#!@PYTHON@ # Copyright (C) 2011 Internet Systems Consortium. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SYSTEMS CONSORTIUM # DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL # INTERNET SYSTEMS CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING # FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. import sys; sys.path.append ('@@PYTHONPATH@@') import isc from isc.acl.dns import REQUEST_LOADER import bind10_config from isc.dns import * import isc.ddns.session from isc.ddns.zone_config import ZoneConfig from isc.ddns.logger import ClientFormatter, ZoneFormatter from isc.config.ccsession import * from isc.config.module_spec import ModuleSpecError from isc.cc import SessionError, SessionTimeout, ProtocolError import isc.util.process import isc.util.cio.socketsession from isc.notify.notify_out import ZONE_NEW_DATA_READY_CMD import isc.server_common.tsig_keyring from isc.server_common.dns_tcp import DNSTCPContext from isc.datasrc import DataSourceClient from isc.server_common.auth_command import auth_loadzone_command import select import time import errno from isc.log_messages.ddns_messages import * from optparse import OptionParser, OptionValueError import os import os.path import signal import socket isc.log.init("b10-ddns") logger = isc.log.Logger("ddns") TRACE_BASIC = logger.DBGLVL_TRACE_BASIC # Well known path settings. We need to define # SPECFILE_LOCATION: ddns configuration spec file # SOCKET_FILE: Unix domain socket file to communicate with b10-auth # AUTH_SPECFILE_LOCATION: b10-auth configuration spec file (tentatively # necessarily for sqlite3-only-and-older-datasrc-API stuff). This should be # gone once we migrate to the new API and start using generalized config. # # If B10_FROM_SOURCE is set in the environment, we use data files # from a directory relative to that, otherwise we use the ones # installed on the system if "B10_FROM_SOURCE" in os.environ: SPECFILE_PATH = os.environ["B10_FROM_SOURCE"] + "/src/bin/ddns" else: PREFIX = "@prefix@" DATAROOTDIR = "@datarootdir@" SPECFILE_PATH = "@datadir@/@PACKAGE@".replace("${datarootdir}", DATAROOTDIR) SPECFILE_PATH = SPECFILE_PATH.replace("${prefix}", PREFIX) if "B10_FROM_BUILD" in os.environ: if "B10_FROM_SOURCE_LOCALSTATEDIR" in os.environ: SOCKET_FILE_PATH = os.environ["B10_FROM_SOURCE_LOCALSTATEDIR"] else: SOCKET_FILE_PATH = os.environ["B10_FROM_BUILD"] else: SOCKET_FILE_PATH = bind10_config.DATA_PATH SPECFILE_LOCATION = SPECFILE_PATH + "/ddns.spec" SOCKET_FILE = SOCKET_FILE_PATH + '/ddns_socket' # Cooperating or dependency modules AUTH_MODULE_NAME = 'Auth' XFROUT_MODULE_NAME = 'Xfrout' ZONEMGR_MODULE_NAME = 'Zonemgr' isc.util.process.rename() class DDNSConfigError(Exception): '''An exception indicating an error in updating ddns configuration. This exception is raised when the ddns process encounters an error in handling configuration updates. Not all syntax error can be caught at the module-CC layer, so ddns needs to (explicitly or implicitly) validate the given configuration data itself. When it finds an error it raises this exception (either directly or by converting an exception from other modules) as a unified error in configuration. ''' pass class DDNSSessionError(Exception): '''An exception raised for some unexpected events during a ddns session. ''' pass class DDNSSession: '''Class to handle one DDNS update''' def __init__(self): '''Initialize a DDNS Session''' pass def clear_socket(): ''' Removes the socket file, if it exists. ''' if os.path.exists(SOCKET_FILE): os.remove(SOCKET_FILE) def get_datasrc_client(cc_session): '''Return data source client for update requests. This is supposed to have a very short lifetime and should soon be replaced with generic data source configuration framework. Based on that observation we simply hardcode everything except the SQLite3 database file, which will be retrieved from the auth server configuration (this behavior will also be deprecated). When something goes wrong with it this function still returns a dummy client so that the caller doesn't have to bother to handle the error (which would also have to be replaced anyway). The caller will subsequently call its find_zone method via an update