github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 19:24:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

First release of open-appsec source code

Browse Source
This commit is contained in:
roybarda
2022-10-26 19:33:19 +03:00
parent 3883109caf
commit a883352f79
1353 changed files with 276290 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
nodes/orchestration/CMakeLists.txt Executable file
View File

@@ -0,0 +1,145 @@
add_subdirectory(package)
add_executable(orchestration_comp main.cc)
target_link_libraries(
orchestration_comp
-Wl,--start-group
${COMMON_LIBRARIES}
generic_rulebase
generic_rulebase_evaluators
ip_utilities
http_transaction_data
version
signal_handler
orchestration
health_check
health_check_manager
service_controller
manifest_controller
package_handler
orchestration_modules
details_resolver
orchestration_downloader
update_communication
orchestration_tools
messaging_downloader_client
k8s_policy_gen
curl
-Wl,--end-group
)
install(TARGETS orchestration_comp DESTINATION bin)
install(TARGETS orchestration_comp DESTINATION orchestration/bin)
install(FILES package/certificate/ngen.body.crt DESTINATION orchestration/certificate/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES package/certificate/public-keys/cloud-ngen.pem DESTINATION orchestration/certificate/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES package/certificate/public-keys/dev-i2.pem DESTINATION orchestration/certificate/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES package/certificate/public-keys/i2.pem DESTINATION orchestration/certificate/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES package/certificate/public-keys/stg-i2.pem DESTINATION orchestration/certificate/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_regex.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_regex
)
install(FILES ${boost_regex} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_atomic.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_atomic
)
install(FILES ${boost_atomic} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_chrono.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_chrono
)
install(FILES ${boost_chrono} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_context.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_context
)
install(FILES ${boost_context} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_filesystem.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_filesystem
)
install(FILES ${boost_filesystem} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_iostreams.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_iostreams
)
install(FILES ${boost_iostreams} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_system.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_system
)
install(FILES ${boost_system} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_system.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_system
)
install(FILES ${boost_system} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libboost_thread.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE boost_thread
)
install(FILES ${boost_thread} DESTINATION orchestration/lib/boost)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libcrypto.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE crypto
)
install(FILES ${crypto} DESTINATION orchestration/lib)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libssl.so/{printf $NF\";\"}'"
OUTPUT_VARIABLE ssl
)
install(FILES ${ssl} DESTINATION orchestration/lib)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libcurl.so/{sub(/[^/]*$/,\"\", $NF); path=$NF}END{system(\"ls \"path\"libcurl.so*\")}' | awk '{printf $1\";\"}'"
OUTPUT_VARIABLE curl
)
install(FILES ${curl} DESTINATION orchestration/lib)
execute_process (
COMMAND bash -c "ldconfig -p | awk '/libz.so/{sub(/[^/]*$/,\"\", $NF); path=$NF}END{system(\"ls \"path\"libz.so*\")}' | awk '{printf $1\";\"}'"
OUTPUT_VARIABLE z
)
install(FILES ${z} DESTINATION orchestration/lib)
install(DIRECTORY scripts DESTINATION orchestration USE_SOURCE_PERMISSIONS)
gen_help(
"--token <token>" "Registration token"
"--fog <fog URL>" "Agents Fog Addresss (valid URL)"
"--proxy [user:pass@]<proxy URL>:<proxy port>" "Proxy address"
"--offline_mode" "Run the Orchestration Nano service in offline mode"
"--external_addresses <IPs list>" "List of Agents Host IP Addresses"
"--certs-dir <Trusted CA directory>" "Path to the hosts trusted ca directory"
"--public-key <Public key file path>" "Path to the SSL certificate's public key file (PEM format)"
"--ignore <ignore packages list>" "List of ignored packages"
"-ia" "Ignore access control package"
)
set_package_params("--platform x86")
gen_package(
install-cp-nano-agent.sh
orchestration
"./orchestration_package.sh;--x86"
Check Point Nano Agent Version ${PACKAGE_VERSION} Install Package
)

89
nodes/orchestration/main.cc Executable file
View File

@@ -0,0 +1,89 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <iostream>
#include <vector>
#include <string>
#include <algorithm>
#include <unistd.h>
#include "messaging_downloader_client.h"
#include "time_proxy.h"
#include "shell_cmd.h"
#include "debug.h"
#include "config.h"
#include "config_component.h"
#include "orchestration_comp.h"
#include "mainloop.h"
#include "version.h"
#include "signal_handler.h"
#include "environment.h"
#include "rest_server.h"
#include "logging_comp.h"
#include "rest.h"
#include "proto_message_comp.h"
#include "encryptor.h"
#include "downloader.h"
#include "orchestration_tools.h"
#include "service_controller.h"
#include "manifest_controller.h"
#include "package_handler.h"
#include "update_communication.h"
#include "orchestration_status.h"
#include "details_resolver.h"
#include "agent_details.h"
#include "signal_handler.h"
#include "cpu.h"
#include "memory_consumption.h"
#include "messaging_buffer.h"
#include "agent_details_reporter.h"
#include "instance_awareness.h"
#include "socket_is.h"
#include "health_checker.h"
#include "health_check_manager.h"
#include "generic_metric.h"
#include "tenant_manager.h"
#include "k8s_policy_gen.h"
using namespace std;
#include "components_list.h"
#include "messaging_downloader_server.h"
#include "external_sdk_server.h"
int
main(int argc, char **argv)
{
NodeComponents<
OrchestrationStatus,
OrchestrationTools,
PackageHandler,
Downloader,
ServiceController,
ManifestController,
UpdateCommunication,
AgentDetailsReporter,
DetailsResolver,
OrchestrationComp,
HealthChecker,
HealthCheckManager,
MessagingDownloaderClient,
K8sPolicyGenerator
> comps;
comps.registerGlobalValue<uint>("Nano service API Port Primary", 7777);
comps.registerGlobalValue<uint>("Nano service API Port Alternative", 7778);
comps.registerGlobalValue<string>("Tenant manager type", "server");
return comps.run("Orchestration", argc, argv);
}

27
nodes/orchestration/package/CMakeLists.txt Executable file
View File

@@ -0,0 +1,27 @@
add_subdirectory(cpnano_debug)
add_subdirectory(cpnano_json)
install(FILES EULA.txt DESTINATION ./orchestration/EULA.txt PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES Licenses-for-Third-Party-Components.txt DESTINATION ./orchestration/Licenses-for-Third-Party-Components.txt PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES orchestration_package.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-agent-info.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES k8s-check-update-listener.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES k8s-check-update-trigger.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-agent-uninstall.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-cli.sh DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-package-list DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES service/arm32_openwrt/nano_agent.init DESTINATION ./orchestration/service/arm32_openwrt/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES service/smb/nano_agent.init DESTINATION ./orchestration/service/smb/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES service/x86/ubuntu16/nano_agent.service DESTINATION ./orchestration/service/x86/ubuntu16/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES service/x86/ubuntu14/nano_agent.conf DESTINATION ./orchestration/service/x86/ubuntu14/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES service/x86/ubuntu14/nano_agent.init DESTINATION ./orchestration/service/x86/ubuntu14/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES configuration/orchestration.cfg DESTINATION ./orchestration/configuration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES configuration/cp-nano-orchestration-conf.json DESTINATION ./orchestration/configuration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES configuration/cp-nano-orchestration-debug-conf.json DESTINATION ./orchestration/configuration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/watchdog DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

