Matthias Baur
177c45d787
Improve error message for POST queries
...
If the user does a POST query but forgets to add the
'X-HTTP-Method-Override: GET' HTP header, the error message was
misleading. This changes the error message to a more detailed message
which might give the user a better understanding what the problem
could be.
Fixes #7675 .
2019-12-03 11:39:40 +01:00
Michael Insel
859658ab98
Fix TLS context copies in ApiListener
...
This avoids copying the TLS context in the ApiListener class and removes
the obsolete variable.
This is a follow-up from #7654
2019-11-29 16:03:38 +01:00
Michael Insel
8431ea52ee
Make SSL context const again
...
Turns out that the switch to the class member variable inside the lambda
expression is sufficient to fix the issue.
2019-11-25 23:42:32 +01:00
Michael Insel
016a6c3f25
Fix ApiListener const SSL context
...
This makes the SSL context in ApiListener::SpawnCoroutine non-const to
address an issue when an agent recieves an signed certificate from the
master and tries to update the SSL context. This also uses the class
member variable which is captured by `this` in the lamda expression.
fixes #7650
2019-11-25 22:21:09 +01:00
Michael Friedrich
b1787883f7
Merge pull request #7535 from tigercomputing/Icinga/feature/config-stage-activate-parameter
...
API /v1/config/stages 'activate' parameter
2019-11-15 12:58:03 +01:00
Michael Friedrich
38080405df
Merge pull request #7528 from Icinga/bugfix/api-put-error-handling
...
API: Handle permission exceptions soon enough, returning 404
2019-11-15 11:53:59 +01:00
Alexander A. Klimov
f601ba51e0
Revert "Eventqueue: Remove unused code"
...
This reverts commit a7873da89d
.
2019-11-02 14:00:23 +01:00
Michael Friedrich
cb20b4829a
Cluster Config Sync: Check the timestamp prior to config file checksums
...
Otherwise old configuration received from a secondary master/satellite
could always trigger a config change & reload.
2019-10-22 14:07:10 +02:00
Alexander A. Klimov
aa4cad7482
Replace std::shared_ptr<Expression> with Expression::Ptr
...
refs #7361
2019-10-21 17:10:51 +02:00
Alexander A. Klimov
ba1ce9c853
Replace std::shared_ptr<boost::asio::ssl::context> with Shared<boost::asio::ssl::context>::Ptr
2019-10-21 16:12:46 +02:00
Alexander A. Klimov
a1fef92835
Replace std::shared_ptr<boost::asio::ip::tcp::acceptor> with Shared<boost::asio::ip::tcp::acceptor>::Ptr
2019-10-21 16:12:46 +02:00
Alexander A. Klimov
a1683568a1
Replace std::shared_ptr<AsioTlsStream> with Shared<AsioTlsStream>::Ptr
2019-10-21 16:12:35 +02:00
Michael Friedrich
e7c07062f8
Avoid syncing .authorititative marker received from < 2.11 parent nodes
2019-10-02 10:49:02 +02:00
Chris Boot
aece8d61e2
Introduce 'activate' parameter to config stage handling
...
This functionality allows a stage to be uploaded and validated as
normal, but not activated. This is useful to pre-flight an Icinga config
package before it is applied to a monitoring cluster, for example in a
CI pipeline.
2019-09-24 17:17:19 +01:00
Michael Friedrich
f419efd778
API: Handle permission exceptions soon enough, returning 404
...
fixes #7513
2019-09-23 09:48:50 +02:00
Michael Friedrich
eddb40a913
CSR Auto-signing: Add debug logging for skipped signing
2019-09-18 11:53:58 +02:00
Michael Friedrich
d3eb62301e
API: Add AES128-GCM-SHA256 compatible cipher for el6
...
fixes #7501
2019-09-16 14:19:22 +02:00
Michael Friedrich
9ec246a2f4
Revert: Always reset Boost beast buffer in HttpServerConnection#ProcessMessages #7476
...
Not a simple revert but also adds a comment for the buffer.
refs #7476
2019-09-12 17:00:17 +02:00
Michael Friedrich
2c0e0da2d9
Introduce IoEngine::SpawnCoroutine wrapping asio::spawn and Boost exceptions
...
This is required to
- catch all exceptions and wrap them into Boost exceptions. They
are the only ones allowed with Boost.Coroutine.
- set a dedicated coroutine stack size for Windows.
refs #7431
2019-09-09 16:40:35 +02:00
Michael Friedrich
5fa7331cc9
Quality: Replace deprecated Boost IO service code
...
https://github.com/boostorg/asio/issues/110
https://www.boost.org/doc/libs/1_66_0/doc/html/boost_asio/example/cpp03/services/logger_service.hpp
2019-09-09 15:27:57 +02:00
Alexander A. Klimov
0a9563b3db
HttpServerConnection#ProcessMessages(): avoid I/O if shutting down
...
refs #7431
2019-09-09 13:37:44 +02:00
Alexander A. Klimov
b85b8b9697
HttpServerConnection#ProcessMessages(): avoid I/O after boost::asio::error::operation_aborted
...
refs #7431
2019-09-09 13:29:47 +02:00
Alexander A. Klimov
dfaeb88ac3
{HttpServer,JsonRpc}Connection#Disconnect(): cancel I/O ops ASAP
...
refs #7431
2019-09-09 13:11:51 +02:00
Michael Friedrich
b3c48e7520
Merge pull request #7485 from Icinga/bugfix/api-disconnect-defer
...
