Commit d12b9f66 authored by Michael Hanselmann

Add initial implementation of prepare-node-join

This is a new tool as per the design document “design-ssh-setup”. It
receives a JSON data structure on its standard input and configures the
SSH daemon and root's SSH keys accordingly. Unit tests are included.
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
parent 8a3c9e8a
......@@ -94,6 +94,7 @@
/tools/kvm-ifup
/tools/ensure-dirs
/tools/vcluster-setup
/tools/prepare-node-join
# scripts
/scripts/gnt-backup
......
......@@ -315,7 +315,8 @@ server_PYTHON = \
pytools_PYTHON = \
lib/tools/__init__.py \
lib/tools/ensure_dirs.py
lib/tools/ensure_dirs.py \
lib/tools/prepare_node_join.py
utils_PYTHON = \
lib/utils/__init__.py \
......@@ -578,7 +579,8 @@ PYTHON_BOOTSTRAP_SBIN = \
PYTHON_BOOTSTRAP = \
$(PYTHON_BOOTSTRAP_SBIN) \
tools/ensure-dirs
tools/ensure-dirs \
tools/prepare-node-join
qa_scripts = \
qa/__init__.py \
......@@ -690,7 +692,8 @@ pkglib_python_scripts = \
tools/check-cert-expired
nodist_pkglib_python_scripts = \
tools/ensure-dirs
tools/ensure-dirs \
tools/prepare-node-join
myexeclib_SCRIPTS = \
daemons/daemon-util \
......@@ -822,6 +825,7 @@ TEST_FILES = \
test/data/bdev-drbd-net-ip4.txt \
test/data/bdev-drbd-net-ip6.txt \
test/data/cert1.pem \
test/data/cert2.pem \
test/data/ip-addr-show-dummy0.txt \
test/data/ip-addr-show-lo-ipv4.txt \
test/data/ip-addr-show-lo-ipv6.txt \
......@@ -926,6 +930,7 @@ python_tests = \
test/ganeti.ssh_unittest.py \
test/ganeti.storage_unittest.py \
test/ganeti.tools.ensure_dirs_unittest.py \
test/ganeti.tools.prepare_node_join_unittest.py \
test/ganeti.uidpool_unittest.py \
test/ganeti.utils.algo_unittest.py \
test/ganeti.utils.filelock_unittest.py \
......@@ -1327,6 +1332,7 @@ daemons/ganeti-%: MODULE = ganeti.server.$(patsubst ganeti-%,%,$(notdir $@))
daemons/ganeti-watcher: MODULE = ganeti.watcher
scripts/%: MODULE = ganeti.client.$(subst -,_,$(notdir $@))
tools/ensure-dirs: MODULE = ganeti.tools.ensure_dirs
tools/prepare-node-join: MODULE = ganeti.tools.prepare_node_join
$(HS_BUILT_TEST_HELPERS): TESTROLE = $(patsubst htest/%,%,$@)
$(PYTHON_BOOTSTRAP): Makefile | stamp-directories
......
......@@ -2049,5 +2049,17 @@ SSHK_RSA = "rsa"
SSHK_DSA = "dsa"
SSHK_ALL = frozenset([SSHK_RSA, SSHK_DSA])
# SSH authorized key types
SSHAK_RSA = "ssh-rsa"
SSHAK_DSS = "ssh-dss"
SSHAK_ALL = frozenset([SSHAK_RSA, SSHAK_DSS])
# SSH setup
SSHS_CLUSTER_NAME = "cluster_name"
SSHS_FORCE = "force"
SSHS_SSH_HOST_KEY = "ssh_host_key"
SSHS_SSH_ROOT_KEY = "ssh_root_key"
SSHS_NODE_DAEMON_CERTIFICATE = "node_daemon_certificate"
# Do not re-export imported modules
del re, _vcsversion, _autoconf, socket, pathutils
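Review bot: The new `SSHS_*` block is introduced only by `# SSH setup`, which says neither what the constants name nor that two of them refer to key material. Going by the commit message they are presumably the keys of the JSON document that prepare-node-join reads on standard input, so I would expand the comment to something like `# SSH setup: keys of the JSON structure read by prepare-node-join on stdin` and add `# Values for ssh_host_key and ssh_root_key presumably include private keys; never log them`. The tool's own diff is collapsed on this page, so how it handles those values cannot be checked here.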
......@@ -49,7 +49,7 @@ def FormatParamikoFingerprint(fingerprint):
def GetUserFiles(user, mkdir=False, kind=constants.SSHK_DSA,
_homedir_fn=utils.GetHomeDir):
_homedir_fn=None):
"""Return the paths of a user's SSH files.
@type user: string
......@@ -67,6 +67,9 @@ def GetUserFiles(user, mkdir=False, kind=constants.SSHK_DSA,
exception is raised if C{~$user/.ssh} is not a directory
"""
if _homedir_fn is None:
_homedir_fn = utils.GetHomeDir
user_dir = _homedir_fn(user)
if not user_dir:
raise errors.OpExecError("Cannot resolve home of user '%s'" % user)
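Review bot: The docstring of `GetUserFiles` does not mention `_homedir_fn`, and the new `if _homedir_fn is None:` fallback carries no comment saying why the default moved out of the signature. A default written in the signature is bound once when the module is imported, so looking up `utils.GetHomeDir` inside the body is what lets a later replacement of that function (presumably a unit-test stub) take effect; a one-line comment such as `# Look up utils.GetHomeDir at call time rather than at import time` would record that. Because the directory it returns is where the user's SSH key files are read and written, the docstring should also state that the parameter exists for tests only. The function body continues past the end of the hunk.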
......
This diff is collapsed.
......@@ -828,9 +828,6 @@ def ReadLockedPidFile(path):
return None
_SSH_KEYS_WITH_TWO_PARTS = frozenset(["ssh-dss", "ssh-rsa"])
def _SplitSshKey(key):
"""Splits a line for SSH's C{authorized_keys} file.
......@@ -845,7 +842,7 @@ def _SplitSshKey(key):
"""
parts = key.split()
if parts and parts[0] in _SSH_KEYS_WITH_TWO_PARTS:
if parts and parts[0] in constants.SSHAK_ALL:
# If the key has no options in front of it, we only want the significant
# fields
return (False, parts[:2])
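Review bot: The membership test `parts[0] in constants.SSHAK_ALL` recognises only `ssh-rsa` and `ssh-dss`, so an option-less line for any other key type (an ECDSA or `ssh-ed25519` key, for example) misses the `return (False, parts[:2])` path and is handled as if it began with options. The replaced `_SSH_KEYS_WITH_TWO_PARTS` held the same two values, so this is not a regression, but the limit now sits in a shared constant where it is easy to overlook. I would add a comment at the check, e.g. `# Only key types in SSHAK_ALL are treated as option-less; extend the constant when new types are supported`, and a unit test for an unrecognised type. The rest of `_SplitSshKey` lies outside the hunk, so what the other branch does with such a line needs to be confirmed there.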
......
-----BEGIN PRIVATE KEY-----
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAt8OZYvvi8noVPlpR
/SrHcya9ne7RG5DjvMssksUqyGriUs/WGnpZlL4nz+BcLFGwNNntoxqR30Tjk47S
cmSBRQIDAQABAkAqTP5MCMuPIYcuWUAyVNygpzRS3JyKCepClUpnZreYdo4sUQE3
/AM7xeb92R06iZ3f9/MPrbaMKTWRh3uCyfKBAiEA5TxdacnVxdS8+ZLyys4p/C1s
iajrarBb/j+NIAnsdnECIQDNOCDO7Jq/iN5qE4Vbi/3zmnP1Ca5aBo+KJ/hhSjRq
FQIgIBpWEqybbXsfg+waaGB67MAHxTeM0IImP/LydpwtK2ECIB3SrlHj6Ik1Jr1b
oOGw8nLYW0mc4o2KrolxTZM16XARAiBKW3aSjY5UrnoEqa8pAeiO8LJaRj73Epmr
zC89IuLZfg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
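Review bot: This section commits an unencrypted private key next to a certificate, presumably as `test/data/cert2.pem`, the only PEM file the commit adds to `TEST_FILES`. Nothing on the page marks it as a throwaway fixture; the length of the base64 body suggests a 512-bit RSA key, which is acceptable for unit tests but must never be deployed on a real node. I would state that where reviewers will see it, for instance in the docstring of the unit test that loads the file (`Uses test/data/cert2.pem, a key pair generated for tests only`), and add the path to the allowlist of whatever secret scanning the repository uses so that real findings are not buried.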
This diff is collapsed.