From 6b7d5878dc782a5de13d4dc0dee3712930a0cb20 Mon Sep 17 00:00:00 2001
From: Michael Hanselmann <hansmi@google.com>
Date: Mon, 15 Mar 2010 16:53:22 +0100
Subject: [PATCH] Rightname confd's HMAC key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently, the ganeti-confd's HMAC key is called βcluster HMAC keyβ or simply βHMAC keyβ everywhere. With the implementation of inter-cluster instance moves, another HMAC key will be introduced for signing critical data. They can not be the same, so this patch clarifies the purpose of the βcluster HMAC keyβ by renaming it. The actual file name is not changed.

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
---
 daemons/ganeti-confd | 4 ++--
 lib/backend.py | 4 ++--
 lib/bootstrap.py | 26 +++++++++++++-------------
 lib/cli.py | 10 ++++++----
 lib/cmdlib.py | 2 +-
 lib/confd/server.py | 2 +-
 lib/constants.py | 2 +-
 man/gnt-cluster.sgml | 4 ++--
 qa/qa_cluster.py | 4 ++--
 scripts/gnt-cluster | 21 +++++++++++----------
 tools/cfgupgrade | 2 +-
 11 files changed, 42 insertions(+), 39 deletions(-)
diff --git a/daemons/ganeti-confd b/daemons/ganeti-confd
index d19bfad06..82734ef1f 100755
--- a/daemons/ganeti-confd
+++ b/daemons/ganeti-confd
@@ -335,8 +335,8 @@ def CheckConfd(_, args):
 # TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll
 # have more than one.
- if not os.path.isfile(constants.HMAC_CLUSTER_KEY):
- print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY
+ if not os.path.isfile(constants.CONFD_HMAC_KEY):
+ print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY
 sys.exit(constants.EXIT_FAILURE)
diff --git a/lib/backend.py b/lib/backend.py
index e16a321c8..601a3f362 100644
--- a/lib/backend.py
+++ b/lib/backend.py
@@ -183,7 +183,7 @@ def _BuildUploadFileList():
 constants.VNC_PASSWORD_FILE,
 constants.RAPI_CERT_FILE,
 constants.RAPI_USERS_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
 ])
 for hv_name in constants.HYPER_TYPES:
@@ -399,7 +399,7 @@ def LeaveCluster(modify_ssh_setup):
 logging.exception("Error while processing ssh files")
 try:
- utils.RemoveFile(constants.HMAC_CLUSTER_KEY)
+ utils.RemoveFile(constants.CONFD_HMAC_KEY)
 utils.RemoveFile(constants.RAPI_CERT_FILE)
 utils.RemoveFile(constants.NODED_CERT_FILE)
 except: # pylint: disable-msg=W0702
diff --git a/lib/bootstrap.py b/lib/bootstrap.py
index 3647ad842..9f997c07e 100644
--- a/lib/bootstrap.py
+++ b/lib/bootstrap.py
@@ -111,7 +111,7 @@ def GenerateHmacKey(file_name):
 backup=True)
-def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
+def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
 rapi_cert_pem=None):
 """Updates the cluster certificates, keys and secrets.
@@ -119,8 +119,8 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
 @param new_cluster_cert: Whether to generate a new cluster certificate
 @type new_rapi_cert: bool
 @param new_rapi_cert: Whether to generate a new RAPI certificate
- @type new_hmac_key: bool
- @param new_hmac_key: Whether to generate a new HMAC key
+ @type new_confd_hmac_key: bool
+ @param new_confd_hmac_key: Whether to generate a new HMAC key
 @type rapi_cert_pem: string
 @param rapi_cert_pem: New RAPI certificate in PEM format
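Review bot: The renamed docstring entries of GenerateClusterCrypto still describe `new_confd_hmac_key` as "Whether to generate a new HMAC key", which keeps exactly the ambiguity the commit message sets out to remove once a second HMAC key exists. I would name the key: `@param new_confd_hmac_key: Whether to generate a new HMAC key for ganeti-confd`. The same generic wording is repeated in the `_RenewCrypto` docstring in scripts/gnt-cluster (hunk @@ -504), whereas the new `--new-confd-hmac-key` help text in lib/cli.py already names the daemon, so both docstrings could follow it. GenerateClusterCrypto's body continues outside this hunk.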
@@ -135,10 +135,10 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
 constants.NODED_CERT_FILE)
 GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
- # HMAC key
- if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
- logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
- GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
+ # confd HMAC key
+ if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
+ logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
+ GenerateHmacKey(constants.CONFD_HMAC_KEY)
 # RAPI
 rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
@@ -428,14 +428,14 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
 noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)
 rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
- hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
+ confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
 # in the base64 pem encoding, neither '!' nor '.' are valid chars,
 # so we use this to detect an invalid certificate; as long as the
 # cert doesn't contain this, the here-document will be correctly
 # parsed by the shell sequence below. HMAC keys are hexadecimal strings,
 # so the same restrictions apply.
- for content in (noded_cert, rapi_cert, hmac_key):
+ for content in (noded_cert, rapi_cert, confd_hmac_key):
 if re.search('^!EOF\.', content, re.MULTILINE):
 raise errors.OpExecError("invalid SSL certificate or HMAC key")
@@ -443,8 +443,8 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
 noded_cert += "\n"
 if not rapi_cert.endswith("\n"):
 rapi_cert += "\n"
- if not hmac_key.endswith("\n"):
- hmac_key += "\n"
+ if not confd_hmac_key.endswith("\n"):
+ confd_hmac_key += "\n"
 # set up inter-node password and certificate and restarts the node daemon
 # and then connect with ssh to set password and start ganeti-noded
@@ -461,9 +461,9 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
 "%s start %s" %
 (constants.NODED_CERT_FILE, noded_cert,
 constants.RAPI_CERT_FILE, rapi_cert,
- constants.HMAC_CLUSTER_KEY, hmac_key,
+ constants.CONFD_HMAC_KEY, confd_hmac_key,
 constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
 constants.DAEMON_UTIL, constants.NODED))
 result = sshrunner.Run(node, 'root', mycommand, batch=False,
diff --git a/lib/cli.py b/lib/cli.py
index 51c239c09..e4e0fe808 100644
--- a/lib/cli.py
+++ b/lib/cli.py
@@ -80,7 +80,7 @@ __all__ = [
 "MC_OPT",
 "NET_OPT",
 "NEW_CLUSTER_CERT_OPT",
- "NEW_HMAC_KEY_OPT",
+ "NEW_CONFD_HMAC_KEY_OPT",
 "NEW_RAPI_CERT_OPT",
 "NEW_SECONDARY_OPT",
 "NIC_PARAMS_OPT",
@@ -878,9 +878,11 @@ NEW_RAPI_CERT_OPT = cli_option("--new-rapi-certificate", dest="new_rapi_cert",
 help=("Generate a new self-signed RAPI"
 " certificate"))
-NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key",
- default=False, action="store_true",
- help="Create a new HMAC key")
+NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key",
+ dest="new_confd_hmac_key",
+ default=False, action="store_true",
+ help=("Create a new HMAC key for %s" %
+ constants.CONFD))
 def _ParseArgs(argv, commands, aliases):
diff --git a/lib/cmdlib.py b/lib/cmdlib.py
index b898469d6..32fdef9af 100644
--- a/lib/cmdlib.py
+++ b/lib/cmdlib.py
@@ -2280,7 +2280,7 @@ def _RedistributeAncillaryFiles(lu, additional_nodes=None):
 constants.SSH_KNOWN_HOSTS_FILE,
 constants.RAPI_CERT_FILE,
 constants.RAPI_USERS_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
 ])
 enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
diff --git a/lib/confd/server.py b/lib/confd/server.py
index 6c7f24dbb..e3dc58e07 100644
--- a/lib/confd/server.py
+++ b/lib/confd/server.py
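Review bot: The renamed `confd_hmac_key` value is still interpolated, together with both certificates, into `mycommand`, which the next context line hands to `sshrunner.Run(node, 'root', mycommand, ...)`; if that helper places the command in the ssh process's argument list rather than on its stdin (not visible here), the key material is briefly readable by other local users through the process table. This predates the rename, but since the commit exists to separate this key from a future key that signs critical data, the line deserves a marker such as `# NOTE: key material travels inside the remote command string; see how SshRunner passes it before relying on secrecy`, with a follow-up that feeds the here-document through stdin instead. SetupNodeDaemon starts and ends outside this hunk.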
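Review bot: `NEW_CONFD_HMAC_KEY_OPT` registers only the new `--new-confd-hmac-key` spelling, so any existing script that passes `--new-hmac-key` to `gnt-cluster renew-crypto` is now rejected during option parsing, and neither this hunk nor the man page hunk mentions that the option was renamed. If a transition period is wanted, the old name could be kept as a second option string on the same `cli_option` call (assuming it accepts several, as optparse's Option does), or the rename should at least be called out in the release notes. The new help text, which names the daemon via `constants.CONFD`, reads fine.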
@@ -62,7 +62,7 @@ class ConfdProcessor(object):
 """
 self.disabled = True
- self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
+ self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
 self.reader = None
 assert \
 not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \
diff --git a/lib/constants.py b/lib/constants.py
index 1174d5b87..49fca781c 100644
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -99,7 +99,7 @@ SSCONF_LOCK_FILE = LOCK_DIR + "/ganeti-ssconf.lock"
 CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
 NODED_CERT_FILE = DATA_DIR + "/server.pem"
 RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
-HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
+CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
 WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
 WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause"
 INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
diff --git a/man/gnt-cluster.sgml b/man/gnt-cluster.sgml
index e7947d049..450f4048c 100644
--- a/man/gnt-cluster.sgml
+++ b/man/gnt-cluster.sgml
@@ -711,7 +711,7 @@
 <arg>-f</arg>
 <sbr>
 <arg choice="opt">--new-cluster-certificate</arg>
- <arg choice="opt">--new-hmac-key</arg>
+ <arg choice="opt">--new-confd-hmac-key</arg>
 <sbr>
 <arg choice="opt">--new-rapi-certificate</arg>
 <arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg>
@@ -722,7 +722,7 @@
 Ganeti daemons in the cluster and start them again once the new
 certificates and keys are replicated. The options
 <option>--new-cluster-certificate</option> and
- <option>--new-hmac-key</option> can be used to regenerate the
+ <option>--new-confd-hmac-key</option> can be used to regenerate the
 cluster-internal SSL certificate respective the HMAC key used by
 <citerefentry>
 <refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum>
diff --git a/qa/qa_cluster.py b/qa/qa_cluster.py
index d4efc50de..5c88a04e9 100644
--- a/qa/qa_cluster.py
+++ b/qa/qa_cluster.py
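Review bot: `CONFD_HMAC_KEY` keeps the old `/hmac.key` path while only the constant is renamed, and nothing next to the definition records that this is deliberate or that a second, differently-purposed HMAC key is planned, so the next reader may take the unchanged file name for an oversight. A one-line comment above the definition would carry the commit message's intent into the code: `# HMAC key used by ganeti-confd; the file name is unchanged on purpose`.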
@@ -152,7 +152,7 @@ def TestClusterRenewCrypto():
 # Conflicting options
 cmd = ["gnt-cluster", "renew-crypto", "--force",
- "--new-cluster-certificate", "--new-hmac-key",
+ "--new-cluster-certificate", "--new-confd-hmac-key",
 "--new-rapi-certificate", "--rapi-certificate=/dev/null"]
 AssertNotEqual(StartSSH(master["primary"],
 utils.ShellQuoteArgs(cmd)).wait(), 0)
@@ -184,7 +184,7 @@ def TestClusterRenewCrypto():
 # Normal case
 cmd = ["gnt-cluster", "renew-crypto", "--force",
- "--new-cluster-certificate", "--new-hmac-key",
+ "--new-cluster-certificate", "--new-confd-hmac-key",
 "--new-rapi-certificate"]
 AssertEqual(StartSSH(master["primary"],
 utils.ShellQuoteArgs(cmd)).wait(), 0)
diff --git a/scripts/gnt-cluster b/scripts/gnt-cluster
index 0a4cc5cc7..1a58f11e6 100755
--- a/scripts/gnt-cluster
+++ b/scripts/gnt-cluster
@@ -495,7 +495,7 @@ def SearchTags(opts, args):
 def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
- new_hmac_key, force):
+ new_confd_hmac_key, force):
 """Renews cluster certificates, keys and secrets.
 @type new_cluster_cert: bool
@@ -504,13 +504,14 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
 @param new_rapi_cert: Whether to generate a new RAPI certificate
 @type rapi_cert_filename: string
 @param rapi_cert_filename: Path to file containing new RAPI certificate
- @type new_hmac_key: bool
- @param new_hmac_key: Whether to generate a new HMAC key
+ @type new_confd_hmac_key: bool
+ @param new_confd_hmac_key: Whether to generate a new HMAC key
 @type force: bool
 @param force: Whether to ask user for confirmation
 """
- assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key
+ assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or
+ new_confd_hmac_key)
 if new_rapi_cert and rapi_cert_filename:
 ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate"
@@ -548,7 +549,7 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
 def _RenewCryptoInner(ctx):
 ctx.feedback_fn("Updating certificates and keys")
 bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert,
- new_hmac_key,
+ new_confd_hmac_key,
 rapi_cert_pem=rapi_cert_pem)
 files_to_copy = []
@@ -559,8 +560,8 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
 if new_rapi_cert or rapi_cert_pem:
 files_to_copy.append(constants.RAPI_CERT_FILE)
- if new_hmac_key:
- files_to_copy.append(constants.HMAC_CLUSTER_KEY)
+ if new_confd_hmac_key:
+ files_to_copy.append(constants.CONFD_HMAC_KEY)
 if files_to_copy:
 for node_name in ctx.nonmaster_nodes:
@@ -584,7 +585,7 @@ def RenewCrypto(opts, args):
 return _RenewCrypto(opts.new_cluster_cert,
 opts.new_rapi_cert,
 opts.rapi_cert,
- opts.new_hmac_key,
+ opts.new_confd_hmac_key,
 opts.force)
@@ -790,8 +791,8 @@ commands = {
 "Alters the parameters of the cluster"),
 "renew-crypto": (
 RenewCrypto, ARGS_NONE,
- [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT,
- FORCE_OPT],
+ [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT,
+ NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT],
 "[opts...]", "Renews cluster certificates, keys and secrets"),
 }
diff --git a/tools/cfgupgrade b/tools/cfgupgrade
index 5ecc098d2..fa6a8194d 100755
--- a/tools/cfgupgrade
+++ b/tools/cfgupgrade
@@ -121,7 +121,7 @@ def main():
 options.SERVER_PEM_PATH = options.data_dir + "/server.pem"
 options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts"
 options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem"
- options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key"
+ options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key"
 SetupLogging()
-- 
GitLab