Avoid the Defer-Disconnect destructor pattern with Boost.Coroutines
2019-09-09 11:41:34 +02:00
Michael Friedrich
c5aa978912
Rewrite error handling in HttpServerConnection#EnsureValidHeaders()
...
Throwing local exceptions unnecessarily pollutes the exception
stack with immediate unwinding. Avoid this pattern at all cost within
Boost.Coroutines. MSVC may handle exceptions differently and cause
problems with stack unwinding.
refs #7431
refs #7351
2019-09-09 11:03:21 +02:00
Michael Friedrich
17d4d17307
Avoid the Defer-Disconnect destructor pattern with Boost.Coroutines
...
Exceptions in Disconnect() might be thrown (this has been reworked
into error_code locally) which are swallowed inside the Destructor
for being dangerous. On the other hand, swallowing them may
corrupt the stack unwinding operation from the coroutine layer.
The best is to avoid Defer inside lib/remote and call Disconnect()
directly after breaking from other operations.
refs #7351
refs #7431
2019-09-09 10:57:13 +02:00
Michael Friedrich
ebb0826be0
JsonRpcConnection: Don't swallow exceptions in Boost.Coroutine
...
refs #7351
2019-09-09 09:26:12 +02:00
Michael Friedrich
cdacd545c6
Merge pull request #7477 from Icinga/bugfix/api-boost-exceptions-errors
...
HttpServerConnection: Prefer error codes over Boost exceptions
2019-09-06 10:22:42 +02:00
Michael Friedrich
a208f7baf0
HttpServerConnection: Prefer error codes over Boost exceptions
...
When run within a coroutine, exceptions on Windows may influence
bad behaviour here. Instead, we'll check for the error code
and extract the message from memory. In contrast to exceptions
which are stored on the stack frame and then return, this costs
a little more memory but simplifies the logic.
This doesn't fix the linked issue, but is related to the analysis.
refs #7431
2019-09-06 10:06:17 +02:00
Michael Friedrich
eabba2de42
Always reset Boost beast buffer in HttpServerConnection#ProcessMessages
...
refs #7431
2019-09-06 09:31:16 +02:00
Michael Friedrich
f62db49d3e
Merge pull request #7451 from Icinga/bugfix/update-docs
...
Update docs: Fix online URL, cipher list
2019-08-28 08:59:28 +02:00
Michael Friedrich
0915c84530
Update doc URL for the API info handler at /v1
2019-08-27 16:47:07 +02:00
Alexander A. Klimov
c24312b870
JsonRpcConnection#Disconnect(): unregister the connection ASAP
...
refs #7444
2019-08-23 17:14:13 +02:00
Michael Friedrich
2760748d78
Fix and improve logging for runtime object sync
...
config::UpdateObject would create a new object, but this may
have been silently ignored with 'ignore_on_error' - downtimes, etc.
Since we cannot simply fetch the error from inside the config compiler,
we'd just check whether there's a config object created at this stage.
This happens synchronously, and once there is, log something.
The previous code always logged the creation, even if the downtime
was ignored, e.g. when the first master sent one for local host objects.
This commit also adds more details: identity, endpoint, zone to extract
the MessageOrigin details into log messages for better troubleshooting
and debugging.
refs #7198
2019-08-15 09:29:05 +02:00
Michael Friedrich
7c1f716dad
Fix cookie with ActivateItems
2019-08-13 16:09:26 +02:00
Michael Friedrich
c30edd0a34
Fix message origin for runtime created config object (create/delete events)
2019-08-13 15:05:47 +02:00
Michael Friedrich
743dcad35d
Improve logging for downtime/ack events (add, remove, expire)
...
fixes #7374
2019-08-06 13:28:58 +02:00
Michael Friedrich
c42a2583f0
Cluster sync: Only sync valid UTF8 content (text config, no binaries)
...
- *.conf files are sanitized automatically.
- Other files detect sanitizing and treat that as unsupported type
refs #7382
2019-08-02 16:06:32 +02:00
Michael Friedrich
ebd6735c70
TLS Ciphers: Add compatibility suites for older agents (el7)
2019-07-30 10:55:29 +02:00
Michael Friedrich
eff6e7662c
Fix style and comments
2019-07-15 09:54:35 +02:00
Diana Flach
5fbc052aba
Cluster Sync: Improve log messages
2019-07-15 09:54:26 +02:00
Michael Friedrich
b00e1d0c67
Config sync: Count the updates and log them
...
```
[2019-07-10 12:34:27 +0200] information/ApiListener: Received configuration updates (2) from endpoint 'master1' are equal to production, not triggering reload.
```
2019-07-15 09:54:09 +02:00
Diana Flach
87d4575af8
Cluster Sync: Ensure that files are synced everytime
2019-07-15 09:53:47 +02:00
Alexander A. Klimov
3f4cb0936c
Add ApiListener::UpdatedObjectAuthority()
...
refs #7086
2019-07-11 12:58:07 +02:00
Michael Friedrich
46287c92e6
Cluster: Avoid checking for checksum length with internal files in use
...
fixes #7282
2019-07-04 13:52:31 +02:00
Janne Heß
3e801fbd5a
Fix Path to staged files
...
The paths in the list are relative, not absolute to the stage directory.
2019-06-26 02:04:06 +02:00
Michael Friedrich
08a47600be
Config sync: Only copy paths to prod which are actually there
...
Stored files may be removed by external sources.
