- 08 Jul, 2015 1 commit
-
-
Klaus Aehlig authored
...so that it can be used outside the filter test as well. Signed-off-by:
Klaus Aehlig <aehlig@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
- 07 Jul, 2015 1 commit
-
-
Helga Velroyen authored
* stable-2.12
  Handle SSL setup when downgrading
  Write SSH ports to ssconf files
  Noded: Consider certificate chain in callback
  Cluster-keys-replacement: update documentation
  Backend: Use timestamp as serial no for server cert
  UPGRADE: add note about 2.12.5
  NEWS: Mention issue 1094
  man: mention changes in renew-crypto
  Verify: warn about self-signed client certs
  Bootstrap: validate SSL setup before starting noded
  Clean up configuration of curl request
  Renew-crypto: remove superflous copying of node certs
  Renew-crypto: propagate verbose and debug option
  Noded: log the certificate and digest on noded startup
  QA: reload rapi cert after renew crypto
  Prepare-node-join: use common functions
  Renew-crypto: remove dead code
  Init: add master client certificate to configuration
  Renew-crypto: rebuild digest map of all nodes
  Noded: make "bootstrap" a constant
  node-daemon-setup: generate client certificate
  tools: Move (Re)GenerateClientCert to common
  Renew cluster and client certificates together
  Init: create the master's client cert in bootstrap
  Renew client certs using ssl_update tool
  Run functions while (some) daemons are stopped
  Back up old client.pem files
  Introduce ssl_update tool
  x509 function for creating signed certs
  Add tools/common.py from 2.13
  Consider ECDSA in SSH setup
  Update documentation of watcher and RAPI daemon
  Watcher: add option for setting RAPI IP
  When connecting to Metad fails, log the full stack trace
  Set up the Metad client with allow_non_master
  Set up the configuration client properly on non-masters
  Add the 'allow_non_master' option to the WConfd RPC client
  Add the option to disable master checks to the RPC client
  Add 'allow_non_master' to the Luxi test transport class too
  Add 'allow_non_master' to FdTransport for compatibility
  Properly document all constructor arguments of Transport
  Allow the Transport class to be used for non-master nodes
  Don't define the set of all daemons twice

Conflicts:
  Makefile.am
  NEWS
  UPGRADE
  lib/client/gnt_cluster.py
  lib/cmdlib/cluster.py
  lib/tools/common.py
  lib/tools/prepare_node_join.py
  lib/watcher/__init__.py
  man/ganeti-watcher.rst
  src/Ganeti/OpCodes.hs
  test/hs/Test/Ganeti/OpCodes.hs
  test/py/cmdlib/cluster_unittest.py
  test/py/ganeti.tools.prepare_node_join_unittest.py
  tools/cfgupgrade

Resolutions:
  Makefile.am: add ssl_update and ssh_update
  NEWS: add new sections from 2.12 and 2.13
  UPGRADE: add notes for both 2.12 and 2.13
  lib/client/gnt_cluster.py: add all new options to RenewCluster, remove version-specific downgrade code
  lib/tools/common.py: split the two mismatching versions of _VerifyCertificate and VerifyCertificate up into [_]VerifyCertifcate{Soft,Strong} and update usages accordingly
  lib/tools/prepare_node_join.py update usage of correct VerifyCertificate function
  lib/watcher/__init__.py add both new options, --rapi-ip and --no-verify-disks
  man/ganeti-watcher.rst update docs for both new options (see above)
  src/Ganeti/OpCodes.hs add all new options to OpRenewCrypto
  test/hs/Test/Ganeti/OpCodes.hs add enough 'arbitrary' for all new options of OpRenewCrypto
  test/py/cmdlib/cluster_unittest.py use changes from 2.12
  test/py/ganeti.tools.prepare_node_join_unittest.py remove tests that were moved to common_unittest.py
  tools/cfgupgrade use only downgrade code of 2.13

Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
- 06 Jul, 2015 32 commits
-
-
Klaus Aehlig authored
While there, also mention that it does more than checking for rebooted nodes. Signed-off-by:
Klaus Aehlig <aehlig@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Klaus Aehlig authored
In some setups, verification of disks can take a long time, whereas it is still desirable to run the other watcher operations more regularly. Hence support this use case by providing an option to not run disk verification, allowing for more elaborate cron schedules. Fixes issue 1090. Signed-off-by:
Klaus Aehlig <aehlig@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Helga Velroyen authored
This patch will handle the downgrade of the SSL setup from 2.12 to 2.11. Essentially, all client.pem and ssconf_master_candidates_certs files will be deleted. This will kick the cluster into a pre-2.11 mode wrt SSL and result in a nagging message to re-run 'gnt-cluster renew-crypto' as output of 'gnt-cluster verify'. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Helga Velroyen authored
For the downgrading of the SSL setup from 2.12 to 2.11, we need to be able to SSH into machines while no daemons are running. Unfortunately, currently the only way to obtain custom-configured SSH ports is by queries. In order to access this information with daemons being shut down, this patch adds the SSH port information to an ssconf file. This will also be used to simplify some backend calls for the *SSH* handling in 2.13. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Helga Velroyen authored
