Current File : //usr/libexec/kcare/python/kcarectl/__pycache__/__init__.cpython-36.pyc
3

��wh�@stddlmZddlZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlZddlmZddlmZddlmZddlmZddlmZdd	lmZdd
lmZddlmZddlmZdd
lmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddlm$Z$ddlm%Z%ddlm&Z&ddlm'Z'ddlm(Z(ddl)m*Z*m+Z+m,Z,m-Z-m.Z.ddl&m/Z/m0Z0m1Z1dZ2dZ3d�Z4d!Z5d"Z6d�Z7d$Z8d%Z9ej:d&ej;�Z<ej:d'�Z=ej>j?d(��rej>j@dd(�ejAd)eBd*�ejCjDejE�d+d,�ZFd-d.�ZGd/d0�ZHd1d2�ZId3d4�ZJd�d5d6�ZKd7d8�ZLd9d:�ZMd;d<�ZNd=d>�ZOd?d@�ZPdAdB�ZQGdCdD�dDeR�ZSGdEdF�dFe0�ZTGdGdH�dHe0�ZUGdIdJ�dJe0�ZVdKdL�ZWedMdN��ZXd�dOdP�ZYdQdR�ZZdSdT�Z[iZ\dUdV�Z]e]e,j^__e`edWd��s�y8ddlaZbddlcZdebjejfedjg�ebjejfdX�k�rHehdY��Wnehk
�r`Yn8XdZd[�Zie,jjZkGd\d]�d]el�ZmGd^d_�d_e,jj�Znene,_jd`da�Zoejpfdbdc�Zqddde�Zrdfdg�ZsGdhdi�diel�Ztdjdk�Zudldm�Zvd�dodp�Zwdqdr�Zxdsdt�Zyd�dudv�Zzdwdx�Z{dydz�Z|d{d|�Z}d}d~�Z~dd��Zd�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d�d��Z�d�d��Z�d�d��Z�Gd�d��d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�ej�ejpfd�d��Z�d�d��Z�ej�fd�d��Z�d�d��Z�d�dÄZ�d�dńZ�d�d�dDŽZ�d�dɄZ�d�d˄Z�dS)��)�print_functionN)�ArgumentParser)�datetime)�contextmanager�)�config)�	constants)�	log_utils)�utils)�
process_utils)�platform_utils)�
http_utils)�ipv6_support)�auth)�serverid)�config_handlers)�libcare)�selinux)�fetch)�update_utils)�errors)�kcare)�server_info)�URLError�	HTTPError�httplib�	urlencode�json_loads_nstr)�SafeExceptionWrapper�
KcareError�NotFound�cZv2�12h�24h�48h�testz./etc/sysconfig/kcare/freezer.modules.blacklistz/usr/libexec/kcare/kcdoctor.sh�	latest.v2z /etc/sysconfig/kcare/sysctl.conf�
z$==BLACKLIST==
(.*)==END BLACKLIST==
z'(kpatch.*|ksplice.*|kpatch_livepatch.*)z/usr/libexec/kcare/python�ignore)�categorycCsDt�}tjjt�r@ttd�}x|D]}|j|j��q"W|j�|S)N�r)	�set�os�path�isfile�FREEZER_BLACKLIST�open�add�rstrip�close)�result�f�line�r7�./usr/libexec/kcare/python/kcarectl/__init__.py�get_freezer_blacklistLs

r9cCsB|jd�}|r(dj|d||dg�}ndj|d|dg�}|S)N�.rr���r;)�split�join)�ptype�filenameZ
name_partsr7r7r8�_apply_ptypeVs

r@cCsJt|tj�t_t|tj�t_t|tj�t_t|tj�t_t|tj�t_dS)N)r@r�	PATCH_BIN�
PATCH_INFO�BLACKLIST_FILE�FIXUPS_FILE�
PATCH_DONE)r>r7r7r8�apply_ptype_s
rFcCstj�\}}}d}t|t�rbt|t�rbyd|jtj|j�|jf}Wq�t	t
fk
r^Yq�XnPt|tt
tf�r�t|t�r�d|}n*t|t
�r�|jp�t|j�}|jp�d|j}tj�}tjtj�|d|dt|dt|��|djtj|d��t|dd�d	�S)
N�z[Errno %i] %s: '%s'z%srr�__name__�d�attempts)Z
agent_versionZpython_version�distroZdistro_version�error�details�	tracebackrJ)�sys�exc_info�
isinstance�OSErrorr�errnor,�strerrorr?�AttributeError�	TypeError�KeyError�IOErrorr�etype�type�innerrMr�
get_distror�VERSION�get_python_version�getattr�strr=rNZ	format_tb)rY�value�tbZdetails_sanitizedrKr7r7r8� format_exception_without_detailsgs*

rccCsvtjr
dStjt��}tjtjtj	|���}tj
d�d|}tj|t
j��}ytj|�Wntk
rpYnXdS)Nz/api/kcarectl-tracez?trace=)r�UPDATE_FROM_LOCAL�json�dumpsrcr
�nstr�base64Zurlsafe_b64encodeZbstr�get_patch_server_urlr
Zhttp_requestrZget_http_auth_stringZurlopen_base�	Exception)ZtraceZ
encoded_trace�urlZrequestr7r7r8�send_exc�srlcCs�tj�}|dkr tj|d�dStj�tj�}|dkrBtjd�tjd�ttjd��&}tj	|j
�d�tj	|j
�d�WdQRX|r�tj|�y
|�Wn*t
k
r�tjjd�tjd�YnXtjd�dS)z�
    Run func in a fork in an own process group
    (will stay alive after kcarectl process death).
    :param func: function to execute
    :return:
    rN�ar�zWait exception)r,�fork�waitpid�setsid�_exitr3r0rZLOG_FILE�dup2�fileno�time�sleeprjr	�kcarelog�	exception)�funcrv�pid�fdr7r7r8�
nohup_fork�s(



r|cCs�tjjtjd�}tjj|�rtt|d��H}y,t|j��}|t	j
tj�krRt||��Wnt
k
rhYnXWdQRXtj|tj��dS)aCheck the fact that there was a failed patching attempt.
    If anchor file not exists we should create an anchor with
    timestamp and schedule its deletion at $timeout.

