manage_profile.in 42.3 KB
Newer Older
1 2
#!/usr/bin/perl -w
#
3
# Copyright (c) 2000-2019 University of Utah and the Flux Group.
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#
use English;
use strict;
use Getopt::Std;
use XML::Simple;
28
use File::Temp qw(tempfile :mktemp :POSIX);
29 30
use Data::Dumper;
use CGI;
31 32
use POSIX ":sys_wait_h";
use POSIX qw(setsid);
33
use Carp qw(cluck);
34 35 36 37 38 39

#
# Back-end script to manage APT profiles.
#
sub usage()
{
40
    print("Usage: manage_profile create [-s uuid | -c uuid] <xmlfile>\n");
41
    print("Usage: manage_profile update <profile> <xmlfile>\n");
42
    print("Usage: manage_profile updatefromrepo <profile>\n");
43
    print("Usage: manage_profile publish <profile>\n");
44 45 46
    print("Usage: manage_profile delete -a <profile>\n");
    print("Usage: manage_profile undelete pid,name:version\n");
    print("Usage: manage_profile listimages <profile>\n");
47 48
    exit(-1);
}
49
my $optlist     = "dvt:m";
50
my $debug       = 0;
51
my $verbose     = 0;
52 53
my $webtask;
my $webtask_id;
54 55 56 57 58 59 60
# VerifyXML sets these, need to declare early. Need to clean this up.
my %new_args    = ();
my %update_args = ();
my %modifiers   = ();
my $rspec;
my $script;
my $project;
61 62
# Temporary testing.
my $usenewgenilib = 0;
63 64 65 66

#
# Configure variables
#
67 68
my $TB		    = "@prefix@";
my $TBOPS           = "@TBOPSEMAIL@";
69
my $TBLOGS	    = "@TBLOGSEMAIL@";
70
my $MANAGEINSTANCE  = "$TB/bin/manage_instance";
71
my $MANAGEGITREPO   = "$TB/bin/manage_gitrepo";
72
my $MANAGEIMAGES    = "$TB/bin/manage_images";
73
my $RUNGENILIB      = "$TB/bin/rungenilib";
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92

#
# Untaint the path
#
$ENV{'PATH'} = "$TB/bin:$TB/sbin:/bin:/usr/bin:/usr/bin:/usr/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

#
# Turn off line buffering on output
#
$| = 1;

#
# Load the Testbed support stuff.
#
use lib "@prefix@/lib";
use EmulabConstants;
use emdb;
use emutil;
93
use libEmulab;
94
use libtestbed;
95 96
use User;
use Project;
97
use Group;
98
use APT_Profile;
99
use APT_Instance;
100
use APT_Aggregate;
101 102
use GeniXML;
use GeniHRN;
103
use WebTask;
104
use EmulabFeatures;
105 106 107

# Protos
sub fatal($);
108 109 110 111
sub UserError($);
sub CreateProfile();
sub ModifyProfile();
sub UpdateProfileFromRepo();
112 113 114
sub DeleteProfile();
sub UnDeleteProfile($);
sub CanDelete($$);
115
sub PublishProfile($);
116 117
sub InsertImageRecords($);
sub ListImages();
Leigh B Stoller's avatar
Leigh B Stoller committed
118
sub GetScriptParameters($$);
119 120
sub VerifyXML($$);
sub ModifyProfileInternal($$$);
121
sub UseNewGenilib($);
122
		      
123 124 125 126 127 128 129 130 131
# The web interface (and in the future the xmlrpc interface) sets this.
my $this_user = User->ImpliedUser();
if (! defined($this_user)) {
    $this_user = User->ThisUser();
    if (!defined($this_user)) {
	fatal("You ($UID) do not exist!");
    }
}

132 133 134 135 136 137 138 139 140 141 142
#
# Parse command arguments. Once we return from getopts, all that should be
# left are the required arguments.
#
my %options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
if (defined($options{"d"})) {
    $debug = 1;
}
143 144
if (defined($options{"v"})) {
    $verbose = 1;
145
}
146 147
if (defined($options{"t"})) {
    $webtask_id = $options{"t"};
148 149 150 151 152 153 154 155
    #
    # Grab the webtask object.
    #
    $webtask = WebTask->Lookup($webtask_id);
    if (!defined($webtask)) {
	fatal("Could not lookup/create webtask for profile");
    }
    $webtask->AutoStore(1);
156
}
157 158 159
usage()
    if (!@ARGV);
my $action = shift(@ARGV);
160 161 162 163 164 165 166

#
# These are the fields that we allow to come in from the XMLfile.
#
my $SLOT_OPTIONAL	= 0x1;	# The field is not required.
my $SLOT_REQUIRED	= 0x2;  # The field is required and must be non-null.
my $SLOT_ADMINONLY	= 0x4;  # Only admins can set this field.
167
my $SLOT_UPDATE 	= 0x8;  # Allowed to update.
168
my $SLOT_MODIFIER 	= 0x10; # Allowed to update.
169 170 171 172 173 174 175 176 177
#
# XXX We should encode all of this in the DB so that we can generate the
# forms on the fly, as well as this checking code.
#
my %xmlfields =
    # XML Field Name        DB slot name         Flags             Default
    ("profile_name"	   => ["name",		$SLOT_REQUIRED],
     "profile_pid"	   => ["pid",		$SLOT_REQUIRED],
     "profile_creator"	   => ["creator",	$SLOT_OPTIONAL],
178
     "profile_listed"      => ["listed",	$SLOT_OPTIONAL|$SLOT_UPDATE],
179
     "profile_public"      => ["public",	$SLOT_OPTIONAL|$SLOT_UPDATE],
Leigh B Stoller's avatar
Leigh B Stoller committed
180
     "profile_shared"      => ["shared",	$SLOT_OPTIONAL|$SLOT_UPDATE],
181
     "profile_project_write"=>["project_write", $SLOT_OPTIONAL|$SLOT_UPDATE],
182 183
     "profile_topdog"      => ["topdog",	$SLOT_OPTIONAL|
			                          $SLOT_UPDATE|$SLOT_ADMINONLY],
184 185
     "profile_disabled"    => ["disabled",	$SLOT_OPTIONAL|
			                          $SLOT_UPDATE|$SLOT_ADMINONLY],
186 187
     "profile_disable_all" => ["disable_all",	$SLOT_OPTIONAL|$SLOT_MODIFIER,
			                          $SLOT_UPDATE|$SLOT_ADMINONLY],
188 189 190 191
     "profile_nodelete"    => ["nodelete",	$SLOT_OPTIONAL|
			                          $SLOT_UPDATE|$SLOT_ADMINONLY],
     "profile_nodelete_all"=> ["nodelete_all",	$SLOT_OPTIONAL|$SLOT_MODIFIER,
			                          $SLOT_UPDATE|$SLOT_ADMINONLY],
192
     "rspec"		   => ["rspec",		$SLOT_OPTIONAL|$SLOT_UPDATE],
193
     "script"		   => ["script",	$SLOT_OPTIONAL|$SLOT_UPDATE],
194
     "repourl"		   => ["repourl",	$SLOT_OPTIONAL],
Leigh B Stoller's avatar
Leigh B Stoller committed
195
     "portal_converted"	   => ["portal_converted", $SLOT_OPTIONAL|$SLOT_UPDATE],
196 197
);

