448 lines
13 KiB
Python
448 lines
13 KiB
Python
import datetime
|
|
import enum
|
|
import json
|
|
import logging
|
|
import re
|
|
from functools import lru_cache
|
|
from typing import List, Optional, Tuple
|
|
|
|
from uaclient import event_logger, exceptions, messages, system, util
|
|
from uaclient.data_types import (
|
|
BoolDataValue,
|
|
DataObject,
|
|
Field,
|
|
IncorrectTypeError,
|
|
StringDataValue,
|
|
data_list,
|
|
)
|
|
from uaclient.files import state_files
|
|
from uaclient.http import serviceclient
|
|
|
|
HTTP_PROXY_OPTION = "http-proxy"
|
|
HTTPS_PROXY_OPTION = "https-proxy"
|
|
|
|
LIVEPATCH_CMD = "/snap/bin/canonical-livepatch"
|
|
|
|
LIVEPATCH_API_V1_KERNELS_SUPPORTED = "/v1/api/kernels/supported"
|
|
|
|
event = event_logger.get_event_logger()
|
|
LOG = logging.getLogger(util.replace_top_level_logger_name(__name__))
|
|
|
|
|
|
@enum.unique
|
|
class LivepatchSupport(enum.Enum):
|
|
SUPPORTED = object()
|
|
KERNEL_UPGRADE_REQUIRED = object()
|
|
KERNEL_EOL = object()
|
|
UNSUPPORTED = object()
|
|
UNKNOWN = object()
|
|
|
|
|
|
class LivepatchPatchFixStatus(DataObject):
|
|
fields = [
|
|
Field("name", StringDataValue, required=False, dict_key="Name"),
|
|
Field("patched", BoolDataValue, required=False, dict_key="Patched"),
|
|
]
|
|
|
|
def __init__(
|
|
self,
|
|
name: Optional[str],
|
|
patched: Optional[bool],
|
|
):
|
|
self.name = name
|
|
self.patched = patched
|
|
|
|
|
|
class LivepatchPatchStatus(DataObject):
|
|
fields = [
|
|
Field("state", StringDataValue, required=False, dict_key="State"),
|
|
Field(
|
|
"fixes",
|
|
data_list(LivepatchPatchFixStatus),
|
|
required=False,
|
|
dict_key="Fixes",
|
|
),
|
|
Field("version", StringDataValue, required=False, dict_key="Version"),
|
|
]
|
|
|
|
def __init__(
|
|
self,
|
|
state: Optional[str],
|
|
fixes: Optional[List[LivepatchPatchFixStatus]],
|
|
version: Optional[str],
|
|
):
|
|
self.state = state
|
|
self.fixes = fixes
|
|
self.version = version
|
|
|
|
|
|
class LivepatchStatusStatus(DataObject):
|
|
fields = [
|
|
Field("kernel", StringDataValue, required=False, dict_key="Kernel"),
|
|
Field(
|
|
"livepatch",
|
|
LivepatchPatchStatus,
|
|
required=False,
|
|
dict_key="Livepatch",
|
|
),
|
|
Field(
|
|
"supported",
|
|
StringDataValue,
|
|
required=False,
|
|
dict_key="Supported",
|
|
),
|
|
]
|
|
|
|
def __init__(
|
|
self,
|
|
kernel: Optional[str],
|
|
livepatch: Optional[LivepatchPatchStatus],
|
|
supported: Optional[str],
|
|
):
|
|
self.kernel = kernel
|
|
self.livepatch = livepatch
|
|
self.supported = supported
|
|
|
|
|
|
class LivepatchStatus(DataObject):
|
|
fields = [
|
|
Field(
|
|
"status",
|
|
data_list(LivepatchStatusStatus),
|
|
required=False,
|
|
dict_key="Status",
|
|
),
|
|
]
|
|
|
|
def __init__(
|
|
self,
|
|
status: Optional[List[LivepatchStatusStatus]],
|
|
):
|
|
self.status = status
|
|
|
|
|
|
def status() -> Optional[LivepatchStatusStatus]:
|
|
if not is_livepatch_installed():
|
|
LOG.debug("canonical-livepatch is not installed")
|
|
return None
|
|
|
|
try:
|
|
out, _ = system.subp(
|
|