    If anchor exists and its timestamp more than $timeout from now
    we should raise an error.
    z.kcareprev.lockr*N)r,r-r=r�PATCH_CACHEr.r0�int�readr�SUCCESS_TIMEOUTru�PreviousPatchFailedException�
ValueErrorr
�atomic_write�
timestamp_str)Zanchor_filepathZafile�	timestampr7r7r8�touch_anchor�sr�cCsxytjtjjtjd��Wntk
r.YnXtd|�tj	j
�ytdd�Wn tk
rrt
jjd�YnXdS)z�
    See touch_anchor() for detailed explanation of anchor mechanics.
    See KPT-730 for details about action registration.
    :param state_data: dict with current level, kernel_id etc.
    z.kcareprev.lock�done)�reasonzCannot send update info!N)r,�remover-r=rr}rR�register_actionr�get_loaded_modules�clear�get_latest_patch_levelrjr	rwrx)�
state_datar7r7r8�
commit_update�s

r�cCs(tjtjjtjd�tj||d�d�dS)N�patchesrG)Zexclude_path)	r
�clean_directoryr,r-r=rr}r�get_cache_path)�khashZplevelr7r7r8�clear_cache�sr�cCs>tjpd}dj||g�}tjd|f}|r2||f7}tjj|�S)N�none�-�modules)r�PREFIXr=rr}r,r-)r��fname�prefixZ
module_dirr4r7r7r8�get_current_level_path�s

r�cCstjt|d�t|�dd�dS)N�latestT)Z
ensure_dir)r
r�r�r`)r��patch_levelr7r7r8�save_cache_latest�sr�cCsVt|d�}tjj|�rRy"tt|d�j�j��}tj	||�St
tfk
rPYnXdS)Nr�r*)r�r,r-r.r~r0r�stripr�LegacyKernelPatchLevelr�rV)r�Zpath_with_latest�plr7r7r8�get_cache_latest�s
r�c@seZdZdS)�CertificateErrorN)rH�
__module__�__qualname__r7r7r7r8r�sr�c@seZdZdd�ZdS)�UnknownKernelExceptioncCs*tj|djtj�dtj�tj���dS)NzLNew kernel detected ({0} {1} {2}).
There are no updates for this kernel yet.r)	rj�__init__�formatrr\�platform�releaser�get_kernel_hash)�selfr7r7r8r�szUnknownKernelException.__init__N)rHr�r�r�r7r7r7r8r�sr�cs$eZdZ�fdd�Zdd�Z�ZS)�ApplyPatchErrorcsFtt|�j||�||_||_||_||_tj�d|_	t
j�|_dS)Nr)�superr�r��code�
freezer_style�level�
patch_filerr\rKr�r�)r�r�r�r�r��args�kwargs)�	__class__r7r8r�szApplyPatchError.__init__c	Cs0dj|j|j|j|j|jdjdd�|jD���S)Nz0Unable to apply patch ({0} {1} {2} {3} {4}, {5})z, cSsg|]}t|��qSr7)r`)�.0�ir7r7r8�
<listcomp>!sz+ApplyPatchError.__str__.<locals>.<listcomp>)r�r�r�r�rKr�r=r�)r�r7r7r8�__str__szApplyPatchError.__str__)rHr�r�r�r��
__classcell__r7r7)r�r8r�s	r�cs$eZdZ�fdd�Zdd�Z�ZS)r�cs"tt|�j||�||_||_dS)N)r�r�r�r��anchor)r�r�r�r�r�)r�r7r8r�'sz%PreviousPatchFailedException.__init__cCsd}|j|j|j�S)Nz�It seems, the latest patch, applying at {0}, crashed, and further attempts will be suspended. To force patch applying, remove `{1}` file)r�r�r�)r��messager7r7r8r�,sz$PreviousPatchFailedException.__str__)rHr�r�r�r�r�r7r7)r�r8r�&sr�cCs�tj�dj|�}yrtj|�}tjtj|j���}t	|d�}|dkrPt
d�n2|dkrbt
d�n |dkrtt
d�nt
d	j|��|Stk
r�}ztj
||�WYdd}~XnXd
S)Nz"/nagios/register_key.plain?key={0}r�rzKey successfully registeredrzWrong key format or sizernz!No KernelCare license for that IPzUnknown error {0}r;)r�get_registration_urlr�r
�urlopenr
�data_as_dictrgrr~�printrr	�print_cln_http_error)�keyrk�response�resr��er7r7r8�!set_monitoring_key_for_ip_license5s 



r�c
cs>tjrtjtjdd�z
dVWdtjr8tjtjdd�XdS)NT)�shell)rZBEFORE_UPDATE_COMMANDr�run_commandZAFTER_UPDATE_COMMANDr7r7r7r8�
execute_hooksIs
r�cCs�t�}|j}|j}tj�}|dkrdt|�tjtj	�t
j�|tt
j��|d�}td�ttj|��nZtd�tt|��tdt|��ttj�ttj	��tt
j��t|�tt
j��dS)a1
    The output will consist of:
    Ignore output up to the line with "--START--"
    Line 1: show if update is needed:
        0 - updated to latest,
        1 - update available,
        2 - unknown kernel
        3 - kernel doesn't need patches
        4 - no license, cannot determine
    Line 2: licensing message (can be skipped, can be more then one line)
    Line 3: LICENSE: CODE: 1: license present, 2: trial license present, 0: no license
    Line 4: Update mode (True - auto-update, False, no auto update)
    Line 5: Effective kernel version
    Line 6: Real kernel version
    Line 7: Patchset Installed # --> If None, no patchset installed
    Line 8: Uptime (in seconds)

    If *format* is 'json' return the results in JSON format.

    Any other output means error retrieving info
    :return:
    re)Z
updateCodeZ
autoUpdateZeffectiveKernelZ
realKernelZloadedPatchLevelZuptime�licensez	--START--z	LICENSE: N)�_patch_level_infor��applied_lvlr�license_infor`r�AUTO_UPDATEr�kcare_unamer�r�r~rZ
get_uptimer�rerf)�fmt�pliZupdate_codeZ	loaded_plZlicense_info_resultZresultsr7r7r8�plugin_infoUs,

r�cCs^tj�}ytdd�}Wntk
r4tjr0dSdSX|dkrBdS||krNdStj�rZdSdS)N�info)r�r�rrn)r�loaded_patch_levelr�r�r�IGNORE_UNKNOWN_KERNELrZstatus_gap_passed)�
current_levelZlatest_patch_levelr7r7r8�get_update_status�sr�cCs2tj�dd�\}}|dkr*|jd�r*dSdSdS)NrnZ
CloudLinuxz7.�extrarG)rr\�
startswith)rK�versionr7r7r8�edf_fallback_ptype�sr�cCsl|j|jf}tj||�}tj||j�|_|jjtj	tj
d�|tkrZ|jj�dd�t|<|jrh|j
�dS)z�Function remembers IP address of host connected to
    and uses it for later connections.