198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220
if ($action eq "update") {
    exit(ModifyProfile());
}
elsif ($action eq "updatefromrepo") {
    exit(UpdateProfileFromRepo());
}
elsif ($action eq "delete") {
    exit(DeleteProfile());
}
elsif ($action eq "undelete") {
    exit(UnDeleteProfile(shift(@ARGV)));
}
elsif ($action eq "publish") {
    exit(PublishProfile(shift(@ARGV)));
}
elsif ($action eq "insertimages") {
    exit(InsertImageRecords(shift(@ARGV)));
}
elsif ($action eq "listimages") {
    exit(ListImages());
}
elsif ($action eq "create") {
    exit(CreateProfile());
221
}
222 223 224
else {
    usage();
}
225 226

#
227
# Create/Update a profile. 
228
#
229 230
sub CreateProfile()
{
231
    my $optlist    = "s:c:Un:e";
232 233
    my $snap       = 0;
    my $copy       = 0;
234
    my $prepare    = 0;
235
    my $wholedisk  = 0;
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251
    my $copyuuid;
    my $fromrepo   = 0;
    my $instance;
    my $aggregate;
    my $parent_profile;
    my $node_id;
    my $usererror;
    my %errors = ();
    
    my %options = ();
    if (! getopts($optlist, \%options)) {
	usage();
    }
    if (defined($options{"s"})) {
	$snap = 1;
	$copyuuid = $options{"s"};
252 253 254
	if (defined($options{"U"})) {
	    $prepare = 1;
	}
255 256 257
	if (defined($options{"e"})) {
	    $wholedisk = 1;
	}
258 259 260
	if (defined($options{"n"})) {
	    $node_id = $options{"n"};
	}
261 262 263 264 265 266 267 268 269 270
    }
    if (defined($options{"c"})) {
	$copy = 1;
	$copyuuid = $options{"c"};
    }
    usage()
	if (@ARGV != 1);
    my $xmlfile = shift(@ARGV);
    # This will exit if there are any errors.
    VerifyXML($xmlfile, 0);
271

272 273 274 275 276 277 278 279 280 281 282
    #
    # We need to make sure the project exists and is a valid project for
    # the creator (current user). 
    #
    $project = Project->Lookup($new_args{"pid"});
    if (!defined($project)) {
	UserError({"profile_pid" => "No such project exists"})
    }
    elsif (!$project->AccessCheck($this_user, TB_PROJECT_MAKEIMAGEID())) {
	UserError({"profile_pid" => "Not enough permission in this project"});
    }
283 284
    $usenewgenilib = UseNewGenilib($project);
    
285 286 287 288 289 290
    # Check datasets.
    if (defined($rspec)) {
	my $errmsg = "Bad dataset";
	if (APT_Profile::CheckDatasets($rspec, \$errmsg)) {
	    UserError($errmsg);
	}
291 292
    }

293 294 295 296 297 298 299
    #
    # Need to do initial clone. 
    #
    if (exists($new_args{'repourl'})) {
	my $repourl  = $new_args{'repourl'};
	my $reponame = NewUUID();
	my $repohash;
300

301 302 303 304 305 306
	my $output =
	    emutil::ExecQuiet("$MANAGEGITREPO clone -n $reponame '$repourl'");
	if ($?) {
	    UserError($output);
	}
	$new_args{'reponame'} = $reponame;
307

308 309 310 311 312 313
	#
	# Get the commit hash for the HEAD commit.
	#
	$output = emutil::ExecQuiet("$MANAGEGITREPO hash -n $reponame");
	if ($?) {
	    UserError($output);	
314
	}
315 316 317 318 319 320 321 322 323 324 325 326 327
	$repohash = $output;
	chomp($repohash);
	$new_args{'repohash'} = $repohash;
	$fromrepo = 1;

	#
	# And an access key for the push webhook.
	#
	my $repokey = TBGenSecretKey();
	if (!defined($repokey)) {
	    fatal("Could not generate a repo access key");
	}
	$new_args{'repokey'} = $repokey;
328
    }
329
    # Script parameters
Leigh B Stoller's avatar
Leigh B Stoller committed
330 331 332 333 334 335 336 337 338
    if (defined($script) && $script ne "" && $script =~ /^import/m) {
	my $paramdefs;
	my $retval = GetScriptParameters($script, \$paramdefs);
	if ($retval) {
	    if ($retval < 0) {
		fatal("Could not get paramdefs: $paramdefs!");
	    }
	    UserError($paramdefs);
	}
339 340
	$new_args{"paramdefs"} =
	    $paramdefs if (defined($paramdefs) && $paramdefs ne "");
341 342 343
    }
    #
    # Are we going to snapshot a node in an experiment? If so we
344
    # sanity check to make sure that node is in the experiment.
345 346 347 348 349 350 351 352
    #
    if ($snap) {
	$instance = APT_Instance->Lookup($copyuuid);
	if (!defined($instance)) {
	    fatal("Could not look up instance $copyuuid");
	}
	if ($instance->status() ne "ready") {
	    UserError("Instance must be in the ready state for cloning");
353
	}
354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375
	foreach my $agg ($instance->AggregateList()) {
	    my $manifest = GeniXML::Parse($agg->manifest());
	    if (! defined($manifest)) {
		fatal("Could not parse manifest");
	    }
	    foreach my $ref (GeniXML::FindNodes("n:node",
						$manifest)->get_nodelist()) {
		my $client_id   = GeniXML::GetVirtualId($ref);
		my $manager_urn = GetManagerId($ref);
		my $urn         = GeniXML::GetSliverId($ref);