[LIVEPATCH_CMD, "status", "--verbose", "--format", "json"]
|
|
)
|
|
except exceptions.ProcessExecutionError as e:
|
|
# only raise an error if there is a legitimate problem, not just lack
|
|
# of enablement
|
|
if "Machine is not enabled" in e.stderr:
|
|
LOG.warning(e.stderr)
|
|
return None
|
|
LOG.warning(
|
|
"canonical-livepatch returned error when checking status:\n%s",
|
|
exc_info=e,
|
|
)
|
|
raise e
|
|
|
|
try:
|
|
status_json = json.loads(out)
|
|
except json.JSONDecodeError as e:
|
|
LOG.warning(
|
|
"JSONDecodeError while parsing livepatch status, returning None. "
|
|
'output was: "%s"',
|
|
out,
|
|
exc_info=e,
|
|
)
|
|
return None
|
|
|
|
try:
|
|
status_root = LivepatchStatus.from_dict(status_json)
|
|
except IncorrectTypeError:
|
|
LOG.warning(
|
|
"canonical-livepatch status returned unexpected structure: %s",
|
|
out,
|
|
)
|
|
return None
|
|
|
|
if status_root.status is None or len(status_root.status) < 1:
|
|
LOG.debug("canonical-livepatch has no status")
|
|
return None
|
|
|
|
return status_root.status[0]
|
|
|
|
|
|
def _convert_str_to_livepatch_support_status(
|
|
status_str: Optional[str],
|
|
) -> Optional[LivepatchSupport]:
|
|
if status_str == "supported":
|
|
return LivepatchSupport.SUPPORTED
|
|
if status_str == "kernel-upgrade-required":
|
|
return LivepatchSupport.KERNEL_UPGRADE_REQUIRED
|
|
if status_str == "kernel-end-of-life":
|
|
return LivepatchSupport.KERNEL_EOL
|
|
if status_str == "unsupported":
|
|
return LivepatchSupport.UNSUPPORTED
|
|
if status_str == "unknown":
|
|
return LivepatchSupport.UNKNOWN
|
|
return None
|
|
|
|
|
|
class UALivepatchClient(serviceclient.UAServiceClient):
|
|
cfg_url_base_attr = "livepatch_url"
|
|
|
|
def is_kernel_supported(
|
|
self,
|
|
version: str,
|
|
flavor: str,
|
|
arch: str,
|
|
codename: str,
|
|
build_date: Optional[datetime.datetime],
|
|
) -> Optional[LivepatchSupport]:
|
|
query_params = {
|
|
"kernel-version": version,
|
|
"flavour": flavor,
|
|
"architecture": arch,
|
|
"codename": codename,
|
|
"build-date": (
|
|
build_date.isoformat() if build_date is not None else "unknown"
|
|
),
|
|
}
|
|
headers = self.headers()
|
|
try:
|
|
response = self.request_url(
|
|
LIVEPATCH_API_V1_KERNELS_SUPPORTED,
|
|
query_params=query_params,
|
|
headers=headers,
|
|
)
|
|
except Exception as e:
|
|
LOG.warning("error while checking livepatch supported kernels API")
|
|
LOG.warning(e)
|
|
return None
|
|
|
|
if response.code != 200:
|
|
LOG.warning("livepatch supported kernels API was unsuccessful")
|
|
LOG.warning(response.body)
|
|
return None
|
|
|
|
api_supported_val = response.json_dict.get("Supported")
|
|
if api_supported_val is None or isinstance(api_supported_val, bool):
|
|
# old version, True means supported, None means unsupported
|
|
if api_supported_val:
|
|
return LivepatchSupport.SUPPORTED
|
|
return LivepatchSupport.UNSUPPORTED
|
|
# new version, value is a string
|
|
return _convert_str_to_livepatch_support_status(api_supported_val)
|
|
|
|
|
|
def _on_supported_kernel_cli() -> Optional[LivepatchSupport]:
|
|
try:
|
|
lp_status = status()