    Replaces stdlib version of httplib.HTTPConnection.connect
    rNrn)�hostZport�CONNECTION_STICKY_MAP�get�socketZcreate_connectionZtimeout�sockZ
setsockoptZIPPROTO_TCPZTCP_NODELAYZgetpeername�_tunnel_hostZ_tunnel)r�ZaddrZ
resolved_addrr7r7r8�sticky_connect�sr�ZHAS_SNIz0.13z%No pyOpenSSL module with SNI ability.cGsdS)NTr7)r�r7r7r8�dummy_verify_callback�sr�c@s,eZdZdd�Zdd�Zdd�Zdd�Zd	S)
�SSLSockcCs||_d|_dS)Nr)�	_ssl_conn�_makefile_refs)r�r�r7r7r8r��szSSLSock.__init__cGs&|jd7_tj|jf|�ddi�S)Nrr3T)r�r�Z_fileobjectr�)r�r�r7r7r8�makefile�szSSLSock.makefilecCs"|jr|jr|jj�d|_dS)N)r�r�r3)r�r7r7r8r3�s
z
SSLSock.closecGs|jj|�S)N)r��sendall)r�r�r7r7r8r��szSSLSock.sendallN)rHr�r�r�r�r3r�r7r7r7r8r��sr�c@seZdZdd�ZdS)�PyOpenSSLHTTPSConnectioncCs�tjj|�tjjtjj�}|jtjjtjj	B�t
jrJ|jtjj
t�n|jtjjt�|j�tjj||j�}|j�|jp�|j}|j|j��|j�t
jr�t|j�|�t|�|_dS)N)r�HTTPConnection�connect�OpenSSLZSSLZContextZ
SSLv23_METHODZset_optionsZOP_NO_SSLv2ZOP_NO_SSLv3r�CHECK_SSL_CERTSZ
set_verifyZVERIFY_PEERr�ZVERIFY_NONEZset_default_verify_pathsZ
Connectionr�Zset_connect_stater�r�Zset_tlsext_host_name�encodeZdo_handshake�match_hostnameZget_peer_certificater�)r�ZctxZconnZserver_hostr7r7r8r��sz PyOpenSSLHTTPSConnection.connectN)rHr�r�r�r7r7r7r8r��sr�c	Cs�tjr&tj||�}tjtj�|dd�Sx�dD]�}tj	||d�}tj|t
||��d|}d}|rxt|�|krxtj
d�q,ytjtj�|dd�Stk
r�}z2|r�|jd
ks�|jd
kr�tj
dj|��w,�WYdd}~Xq,Xq,WdS)NF)�
check_licenseT)�secure_boot_info�?iXz<Check-in URL param is too large, discarding secure boot info��i�zJCheck-in request failed with error: {0}, retrying without secure boot info)TF)r�r�)rrdrZget_kernel_prefixed_urlrZwrap_with_cache_keyr�urlopen_authrZbased_server_info�stickyfy�lenr	Zlogwarnrr�r�)	r�r�r��moderkr�Z
request_paramZmax_url_length�exr7r7r8�_fetch_patch_level_request�s"

r�cCstj�}tjdk	r$tj|ttj��Sx�tD]�}y�t||||�}tj	|j
�t�tj
|j��j�}tjdj||�dd�|r�|jd�r�t|�}tj||d|d|d�Stj|t|��Stk
r�Yq*tk
�r}z|jdkr�td
���WYdd}~Xq*Xq*Wt��dS)Nz;fetch patch level, reason: {0}, kernel latest response: {1}F)�	print_msg�{r��baseurlr���zKC licence is required)r�r)rr�r�PATCH_LEVELr�r~�PATCH_LATESTr�rZset_config_from_patchserver�headers�update_all_kmod_paramsr
rgrr�r	�loginfor�r�rZKernelPatchLevelr rr�rr�)r�r�r�r�r�r�Zlatest_infor�r7r7r8�fetch_patch_levels*


rcCs<|jt|tj��}tjjdj|��ytj	|ddd�dSt
k
r^tjjdj|��dStk
r�}ztjjdj|t
|���WYdd}~XnX|jt|tj�tj�}tjjdj|��ytj	|dd�Wnbt
k
�r�tjjdj|��dStk
�r6}ztjjd	j|t
|���WYdd}~XnXdS)
NzProbing patch URL: {0}F�HEAD)r��methodTz{0} is not available: 404zFHEAD request for {0} raised an error, fallback to the GET request: {1})r�z{0} is not available: {1})�file_urlr@rrAr	rwr�r�rr�r rj�debugr`rZSIGr)r�r>Zbin_urlr�rkr7r7r8�probe_patch.s(**rcCsF|tjkr|jtj�}n
|j|�}|j|�}tj||tjtj	|�d�S)N)Zhash_checker)
r�KMOD_BINZkmod_urlr	�
cache_pathrZ	fetch_urlr�
USE_SIGNATUREZget_hash_checker)r��namerkZdstr7r7r8�fetch_and_verify_kernel_fileGs



rc@s>eZdZddd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�ZdS)�PatchFetcherNcCs
||_dS)N)r�)r�r�r7r7r8r�RszPatchFetcher.__init__cCst|j|�S)N)rr�)r�rr7r7r8�_fetchUszPatchFetcher._fetchcCsr|jjtj�}|jjtj�}|jjtj�}|jjtj�}tdd�||||fD��opt	j
j|�dkopt	j
j|�dkS)Ncss|]}tjj|�VqdS)N)r,r-r.)r�r-r7r7r8�	<genexpr>_sz0PatchFetcher.is_patch_fetched.<locals>.<genexpr>r)r�r
rrErArBrr�allr,r-�getsize)r�Zpatch_done_pathZpatch_bin_pathZpatch_info_pathZ
kmod_bin_pathr7r7r8�is_patch_fetchedXszPatchFetcher.is_patch_fetchedcCs0|jdkrtd��|js|jS|j�r6tjd�|jStjd�t|jtj�r�ytj	|jj
tj�dd�}Wnt
k
r~Yn(X|jjdd�}|r�|jjtj|��|_y|jtj�Wn,t
k
r�tdj|jtjp�d���YnX|jtj�|jtj�|j�tj|jjtj�d	d
d�tjtj �|jS)Nz+Cannot fetch patch as no patch level is setzUpdates already downloadedzDownloading updatesr)rzKC-Base-UrlzfThe `{0}` patch level is not found for `{1}` patch type. Please select valid patch type or patch level�default��wb)r�)!r�r�rr	rrQrr�rr�r	rrAr rr��upgrader
rgrrr��
PATCH_TYPErBrr�extract_blacklistr�r
rEr�restore_selinux_contextr})r��respr�r7r7r8�fetch_patchds8


zPatchFetcher.fetch_patchcCsJt|jjtj�d�j�}|rFtj|�}|rFtj	|jjtj
�|jd��dS)Nr*r)r0r�r
rrBr�BLACKLIST_RE�searchr
r�rC�group)r�ZbufZmor7r7r8r�s

zPatchFetcher.extract_blacklistcCs�|dkrdSyt|tj�}Wntk
r0dSX|jjdd�}|rT|jtj|��}|j	tj�}t
|d��}tdd�|j�D��}WdQRXx|D]}t||�q�Wt
jtj�dS)z�
        Download fixup files for defined patch level
        :param level: download fixups for this patch level (usually it's a level of loaded patch)
        :return: None
        NzKC-Base-Urlr*cSsg|]}|j��qSr7)r�)r��fixupr7r7r8r��sz-PatchFetcher.fetch_fixups.<locals>.<listcomp>)rrrDr rr�rr
rgr
r0r+�	readlinesrrrr})r�r�rr�Zfixups_fnamer5�fixupsr#r7r7r8�fetch_fixups�s 
zPatchFetcher.fetch_fixups)N)	rHr�r�r�rrrrr&r7r7r7r8rPs
(rcCs6t�}t|j�|jtjkr(tjd�n
tjd�dS)Nrr)r�r��msgr��PLI�PATCH_NEED_UPDATErO�exit)r�r7r7r8�kcare_check�s