		# No sliver urn or a different aggregate.
		next
		    if (! (defined($urn) &&
			   defined($manager_urn) &&
			   $manager_urn eq $agg->aggregate_urn()));

		if ($node_id eq $client_id) {
		    $aggregate = $agg;
		    last;
		}
	    }
376
	}
377 378
	if (!defined($aggregate)) {
	    UserError("$node_id is not in any of the manifests!");
379 380
	}
	$parent_profile = $instance->Profile();
381
    }
382 383 384 385 386
    elsif ($copy) {
	$parent_profile = APT_Profile->Lookup($copyuuid);
	if (!defined($parent_profile)) {
	    fatal("Could not look up copy profile $copyuuid");
	}
387
    }
388 389 390
    if (defined(APT_Profile->Lookup($new_args{"pid"}, $new_args{"name"}))) {
	$errors{"profile_name"} = "Already in use";
	UserError(\%errors);
391
    }
392 393 394 395 396 397 398 399
    my $profile = APT_Profile->Create($parent_profile, $project,
				      $this_user, \%new_args, \$usererror);
    if (!defined($profile)) {
	if (defined($usererror)) {
	    $errors{"profile_name"} = $usererror;
	    UserError(\%errors);
	}
	fatal("Could not create new profile");
400
    }
401 402 403 404 405 406 407 408 409 410 411 412
    # This is deprecated.
    $profile->Publish();
    
    #
    # Now do the snapshot operation.
    #
    if (defined($instance)) {
	my $apt_uuid   = $instance->uuid();
	my $imagename  = $profile->name();
	my $new_uuid   = $profile->uuid();
	# We want to use the webtask associated with the new profile.
	my $pwebtask   = $profile->webtask();
413
	my $ptask_id   = $pwebtask->task_id();
414 415
	# But the image details are stored in the instance webtask.
	my $iwebtask   = $instance->webtask();
416 417
	my $prepopt    = $prepare ? "-U " : "";
	$prepopt      .= $wholedisk ? "-e " : "";
418 419 420 421 422
    
	if ($profile->Lock()) {
	    $profile->Delete(1);
	    fatal("Could not lock new profile");
	}
423 424
	my $command = "$MANAGEINSTANCE -t $ptask_id snapshot " . 
	    "$apt_uuid -c $new_uuid -n $node_id -i $imagename $prepopt";
425

426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460
	if ($verbose) {
	    print "$command\n";
	}
    
	#
	# This returns pretty fast, and then the imaging takes place in
	# the background at the aggregate. The script keeps a process
	# running in the background waiting for the sliver to unlock and
	# the sliverstatus to indicate the node is running again.
	#
	my $output = emutil::ExecQuiet($command);
	if ($?) {
	    my $stat = $? >> 8;
	    
	    $profile->Delete(1);
	    print STDERR $output . "\n";
	    if ($stat < 0) {
		fatal("Failed to create disk image!");
	    }
	    UserError($output);
	}
	print $output;
	#
	# The script helpfully put the new image urn in the webtask.
	#
	$pwebtask->AutoStore(1);
	$pwebtask->Refresh();
	$iwebtask->Refresh();
	my $newimage;

	if (GetSiteVar("protogeni/use_imagetracker") &&	
	    EmulabFeatures->FeatureEnabled("APT_UseImageTracker",
					   $this_user, $project)) {
	    $newimage = $iwebtask->image_urn();
	}
461 462 463
	elsif ($aggregate->OnLocalCluster()) {
	    $newimage = $iwebtask->image_urn();
	}
464 465 466 467 468 469 470
	else {
	    $newimage = $iwebtask->image_url();
	}
	if (!defined($newimage)) {
	    $profile->Delete(1);
	    fatal("Did not get an image for $node_id");
	}
Leigh B Stoller's avatar
Leigh B Stoller committed
471 472 473 474
	#
	# We cannot change a geni-lib script profile, so no need to do this.
	# But we can change a portal converted profile (or rspec).
	#
475 476
	if (defined($profile->rspec()) &&
	    (!defined($profile->script()) || $profile->portal_converted())) {
Leigh B Stoller's avatar
Leigh B Stoller committed
477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497
	    #
	    # See if anything is actually going to change, since the cluster
	    # might not be doing image versioning.
	    #
	    my $changed = $profile->UpdateDiskImage($node_id, $newimage, 0, 1);
	    if ($changed > 0) {
		if ($profile->UpdateDiskImage($node_id, $newimage, 0, 0)) {
		    $profile->Delete(1);
		    fatal("Could not update image in rspec ".
			  "for $node_id; $newimage;");
		}
		#
		# For a portal converted profile, we need to regen the script.
		#
		if ($profile->portal_converted()) {
		    if ($profile->Convert2Genilib() != 0) {
			$profile->Delete(1);
			fatal("Could not convert rspec to geni-lib");
		    }
		}
	    }
498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563
	}
	# Tell web interface cloning has started.
	$pwebtask->cloning(1);
	# And what is being cloned.
	$pwebtask->cloning_instance($instance->uuid());
	$pwebtask->image_name($iwebtask->image_name());
    