|
|
except exceptions.ProcessExecutionError:
|
|
return None
|
|
|
|
if lp_status is None:
|
|
return None
|
|
return _convert_str_to_livepatch_support_status(lp_status.supported)
|
|
|
|
|
|
def _on_supported_kernel_cache(
|
|
version: str, flavor: str, arch: str, codename: str
|
|
) -> Tuple[bool, Optional[bool]]:
|
|
"""Check local cache of kernel support
|
|
|
|
:return: (is_cache_valid, result)
|
|
"""
|
|
try:
|
|
cache_data = state_files.livepatch_support_cache.read()
|
|
except Exception:
|
|
cache_data = None
|
|
|
|
if cache_data is not None:
|
|
one_week_ago = datetime.datetime.now(
|
|
datetime.timezone.utc
|
|
) - datetime.timedelta(days=7)
|
|
if all(
|
|
[
|
|
cache_data.cached_at > one_week_ago, # less than one week old
|
|
cache_data.version == version,
|
|
cache_data.flavor == flavor,
|
|
cache_data.arch == arch,
|
|
cache_data.codename == codename,
|
|
]
|
|
):
|
|
if cache_data.supported is None:
|
|
LOG.warning("livepatch kernel support cache has None value")
|
|
return (True, cache_data.supported)
|
|
return (False, None)
|
|
|
|
|
|
def _on_supported_kernel_api(
|
|
version: str,
|
|
flavor: str,
|
|
arch: str,
|
|
codename: str,
|
|
build_date: Optional[datetime.datetime],
|
|
) -> Optional[LivepatchSupport]:
|
|
supported = UALivepatchClient().is_kernel_supported(
|
|
version=version,
|
|
flavor=flavor,
|
|
arch=arch,
|
|
codename=codename,
|
|
build_date=build_date,
|
|
)
|
|
|
|
# cache response as a bool/None before returning
|
|
cache_supported = None
|
|
if supported == LivepatchSupport.SUPPORTED:
|
|
cache_supported = True
|
|
elif supported == LivepatchSupport.UNSUPPORTED:
|
|
cache_supported = False
|
|
state_files.livepatch_support_cache.write(
|
|
state_files.LivepatchSupportCacheData(
|
|
version=version,
|
|
flavor=flavor,
|
|
arch=arch,
|
|
codename=codename,
|
|
supported=cache_supported,
|
|
cached_at=datetime.datetime.now(datetime.timezone.utc),
|
|
)
|
|
)
|
|
|
|
if supported is None:
|
|
LOG.warning("livepatch kernel support API response was ambiguous")
|
|
return supported
|
|
|
|
|
|
@lru_cache(maxsize=None)
|
|
def on_supported_kernel() -> LivepatchSupport:
|
|
"""
|
|
Checks CLI, local cache, and API in that order for kernel support
|
|
If all checks fail to return an authoritative answer, we return None
|
|
"""
|
|
|
|
# first check cli
|
|
cli_says = _on_supported_kernel_cli()
|
|
if cli_says is not None:
|
|
LOG.debug("using livepatch cli for support")
|
|
return cli_says
|
|
|
|
# gather required system info to query support
|
|
kernel_info = system.get_kernel_info()
|
|
if (
|
|
kernel_info.flavor is None
|
|
or kernel_info.major is None
|
|
or kernel_info.minor is None
|
|
):
|
|
LOG.warning(
|
|
"unable to determine enough kernel information to "
|
|
"check livepatch support"
|
|
)
|
|
return LivepatchSupport.UNKNOWN
|
|
|
|
arch = util.standardize_arch_name(kernel_info.uname_machine_arch)
|
|
codename = system.get_release_info().series
|
|
|
|
lp_api_kernel_ver = "{major}.{minor}".format(
|
|
major=kernel_info.major, minor=kernel_info.minor
|
|
)
|
|
|
|
# second check cache
|
