Tenant loop #77
add to an existing node just prints an error
added new update command that will delete and then re-add the node with new parameters
delete will now confirm that the node was deleted before returning
fixes keylime#45
@lukehinds i don't seem to be able to tag this PR or assign it. Also this is my first foray into doing this the proper git/contributor way. go easy on me =). i already managed to reference the wrong issue and make a bunch of typos. i really hate these new mac keyboards
No worries, I think the issue was that your commit message had four spaces in front of each sentence, which resulted in it being formatted as code (you can see where I removed the 4 spaces from 'fixes'). I just need to work out how this has side stepped travis :)
Ha! the reason for the spaces is that i've tried probably 5 different ways of getting this pushed. I kept copying my commit message from git log (which puts in the spaces). I tried doing it directly to the keylime repo. made my own fork. then fought with ssh and https auth. finally i found that my local repo was corrupt. I had to go and re-pull it and start all over.
Seeing a few things wrong (unless I am mistaken)... I see the node register:
I then try to add again:
Good, that's as expected. A small nit: Is it possible to only output the Exception (last line) and not the python stack trace (or maybe that's because it's in
I then try to delete:
keylime/tenant.py
deleted = False | ||
for _ in range(12): | ||
response = tornado_requests.request("GET", "http://%s:%s/instances/%s"%(self.cloudverifier_ip,self.cloudverifier_port,self.node_uuid),context=self.context) | ||
if response.status_code == 404: |
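Review bot: in the `for _ in range(12)` loop, `response.status_code == 404` is the only outcome tested in the lines shown, so a 200 for a node that is still present and an error status from the verifier both just consume retries until the loop ends. Keep the last status code seen and include it in the timeout error so a stuck delete can be told apart from a verifier fault, and give the literal 12 a name or a config option that documents the total wait. The URL is also built with a literal `http://` while `context=self.context` is passed; a short comment stating whether `tornado_requests` switches the scheme when a context is supplied would save the next reader from checking.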
I think you should be looking for a 200 here?
DELETE returning 200 response for instance id: D432FBB3-D2F1-4A97-9EF7-75BD81C00000
actually that call is to get the status of the node, so i want it to show a 404 to confirm that the node's been deleted from the database. do you see any logs on the verifier that show that the status request is being serviced?
actually the verifier doesn't log 404s i think.
It looks like the delete is actually failing somehow:
[root@localhost ~]# keylime_tenant -v 127.0.0.1 -t 127.0.0.1 --uuid D432FBB3-D2F1-4A97-9EF7-75BD81C00000 -c delete
Using config file /etc/keylime.conf
2019-03-11 17:09:29.664 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-03-11 17:09:29.664 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
2019-03-11 17:09:34.739 - keylime.tenant - ERROR - Timed out waiting for delete of node D432FBB3-D2F1-4A97-9EF7-75BD81C00000 to complete at CV
verifier:
2019-03-11 17:09:29.685 - keylime.cloudverifier - INFO - DELETE returning 200 response for instance id: D432FBB3-D2F1-4A97-9EF7-75BD81C00000
I then make up a UUID:
[root@localhost ~]# keylime_tenant -v 127.0.0.1 -t 127.0.0.1 --uuid D432FBB3-D2F1-4A97-9EF7-75BD81CXXXXX -c delete
Using config file /etc/keylime.conf
2019-03-11 17:09:45.092 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-03-11 17:09:45.092 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
2019-03-11 17:09:45.106 - keylime.tenant - ERROR - Delete command response: 404 Unexpected response from Cloud Verifier.
2019-03-11 17:09:45.106 - keylime.tenant - ERROR - Response code 404: instance id not found
2019-03-11 17:09:45.104 - keylime.cloudverifier - INFO - DELETE returning 404 response. instance id: D432FBB3-D2F1-4A97-9EF7-75BD81CXXXXX not found.
The message "Timed out waiting for delete of node D432FBB3-D2F1-4A97-9EF7-75BD81C00000 to complete at CV" actually comes from the status check. the made up uuid works as expected. can you try doing an add after the failed delete?
I think we might be able to ignore the above, this is from when a failed tenant quote state exists.
Some more details.
Get the node into a failed quote state:
2019-03-11 17:46:28.144 - keylime.cloudverifier - WARNING - Instance D432FBB3-D2F1-4A97-9EF7-75BD81C00000 has failed tenant quote. stopping polling
Try to delete the node:
keylime_tenant -v 127.0.0.1 -t 127.0.0.1 --uuid D432FBB3-D2F1-4A97-9EF7-75BD81C00000 -c delete
Using config file /etc/keylime.conf
2019-03-11 17:50:00.290 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-03-11 17:50:00.290 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
2019-03-11 17:50:05.409 - keylime.tenant - ERROR - Timed out waiting for delete of node D432FBB3-D2F1-4A97-9EF7-75BD81C00000 to complete at CV
If it's a registered node not in a failed quote state, it deletes ok:
keylime_tenant -v 127.0.0.1 -t 127.0.0.1 --uuid D432FBB3-D2F1-4A97-9EF7-75BD81C00000 -c delete
Using config file /etc/keylime.conf
2019-03-11 17:48:25.801 - keylime.tenant - WARNING - CAUTION: using default password for private key, please set private_key_pw to a strong password
2019-03-11 17:48:25.801 - keylime.tenant - INFO - Setting up client TLS in /var/lib/keylime/cv_ca
2019-03-11 17:48:25.844 - keylime.tenant - INFO - Node D432FBB3-D2F1-4A97-9EF7-75BD81C00000 deleted from the CV
The verifier is not giving us much more than the 200 each time:
2019-03-11 17:51:46.945 - keylime.cloudverifier - INFO - DELETE returning 200 response for instance id: D432FBB3-D2F1-4A97-9EF7-75BD81C00000
yeah, the verifier just marks the node for deletion and returns 200. I thought that this code would just immediately delete it if it was already failed
https://github.com/keylime/python-keylime/blob/7b0a5b4c57e0efd7add2cac88a7ad0eca95e9a90/keylime/cloud_verifier_tornado.py#L151-L154
I'll debug a little and see what's going on
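The delete semantics discussed in this comment (DELETE returns 200 once the node is marked for deletion, and only a later status request returning 404 confirms removal), as an added example that is not part of the PR or of keylime's code. `StubVerifier` and `delete_and_confirm` are hypothetical names, and the stub's behaviour is constructed for illustration.

```python
import time

class StubVerifier:
    """Constructed stand-in for a verifier: DELETE only marks the node, and
    the record disappears after `polls_until_gone` status requests."""
    def __init__(self, polls_until_gone):
        self.nodes = {}
        self.polls_until_gone = polls_until_gone

    def add(self, uuid):
        self.nodes[uuid] = {"terminating": False, "polls": 0}

    def delete(self, uuid):
        if uuid not in self.nodes:
            return 404
        self.nodes[uuid]["terminating"] = True
        return 200  # accepted, but the record still exists

    def status(self, uuid):
        node = self.nodes.get(uuid)
        if node is None:
            return 404
        if node["terminating"]:
            node["polls"] += 1
            if node["polls"] >= self.polls_until_gone:
                del self.nodes[uuid]
                return 404
        return 200

def delete_and_confirm(verifier, uuid, attempts=12, delay=0.0):
    """Issue the delete, then poll status until 404. Returns (outcome,
    last_status) so a timeout reports what the verifier last answered."""
    code = verifier.delete(uuid)
    if code == 404:
        return ("not_found", code)
    if code != 200:
        return ("delete_rejected", code)
    last = None
    for _ in range(attempts):
        last = verifier.status(uuid)
        if last == 404:
            return ("deleted", last)
        time.sleep(delay)
    return ("timed_out", last)
```
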
hrm, i wasn't able to reproduce this one. when it is in a failed state it does delete for me.
@lukehinds try this version. behaves differently depending on the state of the node on the verifier
@lukehinds i wasn't sure if you'd checked this latest branch for your problem when you posted this comment? let me know if you're still having trouble.
Thanks buddy, should be testing it shortly. I want to get this one in for the next release too
hi @nabilschear this still fails for me, here is the complete session: https://gist.github.com/lukehinds/a624d1672628adbccf5a95a83252fb20 I am testing this out on a fresh install every time (that passes Just let me know if you would like me to try anything else.
Is this being run on a machine with an emulated TPM? If so, it looks like EK cert checking is not turned off: "Error processing ek/ekcert". This is throwing an exception which might be causing other issues, too.
Good point, will check first thing in the morning!
Apologies for wasting a few cycles. I thought my set up script was toggling off require ek, but it seems not. So this works better for me now, the last point I have is why use
I don't think you need to change it in this patch. I will create a new issue and we can discuss removing them all from
fixes #75