2019-06-19 17:00:50 +02:00
Michael Friedrich
db4cc13770
Config Sync: Only log config files for stage, no metadata
2019-06-19 16:09:16 +02:00
Michael Friedrich
577e42e137
Quality: Comments and logs in cluster config sync
2019-06-19 14:46:11 +02:00
Michael Friedrich
3852c51c9f
Cluster sync: Don't load/sync the .authoritative config file marker
...
This would influence everything else, and it isn't needed anywhere
but the master instance (zones.d -> var-zones).
2019-06-19 14:46:11 +02:00
Michael Friedrich
0aa6f1a3b3
Use boost::filesystem & Utility classes for file IO
2019-06-19 14:46:11 +02:00
Michael Friedrich
6add9f9ecb
Avoid concurrent cluster config sync transactions
...
fixes #6660
2019-06-19 14:46:11 +02:00
Michael Friedrich
af8624dcf1
Apply ReloadTimeout for 2.11
2019-06-19 14:46:11 +02:00
Michael Friedrich
b3b7abdfe8
Spam the log with config file copies from stage to prod
2019-06-19 14:46:11 +02:00
Michael Friedrich
4c6150b254
Improve checksum logic and logging
2019-06-19 14:46:11 +02:00
Michael Friedrich
f92f6f7f8c
Improve checksum checks for each file content
2019-06-19 14:46:11 +02:00
Michael Friedrich
a6ddef17d9
Enhace logging when config change yes/no will trigger further reload actions
2019-06-19 14:46:11 +02:00
Michael Friedrich
c230e503e6
Fix global checksum calculation
2019-06-19 14:46:11 +02:00
Michael Friedrich
7a02990ef8
Refactor the client sync, part II (WIP, currently checksums generate an endless loop)
2019-06-19 14:46:11 +02:00
Michael Friedrich
6105ace50f
Improve variable names in ApiListener::SendConfigUpdate()
2019-06-19 14:46:11 +02:00
Michael Friedrich
a4b48fc7f4
Update code docs
2019-06-19 14:46:11 +02:00
Michael Friedrich
fcc1799a5d
Split config file sync updates, part I
...
This commit also introduces a playground for checksums,
whilst refactoring the code in large parts.
2019-06-19 14:46:11 +02:00
Michael Friedrich
9df389a843
Improve logging for ignored config updates where we are authoritative for (config master)
2019-06-19 14:46:11 +02:00
Michael Friedrich
efc2289178
Remove duplicated validation paths in function signatures
2019-06-19 14:46:11 +02:00
Michael Friedrich
043824a6a9
Leave partial deletes as is, this is dealt with stage purge later
2019-06-19 14:46:11 +02:00
Michael Friedrich
b3fa51a5dc
Code Documentation: Config file sync
...
Adds headers to all functions including parameters. This unveils
certain unused ones too.
2019-06-19 14:46:11 +02:00
Michael Friedrich
604a8a041d
Update log message and implement recursive diff delete
2019-06-19 14:46:11 +02:00
Michael Friedrich
2acf3a6941
Indicate a warning in the 'icinga' check when cluster stage validation failed
...
- success: clear the last failed attribute
- failed: populate it with the output and current timestamp
This can be used to highlight this in the 'icinga' check task.
Since 2.9 we don't have problems with circular library dependencies
with just one linked binary, therefore it is safe to include libremote
in libmethods here.
2019-06-19 14:46:11 +02:00
Michael Friedrich
46cb806b3f
Add a note for config updates V1 and V2
...
Old clients sync !.conf via update_v2 message, we cannot
remove this handling for the time being.
2019-06-19 14:46:11 +02:00
Michael Friedrich
83c11962b2
Only remove directories if they exist during sync
2019-06-19 14:46:11 +02:00
Michael Friedrich
4e9439f2d8
Ensure that config master zones.d -> var-api-zones sync removes deleted files
2019-06-19 14:46:11 +02:00
Michael Friedrich
9d53db1401
Purge stage and production directories before copying files
...
The cluster-message -> production diff is still intact, we're
just taking care of unwanted/deleted files here.
2019-06-19 14:46:11 +02:00
Michael Friedrich
86108e6a1e
Improve logging and code quality
2019-06-19 14:46:11 +02:00
Michael Friedrich
fb367e12cc
Store the last failed zone stage sync validation as runtime ApiListener attribute
2019-06-19 14:46:11 +02:00
Michael Friedrich
a91bbe8acd
Fix constant value for zone var override
2019-06-19 14:46:11 +02:00
Michael Friedrich
e3e68caaa3
Inherit parent process arguments for defined path constants
2019-06-19 14:46:11 +02:00
Michael Friedrich
e545884952
Improve logging for staged config sync
2019-06-19 14:46:11 +02:00
Michael Friedrich
1853254201
Pass the zonesVar override around
2019-06-19 14:46:11 +02:00
Michael Friedrich
2ed56b50a4
Ensure directory paths are created from stage -> prod
2019-06-19 14:46:11 +02:00
Michael Friedrich
c2d7063ae7
Better signal for checking the cluster config sync stage (ignore production)
2019-06-19 14:46:11 +02:00
Michael Friedrich
506eee2f7d
Fix crash
2019-06-19 14:46:11 +02:00
Michael Friedrich
2c39d69428
Implement first draft for cluster config staged sync
2019-06-19 14:46:11 +02:00
Alexander A. Klimov
42a33cdc7d
Fix build errors with Boost v1.70
...
refs #7237
2019-06-07 16:30:34 +02:00
Michael Friedrich
b32d818d1b
CLI: Allow to list removed CSRs with 'ca list'
2019-06-07 10:33:55 +02:00
Andrew Jaffie
429f1ed317
Ignore repeated requests from client after using ca remove command
2019-06-07 10:33:55 +02:00
Michael Friedrich
6a8823f879
Avoid concurrent cluster config sync transactions
...
fixes #6660
2019-06-05 15:23:28 +02:00
Michael Friedrich
ef72cd4442
Merge pull request #7220 from Icinga/bugfix/asio-error-handling
...