145
nodes/orchestration/package/EULA.txt Normal file
View File

@@ -0,0 +1,145 @@
Software License Agreement & Limited Hardware Warranty
Check Point Software Technologies Ltd.
PART I - SOFTWARE LICENSE AGREEMENT
This License Agreement (the “Agreement”) is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter “You” or “Your”) and Check Point Software Technologies Ltd. (hereinafter “Check Point”).
TAKING ANY STEP TO SET-UP, USE OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT SUCH ORDER IS CONSIDERED AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. THIS AGREEMENT SUPERSEDES ANY PREVIOUS VERSIONS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.
1. DEFINITIONS
“Affiliate” means any legal entity (i) directly or indirectly owning or controlling You; (ii) under the same direct or indirect ownership or control as You; or (iii) directly or indirectly controlled by You. Ownership or control shall exist through direct or indirect ownership of more than fifty percent (50%) of the nominal value of the issued equity share capital or of more than fifty percent (50%) of the voting rights.
“Licensed Configuration” means to the extent applicable, as indicated on the License Key, the choice of features and the maximum number of users, devices or nodes (an internal computing device with an IP address) on the trusted side of the network or that is trying to traverse the firewall, and the numbers of cores, or the maximum throughput capacity stated, or the code generated from the master installation, or any other hardware or software specifications, as declared by You in Your purchase order, or request for License Key, and upon which the licensing fee was based. If the Product purchased by You does not come with a License Key then the Licensed Configuration shall be the minimum configuration allowed for the Product by Check Point upon which the licensing fee was based.
“Licensed-server” means the server or appliance (defined by the host ID identified by You to Check Point when obtaining the License Key) which enables the Product to operate in accordance with the Licensed Configuration.
“License Key” means the code provided to You by Check Point, which enables the Product to operate on the Licensed-server or appliance for the specified Licensed Configuration.
“Product” means the object code copy of the software program, including Third Party Software, provided to You in association with this Agreement, together with the associated original electronic media and/or associated hardware devices (“Hardware Products”) and all accompanying manuals and other documentation, if available, and together with all enhancements, upgrades, and extensions thereto that may be provided by Check Point to You from time to time.
“Managed Service Provider” means (a) You are in the regular business of managing the functionality of the Product for a fee, to entities that are not Your Affiliates (each a “Service Customer”); or if You are a company that provides such managed services to Standard Users that are a part of your corporation or of your Affiliates or (b) You indicated in Your purchase order or in requesting the License Key, that You intend to use the Products on behalf of Service Customers, and (c) You purchased the managed service provider package, if applicable.
“Standard User” means You indicated in Your purchase order or in requesting the License Key that You intend to use the Products on Your own behalf, or You obtained the products from a Managed Service Provider, reseller, vendor or any other intermediate supplier.
“Third Party Software” means any software programs provided by third parties contained in the Product.
“Third Party Software Provider” means the third party that has the right to provide and grant licenses for the use of Third Party Software.
2. LICENSE AND RESTRICTIONS
2.1 License. Subject to the terms and conditions of this Agreement, and payment of the applicable Product fees, Check Point hereby grants only to You, a non-exclusive, non-sublicensable, non-transferable perpetual license (with the exception of (i) the license shall not be perpetual if the Product is designated for a limited time period only, in which case the license shall terminate at the expiration of the applicable period; and (ii) with regards to any Hardware Product, the license shall be valid only as part of and for the life of the originally designated Hardware Product) to install and use the copy of the Product in accordance with the relevant end user documentation provided by Check Point only on the Licensed-server and only for the Licensed Configuration. You have no right to receive, use or examine any source code or design documentation relating to the Product.
2.2 Standard User Restrictions. If You are a Standard User, the Products are licensed to You solely for use by You to provide policy management for Your own operations. To the extent applicable, You may reproduce the downloaded or installed Product for the purpose of connecting only with a duly licensed Check Point product, in accordance with the functionality, as described in the accompanying documentation for which You have paid the applicable fees to Check Point, and only within the designated limits of Your Product license for which You have purchased and provided to users, according to the restricted, maximum, authorized number of users, computer instances (means a computing unit individuated by an instance of an operation system), or copies of the Product (as the case may be) that can be used and installed at any given time. No Product, nor any portion thereof, may be used by or on behalf of, accessed by, re-sold to, rented to, or distributed to any other party.
2.3 Managed Service Provider Restrictions. If You are a Managed Service Provider, the Products are licensed to You for use by You to manage the functionality of the Product only for the operations of Your Service Customers. You are responsible for the compliance with the applicable terms and conditions set forth in this Agreement by your Service Customers. No Product, nor any portion thereof, may be used by or on behalf of, accessed by, re-sold to, rented to, or distributed to multiple customers, or to any other party, except for the management of Your Service Customers who have made a valid purchase of the Product.
2.4 General Restrictions. Except for copies solely for back-up or disaster recovery purposes or as may be permitted by applicable law, You may not copy the Product, in whole or in part. You must reproduce and include the copyright notice and any other notices that appear on the original Product on any back up copy. You agree not to allow others to use the Product and You will not use the Product for the benefit of third parties. You acknowledge that the source code of the Product, and the underlying ideas or concepts, are valuable intellectual property of Check Point and You agree not to, except as expressly authorized and only to the extent established by applicable statutory law, attempt to (or permit others to) decipher, reverse translate, decompile, disassemble or otherwise reverse engineer or attempt to reconstruct or discover any source code or underlying ideas or algorithms or file formats or programming or interoperability interfaces of the Products by any means whatsoever. You will not develop methods to enable unauthorized parties to use the Product, or to develop any other product containing any of the concepts and ideas contained in the Product not independently developed by You. You will not (and will not direct any third party to) modify Product or incorporate any portion of Product into any other software or create a derivative work of any portion of the Product. You will not (and will not direct any third party to) remove any copyright or other proprietary notices from the Product. Your use of the Product may require the purchase of separate licenses to use particular features, functionalities, operations, or capabilities.
2.5 Specific Restrictions. The Product is licensed to You based on the applicable Licensed Configuration purchased, as set forth in the Licensed Configuration definition in Section 1. The License permits the use of the Product only in accordance with the Product specifications as declared by You in Your purchase order, or request for License Key, and upon which the licensing fee was based. It is a violation of this License Agreement to create, set-up or design any hardware, software or system which alters the number of readable IP addresses, users, number of cores or exceeds the maximum throughput capacity presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.
2.6 Evaluation License. This Section shall only apply if You are licensing the Product for an initial evaluation period. The license is valid only for the designated evaluation period and is designed to allow You to evaluate the Product during such period. In the event that You wish to enter into a longer-term license agreement with Check Point, You may request a License Key from Check Point which if provided to You will allow You to use the Product after such evaluation period, but only subject to all of the terms and conditions of this Agreement. In the event that You determine not to enter into a licensing transaction with Check Point at the end of such evaluation period, or in the event that Check Point advises You that discussions with respect to a licensing transaction have terminated, then Your rights under this Agreement shall terminate and You shall promptly return to Check Point or destroy all copies of the Product.
2.7 Disabled License-server. The License Key You obtain from Check Point enables the Licensed-server which enables You to use the Licensed Configuration of the Product. If your Licensed-server is disabled for any reason, Check Point may, at its sole discretion, issue You another License Key which will enable You to operate this Product on a substitute Licensed-server. In this event, You agree not to use the Product on the original Licensed-server nor its License Key.
2.8 Customization for Product with VPN Functionality. For a Product with VPN functionality, customization is permitted to allow the inclusion of a bitmap on the left side of the authentication challenge/response dialog, and the insertion of text in the authentication success and authentication failure dialog boxes; provided, however, that the Product is used to communicate with a Check Point VPN-1 gateway licensed to the entity using the Product and the customization may not contain any reference to a competitive gateway or to Check Point products or services without Check Points prior written approval.
2.9 Check Point Media Encryption Blade, DLP-1 Product Family and Check Point Capsule Docs Product Family. If you are using any of these products, in many countries you may be required to advise users that their data, actions taken on the data, and web traffic may be inspected. Please consult the Check Point user guide and local laws as applicable.
2.10 Third Party Violation. In purchasing a Product, You are acknowledging that Check Point may need to make a determination for You on the potential effect the identified programs may have on Your system. You agree that the Product may automatically delete and/or restrict access to certain programs and/or provide to You the customized ability to delete and/or restrict access to certain programs. The deletion and/or restriction of access to any of these programs may be in violation with other license agreements that You have knowingly or unknowingly agreed to. The deletion and/or restriction of these programs and the potential violation of a third party license is Your responsibility. Check Point has no ability to verify what, if any, third party agreements You may have agreed to.
2.11 Inspecting Encrypted Traffic. Certain Check Point products and/or features may enable the inspection of encrypted traffic. The ability to define the inspection rules is provided to You and You may define it based on your organizational needs. However, it shall be your sole responsibility to comply with all applicable laws and regulations in defining Your inspection rules and privacy regulations. You understand that this feature enables decrypting the traffic at the gateway in order to inspect it, after which it is re-encrypted before it is sent to the server.
3. MAINTENANCE AND SUPPORT
Check Point has no obligation to provide You with any service (such as, but not limited to, technical support, maintenance, upgrades, modifications, or new releases) under this Agreement. The purchase of services, if applicable, shall be governed by the applicable Service Level Agreement. Any purchase of upgrades shall be subject to this Agreement, unless otherwise indicated by Check Point.
4. TITLE AND INTELLECTUAL PROPERTY
All right, title, and interest in and to the Product shall remain with Check Point and its licensors. The Product is protected under international copyright, trademark and trade secret and patent laws. The license granted herein does not constitute a sale of the Product or any portion or copy of it.
5. TERM AND TERMINATION
This Agreement is effective until terminated. Check Point may terminate this Agreement upon Your breach of any of the provisions hereof that is not cured within thirty (30) days. This Agreement will terminate immediately without notice from Check Point if You (i) fail to comply with any material provision of this Agreement, or (ii) if the license of the Product is terminated for any reason. Upon termination of this Agreement, You agree to cease all use of the Product and to return to Check Point or destroy the Product and all documentation and related materials in your possession, and so certify to Check Point. Except for the license granted herein and as expressly provided herein, the terms of this Agreement shall survive termination.
6. INDEMNIFICATION
Check Point shall have the right, but not the obligation, to defend or settle, at its option, any action at law against You arising from a claim that Your permitted use of the Product under this Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide Check Point with written notice of any such claim within ten (10) days of Your notice thereof and provide reasonable assistance in its defense. Check Point has sole discretion and control over such defense and all negotiations for a settlement or compromise, unless it declines to defend or settle, in which case, You are free to pursue any alternative You may have.
7. LIMITED WARRANTY, WARRANTY DISCLAIMERS AND LIMITATION OF LIABILITY
7.1 Limited Software Warranty. Check Point warrants to You that the encoding of the software program on the media on which the Product is furnished will be free from defects in material and workmanship, and that the Product shall substantially conform to its user manual, as it exists at the date of delivery, for a period of ninety (90) days. Check Point's entire liability and Your exclusive remedy under this warranty shall be, at Check Point's option, either: (i) return of the price paid to Check Point for the Product, resulting in the termination of this Agreement, or (ii) repair or replacement of the Product or media that does not meet this limited warranty. EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN THIS SECTION 7.1, THE PRODUCT AND ANY SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. CHECK POINT DOES NOT WARRANT THAT THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. CHECK POINT DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied warranty may last, so the above limitations may not apply to You. This warranty gives You specific legal rights. You may have other rights that vary from state to state.
7.2 Limited Hardware Warranty. Check Points warranty for Hardware products is described in the Limited Hardware Warranty page attached to this Agreement.
7.3 Limitation of Liability. You are solely responsible for adequate protection and backup of the data and equipment used in connection with the Product. Check Point does not guarantee that use of the Product will be uninterrupted or error-free. Check Point does not guarantee that the information accessed by the Product will be accurate or complete. You acknowledge that performance of the Product may be affected by any number of factors, including without limitation, technical failure of the Product, the acts or omissions of third parties and other causes reasonably beyond the control of Check Point. Certain features of the Product may not be forward-compatible with future versions of the Product and use of such features with future versions of the Product may require purchase of the applicable future version of the Product.
EXCEPT FOR BODILY INJURY OF A PERSON, IN NO EVENT WILL CHECK POINT BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DAMAGES ARISING OUT OF THE SUBJECT MATTER OF THIS AGREEMENT, THE PRODUCT OR ANY SERVICES UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS), OR FOR LOSS OF OR CORRUPTION OF DATA, OR FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS OR TECHNOLOGY, IRRESPECTIVE OF WHETHER CHECK POINT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CHECK POINT'S MAXIMUM LIABILITY FOR DAMAGES SHALL BE LIMITED TO THE LICENSE FEES RECEIVED BY CHECK POINT UNDER THIS LICENSE FOR THE PARTICULAR PRODUCT(S) WHICH CAUSED THE DAMAGES. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to You.
8. PRE-RELEASE VERSIONS
8.1 License Grant. With respect to any pre-release version of a Check Point product, including a Beta or an Early Availability product (all collectively referred to herein as a “Beta Product”) that may be provided to You by Check Point from time to time, at its sole discretion, Check Point grants You a non-transferable and non-exclusive license to use the Beta Product for evaluation purposes only. The license is designed to provide You with early operational experience with the Beta Product and to provide Check Point with specified information regarding Your experiences with the installation and operation of the Beta Product. The license shall be in effect for a limited period as determined by Check Point and certain other restrictions may apply. You may be asked to sign a separate agreement pertaining to the Beta Product.
8.2 No Obligations. Check Point has no obligation to provide support, maintenance, upgrades, modifications, or new releases for a Beta Product. Owing to the experimental nature of the Beta Product, You are advised not to rely exclusively on the Beta Product for any reason. NOTWITHSTANDING THE AFOREMENTIONED IN THIS AGREEMENT, YOU AGREE THAT THE BETA PRODUCT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL CHECK POINT BE LIABLE TO YOU OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE OR EXPENSES INCURRED BY YOU IN CONNECTION WITH THE BETA TESTING. YOUR SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA TEST AND THIS LICENSE BY WRITTEN NOTICE TO CHECK POINT.
9. GOVERNMENT REGULATION AND EXPORT CONTROL
9.1 Government Regulations. You agree that the Product will not be shipped, transferred, or exported into any country or used in any manner prohibited by law.
9.2 Export. You acknowledge that the Product contains cryptographic features and is subject to international and local country laws governing import, export, distribution and use. The Product is subject to export control laws of the State of Israel and the United States and/or may be subject to additional export control laws applicable to You or in Your jurisdiction, including, without limitation, the United States. If the Product contains any encryption device You must contact Check Point's export regulation information page (checkpoint.com) for specific information. You agree that You will not ship, transfer, or export the Product into any country, or make available or use the Product in any manner, prohibited by law.
9.3 You understand and acknowledge that upon entry of the Product into the United States, it becomes subject to regulation by agencies of the U.S. government, including the U.S. Department of Commerce, which prohibit export or diversion of certain products and technology to certain countries. Any and all of Your obligations with respect to the Product shall be subject in all respects to such United States laws and regulations as shall from time to time govern the license and delivery of technology and products abroad by persons subject to the jurisdiction of the United States, including the Export Administration Act of 1979, as amended, any successor legislation, and the Export Administration Regulations (“EAR”) issued by the Department of Commerce, International Trade Administration, and Bureau of Export Administration. You warrant that You will comply in all respects with the export and reexport restrictions applicable to the Product and will otherwise comply with the EAR or other United States laws and regulations in effect from time to time.
9.4 You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, North Korea, Iran, Syria, Lebanon or Sudan or (ii) on the U.S Treasury Department list of Specially Designated Nationals or the U.S. Commerce Departments Table of Deny Orders.
10. GENERAL
10.1 Miscellaneous. You may not assign your rights or obligations under this Agreement without the prior written consent of Check Point. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, that provision of the Agreement will be enforced to the maximum extent permissible so as to affect the intent of the Agreement, and the remainder of the provisions of this Agreement shall remain in full force and effect. The laws of the State of Israel shall govern all issues arising under or relating to this Agreement, without giving effect to the conflict of laws principles thereof. All disputes arising under or relating to this Agreement shall be resolved exclusively in the appropriate Israeli court sitting in Tel Aviv, Israel. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sales of Goods, the application of which is expressly excluded. This Agreement sets forth the entire understanding and agreement between You and Check Point and may be amended only in writing signed by both parties.
10.2 Third Party Software. Certain Third Party Software may be provided with the Product for use in connection with the Product subject to the licenses of their respective proprietors. The provisions of this Agreement shall apply to all Third Party Software Providers and to Third Party Software as if they were Check Point and the Product, respectively, unless they are specifically listed and addressed at http://www.checkpoint.com/corporate/3rd-party-copyright/index.html, in which case, such Third Party Software Providers licenses terms will apply with respect to those specific Third Party Software products.
10.3 Government Restricted Rights. This provision applies to Products acquired directly or indirectly by or on behalf of any Government. The Product is a commercial product, licensed on the open market at market prices. Any use modification, reproduction, release, performance, display, or disclosure of the Product by any Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement, and no license to the Product is granted to any government requiring different terms.
10.4 Questions? Should You have any questions concerning this Agreement contact the manufacturer at Check Point Software Technologies Ltd., 5 Ha'Solelim Street, Tel Aviv, 67897 Israel.
PART II LIMITED HARDWARE WARRANTY
The warranties provided by Check Point in this Limited Hardware Warranty apply only to Hardware Products you purchase for your use, and not for resale. The term “Hardware Product” means a computing device with a specific function and limited configuration ability. The Hardware Product is sold by Check Point for the purpose of executing the specific Check Point Software supplied with it. NOTHING IN THIS STATEMENT OF LIMITED WARRANTY AFFECTS ANY STATUTORY RIGHTS OF CONSUMERS THAT CANNOT BE WAIVED OR LIMITED BY CONTRACT.
1. LIMITED HARDWARE WARRANTY
Check Point warrants that the hardware components of its Hardware Product shall be free from material defects in design, materials, and workmanship and will function, under normal use and circumstances, in accordance with the documentation provided, for a period of one (1) year from the date of activation of the Hardware Product. If the Hardware Product has not been activated, the warranty will be valid for fifteen (15) months from the date of Check Points shipment of the Hardware Product (“Warranty Period”).
After the Warranty Period, certain return material authorization (“RMA”) services, as provided by Check Point (which are not covered under this warranty), are available for all Hardware Products pursuant to a purchased and active Check Point support agreement.
Your sole and exclusive remedy, and Check Points sole and exclusive liability for defective hardware components, shall be that Check Point, subject to the terms and conditions of this Section 1, and solely upon confirmation of a defect or failure of a hardware component to perform as warranted, shall at its sole option, either repair or replace the nonconforming hardware component or return of the price paid for the Hardware Product. All replacement parts furnished to you under this warranty shall be refurbished and equivalent to new, and shall be warranted as new for the remainder of the original warranty period. If a hardware failure occurs in the first 30 days from the products software activation, Check Point will replace it with new part or full unit as may be needed. All defective parts, which have been replaced, shall become the property of Check Point. All defective parts that have been repaired shall remain Your property. This warranty gives You specific legal rights. You may have other rights that vary from state to state.
2. EXCLUSIONS
The foregoing warranties and remedies shall be void as to any Hardware Products damaged or rendered unserviceable by one or more of the following: (1) improper or inadequate maintenance by anyone other than Check Point or Check Points authorized agents, (2) software or interfacing supplied by anyone other than Check Point, (3) modifications, alterations or additions to the Hardware Products by personnel not certified by Check Point or Check Points authorized agents to perform such acts, or other unauthorized repair, installation or opening or other causes beyond Check Point's control, (4) unreasonable refusal to agree with engineering change notice programs, (5) negligence by any person other than Check Point or Check Point's authorized agents, (6) misuse, abuse, accident, electrical irregularity, theft, vandalism, fire, water or other peril, (7) damage caused by containment and/or operation outside the environmental specifications for the Hardware Products, (8) alteration or connection of the Hardware Products to other systems, equipment or devices (other than those specifically approved by Check Point) without the prior approval of Check Point, or (9) any use that is inconsistent with the user manual supplied with the Hardware Product. The warranty period is not extended if Check Point repairs or replaces a warranted product or any parts. Check Point may change the availability of limited hardware warranties, at its discretion, but any changes will not be retroactive.
3. HARDWARE RETURN PROCEDURES
If a Hardware Product or one of its component parts does not function as warranted during the warranty period, and such nonconformance can be verified by Check Point, Check Point, at its election, will provide either return and replacement service or replacement with a refurbished part/unit for the Hardware Product under the type of warranty service Check Point designates for that Hardware Product. A defective Hardware Product or one of its component parts may only be returned to Check Point upon Check Points prior written approval. Any such approval shall reference an RMA number issued by an authorized Check Point service representative. To request an RMA number, you or your local Check Point Certified Solution Provider (“CCSP/CSP/ACSP”) must contact Check Points Technical Assistance Center (“TAC”) and open a Service Request. You should always register the Hardware Product in your Check Point User Center account. If you do not register the Hardware Product with Check Point, you may be required to present proof of purchase as evidence of your entitlement to warranty service. The Hardware Products identification number will be required for all RMA cases.
Transportation costs, if any, incurred in connection with the return of a defective Hardware Product to Check Point shall be borne by You. Any transportation costs incurred in connection with the redelivery of a repaired or replacement item to You by Check Point shall be borne by Check Point; provided, however, that if Check Point determines, in its sole discretion, that the allegedly defective item is not covered by the terms and conditions of the warranty or that a warranty claim is made after the warranty period, the cost of the repair by Check Point, including all shipping expenses, shall be reimbursed by You.
4. HARDWARE REPLACEMENT PROCEDURES
Check Point will attempt to diagnose and resolve your problem over the phone or web. Upon determination of the hardware issue is related to a malfunction of one of the Hardware Product components, an RMA process will be initiated by Check Points TAC. Check Points TAC will either issue a replacement of the faulty part (like Power Supply, Fan, Hard Disk, etc.) or a full Unit Replacement.
For Warranty Replacement service, it is required that you deliver the faulty unit to a location Check Point designates, and provide courier name and tracking number to Check Points TAC. After the Faulty unit is returned to Check Point, Check Point will use commercially reasonable efforts to ship the replacement hardware within seven (7) business days. Actual delivery times may vary depending on Your location. Check Points TAC will send the required hardware to the Hardware Products physical location, as it appears in your User Center and as verified with You when opening the Support Service Request.
For Hardware Advanced Replacement, support options Standard, Standard Onsite, Premium, and Premium Onsite are available for customers who have purchased the Hardware Product support plan with Check Point. More information on the Check Point support programs is specified on Check Points website.
5. DEAD ON ARRIVAL (DOA)
If a defective Hardware Product covered under warranty fails to operate within thirty (30) days from its activation, but no more than one hundred and twenty (120) days from the date of Check Points shipment of the Hardware Product, Check Point will provide expedited replacement of a new unit within two (2) business days from Check Point fulfillment hub, following confirmation of any such failure. Customers outside of the fulfillment hub region should allow for additional transit time due to international customs clearance.
6. ADDITIONAL RESPONSIBILITIES
You agree:
6.1. Before Check Point or its partner exchanges a Hardware Product or part, to remove all features, parts, options, alterations, data and attachments not under warranty service and ensure that the Hardware Product is free of any legal obligations or restrictions that prevent its exchange.
6.2. To obtain authorization from the owner to have Check Point or its partner service a Hardware Product that you do not own.
6.3. Where applicable, before service is provided:
a. Follow the service request procedures that Check Point or its partner provides;
b. Backup and secure all programs and data in the Hardware Product;
c. Inform Check Point or its partner of changes in the Hardware Product physical location.
6.4. To provide Check Point or its partner with sufficient and safe access to your facilities to permit Check Point to fulfill its obligations.
6.5. To ship back the faulty Hardware Product (or replaceable unit) suitably packaged according to the guidelines as Check Point specified in the letter shipped with the RMA, to the Check Point designated location.
6.6. You shall ship the faulty Hardware Product once TAC approves the RMA and provide the courier name and tracking number to TAC before Check Point processes the RMA.
6.7. If you are a customer who has purchased the support plan with Check Point covering Advanced Replacement Service, You will ship the faulty Hardware Product within five (5) business days of the arrival of the RMA, or pay the standard Check Point list price of replacement Hardware Product.
6.8. To securely erase from any Hardware Product you return to Check Point for any reason all programs and data not provided by Check Point with the Hardware Product. You acknowledge that in order to perform its responsibilities under this Limited Hardware Warranty, Check Point may ship all or part of the Hardware Product or its software to third party locations around the world, and you authorize Check Point to do so.
7. LIMITATION OF LIABILITY
NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT OR OTHERWISE, NEITHER CHECK POINT NOR ITS SUPPLIERS WILL BE LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY, OR OTHER LEGAL OR EQUITABLE THEORY, REGARDLESS OF WHETHER CHECK POINT OR ITS SUPPLIERS WERE ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, FOR: (i) ANY PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST DATA OR LOST PROFITS; OR (ii) FOR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS, TECHNOLOGY OR SERVICES; OR (iii) FOR ANY CLAIMS BASED ON ANY ERROR, DEFECT OR NONCONFORMITY IN THE PRODUCTS OR SERVICE, FOR ANY AMOUNT IN EXCESS OF THE PRICE PAID TO CHECK POINT FOR SUCH DEFECTIVE PRODUCT(S) OR SERVICE; OR (IV) FOR ALL OTHER CLAIMS NOT RELATED TO AN ERROR, DEFECT OR NONCONFORMITY IN THE HARDWARE PRODUCTS, ANY AMOUNTS IN EXCESS IN THE AGGREGATE OF THE AMOUNT PAID TO CHECK POINT HEREUNDER DURING THE THREE (3) MONTHS PRECEDING THE DATE THE CAUSE OF ACTION AROSE.
8. GOVERNMENT REGULATION AND EXPORT CONTROL
8.1 In the course of receiving Limited Hardware Warranty services, You agree that you will not ship, transfer, or export the Hardware Product into any country, or make available or use the Hardware Product in any manner, prohibited by law.
8.2 The Hardware Product is subject to export control laws of the United States of America and/or other countries and/or may be subject to additional export control laws applicable to You or in your jurisdiction.
8.3 You understand and acknowledge that upon entry of the Hardware Product into the United States, it becomes subject to regulation by agencies of the U.S. government, including the U.S. Department of Commerce, which prohibit export or diversion of certain products and technology to certain countries. Any and all of Your obligations with respect to the Hardware Product shall be subject in all respects to such United States laws and regulations as shall from time to time govern the license and delivery of technology and products abroad by persons subject to the jurisdiction of the United States, including the Export Administration Act of 1979, as amended, any successor legislation, and the Export Administration Regulations (“EAR”) issued by the Department of Commerce, International Trade Administration, and Bureau of Export Administration. You warrant that You will comply in all respects with the export and reexport restrictions applicable to the Hardware Product and will otherwise comply with the EAR or other United States laws and regulations in effect from time to time.
8.4 You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, North Korea, Iran, Syria, Lebanon or Sudan, or (ii) on the U.S Treasury Department list of Specially Designated Nationals or the U.S. Commerce Departments Table of Deny Orders.
THESE WARRANTIES GIVE YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE OR JURISDICTION TO JURISDICTION.
WARRANTY DISCLAIMER. EXCEPT AS STATED HEREIN, CHECK POINT MAKES NO WARRANTIES WITH RESPECT TO ANY HARDWARE PRODUCT, LICENSE OR SERVICE AND DISCLAIMS ALL STATUTORY OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING OR USAGE OF TRADE AND ANY WARRANTIES OF NONINFRINGEMENT. CHECK POINT DOES NOT WARRANT THAT THE CHECK POINT HARDWARE PRODUCT(S) WILL MEET ANY REQUIREMENTS OR THAT THE OPERATION OF CHECK POINT HARDWARE PRODUCTS WILL BE UNINTERRUPTED OR ERROR FREE.
9. TECHNICAL SUPPORT CONTACT INFORMATION
You may contact Check Point technical support by web request at: URL:https://usercenter.checkpoint.com. For the United States, Canada, Latin America, European Union and Asia Pacific countries, to reach Check Point by phone, please refer to the technical support phone numbers listed at the above Check Point website for the number covering your region.

