diff --git a/repos/system_upgrade/el7toel8/actors/checklvm2cluster/actor.py b/repos/system_upgrade/el7toel8/actors/checklvm2cluster/actor.py index 41cae252492093e19a6bb3014e8b1be33d6ce92f..7d514c75b1b913785382e66a4220ee016a3ebfb2 100644 --- a/repos/system_upgrade/el7toel8/actors/checklvm2cluster/actor.py +++ b/repos/system_upgrade/el7toel8/actors/checklvm2cluster/actor.py @@ -1,3 +1,5 @@ +import subprocess + from leapp.actors import Actor from leapp.libraries.common.rpms import has_package from leapp.models import InstalledRedHatSignedRPM @@ -5,7 +7,9 @@ from leapp.reporting import Report, create_report from leapp import reporting from leapp.reporting import create_report from leapp.tags import ChecksPhaseTag, IPUWorkflowTag - +from leapp.libraries.stdlib import api +from leapp.dialogs import Dialog +from leapp.dialogs.components import BooleanComponent class Checklvm2cluster(Actor): """ 
@@ -17,12 +21,40 @@ class Checklvm2cluster(Actor): produces = (Report,) tags = (ChecksPhaseTag, IPUWorkflowTag) + dialogs = ( + Dialog( + scope='remove_lvm2-cluster', + reason='Confirmation', + components=( + BooleanComponent( + key='confirm', + label='Remove lvm2-cluster? ' + 'If no, the upgrade process will be interrupted.', + description='lvm2-cluster must be removed prior the upgrade.', + default=True, + reason='The preun scriptlet of the lvm2-cluster package will cause failure.' + ), + ) + ), + ) + def process(self): if has_package(InstalledRedHatSignedRPM, 'lvm2-cluster'): + command = "yum remove -y lvm2-cluster " + answer = self.get_answers(self.dialogs[0]) + if answer.get('confirm') == True: + try: + subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + api.current_logger().error('remove lvm2-cluster failed: {}'.format(e)) + else: + api.current_logger().info('remove lvm2-cluster succeeded: {}'.format(command)) + return + create_report([ reporting.Title('lvm2-cluster is installed, lvm2-cluster cannot be processed during upgrade'), reporting.Summary('lvm2-cluster affects the upgrade and needs to be uninstalled first'), reporting.Severity(reporting.Severity.HIGH), - reporting.Remediation(hint='Use "yum -y remove lvm2-cluster" before "leapp preupgrade --no-rhsm" '), + reporting.Remediation(hint='Use "yum remove -y lvm2-cluster" before "leapp preupgrade --no-rhsm" '), reporting.Flags([reporting.Flags.INHIBITOR]) ]) diff --git a/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/actor.py b/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/actor.py index 90d6d58b6992f02cd54f3db090b56539f51bec94..13d47234bc92d27ccdb71ed16d4128406bc29d6a 100644 --- a/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/actor.py +++ b/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/actor.py 
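Review bot: In checklvm2cluster/actor.py, `process()` now uninstalls a package from an actor tagged `ChecksPhaseTag`, and the dialog ships with `default=True`, so removal is the pre-selected answer and its only trace is an info-level log line followed by `return`. A destructive step is safer with `default=False` and a non-inhibitor report entry recording that lvm2-cluster was removed. The command is a constant, so `shell=True` buys nothing; `subprocess.check_output(['yum', 'remove', '-y', 'lvm2-cluster'], stderr=subprocess.STDOUT)` avoids the shell, and logging `e.output` in the `except` branch would keep yum's message, which `format(e)` drops. `if answer.get('confirm'):` is the usual spelling of `== True`. The same `shell=True` string and `default=True` pattern recurs in the sed calls added to opensshalgorithmscheck.py and tcpwrapperscheck/actor.py.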
@@ -2,7 +2,8 @@ from leapp.actors import Actor from leapp.libraries.actor import opensshalgorithmscheck from leapp.models import Report, OpenSshConfig from leapp.tags import ChecksPhaseTag, IPUWorkflowTag - +from leapp.dialogs import Dialog +from leapp.dialogs.components import BooleanComponent class OpenSshAlgorithmsCheck(Actor): """ @@ -15,6 +16,45 @@ class OpenSshAlgorithmsCheck(Actor): consumes = (OpenSshConfig,) produces = (Report,) tags = (ChecksPhaseTag, IPUWorkflowTag) + + dialogs = ( + Dialog( + scope='remove_openssh_cipher', + reason='Confirmation', + components=( + BooleanComponent( + key='confirm', + default=True, + label='Remove the disabled ciphers from sshd_config? ' + 'If no, the upgrade process will be interrupted.', + description='OpenSSH configured to use removed ciphers.', + reason='These ciphers were removed from OpenSSH.' + ), + ) + ), + Dialog( + scope='remove_openssh_mac', + reason='Confirmation', + components=( + BooleanComponent( + key='confirm', + default=True, + label='Remove the disabled MACs from sshd_config? ' + 'If no, the upgrade process will be interrupted.', + description='OpenSSH configured to use removed mac.', + reason='This MAC was removed from OpenSSH.' + ), + ) + ), + ) + + def is_confirm_ciphers(self): + answer = self.get_answers(self.dialogs[0]) + return answer.get('confirm', False) + + def is_confirm_mac(self): + answer = self.get_answers(self.dialogs[1]) + return answer.get('confirm', False) def process(self): - opensshalgorithmscheck.process(self.consume(OpenSshConfig)) + opensshalgorithmscheck.process(self.consume(OpenSshConfig), self.is_confirm_ciphers, self.is_confirm_mac) diff --git a/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/libraries/opensshalgorithmscheck.py b/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/libraries/opensshalgorithmscheck.py index 5f863763b3b94f0d0f02fe24c211e3ca88fd9ca1..43411e6f0b5823ac50dc01016f5eb5469d13b9e3 100644 
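Review bot: In opensshalgorithmscheck/actor.py, `is_confirm_ciphers` and `is_confirm_mac` pick their dialog by tuple position (`self.dialogs[0]`, `self.dialogs[1]`), and both dialogs use the same key `confirm`, so reordering the tuple would silently swap which answer authorises which edit of sshd_config. Binding each `Dialog` to a named class attribute and building `dialogs` from those names removes the coupling; at minimum add `# dialogs[0] = ciphers, dialogs[1] = MACs; keep in sync with the tuple order`. Both methods are passed to the library uncalled, so `get_answers` runs only when the library finds an affected setting. A one-line docstring such as `"""Return True when the user approved deleting the removed ciphers from sshd_config."""` would make that intent explicit.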
--- a/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/libraries/opensshalgorithmscheck.py +++ b/repos/system_upgrade/el7toel8/actors/opensshalgorithmscheck/libraries/opensshalgorithmscheck.py @@ -1,9 +1,10 @@ +import subprocess + from leapp.exceptions import StopActorExecutionError from leapp.libraries.stdlib import api from leapp import reporting - -def process(openssh_messages): +def process(openssh_messages, is_confirm_ciphers, is_confirm_mac): removed_ciphers = [ "blowfish-cbc", "cast128-cbc", 
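Review bot: `process()` gains two required positional parameters, so any caller still using `process(openssh_messages)` will fail with a TypeError; unit tests for this library are one likely case, and none are touched in the visible part of this commit. The names `is_confirm_ciphers` and `is_confirm_mac` read like booleans but are invoked as zero-argument callables further down, which deserves a docstring line such as `"""is_confirm_ciphers / is_confirm_mac: callables returning True when the user approved editing sshd_config."""`. Giving them a default like `is_confirm_ciphers=lambda: False` would keep old callers working and make the report-only behaviour the fallback. The body of `process()` continues outside this hunk.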
@@ -37,46 +38,71 @@ def process(openssh_messages): reporting.RelatedResource('file', '/etc/ssh/sshd_config') ] if found_ciphers: - reporting.create_report([ - reporting.Title('OpenSSH configured to use removed ciphers'), - reporting.Summary( - 'OpenSSH is configured to use removed ciphers {}. ' - 'These ciphers were removed from OpenSSH and if ' - 'present the sshd daemon will not start in Anolis 8' - ''.format(','.join(found_ciphers)) - ), - reporting.Severity(reporting.Severity.HIGH), - reporting.Tags([ - reporting.Tags.AUTHENTICATION, - reporting.Tags.SECURITY, - reporting.Tags.NETWORK, - reporting.Tags.SERVICES - ]), - reporting.Remediation( - hint='Remove the following ciphers from sshd_config: ' - '{}'.format(','.join(found_ciphers)) - ), - reporting.Flags([reporting.Flags.INHIBITOR]) - ] + resources) + report_ciphers_pass = False + command = "sed -i '/^[^#]*Cipher/ s/\(arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\)\,\?//g;s/,$//' /etc/ssh/sshd_config" + if is_confirm_ciphers() == True: + try: + subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + api.current_logger().error('Remove OpenSSH Ciphers failed: {}'.format(e)) + else: + api.current_logger().info('Remove OpenSSH Ciphers succeeded: {}'.format(command)) + report_ciphers_pass = True + + if not report_ciphers_pass: + reporting.create_report([ + reporting.Title('OpenSSH configured to use removed ciphers'), + reporting.Summary( + 'OpenSSH is configured to use removed ciphers {}. 
' + 'These ciphers were removed from OpenSSH and if ' + 'present the sshd daemon will not start in Anolis 8' + ''.format(','.join(found_ciphers)) + ), + reporting.Severity(reporting.Severity.HIGH), + reporting.Tags([ + reporting.Tags.AUTHENTICATION, + reporting.Tags.SECURITY, + reporting.Tags.NETWORK, + reporting.Tags.SERVICES + ]), + reporting.Remediation( + hint='Remove the following ciphers from sshd_config: ' + '{}'.format(','.join(found_ciphers)) + ), + reporting.Flags([reporting.Flags.INHIBITOR]) + ] + resources) if found_macs: - reporting.create_report([ - reporting.Title('OpenSSH configured to use removed mac'), - reporting.Summary( - 'OpenSSH is configured to use removed mac {}. ' - 'This MAC was removed from OpenSSH and if present ' - 'the sshd daemon will not start in Anolis 8' - ''.format(','.join(found_macs)) - ), - reporting.Severity(reporting.Severity.HIGH), - reporting.Tags([ - reporting.Tags.AUTHENTICATION, - reporting.Tags.SECURITY, - reporting.Tags.NETWORK, - reporting.Tags.SERVICES - ]), - reporting.Remediation( - hint='Remove the following MACs from sshd_config: {}'.format(','.join(found_macs)) - ), - reporting.Flags([reporting.Flags.INHIBITOR]) - ] + resources) + report_mac_pass = False + command = "sed -i '/^[^#]*MAC/ s/\(hmac-ripemd160\)\,\?//g;s/,$//' /etc/ssh/sshd_config" + if is_confirm_mac() == True: + try: + subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + api.current_logger().error('Remove OpenSSH MACs failed: {}'.format(e)) + else: + api.current_logger().info('Remove OpenSSH MACs succeeded: {}'.format(command)) + report_mac_pass = True + + if not report_mac_pass: + reporting.create_report([ + reporting.Title('OpenSSH configured to use removed mac'), + reporting.Summary( + 'OpenSSH is configured to use removed mac {}. 
' + 'This MAC was removed from OpenSSH and if present ' + 'the sshd daemon will not start in Anolis 8' + ''.format(','.join(found_macs)) + ), + reporting.Severity(reporting.Severity.HIGH), + reporting.Tags([ + reporting.Tags.AUTHENTICATION, + reporting.Tags.SECURITY, + reporting.Tags.NETWORK, + reporting.Tags.SERVICES + ]), + reporting.Remediation( + hint='Remove the following MACs from sshd_config: {}'.format(','.join(found_macs)) + ), + reporting.Flags([reporting.Flags.INHIBITOR]) + ] + resources) + diff --git a/repos/system_upgrade/el7toel8/actors/tcpwrapperscheck/actor.py b/repos/system_upgrade/el7toel8/actors/tcpwrapperscheck/actor.py index 7d863df38e123d3df038b3079dc97e20f52758d5..2deda0afffe3cf1568edaa2ad21c88cca4d2dec3 100644 --- a/repos/system_upgrade/el7toel8/actors/tcpwrapperscheck/actor.py +++ b/repos/system_upgrade/el7toel8/actors/tcpwrapperscheck/actor.py @@ -1,3 +1,4 @@ +import subprocess from leapp.actors import Actor from leapp.exceptions import StopActorExecutionError from leapp.models import Report, TcpWrappersFacts, InstalledRedHatSignedRPM @@ -7,6 +8,8 @@ from leapp.libraries.actor.tcpwrapperscheck import config_affects_daemons from leapp.libraries.common.rpms import create_lookup from leapp.reporting import create_report from leapp import reporting +from leapp.dialogs import Dialog +from leapp.dialogs.components import BooleanComponent DAEMONS = [ ("audit", ["auditd"]), 
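Review bot: The two sed expressions in opensshalgorithmscheck.py rewrite /etc/ssh/sshd_config by substring rather than by algorithm name, and nothing checks the result before the inhibitor is skipped. `hmac-ripemd160` also matches inside an entry such as `hmac-ripemd160-etm@openssh.com` and leaves a fragment behind, a line whose only entries are removed ones ends up as a bare `Ciphers`/`MACs` keyword, and the sed address applies only to the first `s` command, so `s/,$//` runs on every line of the file. The pattern list is also hard-coded instead of derived from `found_ciphers`/`found_macs`, and the non-raw Python string relies on unrecognised escapes such as `\(` being passed through. I would filter the comma-separated list token by token in Python, keep a backup, and run `sshd -t` before reporting success, as sketched below (needs `import shutil`; the MAC branch is analogous). `process()` starts outside this hunk.

```python
def _drop_removed(path, keyword, removed):
    """Delete `removed` entries from every `keyword` line of `path`, comparing whole names."""
    with open(path) as f:
        lines = f.readlines()
    for idx, line in enumerate(lines):
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].lower() != keyword:
            continue  # comments, other keywords, blank lines
        kept = [alg for alg in fields[1].strip().split(',') if alg and alg not in removed]
        if not kept:
            # an empty list is not a valid setting; leave the decision to the admin
            raise ValueError('{} would be left without any entry'.format(fields[0]))
        lines[idx] = '{} {}\n'.format(fields[0], ','.join(kept))
    # backup suffix is only a suggestion
    shutil.copy2(path, path + '.leapp-backup')
    with open(path, 'w') as f:
        f.writelines(lines)


# … unchanged: detection of found_ciphers / found_macs in process() …
    if found_ciphers:
        report_ciphers_pass = False
        if is_confirm_ciphers():
            try:
                _drop_removed('/etc/ssh/sshd_config', 'ciphers', found_ciphers)
                # syntax check with the installed sshd; fails on a file it cannot parse
                subprocess.check_output(['sshd', '-t'], stderr=subprocess.STDOUT)
            except (ValueError, EnvironmentError, subprocess.CalledProcessError) as e:
                api.current_logger().error('Remove OpenSSH Ciphers failed: {}'.format(e))
            else:
                api.current_logger().info(
                    'Removed OpenSSH Ciphers: {}'.format(','.join(found_ciphers)))
                report_ciphers_pass = True
        # … unchanged: inhibitor report when report_ciphers_pass is False …
```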
@@ -41,7 +44,24 @@ class TcpWrappersCheck(Actor): consumes = (TcpWrappersFacts, InstalledRedHatSignedRPM,) produces = (Report,) tags = (ChecksPhaseTag, IPUWorkflowTag) - + + dialogs = ( + Dialog( + scope='remove_tcp_wrappers_configuration', + reason='Confirmation', + components=( + BooleanComponent( + key='confirm', + label='Remove tcp wrappers configuration? ' + 'If no, the upgrade process will be interrupted.', + description='TCP Wrappers support has been removed in Anolis 8.', + default=True, + reason='There is some configuration affecting installed packages in /etc/hosts.deny or /etc/hosts.allow, which is no longer going to be effective after update' + ), + ) + ), + ) + def process(self): # Consume a single TCP Wrappers message tcp_wrappers_messages = self.consume(TcpWrappersFacts) @@ -59,6 +79,17 @@ class TcpWrappersCheck(Actor): found_packages = config_affects_daemons(tcp_wrappers_facts, packages, DAEMONS) if found_packages: + command = "sed -i 's/^[^#]/# &/g' /etc/hosts.allow /etc/hosts.deny " + answer = self.get_answers(self.dialogs[0]) + if answer.get('confirm') == True: + try: + subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT) + except subprocess.CalledProcessError as e: + api.current_logger().error('remove TCP Wrappers configuration failed: {}'.format(e)) + else: + api.current_logger().info('remove TCP Wrappers Configuration succeeded: {}'.format(command)) + return + create_report([ reporting.Title('TCP Wrappers configuration affects some installed packages'), reporting.Summary(
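Review bot: Answering yes in tcpwrapperscheck/actor.py comments out every active line of /etc/hosts.allow and /etc/hosts.deny on the still-running source system, so any allow/deny rule that daemons currently enforce is dropped during the checks phase. This happens with `default=True`, no backup, and a bare `return` that skips the report. I would set `default=False`, keep the originals with `sed -i.leapp-backup` (the suffix is only a suggestion), and replace the bare `return` with a non-inhibitor report that lists the disabled rules so they can be re-created in the firewall. The new branch also calls `api.current_logger()`, but no import of `api` appears in the visible hunks of this file; unless it is already imported in the unseen lines, `from leapp.libraries.stdlib import api` is needed or the log calls raise NameError. `process()` continues past the end of this hunk.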