--- loncom/loncron 2019/07/07 16:15:24 1.103.2.4
+++ loncom/loncron 2018/10/25 02:48:56 1.109
@@ -2,7 +2,7 @@
# Housekeeping program, started by cron, loncontrol and loncron.pl
#
-# $Id: loncron,v 1.103.2.4 2019/07/07 16:15:24 raeburn Exp $
+# $Id: loncron,v 1.109 2018/10/25 02:48:56 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -41,7 +41,8 @@ use IO::File;
use IO::Socket;
use HTML::Entities;
use Getopt::Long;
-use File::Copy;
+use GDBM_File;
+use Storable qw(thaw);
#globals
use vars qw (%perlvar %simplestatus $errors $warnings $notices $totalcount);
@@ -112,21 +113,18 @@ sub checkon_daemon {
my $result;
&log($fh,'
'.$daemon.'
Log
');
printf("%-15s ",$daemon);
- if ($fh) {
- if (-e "$perlvar{'lonDaemons'}/logs/$daemon.log"){
- if (open(DFH,"tail -n25 $perlvar{'lonDaemons'}/logs/$daemon.log|")) {
- while (my $line=) {
- &log($fh,"$line");
- if ($line=~/INFO/) { $notices++; }
- if ($line=~/WARNING/) { $notices++; }
- if ($line=~/CRITICAL/) { $warnings++; }
- }
- close (DFH);
- }
- }
- &log($fh,"
");
+ if (-e "$perlvar{'lonDaemons'}/logs/$daemon.log"){
+ open (DFH,"tail -n25 $perlvar{'lonDaemons'}/logs/$daemon.log|");
+ while (my $line=) {
+ &log($fh,"$line");
+ if ($line=~/INFO/) { $notices++; }
+ if ($line=~/WARNING/) { $notices++; }
+ if ($line=~/CRITICAL/) { $warnings++; }
+ };
+ close (DFH);
}
-
+ &log($fh,"");
+
my $pidfile="$perlvar{'lonDaemons'}/logs/$daemon.pid";
my $restartflag=1;
@@ -167,8 +165,11 @@ sub checkon_daemon {
&log($fh,unlink($pidfile).' - '.
`killall -9 $kadaemon 2>&1`.
'
');
+ if ($kadaemon eq 'loncnew') {
+ &clean_lonc_childpids();
+ }
&log($fh,"$daemon not running, trying to start
");
-
+
if (&start_daemon($fh,$daemon,$pidfile,$args)) {
&log($fh,"$daemon at pid $daemonpid responding
");
$simplestatus{$daemon}='restarted';
@@ -193,20 +194,18 @@ sub checkon_daemon {
&log($fh,"Unable to start $daemon
");
}
}
- if ($fh) {
- if (-e "$perlvar{'lonDaemons'}/logs/$daemon.log"){
- &log($fh,"");
- if (open(DFH,"tail -n100 $perlvar{'lonDaemons'}/logs/$daemon.log|")) {
- while (my $line=) {
- &log($fh,"$line");
- if ($line=~/WARNING/) { $notices++; }
- if ($line=~/CRITICAL/) { $notices++; }
- }
- close (DFH);
- }
- &log($fh,"
");
- }
- }
+
+ if (-e "$perlvar{'lonDaemons'}/logs/$daemon.log"){
+ &log($fh,"");
+ open (DFH,"tail -n100 $perlvar{'lonDaemons'}/logs/$daemon.log|");
+ while (my $line=) {
+ &log($fh,"$line");
+ if ($line=~/WARNING/) { $notices++; }
+ if ($line=~/CRITICAL/) { $notices++; }
+ };
+ close (DFH);
+ &log($fh,"
");
+ }
}
my $fname="$perlvar{'lonDaemons'}/logs/$daemon.log";
@@ -825,87 +824,257 @@ sub write_checksums {
return;
}
-sub write_hostips {
- my $lontabdir = $perlvar{'lonTabDir'};
- my $defdom = $perlvar{'lonDefDomain'};
- my $lonhost = $perlvar{'lonHostID'};
- my $newfile = "$lontabdir/currhostips.tab";
- my $oldfile = "$lontabdir/prevhostips.tab";
- my (%prevhosts,%currhosts,%ipchange);
- if ((-e $newfile) && (-s $newfile)) {
- move($newfile,$oldfile);
- chmod(0644,$oldfile);
- if (open(my $fh,'<',$oldfile)) {
- while (my $line=<$fh>) {
- chomp($line);