67
nodes/orchestration/package/Licenses-for-Third-Party-Components.txt Normal file
View File

@@ -0,0 +1,67 @@
Licenses for Third-Party Components
This section contains licensing information for third-party components that are used by Check Point's Nano agent. We are thankful to all individuals that have created these third-party components.
1. Protobuf
Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
The source is available at https://github.com/protocolbuffers/protobuf
The License is available at https://github.com/protocolbuffers/protobuf/blob/master/LICENSE
2. Nginx
nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server.
The source is available at https://trac.nginx.org/nginx/browser
The License is available at http://nginx.org/LICENSE
3. BusyBox
BusyBox combines tiny versions of many common UNIX utilities into a single small executable.
It provides minimalist replacements for most of the utilities you usually find in bzip2, coreutils, dhcp, diffutils, e2fsprogs, file, findutils, gawk, grep, inetutils, less, modutils, net-tools, procps, sed, shadow, sysklogd, sysvinit, tar, util-linux, and vim.
The utilities in BusyBox often have fewer options than their full-featured cousins, however, the options that are included provide the expected functionality and behave very much like their larger counterparts.
The source is available at https://github.com/mirror/busybox
The License is available at https://github.com/mirror/busybox/blob/master/LICENSE
4. boost
The Boost project provides free peer-reviewed portable C++ source libraries.
The source is available at https://github.com/boostorg/boost
The License is available at https://github.com/boostorg/boost/blob/master/LICENSE_1_0.txt
5. cereal
cereal is a header-only C++11 serialization library.
cereal takes arbitrary data types and reversibly turns them into different representations, such as compact binary encodings, XML, or JSON.
cereal was designed to be fast, light-weight, and easy to extend - it has no external dependencies and can be easily bundled with other code or used standalone.
The source is available at https://github.com/USCiLab/cereal
The License is available at https://github.com/USCiLab/cereal/blob/master/LICENSE
6. picojson
PicoJSON is a tiny JSON parser / serializer for C++.
The source is available at https://github.com/kazuho/picojson
The License is available at https://github.com/kazuho/picojson/blob/master/LICENSE
7. openssl
OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol.
The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone.
The source is available at https://github.com/openssl/openssl
The License is available at https://github.com/openssl/openssl/blob/master/LICENSE.txt
8. yajl
A fast streaming JSON parsing library in C.
The source is available at https://github.com/lloyd/yajl
The License is available at https://github.com/lloyd/yajl/blob/master/COPYING
9. RapidJSON
A fast JSON parser/generator for C++ with both SAX/DOM style API.
The source is available at https://github.com/Tencent/rapidjson
The License is available at https://github.com/Tencent/rapidjson/blob/master/license.txt
10. zlib
A massively spiffy yet delicately unobtrusive compression library.
The source is available at https://github.com/madler/zlib
The License is available at https://zlib.net/zlib_license.html
11. libxml2
Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of the Gnome platform), it is free software available under the MIT License.
The source is available at https://github.com/GNOME/libxml2
The License is available at https://github.com/GNOME/libxml2/blob/master/Copyright
12. pcre2
The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. PCRE has its own native API, as well as a set of wrapper functions that correspond to the POSIX regular expression API.
The source is available at https://github.com/luvit/pcre2
The License is available at https://github.com/luvit/pcre2/blob/master/LICENCE

121
nodes/orchestration/package/certificate/ngen.body.crt Normal file
View File

@@ -0,0 +1,121 @@
-----BEGIN CERTIFICATE-----
MIIHXTCCBkWgAwIBAgIIfjpIlpPDN2gwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTkwMTA4MDk0ODI1WhcN
MjAwMTA4MDk0ODI1WjBJMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQxJDAiBgNVBAMMGyouY2xvdWQubmdlbi5jaGVja3BvaW50LmNvbTCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBALZAsb+mdxHyGA1vlY70i8X3jANd08bC
yRQeZGpYn9ZyP4hCwOMlT+cPZ79w35wZSCzRfS6GjjJh1PhKMcEb9Z7m/y8HjfjP
eMJ2Xo4XTnVwsn8ANnECDTLSIhh24ss6OT+k5aGrrY87EdOhzmjnJCTKR0Ve/B6l
oQhryfX5GYqnJgfe0v9F47qV7+S67ho7VQl2X93goToxcPAW3jzzN1pUlxgg62+g
O6BStfwmpkQ+lfjQg5r3BZl9UE0fYmXLWuTMHgMD87DaS/+lXvW3qc3WztBzBZ+j
LJVx69CvVD19tbp9qTFoDCT8KX7cpDRKOPjiiW9nP/WghXFAuQjjE25RPhTEcOtm
fu7nu+2elOix1IEVR7YXQ30kM4/SrINSnirnUH2vsF7X5rEGtldFQjF/RjINL66F
9dbtp4Uh3jy8DJubY9Fdjazzj5Si3Z3y7nD0M78Nn/Pq0xAWLldd/Er0nrqkbEYq
dXLLAcueytmBLb1xw8algSa00szuLsA/TZyWOUXWiLNSN7ytMg6uoxt44w9n0t0v
5NR2l1ziHa+ZC49dy8DxGpZAmQRWReKweRV5IWBvf7kkqR+tndp5je1C2ku6gbkT
T27LLO0jIdQLs36AWIyD50dmeVu9uvWGyA1DzJYuTSdGIA0oOFEeEIr7WiCYRLX3
1Dwz8FBC9C1hAgMBAAGjggLbMIIC1zAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwNwYDVR0fBDAwLjAs
oCqgKIYmaHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTkwNC5jcmwwXQYD
VR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2Vy
dGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2Bggr
BgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29t
LzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9y
ZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPw
tCyAzjBBBgNVHREEOjA4ghsqLmNsb3VkLm5nZW4uY2hlY2twb2ludC5jb22CGWNs
b3VkLm5nZW4uY2hlY2twb2ludC5jb20wHQYDVR0OBBYEFGNTtMEhdEXLHtw9Kaw+
C0Fo20KFMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUApLkJkLQYWBSHuxOizGdw
Cjw1mAT5G9+443fNDsgN3BAAAAFoLN0BGgAABAMARjBEAiB6yRysgF7DRfulmcbp
B+sS5bkKYcfiki6qiWBo2n/sKwIgZqicIn2jvaobhAOWby936BBkpsVMsSzGd+Fk
+gbGA2EAdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWgs3Qdu
AAAEAwBHMEUCIHj+f08tJIg58VfpFFO/5luQgCwbPGCb3IAmMSpUh2MMAiEAlKLm
5NJKnoMA98/lLovDZoTzM0UnJ1rtTxpQSQyibk4wDQYJKoZIhvcNAQELBQADggEB
ADgDAwlWhfZJdw55Uo7g+3iBZf1kjTq+w+vLcyWSDRCe8Z+CiHuLqb0b8WiUli+3
HiuGEN9n5/1lyRKa2b4eqDlKsOO72Xbsg7BIhI5Ak9LV2Rw8glH0xE2tuHQVugoe
HTj1uzEZ48biLjx7UxvN+YIHN4LR2+wNLQCGmBO80ktsu7GNwQlqlsQA2a+vNW3/
XLtI/mTsXEHTh7hR/+DBYEhLD+m9ECkA7Qhp2YIndtiG6g0Rph3sy2CZsNlADqGz
FUUbjp6gpkUXSL7BJahXcHzh9mbs+JlozoPJjtKqRnd9e9v9sRTXLFGpLXnbW1UK
smdgGGC64EtwtSX3oK19zYM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
rw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----

14
nodes/orchestration/package/certificate/public-keys/cloud-ngen.pem Executable file
View File

@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtkCxv6Z3EfIYDW+VjvSL
xfeMA13TxsLJFB5kalif1nI/iELA4yVP5w9nv3DfnBlILNF9LoaOMmHU+EoxwRv1
nub/LweN+M94wnZejhdOdXCyfwA2cQINMtIiGHbiyzo5P6TloautjzsR06HOaOck
JMpHRV78HqWhCGvJ9fkZiqcmB97S/0XjupXv5LruGjtVCXZf3eChOjFw8BbePPM3
WlSXGCDrb6A7oFK1/CamRD6V+NCDmvcFmX1QTR9iZcta5MweAwPzsNpL/6Ve9bep
zdbO0HMFn6MslXHr0K9UPX21un2pMWgMJPwpftykNEo4+OKJb2c/9aCFcUC5COMT
blE+FMRw62Z+7ue77Z6U6LHUgRVHthdDfSQzj9Ksg1KeKudQfa+wXtfmsQa2V0VC
MX9GMg0vroX11u2nhSHePLwMm5tj0V2NrPOPlKLdnfLucPQzvw2f8+rTEBYuV138
SvSeuqRsRip1cssBy57K2YEtvXHDxqWBJrTSzO4uwD9NnJY5RdaIs1I3vK0yDq6j
G3jjD2fS3S/k1HaXXOIdr5kLj13LwPEalkCZBFZF4rB5FXkhYG9/uSSpH62d2nmN
7ULaS7qBuRNPbsss7SMh1AuzfoBYjIPnR2Z5W7269YbIDUPMli5NJ0YgDSg4UR4Q
ivtaIJhEtffUPDPwUEL0LWECAwEAAQ==
-----END PUBLIC KEY-----

9
nodes/orchestration/package/certificate/public-keys/dev-i2.pem Executable file
View File

@@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ei7YM3QYv7bHKIZxhFv
b3iu5n6n7q1Z+3c9SP7idAiPbphjf0ksatfNtV2sB6/wkbIeCVnEJMOqE7Axybsc
9zRrjrj3cov6kM77gNIhEwwZSJ9rA/K9RA+vekv2nBMH25B6YIN8a0cPm4gGkFiM
joBZeINrl+EbVUkZhyU2EOMI6EPCfgAfv7wLLk/7gFEQKK1QzLxO6TDrPTqAFjup
B42rW7hAG9m9XvSiRw8u6u+mC9fFtgsYaTdD03qoPTrTRzDOPRKlkYP2luIIzn3d
lgtGdd0EfnclexJPMXPxjgi7UdN5ChkJzToYpiD1mUkIt/oenPGDO4185GkZnvhA
GQIDAQAB
-----END PUBLIC KEY-----

14
nodes/orchestration/package/certificate/public-keys/i2.pem Executable file
View File

@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9Z5tJ8zT/LJ4r+fHyxL1
r+aNWcgRxqRa4fMj4s71X5qRTivU80ROyViEmt19/kF2+xY4/VEqYMoOeIDpET2a
tjFRQfZ8M8Vi+55CVvcDJ+7q9f6SRvrBPkv3GIY/fUUUGjPsjgQgiJTOZKHL59Zz
NkXo89I0TTHK87YDtuJl4f5EELwQaBxxoB2tsRsWTmt+BjkWs503SMHCXO/XOgKW
KDDkTfenEIvt9zq/JJIAV8VP8Vw2zczWtcBflmo638hlgvubMvGXAPi5hw5i4H4E
u/SKtNFGr4ReuFRd4aIRYe1/rakzeIp9vQmjuRsgiHyhfZ4o1Dimb4IxH9MEYQbg
/wqO/rBhIA767dQXgF2Blv4xp4WOVoszQkTR0PBSkgXolnROeVM36uGmZvOsg7pO
g4Dw5eixQi0nR97omgvHIPFBp8vf+UDeOVad5YzFF/+YoBrzL4/2N5hNqCg6eH6S
GXCgYBT6nRbXYQIb4wNwkEaOn/eVnAeMvWxXAF+hLWHWFWaZDdwG5B3QrHYjMhqW
RmyGeosat+Hw7nX9K00O5eK69F1a1+BuTfk2L4DwgmjN06k1P7R21pqv3PMZ5VrD
AgtfXD4H1QndSvniampaCWB+XS37u6gsrRZ30X7NRgDu4guU+YQhZLm6bhbHdG8q
bQR0bk1i3u7lVgsG/V3mcMECAwEAAQ==
-----END PUBLIC KEY-----

14
nodes/orchestration/package/certificate/public-keys/public-key-general.pem Executable file
View File

@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtkCxv6Z3EfIYDW+VjvSL
xfeMA13TxsLJFB5kalif1nI/iELA4yVP5w9nv3DfnBlILNF9LoaOMmHU+EoxwRv1
nub/LweN+M94wnZejhdOdXCyfwA2cQINMtIiGHbiyzo5P6TloautjzsR06HOaOck
JMpHRV78HqWhCGvJ9fkZiqcmB97S/0XjupXv5LruGjtVCXZf3eChOjFw8BbePPM3
WlSXGCDrb6A7oFK1/CamRD6V+NCDmvcFmX1QTR9iZcta5MweAwPzsNpL/6Ve9bep
zdbO0HMFn6MslXHr0K9UPX21un2pMWgMJPwpftykNEo4+OKJb2c/9aCFcUC5COMT
blE+FMRw62Z+7ue77Z6U6LHUgRVHthdDfSQzj9Ksg1KeKudQfa+wXtfmsQa2V0VC
MX9GMg0vroX11u2nhSHePLwMm5tj0V2NrPOPlKLdnfLucPQzvw2f8+rTEBYuV138
SvSeuqRsRip1cssBy57K2YEtvXHDxqWBJrTSzO4uwD9NnJY5RdaIs1I3vK0yDq6j
G3jjD2fS3S/k1HaXXOIdr5kLj13LwPEalkCZBFZF4rB5FXkhYG9/uSSpH62d2nmN
7ULaS7qBuRNPbsss7SMh1AuzfoBYjIPnR2Z5W7269YbIDUPMli5NJ0YgDSg4UR4Q
ivtaIJhEtffUPDPwUEL0LWECAwEAAQ==
-----END PUBLIC KEY-----

14
nodes/orchestration/package/certificate/public-keys/stg-i2.pem Executable file
View File

@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6vDWZtY6rVnCUJTykmwa
srL4w/bB9CDuUcUHT6RrORTlH4qLCX8ofWQ5nMjyn305WnFX6EMz27f+IsAysVyM
ZN1lF1r+ZTrpdASS2nFt2AhX2xA/Svt+QHpgUdt7nxZlKKUnYHrrZ0H7T8P86SIw
SqfCGtc9rG2JGlsF39XlpN/msukzap0xbLqKec8C4lglOrbk+f767msXjgvBWxO3
toWgE+IxuFxqE/C73rFnvhORKJhTDAUavyudE4fgWDGyS7W7dTZPfTLC3rqKDXGG
CNFafxdB4Mcf5PXZDSSEQPCD9P51mpSivgtFKCNXKHUKFp2dfE0dPH5OVMbD7L2x
0Hh0RMsgQGzYpPcxpSbCFnvB/7teOkxZqv7Iuh+Ox3AF4dawlgtfaXwRGNUrolYH
iHKLGnBb9fYzAwYBStSjQT/Ujqam8C4QRs4Wl0MNBcANT9uceTGMbI4bRGJb3IJf
7yWmITbdAY/rF9srt3Ce80o1T+G1m2pWYdJTc78FthRtLKwHRNQXEWPiR1aOAeBo
hOHTu/2WXnWSQQRFy2J6+FxgBNeY5js90q47A6Ji5r7vHm7YWD9/LPAlbrU8kf6n
EdaJK8uQZkQ4nKx4JuZ7t28fNgolM+yn79s6E+XRaCNIKX2hDqBCiSTWBhpSf871
yuvzQqKr0v8VkvxgDr0G4K0CAwEAAQ==
-----END PUBLIC KEY-----

21
nodes/orchestration/package/configuration/cp-nano-orchestration-conf.json Executable file
View File

@@ -0,0 +1,21 @@
{
"Logging": {
"Log file name":[
{
"value": "nano_agent/cp-nano-orchestration.log"
}
],
"NanoService": [
{
"value": "Linux nano agent Orchestration service"
}
]
},
"message": {
"Connection timeout":[
{
"value": 10000000
}
]
}
}

11
nodes/orchestration/package/configuration/cp-nano-orchestration-debug-conf.json Executable file
View File

@@ -0,0 +1,11 @@
{
"Debug": [
{
"Streams": [
{
"Output": "nano_agent/cp-nano-orchestration.dbg"
}
]
}
]
}

4
nodes/orchestration/package/configuration/orchestration.cfg Executable file
View File

@@ -0,0 +1,4 @@
# override default flags if needed
# srv_debug_file=""
# srv_log_file=""
# execution_flags=""

256
nodes/orchestration/package/cp-agent-info.sh Executable file
View File

@@ -0,0 +1,256 @@
#!/bin/sh
FILESYSTEM_PATH="/etc/cp"
LOG_FILE_PATH="/var/log"
CP_INFO_DIR="/tmp/cp-agent-info-temp"
CP_UNSPLITED_DIR="/tmp/cp-agent-info-unsplited-temp"
SPLIT_FILE_SIZE="99M"
FILE_PREFIX=
SHORT_VERSION=false
VERBOSE=false
cp_print()
{
printf "%b\n" "$1"
}
listFilesToSave()
{
if [ "$SHORT_VERSION" = "true" ];then
ls -d -p "$1/*" | grep -v .gz | grep -v '/$'
ls -d "$1/*" | grep -E '\S*.[1|2].gz'
return
fi
echo "$1/."
}
checkNginx() {
IS_NGINX_EXISTS=false
if service nginx status | grep -q 'Loaded: loaded' ; then
IS_NGINX_EXISTS=true
fi
}
collectLogs() { # initials - cl
cp_print "---- Collecting log files ----"
cl_LOGS_DIR="$CP_INFO_DIR/logs"
cl_nginx_rpm_dir=${LOG_FILE_PATH}/nano_agent/rpmanager/nginx_log
cl_files_to_save=$(listFilesToSave ${LOG_FILE_PATH}/nano_agent)
mkdir -p "$cl_LOGS_DIR"/nano_agent && cp -r "$cl_files_to_save" "$cl_LOGS_DIR"/nano_agent
cp_print "Saving dmesg logs..."
dmesg >> "$cl_LOGS_DIR/dmesg.log" 2>&1
if [ "$WITH_DUMP" = "true" ]; then
cp_print "Saving crash logs..."
mkdir -p "$cl_LOGS_DIR"/crash && cp -r /var/crash/. "$cl_LOGS_DIR"/crash
fi
if [ "$IS_NGINX_EXISTS" = "true" ]; then
cp_print "Saving nginx logs..."
cl_files_to_save=$(listFilesToSave /var/log/nginx)
mkdir -p "$cl_LOGS_DIR"/nginx && cp -r "$cl_files_to_save" "$cl_LOGS_DIR"/nginx
fi
mkdir -p "$cl_LOGS_DIR"/nginx && cp -r $cl_nginx_rpm_dir/. "$cl_LOGS_DIR"/nginx 2>/dev/null
}
printTopProgress() { # Initials - ptp
ptp_frame_counter=1
ptp_curr_stat="$(stat "$SYSTEM_STATE_FILE")"
ptp_prev_stat="$ptp_curr_stat"
printf "Saving frame number %b out of 20" "$ptp_frame_counter"
while [ $ptp_frame_counter -le 20 ]
do
ptp_curr_stat="$(stat "$SYSTEM_STATE_FILE")"
if [ ! "$ptp_curr_stat" = "$ptp_prev_stat" ]; then
printf "\r\033[0KSaving frame number %b out of 20" "$ptp_frame_counter"
ptp_frame_counter=$((ptp_frame_counter+1))
ptp_prev_stat="$ptp_curr_stat"
fi
done
printf "\n"
}
collectSystemState() {
cp_print "---- Collecting system state ----"
SYSTEM_STATE_FILE="$CP_INFO_DIR/system_state.txt"
printTopProgress &
writeCommandTofile "top -b -n 20" "Saving processes resources status..."
writeCommandTofile "df -h" "Saving filesystem status..."
writeCommandTofile "ps -ef" "Saving running processes status..."
writeCommandTofile "netstat -an" "Saving network connections status..."
writeCommandTofile "ifconfig -a" "Saving network interfaces status..."
writeCommandTofile "cat /proc/cpuinfo" "Saving CPU status..."
writeCommandTofile "cat /proc/meminfo" "Saving memory status..."
writeCommandTofile "cpnano -s" "Saving cpnano status..."
writeCommandTofile "cpnano -pm" "Saving metrics information..."
if [ $IS_NGINX_EXISTS = true ]; then
writeCommandTofile "nginx -V" "Saving nginx details..."
fi
# Get all active interfaces have both an inet entry and a broadcast (brd) address
interfaces=$(ip addr show | awk '/inet.*brd/{print $NF}' | tr '\n' ' ')
for i in ${interfaces}; do
writeCommandTofile "ethtool $i" "Saving network interfaces details for interface $i..."
writeCommandTofile "ethtool -S $i"
done
}
writeCommandTofile() { # Initials - wctf
wctf_msg_to_user=$2
if [ -n "$wctf_msg_to_user" ]; then
cp_print "$wctf_msg_to_user"
fi
cp_print "\n******************************* Command: $1 *******************************\n" >> "$SYSTEM_STATE_FILE"
$1 >> "$SYSTEM_STATE_FILE" 2>&1
}
helpMenu() {
cp_print "Usage: cpnano <--cp-agent-info|-ai> [options]"
cp_print "Options:"
cp_print "-h, --help : This help text."
cp_print "-o, --output : Output file path."
cp_print "-wd, --with_dump : Collect dump files."
cp_print "-sd, --split_dir : Target directory for compressed files with $SPLIT_FILE_SIZE maximum size each."
cp_print "-fms, --file_max_size : Maximum size for each splited file in kb"
cp_print "-an, --additional_name : Additional string for output file name"
cp_print "-sh, --short : Save only the most necessary files"
cp_print "-v, --verbose : Use verbose mode"
}
get_setting() # Initials - gs
{
gs_service_name="$1"
gs_setting_name="$2"
gs_service_settings="$(run_display_settings "$gs_service_name")"
gs_setting_value=$(extract_json_field_value "$gs_service_settings" "$gs_setting_name")
echo "$gs_setting_value"
}
. "/etc/environment"
if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
if [ -n "${CP_ENV_LOG_FILE}" ] ; then
LOG_FILE_PATH=$CP_ENV_LOG_FILE
fi
IS_SMB=0
if [ -f /pfrm2.0/bin/cposd ]; then
IS_SMB=1
SPLIT_FILE_SIZE="99m"
mkdir -p /storage/tmp
CP_INFO_DIR="/storage/tmp/cp-agent-info-temp"
CP_UNSPLITED_DIR="/storage/tmp/cp-agent-info-unsplited-temp"
fi
SPLIT_DIR=""
WITH_DUMP=false
set -- ${cp_nano_info_args}
while true
do
if [ "$1" = "--with_dump" ] || [ "$1" = "-wd" ]; then
WITH_DUMP=true
elif [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
helpMenu
exit 0
elif [ "$1" = "--split_dir" ] || [ "$1" = "-sd" ]; then
shift
SPLIT_DIR=$1
elif [ "$1" = "--file_max_size" ] || [ "$1" = "-fms" ]; then
shift
SPLIT_FILE_SIZE="$1k"
elif [ "$1" = "--additional_name" ] || [ "$1" = "-an" ]; then
shift
FILE_PREFIX="-$1"
elif [ "$1" = "--short" ] || [ "$1" = "-sh" ]; then
SHORT_VERSION=true
elif [ "$1" = "--verbose" ] || [ "$1" = "-v" ]; then
VERBOSE=true
elif [ -z "$1" ]; then
break
else
helpMenu
exit 1
fi
shift
done
cp_print "---- Starting to collect Check Point Nano Agent data ----"
mkdir -p "$CP_INFO_DIR"
mkdir -p "$CP_UNSPLITED_DIR"
checkNginx
collectLogs
collectSystemState
curl_cmd=curl
if cat /etc/*release | grep -q "Gaia"; then
curl_cmd=curl_cli
fi
cp_print "---- Compressing cp-agent-info ----"
CURRENT_TIME=$(date "+%Y.%m.%d-%H.%M.%S")
agent_id=
orch_status=$(${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1)
if echo "$orch_status" | grep -q "update status" ; then
orch_status=$(cat ${FILESYSTEM_PATH}/conf/orchestrations_status.json)
fi
if [ -n "${orch_status}" ]; then
agent_id=$(printf "%b\n" "$orch_status" | grep "Agent ID" | cut -d '"' -f4)
fi
AGENT_INFO_FILE_NAME=cp-nano-info-$agent_id-$CURRENT_TIME$FILE_PREFIX.tar.gz
if [ "$IS_SMB" != "1" ]; then
CP_INFO_PATH=/tmp/$AGENT_INFO_FILE_NAME
else
CP_INFO_PATH=/storage/tmp/$AGENT_INFO_FILE_NAME
fi
TAR_FAILED=false
conf_to_save=${FILESYSTEM_PATH}/conf
inner_conf_file_to_save=""
if [ "$SHORT_VERSION" = "true" ];then
conf_to_save="$(ls -d ${FILESYSTEM_PATH}/conf/* | grep -E '\.json|\.policy')"
inner_conf_file_to_save="$(ls -d ${FILESYSTEM_PATH}/conf/*/* | grep -E '\.json|\.policy|\.conf')"
fi
cp_print "Compressing and saving the next files and directories:\n $CP_INFO_DIR\n ${FILESYSTEM_PATH}/conf\n ${FILESYSTEM_PATH}/watchdog"
verbose_tar=""
if [ "$VERBOSE" = "true" ];then
verbose_tar="v"
fi
if [ -n "${SPLIT_DIR}" ]; then
mkdir -p "$SPLIT_DIR"
unsplited_tar="${CP_UNSPLITED_DIR}/agent-info.tar.gz"
if [ "$IS_SMB" != "1" ]; then
TAR_EXTRA_PARAMS="-P"
else
TAR_EXTRA_PARAMS=""
fi
cmd="tar ${verbose_tar}czf ${unsplited_tar} ${TAR_EXTRA_PARAMS} ${CP_INFO_DIR} ${conf_to_save} ${inner_conf_file_to_save} ${FILESYSTEM_PATH}/watchdog"
if ! ${cmd}; then
TAR_FAILED=true
else
split -b "$SPLIT_FILE_SIZE" "$unsplited_tar" "$SPLIT_DIR/$AGENT_INFO_FILE_NAME."
cat "$SPLIT_DIR"/* > "$CP_INFO_PATH"
fi
else
cmd="tar -${verbose_tar}zcf ${CP_INFO_PATH} ${TAR_EXTRA_PARAMS} ${CP_INFO_DIR} ${conf_to_save} ${inner_conf_file_to_save} ${FILESYSTEM_PATH}/watchdog"
if ! ${cmd}; then
TAR_FAILED=true
fi
fi
rm -rf "$CP_INFO_DIR"
rm -rf "$CP_UNSPLITED_DIR"
if [ $TAR_FAILED = true ]; then
echo "Failed to create $CP_INFO_PATH"
exit 1
fi
cp_print "cp-agent-info was successfully created in $CP_INFO_PATH"
# tar generation completed successfully - returning to cp-nano-cli.sh

172
nodes/orchestration/package/cp-agent-uninstall.sh Executable file
View File

@@ -0,0 +1,172 @@
#!/bin/sh
FILESYSTEM_PATH="/etc/cp"
LOG_FILE_PATH="/var/log"
USR_LIB_PATH="/usr/lib"
USR_SBIN_PATH="/usr/sbin"
INIT_D_PATH="/etc/init.d"
PACKAGES_DIR_PATH="packages"
ORCHESTRATION_NAME="orchestration"
LOG_PATH="nano_agent"
DEFAULT_EVENT_BUFFER_PATH="event_buffer"
CP_NANO_CTL="cpnano"
FORCE_STDOUT=true
CP_NANO_CTL_DEPRECATED="cp-ctl"
UNINSTALLATION_LOG_FILE="cp-nano-agent-uninstall.log"
var_arch="x86"
var_arch_flag=
var_gaia_release=1
var_mds_release=1
get_basename()
{
if command -v basename &>/dev/null; then
echo $(basename $1)
else
echo $(echo $1 | rev | cut -d / -f 1 | rev)
fi
}
load_paths()
{
[ -f /etc/environment ] && . "/etc/environment"
if [ -n "${CP_ENV_FILESYSTEM}" ]; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
if [ -n "${CP_ENV_LOG_FILE}" ]; then
LOG_FILE_PATH=$CP_ENV_LOG_FILE
fi
if [ -n "${CP_USR_LIB_PATH}" ]; then
USR_LIB_PATH=$CP_USR_LIB_PATH
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CP_USR_LIB_PATH/cpnano
fi
if [ -n "${CP_USR_SBIN_PATH}" ]; then
USR_SBIN_PATH=$CP_USR_SBIN_PATH
export PATH=$PATH:$CP_USR_SBIN_PATH
fi
if [ -n "${CP_INIT_D_PATH}" ]; then
INIT_D_PATH=$CP_INIT_D_PATH
fi
}
load_paths
cp_print()
{
if [ -n "$2" ] && [ "$2" = "true" ]; then
printf "%b" "$1"
fi
time_stamp=$(date)
printf "%b" "$1 [$time_stamp]" >>${LOG_FILE_PATH}/${LOG_PATH}/${UNINSTALLATION_LOG_FILE}
}
# Prerequisites for uninstallation
cur_uid=$(id -u)
if [ $cur_uid -ne 0 ]; then
cp_print "Error, cp-nano-agent service uninstallation requires root permissions, please re-run as root" ${FORCE_STDOUT}
exit 1
fi
ls -l /etc/ | grep release > /dev/null 2>&1
retval=$?
if [ $retval -eq 0 ]; then
cat /etc/*release | grep -q "Gaia"
var_gaia_release=$?
cat /etc/*release | grep -q "Multi-Domain Security Management"
var_mds_release=$?
fi
if [ $var_gaia_release -eq 0 ] || [ $var_mds_release -eq 0 ]; then
var_arch="gaia"
var_arch_flag="--gaia"
fi
cp_exec()
{
var_cmd=$1
var_std_out=$2
# Send exec output to RES
RES=$($var_cmd 2>&1)
if ! [ -z "$RES" ]; then
cp_print "$RES" $var_std_out
fi
}
uninstall_services()
{
for service in "${FILESYSTEM_PATH}/$PACKAGES_DIR_PATH"/*; do
SERVICE_NAME=$(get_basename $service)
UNINSTALL_FILE="$service/$SERVICE_NAME"
if [ "$SERVICE_NAME" = "${ORCHESTRATION_NAME}" ]; then
continue
fi
if [ ! -f "$UNINSTALL_FILE" ]; then
cp_print "Uninstall file for service $service does not exist. File: $UNINSTALL_FILE"
else
cp_print "Uninstalling $SERVICE_NAME" ${FORCE_STDOUT}
chmod +x "$UNINSTALL_FILE"
"$UNINSTALL_FILE" --uninstall
fi
done
}
remove_event_buffer()
{
cp_print "Removing event buffer directory.."
if [ -d ${LOG_FILE_PATH}/${LOG_PATH}/$DEFAULT_EVENT_BUFFER_PATH ]; then
cp_exec "rm -rf ${LOG_FILE_PATH}/${LOG_PATH}/$DEFAULT_EVENT_BUFFER_PATH"
else
cp_print "Event buffer directory was not found"
fi
}
is_smb=0
if [ -f /pfrm2.0/bin/cposd ]; then
is_smb=1
fi
INSTALLATION_TIME=$(date)
cp_print "Uninstalling Check Point Nano Agent [$INSTALLATION_TIME]" ${FORCE_STDOUT}
uninstall_services
${FILESYSTEM_PATH}/watchdog/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${ORCHESTRATION_NAME}/cp-nano-orchestration $var_arch_flag
init_type="$INIT_D_PATH/nano_agent.init"
if [ $var_arch = "gaia" ]; then
cp_exec "rm -f ${FWDIR}/bin/curl"
cp_exec "rm -f ${CPDIR}/bin/openssl"
dbset process:cp-nano-watchdog
dbset process:cp-nano-watchdog:path
dbset process:cp-nano-watchdog:arg:1
dbset process:cp-nano-watchdog:runlevel
dbset :save
tellpm cp-nano-watchdog
chkconfig --del $INIT_D_PATH/access_pre_init
elif [ -f "$init_type" ]; then
cp_exec "$init_type stop"
cp_exec "rm -f $init_type"
else
cp_exec "service nano_agent stop"
cp_exec "rm -f /etc/systemd/system/nano_agent.service"
cp_exec "rm /sys/fs/cgroup/pids/system.slice/nano_agent.service"
cp_exec "rm /sys/fs/cgroup/devices/system.slice/nano_agent.service"
cp_exec "rm /etc/systemd/system/multi-user.target.wants/nano_agent.service"
fi
cp_exec "rm -rf ${FILESYSTEM_PATH}"
cp_exec "rm -f $USR_SBIN_PATH/cp_nano_agent_status"
cp_exec "rm -rf $USR_LIB_PATH/cpnano"
cp_exec "rm -f $USR_SBIN_PATH/cp-nano-agent-ctl"
cp_exec "rm -f $USR_SBIN_PATH/${CP_NANO_CTL}"
cp_exec "rm -f $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED}"
if [ "$is_smb" = "1" ]; then
cp_print "Removing SMB specific dirs..."
cp_exec "rm -rf /storage/nano_agent/"
cp_exec "rm -rf /var/log/nano_agent/"
cp_exec "rm -f /pfrm2.0/etc/nano-egg-args"
cp_print "Done."
fi
remove_event_buffer
exit 0

1594
nodes/orchestration/package/cp-nano-cli.sh Executable file
View File

File diff suppressed because it is too large Load Diff

30
nodes/orchestration/package/cp-nano-package-list Normal file
View File

@@ -0,0 +1,30 @@
# If you wish to add a package to the cp-nano-cli.sh shell script,
# just add a variable at the end of the file in the following format
# <variable_name>="<packageName(directory name under /etc/cp/)> <default_port(optional)> <Formatted-Name(optioanl)>"
# ** Please do not change the starting line of the variables (6th)
orchestration="orchestration 7777"
access_control="accessControl 8000"
http_manager="httpManager 8888"
iot_enforce="iot 6981 IoT_Enforce"
iot_gw_sensor="iot 9090 IoT_GW_Sensor"
iot_snmp="iot 8090 IoT_SNMP"
iot_netflows="iot 8092 IoT_Netflows"
iot_dns="iot 8094 IoT_DNS"
iot_cisco_ise="iot 8096 IoT_Cisco_ISE"
iot_ms_dhcp="iot 9192 IoT_MS_DHCP"
iot_unix_dhcp="iot 9096 IoT_Unix_DHCP"
iot_syslog_dhcp="iot 9094 IoT_Syslog_DHCP"
iot_infoblox_dhcp="iot 9098 IoT_Infoblox_DHCP"
attachment_registrator="attachmentRegistrator 8124"
reverse_proxy_manager="rpmanager 8898"
http_transaction_handler="HttpTransactionHandler"
workload_protection="workloadProtection 1337"
dedicated_network_handler="dedicatedNetworkHandler 8901"
agent_intelligence_service="agentIntelligence 9000"
messaging_proxy="messagingProxy 8164"
sdwan="sdwan 1204 SD-WAN"
sdwan_logger="sdwanLogger 2204 SD-WAN_Logger"
cpview_metric_provider="cpviewMetricProvider 8282"
hello_world="hello_world"
# ** Please do not remove this comment - newline at end of file required.

6
nodes/orchestration/package/cpnano_debug/CMakeLists.txt Executable file
View File

@@ -0,0 +1,6 @@
include_directories(${PROJECT_SOURCE_DIR}/attachments/kernel_modules/core/include/common_is)
add_executable(cpnano_debug cpnano_debug.cc)
install(TARGETS cpnano_debug DESTINATION bin)
install(TARGETS cpnano_debug DESTINATION orchestration)

1465
nodes/orchestration/package/cpnano_debug/cpnano_debug.cc Executable file
View File

File diff suppressed because it is too large Load Diff

4
nodes/orchestration/package/cpnano_json/CMakeLists.txt Executable file
View File

@@ -0,0 +1,4 @@
add_executable(cpnano_json cpnano_json.cc)
install(PROGRAMS $<TARGET_FILE:cpnano_json> DESTINATION bin/)
install(PROGRAMS $<TARGET_FILE:cpnano_json> DESTINATION orchestration/)

35
nodes/orchestration/package/cpnano_json/cpnano_json.cc Executable file
View File

@@ -0,0 +1,35 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "picojson.h"
using namespace std;
int
main(int argc, char **argv)
{
if (argc == 2 && (string(argv[1]) == "-h" || string(argv[1]) == "--help")) {
cout << "Use standard input to send the JSON string. "
"Prettified JSON will be sent to the standard output" << endl;
return 1;
}
picojson::value json;
cin >> json;
string maybe_err = picojson::get_last_error();
if (!maybe_err.empty()) {
cerr << maybe_err << endl;
return 1;
}
cout << json.serialize(true, false) << endl;
return 0;
}

79
nodes/orchestration/package/k8s-check-update-listener.sh Normal file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
TOKEN=$(cat ${SERVICEACCOUNT}/token)
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
CACERT=${SERVICEACCOUNT}/ca.crt
PID_LIST_BACKUP_PATH=/etc/cp/orchestration/hybrid-check-update.pid
UPON_UPDATE=/etc/cp/orchestration/k8s-check-update-trigger.sh
ingress_pid=uninitialized
practice_pid=uninitialized
trigger_pid=uninitialized
web_user_respond_pid=uninitialized
exception_pid=uninitialized
policy_pid=uninitialized
function runGetResourceListener()
{
if [ "$1" = "ingress" ]; then
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/networking.k8s.io/v1/ingresses?watch=1 | ${UPON_UPDATE} &
else
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/openappsec.io/v1beta1/${1}?watch=1 | ${UPON_UPDATE} &
fi
}
function saveRuningPids()
{
echo -e "${ingress_pid}\n${practice_pid}\n${trigger_pid}\n${web_user_respond_pid}\n${exception_pid}\n${policy_pid}\n" > ${PID_LIST_BACKUP_PATH}
}
for pid in $(cat ${PID_LIST_BACKUP_PATH}) ; do
if [ -f /proc/${pid}/cmdline ] && [ -n "$(cat /proc/${pid}/cmdline | grep curl)" ] && [ -n "$(cat /proc/${pid}/cmdline | grep kubernetes | grep watch)" ]; then
kill -9 ${pid}
fi
done
while true; do
var_is_hybrid_mode="$(cat /etc/cp/conf/agent_details.json | grep "Orchestration mode" | grep "hybrid_mode")"
var_is_openappsec="$(cat /etc/cp/conf/agent_details.json | grep "Tenant ID" | grep "org_")"
if [ -z "${var_is_hybrid_mode}" ] && [ -z "${var_is_openappsec}" ]; then
sleep 5
continue
fi
if [ ! -d /proc/${ingress_pid} ]; then
runGetResourceListener ingress
ingress_pid=$!
saveRuningPids
fi
if [ ! -d /proc/${practice_pid} ]; then
runGetResourceListener practices
practice_pid=$!
saveRuningPids
fi
if [ ! -d /proc/${trigger_pid} ]; then
runGetResourceListener logtriggers
trigger_pid=$!
saveRuningPids
fi
if [ ! -d /proc/${web_user_respond_pid} ]; then
runGetResourceListener customresponses
web_user_respond_pid=$!
saveRuningPids
fi
if [ ! -d /proc/${exception_pid} ]; then
runGetResourceListener exceptions
exception_pid=$!
saveRuningPids
fi
if [ ! -d /proc/${exception_pid} ]; then
runGetResourceListener policies
policy_pid=$!
saveRuningPids
fi
sleep 5
done

6
nodes/orchestration/package/k8s-check-update-trigger.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
while read line;
do
date > /etc/cp/conf/k8s-policy-check.trigger
done

1053
nodes/orchestration/package/orchestration_package.sh Executable file
View File

File diff suppressed because it is too large Load Diff

96
nodes/orchestration/package/service/arm32_openwrt/nano_agent.init Executable file
View File

@@ -0,0 +1,96 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: nano_agent
# Required-Start: $local_fs $network $named $time $syslog
# Required-Stop: $local_fs $network $named $time $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Check Point Linux Nano Agent
### END INIT INFO
FILESYSTEM_PATH="/etc/cp"
LOG_FILE_PATH="/var/log"
if [ -n "${CP_ENV_FILESYSTEM}" ]; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
if [ -n "${CP_ENV_LOG_FILE}" ]; then
LOG_FILE_PATH=$CP_ENV_FILESYSTEM
fi
START=99
SCRIPT="$FILESYSTEM_PATH/watchdog/cp-nano-watchdog --arm32_openwrt"
PIDFILE=/var/run/nano_agent.pid
LOGFILE=$LOG_FILE_PATH/nano_agent.log
SERVICE_NAME=nano_agent
start()
{
if [ -f $PIDFILE ] && [ -s $PIDFILE ] && kill -0 $(cat $PIDFILE); then
echo 'Service already running' >&2
return 1
fi
echo "Starting service ${SERVICE_NAME}" >&2
$SCRIPT >$LOGFILE 2>&1 &
echo $! >$PIDFILE
sleep 2
PID=$(cat $PIDFILE)
if [ "$(ps w | grep $SERVICE_NAME | head -n-1)" != "" ]; then
echo "${SERVICE_NAME} is now running, the PID is $PID"
else
echo ''
echo "Error! Could not start $SERVICE_NAME!"
fi
}
stop()
{
if [ ! -f "$PIDFILE" ] || ! kill -0 $(cat "$PIDFILE"); then
echo 'Service not running' >&2
return 1
fi
echo "Stopping service ${SERVICE_NAME}" >&2
kill -15 $(cat "$PIDFILE") && rm -f "$PIDFILE"
echo 'Service stopped' >&2
}
status()
{
printf "%-50s" "Checking $SERVICE_NAME"
if [ -f $PIDFILE ] && [ -s $PIDFILE ]; then
PID=$(cat $PIDFILE)
if [ -z "$(ps axf | grep ${PID} | grep -v grep)" ]; then
printf "%s\n" "The process appears to be dead but pidfile still exists"
else
echo "Running, the PID is $PID"
fi
else
printf "%s\n" "Service not running"
fi
}
boot()
{
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
;;
esac

101
nodes/orchestration/package/service/smb/nano_agent.init Executable file
View File

@@ -0,0 +1,101 @@
### BEGIN INIT INFO
# Provides: nano_agent
# Required-Start: $local_fs $network $named $time $syslog
# Required-Stop: $local_fs $network $named $time $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Check Point Linux Nano Agent
### END INIT INFO
START=99
SCRIPT_NAME="cp-nano-watchdog"
SCRIPT="/etc/cp/watchdog/${SCRIPT_NAME} --smb"
PIDFILE=/var/run/nano_agent.pid
LOGFILE=/var/log/nano_agent.log
SERVICE_NAME=nano_agent
if [ ! -d /etc/cp ]; then
ln -sf /storage/nano_agent/etc/cp /etc/cp
fi
if [ ! -d /usr/lib/cpnano ]; then
ln -sf /storage/nano_agent/usr/lib/cpnano /usr/lib/cpnano
fi
if [ ! -f /usr/sbin/cpnano ]; then
ln -sf /etc/cp/scripts/cp-nano-agent-ctl.sh /usr/sbin/cpnano
fi
if [ ! -f /pfrm2.0/bin/nano_pidof ]; then
cat << EOF > /pfrm2.0/bin/nano_pidof
#!/bin/sh
pidof \`basename "\$1"\`
EOF
chmod +rx /pfrm2.0/bin/nano_pidof
fi
mkdir -p /var/log/nano_agent
mkdir -p /storage/tmp
start() {
if [ -f $PIDFILE ] && [ -s $PIDFILE ] && kill -0 $(cat $PIDFILE); then
echo 'Service already running' >&2
return 1
fi
echo 'Starting service ' $SERVICE_NAME >&2
$SCRIPT > /dev/null 2>&1 &
echo $! > $PIDFILE
sleep 2
PID=$(cat $PIDFILE)
if [ -d "/proc/${PID}" ]; then
echo "$SERVICE_NAME is now running, the PID is $PID"
else
echo ''
echo "Error! Could not start $SERVICE_NAME!"
fi
}
stop() {
if [ ! -f "$PIDFILE" ] || ! kill -0 $(cat "$PIDFILE"); then
echo 'Service not running' >&2
return 1
fi
echo 'Stopping service $SERVICE_NAME' >&2
kill -15 $(cat "$PIDFILE") && rm -f "$PIDFILE"
echo 'Service stopped' >&2
}
status() {
printf "%-50s" "Checking $SERVICE_NAME"
if [ -f $PIDFILE ] && [ -s $PIDFILE ]; then
PID=$(cat $PIDFILE)
if [ -z "$(ps axf | grep ${PID} | grep -v grep)" ]; then
printf "%s\n" "The process appears to be dead but pidfile still exists"
else
echo "Running, the PID is $PID"
fi
else
printf "%s\n" "Service not running"
fi
}
boot() {
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
esac

8
nodes/orchestration/package/service/x86/ubuntu14/nano_agent.conf Executable file
View File

@@ -0,0 +1,8 @@
description "CP_Nano_Linux_Agent"
author "NGEN team, Check Point Technologies LTD."
start on filesystem
respawn
exec /etc/cp/watchdog/cp-nano-watchdog

82
nodes/orchestration/package/service/x86/ubuntu14/nano_agent.init Executable file
View File

@@ -0,0 +1,82 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: nano_agent
# Required-Start: $local_fs $network $named $time $syslog
# Required-Stop: $local_fs $network $named $time $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Check Point Linux Nano Agent
### END INIT INFO
START=99
SCRIPT="/etc/cp/watchdog/cp-nano-watchdog"
PIDFILE=/var/run/nano_agent.pid
LOGFILE=/var/log/nano_agent.log
SERVICE_NAME=nano_agent
start() {
if [ -f $PIDFILE ] && [ -s $PIDFILE ] && kill -0 $(cat $PIDFILE); then
echo 'Service already running' >&2
return 1
fi
echo 'Starting service ' $SERVICE_NAME >&2
$SCRIPT > $LOGFILE 2>&1 &
echo $! > $PIDFILE
sleep 2
PID=$(cat $PIDFILE)
if pgrep -f $SERVICE_NAME > /dev/null
then
echo "$SERVICE_NAME is now running, the PID is $PID"
else
echo ''
echo "Error! Could not start $SERVICE_NAME!"
fi
}
stop() {
if [ ! -f "$PIDFILE" ] || ! kill -0 $(cat "$PIDFILE"); then
echo 'Service not running' >&2
return 1
fi
echo 'Stopping service $SERVICE_NAME' >&2
kill -15 $(cat "$PIDFILE") && rm -f "$PIDFILE"
echo 'Service stopped' >&2
}
status() {
printf "%-50s" "Checking $SERVICE_NAME"
if [ -f $PIDFILE ] && [ -s $PIDFILE ]; then
PID=$(cat $PIDFILE)
if [ -z "$(ps axf | grep ${PID} | grep -v grep)" ]; then
printf "%s\n" "The process appears to be dead but pidfile still exists"
else
echo "Running, the PID is $PID"
fi
else
printf "%s\n" "Service not running"
fi
}
boot() {
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
esac

11
nodes/orchestration/package/service/x86/ubuntu16/nano_agent.service Executable file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=CP_Nano_Linux_Agent
Before=network-pre.target
Wants=network-pre.target
[Install]
WantedBy=multi-user.target
[Service]
Restart=on-failure
EnvironmentFile=/etc/environment

36
nodes/orchestration/package/watchdog/access_pre_init Executable file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
#
# chkconfig: 2345 16 99
# description: Blcoks traffic until Access Control is ready.
#
FILESYSTEM_PATH="/etc/cp"
. "/etc/environment"
if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
CPNANO_KERNEL_MONITOR=${FILESYSTEM_PATH}/accessControl/cp-nano-access-control-kernel-modules-monitor.sh
case "$1" in
start)
grep "process:cp-nano-watchdog t" /config/active 1>/dev/null 2>/dev/null
if [ $? -eq 0 ] ; then
if [ -x ${CPNANO_KERNEL_MONITOR} ]; then
${CPNANO_KERNEL_MONITOR} --init
fi
fi
;;
stop)
;;
restart)
;;
status)
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
esac
exit 0

20
nodes/orchestration/package/watchdog/wait-for-networking-inspection-modules.sh Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
FILESYSTEM_PATH="/etc/cp"
. "/etc/environment"
if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
AC_MODULES_MONITOR_NAME=cp-nano-access-control-kernel-modules-monitor.sh
WD_SERVICES=${FILESYSTEM_PATH}/watchdog/wd.services
if [ -z "$(grep $AC_MODULES_MONITOR_NAME $WD_SERVICES)" ]; then
exit 0
fi
sleep 60 && kill "$$" &
while [ -z "$(lsmod | grep cp_nano)" ]; do
continue
done
exit 0

