Build lightwave-1.3.1-7.

Merge remote-tracking branch 'origin/dev'.

Change-Id: I34a727ffcc54ace10616c8b6fd94a9cd7af229ff

HyperMake

@@ -50,6 +50,24 @@ targets:
     cmds:
       - ./support/scripts/pack.sh
 
+  docker-lightwave-base:
+    description: build lightwave-base docker image
+    build: ./support/docker/base
+    image: 'vmware/lightwave-base:1.0.0'
+
+  docker-lightwave-pre:
+    description: Prepare for container build
+    cmds:
+      - ./support/scripts/prep-container-build.sh
+    always: true
+
+  docker-lightwave:
+    description: build lightwave docker image
+    build: ./build/docker
+    image: 'vmware/lightwave-sts'
+    after:
+      - docker-lightwave-pre
+
   clean:
     description: Cleanup
     always: true
@@ -61,4 +79,4 @@ settings:
     - build
     - pack
   docker:
-    image: 'vmware/lightwave-toolchain-photon:0.0.1'
+    image: 'vmware/lightwave-toolchain-photon:0.0.3'

build/package/rpm/lightwave.spec

@@ -8,8 +8,8 @@ License: VMware
 URL:     http://www.vmware.com
 BuildArch: x86_64
 
-Requires: openssl >= 1.0.2, coreutils >= 8.22, cyrus-sasl >= 2.1, likewise-open >= 6.2.11, gawk >= 4.1.3, boost = 1.60.0, lightwave-server = %{_version}, lightwave-client = %{_version}
-BuildRequires: openssl-devel >= 1.0.2, coreutils >= 8.22, likewise-open-devel >= 6.2.11, python2-devel >= 2.7.8, boost-devel = 1.60.0
+Requires: openssl >= 1.0.2, coreutils >= 8.22, cyrus-sasl >= 2.1, c-rest-engine = 1.1, likewise-open >= 6.2.11, gawk >= 4.1.3, boost = 1.60.0, lightwave-server = %{_version}, lightwave-client = %{_version}
+BuildRequires: openssl-devel >= 1.0.2, coreutils >= 8.22, likewise-open-devel >= 6.2.11, python2-devel >= 2.7.8, boost-devel = 1.60.0, c-rest-engine-devel = 1.1
 
 %if 0%{?fedora} >= 21
 Requires: java-1.8.0-openjdk >= 1.8.0.131, krb5-libs >= 1.14, sqlite >= 3.14, tomcat >= 8.5.16, apache-commons-daemon >= 1.0.15, apache-commons-daemon-jsvc >= 1.0.15
@@ -1032,7 +1032,6 @@ Lightwave POST service
 %{_bindir}/vdcupgrade
 %{_bindir}/vmkdc_admin
 %{_bindir}/vdcmetric
-%{_bindir}/vdcschema
 %{_bindir}/vmdir_upgrade.sh
 %{_bindir}/vdcresetMachineActCred
 
@@ -1077,6 +1076,8 @@ Lightwave POST service
 %{_bindir}/vmdns-cli
 %{_bindir}/vdcaclmgr
 %{_bindir}/vdcpromo
+%{_bindir}/vdcschema
+%{_bindir}/postschema
 %{_bindir}/vecs-cli
 %{_lib64dir}/libkrb5crypto.so*
 %{_lib64dir}/libcsrp.so*
@@ -1156,7 +1157,6 @@ Lightwave POST service
 
 %{_bindir}/postadmintool
 %{_bindir}/postaclmgr
-%{_bindir}/postschema
 %{_bindir}/post-cli
 
 %{_lib64dir}/sasl2/libsaslpostdb.so*
@@ -1172,6 +1172,7 @@ Lightwave POST service
 %{_configdir}/lw-firewall-post.json
 
 %config %attr(750, root, root) %{_datadir}/config/post-demote-deads.sh
+%config %attr(750, root, root) %{_datadir}/config/refresh-resolve-conf.sh
 
 %files devel
 

lwraft/client/client.c

@@ -125,10 +125,12 @@ VmDirRefreshActPassword(
         BAIL_ON_VMDIR_ERROR(dwError);
     }
 