r+c	Cst�}t|�}ytj�}Wntk
r2i}YnXtj�}d}|dk	r\tj|d�j	d�}tj
�}t|jdg��}t
dd�|D��}tj�}|s�td�ntd�td	j|��td
j|��|dkr�tdj|��|dkr�td
j|��||dk�rtd�td�dS)NZUnknown�tsz%Y-%m-%dr�css|]}t|jdg��VqdS)r�N)r�r�)r�Zrecr7r7r8r�sz$show_generic_info.<locals>.<genexpr>z$KernelCare live patching is disabledz"KernelCare live patching is activez - Last updated on {0}z - Effective kernel version {0}rz* - {0} kernel vulnerabilities live patchedz- - {0} userspace vulnerabilities live patchedz% - This system has no applied patchesz(Type kcarectl --patch-info to learn more)r��_kcare_patch_info_jsonrZlibcare_patch_info_basicrrZ	get_staterZ
fromtimestampZstrftimer�r�r��sumr�r�r�)	r��
kcare_info�libcare_info�stateZ
latest_updateZeffective_versionZkernel_vulnerabilitiesZuserspace_vulnerabilitiesr�r7r7r8�show_generic_info�s4

r2Fc	Cs�y�tdtjd�}|st�|jtj�}tjt	j
|�j��}|r�gi}}x>|jd�D]0}tj
|�}|rxd|krx|j|�qR|j|�qRW||d<tj|�}t|�WnHtk
r�}ztj||j�dSd}~Xntk
r�td�YnXd	S)
z�
    Retrieve and output to STDOUT latest patch info, so it is easy to get
    list of CVEs in use. More info at
    https://cloudlinux.atlassian.net/browse/KCARE-952
    :return: None
    r�)r��policyz

zkpatch-namer�rNzNo patches availabler)r�r�
POLICY_REMOTEr�r	rrBr
rgrr�rr<r��append�updatererfr�rr	r�rk)	�is_jsonr�rk�
patch_infor�r4�chunk�datar�r7r7r8�kcare_latest_patch_info�s,


r;cCs�d|ji}|jdk	r�t|�}g}x>|jd�D]0}tj|�}|rRd|krR|j|�q,|j|�q,W||d<tj	�}|r||dnd|d<|S)Nr�z

zkpatch-namer�r��unknown)
r'r��_kcare_patch_infor<r
r�r5r6rZread_dumped_kernel_patch_level)r�r4r8r�r9r:Zsaved_patch_levelr7r7r8r-�s


r-cCsPtj�}tj||jtj�}tjj|�s.t	d��t
|d�j�}|rLtj
d|�}|S)NzvCan't find information due to the absent patch information file. Please, run /usr/bin/kcarectl --update and try again.r*rG)rr�r�r�rrBr,r-r.rr0rr �sub)r�r�r
r�r7r7r8r=sr=cCsTt�}|s:|jdkrt|j�|jdkr,dStt|��nttjt|�dd��dS)NrT)Z	sort_keys)	r�r�r�r'r�r=rerfr-)r7r�r7r7r8r8s


r8cCs:tjd|g}tj|�}tj�}d}tj||�tj||�kS)Nz	file-infozkpatch-build-time)r�
KPATCH_CTLr�check_outputr�_patch_infoZget_patch_value)�new_patch_filer�Znew_patch_infoZcurrent_patch_infoZbuild_time_labelr7r7r8�
is_same_patch+s

rCcCsL|dkrdS|r||krdS||kr(dStjtj�|tj�}t|�sHdSdS)NrFT)rr�r�rrArC)�
applied_level�	new_levelrBr7r7r8�kcare_need_update3srFcCsptjrltjjt�otjttj�s6tj	j
djt��dStj
dddtgdd�\}}}|dkrltj	j
dj|��dS)	Nz-File {0} does not exist or has no read accessz/sbin/sysctlz-qz-pT)�catch_stdoutrz%Unable to load kcare sysctl.conf: {0})rZUPDATE_SYSCTL_CONFIGr,r-r.�
SYSCTL_CONFIG�access�R_OKr	rw�warningr�rr�)r��_r7r7r8�
update_sysctlEsrMcs�tjjt�sttd�j�tjttj�s>tj	j
djt��dSttd��j}|j�}|j
d�x,|D]$�t�fdd�|D��sb|j��qbWx|D]}|j|d�q�W|j�WdQRXdS)	z*Update SYSCTL_CONFIG accordingly the editsrmzFile {0} has no read accessNzr+rc3s|]}�j|�VqdS)N)r�)r�r*)r6r7r8rasz#edit_sysctl_conf.<locals>.<genexpr>�
)r,r-r.rHr0r3rIrJr	rwrKr�r$�seek�any�write�truncate)r�r5Zsysctl�linesrmr7)r6r8�edit_sysctl_confPs


rTcCs*x$|D]}tj|�rtdj|���qWdS)NzDDetected '{0}' kernel module loaded. Please unload that module first)�CONFLICTING_MODULES_RE�matchrr�)r��moduler7r7r8�detect_conflicting_modulesis

rXcCsdjtj��S)Nz/lib/modules/{0}/extra/kcare.ko)r�rZget_system_unamer7r7r7r8�get_kcare_kmod_linkosrYc
CsXtdd�}tjtj�|tj�}tjj|�s.dSt	|d��}|j
�dd�dkSQRXdS)Nr�)r��rb�s~Module signature appended~
i��)r�rr�r�rrr,r-r.r0r)r�Z	kmod_fileZvfdr7r7r8�kmod_is_signedss
r\cKs`d|g}x&|j�D]\}}|jdj||��qWtj|dd�\}}}|dkr\tdj||���dS)Nz/sbin/insmodz{0}={1}T)rGrzLUnable to load kmod ({0} {1}). Try to run with `--check-compatibility` flag.)�itemsr5r�rr�r)Zkmodr��cmdr�rar�rLr7r7r8�	load_kmod|sr_cCs<tj�rt�rtd��tj�s0tj�s0tj�r8td��dS)Nz4Secure boot is enabled. Not supported by KernelCare.zWYou are running inside a container. Kernelcare should be executed on host side instead.)rZis_secure_bootr\rZinside_vz_containerZinside_lxc_containerZinside_docker_containerr7r7r7r8�check_compatibility�sr`cCsPtjd�}tj|dgddd�ddk}|rL|d
krLtjdj|��tjd	�dS)NZmodinfoZkmodlveT)rG�catch_stderrr�freer�z3{0} patch type conflicts with kmodlve kernel moduler)rbr�)rZfind_cmdr�r	�logerrorr�rOr*)r>r^Zhas_kmodlver7r7r8�check_patch_type_compatibility�s

