diff --git a/daemons/ganeti-confd b/daemons/ganeti-confd index d19bfad0618d79187b0699faf3e8947b44a58b99..82734ef1f0b6b9e4b6417123f03ed3cda7c05668 100755 --- a/daemons/ganeti-confd +++ b/daemons/ganeti-confd @@ -335,8 +335,8 @@ def CheckConfd(_, args): # TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll # have more than one. - if not os.path.isfile(constants.HMAC_CLUSTER_KEY): - print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY + if not os.path.isfile(constants.CONFD_HMAC_KEY): + print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY sys.exit(constants.EXIT_FAILURE) diff --git a/daemons/ganeti-noded b/daemons/ganeti-noded index 4fb244d38747662cecd7896a9086f12418ec1f89..08a0b400db89bd3a07744f27116ae8bdc1ab6c0b 100755 --- a/daemons/ganeti-noded +++ b/daemons/ganeti-noded @@ -871,8 +871,8 @@ def main(): dirs.append((constants.LOG_OS_DIR, 0750)) dirs.append((constants.LOCK_DIR, 1777)) daemon.GenericMain(constants.NODED, parser, dirs, CheckNoded, ExecNoded, - default_ssl_cert=constants.SSL_CERT_FILE, - default_ssl_key=constants.SSL_CERT_FILE) + default_ssl_cert=constants.NODED_CERT_FILE, + default_ssl_key=constants.NODED_CERT_FILE) if __name__ == '__main__': diff --git a/lib/backend.py b/lib/backend.py index 5a09b57f01b713baf5f89743824512ee1b02dac3..601a3f3627debdecb8f7ad903485b9d4cc674b3b 100644 --- a/lib/backend.py +++ b/lib/backend.py @@ -183,7 +183,7 @@ def _BuildUploadFileList(): constants.VNC_PASSWORD_FILE, constants.RAPI_CERT_FILE, constants.RAPI_USERS_FILE, - constants.HMAC_CLUSTER_KEY, + constants.CONFD_HMAC_KEY, ]) for hv_name in constants.HYPER_TYPES: 
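Review bot: The startup check in CheckConfd only tests `os.path.isfile(constants.CONFD_HMAC_KEY)`, so an empty or truncated key file passes and the daemon starts with whatever `utils.ReadFile` returns for it in lib/confd/server.py. I would also reject an empty file, e.g. `if not (os.path.isfile(constants.CONFD_HMAC_KEY) and os.path.getsize(constants.CONFD_HMAC_KEY) > 0):`. CheckConfd starts above this hunk, so any earlier validation is not visible here.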
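Review bot: In the context line `dirs.append((constants.LOCK_DIR, 1777))` of daemons/ganeti-noded the mode is a decimal literal, while the neighbouring `0750` is octal. Decimal 1777 is octal 03361, which is setgid plus sticky with `-wx rw- --x` permissions rather than the world-writable sticky directory the digits suggest. If the usual sticky lock-directory mode is intended, the line should read `dirs.append((constants.LOCK_DIR, 01777))`. The rename does not touch this line, and main() starts above the hunk.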
@@ -399,9 +399,9 @@ def LeaveCluster(modify_ssh_setup): logging.exception("Error while processing ssh files") try: - utils.RemoveFile(constants.HMAC_CLUSTER_KEY) + utils.RemoveFile(constants.CONFD_HMAC_KEY) utils.RemoveFile(constants.RAPI_CERT_FILE) - utils.RemoveFile(constants.SSL_CERT_FILE) + utils.RemoveFile(constants.NODED_CERT_FILE) except: # pylint: disable-msg=W0702 logging.exception("Error while removing cluster secrets") diff --git a/lib/bdev.py b/lib/bdev.py index bdfbec7aaa4dbb0942570fb13ebbde1c24230f6e..721f3a6eca3ff3e2af9b4cd4550d3f4d2eadc83c 100644 --- a/lib/bdev.py +++ b/lib/bdev.py @@ -389,8 +389,9 @@ class LogicalVolume(BlockDev): pvlist = [ pv[1] for pv in pvs_info ] if utils.any(pvlist, lambda v: ":" in v): - _ThrowError("Some of your PVs have invalid character ':'" - " in their name") + _ThrowError("Some of your PVs have the invalid character ':' in their" + " name, this is not supported - please filter them out" + " in lvm.conf using either 'filter' or 'preferred_names'") free_size = sum([ pv[0] for pv in pvs_info ]) current_pvs = len(pvlist) stripes = min(current_pvs, constants.LVM_STRIPECOUNT) diff --git a/lib/bootstrap.py b/lib/bootstrap.py index 4ef199d2746d34ebb1392f789f25edb3be446069..ebfad81f9329cb0e420f112109d5decfc6ca31f6 100644 --- a/lib/bootstrap.py +++ b/lib/bootstrap.py @@ -76,7 +76,7 @@ def GenerateHmacKey(file_name): backup=True) -def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key, +def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key, rapi_cert_pem=None): """Updates the cluster certificates, keys and secrets. 
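Review bot: The three `utils.RemoveFile` calls in LeaveCluster share one `try`, so an exception on the first (the confd HMAC key) skips the other two. The RAPI and noded certificates then stay on a node that has left the cluster, and the bare `except:` only logs it. Removing each secret in its own `try` keeps the cleanup best-effort while still attempting every file and naming the one that failed. LeaveCluster begins above this hunk and continues after it.

```python
  # … unchanged: ssh file handling and its logging.exception …
  for secret_file in (constants.CONFD_HMAC_KEY,
                      constants.RAPI_CERT_FILE,
                      constants.NODED_CERT_FILE):
    try:
      utils.RemoveFile(secret_file)
    except: # pylint: disable-msg=W0702
      logging.exception("Error while removing cluster secret %s", secret_file)
```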
@@ -84,26 +84,26 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key, @param new_cluster_cert: Whether to generate a new cluster certificate @type new_rapi_cert: bool @param new_rapi_cert: Whether to generate a new RAPI certificate - @type new_hmac_key: bool - @param new_hmac_key: Whether to generate a new HMAC key + @type new_confd_hmac_key: bool + @param new_confd_hmac_key: Whether to generate a new HMAC key @type rapi_cert_pem: string @param rapi_cert_pem: New RAPI certificate in PEM format """ - # SSL certificate - cluster_cert_exists = os.path.exists(constants.SSL_CERT_FILE) + # noded SSL certificate + cluster_cert_exists = os.path.exists(constants.NODED_CERT_FILE) if new_cluster_cert or not cluster_cert_exists: if cluster_cert_exists: - utils.CreateBackup(constants.SSL_CERT_FILE) + utils.CreateBackup(constants.NODED_CERT_FILE) logging.debug("Generating new cluster certificate at %s", - constants.SSL_CERT_FILE) - utils.GenerateSelfSignedSslCert(constants.SSL_CERT_FILE) + constants.NODED_CERT_FILE) + utils.GenerateSelfSignedSslCert(constants.NODED_CERT_FILE) - # HMAC key - if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY): - logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY) - GenerateHmacKey(constants.HMAC_CLUSTER_KEY) + # confd HMAC key + if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY): + logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY) + GenerateHmacKey(constants.CONFD_HMAC_KEY) # RAPI rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE) 
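Review bot: The docstring entry for the renamed parameter still reads `@param new_confd_hmac_key: Whether to generate a new HMAC key`, although the inline comment and log message in the same hunk now say "confd HMAC key". I would change it to `@param new_confd_hmac_key: Whether to generate a new HMAC key for confd`; the same wording is left in the `_RenewCrypto` docstring in scripts/gnt-cluster. The docstring should also say that the noded certificate and the HMAC key are regenerated when the file is missing even if the flag is False, which is what `new_cluster_cert or not cluster_cert_exists` and `new_confd_hmac_key or not os.path.exists(...)` do. The function body continues past the hunk.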
@@ -391,16 +391,16 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): """ sshrunner = ssh.SshRunner(cluster_name) - noded_cert = utils.ReadFile(constants.SSL_CERT_FILE) + noded_cert = utils.ReadFile(constants.NODED_CERT_FILE) rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE) - hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY) + confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY) # in the base64 pem encoding, neither '!' nor '.' are valid chars, # so we use this to detect an invalid certificate; as long as the # cert doesn't contain this, the here-document will be correctly # parsed by the shell sequence below. HMAC keys are hexadecimal strings, # so the same restrictions apply. - for content in (noded_cert, rapi_cert, hmac_key): + for content in (noded_cert, rapi_cert, confd_hmac_key): if re.search('^!EOF\.', content, re.MULTILINE): raise errors.OpExecError("invalid SSL certificate or HMAC key") @@ -408,8 +408,8 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): noded_cert += "\n" if not rapi_cert.endswith("\n"): rapi_cert += "\n" - if not hmac_key.endswith("\n"): - hmac_key += "\n" + if not confd_hmac_key.endswith("\n"): + confd_hmac_key += "\n" # set up inter-node password and certificate and restarts the node daemon # and then connect with ssh to set password and start ganeti-noded @@ -424,11 +424,11 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): "%s!EOF.\n" "chmod 0400 %s %s %s && " "%s start %s" % - (constants.SSL_CERT_FILE, noded_cert, + (constants.NODED_CERT_FILE, noded_cert, constants.RAPI_CERT_FILE, rapi_cert, - constants.HMAC_CLUSTER_KEY, hmac_key, - constants.SSL_CERT_FILE, constants.RAPI_CERT_FILE, - constants.HMAC_CLUSTER_KEY, + constants.CONFD_HMAC_KEY, confd_hmac_key, + constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE, + constants.CONFD_HMAC_KEY, constants.DAEMON_UTIL, constants.NODED)) result = sshrunner.Run(node, 'root', mycommand, batch=False, 
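Review bot: In the command string of SetupNodeDaemon the `chmod 0400 %s %s %s` runs only after all three here-documents have been written. Until then the noded certificate, RAPI certificate and confd HMAC key have whatever mode the remote shell's umask gives them. The start of the command is above this hunk, so a `umask 077` may already be there; if it is not, it should be the first element of the chain. If it is, a comment next to the `chmod` such as `# files are created under umask 077 above; chmod only drops the owner write bit` would make the protection explicit.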
diff --git a/lib/cli.py b/lib/cli.py index ed429fbd85aa189557175dcfc79032af81db18ed..2d0c6c27fa967ccdd6f9cab8b7e53039f4ee95ee 100644 --- a/lib/cli.py +++ b/lib/cli.py @@ -81,7 +81,7 @@ __all__ = [ "MC_OPT", "NET_OPT", "NEW_CLUSTER_CERT_OPT", - "NEW_HMAC_KEY_OPT", + "NEW_CONFD_HMAC_KEY_OPT", "NEW_RAPI_CERT_OPT", "NEW_SECONDARY_OPT", "NIC_PARAMS_OPT", @@ -892,9 +892,11 @@ NEW_RAPI_CERT_OPT = cli_option("--new-rapi-certificate", dest="new_rapi_cert", help=("Generate a new self-signed RAPI" " certificate")) -NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key", - default=False, action="store_true", - help="Create a new HMAC key") +NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key", + dest="new_confd_hmac_key", + default=False, action="store_true", + help=("Create a new HMAC key for %s" % + constants.CONFD)) def _ParseArgs(argv, commands, aliases): diff --git a/lib/cmdlib.py b/lib/cmdlib.py index a15df39a283d38d2d108b955c4c87f29a878fe1d..f0fc7fad7908d5dab93f6622bc753a7879ebd71a 100644 --- a/lib/cmdlib.py +++ b/lib/cmdlib.py @@ -2280,7 +2280,7 @@ def _RedistributeAncillaryFiles(lu, additional_nodes=None): constants.SSH_KNOWN_HOSTS_FILE, constants.RAPI_CERT_FILE, constants.RAPI_USERS_FILE, - constants.HMAC_CLUSTER_KEY, + constants.CONFD_HMAC_KEY, ]) enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors diff --git a/lib/confd/server.py b/lib/confd/server.py index 6c7f24dbbd5b1bfca9b4bd8d717c38a220dd6adf..e3dc58e07ecd796b21e058cb55a11a841bf529af 100644 --- a/lib/confd/server.py +++ b/lib/confd/server.py @@ -62,7 +62,7 @@ class ConfdProcessor(object): """ self.disabled = True - self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY) + self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY) self.reader = None assert \ not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \ diff --git a/lib/constants.py b/lib/constants.py index 0cca534af6af5a39126d757fc733f5ab04a85b4b..3edbd6d1015112429e8d7a98583499ad219cf76e 100644 
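Review bot: Renaming the option to `--new-confd-hmac-key` in lib/cli.py drops `--new-hmac-key` with no alias, so existing key-rotation scripts that call `gnt-cluster renew-crypto --new-hmac-key` will fail at option parsing after the upgrade. If `cli_option` accepts several option strings the way optparse's `Option` does, keeping the old spelling for a release only changes the first line: `NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key", "--new-hmac-key",`. Otherwise the rename deserves an entry in the upgrade notes.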
--- a/lib/constants.py +++ b/lib/constants.py @@ -97,9 +97,9 @@ SUB_RUN_DIRS = [ RUN_GANETI_DIR, BDEV_CACHE_DIR, DISK_LINKS_DIR ] LOCK_DIR = _autoconf.LOCALSTATEDIR + "/lock" SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock" CLUSTER_CONF_FILE = DATA_DIR + "/config.data" -SSL_CERT_FILE = DATA_DIR + "/server.pem" +NODED_CERT_FILE = DATA_DIR + "/server.pem" RAPI_CERT_FILE = DATA_DIR + "/rapi.pem" -HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key" +CONFD_HMAC_KEY = DATA_DIR + "/hmac.key" WATCHER_STATEFILE = DATA_DIR + "/watcher.data" WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause" INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status" @@ -114,7 +114,7 @@ SYSCONFDIR = _autoconf.SYSCONFDIR TOOLSDIR = _autoconf.TOOLSDIR CONF_DIR = SYSCONFDIR + "/ganeti" -ALL_CERT_FILES = frozenset([SSL_CERT_FILE, RAPI_CERT_FILE]) +ALL_CERT_FILES = frozenset([NODED_CERT_FILE, RAPI_CERT_FILE]) MASTER_SOCKET = SOCKET_DIR + "/ganeti-master" diff --git a/lib/rpc.py b/lib/rpc.py index d9114f1b17713e11f32d681170a47b9c21b4ca8c..6de365bd150e4ce4cdc478b85e1b6fe815de9fc5 100644 --- a/lib/rpc.py +++ b/lib/rpc.py @@ -185,8 +185,8 @@ class Client: self.nc = {} self._ssl_params = \ - http.HttpSslParams(ssl_key_path=constants.SSL_CERT_FILE, - ssl_cert_path=constants.SSL_CERT_FILE) + http.HttpSslParams(ssl_key_path=constants.NODED_CERT_FILE, + ssl_cert_path=constants.NODED_CERT_FILE) def ConnectList(self, node_list, address_list=None): """Add a list of nodes to the target nodes. diff --git a/man/gnt-cluster.sgml b/man/gnt-cluster.sgml index e7947d049ed3870f8256576b2158c2f11aaaf738..450f4048c875360c17ea921ac1ca9db46c6fc29a 100644 --- a/man/gnt-cluster.sgml +++ b/man/gnt-cluster.sgml @@ -711,7 +711,7 @@ <arg>-f</arg> <sbr> <arg choice="opt">--new-cluster-certificate</arg> - <arg choice="opt">--new-hmac-key</arg> + <arg choice="opt">--new-confd-hmac-key</arg> <sbr> <arg choice="opt">--new-rapi-certificate</arg> <arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg> 
@@ -722,7 +722,7 @@ Ganeti daemons in the cluster and start them again once the new certificates and keys are replicated. The options <option>--new-cluster-certificate</option> and - <option>--new-hmac-key</option> can be used to regenerate the + <option>--new-confd-hmac-key</option> can be used to regenerate the cluster-internal SSL certificate respective the HMAC key used by <citerefentry> <refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum> diff --git a/qa/qa_cluster.py b/qa/qa_cluster.py index a5539df3ceb72450a53b158788b4baeca2521c25..5ce6252f78a0b5f753322c72f3984d468d30961e 100644 --- a/qa/qa_cluster.py +++ b/qa/qa_cluster.py @@ -151,7 +151,7 @@ def TestClusterRenewCrypto(): # Conflicting options cmd = ["gnt-cluster", "renew-crypto", "--force", - "--new-cluster-certificate", "--new-hmac-key", + "--new-cluster-certificate", "--new-confd-hmac-key", "--new-rapi-certificate", "--rapi-certificate=/dev/null"] AssertNotEqual(StartSSH(master["primary"], utils.ShellQuoteArgs(cmd)).wait(), 0) @@ -183,7 +183,7 @@ def TestClusterRenewCrypto(): # Normal case cmd = ["gnt-cluster", "renew-crypto", "--force", - "--new-cluster-certificate", "--new-hmac-key", + "--new-cluster-certificate", "--new-confd-hmac-key", "--new-rapi-certificate"] AssertEqual(StartSSH(master["primary"], utils.ShellQuoteArgs(cmd)).wait(), 0) diff --git a/scripts/gnt-cluster b/scripts/gnt-cluster index 01ecedbc9cf681a2a729a4f97deee8f9a2e2692c..1a58f11e6b584c0c1e2cc730aa1f84ba436cbc28 100755 --- a/scripts/gnt-cluster +++ b/scripts/gnt-cluster @@ -495,7 +495,7 @@ def SearchTags(opts, args): def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename, - new_hmac_key, force): + new_confd_hmac_key, force): """Renews cluster certificates, keys and secrets. @type new_cluster_cert: bool 
@@ -504,13 +504,14 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename, @param new_rapi_cert: Whether to generate a new RAPI certificate @type rapi_cert_filename: string @param rapi_cert_filename: Path to file containing new RAPI certificate - @type new_hmac_key: bool - @param new_hmac_key: Whether to generate a new HMAC key + @type new_confd_hmac_key: bool + @param new_confd_hmac_key: Whether to generate a new HMAC key @type force: bool @param force: Whether to ask user for confirmation """ - assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key + assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or + new_confd_hmac_key) if new_rapi_cert and rapi_cert_filename: ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate" @@ -548,19 +549,19 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename, def _RenewCryptoInner(ctx): ctx.feedback_fn("Updating certificates and keys") bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, - new_hmac_key, + new_confd_hmac_key, rapi_cert_pem=rapi_cert_pem) files_to_copy = [] if new_cluster_cert: - files_to_copy.append(constants.SSL_CERT_FILE) + files_to_copy.append(constants.NODED_CERT_FILE) if new_rapi_cert or rapi_cert_pem: files_to_copy.append(constants.RAPI_CERT_FILE) - if new_hmac_key: - files_to_copy.append(constants.HMAC_CLUSTER_KEY) + if new_confd_hmac_key: + files_to_copy.append(constants.CONFD_HMAC_KEY) if files_to_copy: for node_name in ctx.nonmaster_nodes: @@ -584,7 +585,7 @@ def RenewCrypto(opts, args): return _RenewCrypto(opts.new_cluster_cert, opts.new_rapi_cert, opts.rapi_cert, - opts.new_hmac_key, + opts.new_confd_hmac_key, opts.force) 
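Review bot: The `assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_confd_hmac_key)` is the only guard visible here against `renew-crypto` being run with no option, and RenewCrypto passes `opts` straight through. The user then gets an AssertionError traceback, and under `python -O` the check disappears. An explicit test in the style of the one that follows would be `if not (new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_confd_hmac_key):` with a `ToStderr` message and an error return. The message below it also misspells the option as `--new-rapi-certficate`. _RenewCrypto continues outside the hunk.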
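Review bot: In _RenewCryptoInner, `files_to_copy` is built from the command-line flags alone, but `bootstrap.GenerateClusterCrypto` (lib/bootstrap.py in this commit) also regenerates the noded certificate and the confd HMAC key when the file is missing on the master. In that case a fresh certificate or key is written locally and never appended here, so the other nodes would keep a different one, assuming nothing outside this hunk redistributes it. Having GenerateClusterCrypto report which files it actually wrote, or checking for the missing files before the call and adding them to the list, would close the gap. _RenewCryptoInner continues below the hunk.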
@@ -790,8 +791,8 @@ commands = { "Alters the parameters of the cluster"), "renew-crypto": ( RenewCrypto, ARGS_NONE, - [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT, - FORCE_OPT], + [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, + NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT], "[opts...]", "Renews cluster certificates, keys and secrets"), } diff --git a/tools/cfgupgrade b/tools/cfgupgrade index 5ecc098d2fd47871de49b405817dcd4d9af6a212..fa6a8194dfc69b0121901dbba8867edbbe403b1c 100755 --- a/tools/cfgupgrade +++ b/tools/cfgupgrade @@ -121,7 +121,7 @@ def main(): options.SERVER_PEM_PATH = options.data_dir + "/server.pem" options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts" options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem" - options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key" + options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key" SetupLogging()