	#
	# Exit and leave child to poll.
	#
	if (! $debug) {
	    my $child = fork();
	    if ($child) {
		exit(0);
	    }
	    # Close our descriptors so web server thinks we are disconnected.
	    if ($webtask_id) {
		for (my $i = 0; $i < 1024; $i++) {
		    POSIX::close($i);
		}
	    }
	    # Let parent exit;
	    sleep(2);
	    POSIX::setsid();
	}
	#
	# We are waiting for the backend process to exit. The web interface is
	# reading the webtask structure, but if it fails we want to know that
	# so we can delete the profile. 
	#
	while (1) {
	    sleep(10);
	
	    $pwebtask->Refresh();
	    last
		if (defined($pwebtask->exited()));

	    #
	    # See if the process is still running. If not then it died badly.
	    # Mark the webtask as exited.
	    #
	    my $pid = $pwebtask->process_id();
	    if (! kill(0, $pid)) {
		# Check again in case it just exited.
		$pwebtask->Refresh();
		if (! defined($pwebtask->exited())) {
		    $pwebtask->Exited(-1);
		}
		last;
	    }
	}
	# When the profile is deleted, the web task will be deleted. The
	# web interface will see that of course and return an error to the
	# client JS code. 
	if ($pwebtask->exitcode()) {
	    $profile->Delete(1);
	    exit(1);
	}
	$profile->Refresh();
	$profile->InsertImageRecords();
    
	# Tell web interface cloning has finished. But leave cloning_instance
	# set since otherwise the web interface will no longer be able to
	# figure out what to tell the user.
	$pwebtask->cloning(0);
	$profile->Unlock();
564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588

	#
	# Send email to user when this is a new profile with no rspec, to let
	# them know they can now fill in a topology.
	#
	# URL to profile page.
	# URN of new image. 
	#
	my $profile_name = $profile->name();
	my $profile_pid  = $profile->pid();
	my $creator = User->Lookup($profile->creator_idx());
	my $url = $project->Brand()->wwwBase() .
	    "/manage_profile.php?action=edit&uuid=$new_uuid";
	my $message =
	    "Your disk image for profile '$profile_name' is now ready for use.\n".
	    "The URN for your new disk image is:\n\n".
	    "\t" . $newimage . "\n\n".
	    "The URL for your profile is:\n\n".
	    "\t" . $url . "\n\n".
	    "Click on the link above to edit your new profile.\n";
	
	$project->SendEmail($creator->email(),
			    "Disk image for profile '$profile_name' is ready",
			    $message,
			    $project->Brand()->OpsEmailAddress());
589
    }
590 591 592 593 594 595
    else {
	$profile->InsertImageRecords();
    }
    my $portalLogs =
	($project->isAPT() ? "aptnet-logs\@flux.utah.edu" :
	 $project->isCloud() ? "cloudlab-logs\@flux.utah.edu" : 
596 597 598
	 $project->isPNet() ? "phantomnet-logs\@flux.utah.edu" :
	 $project->isPowder() ? "powder-logs\@flux.utah.edu" :
	 $TBLOGS);
599 600 601 602 603 604 605 606 607 608

    $project->SendEmail($portalLogs, "New Profile Created",
			"Name:     ". $profile->versname() . "\n".
			"User:     ". $profile->creator() . "\n".
			"Project:  ". $profile->pid() .
			" (" . $project->Brand()->brand() . ")\n".
			"UUID:     ". $profile->uuid() . "\n".
			"URL:      ". $profile->AdminURL() . "\n");

    return 0;
609 610 611
}

#
612
# Modify a profile.
613
#
614 615 616 617 618 619
sub ModifyProfile()
{
    my $errmsg;
    
    usage()
	if (@ARGV != 2);
620

621 622 623
    my ($uuid, $xmlfile) = @ARGV;
    
    my $profile = APT_Profile->Lookup($uuid);
624 625 626
    if (!defined($profile)) {
	fatal("Could not lookup profile for update $uuid");
    }
627 628 629 630
    my $creator = User->Lookup($profile->creator_idx());
    if (!defined($creator)) {
	fatal("Could not lookup creator for $profile");
    }
631
    
632 633
    # This will exit if there are any errors.
    VerifyXML($xmlfile, 1);
634 635

    #
636 637
    # We need to make sure the project exists and is a valid project for
    # the creator (current user). 
638
    #
639 640 641
    $project = Project->Lookup($profile->pid_idx());
    if (!defined($project)) {
	UserError({"profile_pid" => "No such project exists"});
642
    }
643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664
    #
    # Project leader can always update profiles in the project. Other
    # members can update the profile when the project_write bit has been
    # set.
    #
    if (! ($this_user->IsAdmin() ||
	   $this_user->SameUser($creator) ||
	   $project->IsLeader($this_user) ||
	   $profile->project_write())) {
	UserError({"profile_pid" =>
		       "Not enough permission to modify profile"});
    }
    #
    # Slightly different test when changing the project_write bit.
    #
    if (exists($update_args{"project_write"}) &&
	$update_args{"project_write"} != $profile->project_write() &&
	!($this_user->IsAdmin() ||
	  $this_user->SameUser($creator) ||
	  $project->IsLeader($this_user))) {
	UserError({"profile_pid" =>
		       "Not enough permission change project write flag"});
665
    }
666 667
    if ($profile->Lock()) {
	UserError("Profile is busy, cannot lock it.");
668
    }
669 670 671 672 673 674 675 676 677 678 679
    my $retval = ModifyProfileInternal($profile, $project, \$errmsg);
    $profile->Unlock();
    if ($retval) {
	if ($retval < 0) {
	    fatal($errmsg);
	}
	else {
	    UserError($errmsg);
	}
    }
    return 0;
680 681
}

682 683 684 685 686
sub ModifyProfileInternal($$$)
{
    my ($profile, $project, $pmsg)  = @_;
    my %errors     = ();
    my $fromrepo   = 0;
687
    $usenewgenilib = UseNewGenilib($project);
688 689 690 691 692 693 694 695 696

    # Check datasets.
    if (defined($rspec)) {
	my $errmsg = "Bad dataset";
	if (APT_Profile::CheckDatasets($rspec, \$errmsg)) {
	    $$pmsg = $errmsg;
	    # User Error
	    return 1;
	}
697
    }
698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717

    if ($profile->IsRepoBased()) {
	my $reponame = $profile->reponame();
	my $repohash;
	# Ignore.
	delete($new_args{'repourl'});

	#
	# Get the commit hash for the HEAD commit.
	#
	my $output = emutil::ExecQuiet("$MANAGEGITREPO hash -n $reponame");
	if ($?) {
	    $$pmsg = $output;
	    # User Error
	    return 1;
	}
	$repohash = $output;
	chomp($repohash);
	$update_args{'repohash'} = $repohash;
	$fromrepo = 1;
718
    }
719 720 721 722 723 724
    # Script parameters
    if (defined($script) && $script ne "" && $script =~ /^import/m) {
	#
	# For a Parameterized Profile, need to generate and store the form
	# data. Only python scripts of course.
	#
Leigh B Stoller's avatar
Leigh B Stoller committed
725 726 727 728 729 730 731
	my $output;
	my $retval = GetScriptParameters($script, \$output);
	if ($retval) {
	    if ($retval < 0) {
		fatal("Could not get paramdefs: $output!");
	    }
	    UserError($output);
732 733 734
	}
	# No versioning so need to clear existing paramdefs.
	$update_args{"paramdefs"} = ($output ne "" ? $output : undef);
735 736
    }

737
    # Kill the description.. No longer used.
738 739
    delete($update_args{"description"});

740 741 742 743 744 745 746
    #
    # Check for version feature.
    #
    my $doversions =
	EmulabFeatures->FeatureEnabled("APT_ProfileVersions",
				       $this_user, $project);

747
    #
748
    # If the rspec/script changed, then make a new version of the profile.
749 750
    # Everything else is metadata.
    #
751 752 753
    if (exists($update_args{"rspec"}) ||
	exists($update_args{"script"}) ||
	exists($update_args{"repohash"})) {
754 755 756
	if ((exists($update_args{"rspec"}) &&
	     $update_args{"rspec"} ne $profile->rspec()) ||
	    (exists($update_args{"script"}) &&
757 758 759 760 761
	     $update_args{"script"} ne $profile->script()) ||
	    (defined($profile->repourl()) &&
	     exists($update_args{"repohash"}) &&
	     $update_args{"repohash"} ne $profile->repohash())) {
	    if ($doversions && !$fromrepo) {
762 763
		$profile = $profile->NewVersion($this_user);
		if (!defined($profile)) {
764 765
		    $$pmsg = "Could not create new version of the profile";
		    return -1;
766
		}
767 768 769
		# Tell the web interface we created a new version.
		$webtask->newProfile($profile->uuid())
		    if (defined($webtask));
770
	    }
Leigh B Stoller's avatar
Leigh B Stoller committed
771 772
	    foreach my $key ("rspec", "script", "paramdefs",
			     "repohash", "portal_converted") {
773 774 775 776
		$profile->UpdateVersion({$key => $update_args{$key}})
		    if (exists($update_args{$key}));
	    }
	}
Leigh B Stoller's avatar
Leigh B Stoller committed
777 778
	foreach my $key ("rspec", "script", "paramdefs",
			 "repohash", "portal_converted") {
779 780
	    delete($update_args{$key})
		if (exists($update_args{$key}));
781 782
	}
    }
783
    if (keys(%update_args)) {
784 785 786 787
	if ($profile->UpdateMetaData(\%update_args)) {
	    $$pmsg = "Could not update profile record";
	    return -1;
	}
788
    }
789

790
    #
791
    # Disable operates on current version or all versions.
792 793 794
    #
    if ($this_user->IsAdmin() &&
	exists($update_args{"disabled"})) {
795 796 797
	if (exists($modifiers{"disable_all"}) && $modifiers{"disable_all"}) {
	    $profile->UpdateAll({"disabled" => $update_args{"disabled"}});
	}
798 799
	$profile->UpdateVersion({"disabled" => $update_args{"disabled"}});
    }
800 801 802 803 804 805 806 807 808 809
    #
    # Ditto the nodelete flag.
    #
    if ($this_user->IsAdmin() &&
	exists($update_args{"nodelete"})) {
	if (exists($modifiers{"nodelete_all"}) && $modifiers{"nodelete_all"}) {
	    $profile->UpdateAll({"nodelete" => $update_args{"nodelete"}});
	}
	$profile->UpdateVersion({"nodelete" => $update_args{"nodelete"}});
    }
810
    $profile->InsertImageRecords();
811

812
    return 0;
813
}
814

815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848
#
# Verify the XML file. Return various arrays to drive the create/update.
#
sub VerifyXML($$)
{
    my ($xmlfile, $isupdate) = @_;

    #
    # Must wrap the parser in eval since it exits on error.
    #
    my $xmlparse = eval { XMLin($xmlfile,
				VarAttr => 'name',
				ContentKey => '-content',
				SuppressEmpty => undef); };
    fatal($@)
	if ($@);

    #
    # Process and dump the errors (formatted for the web interface).
    # We should probably XML format the errors instead but not sure I want
    # to go there yet.
    #
    my %errors = ();

    #
    # Make sure all the required arguments were provided.
    #
    my $key;
    foreach $key (keys(%xmlfields)) {
	my (undef, $required, undef) = @{$xmlfields{$key}};

	$errors{$key} = "Required value not provided"
	    if ($required & $SLOT_REQUIRED  &&
		! exists($xmlparse->{'attribute'}->{"$key"}));
849
    }
850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907
    UserError(\%errors)
	if (keys(%errors));

    foreach $key (keys(%{ $xmlparse->{'attribute'} })) {
	my $value = $xmlparse->{'attribute'}->{"$key"}->{'value'};
	if (!defined($value)) {	# Empty string comes from XML as an undef value.
	    $xmlparse->{'attribute'}->{"$key"}->{'value'} = $value = "";
	}

	print STDERR "User attribute: '$key' -> '$value'\n"
	    if ($verbose);

	my $field = $key;
	if (!exists($xmlfields{$field})) {
	    next; # Skip it.
	}
	my ($dbslot, $required, $default) = @{$xmlfields{$field}};