Improve error handling with network connections (Boost ASIO)
2019-06-05 14:43:31 +02:00
Michael Friedrich
18211ddd23
Merge pull request #7209 from Icinga/bugfix/immediately-close-sockets
...
Close server connections and shutdown coroutines immediately on disconnect
2019-06-05 14:40:24 +02:00
Alexander A. Klimov
ad28380884
Close server connections and shutdown coroutines immediately on disconnect
2019-06-05 10:42:03 +02:00
Michael Friedrich
fd9887c5af
API: Harden default cipher list
...
According to https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
2019-06-05 09:55:43 +02:00
Michael Friedrich
3798089642
Improve error handling with network connections (Boost ASIO)
...
refs #7041
2019-06-05 09:42:51 +02:00
Michael Friedrich
146b337d4d
Merge pull request #7211 from Icinga/feature/asio-tls-version
...
Require TLS 1.2 for Cluster & REST API
2019-06-03 16:19:22 +02:00
Michael Friedrich
d82c067555
Require TLS 1.2 for Cluster & REST API
...
refs #7041
2019-05-29 17:08:36 +02:00
Michael Friedrich
438da67209
Merge pull request #7210 from Icinga/bugfix/boost-asio-deprecated
...
Quality: Replace deprecated get_io_service() with get_executor().context() for Boost ASIO
2019-05-29 15:40:19 +02:00
Michael Friedrich
59b95ed1f0
Quality: Replace deprecated get_io_service() with get_executor().context() for Boost ASIO
...
refs #7041
2019-05-29 14:36:10 +02:00
Michael Friedrich
120aba3919
Quality: Removed unused HttpChunkedEncoding class
2019-05-28 13:46:19 +02:00
Michael Friedrich
e606d14705
Quality: Clean JsonRPC class and add function docs
2019-05-24 15:50:43 +02:00
Michael Friedrich
f933aafd29
Quality: Purge old HTTP code in lib/remote
2019-05-24 15:50:43 +02:00
Michael Friedrich
af42e2dfc0
Merge pull request #7178 from Icinga/bugfix/api-package-repair
...
API: Automatically repair broken _api package
2019-05-10 14:40:48 +02:00
Michael Friedrich
6c9c65323e
Workaround for boost::filesystem and Visual Studio on Windows
2019-05-10 13:38:12 +02:00
Michael Friedrich
6cce9c0fdd
API: Automatically repair broken packages
...
This partially reverts #7150 and avoids exceptions
inside the flow. Each time an empty active stage
is detected, Icinga tries to repair it from the
the given directory tree.
Also, the code now takes into account that it should
create the package storage on startup, whether within
the API object, or if disabled, inside the application.
Caching the active stages for packages in memory
only is in effect with the API feature being enabled.
This is useful for other deployed config packages,
not only the internal one.
fixes #7173
refs #7150
refs #7119
fixes #6959
2019-05-10 12:48:34 +02:00
Elias Ohm
4c86c370bb
fixup errbuf length in the other files and avoid using the static buffer in one place (for thread safety and code consistency reasons)
2019-05-09 09:30:12 +02:00
Michael Friedrich
03324b2fb6
Config packages: Catch active stage exceptions in rare cases
...
Typically this already is detected on startup.
2019-05-08 16:43:27 +02:00
Michael Friedrich
704aabcb63
Avoid dead-lock with config packages and active stages
2019-05-08 16:06:46 +02:00
Elias Ohm
c10ff9dd72
try without initialization of frame Locals which are not used for permissions filter and as far as I can see also not for query filters
2019-05-02 09:03:30 +02:00
Elias Ohm
53febdea81
use current frame scope for permission filter function calls
2019-05-02 07:35:19 +02:00
Michael Friedrich
502c43fb12
Active packages: Don't try to fix broken config packages which are not cached yet
2019-04-30 12:19:35 +02:00
Michael Friedrich
2bca7a5bb5
Repair broken API config packages at runtime
...
This means a new timer which checks every 5m whether the
active-stage can be read, and if not, it overwrites the
file on disk with the details from memory.
2019-04-26 14:53:36 +02:00
Michael Friedrich
f92c134b0a
Cluster: Don't try to sync objects from broken _api package
2019-04-26 14:43:38 +02:00
Michael Friedrich
c821e73364
Cache the API package stage name with a active-stage fallback
...
This prevents reading the file everytime the stageName is required
for when creating a runtime object via REST API.
2019-04-26 13:40:27 +02:00
Michael Friedrich
37de1a919b
Merge pull request #7088 from Icinga/feature/asio-event-queue
...
Implement new event queue for ASIO consumers
2019-04-25 16:54:43 +02:00
Michael Friedrich
a7873da89d
Eventqueue: Remove unused code
2019-04-25 16:21:07 +02:00
Alexander A. Klimov
e86e3cc234
EventsFilter#Push(): ensure not to modify the global namespace
2019-04-25 15:56:38 +02:00
Alexander A. Klimov
c209cf830b
/v1/events: don't over-consume CPU-bound threads
2019-04-25 15:56:38 +02:00
Alexander A. Klimov
5e8b4280bc
New event queue: handle empty filter
2019-04-25 15:56:38 +02:00
Alexander A. Klimov
94db282fd1
/v1/events: remove anti-deadlock hack
2019-04-25 15:56:38 +02:00
Alexander A. Klimov
81713d0509
/v1/events: use new event queue
2019-04-25 15:56:38 +02:00
Alexander A. Klimov
7688994601
Implement new event queue for ASIO consumers
2019-04-25 15:56:38 +02:00
Michael Friedrich
0438c866f8
Merge pull request #7102 from Icinga/feature/boost-fs-7101
...