rdcCsPtjddd|g�}g}x4|jd�D]&}|j�r"|jd�\}}}|j|�q"W|S)Nz
/sbin/modinfoz-FZparmrN�:)rr@r<r��	partitionr5)�
kcare_link�stdoutZavailable_paramsr6Z
param_namerLr7r7r8�get_kmod_available_params�sricCsLtjr
dndtjrdndtjr$tjndttjt�r8tjndtjrDdndd�S)NrrrG)�kpatch_debugZkmsg_outputZkcore_outputZ
kdumps_dirZenable_crashreporter)	r�KPATCH_DEBUGZKMSG_OUTPUTZKCORE_OUTPUTZKCORE_OUTPUT_SIZErQ�
KDUMPS_DIRr`ZENABLE_CRASHREPORTERr7r7r7r8�make_kmod_new_params�s
rmcCsHtjr"tjjtj�r"tjtj�x t�j�D]\}}t||�q.WdS)N)	rrlr,r-�exists�makedirsrmr]�update_kmod_param)Zparam�valr7r7r8r�srcCstd}tjj||�}tjj|�s"dSy(t|d��}|jt|��WdQRXWn$tk
rntj	j
d||�YnXdS)Nz/sys/module/kcare/parameters�wz!failed to set %s kmod param to %s)r,r-r=rnr0rQr`rjr	rwrL)Zkmod_param_nameZparam_valueZparams_rootZ
param_pathr5r7r7r8rp�srpcs�t�}tj||tj�}ytj||�Wntk
r>|}YnXtj	rbt
jjtj	�rbt
j
tj	�t�}t|��t�fdd�|j�D��}t|f|�t�dS)Nc3s"|]\}}|�kr||fVqdS)Nr7)r��k�v)�available_kmod_paramsr7r8r�sz"load_kcare_kmod.<locals>.<genexpr>)rYrr�rr�shutil�copyrjrrlr,r-rnrormri�dictr]r_�
update_depmod)r�r�rgZ
kcare_fileZkmod_paramsr7)rur8�load_kcare_kmod�s
rzcCsXdg}|dk	r|jd|g�tj|ddd�\}}}|rTtjdjdj|�||�dd�dS)	Nz/sbin/depmodz-aT)rGraz%Running of `{0}` failed with {1}: {2}� F)r�)�extendrr�r	rcr�r=)�unamer^r�rL�stderrr7r7r8ry�srycCs4tjd|gdd�\}}}|dkr0tdj||���dS)Nz/sbin/rmmodT)rGrzUnable to unload {0} kmod {1})rr�rr�)�modnamer�rLr7r7r8�unload_kmod�sr�cCsTg}xJdg|D]<}tj||dj|��}tjj|�rt|�|jdj|��qW|S)NZvmlinuxzfixup_{0}.koz	fixup_{0})rr�r�r,r-rnr_r5)r�r�r�Zloaded�modZmodpathr7r7r8�apply_fixups�sr�cCsDx>|D]6}yt|�Wqtk
r:tjjd|�YqXqWdS)Nz$Exception while unloading module %s.)r�rjr	rwrx)r%r�r7r7r8�
remove_fixups�s

r�cCs�|r
|}n6tjrtj}n(t�j|�r2d|tjdfSd|tjdfSdddddd�}|j�}||krj||}ntdj||tjd���||tjdfS)	NZfreeze_conflictTrFZfreeze_noneZ
freeze_all)ZNONEZNOFREEZEZFULLZFREEZEZSMARTz3Unable to detect freezer style ({0}, {1}, {2}, {3}))rZPATCH_METHODr9�intersection�upperrr�)�freezerr�rZpatch_method_mapr7r7r8�get_freezer_style�s"
r�rGcs�|||d��td��tj�}tj�}t|�t||�}tj||tj�}t	||�dj
|tjtj
�tj|��}	d|k}
|
o�tj||�}|dk	}|o�t|�o�tj|	�}
�j||d��|
r�td��dS|�rtd��t|||�}td��t|�td	��t|�|�r"td
��td�d}
|
�s<td��t||�|�rHt�td
��t||||	|�t�tjdj
|tj���tj�td��t �fdd�tj!d�dS)N)r�Zfuturer��startz{0}-{1}:{2};{3}r)Zcurrent�kmod_changedr�Zfxp�unpatchZunfxp�unloadF�load�patchz5Patch level {0} applied. Effective kernel version {1}�waitcst��S)N)r�r7)r�r7r8�<lambda>Vszkcare_load.<locals>.<lambda>)rv)"r�rr�r�rXr�r�rrAr�r�rr
r�Zparse_unameZis_kmod_version_changedrCZkcare_update_effective_versionr6r��kpatch_ctl_unpatchr�r�rzr��kpatch_ctl_patchrMr	rr�rZtouch_status_gap_filer|r�)r�r�r�r��
use_anchorr�r�r�r��descriptionZkmod_loadedr�Zpatch_loadedZ
same_patchr%r7)r�r8�
kcare_loadsR











r�c	Cs�tjg}tj||tj�}tjj|�r2|j	d|g�|j	dd|g�|j	d|dg�|j
|�tj|dd�\}}}|dkr�t
||||��dS)Nz-br�z-dz-mrT)rG)rr?rr�rrCr,r-rnr|r5rr�r�)	r�r�r�r�r�r�Zblacklist_filer�rLr7r7r8r�Ys
r�cCsZtjtjdd|dgddd�\}}}|dkrVtjdj||�dd�td	j|t|����dS)
Nr�z-mrT)rGraz4Error unpatching, kpatch_ctl stdout:
{0}
stderr:
{1}F)r�zError unpatching [{0}] {1})	rr�rr?r	rcr�rr`)r�r�rhr~r7r7r8r�fs
 r�cCs8||d<ttj��|d<tjtjjtjd�t	|��dS)N�actionr,zkcare.state)
r~rur
r�r,r-r=rr}r`)r�r�r7r7r8r�psr�cCspd}tjj|�sdSxVtj|�D]H}tjj||dd�}tjj|�sDq tj|�}||kr tj|�t|�q WdS)Nz/usr/lib/modules/zweak-updateszkcare.ko)	r,r-�isdir�listdirr=�islink�readlink�unlinkry)�	kmod_linkZmodules_path�entryZ
sym_link_pathZtarget_pathr7r7r8�update_weak_modulesvs

r�c
CsBtj�}t�}y|j|�Wn4tk
rP}z|s@tdj|���WYdd}~XnXtj�}t||�}t	���d|k�r|dk	}|r�t
tj�||�}tj
tjdd|dgddd�\}	}
}t|�|	dkr�tjdj|
|�d	d
�tdj|	t|����tjtjt�dtd
�t�d�t�}tjj|��r,tj|�t|�WdQRXdS)Nz�Unable to retrieve fixups: '{0}'. The unloading of patches has been interrupted. To proceed without fixups, use the --force flag.rr�z-mrT)rGraz4Error unpatching, kpatch_ctl stdout:
{0}
stderr:
{1}F)r�zError unpatching [{0}] {1}r)�count�delay) rr�rr&rjrr�r�r�r�r�r�rr�rr?r�r	rcr`r
ZretryrZ	check_exc�UNLOAD_RETRY_DELAYr�rYr,r-r.r�r�)
r��forcer��pf�errr�r�Zneed_unpatchr%r�rhr~r�r7r7r8�kcare_unload�s8

 
r�cCs8t�}|rt|�S|jdkr"|jS|jdk	r4tj�SdS)Nr)r��_kcare_info_jsonr�r'r�rrA)r7r�r7r7r8r/�s

r/cCsRd|ji}|jdk	r>|jtjtj���|jtj|jd���|j	|d<t
j|�S)Nr�zkpatch-descriptionzkpatch-state)r'r�r6r
r�rrAZparse_patch_descriptionr�r1rerf)r�r4r7r7r8r��s


