Commit 6b7d5878 authored by Michael Hanselmann's avatar Michael Hanselmann
Browse files

Rightname confd's HMAC key



Currently, the ganeti-confd's HMAC key is called “cluster HMAC key” or
simply “HMAC key” everywhere. With the implementation of inter-cluster
instance moves, another HMAC key will be introduced for signing critical
data. They can not be the same, so this patch clarifies the purpose of the
“cluster HMAC key” by renaming it. The actual file name is not changed.
Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
Reviewed-by: default avatarIustin Pop <iustin@google.com>
parent 168c1de2
......@@ -335,8 +335,8 @@ def CheckConfd(_, args):
# TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll
# have more than one.
if not os.path.isfile(constants.HMAC_CLUSTER_KEY):
print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY
if not os.path.isfile(constants.CONFD_HMAC_KEY):
print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY
sys.exit(constants.EXIT_FAILURE)
......
......@@ -183,7 +183,7 @@ def _BuildUploadFileList():
constants.VNC_PASSWORD_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY,
])
for hv_name in constants.HYPER_TYPES:
......@@ -399,7 +399,7 @@ def LeaveCluster(modify_ssh_setup):
logging.exception("Error while processing ssh files")
try:
utils.RemoveFile(constants.HMAC_CLUSTER_KEY)
utils.RemoveFile(constants.CONFD_HMAC_KEY)
utils.RemoveFile(constants.RAPI_CERT_FILE)
utils.RemoveFile(constants.NODED_CERT_FILE)
except: # pylint: disable-msg=W0702
......
......@@ -111,7 +111,7 @@ def GenerateHmacKey(file_name):
backup=True)
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
rapi_cert_pem=None):
"""Updates the cluster certificates, keys and secrets.
......@@ -119,8 +119,8 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
@param new_cluster_cert: Whether to generate a new cluster certificate
@type new_rapi_cert: bool
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type new_hmac_key: bool
@param new_hmac_key: Whether to generate a new HMAC key
@type new_confd_hmac_key: bool
@param new_confd_hmac_key: Whether to generate a new HMAC key
@type rapi_cert_pem: string
@param rapi_cert_pem: New RAPI certificate in PEM format
......@@ -135,10 +135,10 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
constants.NODED_CERT_FILE)
GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
# HMAC key
if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
# confd HMAC key
if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
GenerateHmacKey(constants.CONFD_HMAC_KEY)
# RAPI
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
......@@ -428,14 +428,14 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)
rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
# in the base64 pem encoding, neither '!' nor '.' are valid chars,
# so we use this to detect an invalid certificate; as long as the
# cert doesn't contain this, the here-document will be correctly
# parsed by the shell sequence below. HMAC keys are hexadecimal strings,
# so the same restrictions apply.
for content in (noded_cert, rapi_cert, hmac_key):
for content in (noded_cert, rapi_cert, confd_hmac_key):
if re.search('^!EOF\.', content, re.MULTILINE):
raise errors.OpExecError("invalid SSL certificate or HMAC key")
......@@ -443,8 +443,8 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
noded_cert += "\n"
if not rapi_cert.endswith("\n"):
rapi_cert += "\n"
if not hmac_key.endswith("\n"):
hmac_key += "\n"
if not confd_hmac_key.endswith("\n"):
confd_hmac_key += "\n"
# set up inter-node password and certificate and restarts the node daemon
# and then connect with ssh to set password and start ganeti-noded
......@@ -461,9 +461,9 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
"%s start %s" %
(constants.NODED_CERT_FILE, noded_cert,
constants.RAPI_CERT_FILE, rapi_cert,
constants.HMAC_CLUSTER_KEY, hmac_key,
constants.CONFD_HMAC_KEY, confd_hmac_key,
constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY,
constants.DAEMON_UTIL, constants.NODED))
result = sshrunner.Run(node, 'root', mycommand, batch=False,
......
......@@ -80,7 +80,7 @@ __all__ = [
"MC_OPT",
"NET_OPT",
"NEW_CLUSTER_CERT_OPT",
"NEW_HMAC_KEY_OPT",
"NEW_CONFD_HMAC_KEY_OPT",
"NEW_RAPI_CERT_OPT",
"NEW_SECONDARY_OPT",
"NIC_PARAMS_OPT",
......@@ -878,9 +878,11 @@ NEW_RAPI_CERT_OPT = cli_option("--new-rapi-certificate", dest="new_rapi_cert",
help=("Generate a new self-signed RAPI"
" certificate"))
NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key",
default=False, action="store_true",
help="Create a new HMAC key")
NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key",
dest="new_confd_hmac_key",
default=False, action="store_true",
help=("Create a new HMAC key for %s" %
constants.CONFD))
def _ParseArgs(argv, commands, aliases):
......
......@@ -2280,7 +2280,7 @@ def _RedistributeAncillaryFiles(lu, additional_nodes=None):
constants.SSH_KNOWN_HOSTS_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
constants.HMAC_CLUSTER_KEY,
constants.CONFD_HMAC_KEY,
])
enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
......
......@@ -62,7 +62,7 @@ class ConfdProcessor(object):
"""
self.disabled = True
self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
self.reader = None
assert \
not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \
......
......@@ -99,7 +99,7 @@ SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock"
CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
NODED_CERT_FILE = DATA_DIR + "/server.pem"
RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause"
INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
......
......@@ -711,7 +711,7 @@
<arg>-f</arg>
<sbr>
<arg choice="opt">--new-cluster-certificate</arg>
<arg choice="opt">--new-hmac-key</arg>
<arg choice="opt">--new-confd-hmac-key</arg>
<sbr>
<arg choice="opt">--new-rapi-certificate</arg>
<arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg>
......@@ -722,7 +722,7 @@
Ganeti daemons in the cluster and start them again once the new
certificates and keys are replicated. The options
<option>--new-cluster-certificate</option> and
<option>--new-hmac-key</option> can be used to regenerate the
<option>--new-confd-hmac-key</option> can be used to regenerate the
cluster-internal SSL certificate respective the HMAC key used by
<citerefentry>
<refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum>
......
......@@ -152,7 +152,7 @@ def TestClusterRenewCrypto():
# Conflicting options
cmd = ["gnt-cluster", "renew-crypto", "--force",
"--new-cluster-certificate", "--new-hmac-key",
"--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate", "--rapi-certificate=/dev/null"]
AssertNotEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
......@@ -184,7 +184,7 @@ def TestClusterRenewCrypto():
# Normal case
cmd = ["gnt-cluster", "renew-crypto", "--force",
"--new-cluster-certificate", "--new-hmac-key",
"--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate"]
AssertEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
......
......@@ -495,7 +495,7 @@ def SearchTags(opts, args):
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
new_hmac_key, force):
new_confd_hmac_key, force):
"""Renews cluster certificates, keys and secrets.
@type new_cluster_cert: bool
......@@ -504,13 +504,14 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type rapi_cert_filename: string
@param rapi_cert_filename: Path to file containing new RAPI certificate
@type new_hmac_key: bool
@param new_hmac_key: Whether to generate a new HMAC key
@type new_confd_hmac_key: bool
@param new_confd_hmac_key: Whether to generate a new HMAC key
@type force: bool
@param force: Whether to ask user for confirmation
"""
assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key
assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or
new_confd_hmac_key)
if new_rapi_cert and rapi_cert_filename:
ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate"
......@@ -548,7 +549,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
def _RenewCryptoInner(ctx):
ctx.feedback_fn("Updating certificates and keys")
bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert,
new_hmac_key,
new_confd_hmac_key,
rapi_cert_pem=rapi_cert_pem)
files_to_copy = []
......@@ -559,8 +560,8 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
if new_rapi_cert or rapi_cert_pem:
files_to_copy.append(constants.RAPI_CERT_FILE)
if new_hmac_key:
files_to_copy.append(constants.HMAC_CLUSTER_KEY)
if new_confd_hmac_key:
files_to_copy.append(constants.CONFD_HMAC_KEY)
if files_to_copy:
for node_name in ctx.nonmaster_nodes:
......@@ -584,7 +585,7 @@ def RenewCrypto(opts, args):
return _RenewCrypto(opts.new_cluster_cert,
opts.new_rapi_cert,
opts.rapi_cert,
opts.new_hmac_key,
opts.new_confd_hmac_key,
opts.force)
......@@ -790,8 +791,8 @@ commands = {
"Alters the parameters of the cluster"),
"renew-crypto": (
RenewCrypto, ARGS_NONE,
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT,
FORCE_OPT],
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT,
NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT],
"[opts...]",
"Renews cluster certificates, keys and secrets"),
}
......
......@@ -121,7 +121,7 @@ def main():
options.SERVER_PEM_PATH = options.data_dir + "/server.pem"
options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts"
options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem"
options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key"
options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key"
SetupLogging()
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment