Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: PKI fixes ......................................................................
packaging: setup: PKI fixes Change-Id: I74f44c46e6720ca8c62af1afa6df4a5d7c013b49 Signed-off-by: Yedidyah Bar David <d...@redhat.com> --- M src/ovirt_hosted_engine_setup/constants.py M src/ovirt_hosted_engine_setup/mixins.py M src/plugins/ovirt-hosted-engine-setup/core/conf.py M src/plugins/ovirt-hosted-engine-setup/pki/vdsmpki.py M src/plugins/ovirt-hosted-engine-setup/system/vdsmenv.py 5 files changed, 127 insertions(+), 21 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-hosted-engine-setup refs/changes/42/25142/1
diff --git a/src/ovirt_hosted_engine_setup/constants.py b/src/ovirt_hosted_engine_setup/constants.py
index 8558338..345b74b 100644
--- a/src/ovirt_hosted_engine_setup/constants.py
+++ b/src/ovirt_hosted_engine_setup/constants.py
@@ -136,6 +136,19 @@ 'vdsm', 'vdsm-gencerts.sh' ) + VDSM_CA_CERT = os.path.join( + SYSCONFDIR, + 'pki', + 'vdsm', + 'certs' + 'cacert.pem' + ) + SYS_CA_CERT = os.path.join( + SYSCONFDIR, + 'pki', + 'CA', + 'cacert.pem' + ) VDSMCERT = os.path.join( SYSCONFDIR, 'pki',
@@ -143,24 +156,57 @@ 'certs' 'vdsmcert.pem' ) + VDSMKEY = os.path.join( + SYSCONFDIR, + 'pki', + 'vdsm', + 'keys' + 'vdsmkey.pem' + ) VDSM_CONF = os.path.join( SYSCONFDIR, 'vdsm', 'vdsm.conf' ) - LIBVIRT_SERVER_CERT = os.path.join( + LIBVIRT_SPICE_SERVER_CERT = os.path.join( SYSCONFDIR, 'pki', 'vdsm', 'libvirt-spice', 'server-cert.pem' ) - LIBVIRT_CA_CERT = os.path.join( + LIBVIRT_SPICE_CA_CERT = os.path.join( SYSCONFDIR, 'pki', 'vdsm', 'libvirt-spice', 'ca-cert.pem' + ) + LIBVIRT_CLIENT_CERT = os.path.join( + SYSCONFDIR, + 'pki', + 'libvirt', + 'clientcert.pem' + ) + LIBVIRT_CLIENT_KEY = os.path.join( + SYSCONFDIR, + 'pki', + 'libvirt', + 'private', + 'clientkey.pem' + ) + LIBVIRT_SERVER_CERT = os.path.join( + SYSCONFDIR, + 'pki', + 'libvirt', + 'servercert.pem' + ) + LIBVIRT_SERVER_KEY = os.path.join( + SYSCONFDIR, + 'pki', + 'libvirt', + 'private', + 'serverkey.pem' ) LIBVIRT_QEMU_CONF = os.path.join( SYSCONFDIR, 
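Review bot: In the `@@ -136,6 +136,19 @@` hunk, `VDSM_CA_CERT` has no comma after `'certs'`, so the two adjacent literals are joined and `os.path.join` receives `'certscacert.pem'` as its last component — the constant points at a file that never exists; `VDSMKEY` in the next hunk has the same problem after `'keys'`, giving `'keysvdsmkey.pem'`. Add the missing commas, `'certs',` and `'keys',`, so the paths end in `certs/cacert.pem` and `keys/vdsmkey.pem`; as written, the copy step in vdsmpki.py that reads these constants will fail on a missing source. The unchanged `VDSMCERT` context above `VDSMKEY` shows the same `'certs' 'vdsmcert.pem'` shape and appears to carry the same defect, which could be fixed in the same change. `SYS_CA_CERT` resolves under `SYSCONFDIR` to the system-wide `pki/CA/cacert.pem`, which other consumers of that directory may rely on; a comment stating that it is deliberately replaced would help, e.g. `# system-wide CA path, overwritten with the vdsm CA on purpose`.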
@@ -483,6 +529,12 @@ @ohostedattrs( answerfile=True, + ) + def CA_SUBJECT(self): + return 'OVEHOSTED_VDSM/caSubject' + + @ohostedattrs( + answerfile=True, summary=True, description=_('CPU Type'), )
@@ -566,6 +618,7 @@ VDSMD_CONF_LOADED = 'ohosted.vdsm.conf.loaded' HOST_ADDED = 'ohosted.engine.host.added' HA_START = 'ohosted.engine.ha.start' + VDSM_LIBVIRT_CONFIGURED = 'ohosted.vdsm.libvirt.configured' DIALOG_TITLES_S_VM = 'ohosted.dialog.titles.vm.start' DIALOG_TITLES_E_VM = 'ohosted.dialog.titles.vm.end'
@@ -595,6 +648,7 @@ DEFAULT_BRIDGE_IF = 'em1' DEFAULT_BRIDGE_NAME = 'ovirtmgmt' DEFAULT_PKI_SUBJECT = '/C=EN/L=Test/O=Test/CN=Test' + DEFAULT_CA_SUBJECT = '/C=EN/L=Test/O=Test/CN=TestCA' # must be != above DEFAULT_VM_PASSWD_VALIDITY_SECS = "10800" # 3 hours to for engine install DEFAULT_VM_VCPUS = 2 # based on minimum requirements. DEFAULT_SSHD_PORT = 22
diff --git a/src/ovirt_hosted_engine_setup/mixins.py b/src/ovirt_hosted_engine_setup/mixins.py
index a8d4dbc..ad2029b 100644
--- a/src/ovirt_hosted_engine_setup/mixins.py
+++ b/src/ovirt_hosted_engine_setup/mixins.py
@@ -102,7 +102,7 @@ '"{password}" to connect to spice console.' ).format( remote=self.command.get('remote-viewer'), - ca_cert=ohostedcons.FileLocations.LIBVIRT_CA_CERT, + ca_cert=ohostedcons.FileLocations.LIBVIRT_SPICE_CA_CERT, subject=self.environment[ohostedcons.VDSMEnv.SPICE_SUBJECT], password=self.environment[ ohostedcons.VMEnv.VM_PASSWD
diff --git a/src/plugins/ovirt-hosted-engine-setup/core/conf.py b/src/plugins/ovirt-hosted-engine-setup/core/conf.py
index 456edb2..68f6d05 100644
--- a/src/plugins/ovirt-hosted-engine-setup/core/conf.py
+++ b/src/plugins/ovirt-hosted-engine-setup/core/conf.py
@@ -85,7 +85,7 @@ '@CONNECTION_UUID@': self.environment[ ohostedcons.StorageEnv.CONNECTION_UUID ], - '@CA_CERT@': ohostedcons.FileLocations.LIBVIRT_CA_CERT, + '@CA_CERT@': ohostedcons.FileLocations.LIBVIRT_SPICE_CA_CERT, '@CA_SUBJECT@': self.environment[ ohostedcons.VDSMEnv.SPICE_SUBJECT ], 
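Review bot: In the `@@ -595,6 +648,7 @@` hunk of constants.py the comment `# must be != above` on `DEFAULT_CA_SUBJECT` states a constraint that nothing in this change enforces: `CA_SUBJECT` becomes an answer-file key in the `@@ -483,6 +529,12 @@` hunk, so a user can set it equal to `PKI_SUBJECT`, and only the two defaults happen to differ. Presumably the reason is that a certificate whose subject equals its issuer's subject looks self-signed to chain verification; the comment should say so, e.g. `# must differ from DEFAULT_PKI_SUBJECT: a cert whose subject equals its issuer's is treated as self-signed and fails verification`. A validation-stage check in the pki plugin that the two environment values differ would make the constraint hold for answer-file input as well.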
diff --git a/src/plugins/ovirt-hosted-engine-setup/pki/vdsmpki.py b/src/plugins/ovirt-hosted-engine-setup/pki/vdsmpki.py
index 8cf5e4c..03c5022 100644
--- a/src/plugins/ovirt-hosted-engine-setup/pki/vdsmpki.py
+++ b/src/plugins/ovirt-hosted-engine-setup/pki/vdsmpki.py
@@ -67,6 +67,34 @@ raiseOnError=True ) + def _safecopy(self, s, d): + suffix = datetime.datetime.now().strftime('%Y%m%d%H%M%S'), + if os.path.exists(d): + os.rename(d, "%s.%s" % (d, suffix)) + shutil.copyfile(s, d) + + def _copy_vdsm_pki(self): + for s, d in { + ohostedcons.FileLocations.VDSM_CA_CERT: + ohostedcons.FileLocations.SYS_CA_CERT, + ohostedcons.FileLocations.VDSMCERT: + ohostedcons.FileLocations.LIBVIRT_CLIENT_CERT, + ohostedcons.FileLocations.VDSMKEY: + ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY, + ohostedcons.FileLocations.LIBVIRT_CLIENT_CERT: + ohostedcons.FileLocations.LIBVIRT_SERVER_CERT, + ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY: + ohostedcons.FileLocations.LIBVIRT_SERVER_KEY, + }.items(): + self._safecopy(s, d) + os.chown(d, 0, 0) + + for f in ( + ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY, + ohostedcons.FileLocations.LIBVIRT_SERVER_KEY, + ): + os.chmod(f, 0o600) + def _getSPICEcerts(self): subject = None rc, stdout, stderr = self.execute(
@@ -75,7 +103,7 @@ 'x509', '-noout', '-text', - '-in', ohostedcons.FileLocations.LIBVIRT_SERVER_CERT + '-in', ohostedcons.FileLocations.LIBVIRT_SPICE_SERVER_CERT ), raiseOnError=True )
@@ -95,7 +123,6 @@ self.logger.info(_('Generating libvirt-spice certificates')) self._tmpdir = tempfile.mkdtemp() expire = '1095' # FIXME: configurable? - subj = self.environment[ohostedcons.VDSMEnv.PKI_SUBJECT] # FIXME: configurable? for key in ('ca-key.pem', 'server-key.pem'): self.execute(
@@ -116,7 +143,7 @@ '-days', expire, '-key', os.path.join(self._tmpdir, 'ca-key.pem'), '-out', os.path.join(self._tmpdir, 'ca-cert.pem'), - '-subj', subj + '-subj', self.environment[ohostedcons.VDSMEnv.CA_SUBJECT] ), raiseOnError=True ) 
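Review bot: The copy chain in `_copy_vdsm_pki` (hunk `@@ -67,6 +67,34 @@`) is order-dependent — `LIBVIRT_SERVER_CERT` and `LIBVIRT_SERVER_KEY` are copied from `LIBVIRT_CLIENT_CERT` and `LIBVIRT_CLIENT_KEY`, which are themselves the targets of earlier pairs — yet it iterates a dict literal, whose order is not guaranteed on the Python versions this project is likely to run on, so a first run may attempt the server copies before their sources exist and a re-run may copy the previous client files before they are refreshed. Use an ordered sequence of `(src, dst)` pairs, as below. In `_safecopy` the trailing comma on `suffix = datetime.datetime.now().strftime('%Y%m%d%H%M%S'),` makes `suffix` a one-element tuple, so backups are named like `<d>.('20140101120000',)`; drop the comma. `shutil.copyfile` creates the new private-key files with the process umask and the `0o600` chmod runs only after all five copies, while the renamed `*.<timestamp>` backups of the old keys keep whatever mode they had; chmod each key right after it is written and decide what mode the backups should have. Whether `datetime` and `shutil` are imported at the top of vdsmpki.py is outside this hunk.
```python
    def _safecopy(self, s, d):
        suffix = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
        # … unchanged: rename existing target, copyfile …

    def _copy_vdsm_pki(self):
        private_keys = (
            ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY,
            ohostedcons.FileLocations.LIBVIRT_SERVER_KEY,
        )
        # Ordered on purpose: the libvirt server files are copied from the
        # client files written by the pairs before them.
        for s, d in (
            (ohostedcons.FileLocations.VDSM_CA_CERT,
             ohostedcons.FileLocations.SYS_CA_CERT),
            (ohostedcons.FileLocations.VDSMCERT,
             ohostedcons.FileLocations.LIBVIRT_CLIENT_CERT),
            (ohostedcons.FileLocations.VDSMKEY,
             ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY),
            (ohostedcons.FileLocations.LIBVIRT_CLIENT_CERT,
             ohostedcons.FileLocations.LIBVIRT_SERVER_CERT),
            (ohostedcons.FileLocations.LIBVIRT_CLIENT_KEY,
             ohostedcons.FileLocations.LIBVIRT_SERVER_KEY),
        ):
            self._safecopy(s, d)
            os.chown(d, 0, 0)
            if d in private_keys:
                # restrict the key as soon as it exists, not after all copies
                os.chmod(d, 0o600)
```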
@@ -127,7 +154,7 @@ '-new', '-key', os.path.join(self._tmpdir, 'server-key.pem'), '-out', os.path.join(self._tmpdir, 'server-key.csr'), - '-subj', subj + '-subj', self.environment[ohostedcons.VDSMEnv.PKI_SUBJECT] ), raiseOnError=True )
@@ -147,7 +174,7 @@ ) pem_files = glob.glob(os.path.join(self._tmpdir, '*.pem')) cert_dir = os.path.dirname( - ohostedcons.FileLocations.LIBVIRT_SERVER_CERT + ohostedcons.FileLocations.LIBVIRT_SPICE_SERVER_CERT ) if not os.path.exists(cert_dir): os.makedirs(cert_dir)
@@ -164,6 +191,19 @@ ohostedcons.VDSMEnv.KVM_GID ] ) + rc, stdout, stderr = self.execute( + ( + self.command.get('restorecon'), + '-r', + cert_dir + ) + ) + if rc != 0: + self.logger.error( + _('Failed to refresh SELINUX context for {path}').format( + path=cert_dir + ) + ) @plugin.event( stage=plugin.Stages.STAGE_INIT,
@@ -172,6 +212,10 @@ self.environment.setdefault( ohostedcons.VDSMEnv.PKI_SUBJECT, ohostedcons.Defaults.DEFAULT_PKI_SUBJECT + ) + self.environment.setdefault( + ohostedcons.VDSMEnv.CA_SUBJECT, + ohostedcons.Defaults.DEFAULT_CA_SUBJECT ) self.environment.setdefault( ohostedcons.VDSMEnv.SPICE_SUBJECT, 
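Review bot: In the `@@ -164,6 +191,19 @@` hunk the `rc != 0` branch after the `restorecon` call is likely unreachable: `self.execute` is called without `raiseOnError`, and if it keeps otopi's default of raising on a non-zero exit status the exception fires before `rc` is inspected, which contradicts the log-and-continue intent of the branch. Pass it explicitly, `raiseOnError=False,` after the argument tuple, so a failed relabel is logged as written. The detection of `restorecon` is added in a later hunk; check what `self.command.get('restorecon')` yields when the binary was not found, since a missed relabel leaves the freshly written certificates with the wrong SELinux context and the code would then silently continue. The enclosing `_generateSPICEcerts` begins outside this hunk.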
@@ -186,24 +230,31 @@ # remove when we understand how to replace the openssl command # with m2crypto code self.command.detect('openssl') + self.command.detect('restorecon') + + @plugin.event( + stage=plugin.Stages.STAGE_LATE_SETUP, + name=ohostedcons.Stages.VDSMD_PKI, + before=( + ohostedcons.Stages.VDSM_LIBVIRT_CONFIGURED, + ), + ) + def _late_setup(self): + if not os.path.exists(ohostedcons.FileLocations.VDSMCERT): + self._generateVDSMcerts() + self._copy_vdsm_pki() + if not os.path.exists( + ohostedcons.FileLocations.LIBVIRT_SPICE_SERVER_CERT + ): + self._generateSPICEcerts() + self._getSPICEcerts() @plugin.event( stage=plugin.Stages.STAGE_VALIDATION, ) def _validation(self): - if os.path.exists(ohostedcons.FileLocations.LIBVIRT_SERVER_CERT): + if os.path.exists(ohostedcons.FileLocations.LIBVIRT_SPICE_SERVER_CERT): self._getSPICEcerts() - - @plugin.event( - stage=plugin.Stages.STAGE_MISC, - name=ohostedcons.Stages.VDSMD_PKI, - ) - def _misc(self): - if not os.path.exists(ohostedcons.FileLocations.VDSMCERT): - self._generateVDSMcerts() - if not os.path.exists(ohostedcons.FileLocations.LIBVIRT_SERVER_CERT): - self._generateSPICEcerts() - self._getSPICEcerts() @plugin.event( stage=plugin.Stages.STAGE_CLEANUP,
diff --git a/src/plugins/ovirt-hosted-engine-setup/system/vdsmenv.py b/src/plugins/ovirt-hosted-engine-setup/system/vdsmenv.py
index a14bb23..837bac1 100644
--- a/src/plugins/ovirt-hosted-engine-setup/system/vdsmenv.py
+++ b/src/plugins/ovirt-hosted-engine-setup/system/vdsmenv.py 
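Review bot: `_late_setup` in the `@@ -186,24 +230,31 @@` hunk moves certificate generation and the new `_copy_vdsm_pki()` call from the MISC stage to `STAGE_LATE_SETUP`, which in otopi's stage order runs before customization and validation, so the host's PKI directories are rewritten — existing files renamed to timestamped backups, new ones chowned and chmodded — before the user has confirmed anything and before validation can reject the run. If the `before=VDSM_LIBVIRT_CONFIGURED` ordering against the vdsmenv late-setup event is the reason for the move, say so in a comment on `_late_setup`, e.g. `# Runs in LATE_SETUP (before validation) because the vdsmenv late-setup event needs the PKI in place; this modifies /etc/pki on the host early`, or keep the file writes in a later stage ordered before that event. `_copy_vdsm_pki()` is also called unconditionally, so every run creates a fresh set of backups even when nothing changed; guarding it on a real difference would avoid accumulating old key copies. `_late_setup` always ends with `self._getSPICEcerts()`, so the surviving call in `_validation` parses the same certificate a second time and one of the two can go.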
@@ -115,6 +115,7 @@ @plugin.event( stage=plugin.Stages.STAGE_LATE_SETUP, + name=ohostedcons.Stages.VDSM_LIBVIRT_CONFIGURED, after=( ohostedcons.Stages.VDSMD_CONF_LOADED, ), -- To view, visit http://gerrit.ovirt.org/25142 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I74f44c46e6720ca8c62af1afa6df4a5d7c013b49 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-hosted-engine-setup Gerrit-Branch: master Gerrit-Owner: Yedidyah Bar David <d...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches