We need to hook the post-build action into the main ngcpcfg script,
otherwise we cannot call it standalone, nor get help about it.
Fixes: commit ad0cf94b46
Change-Id: I9a1173ac88d0f13797b50bad7fdaa3539752a903
* instead of dying on non-existing function procedure only a warning
is logged (similar to non-existing table occurrence). This is to
enable correct invocation of the script on proxy nodes 3308 instance
where not all table/procedures might be available.
Change-Id: Ied5e6300c4dcc8c2e08e2152d56298bd2729c611
Rename gpg to pgp or OpenPGP and remove crypted from filenames.
The standard is called OpenPGP, GnuPG (or GPG, gpg) is one of many
implementations (although depending on the context the prevalent one)
so we use that when referring to the specification.
For the encrypted tarball we remove the «-crypted» term which is an
odd wording used for encrypted content and it is unnecessary and confusing
when using layered containers (as when the tarball is decrypted the
name becomes invalid); and make it use «.pgp» instead of «.gpg» as
extension, while trying the old filename on decryption for backwards
compatibility.
Change-Id: If5e0349ff0c3d8e3b47ced361e9e77d7d4d2defc
Usage of IP addresses like 1.2.3.4 + 2.3.4.5 is not recommended, as they
might point to actually used and non-reserved IPs.
Quoting from RFC 5737 AKA "IPv4 Address Blocks Reserved for
Documentation" (see https://datatracker.ietf.org/doc/html/rfc5737):
| The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and
| 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
So use 203.0.113.0/24 in our docs/code/testsuite instead.
Change-Id: Ic786a12c006a1fe11b67b788e01cca377f08771f
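A check for the convention in the commit above, as an added example that is not code from the ngcpcfg repository: it scans text for IPv4 literals and reports those that are globally routable rather than inside the RFC 5737 documentation blocks. The function names and the sample input are assumptions made for illustration.

```python
import ipaddress
import re

# The three RFC 5737 documentation blocks quoted in the commit message.
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Dotted quad not embedded in a longer dotted/numeric token (e.g. 1.2.3.4.5).
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def classify(addr):
    """Return 'documentation', 'special-use' or 'routable' for an IPv4 string."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in DOC_NETS):
        return "documentation"
    if not ip.is_global or ip.is_multicast or ip.is_reserved:
        return "special-use"  # private, loopback, link-local, shared space, ...
    return "routable"


def find_routable_examples(text):
    """Return (line_number, address) for every literal that could be a real host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_RE.finditer(line):
            try:
                kind = classify(match.group())
            except ipaddress.AddressValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if kind == "routable":
                hits.append((lineno, match.group()))
    return hits


# Constructed sample resembling a docs/test fixture; not taken from the project.
SAMPLE = """\
sip_ext_ip: 1.2.3.4
peer_ip: 203.0.113.42
rtp_ip: 2.3.4.5
mgmt_ip: 198.51.100.7
loopback: 127.0.0.1
bogus: 999.1.1.1
"""

if __name__ == "__main__":
    for lineno, addr in find_routable_examples(SAMPLE):
        print(f"line {lineno}: {addr} is routable, use 203.0.113.0/24 instead")
```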
In the deployment of our lab carrier, we are heavily using ngcpcfg set
command for example to change the IP addresses of all proxies. The issue is that
execution of a command takes around 1,5 seconds and this seems to be because every time
"set" is used, we call the check-permissions script, which has some time
penalty to be executed. Most likely nobody uses set quite often, so that is why
the problem was not so visible for a long time.
Change-Id: I47c6c3b88b0f108aadf9d8d9a2b131e0cb76b498
These commands are db-specific, and the constants one involves the
database credentials, so give both better names to make it clear these
are not general purpose commands.
Preserve backwards compatibility symlinks for external callers, or
user muscle memory, while this gets migrated away.
Change-Id: I3baae364e786ebbdc9e386dfc4f8c0bf54333cd1
* check that host on which instance runs exists
* check that instance names are not duplicated
* check that instance names in connections are not duplicated
Additionally fix the uniqueness of array members in 'dupe_conn'.
Change-Id: I65fc31107d7e784614974ab9992836885ff50d75
* check doesn't work for 'host' type
* check doesn't test 'type' interface
* introduce test for command
Change-Id: I6a9c37a874aa219f33fde10fb0991f7450906443
Use a tree-like formatting similar to ngcp-network-validator, which
mimics the output from pkwalify, which should make it easier to
pin-point where the error happened in the YAML document.
Change-Id: I27c5933e88b392ea473fedae8f3daf87e3bdaf7f
Remove redundant symbol name parts that are clear from the context.
Turn arrays into grammatical plurals, and hash tables into singular,
which are more natural. Use the same "dupe" nomenclature as the
ngcp-network-validator.
Change-Id: I6fb275b4806b7c0e3b71a7bfa943af541d1b3790
Instead of open-coding these functions, use them from List::Util, which
will be also more performant as they do early exits.
Change-Id: Iab7692f93ece4d66ecc6c1e7d43c5472c0b72835
Introduce a list of checks related to connections:
* check that we don't have instance names duplicates
* prove an existence of a preferred for instance host
* an instance to which instance gets connected exists
* a host to which instance gets connected exists
* interface via which instance gets connected is defined
Change-Id: I24f43b0fb24e308f571a88f30a72a9b6dd04b94d
Related to previous commit (fa645475), we shouldn't execute
restore-permissions with any actions that aren't modifying system state.
Therefore also skip restore-permissions execution for diff, log + status
actions.
While at it, sort list of actions alphabetically.
Thanks Guillem Jover for raising this.
Change-Id: I803b08eee843d31f12d9810fe33b4327490228da
Execution of `ngcpcfg check` shouldn't modify system state,
and executing the restore-permissions helper script also
takes some notable time (e.g. during ngcp-status execution
it causes ~10% of its runtime).
Change-Id: I8ad861379da3817f0bdf760ea16939c80eae2ce6
This new action concatenates the various configuration files and outputs
the result as YAML. This is useful because they have a determined
ordering, and include optional host specific files that might not be
obvious how to merge.
This will also be the foundation for verifying all the current host
settings against the cfg-schema.
Change-Id: I72a61193f74caf3b2f7a58a47eefad2ed46c973a
The YAML::XS module handles its passed or returned data for Load() and
Dump() as raw UTF-8, irrespective of perl's UTF-8 string markers. When
we use these functions we need to use a «:raw» encoding or we will end
up with doubly encoded strings.
We also need to tell the Template Toolkit to use UTF-8 as encoding, and
then setup the file handles to use the appropriate encodings.
Change-Id: I37a6811f0680763d7177c3ad92ddf9b890869e66
Instead of having to identify the parent process name (ngcpcfg vs.
ngcp-config) inside subprocesses (like "status"), let's provide the
invocation name through the main ngcpcfg binary via variable
NGCPCFG_NAME.
Thanks to Guillem Jover for the suggestion.
Change-Id: Iafbac535bedb9cc9dc73f3d95861a5bc735cc739
Even though this has no current functional difference, as we always have
a hosts definition, we should key the copy action on the copy hash in
the grants.yml file.
Change-Id: I45b6d4100910e600979b187a769a92753a8e7a2f
* drop: '!localhost' can remove all user@host where host is not
'localhost'
* drop: '%' now correctly drops user as user@% where host = '%'
Change-Id: I9c294979a73816ec76c217e9e7e83458cea1b0c1
* ngcpcfg: obey SKIP_UPDATE_PERMS
* t/fixtures/programs.py: set SKIP_*_PERMS to true by default
* t/test_ngcpcfg_apply.py:
touching the file was not producing a change in git
Change-Id: Id8317ff09fee2a9a3d4d2015d1cd782c3f9b62e7
NGCP has two VPN connections (types in network.yml):
- openvpn
- openvpn_vip
The second one should have identical IP on sp1 and sp2,
therefore we have to disable validation for 'tun' interface
(like we have for 'dummy' already).
Change-Id: Ia49d22d4c448a2d77db6a6cd7e755ec2f19a8d7b
* bin/ngcpcfg: SKIP_RESTORE_PERMS so we can skip that on tests
* scripts/status: use NGCPCTL_BASE and NGCPCTL_MAIN so it would work
in test environment
Change-Id: I8ba80bbb2ea3adf1b8cc2a4229568a87f9508cbd
The command 'decrypt' produced an error:
> root@sp1:~# ngcp-config decrypt
> /usr/sbin/ngcp-config: line 12: NGCPCTL_MAIN: unbound variable
> root@sp1:~#
It happens due to the missing load of '"${FUNCTIONS}"/main'
inside 'scripts/decrypt' which is required for 'ngcpcfg_update_perms()'.
The '"${FUNCTIONS}"/main' cannot be loaded here as explained inside 'scripts/decrypt':
> # sadly we can't source ${FUNCTIONS}/main as we are missing a bunch of
> # configuration files that are supposed to be available, therefore
> # provide the main functions we need for successful execution of the
> # decrypt function
The fix here is to extract action 'decrypt' from ngcpcfg_update_perms()
as it is not necessary here as we are unpacking files from archive anyway.
Change-Id: Ic3117f585c2ff4af555fb7600a5b331cf7425e3c
Normally it is necessary to press TAB multiple times, e.g:
> vim /etc/ngcp-conf<TAB>/con<TAB>f<TAB>...
For new NGCP users it is even longer.
At the same time we have a nice usability experience for ngcp-ppa,
where users are just pressing "ngcp-ppa<ENTER>1<ENTER>1<ENTER>".
Let's add the same concept here as the order of the main files is static:
> 1) /etc/ngcp-config/config.yml
> 2) /etc/ngcp-config/network.yml
> 3) /etc/ngcp-config/constants.yml
If I need to edit network.yml I will type:
> ngcpc<TAB> e<TAB><ENTER>2<ENTER>
or even:
> ngcpc<TAB> e<TAB>2<ENTER>
Change-Id: Id20fec8c931c15c73a73689a3f8b552a72ef11f7
Quoting from "man bash" about `-E` (AKA errtrace):
| If set, any trap on ERR is inherited by shell functions, command
| substitutions, and commands executed in a subshell environment.
| The ERR trap is normally not inherited in such cases.
To demonstrate the problem see this short shell script:
| % cat foo
| set -eu -o pipefail
|
| bailout() {
| echo "Bailing out because of error" >&2
| exit 1
| }
| trap bailout 1 2 3 6 9 14 15 ERR
|
| foo() {
| echo "Executing magic"
| magic
| }
|
| foo
| echo end
If "magic" can't be executed, then this fails as follows:
| % bash ./foo
| Executing magic
| ./foo: line 11: magic: command not found
But it doesn't invoke the bailout function via trap.
When using `set -eE` (AKA errexit + errtrace), instead of only
`set -e` (errexit), then it behaves as expected though:
| % bash ./foo
| Executing magic
| ./foo: line 11: magic: command not found
| Bailing out because of error
Change-Id: I9f05355716551cd8fc8f22bd2fa16bbc9d0b7247
* ngcp-sync-grants uses "SET PASSWORD" now as mysql.user is a view
* ngcp-sync-constants rework to use either mysql.global_priv (10.4+)
or else mysql.user to fetch matched passwords. use user@host to
update passwords per. Improve "changed" passwords detection.
Change-Id: I72025f1d1b58304638a3b2444989061648fedb6c
* set_user_protected_password() is renamed to
create_protected_user() to better match its purpose
* the temporary user to help with grants is now created only once
and dropped when the script finishes
Change-Id: I30755617859f43fa6c1acd68f46d473c495a36b8
* check only mode enables only checking if there
are differences with users/grants
* remove flush privileges from a temporary user as
those privileges are only created to retrieve a
MariaDB sorted content, no real access is meant
by them
Change-Id: Ifcbda45e1bf53bb983da0ce005285c00965ea92f