Add initial implementation of prepare-node-join

This is a new tool as per the design document “design-ssh-setup”. It receives a JSON data structure on its standard input and configures the SSH daemon and root's SSH keys accordingly. Unit tests are included. Signed-off-by: Michael Hanselmann <hansmi@google.com> Reviewed-by: Iustin Pop <iustin@google.com>

Add initial implementation of prepare-node-join
This is a new tool as per the design document “design-ssh-setup”. It receives a JSON data structure on its standard input and configures the SSH daemon and root's SSH keys accordingly. Unit tests are included. Signed-off-by: Michael Hanselmann <hansmi@google.com> Reviewed-by: Iustin Pop <iustin@google.com>
d12b9f66 · Michael Hanselmann · 8a3c9e8a · d12b9f66 · d12b9f66 · d12b9f66
Commit d12b9f66 authored Oct 16, 2012 by Michael Hanselmann
8 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -94,6 +94,7 @@
 /tools/kvm-ifup
 /tools/ensure-dirs
 /tools/vcluster-setup
+/tools/prepare-node-join

 # scripts
 /scripts/gnt-backup

--- a/Makefile.am
+++ b/Makefile.am
@@ -315,7 +315,8 @@ server_PYTHON = \

 pytools_PYTHON = \
 	lib/tools/__init__.py \
-	lib/tools/ensure_dirs.py
+	lib/tools/ensure_dirs.py \
+	lib/tools/prepare_node_join.py

 utils_PYTHON = \
 	lib/utils/__init__.py \
@@ -578,7 +579,8 @@ PYTHON_BOOTSTRAP_SBIN = \

 PYTHON_BOOTSTRAP = \
 	$(PYTHON_BOOTSTRAP_SBIN) \
-	tools/ensure-dirs
+	tools/ensure-dirs \
+	tools/prepare-node-join

 qa_scripts = \
 	qa/__init__.py \
@@ -690,7 +692,8 @@ pkglib_python_scripts = \
 	tools/check-cert-expired

 nodist_pkglib_python_scripts = \
-	tools/ensure-dirs
+	tools/ensure-dirs \
+	tools/prepare-node-join

 myexeclib_SCRIPTS = \
 	daemons/daemon-util \
@@ -822,6 +825,7 @@ TEST_FILES = \
 	test/data/bdev-drbd-net-ip4.txt \
 	test/data/bdev-drbd-net-ip6.txt \
 	test/data/cert1.pem \
+	test/data/cert2.pem \
 	test/data/ip-addr-show-dummy0.txt \
 	test/data/ip-addr-show-lo-ipv4.txt \
 	test/data/ip-addr-show-lo-ipv6.txt \
@@ -926,6 +930,7 @@ python_tests = \
 	test/ganeti.ssh_unittest.py \
 	test/ganeti.storage_unittest.py \
 	test/ganeti.tools.ensure_dirs_unittest.py \
+	test/ganeti.tools.prepare_node_join_unittest.py \
 	test/ganeti.uidpool_unittest.py \
 	test/ganeti.utils.algo_unittest.py \
 	test/ganeti.utils.filelock_unittest.py \
@@ -1327,6 +1332,7 @@ daemons/ganeti-%: MODULE = ganeti.server.$(patsubst ganeti-%,%,$(notdir $@))
 daemons/ganeti-watcher: MODULE = ganeti.watcher
 scripts/%: MODULE = ganeti.client.$(subst -,_,$(notdir $@))
 tools/ensure-dirs: MODULE = ganeti.tools.ensure_dirs
+tools/prepare-node-join: MODULE = ganeti.tools.prepare_node_join
 $(HS_BUILT_TEST_HELPERS): TESTROLE = $(patsubst htest/%,%,$@)

 $(PYTHON_BOOTSTRAP): Makefile | stamp-directories

--- a/lib/constants.py
+++ b/lib/constants.py
@@ -2049,5 +2049,17 @@ SSHK_RSA = "rsa"
 SSHK_DSA = "dsa"
 SSHK_ALL = frozenset([SSHK_RSA, SSHK_DSA])

