Merge pull request #12 from ARGOeu/devel

Version 0.1.3-1

MANIFEST.in

@@ -0,0 +1,5 @@
+include src/*
+include pymodule/*
+include nagios-plugins-fedcloud.spec
+
+recursive-exclude pymodule *.pyc

Makefile

@@ -6,13 +6,19 @@ PKGVERSION=$(shell grep -s '^Version:' $(SPECFILE) | sed -e 's/Version: *//')
 
 dist:
 	rm -rf dist
-	mkdir -p dist/${PKGNAME}-${PKGVERSION}
-	cp -pr ${FILES} dist/${PKGNAME}-${PKGVERSION}/.
-	cd dist ; tar cfz ../${PKGNAME}-${PKGVERSION}.tar.gz ${PKGNAME}-${PKGVERSION}
+	python setup.py sdist
+	mv dist/${PKGNAME}-${PKGVERSION}.tar.gz .
 	rm -rf dist
 
+srpm: dist
+	rpmbuild -ts --define='dist .el6' ${PKGNAME}-${PKGVERSION}.tar.gz
+
+rpm: dist
+	rpmbuild -ta ${PKGNAME}-${PKGVERSION}.tar.gz
+
 sources: dist
 
 clean:
 	rm -rf ${PKGNAME}-${PKGVERSION}.tar.gz
+	rm -f MANIFEST
 	rm -rf dist

README.md

@@ -0,0 +1,11 @@
+# Plugin for EGI FedCloud services
+
+This package includes probes for EGI FedCloud services.
+
+Currently it supports the following tests:
+ - AppDB workflow
+ - CDMI
+ - Openstack Nova
+ - FedCloud Accounting Freshness
+ - OCCI compute create
+ - Perun

nagios-plugins-fedcloud.spec

@@ -1,9 +1,11 @@
-%define dir %{_libdir}/nagios/plugins/fedcloud
+# sitelib
+%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%define dir /usr/libexec/argo-monitoring/probes/fedcloud
 
 Summary: Nagios plugins for EGI FedCloud services
 Name: nagios-plugins-fedcloud
-Version: 0.1.0
-Release: 2%{?dist}
+Version: 0.1.3
+Release: 1%{?dist}
 License: ASL 2.0
 Group: Network/Monitoring
 Source0: %{name}-%{version}.tar.gz
@@ -19,20 +21,39 @@ Requires: pyOpenSSL
 %setup -q
 
 %build
+%{__python} setup.py build
 
 %install
 rm -rf $RPM_BUILD_ROOT
+%{__python} setup.py install --skip-build --root %{buildroot} --record=INSTALLED_FILES
 install --directory ${RPM_BUILD_ROOT}%{dir}
 install --mode 755 src/*  ${RPM_BUILD_ROOT}%{dir}
+install -d -m 755 %{buildroot}/%{python_sitelib}/nagios_plugins_fedcloud
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
-%files
+%files -f INSTALLED_FILES
 %defattr(-,root,root,-)
 %{dir}
+%{python_sitelib}/nagios_plugins_fedcloud
 
 %changelog
+* Tue Dec 13 2016 Daniel Vrcic <dvrcic@srce.hr> - 0.1.3-1%{?dist}
+- refactored keystone token and cert check code 
+* Tue Nov 22 2016 Emir Imamagic <eimamagi@srce.hr> - 0.1.1-7%{?dist}
+- Probes location aligned with guidelines
+* Fri May 13 2016 Daniel Vrcic <dvrcic@srce.hr> - 0.1.0-6%{?dist}
+- cdmiprobe: add support for printing error msgs from packed exceptions 
+- cdmiprobe: wait some time before next operation
+- cdmiprobe: fetched token implies that we have supported CDMI Specification version
+- cdmiprobe: merged improvements with proper cleanup procedure by Enol Fernandez
+* Tue Jan 19 2016 Daniel Vrcic <dvrcic@srce.hr> - 0.1.0-5%{?dist}
+- remove Py2.6 deprecations in cdmiprobe and novaprobe
+* Fri Oct 6 2015 Daniel Vrcic <dvrcic@srce.hr> - 0.1.0-4%{?dist}
+- novaprobe: debugging helper leftover removed 
+* Fri Oct 2 2015 Daniel Vrcic <dvrcic@srce.hr> - 0.1.0-3%{?dist}
+- novaprobe: only HTTPS endpoints allowed
 * Wed Sep 23 2015 Daniel Vrcic <dvrcic@srce.hr> - 0.1.0-2%{?dist}
 - cdmiprobe: handle case when endpoint disabled SSLv3
 - novaprobe: added image and flavor cmd options

