf when migrating RHSM -> RHSM") parser.add_option("--install-katello-agent", dest="install_katello_agent", action="store_true", help="Installs the Katello Agent", default=False) (options, args) = parser.parse_args() if options.no_foreman: print_warning("The --skip-foreman option is deprecated, please use --skip foreman.") options.skip.append('foreman') if options.no_puppet: print_warning("The --skip-puppet option is deprecated, please use --skip puppet.") options.skip.append('puppet') if not options.removepkgs: options.skip.append('remove-obsolete-packages') if options.content_only: print_generic("The --content-only option was provided. Adding --skip foreman") options.skip.append('foreman') if not options.puppet_server: options.puppet_server = options.foreman_fqdn if not options.puppet_ca_server: options.puppet_ca_server = options.foreman_fqdn # > Validate that the options make sense or exit with a message. # the logic is as follows: # if mode = create: # foreman_fqdn # org # activation_key # if foreman: # hostgroup # else if mode = remove: # if removing from foreman: # foreman_fqdn if not ((options.remove and ('foreman' in options.skip or options.foreman_fqdn)) or (options.foreman_fqdn and options.org and options.activationkey and ('foreman' in options.skip or options.hostgroup)) or (options.foreman_fqdn and options.new_capsule)): if not options.remove and not options.new_capsule: print("Must specify server, login, organization, hostgroup and activation key. See usage:") elif options.new_capsule: print("Must use both --new-capsule and --server. See usage:") else: print("Must specify server. See usage:") parser.print_help() sys.exit(1) # > Gather FQDN, HOSTNAME and DOMAIN using options.fqdn # > If socket.fqdn() returns an FQDN, derive HOSTNAME & DOMAIN using FQDN # > else, HOSTNAME isn't an FQDN # > if user passes --fqdn set FQDN, HOSTNAME and DOMAIN to the parameter that is given. FQDN = options.fqdn if FQDN.find(".") != -1: HOSTNAME = FQDN.split('.')[0] DOMAIN = FQDN[FQDN.index('.') + 1:] else: HOSTNAME = FQDN DOMAIN = None # > Exit if DOMAIN isn't set and Puppet must be installed (without force) if not DOMAIN and not (options.force or 'puppet' in options.skip): print("We could not determine the domain of this machine, most probably `hostname -f` does not return the FQDN.") print("This can lead to Puppet misbehaviour and thus the script will terminate now.") print("You can override this by passing one of the following") print("\t--force - to disable all checking") print("\t--skip puppet - to omit installing the puppet agent") print("\t--fqdn - to set an explicit FQDN, overriding detected FQDN") sys.exit(1) # > Gather primary IP address if none was given # we do this *after* parsing options to find the IP on the interface # towards the Foreman instance in the case the machine has multiple if not options.ip: try: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.connect((options.foreman_fqdn, 80)) options.ip = s.getsockname()[0] s.close() except: # noqa: E722, pylint:disable=bare-except options.ip = None # > Ask for the password if not given as option if not options.password and 'foreman' not in options.skip: options.password = getpass.getpass("%s's password:" % options.login) # > If user wants to purge profile from RHN/Satellite 5, credentials are needed. if options.legacy_purge and not options.legacy_password: options.legacy_password = getpass.getpass("Legacy User %s's password:" % options.legacy_login) # > Puppet won't be installed if Foreman Host shall not be created if 'foreman' in options.skip: options.skip.append('puppet') options.skip = set(options.skip) # > Output all parameters if verbose. if options.verbose: print("HOSTNAME - %s" % HOSTNAME) print("DOMAIN - %s" % DOMAIN) print("FQDN - %s" % FQDN) print("OS RELEASE - %s" % RELEASE) print("MAC - %s" % MAC) print("IP - %s" % options.ip) print("foreman_fqdn - %s" % options.foreman_fqdn) print("LOGIN - %s" % options.login) print("PASSWORD - %s" % options.password) print("HOSTGROUP - %s" % options.hostgroup) print("LOCATION - %s" % options.location) print("OPERATINGSYSTEM - %s" % options.operatingsystem) print("PARTITIONTABLE - %s" % options.partitiontable) print("ORG - %s" % options.org) print("ACTIVATIONKEY - %s" % options.activationkey) print("CONTENT RELEASE - %s" % options.release) print("UPDATE - %s" % options.update) print("LEGACY LOGIN - %s" % options.legacy_login) print("LEGACY PASSWORD - %s" % options.legacy_password) print("DOWNLOAD METHOD - %s" % options.download_method) print("SKIP - %s" % options.skip) print("TIMEOUT - %s" % options.timeout) print("PUPPET SERVER - %s" % options.puppet_server) print("PUPPET CA SERVER - %s" % options.puppet_ca_server) print("PUPPET