Replace self-written filesystem ops with boost.filesystem
2019-04-25 15:53:55 +02:00
Alexander A. Klimov
5afef1015d
Replace unlink() with boost::filesystem::remove()
...
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov
5a17722c1f
Replace _unlink() + rename() with boost::filesystem::rename()
...
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov
ba842403ce
Fix circular #include
...
refs #6985
2019-04-25 08:25:28 +02:00
Michael Friedrich
1ac693bf13
Merge pull request #7137 from Icinga/bugfix/disconnect-log-more-spam
...
JsonRpcConnection: reduce log spam on disconnect
2019-04-23 14:50:18 +02:00
Michael Friedrich
0f804d126b
Merge pull request #7133 from Icinga/feature/boost-asio-pki
...
Use new I/O engine in PkiUtility::FetchCert() and PkiUtility::RequestCertificate()
2019-04-23 14:27:48 +02:00
Alexander A. Klimov
a6cd3e65cb
JsonRpcConnection: reduce log spam on disconnect
2019-04-23 14:09:07 +02:00
Michael Friedrich
20d51d21dc
Merge pull request #7127 from Icinga/bugfix/replay-log
...
ApiListener#RotateLogFile(): don't overwrite previous log
2019-04-23 12:08:12 +02:00
Michael Friedrich
5fb191bbeb
Merge pull request #7126 from Icinga/bugfix/replay-logs-6932
...
ApiListener#ApiTimerHandler(): delete all replayed logs
2019-04-23 12:07:02 +02:00
Alexander A. Klimov
407e77883c
ApiListener#ReplayLog(): read current log file too instead of rotating
2019-04-18 17:22:36 +02:00
Alexander A. Klimov
997d84bfa0
ApiListener#RotateLogFile(): don't overwrite previous log
2019-04-18 17:22:33 +02:00
Alexander A. Klimov
9b489cf9b9
ApiListener#ApiTimerHandler(): delete all replayed logs
...
refs #6932
2019-04-18 17:00:40 +02:00
Alexander A. Klimov
f44e847717
Rotate replay log on shutdown, not on startup
2019-04-17 14:18:20 +02:00
Michael Friedrich
64568f5966
Merge pull request #7121 from Icinga/bugfix/concurrent-checks
...
Fix that MaxConcurrentChecks constant is overridden from 'checker' feature
2019-04-17 13:14:32 +02:00
Michael Friedrich
ab97d606db
Merge pull request #7122 from Icinga/bugfix/evaluatefilter-change-globals
...
FilterUtility::EvaluateFilter(): ensure not to modify the global namespace
2019-04-16 17:40:20 +02:00
Alexander A. Klimov
bdadb53940
FilterUtility::EvaluateFilter(): ensure not to modify the global namespace
2019-04-16 15:53:44 +02:00
Michael Friedrich
b906714254
Fix that MaxConcurrentChecks constant is overridden from 'checker' feature
...
Note: This drops the deprecated concurrent_checks setting from the checker feature
entirely and refactors the underlaying code handling.
Also affects ReloadTimeout which is new for 2.11.
fixes #7111
2019-04-16 15:04:57 +02:00
Elias Ohm
1e7cd4afc8
* use dedicated permissions namespace for scriptframe in filterutility to allow proper parallel execution
...
* fixes issue https://github.com/Icinga/icinga2/issues/6785 where permission checks get wrong result because permissions checks are done within a shared namespaces without using only unique keys
* mitigates issue https://github.com/Icinga/icinga2/issues/6874 where segmentation faults occur because of concurrent access to non threadsafe parts of namespace (a fix for thread safety of namespaces which would be an alternative approach to get rid of these segfaults is out of scope of this fix as 6785 needs to be fixed anyway and this is the straight-forwards) way to fix that
* do the same for eventqueue (not certain whether events can be processed in parallel but I expect it is the case)
2019-04-12 08:10:57 +02:00
Michael Friedrich
973b03dcb2
Merge pull request #7109 from Icinga/feature/enhance-cluster-message-send-code-docs
...
Improve code docs for cluster message routing conditions
2019-04-11 11:20:46 +02:00
Michael Friedrich
b24a3be083
Improve code docs for cluster message routing conditions
...
refs #6781
2019-04-10 14:17:36 +02:00
Alexander A. Klimov
de04bb13a8
JsonRpcConnection: reduce log spam on disconnect
2019-04-09 13:53:41 +02:00
Michael Friedrich
f177d8786d
HttpServerConnection: Log the user agent field for new requests too
...
refs #7041
2019-04-05 15:08:09 +02:00
Michael Friedrich
b1042c3689
Merge pull request #7076 from Icinga/bugfix/eventqueue-leak
...
/v1/events: terminate on disconnect
2019-04-05 10:31:30 +02:00
Alexander A. Klimov
2e4e2e1a79
/v1/events: don't deadlock other coroutines
2019-04-05 09:22:42 +02:00
Michael Friedrich
5c3a9b77d7
Always update object authority, even w/o API feature
...