- if ($line =~ /^([^:]+):([\d.]+)$/) {
- $prevhosts{$1} = $2;
+sub clean_nosslverify {
+ my ($fh) = @_;
+ my %unlinked;
+ if (-d "$perlvar{'lonSockDir'}/nosslverify") {
+ if (opendir(my $dh,"$perlvar{'lonSockDir'}/nosslverify")) {
+ while (my $fname=readdir($dh)) {
+ next if ($fname =~ /^\.+$/);
+ if (unlink("/home/httpd/sockets/nosslverify/$fname")) {
+ &log($fh,"Unlinking $fname
");
+ $unlinked{$fname} = 1;
}
}
- close($fh);
+ closedir($dh);
}
}
- my ($ip_info,$cached) =
- &Apache::lonnet::is_cached_new('iphost','iphost');
- if (!$cached) {
- &Apache::lonnet::get_iphost();
- ($ip_info,$cached) =
- &Apache::lonnet::is_cached_new('iphost','iphost');
- }
- if (ref($ip_info) eq 'ARRAY') {
- %currhosts = %{$ip_info->[1]};
- if (open(my $fh,'>',$newfile)) {
- foreach my $key (keys(%currhosts)) {
- print $fh "$key:$currhosts{$key}\n";
+ &log($fh,"Removed ".scalar(keys(%unlinked))." nosslverify clients
");
+ return %unlinked;
+}
+sub clean_lonc_childpids {
+ my $childpiddir = "$perlvar{'lonDocRoot'}/lon-status/loncchld";
+ if (-d $childpiddir) {
+ if (opendir(my $dh,$childpiddir)) {
+ while (my $fname=readdir($dh)) {
+ next if ($fname =~ /^\.+$/);
+ unlink("$childpiddir/$fname");
}
- close($fh);
- chmod(0644,$newfile);
+ closedir($dh);
+ }
+ }
+}
+
+sub write_connection_config {
+ my ($isprimary,$domconf,$url,%connectssl,%changes);
+ my $primaryLibServer = &Apache::lonnet::domain($perlvar{'lonDefDomain'},'primary');
+ if ($primaryLibServer eq $perlvar{'lonHostID'}) {
+ $isprimary = 1;
+ } elsif ($primaryLibServer ne '') {
+ my $protocol = $Apache::lonnet::protocol{$primaryLibServer};
+ my $hostname = &Apache::lonnet::hostname($primaryLibServer);
+ unless ($protocol eq 'https') {
+ $protocol = 'http';
+ }
+ $url = $protocol.'://'.$hostname.'/cgi-bin/listdomconfig.pl';
+ }
+ my $domconf = &get_domain_config($perlvar{'lonDefDomain'},$primaryLibServer,$isprimary,
+ $url);
+ if (ref($domconf) eq 'HASH') {
+ if (ref($domconf->{'ssl'}) eq 'HASH') {
+ foreach my $connect ('connto','connfrom') {
+ if (ref($domconf->{'ssl'}->{$connect}) eq 'HASH') {
+ my ($sslreq,$sslnoreq,$currsetting);
+ my %contypes;
+ foreach my $type ('dom','intdom','other') {
+ $connectssl{$connect.'_'.$type} = $domconf->{'ssl'}->{$connect}->{$type};
+ }
+ }
+ }
+ }
+ if (keys(%connectssl)) {
+ my %currconf;
+ if (open(my $fh,'<',"$perlvar{'lonTabDir'}/connectionrules.tab")) {
+ while (my $line = <$fh>) {
+ chomp($line);
+ my ($name,$value) = split(/=/,$line);
+ if ($value =~ /^(?:no|yes|req)$/) {
+ if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
+ $currconf{$name} = $value;
+ }
+ }
+ }
+ close($fh);
+ }
+ if (open(my $fh,'>',"$perlvar{'lonTabDir'}/connectionrules.tab")) {
+ my $count = 0;
+ foreach my $key (sort(keys(%connectssl))) {
+ print $fh "$key=$connectssl{$key}\n";
+ if (exists($currconf{$key})) {
+ unless ($currconf{$key} eq $connectssl{$key}) {
+ $changes{$key} = 1;
+ }
+ } else {
+ $changes{$key} = 1;
+ }
+ $count ++;
+ }
+ close($fh);
+ print "Completed writing SSL options for lonc/lond for $count items.\n";
+ }
+ } else {
