Commit 4a34c5cf authored by Guido Trotter's avatar Guido Trotter

Generate a shared HMAC key at cluster init time

This key is shared on all nodes (via cmdlib._RedistributeAncillaryFiles)
and will be used for HMAC authentication of confd messages.
Signed-off-by: default avatarGuido Trotter <ultrotter@google.com>
Reviewed-by: default avatarIustin Pop <iustin@google.com>
parent c071c5b3
......@@ -163,6 +163,7 @@ def _BuildUploadFileList():
constants.VNC_PASSWORD_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
])
for hv_name in constants.HYPER_TYPES:
......
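Review bot: The mode and owner the receiving node gives constants.HMAC_CLUSTER_KEY are not visible here; since this entry (and the matching one in the _RedistributeAncillaryFiles hunk below) pushes the secret to every node over the node RPC, the upload path must recreate it as 0400 with the same owner it has on the master at init, not with a default mode — confirm that rather than assume it. A group- or world-readable copy on any node would let any local account on that node produce valid confd messages, which is a different failure mode from the certificate and users files already in this list, so a comment on the entry would help: `# shared HMAC key: must remain 0400 on every node it is copied to`. The list also ties the key's confidentiality to that of the RPC transport; if the transport is not already authenticated and encrypted end to end, that should be stated where the key's security model is documented. _BuildUploadFileList begins before this hunk.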
......@@ -116,6 +116,11 @@ def _InitGanetiServerSetup():
if not os.path.exists(constants.RAPI_CERT_FILE):
_GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE)
if not os.path.exists(constants.HMAC_CLUSTER_KEY):
utils.WriteFile(constants.HMAC_CLUSTER_KEY,
data=utils.GenerateSecret(),
mode=0400)
result = utils.RunCmd([constants.NODE_INITD_SCRIPT, "restart"])
if result.failed:
......
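Review bot: The guard `if not os.path.exists(constants.HMAC_CLUSTER_KEY):` accepts any pre-existing file as the cluster key, including a zero-length one left behind by an interrupted earlier init, so it should also trigger regeneration when the file is empty: `if not os.path.exists(constants.HMAC_CLUSTER_KEY) or os.path.getsize(constants.HMAC_CLUSTER_KEY) == 0:`. Everything confd will later authenticate rests on utils.GenerateSecret(); its source of randomness is not shown in this hunk, and if it is not already drawn from os.urandom it should be. mode=0400 means only the file owner can read it, so the process that verifies confd messages must run as that owner (presumably root) — a one-line comment stating that assumption next to the WriteFile call would save the next reader a trip through the daemon code. _InitGanetiServerSetup continues outside this hunk.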
......@@ -1642,6 +1642,7 @@ def _RedistributeAncillaryFiles(lu, additional_nodes=None):
constants.SSH_KNOWN_HOSTS_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
])
enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
......
......@@ -97,6 +97,7 @@ SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock"
CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
SSL_CERT_FILE = DATA_DIR + "/server.pem"
RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
SSH_KNOWN_HOSTS_FILE = DATA_DIR + "/known_hosts"
......
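Review bot: The new HMAC_CLUSTER_KEY constant sits among path definitions with nothing saying what the file holds or how it must be protected, unlike its neighbours whose names are self-explanatory. A comment drawn from the commit description would make the contract explicit: `# Shared secret for HMAC authentication of confd messages; generated at cluster init (mode 0400) and distributed to every node`.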