This patch significantly changes the callback that is called upon receiving an incoming SSL connection. This callback is called not only with the certificate that the client sends, but also (in some implementations) with the entire certificate chain of the client certificate. In our case, the certificate chain contains the client certificate and the server certificate as the one that signed the client certificate. This means that we have to accept the server certificate, but only if we receive it with the 'depth' greater than 0, meaning that this is part of the chain and not the actual certificate. If the depth value is 0, we can be sure to have received the actual certificate and match it against the list of master candidate certificates as before. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch updates the cluster-keys-replacement document, which assists users with replacing the crypto keys for their cluster. This now reflects the changes wrt server/client certificates. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
So far, all of Ganeti's server certificates had the serial number '1'. While this works, it makes it hard to distinguish situations where the certificate is renewed from those where it wasn't. This patch uses a timestamp as serial number. While this is still not strictly according to the SSL RFC, it is at least a number that is strictly growing and we can be sure that no two different server certificates will have the same serial number. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch adds comments to the upgrade documentation to advise users to rerun renew-crypto if they update to 2.12.5. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch updates the NEWS file to advise users to rerun renew-crypto after an update to 2.12.5. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This updates the gnt-cluster man page wrt the changes about server and client certificates and how they affect the operation 'gnt-cluster renew-crypto'. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
Since from this patch series on, there should be no self-signed certificates in a cluster anymore, add a warning to cluster-verify to nag people to renew their certificates. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch adds a few checks which ensure that all files necessary for proper SSL communication are in place before noded is started on the master node. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This is a small patch cleaning up some things in the composition of the pycurl object for RPC calls. For example, it removes some superfluous 'str' and increases the logging level to warning when the server cert is used. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
Since now the server certificates are copied in their own dedicated function, remove adding their file name in the general function for renewing crypto tokens. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch enables the user to add --debug and/or --verbose to the call of 'renew-crypto'. This way, more output is shown to debug SSL problems more easily. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch adds logging of the filename and the digest of the certificate which is loaded by noded on startup. This will help debugging SSL problems as it will make clear whether or not the noded is still using a stale/replaced/old server certificate after a renewal. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
When running the QA, we copy the rapi certificate to the machine which steers the QA to use it later in the QA for testing RAPI calls. However, before we get to that part of the QA, the rapi certificate is replaced when 'gnt-renew crypto' is called. This patch makes sure that the new rapi certificate is copied to the steering machine so that later RAPI calls do not fail. It remains mysterious how this worked before. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch makes prepare_node_join use some of the functions that were moved to tools/common.py. The respective unittests are removed, because they are already tested in common_unittest.py. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch removes the code for renewing the master nodes' client certificate using SSL. This is no longer needed, as the master nodes' certificate is created in gnt_cluster.py already. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch adds a few steps to bootstrap.py. After the creation of the server (cluster) certificate and the master node's client certificate, the digest of that client certificate is added to the configuration and, by an update of the configuration, written to the ssconf_master_candidates_certs file. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
During a renew-crypto operation, all nodes will create new client certificates. Afterwards, the fingerprints (digests) of the master candidate nodes need to be collected and added to the configuration. This is done by an RPC call, which will succeed as the master node's certificate digest was propagated to the nodes before. This also removes two unittests which are no longer necessary, because there will be no RPC call from the master to itself anymore. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
Noded uses the constant "bootstrap" when starting without client certificates. This patch moves the constant to Constants.hs. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