+ print "Writing of SSL options skipped - no connection rules in domain configuration.\n";
}
+ } else {
+ print "Retrieval of SSL options for lonc/lond skipped - no configuration data available for domain.\n";
}
- if (keys(%prevhosts) && keys(%currhosts)) {
- foreach my $key (keys(%prevhosts)) {
- unless ($currhosts{$key} eq $prevhosts{$key}) {
- $ipchange{$key} = $prevhosts{$key}.'|'.$currhosts{$key};
+ return %changes;
+}
+
+sub get_domain_config {
+ my ($dom,$primlibserv,$isprimary,$url) = @_;
+ my %confhash;
+ if ($isprimary) {
+ my $lonusersdir = $perlvar{'lonUsersDir'};
+ my $fname = $lonusersdir.'/'.$dom.'/configuration.db';
+ if (-e $fname) {
+ my $dbref=&LONCAPA::locking_hash_tie($fname,&GDBM_READER());
+ if (ref($dbref) eq 'HASH') {
+ foreach my $key (sort(keys(%{$dbref}))) {
+ my $value = $dbref->{$key};
+ if ($value =~ s/^__FROZEN__//) {
+ $value = thaw(&LONCAPA::unescape($value));
+ } else {
+ $value = &LONCAPA::unescape($value);
+ }
+ $confhash{$key} = $value;
+ }
+ &LONCAPA::locking_hash_untie($dbref);
}
}
- foreach my $key (keys(%currhosts)) {
- unless ($currhosts{$key} eq $prevhosts{$key}) {
- $ipchange{$key} = $prevhosts{$key}.' | '.$currhosts{$key};
+ } else {
+ if (open(PIPE,"wget --no-check-certificate '$url?primary=$primlibserv&format=raw' |")) {
+ my $config = '';
+ while () {
+ $config .= $_;
+ }
+ close(PIPE);
+ if ($config) {
+ my @pairs=split(/\&/,$config);
+ foreach my $item (@pairs) {
+ my ($key,$value)=split(/=/,$item,2);
+ my $what = &LONCAPA::unescape($key);
+ if ($value =~ s/^__FROZEN__//) {
+ $value = thaw(&LONCAPA::unescape($value));
+ } else {
+ $value = &LONCAPA::unescape($value);
+ }
+ $confhash{$what}=$value;
+ }
}
}
}
- if (&Apache::lonnet::domain($defdom,'primary') eq $lonhost) {
- if (keys(%ipchange)) {
- if (open(my $fh,'>>',$perlvar{'lonDaemons'}.'/logs/hostip.log')) {
- print $fh "********************\n".localtime(time).' Changes --'."\n".
- "Hostname | Previous IP | New IP\n".
- "--------------------------------\n";
- foreach my $hostname (sort(keys(%ipchange))) {
- print $fh "$hostname | $ipchange{$hostname}\n";
+ return \%confhash;
+}
+
+sub write_hosttypes {
+ my %intdom = &Apache::lonnet::all_host_intdom();
+ my %hostdom = &Apache::lonnet::all_host_domain();
+ my $dom = $hostdom{$perlvar{'lonHostID'}};
+ my $internetdom = $intdom{$perlvar{'lonHostID'}};
+ my %changes;
+ if (($dom ne '') && ($internetdom ne '')) {
+ if (keys(%hostdom)) {
+ my %currhosttypes;
+ if (open(my $fh,'<',"$perlvar{'lonTabDir'}/hosttypes.tab")) {
+ while (my $line = <$fh>) {
+ chomp($line);
+ my ($name,$value) = split(/:/,$line);
+ if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) {
+ $currhosttypes{$name} = $value;
+ }
}
- print $fh "\n*******************\n\n";
close($fh);
}
- my $emailto = &Apache::loncommon::build_recipient_list(undef,
- 'hostipmail',$defdom);
- if ($emailto) {
- my $subject = "LON-CAPA Hostname to IP change ($perlvar{'lonHostID'})";
- my $chgmail = "To: $emailto\n".
- "Subject: $subject\n".
- "Content-type: text/plain\; charset=UTF-8\n".
- "MIME-Version: 1.0\n\n".
- "Host/IP changes\n".