Regression from #7062
Thanks @nilmerg :)
2019-04-03 13:48:24 +02:00
Alexander A. Klimov
2e5af2922b
/v1/events: terminate on disconnect
2019-04-03 09:59:45 +02:00
Alexander A. Klimov
4c5ee0dbbf
EventQueue#WaitForEvent(): re-add timeout
2019-04-03 09:53:45 +02:00
Alexander A. Klimov
28d46052b0
HttpServerConnection#StartStreaming(): auto-detect disconnection
2019-04-03 09:50:52 +02:00
Alexander A. Klimov
c284cf0b68
HttpServerConnection: encapsulate streaming start indicator
2019-04-02 17:37:29 +02:00
Alexander A. Klimov
09a2e04f4b
EventQueue#WaitForEvent(): don't lock I/O thread while locking mutex
2019-04-02 14:38:06 +02:00
Alexander A. Klimov
00d859234e
Use new I/O engine in PkiUtility::FetchCert() and PkiUtility::RequestCertificate()
2019-04-01 17:18:00 +02:00
Alexander A. Klimov
6e7932f157
Add non-async overloads for JsonRpc::ReadMessage() and JsonRpc::SendMessage()
2019-04-01 17:11:10 +02:00
Alexander A. Klimov
f2d9d91e83
Introduce UnbufferedAsioTlsStream#GetPeerCertificate()
2019-04-01 17:11:09 +02:00
Michael Friedrich
5c2aaf6380
Improve error logging on connection failure (cluster)
2019-04-01 16:13:37 +02:00
Alexander A. Klimov
64b2ac4b30
ApiListener: drop unused thread pool
2019-04-01 15:06:17 +02:00
Alexander A. Klimov
3a6caa2800
Respect Accept:application/json where possible
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
24c9542b5b
HttpServerConnection: fix side effect of HTTP parser's default body limit
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
d428bdf384
Add missing includes
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
5b2c1f023d
Rename preventGc to keepAlive
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
5208448b76
Restore the previous performance of replaying logs
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
79e95d2355
Introduce JsonRpcConnection#SendMessageInternal()
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
e6d78bf361
Move some TCP/TLS logic out of ApiListener
...
... for re-using it
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
8b3efe5759
Introduce AsioConditionVariable
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
e129c561d5
HttpServerConnection: don't disconnect during sending response
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
326bf66255
ApiListener: use setsockopt(), not tcp::acceptor#set_option()
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
b5fddaf3ce
ApiListener: log why bind(2) failed
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
19625e62ef
ApiListener: fix self-made security hole
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
87b0c452db
HttpServerConnection: re-add automatic disconnect
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
f029fd4884
Re-add HttpServerConnection#Disconnect()
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
16913cb977
JsonRpcConnection: add missing CpuBoundWork
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
a451327b81
JsonRpcConnection: re-add num_json_rpc_work_queue_item_rate
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
a54bd9d5c4
JsonRpcConnection: re-add automatic disconnect
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
7aae8bd265
JsonRpcConnection: re-add heartbeats
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
84b411501b
Re-add JsonRpcConnection#Disconnect()
2019-04-01 13:31:16 +02:00
Alexander A. Klimov
2d16b02520
ApiListener#NewClientHandlerInternal(): shut down TLS stream
2019-04-01 13:30:42 +02:00
Alexander A. Klimov
c46157d552
ApiListener: fix self-made security hole
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
f9fff54da2
ApiListener: don't require a valid certificate for the TLS handshake to complete
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
6c86c127f1
Port JsonRpcConnection to Boost ASIO
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
c76947e8b9
JsonRpc::ReadMessage(): add Boost ASIO overload
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
48b5824e37
ApiListener: send icinga::Hello message
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
49ac7777e0
JsonRpc::SendMessage(): add Boost ASIO overload
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
832365195d
ApiListener: connect(2) via Boost ASIO
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
e9a64abd09
ApiListener#ListenerCoroutineProc(): catch more edge cases
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
a6813ec786
ApiListener: restore previous bind(2) behavior
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
493a97f4f3
EnsureAcceptHeader(): fix wrong condition
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
8c5d629d35
/v1/events: don't truncate any events
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
7681ec10a4
/v1/events: don't lock I/O thread
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
fd239ba3fe
Adjust /v1/events, too
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
1941c1da28
Adjust all HTTP handlers (ex. /v1/events)
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
9ae1d732af
HttpServerConnection: actually handle requests
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
7fe0431ada
HttpServerConnection: verify requests via Boost ASIO + Beast
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
04a9879acc
Add HttpUtility::SendJsonError() overload for Boost/Beast
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
fc22cbaf09
Add HttpUtility::SendJsonBody() overload for Boost/Beast
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
e21956e26e
ApiListener: detect protocol
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
539855bac1
ApiListener: verify peer
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
720c53ab77
ApiListener: perform TLS handshake
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
2615967e7f
Make ApiListener#m_SSLContext a Boost ASIO SSL context
2019-04-01 11:40:14 +02:00
Alexander A. Klimov
e4f3422b3a
ApiListener: listen(2) via Boost ASIO
2019-04-01 11:40:14 +02:00
Michael Friedrich
4a26a48778
Code Quality: Move authority.cpp into the ApiListener class scope
2019-04-01 08:51:18 +02:00
Michael Friedrich
149f640fd8
Improve DB IDO HA failover behaviour
...