860
nodes/orchestration/package/watchdog/watchdog Executable file
View File

@@ -0,0 +1,860 @@
#!/bin/sh
[ -z ${FILESYSTEM_PATH} ] && FILESYSTEM_PATH="/etc/cp"
LOG_FILE_PATH="/var/log"
USR_LIB_PATH="/usr/lib"
INIT_D_PATH="/etc/init.d"
WATCHDOG_PROCESS_RESTART_COUNTER="/etc/cp/watchdog/watchdog_process_restart"
LOG_FILE=nano_agent/cp-nano-watchdog.dbg
AGENT_RUN_STATUS_FILE=/tmp/agent-status.txt
SRVS_FILE=watchdog/wd.services
TMP_SRVS_FILE=watchdog/wd.temp
VOL_SRVS_FILE=watchdog/wd.volatile_services
SRVS_CONTAINER_FILE=watchdog/wd.container_services_startup
SRVS_TO_RESTART_FILE=watchdog/wd.services.restart
TMP_VOL_SRVS_FILE_PRE_STOP=watchdog/wd.volatile_services.stop
TMP_VOL_SRVS_FILE_PRE_DEL=watchdog/wd.volatile_services.del
SRVS_HALTED=watchdog/wd.services.halt
SERVICE_LOG_FILE_TTL_MINUTES=10080
PIDOF_CMD_EXISTS=0
env_details_file=conf/environment-details.cfg
#default raw log file size in K-Bytes before rotation
DEFAULT_MAX_FILE_SIZE=4096
#default amount of archived log files to rotate
DEFAULT_MAX_ROTATION=10
get_basename()
{
is_basename="$(command -v basename)"
if [ -n ${is_basename} ]; then
echo $(basename $1)
else
echo $(echo $1 | rev | cut -d / -f 1 | rev)
fi
}
load_paths()
{
[ -f /etc/environment ] && . "/etc/environment"
if [ -f "${FILESYSTEM_PATH}/$env_details_file" ]; then
. ${FILESYSTEM_PATH}/$env_details_file
fi
if [ -n "${CP_ENV_FILESYSTEM}" ]; then
FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
if [ -n "${CP_ENV_LOG_FILE}" ]; then
LOG_FILE_PATH=$CP_ENV_LOG_FILE
fi
if [ -n "${CP_USR_LIB_PATH}" ]; then
USR_LIB_PATH=$CP_USR_LIB_PATH
fi
if [ -n "${CP_INIT_D_PATH}" ]; then
INIT_D_PATH=$CP_INIT_D_PATH
fi
if [ -z "${MAX_FILE_SIZE}" ]; then
MAX_FILE_SIZE=$DEFAULT_MAX_FILE_SIZE
fi
if [ -z "${MAX_ROTATION}" ]; then
MAX_ROTATION=$DEFAULT_MAX_ROTATION
fi
}
load_paths
NGEN_LIB_PATH=${USR_LIB_PATH}/cpnano/
pidof_cmd="pidof -x"
if command -v pidof > /dev/null 2>&1; then
PIDOF_CMD_EXISTS=1
fi
ARCH="x86"
if [ -f ${FILESYSTEM_PATH}/watchdog/platform ]; then
ARCH=$(cat ${FILESYSTEM_PATH}/watchdog/platform)
else
for m in "$@"; do
if [ $m = --arm32_openwrt ]; then
ARCH="arm"
MAX_FILE_SIZE=50
echo "arm" >${FILESYSTEM_PATH}/watchdog/platform
elif [ $m = --gaia ]; then
ARCH="gaia"
echo "gaia" >${FILESYSTEM_PATH}/watchdog/platform
fi
done
if [ ! -f ${FILESYSTEM_PATH}/watchdog/platform ]; then
if [ -n "$(uname -a | awk '{print $(NF -1) }' | grep arm)" ]; then
ARCH="arm"
echo "arm" >${FILESYSTEM_PATH}/watchdog/platform
fi
fi
fi
ls -l /etc/ | grep release > /dev/null 2>&1
retval=$?
if [ $retval -eq 0 ]; then
if [ ! -z "$(cat /etc/*release | grep alpine)" ]; then
pidof_cmd="pidof"
ARCH="alpine"
echo "alpine" >${FILESYSTEM_PATH}/watchdog/platform
fi
fi
is_smb_release=0
if [ -f /pfrm2.0/bin/cposd ]; then
is_smb_release=1
ARCH="smb"
echo "smb" >${FILESYSTEM_PATH}/watchdog/platform
pidof_cmd="/pfrm2.0/bin/nano_pidof"
MAX_FILE_SIZE=50
if [ ! -d /storage/tmp/orchestration_downloads -o ! -h /tmp/orchestration_downloads ]; then
rm -rf /tmp/orchestration_downloads
mkdir -p /storage/tmp/orchestration_downloads
ln -sf /storage/tmp/orchestration_downloads /tmp/orchestration_downloads
fi
SUB_HW_VER=`fw_printenv -n sub_hw_ver`
# Clear TMPDIR(set by nano-egg in SMB),
# so the nano-agent will use the default tmp dir(/tmp).
export TMPDIR=
fi
log()
{
curr_date_time=$(date +%Y-%m-%dT%H:%M:%S)
callee_function=${1}
echo "[${curr_date_time}@${callee_function}] ${2}" >>${LOG_FILE_PATH}/$LOG_FILE
}
sigterm()
{
# Should be replaced with proper ending
log "sigterm" "Terminating cp-nano-agent watchdog service"
for service in $(cat ${FILESYSTEM_PATH}/${SRVS_FILE}); do
if [ $ARCH = "arm" ]; then
cmd_pid=$(ps | awk -v srv=${service} '{if($5==srv) print $1}')
if [ "${cmd_pid:-null}" = null ] && [ $PIDOF_CMD_EXISTS -eq 1 ]; then
base_name=$(get_basename $service)
cmd_pid=$(pidof $base_name)
fi
elif [ $ARCH = "alpine" ]; then
cmd_pid=$(ps -ef | awk -v srv=${service} '{if($4 ~ srv || $3 ~ srv || $6 ~ srv) print $1}')
else
cmd_pid=$(ps -eo pid,cmd | awk -v srv=${service} '{if($2 == srv || $3 == srv) print $1}')
fi
if ! [ "${cmd_pid:-null}" = null ]; then
log "sigterm" "stopping $service (pid=$cmd_pid)"
kill_processes_by_pid $cmd_pid
fi
done
if [ -f ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ]; then
mv ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
for service_line in $(cat ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}); do
service=$(echo $service_line | cut -f1 -d ';')
family=$(echo $service_line | cut -f2 -d ';')
instance_id=$(echo $service_line | cut -f3 -d ';')
stop_instance $service $instance_id $family
done
rm ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
fi
echo "down" >>$AGENT_RUN_STATUS_FILE
log "sigterm" "cp-nano-agent watchdog service was successfully stopped "
exit 0
}
stop()
{
sigterm
}
trap 'sigterm' TERM
trap 'sigterm' INT
register()
{
log "register" "enter"
load_paths
service_name=$1
family_size=$2
family_name=$3
if [ -z $service_name ]; then
echo "Error! no service provided for registration"
exit 1
fi
if [ ! -z $IS_CONTAINER_ENV ]; then
touch ${FILESYSTEM_PATH}/${SRVS_CONTAINER_FILE}
echo "$service_name" >>${FILESYSTEM_PATH}/${SRVS_CONTAINER_FILE}
fi
if [ -z $family_size ]; then
#handle single instance services
if ! [ -z "$(cat ${FILESYSTEM_PATH}/${SRVS_FILE} | grep ^${service_name}$)" ]; then
echo "Warning! service '$service_name' is already registered"
exit 0
fi
echo "$service_name" >>${FILESYSTEM_PATH}/${SRVS_FILE}
else
touch ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}
# handle multiple instances services
family_prev_size=$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep "^$service_name;${family_name};" | wc -l)
if [ $family_size -eq $family_prev_size ]; then
echo "Service '$service_name' already registered with $family_size instances for family '${family_name}'"
exit 0
fi
mv ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
if [ $family_prev_size -gt $family_size ]; then
for i in $(seq ${family_prev_size} -1 $((family_size - 1))); do
stop_instance $service_name ${i} ${family_name}
done
fi
grep -v -e "^${service_name};${family_name};" ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} >${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL}
for i in $(seq 1 ${family_size}); do
echo "$service_name;$family_name;$i" >>${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL}
done
mv ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL} ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}
rm ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
fi
}
# IMPORTANT - assumes /etc/cp/watchdog/wd.volatile_services was moved to
# /etc/cp/watchdog/wd.volatile_services.tmp in order to avoid race condition
stop_instance()
{
service_name=$1
instance_id=$2
family_name=$3
service=$(cat ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} | grep "^${service_name};${family_name};${instance_id}$")
if [ -z $service ]; then
log "stop_instance" "Warning! service '$service_name' with ID $instance_id in family $family_name is already un-registered"
return
fi
family_arg=""
if [ -n "${family_name}" ]; then
family_arg="--family=${family_name}"
fi
if [ $ARCH = "arm" ]; then
cmd_pid=$(ps | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${1} '{if($5==srv) print $1}')
elif [ $ARCH = "alpine" ]; then
cmd_pid=$(ps -ef | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${1} '{if($4 ~ srv || $3 ~ srv) print $1}')
else
cmd_pid=$(ps -eo pid,cmd,args | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${1} '{if($2 ~ srv || $3 ~ srv) print $1}')
fi
if ! [ "${cmd_pid:-null}" = null ]; then
log "stop_instance" "stopping $service_name (pid=$cmd_pid)"
echo "Stopping registered service '$service_name', family $family_name, instance $instance_id with pid=$cmd_pid"
kill_processes_by_pid $cmd_pid &
fi
}
kill_processes_by_pid()
{
for pid in "$@"; do
kill -15 ${pid}
done
sleep 0.5
for pid in "$@"; do
if [ -d /proc/$pid ]; then
sleep 2
break
fi
done
for pid in "$@"; do
if [ -d /proc/$pid ]; then
kill -9 ${pid}
log "kill_processes_by_pid" "Terminating ${pid} with sigkill signal"
fi
done
}
kill_services_if_needed()
{
for service_name in $(cat ${FILESYSTEM_PATH}/${SRVS_TO_RESTART_FILE}); do
kill_processes_by_pid $(${pidof_cmd} ${service_name})
done
echo "" >${FILESYSTEM_PATH}/${SRVS_TO_RESTART_FILE}
sleep 0.3
}
trigger_restart_service()
{
service_name=$1
vol_service=$([ -f ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ] && cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep "^${service_name};")
service=$([ -f ${FILESYSTEM_PATH}/${SRVS_FILE} ] && cat ${FILESYSTEM_PATH}/${SRVS_FILE} | grep "^${service_name}$")
if [ -z "$service" ] && [ -z "$vol_service" ]; then
log "trigger_restart_service" "Requested to restart service '$service_name', but it is not registered"
echo "Requested to restart service '$service_name', but it is not registered"
return
fi
echo "$service_name" >>${FILESYSTEM_PATH}/$SRVS_TO_RESTART_FILE
}
unregister()
{
service_name=$1
to_kill=$2
family_name=$3
kill_flag=1
if [ -z $service_name ]; then
echo "Error! no service provided for un-registration"
exit 1
fi
if test "$to_kill" = "without_kill"; then
kill_flag=0
fi
touch ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}
if [ -z "$family_name" ]; then
no_family=$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep "^$service_name;;" | wc -l)
fi
if test "$to_kill" = "--all"; then
# unregister volatile service family
if [ -z "$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep ${service_name})" ]; then
log "unregister" "Warning! service '$service_name' is already un-registered"
exit 0
fi
mv ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
grep -v -e "${service_name}" ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} >${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL}
family_size=$(cat ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} | grep "^$service_name;${family_name};" | wc -l)
mv ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL} ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}
kill_processes_by_pid $(${pidof_cmd} ${service_name})
rm ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
elif [ -n "$family_name" ] || [ $no_family -ne 0 ]; then
# unregister volatile service family
if [ -z "$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep ^${service_name}\;${family_name}\;)" ]; then
log "unregister" "Warning! family '$family_name' of service '$service_name' is already un-registered"
exit 0
fi
mv ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
grep -v -e "^${service_name};${family_name};" ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} >${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL}
family_size=$(cat ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP} | grep "^$service_name;${family_name};" | wc -l)
mv ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_DEL} ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}
if [ ${kill_flag} -eq 1 ]; then
for i in $(seq 1 $family_size); do
stop_instance $service_name $i $family_name
done
fi
rm ${FILESYSTEM_PATH}/${TMP_VOL_SRVS_FILE_PRE_STOP}
else
# unregister standard service
service="$(cat ${FILESYSTEM_PATH}/${SRVS_FILE} | grep ^${service_name}$)"
if [ -z $service ]; then
log "unregister" "Warning! service '$service_name' is already un-registered"
exit 0
fi
if [ $ARCH = "arm" ]; then
cmd_pid=$(ps | awk -v srv=${service} '{if($5==srv) print $1}')
if [ "${cmd_pid:-null}" = null ] && [ $PIDOF_CMD_EXISTS -eq 1 ]; then
base_name=$(get_basename $service)
cmd_pid=$(pidof $base_name)
fi
elif [ $ARCH = "alpine" ]; then
cmd_pid=$(ps -ef | awk -v srv=${service} '{if($4 ~ srv || $3 ~ srv || $6 ~ srv) print $1}')
else
cmd_pid=$(ps -eo pid,cmd | awk -v srv=${service} '{if($2 == srv || $3 == srv) print $1}')
fi
if ! [ "${cmd_pid:-null}" = null ]; then
log "unregister" "Unregistering $service (pid=$cmd_pid)"
if [ ${kill_flag} -eq 1 ]; then
echo "Stopping registered service '$service' with pid=$cmd_pid"
kill_processes_by_pid $cmd_pid
fi
fi
grep -v -e "^$service_name$" ${FILESYSTEM_PATH}/${SRVS_FILE} >${FILESYSTEM_PATH}/${TMP_SRVS_FILE}
mv ${FILESYSTEM_PATH}/${TMP_SRVS_FILE} ${FILESYSTEM_PATH}/${SRVS_FILE}
fi
}
rotate_service_file()
{
log_file_name=$1
touch $log_file_name
file_size=$(du -a $log_file_name | tr -s '\t' ' ' | cut -d' ' -f1)
if [ $file_size -gt $MAX_FILE_SIZE ]; then
log "Run log rotation on ${log_file_name}"
cp $log_file_name "$log_file_name.0" && echo >$log_file_name
for file_num in $(seq $((MAX_ROTATION - 1)) -1 0); do
if [ -f "$log_file_name.$file_num.gz" ]; then
mv "$log_file_name.$file_num.gz" "$log_file_name.$((file_num + 1)).gz"
fi
done
gzip "$log_file_name.0"
fi
}
rotate_service_log()
{
if [ -f ${FILESYSTEM_PATH}/${SRVS_FILE} ]; then
for service in $(cat ${FILESYSTEM_PATH}/${SRVS_FILE}); do
base_name=$(get_basename $service)
srv_debug_file=${LOG_FILE_PATH}/nano_agent/$base_name.dbg
srv_log_file=${LOG_FILE_PATH}/nano_agent/$base_name.log
rotate_service_file ${srv_debug_file}
rotate_service_file ${srv_log_file}
done
fi
if [ -f ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ]; then
for service_line in $(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}); do
service=$(echo $service_line | cut -f1 -d ';')
family=$(echo $service_line | cut -f2 -d ';')
instance_id=$(echo $service_line | cut -f3 -d ';')
if [ -z $family ]; then
debug_file_suffix=${instance_id}
else
debug_file_suffix=${family}_${instance_id}
fi
base_name=$(get_basename $service)
srv_debug_file=${LOG_FILE_PATH}/nano_agent/$base_name.dbg${debug_file_suffix}
srv_log_file=${LOG_FILE_PATH}/nano_agent/$base_name.log${debug_file_suffix}
rotate_service_file ${srv_debug_file}
rotate_service_file ${srv_log_file}
done
fi
rotate_service_file ${LOG_FILE_PATH}/$LOG_FILE
}
remove_file_if_expired()
{
file=$1
file_ttl_minutes=$2
if test "$(find $file -mmin +$file_ttl_minutes)" = "$file"; then
rm $file
fi
}
remove_old_service_logs()
{
if [ -f ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ]; then
for service_line in $(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}); do
service=$(echo $service_line | cut -f1 -d ';')
service=$(get_basename $service)
family=$(echo $service_line | cut -f2 -d ';')
if [ -z $family ]; then
continue
fi
for service_log_file in $(ls -d ${LOG_FILE_PATH}/nano_agent/* | grep $service); do
family_and_id=$(echo $service_log_file | cut -f2 -d '.')
if [ -z $(echo $family_and_id | grep '_') ]; then
continue
fi
family=$(echo $family_and_id | cut -f1 -d '_')
family=${family#dbg}
family=${family#log}
relevant_services=$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep "$service;$family")
if [ -z "$relevant_services" ]; then
remove_file_if_expired $service_log_file $SERVICE_LOG_FILE_TTL_MINUTES
for buffered_log in $(ls -d ${LOG_FILE_PATH}/nano_agent/event_buffer/* | grep $family); do
remove_file_if_expired $buffered_log $SERVICE_LOG_FILE_TTL_MINUTES
done
fi
done
done
fi
for buffered_log in $(ls -d ${LOG_FILE_PATH}/nano_agent/event_buffer/* | grep cpz); do
log_id=$(echo $buffered_log | cut -f2 -d '.')
if [ $log_id -ge 10 ]; then
rm $buffered_log
fi
done
}
daily_log_files_cleanup()
{
minutes_in_day=1440
last_cleanup_flag_file=${FILESYSTEM_PATH}/${VOL_SRVS_FILE}.log_cleanup
remove_file_if_expired ${last_cleanup_flag_file} $minutes_in_day
if [ ! -f ${last_cleanup_flag_file} ]; then
remove_old_service_logs
touch ${last_cleanup_flag_file}
fi
}
is_service_running()
{
service=$1
if [ $ARCH = "arm" ]; then
cmd_pid=$(ps w | grep $service | head -n-1 | awk '{ print $1 }')
if [ "${cmd_pid:-null}" = null ] && [ $PIDOF_CMD_EXISTS -eq 1 ]; then
base_name=$(get_basename $service)
cmd_pid=$(pidof $base_name)
fi
elif [ $ARCH = "alpine" ]; then
cmd_pid=$(ps -ef | awk -v srv="$service" '{if(($4 ~ srv || $3 ~ srv || $6 ~ srv) && ($4 != "awk" && $4 != "grep" )) print $1}')
else
cmd_pid=$(ps -eo pid,cmd | awk -v srv="$service" '{if($2 ~ srv || $3 ~ srv) print $1}')
fi
if [ "${cmd_pid:-null}" = null ]; then
echo false
else
echo true
fi
}
# is_volatile_service_running arguments: (service name, instance ID, family name)
is_volatile_service_running()
{
service=$1
instance_id=$2
family_name=$3
family_arg=""
if [ -n "${family_name}" ]; then
family_arg="--family=${family_name}"
fi
if [ $ARCH = "arm" ]; then
cmd_pid=$(ps | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${service} '{if($5==srv) print $1}')
elif [ $ARCH = "alpine" ]; then
cmd_pid=$(ps -ef | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${service} '{if($4 ~ srv || $3 ~ srv) print $1}')
else
cmd_pid=$(ps -eo pid,cmd | grep -- "${family_arg}" | grep -- "--id=$instance_id" | awk -v srv=${service} '{if($2 ~ srv || $3 ~ srv) print $1}')
fi
if [ "${cmd_pid:-null}" = null ]; then
echo false
else
echo true
fi
}
increment_watchdog_process_restart_counter()
{
if [ -f $WATCHDOG_PROCESS_RESTART_COUNTER ]; then
counter=$(cat ${WATCHDOG_PROCESS_RESTART_COUNTER})
else
counter=0
fi
counter=$((counter+1))
echo ${counter}> ${WATCHDOG_PROCESS_RESTART_COUNTER}
}
load_volatile_services()
{
if [ -f ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} ]; then
for service_line in $(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE}); do
service=$(echo $service_line | cut -f1 -d ';')
family=$(echo $service_line | cut -f2 -d ';')
instance_id=$(echo $service_line | cut -f3 -d ';')
already_running="0"
execution_flags=
srv_debug_file=
gaia_ld_path=
if [ -n "$(cat ${FILESYSTEM_PATH}/$SRVS_HALTED | grep $service)" ]; then
continue
fi
if [ -f ${service}.cfg ]; then
. "${service}.cfg"
fi
if [ -z $family ]; then
debug_file_suffix=${instance_id}
else
debug_file_suffix=${family}_${instance_id}
fi
if [ -z ${srv_debug_file} ]; then
base_name=$(get_basename $service)
srv_debug_file=${LOG_FILE_PATH}/nano_agent/$base_name.dbg${debug_file_suffix}
fi
if ! [ -z ${gaia_ld_path} ]; then
NGEN_LIB_PATH="${USR_LIB_PATH}/cpnano/:${gaia_ld_path}"
if [ "$is_smb" = "1" -a "$SUB_HW_VER" = "THX2" ]; then
NGEN_LIB_PATH="/lib64:/pfrm2.0/lib64:${NGEN_LIB_PATH}"
fi
fi
if test "$(is_volatile_service_running $service $instance_id $family)" = "false"; then
family_arg=""
if [ -n "${family}" ]; then
family_arg="--family=${family}"
fi
log "load_volatile_services" "Respawn ${service} ($family : $instance_id)"
echo -en "["$(date)"]" >> ${srv_debug_file}
eval "LD_LIBRARY_PATH=${NGEN_LIB_PATH} ${service} ${execution_flags} --filesystem_path=${FILESYSTEM_PATH} --log_files_path=${LOG_FILE_PATH} ${family_arg} --id=${instance_id} &"
increment_watchdog_process_restart_counter
echo "running" >> $AGENT_RUN_STATUS_FILE
already_running="1"
fi
if test "$already_running" = "0" && [ -f /tmp/agent-status.txt ]; then
echo "already running" >>$AGENT_RUN_STATUS_FILE
fi
done
fi
}
load_services()
{
load_paths
is_startup_mode=false
if [ -f ${FILESYSTEM_PATH}/watchdog/wd.startup ]; then
rm -f ${FILESYSTEM_PATH}/watchdog/wd.startup
echo "" >${FILESYSTEM_PATH}/$SRVS_HALTED
is_startup_mode=true
fi
already_running="0"
for service in $(cat ${FILESYSTEM_PATH}/${SRVS_FILE}); do
execution_flags=
srv_debug_file=
gaia_ld_path=
if test "$is_startup_mode" = "false" && [ -n "$(cat ${FILESYSTEM_PATH}/$SRVS_HALTED | grep $service)" ]; then
continue
fi
if [ -f ${service}.cfg ]; then
. "${service}.cfg"
fi
if [ -z ${srv_debug_file} ]; then
base_name=$(get_basename $service)
srv_debug_file=${LOG_FILE_PATH}/nano_agent/${base_name}.dbg
fi
if ! [ -z ${gaia_ld_path} ]; then
NGEN_LIB_PATH="${USR_LIB_PATH}/cpnano/:${gaia_ld_path}"
fi
if test "$(is_service_running $service)" = "false"; then
if [ ! -z $IS_CONTAINER_ENV ] && [ -f ${FILESYSTEM_PATH}/$SRVS_CONTAINER_FILE ]; then
if grep -q "$service" ${FILESYSTEM_PATH}/$SRVS_CONTAINER_FILE; then
sed -i "/$service/d" ${FILESYSTEM_PATH}/$SRVS_CONTAINER_FILE
is_startup_mode=true
fi
fi
if [ ! -z $IS_CONTAINER_ENV ] && test "$is_startup_mode" = "false"; then
echo "Error: Nano service $service stopped running"
exit 1
fi
log "load_services" "Respawn ${service}"
if [ "${service}" == "/etc/cp/agentIntelligence/redis/redis-server" ]; then
eval "LD_LIBRARY_PATH=${NGEN_LIB_PATH} ${service} ${execution_flags} &"
else
eval "LD_LIBRARY_PATH=${NGEN_LIB_PATH} ${service} ${execution_flags} --filesystem_path=${FILESYSTEM_PATH} --log_files_path=${LOG_FILE_PATH} &"
fi
increment_watchdog_process_restart_counter
echo "running" >> $AGENT_RUN_STATUS_FILE
already_running="1"
fi
if test "$already_running" = "0" && [ -f /tmp/agent-status.txt ]; then
echo "already running" >>$AGENT_RUN_STATUS_FILE
fi
done
}
get_service_status()
{
service=''
fid=''
uid=''
verbose=false
registration_status="not-registered"
running_status="not-running"
while true; do
if test "$1" = "--service"; then
shift
service=$1
elif test "$1" = "--family"; then
shift
fid=$1
elif test "$1" = "--id"; then
shift
uid=$1
elif test "$1" = "--verbose"; then
verbose=true
elif [ -z $1 ]; then
break
fi
shift
done
if [ -z $service ]; then
echo "Error: service name was not provided"
exit 1
fi
if [ -z "$uid" ]; then
is_running=$(is_service_running ${service})
if [ "$is_running" = "true" ]; then
running_status="running"
fi
if ! [ -z "$(cat ${FILESYSTEM_PATH}/${SRVS_FILE} | grep ${service}$)" ]; then
registration_status="registered"
fi
if [ "$verbose" = "true" ]; then
echo "service '$service' is ${registration_status} and ${running_status}"
else
echo "service '$service' is ${registration_status}"
fi
else
if [ "$(is_volatile_service_running ${service} ${uid} ${fid})" = "true" ]; then
running_status="running"
fi
family_size=$(cat ${FILESYSTEM_PATH}/${VOL_SRVS_FILE} | grep "${service};${fid};" | wc -l)
if ! { [ -z "$family_size" ] || [ $family_size -lt $uid ]; }; then
registration_status="registered"
fi
# handle multiple instances services
if [ "$verbose" = "true" ]; then
echo "service '$service' (Family '$fid', uid '$uid') is ${registration_status} and ${running_status}"
else
echo "service '$service' (Family '$fid', uid '$uid') is ${registration_status}"
fi
fi
}
#read_config
load_paths
if test "$1" = "--status" || test "$1" = "-s"; then
shift
get_service_status "${@}"
exit 0
elif test "$1" = "--restart_count" || test "$1" = "-rc"; then
if [ -f $WATCHDOG_PROCESS_RESTART_COUNTER ]; then
counter=$(cat ${WATCHDOG_PROCESS_RESTART_COUNTER})
else
echo 0> ${WATCHDOG_PROCESS_RESTART_COUNTER}
counter=0
fi
echo ${counter}
exit 0
elif test "$1" = "--register" || test "$1" = "-r"; then
if test "$3" = "--family" || test "$3" = "-f"; then
family_name=$4
if test "$5" = "--count" || test "$5" = "-c"; then
family_size=$6
else
log "main" "Registering a family requires size argument"
fi
elif test "$3" = "--count" || test "$3" = "-c"; then
family_size=$4
fi
register $2 $family_size $family_name
exit 0
elif test "$1" = "--un-register" || test "$1" = "-u"; then
if test "$3" = "--family" || test "$3" = "-f"; then
family_name=$4
kill_arg="kill"
else
kill_arg=$3
if test "$4" = "--family" || test "$4" = "-f"; then
family_name=$5
kill_arg="kill"
fi
fi
unregister $2 $kill_arg $family_name
exit 0
elif test "$1" = "--restart"; then
trigger_restart_service $2
exit 0
elif test "$1" = "--stop" || test "$1" = "-q"; then
if test "$2" = "--persistent" || test "$2" = "-p"; then
echo "$3" >>${FILESYSTEM_PATH}/$SRVS_HALTED
unregister $3
exit 0
fi
echo "$2" >>${FILESYSTEM_PATH}/$SRVS_HALTED
kill_processes_by_pid $(${pidof_cmd} ${2})
retry_counter=0
while [ $retry_counter -lt 10 ]; do
if [ -z "$(${pidof_cmd} ${2})" ]; then
exit 0
fi
sleep 0.3
retry_counter=$(($retry_counter + 1))
done
if [ -n "$(${pidof_cmd} ${2})" ]; then
log "main" "Service $2 is in 'stopped' state but have not exited for 3 seconds"
exit 1
fi
exit 0
elif test "$1" = "--start" || test "$1" = "-r"; then
if test "$2" = "--persistent" || test "$2" = "-p"; then
register $3
shift
fi
if [ -z "$(cat ${FILESYSTEM_PATH}/$SRVS_FILE | grep $2)" ] && [ -z "$(cat ${FILESYSTEM_PATH}/$VOL_SRVS_FILE | grep $2)" ]; then
exit 3
fi
if [ -n "$(cat ${FILESYSTEM_PATH}/$SRVS_HALTED | grep $2)" ]; then
sed -i "\|$2|d" ${FILESYSTEM_PATH}/$SRVS_HALTED
exit $?
fi
exit 2
fi
if [ -z $IS_CONTAINER_ENV ]; then
log "main" "Starting cp-nano-agent watchdog as service mode"
else
log "main" "Starting cp-nano-agent watchdog as container mode"
fi
IS_SERVICE_STARTED=false
echo "" >${FILESYSTEM_PATH}/$SRVS_HALTED
while $(true); do
if [ -z $IS_CONTAINER_ENV ] && [ -f /tmp/restart_watchdog ]; then
rm -f /tmp/restart_watchdog
if [ $ARCH = "arm" ]; then
cp_exec "$INIT_D_PATH/nano_agent.init restart"
else
service nano_agent restart
fi
fi
$IS_SERVICE_STARTED && kill_services_if_needed
IS_SERVICE_STARTED=true
load_services
load_volatile_services
rotate_service_log
daily_log_files_cleanup
sleep 5
done