- " \n".
- "Hostname | Previous IP | New IP\n".
- "--------------------------------\n";
- foreach my $hostname (sort(keys(%ipchange))) {
- $chgmail .= "$hostname | $ipchange{$hostname}\n";
+ if (open(my $fh,'>',"$perlvar{'lonTabDir'}/hosttypes.tab")) {
+ my $count = 0;
+ foreach my $lonid (sort(keys(%hostdom))) {
+ my $type = 'other';
+ if ($hostdom{$lonid} eq $dom) {
+ $type = 'dom';
+ } elsif ($intdom{$lonid} eq $internetdom) {
+ $type = 'intdom';
+ }
+ print $fh "$lonid:$type\n";
+ if (exists($currhosttypes{$lonid})) {
+ if ($type ne $currhosttypes{$lonid}) {
+ $changes{$lonid} = 1;
+ }
+ } else {
+ $changes{$lonid} = 1;
+ }
+ $count ++;
}
- $chgmail .= "\n\n";
- if (open(my $mailh, "|/usr/lib/sendmail -oi -t -odb")) {
- print $mailh $chgmail;
- close($mailh);
- print "Sending mail notification of hostname/IP changes.\n";
+ close($fh);
+ print "Completed writing host type data for $count hosts.\n";
+ }
+ } else {
+ print "Writing of host types skipped - no hosts found.\n";
+ }
+ } else {
+ print "Writing of host types skipped - could not determine this host's LON-CAPA domain or 'internet' domain.\n";
+ }
+ return %changes;
+}
+
+sub update_revocation_list {
+ my ($result,$changed) = &Apache::lonnet::fetch_crl_pemfile();
+ if ($result eq 'ok') {
+ print "Certificate Revocation List (from CA) updated.\n";
+ } else {
+ print "Certificate Revocation List from (CA) not updated.\n";
+ }
+ return $changed;
+}
+
+sub reset_nosslverify_pids {
+ my ($fh,%sslrem) = @_;
+ &checkon_daemon($fh,'lond',40000,'USR2');
+ my $loncpidfile="$perlvar{'lonDaemons'}/logs/lonc.pid";
+ my $loncppid;
+ if ((-e $loncpidfile) && (open(my $pfh,'<',$loncpidfile))) {
+ $loncppid=<$pfh>;
+ chomp($loncppid);
+ close($pfh);
+ if ($loncppid =~ /^\d+$/) {
+ my %pids_by_host;
+ my $docdir = $perlvar{'lonDocRoot'};
+ if (-d "$docdir/lon-status/loncchld") {
+ if (opendir(my $dh,"$docdir/lon-status/loncchld")) {
+ while (my $file = readdir($dh)) {
+ next if ($file =~ /^\./);
+ if (open(my $fh,'<',"$docdir/lon-status/loncchld/$file")) {
+ my $record = <$fh>;
+ chomp($record);
+ close($fh);
+ my ($remotehost,$authmode) = split(/:/,$record);
+ $pids_by_host{$remotehost}{$authmode}{$file} = 1;
+ }
+ }
+ closedir($dh);
+ if (keys(%pids_by_host)) {
+ foreach my $host (keys(%pids_by_host)) {
+ if ($sslrem{$host}) {
+ if (ref($pids_by_host{$host}) eq 'HASH') {
+ if (ref($pids_by_host{$host}{'insecure'}) eq 'HASH') {
+ if (keys(%{$pids_by_host{$host}{'insecure'}})) {
+ foreach my $pid (keys(%{$pids_by_host{$host}{'insecure'}})) {
+ if (open(PIPE,"ps -o ppid= -p $pid |")) {
+ my $ppid = ;
+ chomp($ppid);
+ close(PIPE);
+ $ppid =~ s/(^\s+|\s+$)//g;
+ if (($ppid == $loncppid) && (kill 0 => $pid)) {
+ kill QUIT => $pid;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
}
}
@@ -971,23 +1140,19 @@ Options:
do not send emails do not
check if the daemons are running, do not
generate lon-status
- --justiptables Only update the dynamic iptables rules for the
- lond port; do not send emails, do not
- check if the daemons are running, do not
- generate lon-status
+
USAGE
}
# ================================================================ Main Program
sub main () {
my ($help,$justcheckdaemons,$noemail,$justcheckconnections,
- $justreload,$justiptables);
+ $justreload);
&GetOptions("help" => \$help,
"justcheckdaemons" => \$justcheckdaemons,
"noemail" => \$noemail,
"justcheckconnections" => \$justcheckconnections,
- "justreload" => \$justreload,
- "justiptables" => \$justiptables
+ "justreload" => \$justreload
);
if ($help) { &usage(); return; }
# --------------------------------- Read loncapa_apache.conf and loncapa.conf
@@ -1006,8 +1171,8 @@ sub main () {
chop $hostname;
$hostname=~s/[^\w\.]//g; # make sure is safe to pass through shell
my $subj="LON: Unconfigured machine $hostname";
- system("echo 'Unconfigured machine $hostname.' |".