session object, which will result in an exception, and then result in a SERVFAIL response. Once we are ready for introducing the general framework, the whole function will simply be removed. ''' HARDCODED_DATASRC_CLASS = RRClass.IN() file, is_default = cc_session.get_remote_config_value("Auth", "database_file") # See xfrout.py:get_db_file() for this trick: if is_default and "B10_FROM_BUILD" in os.environ: file = os.environ["B10_FROM_BUILD"] + "/bind10_zones.sqlite3" datasrc_config = '{ "database_file": "' + file + '"}' try: return (HARDCODED_DATASRC_CLASS, DataSourceClient('sqlite3', datasrc_config), file) except isc.datasrc.Error as ex: class DummyDataSourceClient: def __init__(self, ex): self.__ex = ex def find_zone(self, zone_name): raise isc.datasrc.Error(self.__ex) return (HARDCODED_DATASRC_CLASS, DummyDataSourceClient(ex), file) def add_pause(sec): '''Pause a specified period for inter module synchronization. This is a trivial wrraper of time.sleep, but defined as a separate function so tests can customize it. ''' time.sleep(sec) class DDNSServer: # The number of TCP clients that can be handled by the server at the same # time (this should be configurable parameter). TCP_CLIENTS = 10 def __init__(self, cc_session=None): ''' Initialize the DDNS Server. This sets up a ModuleCCSession for the BIND 10 system. Parameters: cc_session: If None (default), a new ModuleCCSession will be set up. If specified, the given session will be used. This is mainly used for testing. ''' if cc_session is not None: self._cc = cc_session else: self._cc = isc.config.ModuleCCSession(SPECFILE_LOCATION, self.config_handler, self.command_handler) # Initialize configuration with defaults. Right now 'zones' is the # only configuration, so we simply directly set it here. self._config_data = self._cc.get_full_config() self._zone_config = self.__update_zone_config( self._cc.get_default_value('zones')) self._cc.start() # Internal attributes derived from other modules. They will be # initialized via dd_remote_xxx below and will be kept updated # through their callbacks. They are defined as 'protected' so tests # can examine them; but they are essentially private to the class. # # Datasource client used for handling update requests: when set, # should a tuple of RRClass and DataSourceClient. Constructed and # maintained based on auth configuration. self._datasrc_info = None # A set of secondary zones, retrieved from zonemgr configuration. self._secondary_zones = None # Get necessary configurations from remote modules. for mod in [(AUTH_MODULE_NAME, self.__auth_config_handler), (ZONEMGR_MODULE_NAME, self.__zonemgr_config_handler)]: self.__add_remote_module(mod[0], mod[1]) # This should succeed as long as cfgmgr is up. isc.server_common.tsig_keyring.init_keyring(self._cc) self._shutdown = False # List of the session receivers where we get the requests self._socksession_receivers = {} clear_socket() self._listen_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) self._listen_socket.bind(SOCKET_FILE) self._listen_socket.listen(16) # Create reusable resources self.__request_msg = Message(Message.PARSE) self.__response_renderer = MessageRenderer() # The following attribute(s) are essentially private, but defined as # "protected" so that test code can customize/inspect them. # They should not be overridden/referenced for any other purposes. # # DDNS Protocol handling class. self._UpdateSessionClass = isc.ddns.session.UpdateSession # Outstanding TCP context: fileno=>(context_obj, dst) self._tcp_ctxs = {} class InternalError(Exception): '''Exception for internal errors in an update session. This exception is expected to be caught within the server class, only used for controling the code flow. ''' pass def config_handler(self, new_config): '''Update config data.''' try: if 'zones' in new_config: self._zone_config = \ self.