	if ($required & $SLOT_REQUIRED) {
	    # A slot that must be provided, so do not allow a null value.
	    if (!defined($value)) {
		$errors{$key} = "Must provide a non-null value";
		next;
	    }
	}
	if ($required & $SLOT_OPTIONAL) {
	    # Optional slot. If value is null skip it. Might not be the correct
	    # thing to do all the time?
	    if (!defined($value)) {
		next
		    if (!defined($default));
		$value = $default;
	    }
	}
	if ($required & $SLOT_ADMINONLY) {
	    # Admin implies optional, but thats probably not correct approach.
	    $errors{$key} = "Administrators only"
		if (! $this_user->IsAdmin());
	}
	if ($required & $SLOT_MODIFIER) {
	    $modifiers{$dbslot} = $value;
	    next;
	}
	# Now check that the value is legal.
	if (! TBcheck_dbslot($value, "apt_profiles",
			     $dbslot, TBDB_CHECKDBSLOT_ERROR)) {
	    $errors{$key} = TBFieldErrorString();
	    next;
	}
	$new_args{$dbslot} = $value;
	$update_args{$dbslot} = $value
	    if ($isupdate && ($required & $SLOT_UPDATE));

	if ($key eq "rspec") {
	    $rspec = $value;
	}
	elsif ($key eq "script") {
	    $script = $value;
908
	}
909
    }
910 911 912 913
    UserError(\%errors)
	if (keys(%errors));

    return 0;
914
}
915 916

#
917
# Update a profile from a repository; this is invoked from the web hook.
918
#
919 920 921 922 923 924 925 926 927 928
sub UpdateProfileFromRepo()
{
    my $errmsg;
    usage()
	if (@ARGV != 1);

    my ($uuid)  = @ARGV;
    my $profile = APT_Profile->Lookup($uuid);
    if (!defined($profile)) {
	fatal("Could not lookup profile for update $uuid");
929
    }
930 931 932 933 934
    if (!defined($profile->repourl())) {
	fatal("Not a repo based profile");
    }
    my $repourl = $profile->repourl();

935
    #
936 937
    # We need to make sure the project exists and is a valid project for
    # the creator (current user). 
938
    #
939 940 941
    $project = Project->Lookup($profile->pid_idx());
    if (!defined($project)) {
	fatal("No such project exists");
942
    }
943 944 945
    elsif (!$project->AccessCheck($this_user, TB_PROJECT_MAKEIMAGEID())) {
	fatal("Not enough permission in this project");
    }
946
    if ($profile->WaitForLock(10)) {
947 948 949
	print STDERR "Profile is busy, cannot lock it.\n";
	exit(1);
    }
950
    $usenewgenilib = UseNewGenilib($project);
951
    
952
    #
953 954
    # We want to update the profile from its URL, and get back the
    # new source code.
955
    #
956 957 958 959 960
    my $output = emutil::ExecQuiet("$MANAGEGITREPO update -o - -p $uuid");
    if ($?) {
	print STDERR $output;
	$profile->Unlock();
	fatal("Could not update repo from $repourl");
961
    }
962 963
    if ($verbose) {
	print $output . "\n";
964
    }
965
    if ($output =~ /\<rspec/) {
966
	$rspec = $output;
967
    }
968 969
    else {
	$script = $output;
970
    }
971
    #
972
    # Convert the script. If it fails we are not going to change the profile.
973
    #
974
    if (defined($script)) {
975
	my ($fh, $filename) = tempfile(UNLINK => 1);
976 977 978
	if (!defined($fh)) {
	    $profile->Unlock();
	    fatal("Could not open temporary file for script");
979
	}
980
	my $opts = ($usenewgenilib ? "-N" : "");
981
	print $fh $script;
982
	$output = emutil::ExecQuiet("$RUNGENILIB $opts $filename");
983 984 985
	if ($?) {
	    print STDERR $output;
	    $profile->Unlock();
Leigh B Stoller's avatar
Leigh B Stoller committed
986
	    print STDERR "UpdateProfileFromRepo: $RUNGENILIB failed\n";
987 988
	    # Pass along the exit value.
	    exit($? >> 8);
989
	}
990
	$rspec = $output;
991
    }
992
    
993
    #
994
    # We mimic what VerifyXML() does, we have to set just a few things.
995
    #
996 997
    $new_args{"rspec"}  = $update_args{"rspec"}  = $rspec;
    $new_args{"script"} = $update_args{"script"} = $script if(defined($script));
998

999 1000 1001 1002 1003 1004 1005 1006 1007
    my $retval = ModifyProfileInternal($profile, $project, \$errmsg);
    $profile->Unlock();
    if ($retval) {
	if ($retval < 0) {
	    fatal($errmsg);
	}
	else {
	    print STDERR "$errmsg\n";
	    exit(1);
1008
	}
1009
    }
1010 1011 1012 1013 1014 1015 1016 1017 1018 1019
    my $profile_name = $profile->name();
    my $profile_pid  = $profile->pid();
    my $creator = User->Lookup($profile->creator_idx());
    $project->SendEmail($creator->email(),
	"Profile updated from Git repository",
	"Profile $profile_pid,$profile_name has been updated ".
	"from its git repository\n".
	"as the result of a push webhook.",
	$project->Brand()->OpsEmailAddress(),
	# Temporary.
1020
	"BCC: " . $project->Brand()->LogsEmailAddress());
1021
    
1022
    return 0;
1023
}
1024 1025 1026 1027 1028

#
# For a Parameterized Profile, need to generate and store the form
# data. Only python scripts of course. Does not return on error.
#
Leigh B Stoller's avatar
Leigh B Stoller committed
1029
sub GetScriptParameters($$)
1030
{
Leigh B Stoller's avatar
Leigh B Stoller committed
1031
    my ($script, $pref) = @_;
1032

1033
    my ($fh, $filename) = tempfile(UNLINK => 1);
Leigh B Stoller's avatar
Leigh B Stoller committed
1034 1035 1036 1037
    if (!defined($fh)) {
	$$pref = "Could not open temporary file for script";
	return -1;
    }
1038
    my $opts = ($usenewgenilib ? "-N" : "");
1039
    print $fh $script;
Leigh B Stoller's avatar
Leigh B Stoller committed
1040

