Commit aeefe835 authored by Iustin Pop's avatar Iustin Pop

Fix cfgupgrade with non-default DATA_DIR

Commit 43575108 added bootstrap.GenerateClusterCrypto and commit
7506a7f1 changed cfgupgrade to use it. However, this lost the
functionality of upgrading in a non-default DATA_DIR.

To fix this, we enhance bootstrap.GenerateClusterCrypto to accept custom
file paths for the three files it modifies. If more files are needed
in the future, we could just pass in a modified DATA_DIR, but for now
this suffices.
Signed-off-by: default avatarIustin Pop <iustin@google.com>
Reviewed-by: default avatarRené Nussbaumer <rn@google.com>
parent 88394aa7
......@@ -112,7 +112,10 @@ def GenerateHmacKey(file_name):
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
rapi_cert_pem=None):
rapi_cert_pem=None,
nodecert_file=constants.NODED_CERT_FILE,
rapicert_file=constants.RAPI_CERT_FILE,
hmackey_file=constants.CONFD_HMAC_KEY):
"""Updates the cluster certificates, keys and secrets.
@type new_cluster_cert: bool
......@@ -123,39 +126,42 @@ def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
@param new_confd_hmac_key: Whether to generate a new HMAC key
@type rapi_cert_pem: string
@param rapi_cert_pem: New RAPI certificate in PEM format
@type nodecert_file: string
@param nodecert_file: optional override of the node cert file path
@type rapicert_file: string
@param rapicert_file: optional override of the rapi cert file path
@type hmackey_file: string
@param hmackey_file: optional override of the hmac key file path
"""
# noded SSL certificate
cluster_cert_exists = os.path.exists(constants.NODED_CERT_FILE)
cluster_cert_exists = os.path.exists(nodecert_file)
if new_cluster_cert or not cluster_cert_exists:
if cluster_cert_exists:
utils.CreateBackup(constants.NODED_CERT_FILE)
utils.CreateBackup(nodecert_file)
logging.debug("Generating new cluster certificate at %s",
constants.NODED_CERT_FILE)
GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
logging.debug("Generating new cluster certificate at %s", nodecert_file)
GenerateSelfSignedSslCert(nodecert_file)
# confd HMAC key
if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
GenerateHmacKey(constants.CONFD_HMAC_KEY)
if new_confd_hmac_key or not os.path.exists(hmackey_file):
logging.debug("Writing new confd HMAC key to %s", hmackey_file)
GenerateHmacKey(hmackey_file)
# RAPI
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
rapi_cert_exists = os.path.exists(rapicert_file)
if rapi_cert_pem:
# Assume rapi_pem contains a valid PEM-formatted certificate and key
logging.debug("Writing RAPI certificate at %s",
constants.RAPI_CERT_FILE)
utils.WriteFile(constants.RAPI_CERT_FILE, data=rapi_cert_pem, backup=True)
logging.debug("Writing RAPI certificate at %s", rapicert_file)
utils.WriteFile(rapicert_file, data=rapi_cert_pem, backup=True)
elif new_rapi_cert or not rapi_cert_exists:
if rapi_cert_exists:
utils.CreateBackup(constants.RAPI_CERT_FILE)
utils.CreateBackup(rapicert_file)
logging.debug("Generating new RAPI certificate at %s",
constants.RAPI_CERT_FILE)
GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE)
logging.debug("Generating new RAPI certificate at %s", rapicert_file)
GenerateSelfSignedSslCert(rapicert_file)
def _InitGanetiServerSetup(master_name):
......
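Review bot: The `rapi_cert_pem` branch now writes to a caller-chosen path with `utils.WriteFile(rapicert_file, data=rapi_cert_pem, backup=True)` and no explicit mode, although the comment just above it says the PEM holds a certificate and key. With an overridden path, the resulting permissions depend on WriteFile's default and on the target directory, and neither is visible here. Passing the mode explicitly would remove that dependency, e.g. `utils.WriteFile(rapicert_file, data=rapi_cert_pem, mode=0400, backup=True)`, provided the readers of that file allow it. The docstring entries for the three new parameters could also say that these files contain secret material and belong in a directory with restricted access. The lines between the two hunks of this function are not shown.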
#!/usr/bin/python
#
# Copyright (C) 2007, 2008, 2009 Google Inc.
# Copyright (C) 2007, 2008, 2009, 2010 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -174,7 +174,10 @@ def main():
backup=True)
if not options.dry_run:
bootstrap.GenerateClusterCrypto(False, False, False)
bootstrap.GenerateClusterCrypto(False, False, False,
nodecert_file=options.SERVER_PEM_PATH,
rapicert_file=options.RAPI_CERT_FILE,
hmackey_file=options.CONFD_HMAC_KEY)
except:
logging.critical("Writing configuration failed. It is probably in an"
......
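Review bot: The new `bootstrap.GenerateClusterCrypto(...)` call sits inside the `try` whose bare `except:` logs "Writing configuration failed", so a failure creating the certificate or HMAC key at the option-derived paths would be reported as a configuration write error. An unwritable custom directory is one such case, and it is more likely now that the paths can point outside the default location. A comment above the call would make the scope clear, for instance `# May create key material at the option-derived paths; failures here are not config-write errors`. Giving the crypto step its own log message would make such failures easier to diagnose. main() and the body of the `except:` handler continue outside this hunk, so whether the handler restores the backup or re-raises cannot be checked from here.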