CA PORT - %s" % options.puppet_ca_port) print("IGNORE REGISTRATION FAILURES - %s" % options.ignore_registration_failures) print("PRESERVE RHSM PROXY CONFIGURATION - %s" % options.preserve_rhsm_proxy) print("REX - %s" % options.remote_exec) if options.remote_exec: print("REX USER - %s" % options.remote_exec_user) print("REX PROXIES - %s" % options.remote_exec_proxies) print("REX KEY URL - %s" % options.remote_exec_url) print("REX KEYS FROM API - %s" % options.remote_exec_apikeys) print("REX AUTHPATH - %s" % options.remote_exec_authpath) # > Exit if the user isn't root. # Done here to allow an unprivileged user to run the script to see # its various options. if os.getuid() != 0: print_error("This script requires root-level access") sys.exit(1) # > Check if Katello/Spacewalk/Satellite are installed already check_rpm_installed() # > Try to import json or simplejson. # do it at this point in the code to have our custom print and exec # functions available try: import json except ImportError: try: import simplejson as json except ImportError: print_warning("Could neither import json nor simplejson, will try to install simplejson and re-import") call_yum("install", "python-simplejson") try: import simplejson as json except ImportError: print_error("Could not install python-simplejson") sys.exit(1) # > Clean the environment from LD_... variables clean_environment() # > IF RHEL 5, not removing, and not moving to new capsule prepare the migration. if not options.remove and IS_EL5 and not options.new_capsule: if options.legacy_purge: print_warning("Purging the system from the Legacy environment is not supported on EL5.") prepare_rhel5_migration() if options.preserve_rhsm_proxy: saved_proxy_config = get_rhsm_proxy() if options.remove: # > IF remove, disassociate/delete host, unregister, # > uninstall katello and optionally puppet agents API_PORT = get_api_port(options.foreman_fqdn) RHSM_PORT = get_rhsm_port() unregister_system() if 'foreman' not in options.skip: hostid = return_matching_foreman_key('hosts', 'name="%s"' % FQDN, 'id', True) if hostid is not None: disassociate_host(hostid) delete_host(hostid) if 'katello-agent' in options.skip: print_warning("Skipping the installation of the Katello Agent is now the default behavior. passing --skip katello-agent is deprecated") if 'katello-agent' not in options.skip or 'katello-host-tools' not in options.skip: clean_katello_agent() if 'puppet' not in options.skip: clean_puppet() elif check_rhn_registration() and 'migration' not in options.skip and not IS_EL8: # > ELIF registered to RHN, install subscription-manager prerequs # > get CA RPM, optionally create host, # > migrate via rhn-classic-migrate-to-rhsm print_generic('This system is registered to RHN. Attempting to migrate via rhn-classic-migrate-to-rhsm') install_prereqs() _, versionerr = check_migration_version(SUBSCRIPTION_MANAGER_MIGRATION_MINIMAL_VERSION) if versionerr: print_error(versionerr) sys.exit(1) get_bootstrap_rpm(clean=options.force) generate_katello_facts() API_PORT = get_api_port(options.foreman_fqdn) RHSM_PORT = get_rhsm_port() if 'foreman' not in options.skip: create_host() configure_subscription_manager() migrate_systems(options.org, options.activationkey) if options.enablerepos: enable_repos() elif options.new_capsule: # > ELIF new_capsule and foreman_fqdn set, will migrate to other capsule # # > will replace CA certificate, reinstall katello-agent, gofer # > will optionally update hostgroup and location # > wil update system definition to point to new capsule for content, # > Puppet, OpenSCAP and update Puppet configuration (if applicable) # > MANUAL SIGNING OF CSR OR MANUALLY CREATING AUTO-SIGN RULE STILL REQUIRED! # > API doesn't have a public endpoint for creating auto-sign entries yet! if not is_registered(): print_error("This system doesn't seem to be registered to a Capsule at this moment.") sys.exit(1) # Make system ready for switch, gather required data install_prereqs() get_bootstrap_rpm(clean=True, unreg=False) install_katello_host_tools() if options.install_katello_agent: install_katello_agent() if 'katello-agent' in options.skip: print_warning("Skipping the installation of the Katello Agent is now the default behavior. passing --skip katello-agent is deprecated") enable_rhsmcertd() API_PORT = get_api_port(options.foreman_fqdn) RHSM_PORT = get_rhsm_port() if 'foreman' not in options.skip: current_host_id = return_matching_foreman_key('hosts', 'name="%s"' % FQDN, 'id', False) # Optionally configure new hostgroup, location if options.hostgroup: print_running("Calling Foreman API to switch hostgroup for %s to %s" % (FQDN, options.hostgroup)) update_host_config('hostgroup', options.hostgroup, current_host_id) if