Noah Hilverling
2cb995e937
Merge pull request from GHSA-pcmr-2p2f-r7j6
...
Verify certificates against CRL before renewing them (2.12)
2020-12-15 12:30:19 +01:00
Julian Brost
cae22a89da
Verify certificates against CRL before renewing them
...
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
2020-12-15 10:33:38 +01:00
Julian Brost
c868010884
Use ERR_error_string_n() instead of ERR_error_string()
...
Explicitly pass the actual length of the buffer to avoid overflows.
2020-12-15 08:29:37 +01:00
Noah Hilverling
11486faeba
Fix runtime config updates not working for objects without zone
...
refs #8533
2020-12-11 09:36:39 +01:00
Julian Brost
9dab8644d1
ApiListener: merge new config validation and activation functions
...
Merge AsyncTryActivateZonesStage and TryActivateZonesStageCallback and
name the result TryActivateZonesStage. The old split was a leftover from
the one being a callback function with no actual meaningful separation.
2020-11-27 11:32:11 +01:00
Julian Brost
07b9c62c98
Use std::mutex instead of Spinlock
2020-11-27 11:32:11 +01:00
Julian Brost
c5d8248e78
API filesync: wait for validation process to exit
...
This avoids having to pass a lock implicitly using the captured variables
of a lambda.
2020-11-27 11:32:10 +01:00
Julian Brost
9f8ff26d88
Merge pull request #8496 from Icinga/bugfix/replay-log-blocks
...
Start ApiListener#SyncClient() in the thread pool
2020-11-23 13:28:46 +01:00
Julian Brost
e589257d1b
Merge pull request #8495 from Icinga/bugfix/config-sync-only-remove-files-if-timestamp-changed
...
Config sync: Only remove files, if timestamp changed
2020-11-23 12:37:20 +01:00
Alexander A. Klimov
748993af8a
Start ApiListener#SyncClient() in the thread pool
...
... not hosting the coroutines, so as not to block them.
Otherwise a large replay log would block message sending
until the peer disconnects us.
2020-11-23 12:07:08 +01:00
Julian Brost
91119c8946
Merge pull request #8465 from Icinga/feature/one-connection
...
ApiListener#NewClientHandlerInternal(): reject connections from already connected endpoints
2020-11-23 12:03:18 +01:00
Julian Brost
611aa39468
Merge pull request #8467 from Icinga/feature/http-status-codes-in-icinga-mainlog-7053
...
Include HTTP status codes in log
2020-11-23 11:59:05 +01:00
Alexander Aleksandrovič Klimov
a5dc71ebab
Merge pull request #8474 from Icinga/bugfix/message-routing-for-global-zones-2.12
...
Fix cluster message routing for global zones
2020-11-23 11:55:23 +01:00
Alexander Aleksandrovič Klimov
9fb776bb0f
Merge pull request #8461 from Icinga/bugfix/do-not-accept-api-updates-for-unknown-zone-2.12.2
...
API: Don't accept object updates for unknown zone
2020-11-23 11:54:08 +01:00
Noah Hilverling
7f232d6007
Config sync: Only remove files, if timestamp changed
2020-11-23 11:39:46 +01:00
Julian Brost
b9f0f6ed40
Close anonymous connections after 10 seconds
...
Anonymous connections are normally only used for requesting a
certificate and are closed after this request is received. However, the
request is only sent if the child has successfully verified the
certificate of its parent so that it is an authenticated connection from
its perspective. In case this verification fails, both ends view it as
an anonymous connection and never actually use it but attempt a
reconnect after 10 seconds leaking the connection. Therefore close it
after a timeout.
2020-11-13 16:33:40 +01:00
Julian Brost
0e98a52763
Fix cluster message routing for global zones
...
RelayMessageOne used to relay the message only to one other endpoint for
other zones, which is fine, as long as the target zone is a child/parent
zone but breaks if the target zone is a global one. In this case, the
message has to be forwarded within the local zone as well as to one node
in each child zone.
2020-11-12 09:50:35 +01:00
Julian Brost
5cf90805c8
Log config object deletions to replay log
...
The initial config object sync for each new connection (in
`ApiListener::SendRuntimeConfigObjects()`) only considers currently
existing objects and has no way to pass the information that objects
were deleted in the meantime.
This commit logs config object deletions to the replay log if required
so that there is a chance that it will be propagated to nodes that were
offline when the deletion happened.
Note that this can only be considered a workaround as the replay log
might be pruned or could even be completely disabled. Also, there still
seems to be a race-condition between the config sync and replay log of
multiple new connections at the same time.
2020-11-10 17:42:43 +01:00
Noah Hilverling
a2d14dcdd2
API: Don't accept object updates for unknown zone
2020-11-09 16:37:25 +01:00
Alexander A. Klimov
29e5d7def7
Include HTTP status codes in log
...
refs #7053
2020-11-09 10:20:13 +01:00
Alexander A. Klimov
38110e55d3
ApiListener#NewClientHandlerInternal(): reject connections from already connected endpoints
2020-10-26 15:20:58 +01:00
Noah Hilverling
47a6daf341
Merge pull request #8293 from Icinga/bugfix/icinga2-doesn-t-close-connections-7203
...
Add timeout for boost::asio::ssl::stream#async_shutdown()
2020-10-14 09:44:12 +02:00
Alexander Aleksandrovič Klimov
912a63d089
Merge pull request #8345 from Icinga/bugfix/exceptions-in-config-sync-2.12
...
Catch exceptions in the thread running HandleConfigUpdate
2020-10-14 09:09:08 +02:00
Alexander A. Klimov
b559bf1735
Make ApiListener::m_ConfigSyncStageLock a SpinLock
2020-10-13 17:45:37 +02:00
Julian Brost
7d22cdf81e
Catch exceptions in the thread running HandleConfigUpdate
...