|
is_cache_valid, cache_says = _on_supported_kernel_cache(
|
|
lp_api_kernel_ver, kernel_info.flavor, arch, codename
|
|
)
|
|
if is_cache_valid:
|
|
LOG.debug("using livepatch support cache")
|
|
if cache_says is None:
|
|
return LivepatchSupport.UNKNOWN
|
|
if cache_says:
|
|
return LivepatchSupport.SUPPORTED
|
|
if not cache_says:
|
|
return LivepatchSupport.UNSUPPORTED
|
|
|
|
# finally check api
|
|
LOG.debug("using livepatch support api")
|
|
api_says = _on_supported_kernel_api(
|
|
lp_api_kernel_ver,
|
|
kernel_info.flavor,
|
|
arch,
|
|
codename,
|
|
kernel_info.build_date,
|
|
)
|
|
if api_says is None:
|
|
return LivepatchSupport.UNKNOWN
|
|
return api_says
|
|
|
|
|
|
def unconfigure_livepatch_proxy(
|
|
protocol_type: str, retry_sleeps: Optional[List[float]] = None
|
|
) -> None:
|
|
"""
|
|
Unset livepatch configuration settings for http and https proxies.
|
|
|
|
:param protocol_type: String either http or https
|
|
:param retry_sleeps: Optional list of sleep lengths to apply between
|
|
retries. Specifying a list of [0.5, 1] tells subp to retry twice
|
|
on failure; sleeping half a second before the first retry and 1 second
|
|
before the second retry.
|
|
"""
|
|
if not is_livepatch_installed():
|
|
return
|
|
system.subp(
|
|
[LIVEPATCH_CMD, "config", "{}-proxy=".format(protocol_type)],
|
|
retry_sleeps=retry_sleeps,
|
|
)
|
|
|
|
|
|
def configure_livepatch_proxy(
|
|
http_proxy: Optional[str] = None,
|
|
https_proxy: Optional[str] = None,
|
|
retry_sleeps: Optional[List[float]] = None,
|
|
) -> None:
|
|
"""
|
|
Configure livepatch to use http and https proxies.
|
|
|
|
:param http_proxy: http proxy to be used by livepatch. If None, it will
|
|
not be configured
|
|
:param https_proxy: https proxy to be used by livepatch. If None, it will
|
|
not be configured
|
|
:@param retry_sleeps: Optional list of sleep lengths to apply between
|
|
snap calls
|
|
"""
|
|
from uaclient.entitlements import LivepatchEntitlement
|
|
|
|
if http_proxy or https_proxy:
|
|
event.info(
|
|
messages.SETTING_SERVICE_PROXY.format(
|
|
service=LivepatchEntitlement.title
|
|
)
|
|
)
|
|
|
|
if http_proxy:
|
|
system.subp(
|
|
[LIVEPATCH_CMD, "config", "http-proxy={}".format(http_proxy)],
|
|
retry_sleeps=retry_sleeps,
|
|
)
|
|
|
|
if https_proxy:
|
|
system.subp(
|
|
[LIVEPATCH_CMD, "config", "https-proxy={}".format(https_proxy)],
|
|
retry_sleeps=retry_sleeps,
|
|
)
|
|
|
|
|
|
def get_config_option_value(key: str) -> Optional[str]:
|
|
"""
|
|
Gets the config value from livepatch.
|
|
:param key: can be any valid livepatch config option
|
|
:return: the value of the livepatch config option, or None if not set
|
|
"""
|
|
out, _ = system.subp([LIVEPATCH_CMD, "config"])
|
|
match = re.search("^{}: (.*)$".format(key), out, re.MULTILINE)
|
|
value = match.group(1) if match else None
|
|
if value:
|
|
# remove quotes if present
|
|
value = re.sub(r"\"(.*)\"", r"\g<1>", value)
|
|
return value.strip() if value else None
|
|
|
|
|
|
def is_livepatch_installed() -> bool:
|
|
return system.which(LIVEPATCH_CMD) is not None
|