- Decrease Object Authority updates to 10s (was 30s)
- Decrease failover timeout to 30s (was 60s)
- Decrease cold startup (after (re)start) with no OA updates to 30s (was 60s)
- Immediately connect on Resume()
- Fix query priority which got broken with #6970
- Add more logging when a failover is in progress
```
[2019-03-29 16:13:53 +0100] information/IdoMysqlConnection: Last update by endpoint 'master1' was 8.33246s ago (< failover timeout of 30s). Retrying.
[2019-03-29 16:14:23 +0100] information/IdoMysqlConnection: Last update by endpoint 'master1' was 38.3288s ago. Taking over 'ido-mysql' in HA zone 'master'.
```
- Add more logging for reconnect and disconnect handling
- Add 'last_failover' attribute to IDO*Connection objects
refs #6970
2019-04-01 08:50:00 +02:00
Michael Friedrich
804c00ece5
Merge pull request #6999 from Icinga/bugfix/compiler-warnings
...
Suppress or fix compiler warnings
2019-03-18 08:44:30 +01:00
Alexander A. Klimov
bf92e32496
Suppress or fix compiler warnings
2019-03-08 14:07:29 +01:00
Alexander A. Klimov
37b044ecda
PkiUtility::NewCa(): just warn if the CA files already exist
2019-03-01 14:37:45 +01:00
Michael Friedrich
e2df11520e
Merge pull request #6970 from Icinga/bugfix/perfdata-gaps
...
Improve reload handling for features (metric & queue flush, activation priority)
2019-02-26 15:38:15 +01:00
Michael Friedrich
458f997a18
Replace Copyright header with a short version, part II
2019-02-25 15:09:36 +01:00
Michael Friedrich
d14a88235d
Replace Copyright header with a short version, part I
...
CLion -> replace in path
2019-02-25 14:48:22 +01:00
Michael Friedrich
ab7a799369
Implement ReloadTimeout constant and wait for enqueued checks on Stop()
2019-02-25 09:03:47 +01:00
Alexander A. Klimov
9558ebc0f4
Secure ApiUser::GetByAuthHeader() against timing attacks
2019-02-22 16:59:36 +01:00
Michael Friedrich
b08d485a41
Merge pull request #6857 from Icinga/bugfix/check_nscp_api-query-sorted-6536
...
Url#m_Query: preserve order
2019-02-11 17:57:32 +01:00
Peter Eckel
5d59863725
Avoid duplicating non-zero count message replay messages in the debug log
2019-02-11 13:54:17 +01:00
Michael Friedrich
b16c22448e
Cluster: Delete object message should log that
...
Atm it is a copy-paste error and irritates during debugging.
Coming from my analysis of existing cluster messages.
2019-01-28 17:39:22 +01:00
Jean Flach
2aff6a5887
Don't run UpdateObjectAuthority for Comments and Downtimes
2019-01-10 11:44:14 +01:00
Michael Friedrich
e1a941e5c7
Merge pull request #6880 from Icinga/bugfix/pki-requestcertificate-no-cert
...
pki::RequestCertificate: handle missing certificate/CSR
2019-01-09 09:30:27 +01:00
Alexander A. Klimov
4a7960f21b
pki::RequestCertificate: handle missing certificate/CSR
2019-01-08 11:49:44 +01:00
Alexander A. Klimov
f4ab0737d1
HttpServerConnection#DataAvailableHandler(): reduce log spam
2019-01-07 15:32:19 +01:00
Alexander A. Klimov
eeb609d4ae
Url#m_Query: preserve order
...
refs #6536
2018-12-21 11:52:37 +01:00
Michael Friedrich
b58ce84b0e
Merge pull request #6817 from Icinga/bugfix/stalled-tls-connections-6816
...
HttpServerConnection#DataAvailableHandler(): be aware of being called multiple times concurrently
2018-12-05 11:35:35 +01:00
Alexander A. Klimov
7e630c7732
HttpServerConnection#DataAvailableHandler(): be aware of being called multiple times concurrently
...
refs #6816
2018-12-03 19:05:41 +01:00
Michael Friedrich
5f25eb6b2d
Add a code comment for connection: close handling
2018-12-03 14:40:50 +01:00
Sven Wegener
a83dbc9de5
Restore 'Connection: close' behaviour in HTTP responses
...
Actually the `corked` functionality caused problems with
not closing connections properly.
Full Analysis: https://github.com/Icinga/icinga2/issues/6799#issuecomment-443710338
Full credits to @swegener :)
fixes #6799
2018-12-03 14:27:37 +01:00
Alexander A. Klimov
8de5326d23
Remove redundand check for object existence on creation via API
...
refs #3937
2018-11-29 17:51:53 +01:00
Michael Friedrich
5406ce6540
Ensure that API/JSON-RPC messages in the same session are processed and not stalled
...
This basically drops the "corked" implementation which just stalled the
TLS IO polling after some requests. If you need sort of rate limiting
for these events, use an external TLS proxy which terminates that in front
of Icinga.
fixes #6635
2018-10-29 12:57:24 +01:00
Michael Friedrich
6de4cef3ae
Merge pull request #6719 from Icinga/fix/finished-reconnect-message
...
Do not send 'finished reconnecting...' if failed
2018-10-24 11:51:34 +02:00
Michael Friedrich
bd8e9f55da
Merge pull request #6662 from Icinga/bugfix/keep-http-connection-open-until-stream-eof
...