With dc3062a9b06fed69cdbb1508ace6eb2f77f87553, exceptions in this code
path were no longer caught properly. This commit restores exception
handling for this function.
2020-10-13 17:38:01 +02:00
Alexander A. Klimov
934fb89e03
Clear ApiListener#last_failed_zones_stage_validation on config::Update if config not changed
...
refs #7642
2020-09-11 13:38:35 +02:00
Noah Hilverling
a615b2126e
Merge pull request #8142 from Icinga/bugfix/don-not-close-connection-on-missing-heartbeat-8095
...
Remove all codes related to the heartbeat timeout
2020-07-29 15:33:22 +02:00
Noah Hilverling
97fc70ccb2
Merge pull request #7836 from Icinga/bugfix/jsonrpcconnection-m_seen
...
Consider a JsonRpcConnection being seen on a single byte of TLS payload, not only a whole message
2020-07-29 15:02:48 +02:00
Yonas Habteab
964a90fa4b
Remove all codes related to the heartbeat timeout
...
Until now, if the timeout is exceeded, the connection is immediately terminated.
But since we do not want to disconnect even if the timeout is exceeded, it is
better to send the messages without timeout and have deleted everything
related to the heartbeat timeout. We also have another mechanism in
JRPC::CheckLiveness that does the disconnect.
2020-07-29 14:27:55 +02:00
Noah Hilverling
9f57e895f1
Merge pull request #8102 from Icinga/bugfix/send-heartbeat-less-often-8098
...
Send heartbeat every 20s and not 10s
2020-07-21 09:46:33 +02:00
Yonas Habteab
cf5ec5e341
Send heartbeat every 20s and not 10s
2020-07-09 13:22:08 +02:00
Alexander A. Klimov
19c632e44b
Add timeout for boost::asio::ssl::stream#async_shutdown()
...
refs #7203
2020-06-17 10:33:35 +02:00
Alexander A. Klimov
647f1547a9
Generalize I/O timeout emulation
2020-06-17 10:31:40 +02:00
Noah Hilverling
84b052b314
Merge pull request #7926 from Icinga/bugfix/jsonrpcconnection-handleandwriteheartbeats-m_endpoint-getname
...
JsonRpcConnection#HandleAndWriteHeartbeats(): check !!#m_Endpoint
2020-06-03 15:46:38 +02:00
Noah Hilverling
d5d89b7f39
Merge pull request #7970 from Icinga/bugfix/reconnect-loop
...
RequestCertificateHandler(): don't disconnect nodes already integrated into the cluster
2020-04-27 13:05:22 +02:00
Alexander A. Klimov
5a5cf1a2eb
RequestCertificateHandler(): don't disconnect nodes already integrated into the cluster
...
... not to cause a reconnect loop.
2020-04-08 13:29:55 +02:00
Alexander Aleksandrovič Klimov
2e22ceb23e
Merge pull request #7936 from Icinga/bugfix/config-sync-failed-reload-7742
...
ApiListener::ConfigUpdateHandler(): make the whole process mutually exclusive
2020-04-07 15:55:14 +02:00
Michael Insel
51e534ff4c
Fix CA verification regression
...
Uninitialized bool values may evaluate to true while they should be false.
2020-03-29 16:05:29 +02:00
Alexander A. Klimov
38f3108c1a
ApiListener::HandleConfigUpdate(): make the whole process mutually exclusive
...
refs #7742
2020-03-23 17:33:14 +01:00
Alexander A. Klimov
dc3062a9b0
ApiListener::ConfigUpdateHandler(): block as little as possible
...
refs #7742
2020-03-23 17:31:59 +01:00
Alexander A. Klimov
5e7a675009
JsonRpcConnection#HandleAndWriteHeartbeats(): check !!#m_Endpoint
2020-03-18 11:58:27 +01:00
Noah Hilverling
4c9e4959f3
Merge pull request #7823 from Icinga/bugfix/unify-application-start-times
...
Fix timing point for Application::GetStartTime() (related to command endpoint grace period)
2020-03-09 09:45:57 +01:00
Noah Hilverling
c9ab04d511
Merge pull request #7841 from Icinga/bugfix/jsonrpcconnection-sendmessage-keepalive
...
JsonRpcConnection#Send*Message(): keep this alive
2020-03-03 10:46:33 +01:00
Michael Friedrich
13d2416e29
Fix regression from JsonRPC PKI CA verification checks
...
refs #7835
2020-02-27 12:31:02 +01:00
Michael Friedrich
456b0779bb
JsonRpcConnection PKI: Document swallowed exception
2020-02-20 15:15:54 +01:00
Alexander A. Klimov
0f84ce0470
Consider a JsonRpcConnection being seen on a single byte of TLS payload, not only a whole message
2020-02-19 11:11:53 +01:00
Michael Friedrich
a91b9f2ddf
Pki: Extend GetCertificateInformation() with version, serial, signature algorithm, SANs
2020-02-17 17:44:10 +01:00
Michael Friedrich
24397fbee8
CA Proxy: Catch exceptions from VerifyCertificate()
2020-02-17 17:43:11 +01:00
Alexander A. Klimov
fbce756007
JsonRpcConnection#Send*Message(): keep this alive
2020-02-17 16:12:07 +01:00
Michael Friedrich
d53eb34520
Unify Application::GetStartTime() and drop GetMainTime()
...
This essentially moves the start time into the scope when main
starts to "do something", after the reload and configuration handling
is done.
2020-02-11 17:26:15 +01:00