So far, the client certificate of a node that is added to the cluster was created in LUNodeAdd using an RPC call. This is now simplified by creating the certificate already in tools/node_daemon_setup.py and only retrieving its fingerprint by RPC to add it to the configuration. This simplifies the backend function to only reading the fingerprint instead of creating the certificate. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
So far, the generation of client certificates was only called from ssl_update.py, used when calling 'gnt-cluster renew-crypto'. This patch moves the function from ssl_update.py to tools/common.py, because it will also be needed by prepare_node_join.py when adding nodes (see next patch in the series). Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
So far, the cluster certificate and the individual node certificate could be renewed independently of each other. This is no longer possible, because when renewing the server certificate, all node certificates need to be renewed as well, because they are signed by the server certificate. This patch couples the two operations together. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch extends bootstrap.py to not only create the cluster certificate but also the master node's client certificate. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
This patch integrates renewing the client certificate of non-master nodes using the new ssl_update tool. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
For the new renew-crypto operation, we need to run functions while most of the daemons are stopped, except for WConfd. This refactors our code a bit and generalizes the method that runs functions while *all* daemons are stopped to one that accepts a list of daemons to not be stopped. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
For post-mortems, let's make a backup of the client certificates before renewing them. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
In order to renew client certificates via SSH (rather than on the fly via SSL as it was before), we need a new tool which can be called on remote nodes via SSH. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
So far, all our SSL certificates were self-signed. As from this patch series on, client certificates will be signed by the cluster certificate, we need a utility function for creation of not self-signed certificates. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
Helga Velroyen authored
We will need some functions from tools/common.py, which are only present from 2.13 on. Unfortunately, there were no clear commits for that, so cherry-picking is not an option. This patch simply copies the file and one has to be careful with the next merge. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
-
- 03 Jul, 2015 6 commits
-
-
Helga Velroyen authored
So far, Ganeti did only care about DSA and RSA host keys. With the rising popularity of ECDSA, we should support this key type as well, as it is already enabled by default in many common distributions. This fixes Issue 1098. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Helga Velroyen authored
.. to reflect the relationship between the RAPI daemon's -b option and the watcher's --rapi-ip option. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Helga Velroyen authored
Per default, the RAPI daemon binds to 0.0.0.0 when being started. This means it serves from any IP the machine is configured for. This works well together with the watcher which always polls the RAPI daemons on 127.0.0.1 and restarts it when it is not reachable. If a user decides to start the RAPI daemon with a particular IP other than 127.0.0.1 (using the option -b, for example set in /etc/default/ganeti), RAPI will only serve from that IP and thus it will not be reachable from 127.0.0.1. Since the watcher only polls on this IP, it will inevitably fail to connect to the RAPI daemon and thus restart it every five minutes. To solve this, this patch adds an option --rapi-ip to the watcher. Whenever -b of the RAPI daemon is set, the watcher needs to be fed the same IP with --rapi-ip (which means editing /etc/cron.d/ganeti for example). This is not optimal regarding user experience (as it is easy to forget one of the two places), but the alternative would be to make this a ganeti configuration parameter which is fed to both, RAPI daemon and watcher, but this would be significantly more effort for this relatively rarely used feature. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Petr Pudlak <pudlak@google.com>
-
Petr Pudlak authored
Signed-off-by:
Petr Pudlak <pudlak@google.com> Reviewed-by:
Helga Velroyen <helgav@google.com>
-
Petr Pudlak authored
.. since the communication takes place on non-master nodes. This ensures the client properly retries if there is a communication failure. Signed-off-by:
Petr Pudlak <pudlak@google.com> Reviewed-by:
Helga Velroyen <helgav@google.com>
-
Petr Pudlak authored
If the configuration client is opened in the 'accept_foreign' mode, meaning it is running on a non-master node temporarily, the option needs to be propagated to the RPC client as well. This fixes issue #1115. Signed-off-by:
Petr Pudlak <pudlak@google.com> Reviewed-by:
Helga Velroyen <helgav@google.com>
-