Commit 084aba47 authored by Michael Hanselmann's avatar Michael Hanselmann

Merge remote branch 'origin/devel-2.1'



* origin/devel-2.1:
  Rightname confd's HMAC key
  Rename SSL_CERT_FILE to NODED_CERT_FILE
  Clarify the error message for ':' in PV names

Conflicts:
	lib/bootstrap.py: Trivial
	lib/constants.py: Trivial
Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
Reviewed-by: default avatarGuido Trotter <ultrotter@google.com>
parents b701a5df 6b7d5878
......@@ -335,8 +335,8 @@ def CheckConfd(_, args):
# TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll
# have more than one.
if not os.path.isfile(constants.HMAC_CLUSTER_KEY):
print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY
if not os.path.isfile(constants.CONFD_HMAC_KEY):
print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY
sys.exit(constants.EXIT_FAILURE)
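Review bot: The startup check in CheckConfd only tests `os.path.isfile(constants.CONFD_HMAC_KEY)`, so an empty or group/world-readable key file passes and the daemon starts. ConfdProcessor later reads this same file as its HMAC key, so an empty file would mean an empty key. Consider also rejecting those cases here with the same error exit, e.g. `st = os.stat(constants.CONFD_HMAC_KEY)` followed by `if st.st_size == 0 or st.st_mode & 0077:`. The function body begins outside the hunk, so an earlier check may already cover part of this.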
......
......@@ -871,8 +871,8 @@ def main():
dirs.append((constants.LOG_OS_DIR, 0750))
dirs.append((constants.LOCK_DIR, 1777))
daemon.GenericMain(constants.NODED, parser, dirs, CheckNoded, ExecNoded,
default_ssl_cert=constants.SSL_CERT_FILE,
default_ssl_key=constants.SSL_CERT_FILE)
default_ssl_cert=constants.NODED_CERT_FILE,
default_ssl_key=constants.NODED_CERT_FILE)
if __name__ == '__main__':
......
......@@ -183,7 +183,7 @@ def _BuildUploadFileList():
constants.VNC_PASSWORD_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY,
])
for hv_name in constants.HYPER_TYPES:
......@@ -399,9 +399,9 @@ def LeaveCluster(modify_ssh_setup):
logging.exception("Error while processing ssh files")
try:
utils.RemoveFile(constants.HMAC_CLUSTER_KEY)
utils.RemoveFile(constants.CONFD_HMAC_KEY)
utils.RemoveFile(constants.RAPI_CERT_FILE)
utils.RemoveFile(constants.SSL_CERT_FILE)
utils.RemoveFile(constants.NODED_CERT_FILE)
except: # pylint: disable-msg=W0702
logging.exception("Error while removing cluster secrets")
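Review bot: The three `utils.RemoveFile` calls in LeaveCluster share one `try`, so if removing `constants.CONFD_HMAC_KEY` raises, `RAPI_CERT_FILE` and `NODED_CERT_FILE` are never attempted and the departing node keeps cluster key material on disk. The bare `except:` would also swallow an `AttributeError` from a constant name missed in this rename, leaving only a log line. Removing each file in its own `try` keeps the best-effort behaviour while making sure every secret is attempted. The function continues outside the hunk.

```python
for secret_file in (constants.CONFD_HMAC_KEY,
                    constants.RAPI_CERT_FILE,
                    constants.NODED_CERT_FILE):
  try:
    utils.RemoveFile(secret_file)
  except: # pylint: disable-msg=W0702
    logging.exception("Error while removing cluster secret %s", secret_file)
```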
......
......@@ -389,8 +389,9 @@ class LogicalVolume(BlockDev):
pvlist = [ pv[1] for pv in pvs_info ]
if utils.any(pvlist, lambda v: ":" in v):
_ThrowError("Some of your PVs have invalid character ':'"
" in their name")
_ThrowError("Some of your PVs have the invalid character ':' in their"
" name, this is not supported - please filter them out"
" in lvm.conf using either 'filter' or 'preferred_names'")
free_size = sum([ pv[0] for pv in pvs_info ])
current_pvs = len(pvlist)
stripes = min(current_pvs, constants.LVM_STRIPECOUNT)
......
......@@ -76,7 +76,7 @@ def GenerateHmacKey(file_name):
backup=True)
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
rapi_cert_pem=None):
"""Updates the cluster certificates, keys and secrets.
......@@ -84,26 +84,26 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
@param new_cluster_cert: Whether to generate a new cluster certificate
@type new_rapi_cert: bool
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type new_hmac_key: bool
@param new_hmac_key: Whether to generate a new HMAC key
@type new_confd_hmac_key: bool
@param new_confd_hmac_key: Whether to generate a new HMAC key
@type rapi_cert_pem: string
@param rapi_cert_pem: New RAPI certificate in PEM format
"""
# SSL certificate
cluster_cert_exists = os.path.exists(constants.SSL_CERT_FILE)
# noded SSL certificate
cluster_cert_exists = os.path.exists(constants.NODED_CERT_FILE)
if new_cluster_cert or not cluster_cert_exists:
if cluster_cert_exists:
utils.CreateBackup(constants.SSL_CERT_FILE)
utils.CreateBackup(constants.NODED_CERT_FILE)
logging.debug("Generating new cluster certificate at %s",
constants.SSL_CERT_FILE)
utils.GenerateSelfSignedSslCert(constants.SSL_CERT_FILE)
constants.NODED_CERT_FILE)
utils.GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
# HMAC key
if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
# confd HMAC key
if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
GenerateHmacKey(constants.CONFD_HMAC_KEY)
# RAPI
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
......@@ -391,16 +391,16 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
"""
sshrunner = ssh.SshRunner(cluster_name)
noded_cert = utils.ReadFile(constants.SSL_CERT_FILE)
noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)
rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
# in the base64 pem encoding, neither '!' nor '.' are valid chars,
# so we use this to detect an invalid certificate; as long as the
# cert doesn't contain this, the here-document will be correctly
# parsed by the shell sequence below. HMAC keys are hexadecimal strings,
# so the same restrictions apply.
for content in (noded_cert, rapi_cert, hmac_key):
for content in (noded_cert, rapi_cert, confd_hmac_key):
if re.search('^!EOF\.', content, re.MULTILINE):
raise errors.OpExecError("invalid SSL certificate or HMAC key")
......@@ -408,8 +408,8 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
noded_cert += "\n"
if not rapi_cert.endswith("\n"):
rapi_cert += "\n"
if not hmac_key.endswith("\n"):
hmac_key += "\n"
if not confd_hmac_key.endswith("\n"):
confd_hmac_key += "\n"
# set up inter-node password and certificate and restarts the node daemon
# and then connect with ssh to set password and start ganeti-noded
......@@ -424,11 +424,11 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
"%s!EOF.\n"
"chmod 0400 %s %s %s && "
"%s start %s" %
(constants.SSL_CERT_FILE, noded_cert,
(constants.NODED_CERT_FILE, noded_cert,
constants.RAPI_CERT_FILE, rapi_cert,
constants.HMAC_CLUSTER_KEY, hmac_key,
constants.SSL_CERT_FILE, constants.RAPI_CERT_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY, confd_hmac_key,
constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE,
constants.CONFD_HMAC_KEY,
constants.DAEMON_UTIL, constants.NODED))
result = sshrunner.Run(node, 'root', mycommand, batch=False,
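Review bot: In SetupNodeDaemon the contents of the noded certificate file, the RAPI certificate and the confd HMAC key are interpolated into `mycommand` and handed to `sshrunner.Run`. The noded file is passed as both `default_ssl_cert` and `default_ssl_key` elsewhere in this change, so it presumably holds the private key too. How `Run` transports the string is not visible here; if it becomes an ssh argument, the key material is readable in the master's process list during the call, and it would appear in any log of the command. I would add a comment at the assignment such as `# mycommand embeds private key material: never log it; prefer feeding secrets over stdin`, and confirm that the error path after `Run` does not echo the command. Both the command string and the `Run` statement extend outside the hunk.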
......
......@@ -81,7 +81,7 @@ __all__ = [
"MC_OPT",
"NET_OPT",
"NEW_CLUSTER_CERT_OPT",
"NEW_HMAC_KEY_OPT",
"NEW_CONFD_HMAC_KEY_OPT",
"NEW_RAPI_CERT_OPT",
"NEW_SECONDARY_OPT",
"NIC_PARAMS_OPT",
......@@ -892,9 +892,11 @@ NEW_RAPI_CERT_OPT = cli_option("--new-rapi-certificate", dest="new_rapi_cert",
help=("Generate a new self-signed RAPI"
" certificate"))
NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key",
default=False, action="store_true",
help="Create a new HMAC key")
NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key",
dest="new_confd_hmac_key",
default=False, action="store_true",
help=("Create a new HMAC key for %s" %
constants.CONFD))
def _ParseArgs(argv, commands, aliases):
......
......@@ -2280,7 +2280,7 @@ def _RedistributeAncillaryFiles(lu, additional_nodes=None):
constants.SSH_KNOWN_HOSTS_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY,
])
enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
......
......@@ -62,7 +62,7 @@ class ConfdProcessor(object):
"""
self.disabled = True
self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
self.reader = None
assert \
not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \
......
......@@ -97,9 +97,9 @@ SUB_RUN_DIRS = [ RUN_GANETI_DIR, BDEV_CACHE_DIR, DISK_LINKS_DIR ]
LOCK_DIR = _autoconf.LOCALSTATEDIR + "/lock"
SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock"
CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
SSL_CERT_FILE = DATA_DIR + "/server.pem"
NODED_CERT_FILE = DATA_DIR + "/server.pem"
RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause"
INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
......@@ -114,7 +114,7 @@ SYSCONFDIR = _autoconf.SYSCONFDIR
TOOLSDIR = _autoconf.TOOLSDIR
CONF_DIR = SYSCONFDIR + "/ganeti"
ALL_CERT_FILES = frozenset([SSL_CERT_FILE, RAPI_CERT_FILE])
ALL_CERT_FILES = frozenset([NODED_CERT_FILE, RAPI_CERT_FILE])
MASTER_SOCKET = SOCKET_DIR + "/ganeti-master"
......
......@@ -185,8 +185,8 @@ class Client:
self.nc = {}
self._ssl_params = \
http.HttpSslParams(ssl_key_path=constants.SSL_CERT_FILE,
ssl_cert_path=constants.SSL_CERT_FILE)
http.HttpSslParams(ssl_key_path=constants.NODED_CERT_FILE,
ssl_cert_path=constants.NODED_CERT_FILE)
def ConnectList(self, node_list, address_list=None):
"""Add a list of nodes to the target nodes.
......
......@@ -711,7 +711,7 @@
<arg>-f</arg>
<sbr>
<arg choice="opt">--new-cluster-certificate</arg>
<arg choice="opt">--new-hmac-key</arg>
<arg choice="opt">--new-confd-hmac-key</arg>
<sbr>
<arg choice="opt">--new-rapi-certificate</arg>
<arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg>
......@@ -722,7 +722,7 @@
Ganeti daemons in the cluster and start them again once the new
certificates and keys are replicated. The options
<option>--new-cluster-certificate</option> and
<option>--new-hmac-key</option> can be used to regenerate the
<option>--new-confd-hmac-key</option> can be used to regenerate the
cluster-internal SSL certificate respective the HMAC key used by
<citerefentry>
<refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum>
......
......@@ -151,7 +151,7 @@ def TestClusterRenewCrypto():
# Conflicting options
cmd = ["gnt-cluster", "renew-crypto", "--force",
"--new-cluster-certificate", "--new-hmac-key",
"--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate", "--rapi-certificate=/dev/null"]
AssertNotEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
......@@ -183,7 +183,7 @@ def TestClusterRenewCrypto():
# Normal case
cmd = ["gnt-cluster", "renew-crypto", "--force",
"--new-cluster-certificate", "--new-hmac-key",
"--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate"]
AssertEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
......
......@@ -495,7 +495,7 @@ def SearchTags(opts, args):
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
new_hmac_key, force):
new_confd_hmac_key, force):
"""Renews cluster certificates, keys and secrets.
@type new_cluster_cert: bool
......@@ -504,13 +504,14 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type rapi_cert_filename: string
@param rapi_cert_filename: Path to file containing new RAPI certificate
@type new_hmac_key: bool
@param new_hmac_key: Whether to generate a new HMAC key
@type new_confd_hmac_key: bool
@param new_confd_hmac_key: Whether to generate a new HMAC key
@type force: bool
@param force: Whether to ask user for confirmation
"""
assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key
assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or
new_confd_hmac_key)
if new_rapi_cert and rapi_cert_filename:
ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate"
......@@ -548,19 +549,19 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
def _RenewCryptoInner(ctx):
ctx.feedback_fn("Updating certificates and keys")
bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert,
new_hmac_key,
new_confd_hmac_key,
rapi_cert_pem=rapi_cert_pem)
files_to_copy = []
if new_cluster_cert:
files_to_copy.append(constants.SSL_CERT_FILE)
files_to_copy.append(constants.NODED_CERT_FILE)
if new_rapi_cert or rapi_cert_pem:
files_to_copy.append(constants.RAPI_CERT_FILE)
if new_hmac_key:
files_to_copy.append(constants.HMAC_CLUSTER_KEY)
if new_confd_hmac_key:
files_to_copy.append(constants.CONFD_HMAC_KEY)
if files_to_copy:
for node_name in ctx.nonmaster_nodes:
......@@ -584,7 +585,7 @@ def RenewCrypto(opts, args):
return _RenewCrypto(opts.new_cluster_cert,
opts.new_rapi_cert,
opts.rapi_cert,
opts.new_hmac_key,
opts.new_confd_hmac_key,
opts.force)
......@@ -790,8 +791,8 @@ commands = {
"Alters the parameters of the cluster"),
"renew-crypto": (
RenewCrypto, ARGS_NONE,
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT,
FORCE_OPT],
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT,
NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT],
"[opts...]",
"Renews cluster certificates, keys and secrets"),
}
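Review bot: `_RenewCrypto` still uses `assert` to require that at least one of the four renewal options is set, and `RenewCrypto` passes `opts.*` straight through, so the condition appears reachable from the command line. Run without options, this ends in an AssertionError traceback, and under `python -O` the assert is stripped and the function carries on. Handling it like the conflicting-options check just below, with a `ToStderr(...)` message and a non-zero return, would be safer, e.g. `if not (new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_confd_hmac_key):`. The body of `_RenewCrypto` is only partly visible, and the neighbouring message misspells the option as `--new-rapi-certficate`.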
......
......@@ -121,7 +121,7 @@ def main():
options.SERVER_PEM_PATH = options.data_dir + "/server.pem"
options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts"
options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem"
options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key"
options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key"
SetupLogging()
......