1041
    my $output = emutil::ExecQuiet("$RUNGENILIB $opts -p $filename");
Leigh B Stoller's avatar
Leigh B Stoller committed
1042 1043 1044 1045 1046 1047 1048 1049
    if ($?) {
	$$pref = $output;
	return $? >> 8;
    }
    chomp($output);

    $$pref = $output;
    return 0;
1050 1051
}

1052 1053 1054 1055 1056 1057
exit(0);

sub fatal($)
{
    my ($mesg) = @_;

1058 1059 1060
    if (defined($webtask_id)) {
	$webtask->output($mesg);
	$webtask->Exited(-1);
1061
    }
1062 1063 1064 1065 1066 1067 1068 1069
    print STDERR "*** $0:\n".
	         "    $mesg\n";
    # Exit with negative status so web interface treats it as system error.
    exit(-1);
}

#
# Generate a simple XML file that PHP can parse. The web interface
1070 1071
# relies on using the same name attributes for the errors, as for the
# incoming values. This makes sense to use from Create/Update only.
1072
#
1073
sub UserError($)
1074
{
1075 1076 1077 1078
    my ($ref) = @_;
    my $errors = {};

    if (ref($ref) eq "SCALAR") {
1079 1080 1081
	$errors->{"error"} = $$ref;
    }
    elsif (ref($ref) eq "") {
1082
	$errors->{"error"} = $ref;
1083
    }
1084 1085 1086
    elsif (ref($ref) eq "") {
	$errors->{"error"} = $ref;
    }
1087 1088 1089 1090 1091
    else {
	$errors = $ref;
    }
    if (defined($webtask_id)) {
	my $xml = "<errors>\n";
1092
	    
1093 1094 1095
	foreach my $key (keys(%$errors)) {
	    $xml .= "<error name='$key'>" . CGI::escapeHTML($errors->{$key});
	    $xml .= "</error>\n";
1096
	}
1097 1098 1099 1100 1101 1102 1103 1104
	$xml .= "</errors>\n";

	$webtask->Exited(1);
	$webtask->output($xml);
    }
    else {
	foreach my $key (keys(%$errors)) {
	    print "$key: " . $errors->{$key} . "\n";
1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117
	}
    }
    # Exit with positive status so web interface treats it as user error.
    exit(1);
}

sub escapeshellarg($)
{
    my ($str) = @_;

    $str =~ s/[^[:alnum:]]/\\$&/g;
    return $str;
}
1118 1119 1120 1121

#
# Delete a profile.
#
1122
sub DeleteProfile()
1123
{
1124
    my $optlist    = "akfn";
1125 1126 1127
    my $all        = 0;
    my $keepimages = 0;
    my $force      = 0;
1128
    my $impotent   = 0;
1129
    my $errmsg;
1130
    my %images;
1131
    my %snapnames  = ();
1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153
    my @versions;

    my %options = ();
    if (! getopts($optlist, \%options)) {
	usage();
    }
    if (defined($options{"a"})) {
	$all = 1;
    }
    if (defined($options{"k"})) {
	$keepimages = 1;
    }
    if (defined($options{"f"})) {
	$force = 1;
    }
    if (defined($options{"n"})) {
	$impotent = 1;
    }
    usage()
	if (!@ARGV);

    my $profile = APT_Profile->Lookup($ARGV[0]);
1154
    if (!defined($profile)) {
1155
	fatal("No such profile exists: " . $ARGV[0]);
1156
    }
1157 1158
    if ($profile->isLocked()) {
	$errmsg = "This profile has its nodelete flag set.";
1159
	goto uerror;
1160
    }
1161
    if (!CanDelete($profile, $this_user)) {
1162 1163
	$errmsg = "Not allowed to delete this profile (version)";
	goto uerror;
1164
    }
1165
    # For now, mere users do not see new image deletion stuff unless
1166 1167
    # feature enabled.
    if (0) {
1168 1169 1170 1171 1172 1173 1174
    if (! ($this_user->admin() || $this_user->stud())) {
	my $project = Project->Lookup($profile->pid_idx());
	if (! EmulabFeatures->FeatureEnabled("APT_ImageDeletion",
					     $this_user, $project)) {
	    $keepimages = 1;
	}
    }
1175
    }
1176 1177 1178 1179 1180

    # If deleting the only version of a profile, then force $all.
    if ($profile->VersionCount() == 1) {
	$all = 1;
    }
1181
    
1182
    #
1183 1184
    # Get all the image references for this profile. If we are deleting all
    # of the version, we need all image references across all versions.
1185
    #
1186 1187 1188 1189 1190 1191
    if ($keepimages) {
	# We do not care who is using the images if we are not deleting them.
	@versions = ();
    }
    elsif ($all) {
	@versions = $profile->AllVersions();
1192 1193
    }
    else {
1194 1195 1196 1197
	@versions = ($profile);
    }

    #
1198 1199
    # Images do not matter if $keepimages is set; we just delete the
    # profile. 
1200
    #
1201
    if (!$keepimages) {
1202 1203
	my $ilist;
	
1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283
	#
	# If we are deleting all versions of the profile we have to
	# find any other profiles using any possible image associated
	# with this profile. That includes any version of the image
	# named by the profile, plus any version of images named by
	# the node ids (snapshots).
	#
	# XXX: There is no way to know for sure what images to delete,
	# since none of the profile versions might actually be using
	# the associated images. We cannot just make up a urn unless
	# we want to try it at every cluster. We might end up doing that
	# but for now, these missed images can be culled from the image
	# management page instead.
	#
	# Aside; the above problem is specific to the Cloudlab Portal
	# that talks to multiple clusters. The Emulab portal talks to
	# to just one, so we could figure this out. We could also ask
	# the image server. Revist this later.
	#
	if ($all) {
	    my %imagenames = ($profile->name() => $profile->name());

	    #
	    # We need to know the names of all the clients so that we can
	    # find node snapshots.
	    #
	    foreach my $version (@versions) {
		my @clients = $version->NodeClientIDs();
		foreach my $id (@clients) {
		    my $name = $profile->name() . "." . $id;
		    $imagenames{$name} = $name;
		}
	    }