- " mail -s '$subj' $emailto > /dev/null");
+ system("echo 'Unconfigured machine $hostname.' |\
+ mailto $emailto -s '$subj' > /dev/null");
exit 1;
}
@@ -1017,8 +1182,8 @@ sub main () {
print("User ID mismatch. This program must be run as user 'www'.\n");
my $emailto="$perlvar{'lonAdmEMail'},$perlvar{'lonSysEMail'}";
my $subj="LON: $perlvar{'lonHostID'} User ID mismatch";
- system("echo 'User ID mismatch. loncron must be run as user www.' |".
- " mail -s '$subj' $emailto > /dev/null");
+ system("echo 'User ID mismatch. loncron must be run as user www.' |\
+ mailto $emailto -s '$subj' > /dev/null");
exit 1;
}
@@ -1037,11 +1202,9 @@ sub main () {
}
}
}
- if (!$justiptables) {
- &Apache::lonnet::load_hosts_tab(1,$nomemcache);
- &Apache::lonnet::load_domain_tab(1,$nomemcache);
- &Apache::lonnet::get_iphost(1,$nomemcache);
- }
+ &Apache::lonnet::load_hosts_tab(1,$nomemcache);
+ &Apache::lonnet::load_domain_tab(1,$nomemcache);
+ &Apache::lonnet::get_iphost(1,$nomemcache);
# ----------------------------------------- Force firewall update for lond port
@@ -1072,7 +1235,7 @@ sub main () {
my $fh;
- if (!$justcheckdaemons && !$justcheckconnections && !$justreload && !$justiptables) {
+ if (!$justcheckdaemons && !$justcheckconnections && !$justreload) {
$fh=&start_logging();
&log_machine_info($fh);
@@ -1083,7 +1246,7 @@ sub main () {
&rotate_lonnet_logs($fh);
&rotate_other_logs($fh);
}
- if (!$justcheckconnections && !$justreload && !$justiptables) {
+ if (!$justcheckconnections && !$justreload) {
&checkon_daemon($fh,'lonmemcached',40000);
&checkon_daemon($fh,'lonsql',200000);
if ( &checkon_daemon($fh,'lond',40000,'USR1') eq 'running') {
@@ -1094,20 +1257,32 @@ sub main () {
&checkon_daemon($fh,'lonr',40000);
}
if ($justreload) {
+ &clean_nosslverify($fh);
+ &write_connection_config();
+ &write_hosttypes();
+ &update_revocation_list();
&checkon_daemon($fh,'lond',40000,'USR2');
&checkon_daemon($fh,'lonc',40000,'USR2');
}
if ($justcheckconnections) {
&test_connections($fh);
}
- if (!$justcheckdaemons && !$justcheckconnections && !$justreload && !$justiptables) {
+ if (!$justcheckdaemons && !$justcheckconnections && !$justreload) {
&check_delayed_msg($fh);
- &finish_logging($fh);
&log_simplestatus();
&write_loncaparevs();
&write_serverhomeIDs();
&write_checksums();
- &write_hostips();
+ my %sslrem = &clean_nosslverify($fh);
+ my %conchgs = &write_connection_config();
+ my %hosttypechgs = &write_hosttypes();
+ my $hadcrlchg = &update_revocation_list();
+ if ((keys(%conchgs) > 0) || (keys(%hosttypechgs) > 0) ||
+ $hadcrlchg || (keys(%sslrem) > 0)) {
+ &checkon_daemon($fh,'lond',40000,'USR2');
+ &reset_nosslverify_pids($fh,%sslrem);
+ }
+ &finish_logging($fh);
if ($totalcount>200 && !$noemail) { &send_mail(); }
}
}