r�c@s$eZdZdZdZdZdZdd�ZdS)r(rrrnr�cCs"||_||_||_||_||_dS)N)r�r'�
remote_lvlr�r1)r�r�r'r�r�r1r7r7r8r��s
zPLI.__init__N)rHr�r�rr)�PATCH_UNAVALIABLE�PATCH_NOT_NEEDEDr�r7r7r7r8r(�s
r(cCs�tj�}y�tdd�}|rJt||�r6tjdd}}}qxtjdd}}}n.|dkrftjdd}}}ntjd	d}}}t|||||�}Wnltk
r�tj	}t
jr�d
jt
jt
j�dtj��}ndjt
j�dtj�tj��}t||ddd�}YnX|S)
Nr�)r�z*Update available, run 'kcarectl --update'.ZappliedzThe latest patch is applied.rz(This kernel doesn't require any patches.ZunsetzDNo patches applied, but some are available, run 'kcarectl --update'.zuInvalid sticky patch tag {0} for kernel ({1} {2}). Please check /etc/sysconfig/kcare/kcare.conf STICKY_PATCH settingszLNew kernel detected ({0} {1} {2}).
There are no updates for this kernel yet.Zunavailable)rr�r�rFr(r)rr�r�r�r�STICKY_PATCHr�rr\r�r�r�)Zcurrent_patch_levelZnew_patch_levelr�r'r1r�r7r7r8r��s8

r�c	Cs�d}yXtj�}td|fd|fg�}tj�dj|�}tj|�}tj	tj
|j���}t|d�St
k
r�}ztj||�d
Sd}~XnZtk
r�}ztj||�dSd}~Xn0tk
r�}ztjdj|��dSd}~XnXdS)
z�
    Request to tag server from ePortal. See KCARE-947 for more info

    :param tag: String used to tag the server
    :return: 0 on success, -1 on wrong server id, other values otherwise
    N�	server_id�tagz/tag_server.plain?{0}r�r��zInternal Error {0}����������)r�get_serveridrrr�r�r
r�r
r�rgrr~rr	r�rrjrc)	r�rkr�Zqueryr�r�r�ZueZeer7r7r8�
tag_server
s"
r�cCs�tjd�}tjdj|��t}tj���}y:tj	||j
�}tjtj
|�|j
�tj|j
|�|j
}Wn2tk
r�}ztjdj|��WYdd}~XnXtjd|tj�gdd�\}}}|r�tdj||���WdQRXdS)Nz	doctor.shz#Requesting doctor script from `{0}`z3Kcare doctor error: {0}. Fallback to the local one.ZbashT)razScript failed with '{0}' {1})r
rir	Zlogdebugr��KCDOCTOR�tempfileZNamedTemporaryFilerZfetch_signaturerZsave_to_filer
r�Zcheck_gpg_signaturerjrcrr�rZget_patch_serverr)Z
doctor_urlZdoctor_filenameZ
doctor_dstZ	signaturer�r�rLr~r7r7r8�kcdoctor%s


"r�cCsBtjdjt��}ytj|�Wntk
r2dSXtjd�dS)Nz{0}-new-versionFzwA new version of the KernelCare package is available. To continue to get kernel updates, please install the new versionT)	r
rir��EFFECTIVE_LATESTr
r�rr	r)rkr7r7r8�check_new_kc_version6sr�c	Cs�tj�}t|�}|tjkp*|tjko*|dk}yt||�}Wn<tk
rv}z |rT�ntj	j
dj|��WYdd}~XnX|tjkr�|}n<|}|dkr�|tjkr�tj
|d�}n|tjkr�|}ntd��|S)a�
    Get patch level to apply.
    :param reason: what was the source of request (update, info etc.)
    :param policy: REMOTE -- get latest patch_level from patchserver,
                   LOCAL -- use cached latest,
                   LOCAL_FIRST -- if cached level is None get latest from patchserver, use cache otherwise
    :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART
    :return: patch_level string
    NzUnable to send data: {0}rz9Unknown policy, choose one of: REMOTE, LOCAL, LOCAL_FIRST)rr�r�rr4ZPOLICY_LOCAL_FIRSTrrjr	rwrKr�ZPOLICY_LOCALr�r)	r�r3r�r�Zcached_levelZconsider_remote_exZremote_levelr�r�r7r7r8r�Cs&$


r�cCs�|dkrdS|dkrdn|t_ttdd�tj�r�tjtjd�tjdkrntj�rntjpXt	}t
dddj|�f�tj
d
j|��ntdj|���dS)N�edfrrGZprobe)r�)rrbr��fs.enforce_symlinksifowner�fs.symlinkown_gidzfs.enforce_symlinksifowner=1zfs.symlinkown_gid={0}z'{0}' patch type selectedz/'{0}' patch type is unavailable for your kernel)rbr�)r�r�)rrrrr�
update_configrZ	is_cpanelZ	FORCE_GID�
CPANEL_GIDrTr�r	rr)r>Zgidr7r7r8�update_patch_typehs
r�c	$Csntj�ttj�|tjkr"t�ytd||d�}WnRt	k
r�}z6|tj
tjfkrttjrtt
|�}tjj|�dS�WYdd}~XnXtj�}t|�}|j�t||d�s�tjd�dSy(tjtjddd�tjtjdd	d�Wn"tk
�rtjjd
�YnXtj�}|tj
k�s"tj�rVt��(|j|�t |||||tjkd�WdQRXtj!|�t"||�dS)ax
    :param mode: constants.UPDATE_MODE_MANUAL, constants.UPDATE_MODE_AUTO or constants.UPDATE_MODE_SMART
    :param policy: REMOTE -- download latest and patches from patchserver,
                   LOCAL -- use cached files,
                   LOCAL_FIRST -- download latest and patches if cached level is None, use cache in other cases
    :param freezer: freezer mode
    r6)r�r3r�N)rDrEz%No updates are needed for this kernelr�zkcore*.dump)Zkeep_nZpatternz	kmsg*.logz#Error during crash reporter cleanup)r�)#rZlog_all_parent_processesrdrrrr4r�r�r��UPDATE_MODE_AUTO�UPDATE_MODE_SMARTr�r`r	rwrKrr�rrrFrr
r�rlrjrxr�r�r�r&r�Zdump_kernel_patch_levelr�)	r�r�r3r�r�r'r�r�r�r7r7r8�	do_update~s<



