#!/bin/bash
# $Id: monitor_v2,v 1.2 2005/04/20 08:27:40 bzizou Exp $ #
# This script is part of the SLIS Project initiated by the CARMI-Internet
# (Académie de Grenoble - France 38).
# Ce script fait partie du projet SLIS démarré par le CARMI-Internet
# (Académie de Grenoble - France 38).
#
# SLIS : Serveur de communications Linux pour l'Internet Scolaire.
# Copyright (C) 1998-2005 Bruno Bzeznik
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program (For example ./COPYING);
# if not, write to the Free Software Foundation, Inc., 675 Mass Ave,
# Cambridge, MA 02139, USA.
#
# Please send all comments and bug reports by electronic mail to:
# Bruno Bzeznik <Bruno@ac-grenoble.fr>
# or to <slis@ac-grenoble.fr>
#
# Envoyez vos suggestions et reports de bugs par e-mail à
# Bruno Bzeznik <Bruno@ac-grenoble.fr>
# ou à <slis@ac-grenoble.fr>
#
# Pull in the SLIS settings: use the shared library and its load_config
# when the library is installed, otherwise source the legacy configuration
# file directly.
# NOTE(review): both files are sourced, i.e. executed with the privileges
# of this script -- confirm that they are writable only by root.
if [ ! -f /usr/local/lib/slis-sys.inc.bash ]; then
  . /home/hadmin/slis.conf
else
  . /usr/local/lib/slis-sys.inc.bash
  load_config
fi

# SLIM_HOST is the server every later download is addressed to, so the
# script cannot do anything useful without it.
if [ -z "$SLIM_HOST" ]; then
  logger -t "monitor[$$]" "ERROR: variable SLIM_HOST not found. Aborting"
  echo "ERROR: variable SLIM_HOST not found. Aborting"
  exit 1
fi
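VERSION=$(cat /etc/version_slis_num)

# Get the hostname
# Only the first line that starts with HOSTNAME= is exported. An unanchored
# match would also pick up commented-out or similarly named settings, and an
# unquoted expansion would word-split and glob the file content.
hostname_line=$(grep -m 1 '^HOSTNAME=' /etc/sysconfig/network)
if [ -n "$hostname_line" ]; then
  export "$hostname_line"
fi

# Short host name: HOSTNAME with a trailing ".$DOMAIN" removed. The suffix
# is matched literally and only at the end, so dots inside DOMAIN are not
# treated as regex wildcards and an empty DOMAIN does not eat the first dot
# of the name. HOST is later placed in request URLs.
HOST=${HOSTNAME%".$DOMAIN"}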
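# Slim host variables
# Defensive re-check of SLIM_HOST. The lock is only taken further down, so
# at this point /var/lock/monitor -- if it exists -- belongs to another
# running monitor and must not be removed on this error path.
if [ -z "$SLIM_HOST" ]; then
  logger -t "monitor[$$]" "ERROR: SLIM_HOST variable not defined"
  exit 1
fi

# Fall back to the default server-side path when none is configured.
if [ -z "$SLIM_MONITOR_PATH" ]; then
  SLIM_MONITOR_PATH="slim/scripts/monitor/get"
  logger -t "monitor[$$]" "Warning: SLIM_MONITOR_PATH variable not defined, using slim/scripts/monitor/get"
fi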
# Locking
# A run can hang forever when rsync or psql waits on a request that will
# never complete, so the lock carries an expiry: lockfile takes over a lock
# file that is older than MAX_AGE seconds.
MAX_AGE=36000     # Seconds a monitor may live before it is suspected of
                  # being frozen.
RETRY_TIME=360    # Upper bound on the wait, after a frozen monitor has been
                  # "refreshed", before the new one starts.
TEST_TIMEOUT=180  # Maximum time (s) to wait for the connection test that
                  # is done before everything else.

# Take the lock: 1 s between attempts, 3 retries, forced takeover after
# MAX_AGE seconds, no suspend period after a forced takeover. The output is
# kept because it tells whether the lock had to be forced.
LOCK_OUTPUT=$(lockfile -1 -r 3 -l $MAX_AGE -s 0 /var/lock/monitor 2>&1)
LOCK_RC=$?

# A recent lock file exists: report it and give up.
if [ "$LOCK_RC" -ne 0 ]; then
  logger -t "monitor[$$]" "Error: Unable to lock. Is another monitor running?"
  echo "Error: Unable to lock. Is another monitor active?" | mail "$SLISMASTER"
  exit 1
fi
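# If a very old lock file is found
# lockfile mentions "Forcing lock" in its output when it took over a lock
# older than its -l timeout. The captured output is passed quoted so that it
# is neither word-split nor glob-expanded before being searched.
if printf '%s\n' "$LOCK_OUTPUT" | grep -qi "forcing lock"; then
  logger -t "monitor[$$]" "Warning: forcing lock and killing probably sleeping monitor"
  # Perhaps rsync or psql is frozen.
  # NOTE: killall terminates every rsync, psql and wget process on the
  # host, not only the ones started by the previous monitor.
  killall rsync 2>/dev/null
  killall psql 2>/dev/null
  killall wget 2>/dev/null
  # Try to lock another time while waiting for the previous monitor to finish
  lockfile -5 -r "$RETRY_TIME" /var/lock/monitor
  LOCK_RC=$?
  if [ "$LOCK_RC" != "0" ]; then
    logger -t "monitor[$$]" "Error: Second try for locking failed"
    echo "Error in monitor: Second try for locking failed" | mail "$SLISMASTER"
    exit 1
  fi
fi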
# Test the connection
# OBSOLETED BY SIGNATURE VERIFICATION, BUT KEPT HERE FOR MEMORY
#logger -t "monitor[$$]" "Downloading test files"
#mkdir -p /tmp/monitoring
#cd /tmp/monitoring
#rsync rsync://$SLIM_HOST/$RSYNC_MODULE/TESTFILE* . &
#RSYNC_PID=$!
#RUNNING=0
#declare -i c=0
#while [ "$RUNNING" = "0" ]
#do
# sleep 1
# let c=$c+1
# if [ $c -ge $TEST_TIMEOUT ]
# then
# logger -t "monitor[$$]" "ERROR: TESTFILE* files could not be downloaded. Aborting monitoring."
# killall rsync
# /bin/rm -f TESTFILE*
# rm -rf /var/lock/monitor
# exit 2
# fi
# ps $RSYNC_PID >/dev/null;
# RUNNING=$?
#done
#logger -t "monitor[$$]" "Verifying checksums"
#/usr/bin/md5sum -c TESTFILE.md5 >/dev/null 2>&1;
#if [ "$?" = "0" ]
#then
# logger -t "monitor[$$]" "Connection test OK, starting monitoring..."
# /bin/rm -f TESTFILE*
#else
# logger -t "monitor[$$]" "ERROR: connection test failed (incorrect md5sum). Aborting monitoring."
# /bin/rm -f TESTFILE*
# rm -rf /var/lock/monitor
# exit 2
#fi
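# Working directory for everything that is downloaded. Files placed here
# are later verified and then executed, and the path is a fixed name inside
# the world-writable /tmp. It is therefore only accepted when it is a real
# directory (not a symlink) owned by the user running this script, and it is
# made private before anything is written to it.
mkdir -p /tmp/monitoring
if [ -L /tmp/monitoring ] || [ ! -d /tmp/monitoring ] || [ ! -O /tmp/monitoring ]; then
  logger -t "monitor[$$]" "ERROR: /tmp/monitoring is not a directory owned by this user. Aborting."
  rm -f /var/lock/monitor
  exit 1
fi
chmod 700 /tmp/monitoring

# Later steps use paths relative to this directory; never continue from
# whatever directory the script happened to be started in.
if ! cd /tmp/monitoring; then
  logger -t "monitor[$$]" "ERROR: cannot change to /tmp/monitoring. Aborting."
  rm -f /var/lock/monitor
  exit 1
fi

# 0 until a server public key is available for signature checks.
SECURE=0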
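# Download the public key of the slim host if not already installed
#
# Trust model: the key is accepted on first use. Whatever certificate is
# returned by the first successful download defines the key that every
# later script signature is checked against, and the rsync fallback is not
# authenticated at all. Installing slimpubkey.pem out of band (for example
# at installation time) avoids this bootstrap step.
# NOTE(review): confirm that wget validates the HTTPS server certificate on
# this system; otherwise the https download is no stronger than rsync.
mkdir -p /usr/local/share/ssl
if [ -s /usr/local/share/ssl/slimpubkey.pem ]; then
  # -s rather than -f: an empty key file is treated as "no key", so it is
  # fetched again instead of making every later verification fail.
  logger -t "monitor[$$]" "SLIM public key found. We're in secure mode."
  SECURE=1
else
  logger -t "monitor[$$]" "Server's public key not found. Getting it..."
  SECURE=0
  cert_source=""
  if wget -q -O /tmp/monitoring/slimcert.pem "https://$SLIM_HOST/$SLIM_MONITOR_PATH/slimcert.pem"; then
    cert_source="https slim server"
  else
    logger -t "monitor[$$]" "WARNING: Could not download the public key from https://$SLIM_HOST/$SLIM_MONITOR_PATH/slimcert.pem. Trying to download it from rsync."
    if rsync "rsync://$SLIM_HOST/$RSYNC_MODULE/slimcert.pem" /tmp/monitoring/ >/dev/null 2>&1; then
      cert_source="rsync server"
    else
      logger -t "monitor[$$]" "ERROR downloading rsync://$SLIM_HOST/$RSYNC_MODULE/slimcert.pem"
      logger -t "monitor[$$]" "ERROR: Could not download the server's certificate!"
    fi
  fi

  if [ -n "$cert_source" ]; then
    logger -t "monitor[$$]" "WARNING: Trusting the public key obtained from the $cert_source."
    # Extract into a temporary name and install it only when openssl
    # succeeded and produced output, so a download that is not a valid
    # certificate never leaves a broken key file behind.
    if /usr/bin/openssl x509 -pubkey -in /tmp/monitoring/slimcert.pem > /usr/local/share/ssl/slimpubkey.pem.new \
      && [ -s /usr/local/share/ssl/slimpubkey.pem.new ]; then
      mv -f /usr/local/share/ssl/slimpubkey.pem.new /usr/local/share/ssl/slimpubkey.pem
      mv -f /tmp/monitoring/slimcert.pem /usr/local/share/ssl/
      SECURE=1
    else
      rm -f /usr/local/share/ssl/slimpubkey.pem.new
      logger -t "monitor[$$]" "ERROR: Could not extract a public key from the downloaded certificate!"
    fi
  fi
fi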
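# Get the monitor script from SLIM and revert to the rsync script if SLIM is not found
# The URL is quoted: it contains '?', which the shell would otherwise treat
# as a glob character, and expansions that must not be word-split.
if ! wget -q -O /tmp/monitoring/monitor_rawfile "https://$SLIM_HOST/$SLIM_MONITOR_PATH/monitor_getscript.php?slis_name=$HOST"; then
  logger -t "monitor[$$]" "ERROR getting https://$SLIM_HOST/$SLIM_MONITOR_PATH/monitor_getscript.php?slis_name=$HOST"
  logger -t "monitor[$$]" "Reverting to the old rsync monitoring script."

  # ./monitor is executed from this directory below, so a failed cd must
  # stop the run instead of executing a file from some other directory.
  if ! cd /tmp/monitoring; then
    logger -t "monitor[$$]" "ERROR: cannot change to /tmp/monitoring. Aborting."
    rm -f /var/lock/monitor
    exit 3
  fi

  if ! rsync "rsync://$SLIM_HOST/$RSYNC_MODULE/monitor" . >/dev/null 2>&1; then
    logger -t "monitor[$$]" "ERROR getting rsync://$SLIM_HOST/$RSYNC_MODULE/monitor. Aborting."
    rm -f /var/lock/monitor
    exit 3
  fi

  if [ "$SECURE" = "1" ]; then
    if ! rsync "rsync://$SLIM_HOST/$RSYNC_MODULE/monitor.sighash" . >/dev/null 2>&1; then
      logger -t "monitor[$$]" "ERROR: Signature rsync://$SLIM_HOST/$RSYNC_MODULE/monitor.sighash could not be downloaded. Aborting."
      rm -f /var/lock/monitor
      exit 4
    fi
    # The signature is computed over an MD5 digest, which is not collision
    # resistant. The digest has to match what the server signs, so moving
    # to a stronger one needs a coordinated change on the server side.
    VERIFY=$(/usr/bin/openssl md5 -verify /usr/local/share/ssl/slimpubkey.pem -signature monitor.sighash < monitor)
    if [ "$VERIFY" != "Verified OK" ]; then
      logger -t "monitor[$$]" "ERROR: INVALID SIGNATURE!"
      logger -t "monitor[$$]" "ERROR: We can not trust the server, monitoring aborted."
      rm -f /var/lock/monitor
      exit 5
    fi
  else
    # NOTE(security): in this branch the script fetched over rsync is run
    # without any integrity check. Consider refusing to run here once all
    # hosts have a public key installed.
    logger -t "monitor[$$]" "Warning: will start the rsync monitor script in NON SECURE MODE (old method)"
  fi

  logger -t "monitor[$$]" "Warning: Starting the rsync monitoring script (not SLIM)"
  /bin/bash ./monitor
  rm -f /var/lock/monitor
  exit 0
fi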
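# extract sign
# The signature is read only from the two header lines that are stripped
# from the script below, so a "#SIGN:" string inside the script body can
# never be mistaken for it.
sed -n '1,2p' /tmp/monitoring/monitor_rawfile | grep '#SIGN:' | cut -d: -f2 > /tmp/monitoring/monitor.sig.base64

# extract timestamp
# Only the first match is kept, so the value is always a single line.
# NOTE(review): the value is parsed before the signature is checked, and it
# cannot be told from here whether the #TIMESTAMP: line is part of the
# signed content -- treat it as unauthenticated until confirmed.
TIMESTAMP=$(grep -m 1 '#TIMESTAMP:' /tmp/monitoring/monitor_rawfile | cut -d: -f2)

# suppress sign from page
# Everything after the first two lines is the script that the signature is
# verified against.
awk 'NR > 2' /tmp/monitoring/monitor_rawfile > /tmp/monitoring/monitor_script

# Decode the signature
perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' < /tmp/monitoring/monitor.sig.base64 > /tmp/monitoring/monitor.sig
#openssl base64 -d -a -in /tmp/monitoring/monitor.sig.base64 > /tmp/monitoring/monitor.sig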
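# Verification of the signature
# The downloaded script is run only when its signature verifies against the
# installed server public key. A missing signature or a failed verification
# stops the run without executing anything.
# The digest (SHA-1) has to match what the server signs; a stronger digest
# needs a coordinated change on the server side.
# The check is only meaningful while /tmp/monitoring cannot be written by
# other users, since the file is executed after it has been verified.
if [ -s /tmp/monitoring/monitor.sig.base64 ]; then
  VERIFY=$(/usr/bin/openssl sha1 -verify /usr/local/share/ssl/slimpubkey.pem -signature /tmp/monitoring/monitor.sig < /tmp/monitoring/monitor_script)
  if [ "$VERIFY" != "Verified OK" ]; then
    logger -t "monitor[$$]" "ERROR: INVALID SIGNATURE!"
    logger -t "monitor[$$]" "ERROR: We can not trust the server, monitoring aborted."
    rm -f /var/lock/monitor
    exit 3
  fi

  # The monitoring script reads TIMESTAMP from its environment.
  export TIMESTAMP
  # Start the monitoring script
  logger -t "monitor[$$]" "Starting the monitoring script..."
  if /bin/bash /tmp/monitoring/monitor_script; then
    ACK_STATUS=OK
  else
    ACK_STATUS=KO
  fi

  # Report the outcome to the server. The URL is quoted so that '?' and '&'
  # reach wget literally. The response body is not used anywhere in this
  # script, so it is discarded instead of being written to a fixed file name
  # in the world-writable /tmp.
  wget -q -O /dev/null "https://$SLIM_HOST/$SLIM_MONITOR_PATH/monitor_ackscript.php?slis_name=$HOST&timestamp=$TIMESTAMP&status=$ACK_STATUS"
  if [ "$ACK_STATUS" = "OK" ]; then
    logger -t "monitor[$$]" "Monitoring script ended successfully."
  else
    logger -t "monitor[$$]" "WARNING: Monitoring script ended with error(s)"
  fi
else
  logger -t "monitor[$$]" "ERROR: Signature could not be extracted! Aborting."
fi

# Remove the lock
rm -f /var/lock/monitor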