369
nodes/orchestration/scripts/cp-nano-makefile-generator.sh Executable file
View File

@@ -0,0 +1,369 @@
#!/bin/bash
initializeEnviroment()
{
TMP_ENCODE=""
CURRENT_TIME=""
PACKAGE_VERSION=""
CUR_NGINX_ALREADY_SUPPORTED=false
NUMBER_OF_CONFIGURATION_FLAGS=0
TMP_NGINX_UNPARSED_CONFIGURATION="/tmp/nginx_unparsed_tmp_conf.txt"
TMP_NGINX_PARSED_CONFIGURATION_FLAGS="/tmp/nginx_parsed_conf_flags.txt"
TMP_DECODED_FILE_PATH="/tmp/decoded_file.txt"
IS_ALPINE=false
if [ ! -z "$(cat /etc/*release | grep alpine)" ]; then
IS_ALPINE=true
fi
}
usage()
{
local IS_ERROR=$1
local option=$2
if [[ ${IS_ERROR} == true ]]; then
echo "Error: unsupported option '${option}'"
fi
echo "Usage:"
line_padding=" "
local debug_print_option="-h, --help"
printf "%s %s Print (this) help message\n" "$debug_print_option" "${line_padding:${#debug_print_option}}"
debug_print_option="-d, --debug"
printf "%s %s Enable debug mode\n" "$debug_print_option" "${line_padding:${#debug_print_option}}"
debug_print_option="-v, --verbose"
printf "%s %s show version and configure options\n" "$debug_print_option" "${line_padding:${#debug_print_option}}"
debug_print_option="-o, --output"
printf "%s %s change output file name into '${option}'\n" "$debug_print_option" "${line_padding:${#debug_print_option}}"
debug_print_option="-f, --force"
printf "%s %s force creation of makefile'\n" "$debug_print_option" "${line_padding:${#debug_print_option}}"
if [[ ${IS_ERROR} == true ]]; then
exit -1
else
exit 1
fi
}
debug()
{
local debug_message=$1
if [[ $IS_DEBUG_MODE_ACTIVE == true ]]; then
echo -e $debug_message
fi
}
check_flags_options()
{
local argc=$#
for (( i = 1; i <= $argc; i++ )); do
local option=${!i}
local IS_ERROR=false
if [[ "$option" == "--debug" || "$option" == "-d" ]]; then
IS_DEBUG_MODE_ACTIVE=true
elif [[ "$option" == "--verbose" || "$option" == "-v" ]]; then
IS_VERBOSE_MODE_ACTIVE=true
elif [[ "$option" == "--force" || "$option" == "-f" ]]; then
IS_FORCE_OUTPUT=true
elif [[ "$option" == "--output" || "$option" == "-o" ]]; then
IS_OUTPUT_NAME_MODE_ACTIVE=true
i=$((i+1))
FILE_NAME=${!i}
if [[ -z ${FILE_NAME} ]]; then
echo "Error: No file name was given for ${option} option."
exit -1
fi
elif [[ "$option" == "--help" || "$option" == "-h" ]]; then
usage ${IS_ERROR} ${option}
elif [[ ! -z $option ]]; then
IS_ERROR=true
usage ${IS_ERROR} ${option}
fi
done
}
_main()
{
echo "Starting verification of Check Point support with local nginx server"
initializeEnviroment
getNginxVersion
nginx -V &> "$TMP_NGINX_UNPARSED_CONFIGURATION"
if [[ $IS_VERBOSE_MODE_ACTIVE == true ]]; then
echo ""
cat ${TMP_NGINX_UNPARSED_CONFIGURATION}
echo ""
fi
while IFS= read -ra UNPARSED_CONFIGURATION_LINE <&3; do
if [[ ${UNPARSED_CONFIGURATION_LINE} =~ ^"nginx version:" ]]; then
openFile
elif [[ ${UNPARSED_CONFIGURATION_LINE} =~ ^"built by gcc" ]]; then
addBuiltConfiguration "${UNPARSED_CONFIGURATION_LINE}"
elif [[ ${UNPARSED_CONFIGURATION_LINE} =~ ^"configure arguments:" ]]; then
IFS="'"
addAndCutOptionalFlags ${UNPARSED_CONFIGURATION_LINE}
IFS=" "
addRequiredFlags ${CONFIGURATION_FLAGES_NEED_TO_BE_PARSED}
fi
done 3<"$TMP_NGINX_UNPARSED_CONFIGURATION"
if [[ ${COMBINED_CONFIGURATION_FLAGS} =~ "--with-cc="* ]]; then
PARSED_CONFIGURATION="CONFIGURE_OPT=${COMBINED_CONFIGURATION_FLAGS}"
NUMBER_OF_CONFIGURATION_FLAGS=$((NUMBER_OF_CONFIGURATION_FLAGS-1))
else
PARSED_CONFIGURATION="CONFIGURE_OPT=${BUILT_BY_GCC_FLAG}${COMBINED_CONFIGURATION_FLAGS}"
fi
local local_pwd=$(pwd)
if [[ ${local_pwd:0:2} == "//" ]]; then
local_pwd=${local_pwd:1}
fi
debug "Moving parsed configuration to target ${local_pwd}/${FILE_NAME} configuration file"
echo -e ${PARSED_CONFIGURATION} > ${FILE_NAME}
add_nginx_and_release_versions
if [[ $IS_FORCE_OUTPUT != true ]]; then
checkFile
fi
if [[ $CUR_NGINX_ALREADY_SUPPORTED == true ]]; then
tearDown
echo -e "Check Point Nano Agent already supported on this environment"
else
tearDown
echo -e "Extracted environment data to $(pwd)/${FILE_NAME} \nPlease send file to nano-agent-attachments-support@checkpoint.com"
fi
}
tearDown()
{
rm -f ${TMP_NGINX_UNPARSED_CONFIGURATION}
rm -f ${TMP_NGINX_PARSED_CONFIGURATION_FLAGS}
rm -f ${TMP_DECODED_FILE_PATH}
rm -f ${TMP_NGINX_VERSION_FILE}
}
getNginxVersion()
{
TMP_NGINX_VERSION_FILE="/tmp/nginx_version_file.txt"
nginx -v &> "$TMP_NGINX_VERSION_FILE"
if [[ $IS_ALPINE == true ]]; then
NGINX_VERSION=`cat ${TMP_NGINX_VERSION_FILE} | grep -oE [0-9]+.[0-9]+.[0-9]+`
else
NGINX_VERSION=`cat ${TMP_NGINX_VERSION_FILE} | grep -oP [0-9]+.[0-9]+.[0-9]+`
fi
}
openFile()
{
if [[ ${IS_OUTPUT_NAME_MODE_ACTIVE} != true ]]; then
FILE_NAME="${NGINX_VERSION}.mk"
debug "Trying to create an empty ${NGINX_VERSION} file"
FILE_NAME_PATH="$(pwd)/${FILE_NAME}"
if [[ -z ${FILE_NAME_PATH} || ! ( ${FILE_NAME} =~ [0-9]+.[0-9]+.[0-9]+.mk ) ]]; then
echo "ERROR: can't find nginx version."
exit -1
fi
if [[ -f "${FILE_NAME_PATH}" ]]; then
echo "The output file: ${FILE_NAME} already exists. Do you want to overwrite this file? [y/N]"
read answer
if [[ ${answer} != "y" ]]; then
echo -e "Stopping after the operation was cancelled.\nIf you wish to use other output file name you can use option -o or --output"
exit -1
fi
fi
else
debug "Trying to create an empty ${FILE_NAME} file"
FILE_NAME_PATH="${FILE_NAME}"
fi
touch ${FILE_NAME_PATH} &> /dev/null
if [ ! -e ${FILE_NAME_PATH} ];then
echo "Failed to create ${FILE_NAME_PATH}"
exit -1
fi
debug "Created an empty ${FILE_NAME} file"
}
checkFile()
{
echo -e ${BUILT_BY_GCC_FLAG} > ${TMP_NGINX_PARSED_CONFIGURATION_FLAGS}
echo -e ${CONFIGURATION_FLAGS} >> ${TMP_NGINX_PARSED_CONFIGURATION_FLAGS}
echo "$TMP_ENCODE" | base64 --decode > ${TMP_DECODED_FILE_PATH}
while IFS='|' read -a db_line; do
local parsed_db_gcc_version=`echo ${db_line[1]} | tr -d -c 0-9`
local parsed_db_optional_flag=`echo ${db_line[2]}`
if [[ ${NGINX_VERSION} != ${db_line[0]} ]]; then
continue
elif [[ ${GCC_VERSION##*gcc-} != "" ]] && [[ ${GCC_VERSION##*gcc-} != ${parsed_db_gcc_version} ]]; then
continue
elif [[ ${CC_OPTIONAL_FLAGS} != ${parsed_db_optional_flag} ]]; then
continue
else
if [[ ${GCC_VERSION##*gcc-} == "" ]] && [[ ${db_line[1]} == 5 ]]; then
NUMBER_OF_CONFIGURATION_FLAGS=$((NUMBER_OF_CONFIGURATION_FLAGS+1))
fi
IFS='|'
checkAllDBLineFlags ${db_line[@]}
if [[ ${EQUAL_FLAGS} == true ]]; then
CUR_NGINX_ALREADY_SUPPORTED=true
break
fi
fi
done < ${TMP_DECODED_FILE_PATH}
}
checkAllDBLineFlags()
{
local argc=$#
local argv=("$@")
local number_of_db_line_flags=$((argc-3))
local gcc_version_prefix="--with-cc="
if [[ ${number_of_db_line_flags} == ${NUMBER_OF_CONFIGURATION_FLAGS} ]]; then
for ((i = 3; i < ${argc}; i++)); do
if [[ ${argv[i]} =~ ^"${gcc_version_prefix}"* ]]; then
continue
fi
checkFlag ${argv[i]}
if [[ ${found_equal_flag} == false ]]; then
EQUAL_FLAGS=false
return
fi
done
else return
fi
EQUAL_FLAGS=true
}
checkFlag()
{
found_equal_flag=false
db_flag=$1
while IFS='\' read -ra flag; do
if [[ "${flag}" == "${db_flag}" ]] || [[ "${flag} " == "${db_flag}" ]]; then
found_equal_flag=true
break
fi
done < ${TMP_NGINX_PARSED_CONFIGURATION_FLAGS}
}
addBuiltConfiguration()
{
BUILT_BY_GCC_FLAG_PREFIX="--with-cc=/usr/bin/"
if [[ $IS_ALPINE == true ]]; then
GCC_VERSION=`echo "$1" | grep -oE "gcc "[0-9]+ | tr ' ' '-'`
else
GCC_VERSION=`echo "$1" | grep -oP "gcc "[0-9]+ | tr ' ' '-'`
fi
if [[ "$GCC_VERSION" == "gcc-4" ]]; then
GCC_VERSION=gcc-5
elif [[ "$GCC_VERSION" == "gcc-10" ]] || [[ "$GCC_VERSION" == "gcc-11" ]]; then
GCC_VERSION=gcc-8
fi
BUILT_BY_GCC_FLAG=" \\\\\n${BUILT_BY_GCC_FLAG_PREFIX}${GCC_VERSION}"
NUMBER_OF_CONFIGURATION_FLAGS=$((NUMBER_OF_CONFIGURATION_FLAGS+1))
}
addAndCutOptionalFlags()
{
debug "Parsing all nginx configuration flags"
CC_EXTRA_PREFIX="EXTRA_CC_OPT="
CC_OPTIONAL_FLAG_PREFIX="--with-cc-opt="
LD_OPTIONAL_FLAG_PREFIX="--with-ld-opt="
local argc=$#
local argv=("$@")
for (( i = 0; i < $argc; i++ )); do
if [[ ${argv[i]} == *"${CC_OPTIONAL_FLAG_PREFIX}"* ]]; then
debug "Successfully added compilation flags"
CONFIGURATION_FLAGES_NEED_TO_BE_PARSED="${CONFIGURATION_FLAGES_NEED_TO_BE_PARSED}${argv[i]}"
i=$((i+1))
IFS=" "
addCCFlagsWithoutSpecsLocalFlag ${argv[i]}
CC_OPTIONAL_FLAGS="${CC_EXTRA_PREFIX}${CC_OPTIONAL_FLAGS}"
elif [[ ${argv[i]} == *"${LD_OPTIONAL_FLAG_PREFIX}"* ]]; then
CONFIGURATION_FLAGES_NEED_TO_BE_PARSED="${CONFIGURATION_FLAGES_NEED_TO_BE_PARSED}${argv[i]}"
i=$((i+1))
else CONFIGURATION_FLAGES_NEED_TO_BE_PARSED="${CONFIGURATION_FLAGES_NEED_TO_BE_PARSED}${argv[i]}"
fi
done
debug "Successfully finished adding optional flags"
}
addCCFlagsWithoutSpecsLocalFlag()
{
local argc=$#
local argv=("$@")
SPECS_FLAG_PREFIX="-specs="
NO_ERROR_PREFIX="-Wno-error="
FCF_PROTECTION_PREFIX="-fcf-protection"
FSTACK_PREFIX="-fstack-clash-protection"
for (( j = 0; j < $argc; j++ )); do
if [[ ! ${argv[j]} =~ ^${SPECS_FLAG_PREFIX} ]] && \
[[ ! ${argv[j]} =~ ^${NO_ERROR_PREFIX} ]] && \
[[ ! ${argv[j]} =~ ^${FSTACK_PREFIX} ]] && \
[[ ! ${argv[j]} =~ ^${FCF_PROTECTION_PREFIX} ]]; \
then
CC_OPTIONAL_FLAGS="${CC_OPTIONAL_FLAGS} ${argv[j]}"
fi
done
CC_OPTIONAL_FLAGS=`echo $CC_OPTIONAL_FLAGS | grep ^"-"`
}
addRequiredFlags()
{
local argc=$#
local argv=("$@")
CC_OPTIONAL_FLAG_PREFIX="--with-cc-opt="
LD_OPTIONAL_FLAG_PREFIX="--with-ld-opt="
ADDITIONAL_MODULE_FLAG_PREFIX="--add-module="
DYNAMIC_MODULE_FLAG_PREFIX="--add-dynamic-module="
BUILD_FLAG_PREFIX="--build="
OPENSSL_VERSION_PREFIX="--with-openssl="
OPENSSL_OPT_PREFIX="--with-openssl-opt="
HPACK_ENC_PREFIX="--with-http_v2_hpack_enc"
AUTH_JWT_PREFIX="--with-http_auth_jwt_module"
F4F_PREFIX="--with-http_f4f_module"
HLS_PREFIX="--with-http_hls_module"
SESSION_LOG_PREFIX="--with-http_session_log_module"
COMMON_PREFIX="--"
for (( i = 1; i < $argc; i++ )); do
if [[ "${argv[i]}" =~ ^${COMMON_PREFIX} ]] && \
[[ ! ("${argv[i]}" =~ ^${CC_OPTIONAL_FLAG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ^${LD_OPTIONAL_FLAG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${ADDITIONAL_MODULE_FLAG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${OPENSSL_VERSION_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${OPENSSL_OPT_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${DYNAMIC_MODULE_FLAG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${BUILD_FLAG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${AUTH_JWT_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${F4F_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${HLS_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${SESSION_LOG_PREFIX}) ]] && \
[[ ! ("${argv[i]}" =~ ${HPACK_ENC_PREFIX}) ]] ; \
then
debug "Adding configuration flag: ${argv[i]}\n"
NUMBER_OF_CONFIGURATION_FLAGS=$((NUMBER_OF_CONFIGURATION_FLAGS+1))
CONFIGURATION_FLAGS="${CONFIGURATION_FLAGS} \\\\\n${argv[i]}"
fi
done
COMBINED_CONFIGURATION_FLAGS="${CONFIGURATION_FLAGS}\n\n${CC_OPTIONAL_FLAGS}"
debug "Successfully added nginx configuration flags"
}
add_nginx_and_release_versions()
{
echo -e "NGINX_VERSION=${NGINX_VERSION}" >> ${FILE_NAME}
RELEASE_VERSION=`cat /etc/*-release | grep -i "PRETTY_NAME\|Gaia" | cut -d"\"" -f2`
echo -e "RELEASE_VERSION=${RELEASE_VERSION}" >> ${FILE_NAME}
}
initializeEnviroment
echo -e "Check Point Nano Agent Nginx compatibility verifier version ${PACKAGE_VERSION}\n"
check_flags_options "$@"
_main