+# SSH authorized key types
+SSHAK_RSA = "ssh-rsa"
+SSHAK_DSS = "ssh-dss"
+SSHAK_ALL = frozenset([SSHAK_RSA, SSHAK_DSS])
+
+# SSH setup
+SSHS_CLUSTER_NAME = "cluster_name"
+SSHS_FORCE = "force"
+SSHS_SSH_HOST_KEY = "ssh_host_key"
+SSHS_SSH_ROOT_KEY = "ssh_root_key"
+SSHS_NODE_DAEMON_CERTIFICATE = "node_daemon_certificate"
+
 # Do not re-export imported modules
 del re, _vcsversion, _autoconf, socket, pathutils
--- a/lib/ssh.py
+++ b/lib/ssh.py
@@ -49,7 +49,7 @@ def FormatParamikoFingerprint(fingerprint):


 def GetUserFiles(user, mkdir=False, kind=constants.SSHK_DSA,
-                 _homedir_fn=utils.GetHomeDir):
+                 _homedir_fn=None):
  """Return the paths of a user's SSH files.

  @type user: string
@@ -67,6 +67,9 @@ def GetUserFiles(user, mkdir=False, kind=constants.SSHK_DSA,
    exception is raised if C{~$user/.ssh} is not a directory

  """
+  if _homedir_fn is None:
+    _homedir_fn = utils.GetHomeDir
+
  user_dir = _homedir_fn(user)
  if not user_dir:
    raise errors.OpExecError("Cannot resolve home of user '%s'" % user)

--- a/lib/tools/prepare_node_join.py
+++ b/lib/tools/prepare_node_join.py
--- a/lib/utils/io.py
+++ b/lib/utils/io.py
@@ -828,9 +828,6 @@ def ReadLockedPidFile(path):
  return None


-_SSH_KEYS_WITH_TWO_PARTS = frozenset(["ssh-dss", "ssh-rsa"])
-
-
 def _SplitSshKey(key):
  """Splits a line for SSH's C{authorized_keys} file.

@@ -845,7 +842,7 @@ def _SplitSshKey(key):
  """
  parts = key.split()

-  if parts and parts[0] in _SSH_KEYS_WITH_TWO_PARTS:
+  if parts and parts[0] in constants.SSHAK_ALL:
    # If the key has no options in front of it, we only want the significant
    # fields
    return (False, parts[:2])

--- a/test/data/cert2.pem
+++ b/test/data/cert2.pem
+-----BEGIN PRIVATE KEY-----
+MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAt8OZYvvi8noVPlpR
+/SrHcya9ne7RG5DjvMssksUqyGriUs/WGnpZlL4nz+BcLFGwNNntoxqR30Tjk47S
+cmSBRQIDAQABAkAqTP5MCMuPIYcuWUAyVNygpzRS3JyKCepClUpnZreYdo4sUQE3
+/AM7xeb92R06iZ3f9/MPrbaMKTWRh3uCyfKBAiEA5TxdacnVxdS8+ZLyys4p/C1s
+iajrarBb/j+NIAnsdnECIQDNOCDO7Jq/iN5qE4Vbi/3zmnP1Ca5aBo+KJ/hhSjRq
+FQIgIBpWEqybbXsfg+waaGB67MAHxTeM0IImP/LydpwtK2ECIB3SrlHj6Ik1Jr1b
+oOGw8nLYW0mc4o2KrolxTZM16XARAiBKW3aSjY5UrnoEqa8pAeiO8LJaRj73Epmr
+zC89IuLZfg==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIB0zCCAX2gAwIBAgIJAKrAqGX6UolVMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTIxMDE5MTQ1NjA4WhcNMTIxMDIwMTQ1NjA4WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALfD
+mWL74vJ6FT5aUf0qx3MmvZ3u0RuQ47zLLJLFKshq4lLP1hp6WZS+J8/gXCxRsDTZ
+7aMakd9E45OO0nJkgUUCAwEAAaNQME4wHQYDVR0OBBYEFA1Fc/GIVtd6nMocrSsA
+e5bxmVhMMB8GA1UdIwQYMBaAFA1Fc/GIVtd6nMocrSsAe5bxmVhMMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQEFBQADQQCTUwzDGU+IJTQ3PIJrA3fHMyKbBvc4Rkvi
+ZNFsmgsidWhb+5APlPjtlS7rXlonNHBzDoGb4RNArtxhEx+rBcAE
+-----END CERTIFICATE-----
--- a/test/ganeti.tools.prepare_node_join_unittest.py
+++ b/test/ganeti.tools.prepare_node_join_unittest.py