__update_zone_config(new_config['zones']) return create_answer(0) except Exception as ex: # We catch any exception here. That includes any syntax error # against the configuration spec. The config interface is too # complicated and it's not clear how much validation is performed # there, so, while assuming it's unlikely to happen, we act # proactively. logger.error(DDNS_CONFIG_HANDLER_ERROR, ex) return create_answer(1, "Failed to handle new configuration: " + str(ex)) def __update_zone_config(self, new_zones_config): '''Handle zones configuration update.''' new_zones = {} for zone_config in new_zones_config: origin = Name(zone_config['origin']) rrclass = RRClass(zone_config['class']) update_acl = zone_config['update_acl'] new_zones[(origin, rrclass)] = REQUEST_LOADER.load(update_acl) return new_zones def command_handler(self, cmd, args): ''' Handle a CC session command, as sent from bindctl or other BIND 10 modules. ''' # TODO: Handle exceptions and turn them to an error response if cmd == "shutdown": logger.info(DDNS_RECEIVED_SHUTDOWN_COMMAND) self.trigger_shutdown() answer = create_answer(0) else: answer = create_answer(1, "Unknown command: " + str(cmd)) return answer def __add_remote_module(self, mod_name, callback): '''Register interest in other module's config with a callback.''' # Due to startup timing, add_remote_config can fail. We could make it # more sophisticated, but for now we simply retry a few times, each # separated by a short period (3 times and 1 sec, arbitrary chosen, # and hardcoded for now). In practice this should be more than # sufficient, but if it turns out to be a bigger problem we can # consider more elegant solutions. for n_try in range(0, 3): try: # by_name() version can fail with ModuleSpecError in getting # the module spec because cfgmgr returns a "successful" answer # with empty data if it cannot find the specified module. # This seems to be a deviant behavior (see Trac #2039), but # we need to deal with it. self._cc.add_remote_config_by_name(mod_name, callback) return except (ModuleSpecError, ModuleCCSessionError) as ex: logger.warn(DDNS_GET_REMOTE_CONFIG_FAIL, mod_name, n_try + 1, ex) last_ex = ex add_pause(1) raise last_ex def __auth_config_handler(self, new_config, module_config): logger.info(DDNS_RECEIVED_AUTH_UPDATE) # If we've got the config before and the new config doesn't update # the DB file, there's nothing we should do with it. # Note: there seems to be a bug either in bindctl or cfgmgr, and # new_config can contain 'database_file' even if it's not really # updated. We still perform the check so we can avoid redundant # resetting when the bug is fixed. The redundant reset itself is not # good, but such configuration update should not happen so often and # it should be acceptable in practice. if self._datasrc_info is not None and \ not 'database_file' in new_config: return rrclass, client, db_file = get_datasrc_client(self._cc) self._datasrc_info = (rrclass, client) logger.info(DDNS_AUTH_DBFILE_UPDATE, db_file) def __zonemgr_config_handler(self, new_config, module_config): logger.info(DDNS_RECEIVED_ZONEMGR_UPDATE) # If we've got the config before and the new config doesn't update # the secondary zone list, there's nothing we should do with it. # (Same note as that for auth's config applies) if self._secondary_zones is not None and \ not 'secondary_zones' in new_config: return # Get the latest secondary zones. Use get_remote_config_value() so # it can work for both the initial default case and updates. sec_zones, _ = self._cc.get_remote_config_value(ZONEMGR_MODULE_NAME, 'secondary_zones') new_secondary_zones = set() try: # Parse the new config and build a new list of secondary zones. # Unforutnately, in the current implementation, even an observer # module needs to perform full validation. This should be changed # so that only post-validation (done by the main module) config is # delevered to observer modules, but until it's supported we need # to protect ourselves. for zone_spec in sec_zones: zname = Name(zone_spec['name']) # class has the default value in case it's unspecified. # ideally this should be merged within the config module, but # the current implementation doesn't esnure that, so we need to # subsitute it ourselves. if 'class' in zone_spec: zclass = RRClass(zone_spec['class']) else: zclass = RRClass(module_config.get_default_value( 'secondary_zones/class')) new_secondary_zones.add((zname, zclass)) self._secondary_zones = new_secondary_zones logger.info(DDNS_SECONDARY_ZONES_UPDATE, len(self._secondary_zones)) except