-    dwError = VmDirSafeLDAPBind( &pLD,
-                                 pszHost,
-                                 pszActUPN,
-                                 pszActPassword);
+    dwError = VmDirSafeLDAPBindExt1(
+        &pLD,
+        pszHost,
+        pszActUPN,
+        pszActPassword,
+        MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
     BAIL_ON_VMDIR_ERROR(dwError);
 
     dwError = VmDirDomainNameToDN( pszDomain, &pszDomainDN);
@@ -2415,10 +2417,12 @@ _VmDirModDcPassword(
     DWORD    dwError = 0;
     LDAP*    pLD     = NULL;
 
-    dwError = VmDirSafeLDAPBind(&pLD,
-                                pszHostName,
-                                pszUPN,
-                                pszPassword);
+    dwError = VmDirSafeLDAPBindExt1(
+        &pLD,
+        pszHostName,
+        pszUPN,
+        pszPassword,
+        MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
     BAIL_ON_VMDIR_ERROR(dwError);
 
     dwError = VmDirLdapModReplaceAttribute(pLD,

lwraft/client/defines.h

@@ -322,6 +322,8 @@ the buffer size will always be adequate.
         "Invalid ACE"}, \
     {VMDIR_ERROR_ACE_NOT_FOUND, \
         "ACE not found"}, \
+    {VMDIR_ERROR_NO_LEADER, \
+        "No leader"}, \
 };
 
 #define VMDIR_RPC_ERROR_TABLE_INITIALIZER \

lwraft/client/ldaputil.c

@@ -542,10 +542,12 @@ VmDirConnectLDAPServer(
     dwError = VmDirAllocateStringPrintf(&pszUPN, "%s@%s", pszUserName, pszDomain);
     BAIL_ON_VMDIR_ERROR(dwError);
 
-    dwError = VmDirSafeLDAPBind( &pLocalLd,
-                                 pszHostName,
-                                 pszUPN,
-                                 pszPassword);
+    dwError = VmDirSafeLDAPBindExt1(
+        &pLocalLd,
+        pszHostName,
+        pszUPN,
+        pszPassword,
+        MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
     BAIL_ON_VMDIR_ERROR(dwError);
 
     *ppLd = pLocalLd;

lwraft/client/repadmin.c

@@ -80,7 +80,7 @@ DWORD VmDirCreateLdAtHostViaMachineAccount(
     dwError = VmDirStringPrintFA( bufUPN, sizeof(bufUPN)-1,  "%s@%s", pszDCAccount, pszDomain);
     BAIL_ON_VMDIR_ERROR(dwError);
 
-    dwError = VmDirSafeLDAPBind( &pLd, pszServerName, bufUPN, pszDCAccountPassword);
+    dwError = VmDirSafeLDAPBindExt1( &pLd, pszServerName, bufUPN, pszDCAccountPassword, MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
     BAIL_ON_VMDIR_ERROR(dwError);
 
     *ppLd = pLd;

lwraft/common/ldapbind.c

@@ -99,6 +99,18 @@ VmDirSASLSRPBind(
      PCSTR      pszUPN,
      PCSTR      pszPass
      )
+{
+    return VmDirSASLSRPBindExt1(ppLd, pszURI, pszUPN, pszPass, -1);  // -1 == no timeout
+}
+
+DWORD
+VmDirSASLSRPBindExt1(
+     LDAP**     ppLd,
+     PCSTR      pszURI,
+     PCSTR      pszUPN,
+     PCSTR      pszPass,
+     int        iTimeout
+     )
 {
     DWORD       dwError = 0;
     int         retVal = 0;
@@ -108,6 +120,10 @@ VmDirSASLSRPBind(
     const int   iSaslNoCanon = 1;
     VMDIR_SASL_INTERACTIVE_DEFAULT srpDefault = {0};
     int         iCnt = 0;
+    struct timeval  optTimeout={0};
+
+    optTimeout.tv_usec = 0;
+    optTimeout.tv_sec = iTimeout;
 
     if ( ppLd == NULL || pszURI == NULL || pszUPN == NULL || pszPass == NULL )
     {
@@ -133,6 +149,14 @@ VmDirSASLSRPBind(
         retVal = ldap_set_option(pLd, LDAP_OPT_X_SASL_NOCANON, &iSaslNoCanon);
         BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
 