pymodule/helpers.py

@@ -0,0 +1,170 @@
+import sys
+import re
+import socket
+import requests
+import json
+from time import sleep
+
+from OpenSSL.SSL import TLSv1_METHOD, Context, Connection
+from OpenSSL.SSL import VERIFY_PEER
+from OpenSSL.SSL import Error as SSLError
+from OpenSSL.SSL import WantReadError as SSLWantReadError
+from urlparse import urlparse
+
+strerr = ''
+num_excp_expand = 0
+
+def nagios_out(status, msg, retcode):
+    sys.stdout.write(status+": "+msg+"\n")
+    sys.exit(retcode)
+
+def get_keystone_token(host, userca, capath, timeout):
+    if verify_cert(host, capath, timeout):
+        o = urlparse(host)
+        if o.scheme != 'https':
+            nagios_out('Critical', 'Connection error %s - Probe expects HTTPS endpoint' % (o.scheme+'://'+o.netloc), 2)
+        try:
+            # fetch unscoped token
+            token_suffix = ''
+            if o.netloc.endswith('v2.0'):
+                token_suffix = token_suffix+'/tokens'
+            elif o.netloc.endswith('5000'):
+                token_suffix = token_suffix+'/v2.0/tokens'
+
+            headers, payload, token = {}, {}, None
+            headers.update({'Accept': '*/*'})
+
+            headers = {'content-type': 'application/json', 'accept': 'application/json'}
+            payload = {'auth': {'voms': True}}
+            response = requests.post(o.scheme+'://'+o.netloc+token_suffix, headers=headers,
+                                    data=json.dumps(payload), cert=userca, verify=False, timeout=timeout)
+            response.raise_for_status()
+            token = response.json()['access']['token']['id']
+        except(KeyError, IndexError) as e:
+            nagios_out('Critical', 'Could not fetch unscoped keystone token from response: Key not found %s' % errmsg_from_excp(e), 2)
+        except (requests.exceptions.ConnectionError, requests.exceptions.HTTPError) as e:
+            nagios_out('Critical', 'Connection error %s - %s' % (o.netloc+token_suffix, errmsg_from_excp(e)), 2)
+
+        try:
+            # use unscoped token to get a list of allowed tenants mapped to
+            # ops VO from VOMS proxy cert
+            tenant_suffix= ''
+            if o.netloc.endswith("v2.0"):
+                tenant_suffix = tenant_suffix+'/tenants'
+            else:
+                tenant_suffix = tenant_suffix+'/v2.0/tenants'
+            headers = {'content-type': 'application/json', 'accept': 'application/json'}
+            headers.update({'x-auth-token': token})
+            response = requests.get(o.scheme+'://'+o.netloc+tenant_suffix, headers=headers,
+                                    data=None, cert=userca, verify=False, timeout=timeout)
+            response.raise_for_status()
+            tenants = response.json()['tenants']
+            tenant = ''
+            for t in tenants:
+                if 'ops' in t['name']:
+                    tenant = t['name']
+        except(KeyError, IndexError) as e:
+            nagios_out('Critical', 'Could not fetch allowed tenants from response: Key not found %s' % errmsg_from_excp(e), 2)
+        except (requests.exceptions.ConnectionError, requests.exceptions.HTTPError) as e:
+            nagios_out('Critical', 'Connection error %s - %s' % (o.scheme+'://'+o.netloc+tenant_suffix, errmsg_from_excp(e)), 2)
+
+        try:
+            # get scoped token for allowed tenant
+            headers = {'content-type': 'application/json', 'accept': 'application/json'}
+            payload = {'auth': {'voms': True, 'tenantName': tenant}}
+            response = requests.post(o.scheme+'://'+o.netloc+token_suffix, headers=headers,
+                                    data=json.dumps(payload), cert=userca, verify=False, timeout=timeout)
+            response.raise_for_status()
+            token = response.json()['access']['token']['id']
+        except(KeyError, IndexError) as e:
+            nagios_out('Critical', 'Could not fetch scoped keystone token for %s from response: Key not found %s' % (tenant, errmsg_from_excp(e)), 2)
+        except (requests.exceptions.ConnectionError, requests.exceptions.HTTPError) as e:
+            nagios_out('Critical', 'Connection error %s - %s' % (o.scheme+'://'+o.netloc+token_suffix, errmsg_from_excp(e)), 2)
+
+    return token, tenant, response
+
+def errmsg_from_excp(e, level=5):
+    global strerr, num_excp_expand
+    if isinstance(e, Exception) and getattr(e, 'args', False):
+        num_excp_expand += 1
+        if not errmsg_from_excp(e.args):
+            return strerr
+    elif isinstance(e, dict):
+        for s in e.iteritems():
+            errmsg_from_excp(s)
+    elif isinstance(e, list):
+        for s in e:
+            errmsg_from_excp(s)
+    elif isinstance(e, tuple):
+        for s in e:
+            errmsg_from_excp(s)
+    elif isinstance(e, str):
+        if num_excp_expand <= level:
+            strerr += e + ' '
+
+def verify_cert(host, capath, timeout, cncheck=True):
+    server_ctx = Context(TLSv1_METHOD)
+    server_cert_chain = []
+    server_ctx.load_verify_locations(None, capath)
+
+    host = re.split("/*", host)[1]
+    if ':' in host:
+        host = host.split(':')
+        server = host[0]
+        port = int(host[1] if not '?' in host[1] else host[1].split('?')[0])
+    else:
+        server = host
+        port = 443
+
+    def verify_cb(conn, cert, errnum, depth, ok):
+        server_cert_chain.append(cert)
+        return ok
+    server_ctx.set_verify(VERIFY_PEER, verify_cb)
+
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.setblocking(1)
+        sock.settimeout(timeout)
+        sock.connect((server, port))
+    except (socket.error, socket.timeout) as e:
+        nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port),
+                                                            errmsg_from_excp(e)),
+                                                            2)
+
+    server_conn = Connection(server_ctx, sock)
+    server_conn.set_connect_state()
+
+    def iosock_try():
+        ok = True
+        try:
+            server_conn.do_handshake()
+            sleep(0.5)
+        except SSLWantReadError as e:
+            ok = False
+            pass
+        except Exception as e:
+            raise e
+        return ok
+
+    try:
+        while True:
+            if iosock_try():
+                break
+
+        if cncheck:
+            server_subject = server_cert_chain[-1].get_subject()
+            if server != server_subject.CN:
+                nagios_out('Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2)
+
+    except SSLError as e:
+        if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
+            pass
+        else:
+            nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port),
+                                                                errmsg_from_excp(e, level=1)),
+                                                                2)
+    finally:
+        server_conn.shutdown()
+        server_conn.close()
+
+    return True

