Alon Bar-Lev has uploaded a new change for review. Change subject: pki: re-create truststore during upgrade ......................................................................
pki: re-create truststore during upgrade
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=976671
Change-Id: I618eaa422e21a7ae9c4af2584f37cee89e516771
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M packaging/fedora/setup/engine-upgrade.py
1 file changed, 27 insertions(+), 2 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/11/16011/1
diff --git a/packaging/fedora/setup/engine-upgrade.py b/packaging/fedora/setup/engine-upgrade.py
index 64c1501..4de1bfe 100755
--- a/packaging/fedora/setup/engine-upgrade.py
+++ b/packaging/fedora/setup/engine-upgrade.py
@@ -100,6 +100,7 @@
 (basedefs.DB_PASS_FILE, basedefs.ORIG_PASS_FILE)
 MSG_ERROR_FAILED_CONVERT_ENGINE_KEY = "Error: Can't convert engine key to PKCS#12 format"
 MSG_ERROR_FAILED_SYNTHESIS_ENGINE_KEY = "Error: Can't synthesis engine key to PKCS#12 format"
+MSG_ERROR_FAILED_CREATE_TRUSTSTORE = "Error: Can't create trust store"
 MSG_ERROR_SSH_KEY_SYMLINK = "Error: SSH key should not be symlink"
 MSG_ERROR_UUID_VALIDATION_FAILED = (
 "Pre-upgade host UUID validation failed\n"
@@ -472,8 +473,11 @@
 JKSKEYSTORE = "/etc/pki/ovirt-engine/.keystore"
 TMPAPACHECONF = basedefs.FILE_HTTPD_SSL_CONFIG + ".tmp"
+ TMPTRUSTSTORE = basedefs.FILE_TRUSTSTORE + ".tmp"
 def prepare(self):
+ mask = [basedefs.CONST_KEY_PASS]
+
 if os.path.exists(self.JKSKEYSTORE):
 logging.debug("PKI: convert JKS to PKCS#12")
@@ -482,8 +486,6 @@
 fd, tmpPKCS12 = tempfile.mkstemp()
 os.close(fd)
 os.unlink(tmpPKCS12) # java does not like empty files as keystore
-
- mask = [basedefs.CONST_KEY_PASS]
 cmd = [
 basedefs.EXEC_KEYTOOL,
@@ -564,6 +566,25 @@
 except OSError:
 logging.error("PKI: Cannot dup ca for jboss")
 raise
+
+ # re-create truststore see rhbz#976671
+ logging.debug('Converting truststore')
+ if os.path.exists(self.TMPTRUSTSTORE):
+ os.unlink(self.TMPTRUSTSTORE)
+ cmd = [
+ basedefs.EXEC_KEYTOOL,
+ "-import",
+ "-noprompt",
+ "-keystore", self.TMPTRUSTSTORE,
+ "-storepass", basedefs.CONST_KEY_PASS,
+ "-keypass", basedefs.CONST_KEY_PASS,
+ "-alias", "cacert",
+ "-trustcacerts",
+ "-file", basedefs.FILE_CA_CRT_SRC,
+ ]
+ utils.execCmd(cmdList=cmd, maskList=mask, failOnError=True, msg=MSG_ERROR_FAILED_CREATE_TRUSTSTORE)
+ os.chmod(self.TMPTRUSTSTORE, 0644)
+
 logging.debug('Checking if Apache proxy was already enabled')
 conf_file = basedefs.FILE_ENGINE_CONF_PROTOCOLS
 if not os.path.exists(conf_file):
@@ -598,6 +619,8 @@
 def commit(self):
 if os.path.exists(self.TMPAPACHECONF):
 shutil.move(self.TMPAPACHECONF, basedefs.FILE_HTTPD_SSL_CONFIG)
+ if os.path.exists(self.TMPTRUSTSTORE):
+ shutil.move(self.TMPTRUSTSTORE, basedefs.FILE_TRUSTSTORE)
 utils.editEngineSysconfigPKI(
 pkidir=basedefs.DIR_OVIRT_PKI,
@@ -632,6 +655,8 @@
 os.remove(f)
 except OSError:
 logging.error("PKI: cannot remove '%s'" % f)
+ if os.path.exists(self.TMPTRUSTSTORE):
+ os.remove(self.TMPTRUSTSTORE)
 def stopEngine(service=basedefs.ENGINE_SERVICE_NAME):
 logging.debug("stopping %s service.", service)
--
To view, visit http://gerrit.ovirt.org/16011
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I618eaa422e21a7ae9c4af2584f37cee89e516771
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
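Review bot: The new truststore in the first hunk is built from basedefs.FILE_CA_CRT_SRC alone, so once commit() moves TMPTRUSTSTORE over FILE_TRUSTSTORE any other trusted entries that may be present in the existing store are discarded; if that is the intent, the comment should state it, e.g. `# re-create truststore from the engine CA only; other entries in the old store are dropped (rhbz#976671)`. Because the store is created fresh here, the `-import -trustcacerts` call adds a trusted-certificate entry, for which `-keypass` has no effect, so `"-keypass", basedefs.CONST_KEY_PASS,` can be dropped from the argument list. The debug message `'Converting truststore'` also describes a conversion while the comment and the commit subject call it a re-creation; `logging.debug('Re-creating truststore')` would match. prepare() starts and ends outside this hunk.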
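Review bot: The `os.remove(self.TMPTRUSTSTORE)` added at the end of the last hunk has no OSError handling, unlike the loop directly above it that logs `PKI: cannot remove '%s'` and carries on, so a removal failure here would abort the cleanup path instead of being reported. Appending TMPTRUSTSTORE to the list that loop iterates (its definition lies above the hunk) would give it the same best-effort handling; otherwise wrap the call the same way: `try: os.remove(self.TMPTRUSTSTORE)` / `except OSError: logging.error("PKI: cannot remove '%s'" % self.TMPTRUSTSTORE)`. The enclosing method starts outside this hunk.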