+        // timeout connect
+        retVal = ldap_set_option(pLd, LDAP_OPT_TIMEOUT, (void *)&optTimeout);
+        BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
+
+        // timeout poll
+        retVal = ldap_set_option(pLd, LDAP_OPT_NETWORK_TIMEOUT, (void *)&optTimeout);
+        BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
+
         retVal = ldap_sasl_interactive_bind_s( pLd,
                                                 NULL,
                                                 "SRP",
@@ -141,6 +165,7 @@ VmDirSASLSRPBind(
                                                 LDAP_SASL_QUIET,
                                                 _VmDirSASLSRPInteraction,
                                                 &srpDefault);
+#ifndef LIGHTWAVE_BUILD
         if (retVal == LDAP_SERVER_DOWN)
         {
             VmDirSleep(50); // pause 50 ms
@@ -152,6 +177,7 @@ VmDirSASLSRPBind(
             continue;   // if transient network error, retry once.
         }
         else
+#endif
         {
             break;
         }
@@ -288,18 +314,29 @@ VmDirSSLBind(
     goto cleanup;
 }
 
+DWORD
+VmDirSafeLDAPBind(
+    LDAP**      ppLd,
+    PCSTR       pszHost,
+    PCSTR       pszUPN,
+    PCSTR       pszPassword
+    )
+{
+   return VmDirSafeLDAPBindExt1(ppLd, pszHost, pszUPN, pszPassword, -1);   // -1 == no timeout
+}
 /*
  * Bind to partner via "SRP" mechanism.
  */
 DWORD
-VmDirSafeLDAPBind(
+VmDirSafeLDAPBindExt1(
     LDAP**      ppLd,
     PCSTR       pszHost,
     PCSTR       pszUPN,
-    PCSTR       pszPassword
+    PCSTR       pszPassword,
+    int         iTimeout
     )
 {
-    return VmDirSafeLDAPBindToPort(ppLd, pszHost, 0, pszUPN, pszPassword);
+    return VmDirSafeLDAPBindToPort(ppLd, pszHost, 0, pszUPN, pszPassword, iTimeout);
 }
 
 DWORD
@@ -308,7 +345,8 @@ VmDirSafeLDAPBindToPort(
     PCSTR       pszHost,
     DWORD       dwPort,
     PCSTR       pszUPN,
-    PCSTR       pszPassword
+    PCSTR       pszPassword,
+    int         iTimeout
     )
 {
     DWORD       dwError = 0;
@@ -349,7 +387,7 @@ VmDirSafeLDAPBindToPort(
     }
     BAIL_ON_VMDIR_ERROR(dwError);
 
-    dwError = VmDirSASLSRPBind( &pLd, &(ldapURI[0]), pszUPN, pszPassword);
+    dwError = VmDirSASLSRPBindExt1( &pLd, &(ldapURI[0]), pszUPN, pszPassword, iTimeout);
     BAIL_ON_VMDIR_ERROR(dwError);
 
     *ppLd = pLd;
@@ -360,8 +398,8 @@ VmDirSafeLDAPBindToPort(
 
 error:
 
-    VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "VmDirSafeLDAPBind to (%s) failed. SRP(%d)",
-                     ldapURI, dwError );
+    VMDIR_LOG_ERROR( VMDIR_LOG_MASK_ALL, "%s to (%s) failed. SRP(%d)",
+                     __FUNCTION__, ldapURI, dwError );
 
     if ( pLd )
     {
@@ -384,7 +422,7 @@ VmDirAnonymousLDAPBind(
     PCSTR       pszLdapURI
     )
 {
-    return VmDirAnonymousLDAPBindWithTimeout(ppLd, pszLdapURI, 0);
+    return VmDirAnonymousLDAPBindWithTimeout(ppLd, pszLdapURI, MAX_LDAP_CONNECT_NETWORK_TIMEOUT);
 }
 