	    #
	    # Now search everything.
	    #
	    my $sentinel = 0;
	    
	    foreach my $name (values(%imagenames)) {
		last if ($sentinel);
		
		my $pid = $profile->pid();
		my @others;
		
		if (APT_Profile::ImageInfo->FindImagesByName($pid,
							     $name,
							     \@others)) {
		    fatal("Could not look up named image use for $name");
		}
		foreach my $imageinfo (@others) {
		    if ($force) {
			#
			# If forceibly deleting images, then we really just
			# want to operate on the naked images so that all
			# versions are removed. Its slow enough, doing them
			# individually will be much worse. So now that we
			# have one, we now where the images live, and can
			# generate the proper urns.
			#
			#
			my $hrn = GeniHRN->new($imageinfo->image());

			foreach my $name (values(%imagenames)) {
			    my $urn = GeniHRN::Generate($hrn->authority(),
							$hrn->type(),
							$imageinfo->ospid() .
							"//" . $name);
			    $images{$urn} = $urn;
			    print "$urn\n";
			}
			$sentinel = 1;
			last;
		    }
		    else {
			$images{$imageinfo->image()} = $imageinfo->image();
		    }

		}
	    }
1284
	}
1285
	else {
1286
	    #
1287 1288 1289 1290 1291
	    # For a specific version of the profile, we need to find
	    # other profiles using images defined in this profile, since
	    # those are the only ones we are going to delete. If the
	    # to be deleted profile is not using any associated images,
	    # then nothing will be deleted.
1292
	    #
1293 1294 1295 1296
	    if (APT_Profile::ImageInfo->LookupForProfile($profile, \$ilist)) {
		fatal("Could not get image reference list for $profile");
	    }
	    if (keys(%{ $ilist })) {
1297
		#
1298 1299 1300 1301 1302 1303 1304 1305 1306
		# We want to know which images are from snapshots of this
		# profile or nodes in this profile.
		#
		foreach my $client_id (keys(%{ $ilist })) {
		    my $imageinfo = $ilist->{$client_id};   

		    # We do not ever care about system images.
		    next
			if ($imageinfo->ospid() eq "emulab-ops");
1307

1308 1309 1310 1311 1312 1313 1314
		    #
		    # Skip the naked image; we do not want to delete the
		    # naked image since that would delete the entire image,
		    # all versions. 
		    #
		    next
			if (!defined($imageinfo->osvers()));
1315

1316 1317 1318 1319 1320 1321 1322
		    # Per-node snapshot image name.
		    my $snapname = $profile->name() . "." . $client_id;

		    if ($imageinfo->os() eq $profile->name() ||
			$imageinfo->os() eq $snapname) {
			$images{$imageinfo->image()} = $imageinfo->image();
		    }
1323 1324 1325 1326
		}
	    }
	}
    }
1327

1328 1329 1330 1331 1332 1333
    #
    # Now find other profiles using these images. 
    #
    if (keys(%images) && !$force) {
	my %using = ();

1334
	foreach my $imageurn (values(%images)) {
1335
	    my @profiles;
1336
	    APT_Profile::ImageInfo::FindProfilesUsing($imageurn, \@profiles);
1337 1338 1339 1340 1341 1342 1343 1344
	    foreach my $tmp (@profiles) {
		#
		# Skip the profile version we are working on.
		#
		next
		    if ($tmp->profileid() == $profile->profileid() &&
			($all || $tmp->version() == $profile->version()));

1345 1346
		if (!exists($using{$imageurn})) {
		    $using{$imageurn} = [];
1347
		}
1348
		push(@{ $using{$imageurn} }, $tmp);
1349 1350 1351 1352 1353 1354 1355 1356
	    }
	}
	#
	# Generate a return blob that that lists the images and any
	# profiles using them. We list all the images so we can tell
	# the user exactly what is going to happen.
	#
	my $blob = {};
1357
	foreach my $imageurn (values(%images)) {
1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381
	    my @profiles = ();
	    if (exists($using{$imageurn})) {
		@profiles = map { $_->uuid() } @{ $using{$imageurn} };
	    }
	    $blob->{$imageurn} = \@profiles;
	    if (!defined($webtask)) {
		print "$imageurn\n";
		foreach my $p (@{ $using{$imageurn} }) {
		    print "--> $p\n";
		}
	    }
	}
	if (defined($webtask)) {
	    $webtask->images($blob);
	    $webtask->Exited(2);
	    print Dumper($blob);
	}
	exit(2);
    }
    #
    # Okay, if we have images and in force mode, we want to delete
    # them at the target cluster.
    #
    if (keys(%images) && $force) {
1382 1383 1384
	foreach my $imageurn (values(%images)) {
	    my $hrn = GeniHRN->new($imageurn);
	    my $agg = APT_Aggregate->LookupByDomain($hrn->domain());
1385
	    if (!defined($agg)) {
1386
		print STDERR "Skipping $imageurn cause no aggregate.\n";
1387 1388 1389
		next;
	    }
	    my $aggurn = $agg->urn();
1390
	    my $urn    = $imageurn;
1391 1392
	    my $opt    = ($impotent ? "-n" : "");

1393 1394
	    print "Deleting $imageurn\n";

1395 1396 1397 1398
	    my $output =
		emutil::ExecQuiet("$MANAGEIMAGES delete -a $aggurn $opt $urn");
	    print STDERR $output;
	    if ($?) {
1399
		fatal("Could not delete $imageurn");
1400 1401 1402 1403
	    }
	}
    }
    if ($impotent) {
1404
	print "Not deleting profile, as requested.\n";
1405 1406 1407
	return 0;
    }
    if ($all || $profile->VersionCount() == 1) {
1408
	$profile->Delete(0) == 0 or
1409 1410
	    fatal("Could not delete profile");
    }
1411 1412 1413 1414
    else {
	$profile->DeleteVersion() == 0 or
	    fatal("Could not delete profile version");
    }
1415
    # The web UI will delete the anonymous webtask.