Exception as ex: logger.error(DDNS_SECONDARY_ZONES_UPDATE_FAIL, ex) def trigger_shutdown(self): '''Initiate a shutdown sequence. This method is expected to be called in various ways including in the middle of a signal handler, and is designed to be as simple as possible to minimize side effects. Actual shutdown will take place in a normal control flow. ''' logger.info(DDNS_SHUTDOWN) self._shutdown = True def shutdown_cleanup(self): ''' Perform any cleanup that is necessary when shutting down the server. Do NOT call this to initialize shutdown, use trigger_shutdown(). Currently, it only causes the ModuleCCSession to send a message that this module is stopping. ''' self._cc.send_stopping() def accept(self): """ Accept another connection and create the session receiver. """ try: (sock, remote_addr) = self._listen_socket.accept() fileno = sock.fileno() logger.debug(TRACE_BASIC, DDNS_NEW_CONN, fileno, remote_addr if remote_addr else '') receiver = isc.util.cio.socketsession.SocketSessionReceiver(sock) self._socksession_receivers[fileno] = (sock, receiver) except (socket.error, isc.util.cio.socketsession.SocketSessionError) \ as e: # These exceptions mean the connection didn't work, but we can # continue with the rest logger.error(DDNS_ACCEPT_FAILURE, e) def __check_request_tsig(self, msg, req_data): '''TSIG checker for update requests. This is a helper method for handle_request() below. It examines the given update request message to see if it contains a TSIG RR, and verifies the signature if it does. It returs the TSIG context used for the verification, or None if the request doesn't contain a TSIG. If the verification fails it simply raises an exception as handle_request() assumes it should succeed. ''' tsig_record = msg.get_tsig_record() if tsig_record is None: return None tsig_ctx = TSIGContext(tsig_record.get_name(), tsig_record.get_rdata().get_algorithm(), isc.server_common.tsig_keyring.get_keyring()) tsig_error = tsig_ctx.verify(tsig_record, req_data) if tsig_error != TSIGError.NOERROR: raise self.InternalError("Failed to verify request's TSIG: " + str(tsig_error)) return tsig_ctx def handle_request(self, req_session): """ This is the place where the actual DDNS processing is done. Other methods are either subroutines of this method or methods doing the uninteresting "accounting" stuff, like accepting socket, initialization, etc. It is called with the request being session as received from SocketSessionReceiver, i.e. tuple (socket, local_address, remote_address, data). In general, this method doesn't propagate exceptions outside the method. Most of protocol or system errors will result in an error response to the update client or dropping the update request. The update session class should also ensure this. Critical exceptions such as memory allocation failure will be propagated, however, and will subsequently terminate the server process. Return: True if a response to the request is successfully sent; False otherwise. The return value wouldn't be useful for the server itself; it's provided mainly for testing purposes. """ # give tuple elements intuitive names (sock, local_addr, remote_addr, req_data) = req_session # The session sender (b10-auth) should have made sure that this is # a validly formed DNS message of OPCODE being UPDATE, and if it's # TSIG signed, its key is known to the system and the signature is # valid. Messages that don't meet these should have been resopnded # or dropped by the sender, so if such error is detected we treat it # as an internal error and don't bother to respond. try: self.__request_msg.clear(Message.PARSE) # specify PRESERVE_ORDER as we need to handle each RR separately. self.__request_msg.from_wire(req_data, Message.PRESERVE_ORDER) if self.__request_msg.get_opcode() != Opcode.UPDATE(): raise self.InternalError('Update request has unexpected ' 'opcode: ' + str(self.__request_msg.get_opcode())) tsig_ctx = self.__check_request_tsig(self.__request_msg, req_data) except Exception as ex: logger.error(DDNS_REQUEST_PARSE_FAIL, ex) return False # Let an update session object handle the request. Note: things around # ZoneConfig will soon be substantially revised. For now we don't # bother to generalize it. zone_cfg = ZoneConfig(self._secondary_zones, self._datasrc_info[0], self._datasrc_info[1], self._zone_config) update_session = self._UpdateSessionClass(self.