options.location: print_running("Calling Foreman API to switch location for %s to %s" % (FQDN, options.location)) update_host_config('location', options.location, current_host_id) # Configure new proxy_id for Puppet (if available and not skipped), and OpenSCAP (if available and not skipped) smart_proxy_id = return_matching_foreman_key('smart_proxies', 'name="%s"' % options.foreman_fqdn, 'id', True) if smart_proxy_id: capsule_features = get_capsule_features(smart_proxy_id) if 'puppet' not in options.skip: if 'Puppet' in capsule_features: print_running("Calling Foreman API to update Puppet server and Puppet CA for %s to %s" % (FQDN, options.foreman_fqdn)) update_host_capsule_mapping("puppet_proxy_id", smart_proxy_id, current_host_id) update_host_capsule_mapping("puppet_ca_proxy_id", smart_proxy_id, current_host_id) else: print_warning("New capsule doesn't have Puppet capability, not switching / configuring Puppet server and Puppet CA") if 'Openscap' in capsule_features: print_running("Calling Foreman API to update OpenSCAP proxy for %s to %s" % (FQDN, options.foreman_fqdn)) update_host_capsule_mapping("openscap_proxy_id", smart_proxy_id, current_host_id) else: print_warning("New capsule doesn't have OpenSCAP capability, not switching / configuring openscap_proxy_id") print_running("Calling Foreman API to update content source for %s to %s" % (FQDN, options.foreman_fqdn)) update_host_capsule_mapping("content_source_id", smart_proxy_id, current_host_id) else: print_warning("Could not find Smart Proxy '%s'! Will not inform Foreman about the new Puppet/OpenSCAP/content source for %s." % (options.foreman_fqdn, FQDN)) puppet_conf_path = '/etc/puppetlabs/puppet/puppet.conf' if 'puppet' not in options.skip and os.path.exists(puppet_conf_path): var_dir = '/opt/puppetlabs/puppet/cache' ssl_dir = '/etc/puppetlabs/puppet/ssl' print_running("Stopping the Puppet agent for configuration update") exec_service("puppet", "stop") # Not using clean_puppet() and install_puppet_agent() here, because # that would nuke custom /etc/puppet/puppet.conf files, which might # yield undesirable results. print_running("Updating Puppet configuration") exec_failexit("sed -i '/^[[:space:]]*server.*/ s/=.*/= %s/' %s" % (options.puppet_server, puppet_conf_path)) exec_failok("sed -i '/^[[:space:]]*ca_server.*/ s/=.*/= %s/' %s" % (options.puppet_ca_server, puppet_conf_path)) # For RHEL5 stock puppet.conf delete_directory(ssl_dir) delete_file("%s/client_data/catalog/%s.json" % (var_dir, FQDN)) noop_puppet_signing_run() print_generic("Puppet agent is not running; please start manually if required.") print_generic("You also need to manually revoke the certificate on the old capsule.") else: # > ELSE get CA RPM, optionally create host, # > register via subscription-manager print_generic('This system is not registered to RHN. Attempting to register via subscription-manager') install_prereqs() get_bootstrap_rpm(clean=options.force) generate_katello_facts() API_PORT = get_api_port(options.foreman_fqdn) RHSM_PORT = get_rhsm_port() if 'foreman' not in options.skip: create_host() configure_subscription_manager() if options.preserve_rhsm_proxy: set_rhsm_proxy(saved_proxy_config) register_systems(options.org, options.activationkey) if options.enablerepos: enable_repos() if options.location and 'foreman' in options.skip: delete_file('/etc/rhsm/facts/location.facts') if not options.remove and not options.new_capsule: # > IF not removing, install Katello agent, optionally update host, # > optionally clean and install Puppet agent # > optionally remove legacy RHN packages if options.install_katello_agent: install_katello_agent() if 'katello-agent' in options.skip: print_warning("Skipping the installation of the Katello Agent is now the default behavior. passing --skip katello-agent is deprecated") if 'katello-host-tools' not in options.skip: install_katello_host_tools() if options.update: fully_update_the_box() if 'puppet' not in options.skip: if options.force: clean_puppet() install_puppet_agent() if options.install_packages: install_packages() if 'remove-obsolete-packages' not in options.skip: remove_obsolete_packages() if options.remote_exec: if options.remote_exec_proxies: listproxies = options.remote_exec_proxies.split(",") for proxy_fqdn in listproxies: remote_exec_url = "https://" + str(proxy_fqdn) + ":9090/ssh/pubkey" install_ssh_key_from_url(remote_exec_url) elif options.remote_exec_url: install_ssh_key_from_url(options.remote_exec_url) elif options.remote_exec_apikeys: install_ssh_key_from_api() else: remote_exec_url = "https://" + str(options.foreman_fqdn) + ":9090/ssh/pubkey" install_ssh_key_from_url(remote_exec_url)