"
r�cCs�tttj�ttjptj�ttjp$tj�f�}|dkr<td��tjrHtjS|t	j
krltjp\tj}tjphtj}ntj}tj}|r�|S|r�d|SdS)Nrz�Invalid configuration: conflicting settings STICKY_PATCH, [AUTO_]UPDATE_DELAY or [AUTO_]STICKY_PATCHSET. There should be only one of themzrelease-)r.�boolrr�ZUPDATE_DELAYZAUTO_UPDATE_DELAYZSTICKY_PATCHSETZAUTO_STICKY_PATCHSETrr�UPDATE_MODE_MANUAL)r�r�r�Zpatchsetr7r7r8�
get_sticky�s$
r�cCs|d|S)Nr:r7)r�r�r7r7r8�	_stickyfy�sr�cCs t|�}|s|S|dkr"t||�Stj�}|sDtjjd�tjd�yt	j
tj�dj
|��}Wn:tk
r�}ztj||j�tjd�WYdd}~XnXtjtj|j���}t|d�}|dkr�t|d	|�S|d
kr�|S|dk�r�tjjd�tjd�tjjd
|d�tjd�dS)z�
    Used to add sticky prefix to satisfy KCARE-953
    :param file: name of the file to stickify
    :return: stickified file.
    �KEYzHPatch set to STICKY_PATCH=KEY, but server is not registered with the keyr�z!/sticky_patch.plain?server_id={0}r�Nr�rr�rrnzEServer ID is not recognized. Please check if the server is registeredzError: r�r�r�r�r;r�)r�r�rr�r	rwr�rOr*r
r�rr�r�rr�rkr
r�rgrr~)�filer��sr�r�r�r�r�r7r7r8r��s2



r�c
Cs�g}|sdS|jd�}|d}|dd�}|jd�}||krLtdt|���|s`|j�|j�kS|dkrt|jd�n>|jd	�s�|jd	�r�|jtj|��n|jtj|�j	d
d��x|D]}|jtj|��q�Wtj
dd
j|�dtj�}	|	j
|�S)zhMatching according to RFC 6125, section 6.4.3

    http://tools.ietf.org/html/rfc6125#section-6.4.3
    Fr:rrN�*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)r<r�r��repr�lowerr5r��re�escape�replace�compiler=Z
IGNORECASErV)
Zdn�hostnameZ
max_wildcardsZpats�piecesZleftmostZ	remainderZ	wildcardsZfragZpatr7r7r8�_dnsname_matchs(


r�c	Cs
g}xBt|j��D]2}|j|�}|j�dkrdd�t|�jd�D�}qW|sTtd��g}x0|D](\}}|dkr^t||�r|dS|j|�q^W|s�|j	�j
}t||�r�dS|j|�t|�dkr�tdj
|d	jtt|�����n,t|�dk�r�td
j
||d���ntd��dS)
NZsubjectAltNamecSsg|]}|j�jdd��qS)rer)r�r<)r��itr7r7r8r�<sz"match_hostname.<locals>.<listcomp>�,ztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDZDNSrz(hostname {0} doesn't match either of {1}z, zhostname {0} doesn't match {1}rz=no appropriate commonName or subjectAltName fields were found)�rangeZget_extension_countZ
get_extensionZget_short_namer`r<r�r�r5Zget_subjectZ
commonNamer�r�r�r=�mapr�)	Zcertr�Zsanr�r�Zdnsnamesr�raZcnr7r7r8r�7s0