 
@@ -418,6 +456,12 @@ VmDirAnonymousLDAPBindWithTimeout(
     if (timeout > 0)
     {
         nettimeout.tv_sec = timeout;
+
+        // timeout connect
+        retVal = ldap_set_option( pLocalLd, LDAP_OPT_TIMEOUT, (void *)&nettimeout);
+        BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
+
+        // timeout poll
         retVal = ldap_set_option( pLocalLd, LDAP_OPT_NETWORK_TIMEOUT, (void *)&nettimeout);
         BAIL_ON_SIMPLE_LDAP_ERROR(retVal);
     }
@@ -642,6 +686,8 @@ VmDirMapLdapError(
             return VMDIR_ERROR_DATA_CONSTRAINT_VIOLATION;
         case LDAP_BUSY:
             return VMDIR_ERROR_BUSY;
+        case LDAP_TIMEOUT:
+            return VMDIR_ERROR_NETWORK_TIMEOUT;
         default:
             return VMDIR_ERROR_GENERIC;
     }

lwraft/config/Makefile.am

@@ -6,6 +6,7 @@ lwraftconf_DATA = \
     saslpostd.conf \
     post-rest.json \
     post-telegraf.conf \
-    post-demote-deads.sh
+    post-demote-deads.sh \
+    refresh-resolve-conf.sh
 
 bin_SCRIPTS = 

lwraft/config/deployment/aws/appspec.yml

@@ -8,10 +8,6 @@ files:
   - source: /
     destination: /var/vmware/lightwave
 hooks:
-  BeforeBlockTraffic:
-    - location: scripts/before_block_traffic.sh
-      timeout: 300
-      runas: root
   ApplicationStop:
     - location: scripts/application_stop.sh
       timeout: 300

lwraft/config/deployment/aws/crontab/post-cron.txt

@@ -1,2 +1,2 @@
 */3 * * * *    /opt/vmware/share/config/post-demote-deads.sh
-*/5 * * * *    systemctl restart systemd-networkd systemd-resolved
+*/5 * * * *    /opt/vmware/share/config/refresh-resolve-conf.sh

lwraft/config/deployment/aws/scripts/after_allow_traffic.sh

@@ -6,7 +6,7 @@ source $(dirname $(realpath $0))/common.sh
 
 echo "Step 1: Check if localhost is the leader (if yes, continue)"
 
-get_tag_value "POST_PASSWORD" POST_PASSWORD
+get_post_password POST_PASSWORD
 
 LOCALHOST=`hostname -f | awk '{print tolower($0)}'`
 LEADER=$(/opt/vmware/bin/post-cli node state --server-name localhost --login administrator --password ${POST_PASSWORD} | grep Leader | awk '{print $1}')

lwraft/config/deployment/aws/scripts/after_install.sh

@@ -26,6 +26,7 @@ tdnf makecache
 tdnf install -y lightwave-post lightwave-client
 
 
+# TODO - this should not be necessary when DNS is stabilized
 echo "Step 4: Set proxy curl timeout"
 
 /opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Services\post\Parameters]' CurlTimeoutSec REG_DWORD 10 || echo "CurTimeoutSec is already set"

lwraft/config/deployment/aws/scripts/application_start.sh

@@ -7,12 +7,11 @@ echo "Step 1: Get domain, password, and existing partners from AWS"
 get_tag_value "LW_DOMAIN" LW_DOMAIN
 echo "LW_DOMAIN=${LW_DOMAIN}"
 
-get_tag_value "POST_PASSWORD" POST_PASSWORD
-echo "POST_PASSWORD=<censored>"
-
 find_post_partners PARTNERS
 echo "PARTNERS=${PARTNERS[*]}"
 
+get_post_password POST_PASSWORD
+
 
 echo "Step 2: Start POST"
 

lwraft/config/deployment/aws/scripts/before_install.sh

@@ -3,7 +3,7 @@
 echo "Step 1: Upgrade/install createrepo and its dependencies"
 
 tdnf makecache
-tdnf install -y sed zip unzip createrepo c-rest-engine-1.0.4-2.ph1
+tdnf install -y sed zip unzip createrepo c-rest-engine-1.1-1.ph1
 
 echo "Install patched version of cyrus-sasl"