From 054d71538da4d3344b03442a103ea039a2e66fdd Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Wed, 28 Sep 2022 17:37:11 +0200
Subject: [PATCH 1/7] Check time sync in prereqs
---
lib/prerequisites.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 4e03530..a89aa54 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -65,6 +65,16 @@ if [ -e /etc/bridgehead/vault.conf ]; then
fi
fi
+if ! which timedatectl > /dev/null; then
+ log ERROR "systemd time sync is missing -- please install package containing timedatectl"
+ exit 1
+fi
+
+if ! timedatectl show | grep NTPSynchronized=yes >/dev/null; then
+ log ERROR "This server's clock is not synchronized with a time server. This will cause Samply.Beam's certificate will fail. Please enter a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+ exit 1
+fi
+
log INFO "Success - all prerequisites are met!"
exit 0
From 7d13eace3233a74fcc4ec5fb7ae02d230bfd9f11 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Fri, 30 Sep 2022 17:02:05 +0200
Subject: [PATCH 2/7] Check clock skew even smarter
---
lib/prerequisites.sh | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index a89aa54..b338d7c 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
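Review bot: In [PATCH 1/7], the new ERROR text is garbled: "This will cause Samply.Beam's certificate will fail" is not a sentence, and the parenthesis opened at `(e.g. your institution's ...` is never closed, so the one message an operator sees when time sync is broken is hard to act on. Something like `This will cause Samply.Beam's certificate validation to fail.` with a `)` after "Domain Controller" reads cleanly, assuming validation is what is meant. The same wording is carried into the clock-skew messages of patches 2, 4, 5 and 7. In the two added guards, `command -v timedatectl >/dev/null` is the portable form of `which`, and `grep -q` replaces the `>/dev/null` redirect.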
@@ -65,13 +65,28 @@ if [ -e /etc/bridgehead/vault.conf ]; then
fi
fi
-if ! which timedatectl > /dev/null; then
- log ERROR "systemd time sync is missing -- please install package containing timedatectl"
+log INFO "Checking network access ($BROKER_URL) ..."
+
+source /etc/bridgehead/${PROJECT}.conf
+source ${PROJECT}/vars
+
+set +e
+SERVERTIME=$(curl -I $BROKER_URL)
+if [ $? -ne 0 ]; then
+ log ERROR "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings."
exit 1
fi
+set -e
-if ! timedatectl show | grep NTPSynchronized=yes >/dev/null; then
- log ERROR "This server's clock is not synchronized with a time server. This will cause Samply.Beam's certificate will fail. Please enter a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+log INFO "Checking clock skew ..."
+
+SERVERTIME=$(echo $SERVERTIME | grep -i ^Date: | cut -d: -f2- | sed 's/^ *\(.*\).*/\1/')
+SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+MYTIME=$(date +%s)
+SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+if [ $SKEW -ge 300 ]; then
+ log ERROR "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
exit 1
fi
From 1d05137bb9cb99e56b246512e1936edfb99f9ba7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 30 Sep 2022 17:13:28 +0200
Subject: [PATCH 3/7] Use proxy in time check
---
lib/prerequisites.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index b338d7c..9a1e39f 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
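Review bot: In [PATCH 2/7], `echo $SERVERTIME` is unquoted, so the multi-line header block from `curl -I` is word-split and re-joined onto a single line; `grep -i ^Date:` can then only match if `Date:` is the very first header, which it is not after the status line. SERVERTIME ends up empty, and GNU `date --date=""` does not fail but resolves to midnight today, so the computed skew is meaningless and can exceed 300 s on a correctly synchronized host. Quoting the expansion and rejecting an empty result fixes both: `SERVERTIME=$(printf '%s\n' "$SERVERTIME" | tr -d '\r' | grep -i '^Date:' | cut -d: -f2-)` followed by `[ -n "$SERVERTIME" ] || { log ERROR "No Date header received from $BROKER_URL"; exit 1; }`. Also, `log INFO "Checking network access ($BROKER_URL) ..."` runs before the two `source` lines, so if BROKER_URL is defined in those files the message would print it empty.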
@@ -71,7 +71,7 @@ source /etc/bridgehead/${PROJECT}.conf
source ${PROJECT}/vars
set +e
-SERVERTIME=$(curl -I $BROKER_URL)
+SERVERTIME=$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -I $BROKER_URL)
if [ $? -ne 0 ]; then
log ERROR "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings."
exit 1
From f52012008d22d4fab53cb1418234b344e1b6aacf Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 30 Sep 2022 17:36:07 +0200
Subject: [PATCH 4/7] Update prerequisites.sh
---
lib/prerequisites.sh | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 9a1e39f..28958b3 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,16 +71,16 @@ source /etc/bridgehead/${PROJECT}.conf
source ${PROJECT}/vars
set +e
-SERVERTIME=$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -I $BROKER_URL)
+SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -v $BROKER_URL 2>&1)"
if [ $? -ne 0 ]; then
- log ERROR "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings."
+ log ERROR "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\"."
exit 1
fi
set -e
log INFO "Checking clock skew ..."
-SERVERTIME=$(echo $SERVERTIME | grep -i ^Date: | cut -d: -f2- | sed 's/^ *\(.*\).*/\1/')
+SERVERTIME=$(echo -e "$SERVERTIME" | grep Date | sed -e 's/< Date: //')
SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
MYTIME=$(date +%s)
SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
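Review bot: In [PATCH 3/7], `$BROKER_URL` is still expanded unquoted on the changed curl line, so a value from the sourced config that contains whitespace or glob characters would be split into extra curl arguments; `curl -m 5 -I "$BROKER_URL"` avoids that. Adding `-s` would also keep curl's progress meter off the terminal, since only stdout is captured here.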
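Review bot: In the first hunk of [PATCH 4/7], the new error text prints `$HTTPS_PROXY_URL` verbatim, and a proxy URL can carry `user:password@`, so a failed check would write proxy credentials to the log; consider logging it with the userinfo stripped, e.g. `${HTTPS_PROXY_URL#*@}`, or only stating whether a proxy is configured. Separately, `grep Date | sed -e 's/< Date: //'` is case-sensitive and unanchored: over HTTP/2 curl prints the header as `< date:`, which would leave SERVERTIME empty, and `date --date=""` then resolves to midnight today instead of failing. `grep -i '^< date:'` plus an explicit `[ -n "$SERVERTIME" ]` check would make a failed parse visible. The same log text is kept as a WARN in the next patch of this series.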
@@ -88,6 +88,8 @@ SKEW=$(echo $SKEW | awk -F- '{print $NF}')
if [ $SKEW -ge 300 ]; then
log ERROR "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
exit 1
+elif [ $SKEW -ge 60 ]; then
+ log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server."
fi
log INFO "Success - all prerequisites are met!"
From 091402eea03ebab5159cce0eb33eaafdd932ee83 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 30 Sep 2022 17:42:53 +0200
Subject: [PATCH 5/7] Update prerequisites.sh
---
lib/prerequisites.sh | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 28958b3..0bb7882 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -72,24 +72,26 @@ source ${PROJECT}/vars
set +e
SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -v $BROKER_URL 2>&1)"
-if [ $? -ne 0 ]; then
- log ERROR "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\"."
- exit 1
-fi
+RET=$?
set -e
+if [ $RET -ne 0 ]; then
+ log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+ log WARN "Unable to check clock skew due to previous error."
+else
+ log INFO "Checking clock skew ..."
-log INFO "Checking clock skew ..."
-
-SERVERTIME=$(echo -e "$SERVERTIME" | grep Date | sed -e 's/< Date: //')
-SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
-MYTIME=$(date +%s)
-SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
-SKEW=$(echo $SKEW | awk -F- '{print $NF}')
-if [ $SKEW -ge 300 ]; then
- log ERROR "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
- exit 1
-elif [ $SKEW -ge 60 ]; then
- log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server."
+ SERVERTIME=$(echo -e "$SERVERTIME" | grep Date | sed -e 's/< Date: //')
+ SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+ MYTIME=$(date +%s)
+ SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+ SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+ SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+ if [ $SKEW -ge 300 ]; then
+ log ERROR "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+ exit 1
+ elif [ $SKEW -ge 60 ]; then
+ log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+ fi
fi
log INFO "Success - all prerequisites are met!"
From 9facafd0c4939e2d6b7fab6a83a9b6593223f139 Mon Sep 17 00:00:00 2001
From: lablans
Date: Fri, 28 Jul 2023 11:23:54 +0000
Subject: [PATCH 6/7] Only read headers from Broker to check clock skew
---
lib/prerequisites.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 0bb7882..9b2272f 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,7 +71,7 @@ source /etc/bridgehead/${PROJECT}.conf
source ${PROJECT}/vars
set +e
-SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -v $BROKER_URL 2>&1)"
+SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -I $BROKER_URL 2>&1)"
RET=$?
set -e
if [ $RET -ne 0 ]; then
From b7ed90c5c8c2df37be390d631fe9ac935d3b9cc6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 28 Jul 2023 11:32:48 +0000
Subject: [PATCH 7/7] Change logging/reporting order
---
lib/prerequisites.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index d719aa4..0cec06b 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
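Review bot: In [PATCH 5/7], a failed broker request is now only a WARN and the clock-skew block is skipped, yet the script still reaches `log INFO "Success - all prerequisites are met!"`, so an unreachable broker and an unverified clock are reported as a pass. Because the skew check exists to catch certificate failures before they happen, the success line should not be printed unqualified in that case; for example set `CLOCK_CHECKED=no` in the WARN branch and log `Prerequisites met, but broker connectivity and clock skew could not be verified.` instead. The WARN text also keeps printing `$HTTPS_PROXY_URL` verbatim, which would expose any credentials embedded in the proxy URL.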
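Review bot: In [PATCH 6/7], switching from `-v` to `-I` changes the shape of the captured text: header lines no longer carry the `< ` prefix, so the parsing step added earlier in this series (`grep Date | sed -e 's/< Date: //'`, outside this hunk) would leave the literal `Date: ` in front of the value unless it was updated alongside. GNU `date --date=` is unlikely to accept that prefix, and with `set -e` re-enabled the failed substitution would end the script without a log line. If that line is unchanged, something like `grep -i '^date:' | sed -e 's/^[Dd]ate: *//' | tr -d '\r'` fits the `-I` output.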
@@ -84,7 +84,7 @@ else
SKEW=$(echo $SKEW | awk -F- '{print $NF}')
SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
if [ $SKEW -ge 300 ]; then
- log ERROR "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+ report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
exit 1
elif [ $SKEW -ge 60 ]; then
log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
@@ -98,8 +98,6 @@ checkPrivKey() {
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions."
return 1
fi
- log INFO "Success - all prerequisites are met!"
- hc_send log "Success - all prerequisites are met!"
return 0
}
@@ -110,5 +108,6 @@ else
fi
log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
exit 0
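Review bot: In the first hunk of [PATCH 7/7], `report_error 5 "..."` is immediately followed by the unchanged `exit 1`, and `report_error` is defined outside this diff, so it is not visible whether it returns or terminates the script. If it exits, `exit 1` is dead code; if it returns, the process status is 1 while the reported code is 5. A one-line comment such as `# report_error only notifies; the exit status is set below` (or dropping the `exit 1`) would record which behaviour is intended.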
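Review bot: In the last hunk of [PATCH 7/7], `hc_send log "Success - all prerequisites are met!"` now runs at top level just before `exit 0`, and earlier patches in this series re-enable `set -e` above this point. If `hc_send` (defined outside this diff) can return non-zero, for example when the health-check endpoint is unreachable, the script would end with a failure status after every check passed. `hc_send log "Success - all prerequisites are met!" || log WARN "Could not send health-check ping"` keeps the notification best-effort.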