Commit af4be19c authored by Helga Velroyen's avatar Helga Velroyen

Renew-crypto: propagate verbose and debug option

This patch enables the user to add --debug and/or --verbose
to the call of 'renew-crypto'. This way, more output is
shown, which makes SSL problems easier to debug.
Signed-off-by: default avatarHelga Velroyen <helgav@google.com>
Reviewed-by: default avatarKlaus Aehlig <aehlig@google.com>
parent 4a4da093
......@@ -2941,7 +2941,8 @@ class _RunWhileDaemonsStoppedHelper(object):
"""
def __init__(self, feedback_fn, cluster_name, master_node,
online_nodes, ssh_ports, exclude_daemons):
online_nodes, ssh_ports, exclude_daemons, debug,
verbose):
"""Initializes this class.
@type feedback_fn: callable
......@@ -2958,6 +2959,10 @@ class _RunWhileDaemonsStoppedHelper(object):
@param exclude_daemons: list of daemons to shutdown
@param exclude_daemons: list of daemons that will be restarted after
all others are shutdown
@type debug: boolean
@param debug: show debug output
@type verbose: boolesn
@param verbose: show verbose output
"""
self.feedback_fn = feedback_fn
......@@ -2972,6 +2977,8 @@ class _RunWhileDaemonsStoppedHelper(object):
if name != master_node]
self.exclude_daemons = exclude_daemons
self.debug = debug
self.verbose = verbose
assert self.master_node not in self.nonmaster_nodes
......@@ -3060,7 +3067,7 @@ class _RunWhileDaemonsStoppedHelper(object):
watcher_block.Close()
def RunWhileDaemonsStopped(feedback_fn, exclude_daemons, fn, *args):
def RunWhileDaemonsStopped(feedback_fn, exclude_daemons, fn, *args, **kwargs):
"""Calls a function while all cluster daemons are stopped.
@type feedback_fn: callable
......@@ -3090,9 +3097,12 @@ def RunWhileDaemonsStopped(feedback_fn, exclude_daemons, fn, *args):
if exclude_daemons is None:
exclude_daemons = []
debug = kwargs.get("debug", False)
verbose = kwargs.get("verbose", False)
return _RunWhileDaemonsStoppedHelper(
feedback_fn, cluster_name, master_node, online_nodes, ssh_ports,
exclude_daemons).Call(fn, *args)
exclude_daemons, debug, verbose).Call(fn, *args)
def RunWhileClusterStopped(feedback_fn, fn, *args):
......
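Review bot: `RunWhileDaemonsStopped` now accepts `**kwargs` but reads only `debug` and `verbose` with `kwargs.get`, so a misspelled or unsupported keyword is silently dropped and the run falls back to the defaults without any error. Consuming the two options and rejecting the rest would make that visible: `debug = kwargs.pop("debug", False)`, `verbose = kwargs.pop("verbose", False)`, then `if kwargs: raise TypeError("Unexpected keyword arguments: %s" % ", ".join(kwargs))`. The function's docstring continues outside the hunk; it should state that the wrapper takes these two keywords itself and does not forward them to `fn`. In the helper's docstring, `@type verbose: boolesn` should read `@type verbose: boolean`.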
......@@ -941,7 +941,7 @@ def _ReadAndVerifyCert(cert_filename, verify_private_key=False):
def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
rapi_cert_filename, new_spice_cert, spice_cert_filename,
spice_cacert_filename, new_confd_hmac_key, new_cds,
cds_filename, force, new_node_cert):
cds_filename, force, new_node_cert, verbose, debug):
"""Renews cluster certificates, keys and secrets.
@type new_cluster_cert: bool
......@@ -967,6 +967,10 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
@param force: Whether to ask user for confirmation
@type new_node_cert: string
@param new_node_cert: Whether to generate new node certificates
@type verbose: boolean
@param verbose: show verbose output
@type debug: boolean
@param debug: show debug output
"""
if new_rapi_cert and rapi_cert_filename:
......@@ -1061,10 +1065,6 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
def _RenewClientCerts(ctx):
ctx.feedback_fn("Updating client SSL certificates.")
# TODO: transport those options outside.
debug = True
verbose = True
cluster_name = ssconf.SimpleStore().GetClusterName()
for node_name in ctx.nonmaster_nodes + [ctx.master_node]:
......@@ -1080,8 +1080,8 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
cluster_name,
node_name,
pathutils.SSL_UPDATE,
debug,
verbose,
ctx.debug,
ctx.verbose,
True, # use cluster key
False, # ask key
True, # strict host check
......@@ -1138,13 +1138,14 @@ def _RenewCrypto(new_cluster_cert, new_rapi_cert, # pylint: disable=R0911
# If only node certficates are recreated, call _RenewClientCerts only.
if new_node_cert and not new_cluster_cert:
RunWhileDaemonsStopped(ToStdout, [constants.NODED, constants.WCONFD],
_RenewClientCerts)
_RenewClientCerts, verbose=verbose, debug=debug)
# If the cluster certificate are renewed, the client certificates need
# to be renewed too.
if new_cluster_cert:
RunWhileDaemonsStopped(ToStdout, [constants.NODED, constants.WCONFD],
_RenewServerAndClientCerts)
_RenewServerAndClientCerts, verbose=verbose,
debug=debug)
ToStdout("All requested certificates and keys have been replaced."
" Running \"gnt-cluster verify\" now is recommended.")
......@@ -1171,7 +1172,9 @@ def RenewCrypto(opts, args):
opts.new_cluster_domain_secret,
opts.cluster_domain_secret,
opts.force,
opts.new_node_cert)
opts.new_node_cert,
opts.verbose,
opts.debug > 0)
def _GetEnabledDiskTemplates(opts):
......@@ -2389,7 +2392,7 @@ commands = {
NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT,
NEW_CLUSTER_DOMAIN_SECRET_OPT, CLUSTER_DOMAIN_SECRET_OPT,
NEW_SPICE_CERT_OPT, SPICE_CERT_OPT, SPICE_CACERT_OPT,
NEW_NODE_CERT_OPT],
NEW_NODE_CERT_OPT, VERBOSE_OPT],
"[opts...]",
"Renews cluster certificates, keys and secrets"),
"epo": (
......
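Review bot: The two new flags travel as adjacent positional booleans in opposite orders: `_RenewCrypto` takes `(..., verbose, debug)`, while `_RunWhileDaemonsStoppedHelper.__init__` and the `pathutils.SSL_UPDATE` call take `debug, verbose`, so a transposition would go unnoticed. Passing them by keyword at the `RenewCrypto` call site, `verbose=opts.verbose, debug=opts.debug > 0`, or using one order throughout, removes that risk. Only `VERBOSE_OPT` is added to the `renew-crypto` entry in `commands`; presumably `--debug` comes from options defined outside the visible hunks, which is worth confirming. Since this path replaces cluster keys and certificates, it is also worth checking that the output enabled by `ctx.debug` in the SSL update run does not include key material; nothing in the hunks shows what that output contains.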
......@@ -275,7 +275,9 @@ $(genOpCode "OpCode"
, ("OpClusterRenewCrypto",
[t| () |],
OpDoc.opClusterRenewCrypto,
[],
[ pVerbose
, pDebug
],
[])
, ("OpQuery",
[t| QueryResponse |],
......
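Review bot: Nothing in the visible Python hunks sets or reads the `verbose` and `debug` fields added to `OpClusterRenewCrypto` here; the flags reach `_RenewClientCerts` through the `RunWhileDaemonsStopped` keyword arguments and `ctx` instead. If the opcode fields are groundwork for a later change, a short comment next to the list would say so, e.g. `-- pVerbose/pDebug: accepted by the opcode, consumer to follow (TODO confirm)`. If nothing is planned to use them, they could be left out until something does. The Python-side opcode definition and any logical unit consuming it are outside this page, so this may already be handled there.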
......@@ -99,6 +99,7 @@ module Ganeti.OpParams
, pBackupCompress
, pStartupPaused
, pVerbose
, pDebug
, pDebugSimulateErrors
, pErrorCodes
, pSkipChecks
......@@ -554,6 +555,11 @@ pVerbose =
withDoc "Verbose mode" $
defaultFalse "verbose"
pDebug :: Field
pDebug =
withDoc "Debug mode" $
defaultFalse "debug"
pOptGroupName :: Field
pOptGroupName =
withDoc "Optional group name" .
......
......@@ -157,7 +157,8 @@ instance Arbitrary OpCodes.OpCode where
"OP_TAGS_DEL" ->
arbitraryOpTagsDel
"OP_CLUSTER_POST_INIT" -> pure OpCodes.OpClusterPostInit
"OP_CLUSTER_RENEW_CRYPTO" -> pure OpCodes.OpClusterRenewCrypto
"OP_CLUSTER_RENEW_CRYPTO" -> OpCodes.OpClusterRenewCrypto <$>
arbitrary <*> arbitrary
"OP_CLUSTER_DESTROY" -> pure OpCodes.OpClusterDestroy
"OP_CLUSTER_QUERY" -> pure OpCodes.OpClusterQuery
"OP_CLUSTER_VERIFY" ->
......