r�cCs$
tddd�}|jdddd�|jdd	d
dd�|jdddd�|jd
dddd�|jdddd�|jdddd�|jdddd�|jdddd�|jdddd�|jdddd�|jdd dd�|jd!d"dd�|jd#d$dd�|jd%d&dd�|jd'd(d)d�|jd*d+dd�|jd,d-dd�|jd.d/dd�|jd0d1dd�|jd2d3dd�|jd4d5d6d�|jd7d8d9d�|jd:d;dd�|jd<d=d)d�|jd>d?dd�|jd@dAdd�|jdBdCdd�|jdDdEdd�|jdFdGdd�|jdHdIdd�|jdJdKdd�|jdLdMdd�|jdNdOdPtddQdR�|jdSdTdd�|jdUdVdd�|j�}|jdWdXdPd�|jdYdZdd�|jd[d\dd�|jd]d^dPddQd_�|jd`dadbddQdc�|jdddedf�|jdgdhdd�|jdidjdkdldm�tj�s�|jdndodpdqdQdr�|jdsdtdpdqdudr�|jdvdwdd�|jdxdydzdd�|jd{ddd�|jd|d}d~dd�|jdd�d�dd�|jd�d�d�d�d�|jd�d�d�dd�d��|jd�d�dd�|jd�d�dd�|j�}tjjt	j
��tj�s�tjd�g7_|jdk	�rt
td|jjd����jtj��rd�Sd�S|j�s|j�r2tj�r(tjt_ntjt_n|j�rBtjt_|j�sjtj�d�k�rjtd�tjd��d�St j!}|j�r�t j"}n|j�r�t j#}t$j%|�|j&�r�t'j(�|j)�r�|j)d�k�r�t*|j)�t_+t	j,tj+d��ndt_+t	j,dd��|j-dk	�rt	j,|j-d��|j-t_.|j/�rdQt_0|j1�r(dQt_2|j3�r6dut_4|j5�rDt5�|j6�rZt7j8d�t9�n8|j:�r�tj;d�k�r�tj<d�k�r~dntj<�p�d�|_=du|_|j>�r�|j>t_?|j@�r�t7j8d�t9�d�t_?tj?jAd��t_?tj?�r�tj?tBk�r�t$jCjDd�jEtj?d�jFtB���|jG�rdut_Hd�|jGt_I|j=�r&tJ|j=�tj;d�k�rTtK�t_;t7j8d�jEtj;�pLd��t9�|jL�rrttMjL|jNd���dStOtj;�|jP�r�tQ�dS|jR�r�|jN�r�tRd�d��ntR�dS|jS�r�t	j,d�d��dS|jT�r�t	j,d�d��dS|jU�r�t	jV|jU�dS|jW�rtX|jW�S|jY�rtZjY�|j[�rNtj;d�k�r>t	j,d�d��tZj[|j[|j\�S|j]�rltZj]�d�k�rhd�Sd�S|j^dk	�r�t_|j^�S|j`�r�ttja�tb|dpd�dk	�r�tcjd|je�d�Stj�s�|jf�r�tcjg�S|jh�r�tcji�dk	�r�t$jjd��|jk�rtcjitjld��n|jm�r tcjn�t$jjd��|jo�r4ttcjp��|jq�rHttcjr��|js�rjtcjt��rjttcju|js��|jvdk	�r�|jvdk�r�tjw�p�txtcjyjz��}nd�d��|jvjd��D�}tcjit{|�d��dk	�r�t$jjd��|j|�r�tcjitjldd��|j}�	rtt~|jNd���d}|j�	rt7j8d�t9�d�}|j��	r*|j�}|j��	rDt�|tj�tj�d��|j�	rdt�|tj�d��t$jjd��|j�	rxtt�j���|j��	r�t�||j�d��t$jjd��|j�	r�dQt_�t�j�t�j�d�d���t�|tjld��|j��	r�t�|jNd��|j��	r�t��S|j��	r�t�|jNd��|j��
r
t��t�tj��d�k�
r t��dS)�NZkcarectlz)Manage KernelCare patches for your kernel)Zprogr�z--debugrGZ
store_true)�helpr�z-iz--infoz]Display information about KernelCare. Use with --json parameter to get result in JSON format.z
--app-infozcDisplay information about KernelCare agent. Use with --json parameter to get result in JSON format.z-uz--updatez<Download latest patches and apply them to the current kernelz--unloadzUnload patchesz--smart-updatez,Patch kernel based on UPDATE POLICY settingsz
--auto-updatez-Check if update is available, if so -- updatez--localzNUpdate from a server local directory; accepts a path where patches are located�PATH)r��metavarz--patch-infoz"Return the list of applied patchesz	--freezerz)Freezer type: full (default), smart, noner�z
--nofreezez/[deprecated] Don't freeze tasks before patchingz--unamezReturn safe kernel versionz--license-infozReturn current license infoz--statuszReturn status of updatesz
--registerzRegister using KernelCare Keyr�z--register-autoretryz=Retry registering indefinitely if failed on the first attemptz--unregisterz7Unregister from KernelCare (for key-based servers only)z--checkzCheck if new update availablez--latest-patch-infoziReturn patch info for the latest available patch. Use with --json parameter to get result in JSON format.z--testz&[deprecated] Use --prefix=test insteadz--tagz7Tag server with custom metadata, for ePortal users onlyZTAGz--prefixzpPatch source prefix used to test different builds by downloading builds from different locations based on prefixr�z
--nosignaturezDo not check signaturez--set-monitoring-keyzPSet monitoring key for IP based licenses. 16 to 32 characters, alphanumeric onlyz--doctorz@Submits a vitals report to CloudLinux for analysis and bug-fixesz--enable-auto-updatezEnable auto updatesz--disable-auto-updatezDisable auto updatesz
--plugin-infozProvides the information shown in control panel plugins for KernelCare. Use with --json parameter to get result in JSON format.z--jsonzoReturn '--plugin-info', '--latest-patch-info', '--patch-info', '--app-info' and '--info' results in JSON formatz	--versionz(Return the current version of KernelCarez--kpatch-debugzEnable the debug modez--no-check-certz2Disable the patch server SSL certificates checkingz--set-patch-levelzBSet patch level to be applied. To select latest patch level set -1ZstoreF)r�r�rZr�requiredz--check-compatibilityzCheck compatibility.z
--clear-cachezClear all cached filesz--set-patch-typez@Set patch type feed. To select default feed use 'default' optionz
--edf-enabledz"Enable exploit detection frameworkz--edf-disabledz#Disable exploit detection frameworkz--set-sticky-patchzjSet patch to stick to date in DDMMYY format, or retrieve it from KEY if set to KEY. Leave empty to unstick)r�r�rr�z-qz--quietz=Suppress messages, provide only errors and warnings to stderr)r�r�r�z--has-flagszCheck agent features)r�z--forcez-Force action and ignore several restristions.z--set-configzChange configuration optionr5z	KEY=VALUE)r�r�r�z--disable-libcarezDisable libcare services�enable_libcareZstore_const)r�Zdestr��constz--enable-libcarezEnable libcare servicesTz--lib-updatezIDownload latest patches and apply them to the current userspace librariesz--lib-unloadz--userspace-unloadzUnload userspace patchesz--lib-auto-updatez
--lib-infoz--userspace-infoz&Display information about KernelCare+.z--lib-patch-infoz--userspace-patch-infoz,Return the list of applied userspace patchesz
--lib-versionz--userspace-versionzReturn safe package versionZPACKAGENAMEz--userspace-update�USERSPACE_PATCHESr�zODownload latest patches and apply them to the corresponding userspace processes)r�Znargsr�r�z--userspace-auto-updatez--userspace-statusz"Return status of userspace updateszlibcare-enabledr�rrzPlease run as root)r�)r)r�zTFlag --edf-enabled has been deprecated and will be not available in future releases.r�rzMFlag --test has been deprecated and will be not available in future releases.r%�/z(Prefix `{0}` is not in expected one {1}.r{zfile:z+edf patches are deprecated. Fallback to {0})r7re)r�ZYES)r�ZNOrbr�)rzUserspace patches are applied.)r�zUserspace patches are unloaded.cSsg|]}|j�j��qSr7)r�r�)r�Zptchr7r7r8r��szmain.<locals>.<listcomp>)�limit)r�r�zQFlag --nofreeze has been deprecated and will be not available in future releases.r�)r�r3zKernel is safe)r�z=KernelCare protection disabled. Your kernel might not be safe�<)�rZadd_argumentr~Zadd_mutually_exclusive_grouprZLIBCARE_DISABLEDZ
parse_args�__dict__r6rZget_config_settingsZFLAGSZ	has_flagsr+�filterr<�issubset�quietZauto_updateZSILENCE_ERRORSrZPRINT_CRITICALZPRINT_LEVELZPRINT_ERRORr
ZPRINT_DEBUGr}r,�getuidr�rOr~�loggingZINFOZWARNING�DEBUGr	Zinitialize_loggingr�r
Zclear_all_cacheZset_patch_levelr`rr�Zset_sticky_patchr�ZnosignaturerZ
no_check_certr�rjrkr`Zedf_enabled�warnings�warn�DeprecationWarningZedf_disabledrZPREV_PATCH_TYPEZset_patch_typer�r�r%r��EXPECTED_PREFIXrwrKr�r=ZlocalrdZPATCH_SERVERr�r�Zapp_inforrerFZdoctorr�r�Zenable_auto_updateZdisable_auto_updateZ
set_configZupdate_config_from_argsZset_monitoring_keyr�Z
unregisterr�registerZregister_autoretryr�r�r�r�r]r_rZset_libcare_statusr�Zuserspace_statusZget_userspace_update_statusZ
lib_updateZdo_userspace_updaterZlib_auto_updater�Z
lib_unloadZlibcare_unloadZlib_infor0Zlib_patch_infoZlibcare_patch_infoZlib_versionZlibcare_server_startedZlibcare_versionZuserspace_updater��listZ
USERSPACE_MAP�keys�sortedZuserspace_auto_updater�r/Znofreezer�Zsmart_updater�r�Z
UPDATE_POLICYr�rr�r�r�r�ZCHECK_CLN_LICENSE_STATUSrurv�randomZuniformr8Zstatusr�Zlatest_patch_infor;Zcheckr+r��argvr2)ZparserZexclusive_groupr�r�r�r�r7r7r8�main`s 












r�)r"r#r$r%)r&)N)N)F)F)N)rGF)rGF)r)�Z
__future__rrhrer�r,r�r�r�rvr�ZsslrOr�rurNr�Zargparserr�
contextlibrrGrrr	r
rrr
rrrrrrrrrrrZpy23rrrrrrrr r�r�r�r/r�rrHr�r�ZDOTALLr rUr-r��insert�filterwarningsr�rwZsetLevelr�r9r@rFrcrlr|r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r_Zdistutils.versionZ	distutilsZOpenSSL.SSLr�r�Z
StrictVersionZ__version__�ImportErrorr�ZHTTPSConnectionZPureHTTPSConnection�objectr�r�r�r�rrrrr+r2r;r-r=r8rCrFrMrTrXrYr\r_r`rdrirmrrprzryr�r�r�r�r�r�r�r�r�r�r/r�r(r�r�r�r�r4r�r�r�r�r�r�r�r�r�r7r7r7r8�<module>s

	
&	


4
	a	#
 
		




?


,2
%7,
3)