Keep the HTTP server connection open until the stream is EOF
2018-10-24 11:31:06 +02:00
Michael Friedrich
3cb2c1d143
icinga.com: Update everything else
2018-10-18 09:50:53 +02:00
Michael Friedrich
dea5ec614e
icinga.com: Update CMakeLists.txt
2018-10-18 09:35:18 +02:00
Michael Friedrich
44c3b83769
icinga.com: Update '*.ti'
2018-10-18 09:30:00 +02:00
Michael Friedrich
dab53448bc
icinga.com: Update *.{h,c}pp
2018-10-18 09:27:04 +02:00
Michael Friedrich
34de8104b8
Fix regression with API permission filters and namespaces in v2.10
...
fixes #6682
2018-10-15 15:47:11 +02:00
Michael Friedrich
85e161ea1e
Silence config compiler logging for runtime created objects
...
This is especially problematic with many single creation requests,
e.g. many downtimes created via Icinga Web 2 & the REST API.
In addition to the config compiler messages, apply rule matches are
also in there which are removed by this patch.
2018-10-09 16:41:17 +02:00
Michael Friedrich
83a428c1ba
Keep the HTTP server connection open until the stream is EOF
...
fixes #4968
2018-10-09 16:01:43 +02:00
Michael Friedrich
e6eb703b36
Merge pull request #6661 from Icinga/bugfix/cache-http-peer-address
...
Cache the peer address in the HTTP server
2018-10-09 16:00:27 +02:00
Michael Friedrich
5c32a5a7dc
Cache the peer address in the HTTP server
...
Later socket calls are expensive and might lead
into a race condition on close when logging it.
refs #6655
2018-10-09 15:40:16 +02:00
Michael Friedrich
58cfc3955d
Merge pull request #6658 from Icinga/bugfix/api-connection-close-req-by-client
...
Ensure that HTTP/1.0 or 'Connection: close' headers are properly disconnecting the client
2018-10-09 13:49:22 +02:00
Michael Friedrich
9352f4bfb3
Merge pull request #6657 from Icinga/feature/api-debug-log-request-body
...
Enable the HTTP request body debug log entry for release builds
2018-10-09 13:29:00 +02:00
Michael Friedrich
13239c3172
Ensure that HTTP/1.0 or Connection: close headers are properly disconnecting the client
...
Test results: https://github.com/Icinga/icinga2/issues/6514#issuecomment-428155731
fixes #6514
2018-10-09 13:23:23 +02:00
Michael Friedrich
73263b7702
Enable the HTTP request body debug log entry for release builds
...
fixes #4282
2018-10-09 12:55:53 +02:00
Michael Friedrich
57081176de
Improve logging for disconnected HTTP clients
...
Previously this was inside the debug log, with the
new socket printers we can enhance checking for proper
connects and disconnects.
refs #6514
2018-10-09 12:22:19 +02:00
Michael Friedrich
82178e3b33
Don't inherit daemonize parameter from parent process
2018-09-27 20:30:19 +02:00
Thomas Forrer
816cae98fa
Fix config validation problem (startup.log) during /v1/config/stages API call
...
copy all arguments of parent process in AsyncTryActivateStage
2018-09-27 20:27:09 +02:00
Michael Friedrich
64e273afdd
Merge pull request #6639 from Icinga/fix/windows-api-log-rename
...
Ensure to _unlink before renaming replay log on Windows
2018-09-27 08:02:00 +02:00
Michael Friedrich
c979f86e4e
Merge pull request #6632 from Icinga/feature/cluster-faster-reconnect
...
Increase the cluster reconnect frequency to 10s
2018-09-25 17:07:01 +02:00
Michael Friedrich
cbde35ff22
Use a dynamic thread pool for API connections
...
The full analysis is located in #6517 .
fixes #6517
2018-09-25 12:43:10 +02:00
Michael Friedrich
cd819f74f4
Increase the cluster reconnect frequency to 10s
...
This is blocked by #6517 .
refs #6234
2018-09-25 12:36:30 +02:00
Michael Friedrich
29701b4db5
Add ApiListener#tls_handshake_timeout option
...
This allows to specify the previously hardcoded
timeout of 10s.
refs #6517
2018-09-14 09:20:09 +02:00
Michael Friedrich
dd59964702
Merge pull request #6596 from Icinga/bugfix/gcc-8-f28-hardening-crash
...
Fix crash on API queries with Fedora 28 hardening and GCC 8
2018-09-11 20:44:12 +02:00
Noah Hilverling
3854ed683b
Improve TLS handshake exception logging
2018-09-06 15:58:42 +02:00
Michael Friedrich
1f4f6282c7
Fix crash on API queries with Fedora 28 hardening and GCC 8
...
The actual fix is to handle nullptr references differently
for an empty filter expression. The other changes include
oob checks not necesarily involved.
fixes #6533
2018-09-06 09:56:04 +02:00
Michael Friedrich
9a75f47fc5
Allow to configure anonymous clients limit inside the ApiListener object
...
Previously this was hardcoded, and for security reasons users might want
to adjust this value. This affects CSR signing requests as well as
clients which have not yet been configured as endpoints on the current
node.
refs #6566
2018-09-05 17:45:35 +02:00
Michael Friedrich
a1ec919f5b
Raise the message size for anonymous client and pki request calls to 1MB
...
If one sends the full certificate chain, this previous limit of 64KB
could be hit.
2018-09-05 17:44:05 +02:00
Michael Friedrich
237fd520db
Merge pull request #6509 from gunnarbeutner/feature/real-constants
...
Implement support for namespaces
2018-08-24 12:10:10 +02:00
Michael Friedrich
7a22113f86
Merge pull request #6570 from Icinga/bugfix/tls-anonymous-clients-limit
...
Increase limit for simultaneously connected anonymous TLS clients
2018-08-23 17:13:41 +02:00