__request_msg, remote_addr, zone_cfg) result, zname, zclass = update_session.handle() # If the request should be dropped, we're done; otherwise, send the # response generated by the session object. if result == isc.ddns.session.UPDATE_DROP: return False msg = update_session.get_message() self.__response_renderer.clear() if tsig_ctx is not None: msg.to_wire(self.__response_renderer, tsig_ctx) else: msg.to_wire(self.__response_renderer) ret = self.__send_response(sock, self.__response_renderer.get_data(), remote_addr) if result == isc.ddns.session.UPDATE_SUCCESS: self.__notify_auth(zname, zclass) self.__notify_xfrout(zname, zclass) return ret def __send_response(self, sock, data, dest): '''Send DDNS response to the client. Right now, this is a straightforward subroutine of handle_request(), but is intended to be extended evetually so that it can handle more comlicated operations for TCP (which requires asynchronous write). Further, when we support multiple requests over a single TCP connection, this method may even be shared by multiple methods. Parameters: sock: (python socket) the socket to which the response should be sent. data: (binary) the response data dest: (python socket address) the destion address to which the response should be sent. Return: True if the send operation succeds; otherwise False. ''' try: if sock.proto == socket.IPPROTO_UDP: sock.sendto(data, dest) else: tcp_ctx = DNSTCPContext(sock) send_result = tcp_ctx.send(data) if send_result == DNSTCPContext.SENDING: self._tcp_ctxs[sock.fileno()] = (tcp_ctx, dest) elif send_result == DNSTCPContext.CLOSED: raise socket.error("socket error in TCP send") else: tcp_ctx.close() except socket.error as ex: logger.warn(DDNS_RESPONSE_SOCKET_ERROR, ClientFormatter(dest), ex) return False return True def __notify_auth(self, zname, zclass): '''Notify auth of the update, if necessary.''' msg = auth_loadzone_command(self._cc, zname, zclass) if msg is not None: self.__notify_update(AUTH_MODULE_NAME, msg, zname, zclass) def __notify_xfrout(self, zname, zclass): '''Notify xfrout of the update.''' param = {'zone_name': zname.to_text(), 'zone_class': zclass.to_text()} msg = create_command(ZONE_NEW_DATA_READY_CMD, param) self.__notify_update(XFROUT_MODULE_NAME, msg, zname, zclass) def __notify_update(self, modname, msg, zname, zclass): '''Notify other module of the update. Note that we use blocking communication here. While the internal communication bus is generally expected to be pretty responsive and error free, notable delay can still occur, and in worse cases timeouts or connection reset can happen. In these cases, even if the trouble is temporary, the update service will be suspended for a while. For a longer term we'll need to switch to asynchronous communication, but for now we rely on the blocking operation. Note also that we directly refer to the "protected" member of ccsession (_cc._session) rather than creating a separate channel. It's probably not the best practice, but hopefully we can introduce a cleaner way when we support asynchronous communication. At the moment we prefer the brevity with the use of internal channel of the cc session. ''' try: seq = self._cc._session.group_sendmsg(msg, modname) answer, _ = self._cc._session.group_recvmsg(False, seq) rcode, error_msg = parse_answer(answer) except (SessionTimeout, SessionError, ProtocolError) as ex: rcode = 1 error_msg = str(ex) if rcode == 0: logger.debug(TRACE_BASIC, DDNS_UPDATE_NOTIFY, modname, ZoneFormatter(zname, zclass)) else: logger.error(DDNS_UPDATE_NOTIFY_FAIL, modname, ZoneFormatter(zname, zclass), error_msg) def handle_session(self, fileno): """Handle incoming session on the socket with given fileno. Return True if a response (whether positive or negative) has been sent; otherwise False. The return value isn't expected to be used for other purposes than testing. """ logger.debug(TRACE_BASIC, DDNS_SESSION, fileno) (session_socket, receiver) = self._socksession_receivers[fileno] try: req_session = receiver.pop() (sock, remote_addr) = (req_session[0], req_session[2]) # If this is a TCP client, check the quota, and immediately reject # it if we cannot accept more. if sock.proto == socket.IPPROTO_TCP and \ len(self._tcp_ctxs) >= self.TCP_CLIENTS: logger.warn(DDNS_REQUEST_TCP_QUOTA, ClientFormatter(remote_addr), len(self._tcp_ctxs)) sock.close() return False return self.handle_request(req_session) except isc.util.cio.socketsession.SocketSessionError as se: # No matter why this failed, the connection is in unknown, possibly # broken state. So, we close the socket and remove the receiver. del self._socksession_receivers[fileno] session_socket.close() logger.warn(DDNS_DROP_CONN, fileno, se) return False def run(self): ''' Get and process all commands sent from cfgmgr or other modules. This loops waiting for events until self.shutdown() has been called. ''' logger.info(DDNS_RUNNING) cc_fileno = self._cc.get_socket().fileno() listen_fileno = self._listen_socket.fileno() while not self._shutdown: # In this event loop, we propagate most of exceptions, which will # subsequently kill the process. We expect the handling functions # to catch their own exceptions which they can recover from # (malformed packets, lost connections, etc). The rationale behind # this is they know best which exceptions are recoverable there # and an exception may be recoverable somewhere, but not elsewhere. try: (reads, writes, exceptions) = \ select.select([cc_fileno, listen_fileno] + list(self._socksession_receivers.keys()), list(self._tcp_ctxs.keys()), []) except select.error as se: # In case it is just interrupted, we continue like nothing # happened if se.args[0] == errno.EINTR: (reads, writes, exceptions) = ([], [], []) else: raise for fileno in reads: if fileno == cc_fileno: self._cc.check_command(True) elif fileno == listen_fileno: self.accept() else: self.handle_session(fileno) for fileno in writes: ctx = self._tcp_ctxs[fileno] result = ctx[0].send_ready() if result != DNSTCPContext.SENDING: if result == DNSTCPContext.CLOSED: logger.warn(DDNS_RESPONSE_TCP_SOCKET_ERROR, ClientFormatter(ctx[1])) ctx[0].close() del self._tcp_ctxs[fileno] self.shutdown_cleanup() logger.info(DDNS_STOPPED) def create_signal_handler(ddns_server): ''' This creates a signal_handler for use in set_signal_handler, which shuts down the given DDNSServer (or any object that has a shutdown() method) ''' def signal_handler(signal, frame): ''' Handler for process signals. Since only signals to shut down are sent here, the actual signal is not checked and the server is simply shut down. ''' ddns_server.trigger_shutdown() return signal_handler def set_signal_handler(signal_handler): ''' Sets the signal handler(s). ''' signal.signal(signal.SIGTERM, signal_handler) signal.signal(signal.SIGINT, signal_handler) def set_cmd_options(parser): ''' Helper function to set command-line options ''' parser.add_option("-v", "--verbose", dest="verbose", action="store_true", help="display more about what is going on") def main(ddns_server=None): ''' The main function. Parameters: ddns_server: If None (default), a DDNSServer object is initialized. If specified, the given DDNSServer will be used. This is mainly used for testing. cc_session: If None (default), a new ModuleCCSession will be set up. If specified, the given session will be used. This is mainly used for testing. ''' try: parser = OptionParser() set_cmd_options(parser) (options, args) = parser.parse_args() if options.verbose: print("[b10-ddns] Warning: -v verbose option is ignored at this point.") if ddns_server is None: ddns_server = DDNSServer() set_signal_handler(create_signal_handler(ddns_server)) ddns_server.run() except KeyboardInterrupt: logger.info(DDNS_STOPPED_BY_KEYBOARD) except SessionError as e: logger.error(DDNS_CC_SESSION_ERROR, str(e)) except (ModuleSpecError, ModuleCCSessionError) as e: logger.error(DDNS_MODULECC_SESSION_ERROR, str(e)) except DDNSConfigError as e: logger.error(DDNS_CONFIG_ERROR, str(e)) except SessionTimeout as e: logger.error(DDNS_CC_SESSION_TIMEOUT_ERROR) except Exception as e: logger.error(DDNS_UNCAUGHT_EXCEPTION, type(e).__name__, str(e)) clear_socket() if '__main__' == __name__: main()