// newDialInfo returns mgo.DialInfo with the given address using the minimal
// possible setup.
func newDialInfo(privateAddr string, conf agent.Config) (*mgo.DialInfo, error) {
dialOpts := mongo.DialOpts{Direct: true}
ssi, ok := conf.StateServingInfo()
if !ok {
return nil, errors.Errorf("cannot get state serving info to dial")
}
info := mongo.Info{
Addrs: []string{net.JoinHostPort(privateAddr, strconv.Itoa(ssi.StatePort))},
CACert: conf.CACert(),
}
dialInfo, err := mongo.DialInfo(info, dialOpts)
if err != nil {
return nil, errors.Annotate(err, "cannot produce a dial info")
}
oldPassword := conf.OldPassword()
if oldPassword != "" {
dialInfo.Username = "******"
dialInfo.Password = conf.OldPassword()
} else {
dialInfo.Username, dialInfo.Password, err = tagUserCredentials(conf)
if err != nil {
return nil, errors.Trace(err)
}
}
return dialInfo, nil
}
// OpenAPIState opens the API using the given information. The agent's
// password is changed if the fallback password was used to connect to
// the API.
func OpenAPIState(agentConfig agent.Config, a Agent) (_ *api.State, _ *apiagent.Entity, outErr error) {
info := agentConfig.APIInfo()
st, usedOldPassword, err := openAPIStateUsingInfo(info, a, agentConfig.OldPassword())
if err != nil {
return nil, nil, err
}
defer func() {
if outErr != nil && st != nil {
st.Close()
}
}()
entity, err := st.Agent().Entity(a.Tag())
if err == nil && entity.Life() == params.Dead {
logger.Errorf("agent terminating - entity %q is dead", a.Tag())
return nil, nil, worker.ErrTerminateAgent
}
if params.IsCodeUnauthorized(err) {
logger.Errorf("agent terminating due to error returned during entity lookup: %v", err)
return nil, nil, worker.ErrTerminateAgent
}
if err != nil {
return nil, nil, err
}
if !usedOldPassword {
// Call set password with the current password. If we've recently
// become a state server, this will fix up our credentials in mongo.
if err := entity.SetPassword(info.Password); err != nil {
return nil, nil, errors.Annotate(err, "can't reset agent password")
}
} else {
// We succeeded in connecting with the fallback
// password, so we need to create a new password
// for the future.
newPassword, err := utils.RandomPassword()
if err != nil {
return nil, nil, err
}
err = setAgentPassword(newPassword, info.Password, a, entity)
if err != nil {
return nil, nil, err
}
// Reconnect to the API with the new password.
st.Close()
info.Password = newPassword
st, err = apiOpen(info, api.DialOpts{})
if err != nil {
return nil, nil, err
}
}
return st, entity, err
}
// newDialInfo returns mgo.DialInfo with the given address using the minimal
// possible setup.
func newDialInfo(privateAddr string, conf agent.Config) (*mgo.DialInfo, error) {
dialOpts := mongo.DialOpts{Direct: true}
ssi, ok := conf.StateServingInfo()
if !ok {
return nil, errors.Errorf("cannot get state serving info to dial")
}
info := mongo.Info{
Addrs: []string{fmt.Sprintf("%s:%d", privateAddr, ssi.StatePort)},
CACert: conf.CACert(),
}
dialInfo, err := mongo.DialInfo(info, dialOpts)
if err != nil {
return nil, errors.Annotate(err, "cannot produce a dial info")
}
dialInfo.Username = "******"
dialInfo.Password = conf.OldPassword()
return dialInfo, nil
}
// newDialInfo returns mgo.DialInfo with the given address using the minimal
// possible setup.