setup.py

@@ -0,0 +1,38 @@
+from distutils.core import setup
+import glob, sys
+
+NAME='nagios-plugins-fedcloud'
+DESTDIR='/usr/libexec/argo-monitoring/probes/fedcloud'
+
+def get_ver():
+    try:
+        for line in open(NAME+'.spec'):
+            if "Version:" in line:
+                return line.split()[1]
+    except IOError:
+        print "Make sure that %s is in directory"  % (NAME+'.spec')
+        sys.exit(1)
+
+
+setup(name=NAME,
+      version=get_ver(),
+      license='ASL 2.0',
+      author='SRCE',
+      author_email='dvrcic@srce.hr, eimamagi@srce.hr',
+      description='Package include probes for EGI FedCloud services',
+      platforms='noarch',
+      long_description='''
+      This package includes probes for EGI FedCloud services.
+      Currently it supports the following tests:
+        - AppDB workflow
+        - CDMI
+        - Openstack Nova
+        - FedCloud Accounting Freshness
+        - OCCI compute create
+        - Perun
+      ''',
+      url='https://github.com/ARGOeu/nagios-plugins-fedcloud',
+      data_files=[(DESTDIR, glob.glob('src/*'))],
+      packages=['nagios_plugins_fedcloud'],
+      package_dir={'nagios_plugins_fedcloud': 'pymodule/'},
+      )