func newDialInfo(privateAddr string, conf agent.Config) (*mgo.DialInfo, error) {
dialOpts := mongo.DialOpts{Direct: true}
ssi, ok := conf.StateServingInfo()
if !ok {
return nil, errors.Errorf("cannot get state serving info to dial")
}
info := mongo.Info{
Addrs: []string{net.JoinHostPort(privateAddr, strconv.Itoa(ssi.StatePort))},
CACert: conf.CACert(),
}
dialInfo, err := mongo.DialInfo(info, dialOpts)
if err != nil {
return nil, errors.Annotate(err, "cannot produce a dial info")
}
oldPassword := conf.OldPassword()
if oldPassword != "" {
dialInfo.Username = "******"
dialInfo.Password = conf.OldPassword()
} else {
dialInfo.Username = conf.Tag().String()
// TODO(perrito) we might need an accessor for the actual state password
// just in case it ever changes from the same as api password.
apiInfo, ok := conf.APIInfo()
if ok {
dialInfo.Password = apiInfo.Password
logger.Infof("using API password to access state server.")
} else {
// There seems to be no way to reach this inconsistence other than making a
// backup on a machine where these fields are corrupted and even so I find
// no reasonable way to reach this state, yet since APIInfo has it as a
// possibility I prefer to handle it, we cannot recover from this since
// it would mean that the agent.conf is corrupted.
return nil, errors.New("cannot obtain password to access the state server")
}
}
return dialInfo, nil
}
// openAPIState opens the API using the given information, and
// returns the opened state and the api entity with
// the given tag. The given changeConfig function is
// called if the password changes to set the password.
func openAPIState(agentConfig agent.Config, a Agent) (_ *api.State, _ *apiagent.Entity, resultErr error) {
// We let the API dial fail immediately because the
// runner's loop outside the caller of openAPIState will
// keep on retrying. If we block for ages here,
// then the worker that's calling this cannot
// be interrupted.
info := agentConfig.APIInfo()
st, err := apiOpen(info, api.DialOpts{})
usedOldPassword := false
if params.IsCodeUnauthorized(err) {
// We've perhaps used the wrong password, so
// try again with the fallback password.
infoCopy := *info
info = &infoCopy
info.Password = agentConfig.OldPassword()
usedOldPassword = true
st, err = apiOpen(info, api.DialOpts{})
}
// The provisioner may take some time to record the agent's
// machine instance ID, so wait until it does so.
if params.IsCodeNotProvisioned(err) {
for a := checkProvisionedStrategy.Start(); a.Next(); {
st, err = apiOpen(info, api.DialOpts{})
if !params.IsCodeNotProvisioned(err) {
break
}
}
}
if err != nil {
if params.IsCodeNotProvisioned(err) {
return nil, nil, worker.ErrTerminateAgent
}
if params.IsCodeUnauthorized(err) {
return nil, nil, worker.ErrTerminateAgent
}
return nil, nil, err
}
defer func() {
if resultErr != nil && st != nil {
st.Close()
}
}()
entity, err := st.Agent().Entity(a.Tag())
if err == nil && entity.Life() == params.Dead {
return nil, nil, worker.ErrTerminateAgent
}
if err != nil {
if params.IsCodeUnauthorized(err) {
return nil, nil, worker.ErrTerminateAgent
}
return nil, nil, err
}
if usedOldPassword {
// We succeeded in connecting with the fallback
// password, so we need to create a new password
// for the future.
newPassword, err := utils.RandomPassword()
if err != nil {
return nil, nil, err
}
// Change the configuration *before* setting the entity
// password, so that we avoid the possibility that
// we might successfully change the entity's
// password but fail to write the configuration,
// thus locking us out completely.
if err := a.ChangeConfig(func(c agent.ConfigSetter) error {
c.SetPassword(newPassword)
c.SetOldPassword(info.Password)
return nil
}); err != nil {
return nil, nil, err
}
if err := entity.SetPassword(newPassword); err != nil {
return nil, nil, err
}
st.Close()
info.Password = newPassword
st, err = apiOpen(info, api.DialOpts{})
if err != nil {
return nil, nil, err
}
}
return st, entity, nil
}