Alon Bar-Lev has uploaded a new change for review. Change subject: packaging: setup: add websocket proxy configuration ......................................................................
packaging: setup: add websocket proxy configuration

configuration of websocket proxy on engine machine using setup.

1. enroll certificate.
2. enforce ssl.
3. enforce ticket validation.

Change-Id: I5d5fad4dc61d9c89c4165a74e9922eded483beac
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M Makefile
M packaging/fedora/setup/basedefs.py
M packaging/fedora/setup/engine-setup.py
M packaging/fedora/setup/engine_validators.py
M packaging/fedora/setup/output_messages.py
A packaging/firewalld/base/ovirt-websocket-proxy.xml.in
M packaging/setup/ovirt_engine_setup/config.py.in
M packaging/setup/ovirt_engine_setup/constants.py
M packaging/setup/plugins/ovirt-engine-setup/config/__init__.py
A packaging/setup/plugins/ovirt-engine-setup/config/websocket_proxy.py
10 files changed, 408 insertions(+), 1 deletion(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/14/16014/1

diff --git a/Makefile b/Makefile
index d59a282..9474ed4 100644
--- a/Makefile
+++ b/Makefile
@@ -329,6 +329,7 @@
 	install -m 644 packaging/firewalld/base/ovirt-nfs.xml.in "$(DESTDIR)$(DATA_DIR)/firewalld/base/ovirt-nfs.xml.in"
 	install -m 644 packaging/firewalld/base/ovirt-http.xml.in "$(DESTDIR)$(DATA_DIR)/firewalld/base/ovirt-http.xml.in"
 	install -m 644 packaging/firewalld/base/ovirt-https.xml.in "$(DESTDIR)$(DATA_DIR)/firewalld/base/ovirt-https.xml.in"
+	install -m 644 packaging/firewalld/base/ovirt-websocket-proxy.xml.in "$(DESTDIR)$(DATA_DIR)/firewalld/base/ovirt-websocket-proxy.xml.in"
 	install -m 644 packaging/conf/nfs.sysconfig.in "$(DESTDIR)$(DATA_DIR)/conf"
 	install -m 644 packaging/conf/ovirt-engine-proxy.conf.v2.in "$(DESTDIR)$(DATA_DIR)/conf"
diff --git a/packaging/fedora/setup/basedefs.py b/packaging/fedora/setup/basedefs.py
index be82102..d675d93 100644
--- a/packaging/fedora/setup/basedefs.py
+++ b/packaging/fedora/setup/basedefs.py
@@ -79,6 +79,7 @@
 FILE_CERT_TEMPLATE="%s/cert.template"%(DIR_OVIRT_PKI)
 FILE_ENGINE_CERT="%s/certs/engine.cer"%(DIR_OVIRT_PKI)
 FILE_APACHE_CERT="%s/certs/apache.cer"%(DIR_OVIRT_PKI)
+FILE_WEBSOCKET_PROXY_CERT="%s/certs/websocket-proxy.cer"%(DIR_OVIRT_PKI)
 FILE_JBOSSAS_CONF="/etc/%s/%s.conf" % (ENGINE_SERVICE_NAME, ENGINE_SERVICE_NAME)
 FILE_DB_INSTALL_SCRIPT="engine-db-install.sh"
 FILE_DB_UPGRADE_SCRIPT="upgrade.sh"
@@ -97,7 +98,9 @@
 FILE_ENGINE_KEYSTORE="%s/keys/engine.p12"%(DIR_OVIRT_PKI)
 FILE_APACHE_KEYSTORE="%s/keys/apache.p12"%(DIR_OVIRT_PKI)
 FILE_JBOSS_KEYSTORE="%s/keys/jboss.p12"%(DIR_OVIRT_PKI)
+FILE_WEBSOCKET_PROXY_KEYSTORE="%s/keys/websocket-proxy.p12"%(DIR_OVIRT_PKI)
 FILE_APACHE_PRIVATE_KEY="%s/keys/apache.key.nopass"%(DIR_OVIRT_PKI)
+FILE_WEBSOCKET_PROXY_PRIVATE_KEY="%s/keys/websocket-proxy.key.nopass"%(DIR_OVIRT_PKI)
 FILE_SSH_PRIVATE_KEY="%s/keys/engine_id_rsa"%(DIR_OVIRT_PKI)
 FILE_YUM_VERSION_LOCK="/etc/yum/pluginconf.d/versionlock.list"
 FILE_PSQL_CONF="/var/lib/pgsql/data/postgresql.conf"
@@ -156,6 +159,9 @@
 # engine goes back into normal mode once the upgrade is finished:
 FILE_ENGINE_CONF_MAINTENANCE="%s/99-maintenance.conf" % DIR_ENGINE_CONF
 
+DIR_WEBSOCKET_PROXY_CONF = "/etc/ovirt-engine/ovirt-websocket-proxy.conf.d"
+FILE_WEBSOCKET_PROXY_CONF = "%s/10-setup.conf" % DIR_WEBSOCKET_PROXY_CONF
+
 # ISO FILES
 VIRTIO_WIN_FILE_LIST = [
 "/usr/share/virtio-win/virtio-win_x86.vfd",
@@ -212,6 +218,7 @@
 CONST_BASE_MAC_ADDR="00:1A:4A"
 CONST_DEFAULT_MAC_RANGE="00:1a:4a:16:84:02-00:1a:4a:16:84:fd"
 CONST_MINIMUM_SPACE_ISODOMAIN=350
+CONST_WEBSOCKET_PORXY_PORT=6100
 CONST_HTTP_BASE_PORT="8700"
 CONST_HTTPS_BASE_PORT="8701"
 CONST_AJP_BASE_PORT="8702"
diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py
index 21ece4a..65c555c 100755
--- a/packaging/fedora/setup/engine-setup.py
+++ b/packaging/fedora/setup/engine-setup.py
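Review bot: `CONST_WEBSOCKET_PORXY_PORT=6100` in the -212 hunk misspells "PROXY"; all three consumers in engine-setup.py repeat the same misspelling so it runs, but the name will not be found by anyone grepping for the `ovirt-websocket-proxy` service or for the new-style `DEFAULT_WEBSOCKET_PROXY_PORT` in constants.py. Suggest `CONST_WEBSOCKET_PROXY_PORT=6100` and renaming the uses. It is also an int while the neighbouring `CONST_HTTP_BASE_PORT="8700"` family are strings; whether the firewalld template substitution in engine-setup.py tolerates a non-string value is not visible in this diff, so `"6100"` may be the safer literal.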
@@ -157,6 +157,12 @@
       'steps' : [ { 'title' : output_messages.INFO_UPD_CONF % "Postgresql",
       'functions' : [editPostgresConf] } ]
     },
+    { 'description' : 'Config WebSocket Proxy',
+      'condition' : [utils.compareStrIgnoreCase, controller.CONF["CONFIG_WEBSOCKET_PROXY"], "yes"],
+      'condition_match' : [True],
+      'steps' : [ { 'title' : output_messages.INFO_CFG_WEBSOCKET_PROXY,
+      'functions' : [_configWebSocketProxy] } ]
+    },
     { 'description' : 'Config NFS',
       'condition' : [utils.compareStrIgnoreCase, controller.CONF["CONFIG_NFS"], "yes"],
       'condition_match' : [True],
@@ -433,6 +439,20 @@
       "USE_DEFAULT" : False,
       "NEED_CONFIRM" : False,
       "CONDITION" : False},]
+    ,
+    "WEBSOCKET_PROXY": [
+    { "CMD_OPTION" :"config-websocket-proxy",
+      "USAGE" :output_messages.INFO_CONF_PARAMS_CONFIG_WEBSOCKET_PROXY_USAGE,
+      "PROMPT" :output_messages.INFO_CONF_PARAMS_CONFIG_WEBSOCKET_PROXY_PROMPT,
+      "OPTION_LIST" :["yes","no"],
+      "VALIDATION_FUNC" :validate.validateOptions,
+      "DEFAULT_VALUE" :"yes",
+      "MASK_INPUT" : False,
+      "LOOSE_VALIDATION": False,
+      "CONF_NAME" : "CONFIG_WEBSOCKET_PROXY",
+      "USE_DEFAULT" : False,
+      "NEED_CONFIRM" : False,
+      "CONDITION" : False} ]
     ,
     "NFS": [
     { "CMD_OPTION" :"nfs-mp",
@@ -506,6 +526,12 @@
       "DESCRIPTION" : output_messages.INFO_GRP_LOCAL_DB,
       "PRE_CONDITION" : validate.validateRemoteHost,
       "PRE_CONDITION_MATCH" : False,
+      "POST_CONDITION" : False,
+      "POST_CONDITION_MATCH" : True},
+    { "GROUP_NAME" : "WEBSOCKET_PROXY",
+      "DESCRIPTION" : output_messages.INFO_GRP_WEBSOCKET_PROXY,
+      "PRE_CONDITION" : validate.validateWebSocketProxy,
+      "PRE_CONDITION_MATCH" : True,
       "POST_CONDITION" : False,
       "POST_CONDITION_MATCH" : True},
     { "GROUP_NAME" : "NFS",
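Review bot: The step condition added in the -157 hunk indexes `controller.CONF["CONFIG_WEBSOCKET_PROXY"]` unconditionally, while the -506 hunk gates the whole parameter group behind `validate.validateWebSocketProxy`, so on a host where the `ovirt-websocket-proxy` unit is not installed the key may never be populated. I cannot see from this diff whether the group loader stores a default for a skipped group; if it does not, this is a KeyError at sequence-build time rather than a clean "not configured". `controller.CONF.get("CONFIG_WEBSOCKET_PROXY", "no")` here and in the two firewall checks makes the step safe either way. The surrounding sequence and parameter tables start and end outside these hunks.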
@@ -914,6 +940,8 @@
     # Create Sample configuration files
     _createIptablesConfig()
     firewalld_services = ['ovirt-http', 'ovirt-https']
+    if utils.compareStrIgnoreCase(controller.CONF['CONFIG_WEBSOCKET_PROXY'], 'yes'):
+        firewalld_services.append('ovirt-websocket-proxy')
     if utils.compareStrIgnoreCase(controller.CONF['CONFIG_NFS'], 'yes'):
         firewalld_services.append('ovirt-nfs')
     if basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES in controller.CONF:
@@ -962,7 +990,8 @@
     logging.debug("Creating firewalld configuration")
     services_config = {
         '@HTTP_PORT@': controller.CONF['HTTP_PORT'],
-        '@HTTPS_PORT@': controller.CONF['HTTPS_PORT']
+        '@HTTPS_PORT@': controller.CONF['HTTPS_PORT'],
+        '@WEBSOCKET_PROXY@': basedefs.CONST_WEBSOCKET_PORXY_PORT,
     }
     for service in services:
         template_file = glob.glob(
@@ -1020,6 +1049,12 @@
     for port in [controller.CONF["HTTP_PORT"], controller.CONF["HTTPS_PORT"]]:
         ports.append({
             'port': port,
+            'protocol': ['tcp']
+        })
+
+    if utils.compareStrIgnoreCase(controller.CONF["CONFIG_WEBSOCKET_PROXY"], "yes"):
+        ports.append({
+            'port': basedefs.CONST_WEBSOCKET_PORXY_PORT,
             'protocol': ['tcp']
         })
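Review bot: The substitution key added in the -962 hunk, `'@WEBSOCKET_PROXY@'`, does not match the placeholder used by the new template, which is `@WEBSOCKET_PROXY_PORT@` (ovirt-websocket-proxy.xml.in in this same change), so the legacy setup will emit a firewalld service file whose port attribute is the literal placeholder and firewalld will refuse to load it. The new-style plugin substitutes `'@WEBSOCKET_PROXY_PORT@'`, so the fix is `'@WEBSOCKET_PROXY_PORT@': basedefs.CONST_WEBSOCKET_PORXY_PORT,`. The value is also an int where the two existing entries are strings; if the template loop below does a plain string replace it will need `str(...)`, but that code is outside the hunk.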
@@ -1801,6 +1836,57 @@
         logging.error(traceback.format_exc())
         raise Exception(output_messages.ERR_FAILED_CFG_NFS_SHARE)
 
+def _configWebSocketProxy():
+    utils.execCmd(
+        cmdList=(
+            os.path.join(basedefs.DIR_ENGINE_BIN, "pki-enroll-pkcs12.sh"),
+            "--name=%s" % 'websocket-proxy',
+            "--password=%s" % basedefs.CONST_CA_PASS,
+            "--subject=/C=%s/O=%s/CN=%s" % (
+                basedefs.CONST_CA_COUNTRY,
+                controller.CONF["ORG_NAME"],
+                controller.CONF["HOST_FQDN"],
+            ),
+        ),
+        failOnError=True,
+        msg=output_messages.ERR_RC_CODE,
+        maskList=[basedefs.CONST_CA_PASS],
+    )
+    cmd = [
+        basedefs.EXEC_OPENSSL,
+        "pkcs12",
+        "-in", basedefs.FILE_WEBSOCKET_PROXY_KEYSTORE,
+        "-passin", "pass:" + basedefs.CONST_KEY_PASS,
+        "-nodes",
+        "-nocerts",
+        "-out", basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY
+    ]
+    out, rc = utils.execCmd(cmdList=cmd, failOnError=True, msg=output_messages.ERR_RC_CODE, maskList=[basedefs.CONST_KEY_PASS])
+    os.chmod(basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY, 0600)
+    utils.chownToEngine(basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY)
+
+    with open(basedefs.FILE_WEBSOCKET_PROXY_CONF, 'w') as f:
+        f.write(
+            (
+                "PROXY_PORT={port}\n"
+                "SSL_CERTIFICATE={certificate}\n"
+                "SSL_KEY={key}\n"
+                "FORCE_DATA_VERIFICATION=True\n"
+                "CERT_FOR_DATA_VERIFICATION={engine_cert}\n"
+                "SSL_ONLY=True\n"
+            ).format(
+                port=basedefs.CONST_WEBSOCKET_PORXY_PORT,
+                certificate=basedefs.FILE_WEBSOCKET_PROXY_CERT,
+                key=basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY,
+                engine_cert=basedefs.FILE_ENGINE_CERT,
+            )
+        )
+
+    utils.updateVDCOption("WebSocketProxy", "Engine")
+    service = utils.Service("ovirt-websocket-proxy")
+    service.start()
+    service.autoStart()
+
 def setMaxSharedMemory():
     """
     Check and verify that the kernel.shmmax kernel parameter is above 35mb
diff --git a/packaging/fedora/setup/engine_validators.py b/packaging/fedora/setup/engine_validators.py
index 69fa0e5..5795daf 100644
--- a/packaging/fedora/setup/engine_validators.py
+++ b/packaging/fedora/setup/engine_validators.py
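Review bot: In `_configWebSocketProxy` the unencrypted key is written by `openssl pkcs12 ... -out` under the process umask and only afterwards tightened with `os.chmod(..., 0600)`, so `websocket-proxy.key.nopass` is created 0644 under the usual root umask and is readable by any local user for the window between the two calls. The new-style plugin in this same change avoids that by capturing stdout into a FileTransaction with `mode=0o600`; the legacy path can get the same guarantee by running openssl under `umask 077` (capturing stdout via `execCmd` would instead risk the key landing in the setup log, which the new plugin suppresses with `logStreams=False`). The CA password also travels on the child's command line in `--password=`; `maskList` keeps it out of the log but not out of `/proc/<pid>/cmdline`, which matches the existing enrollment calls but is worth noting. `out, rc` is otherwise unused.
```python
    # … unchanged: enrollment call and cmd list …
    # run openssl under umask 077 so the nopass key is never created
    # world-readable, not even for the instant before os.chmod below
    old_umask = os.umask(0077)
    try:
        out, rc = utils.execCmd(cmdList=cmd, failOnError=True, msg=output_messages.ERR_RC_CODE, maskList=[basedefs.CONST_KEY_PASS])
    finally:
        os.umask(old_umask)
    os.chmod(basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY, 0600)
    utils.chownToEngine(basedefs.FILE_WEBSOCKET_PROXY_PRIVATE_KEY)
    # … unchanged: config file, vdc option, service start …
```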
@@ -377,6 +377,11 @@
         print "\n" + output_messages.ERR_PING + ".\n"
         return False
 
+def validateWebSocketProxy(param, options=[]):
+    ret = utils.Service('ovirt-websocket-proxy').available()
+    logging.debug("validateWebSocketProxy %s", ret)
+    return ret
+
 def _checkDbConnection(dbAdminUser, dbHost, dbPort):
     """ _checkDbConnection checks connection to the DB"""
diff --git a/packaging/fedora/setup/output_messages.py b/packaging/fedora/setup/output_messages.py
index bab9299..5e72467 100644
--- a/packaging/fedora/setup/output_messages.py
+++ b/packaging/fedora/setup/output_messages.py
@@ -40,6 +40,7 @@
 INFO_UPD_RHEVM_CONF="Editing %s Configuration" % basedefs.APP_NAME
 INFO_UPD_CONF="Editing %s Configuration"
 INFO_CFG_NFS="Configuring the Default ISO Domain"
+INFO_CFG_WEBSOCKET_PROXY="Configuring the WebSocket proxy"
 INFO_START_ENGINE="Starting ovirt-engine Service"
 INFO_START_HTTPD="Starting HTTPD Service"
 INFO_CFG_IPTABLES="Configuring Firewall"
@@ -71,6 +72,7 @@
 INFO_GRP_REMOTE_DB="Remote DB parameters"
 INFO_GRP_LOCAL_DB="Local DB parameters"
 INFO_GRP_ISO="ISO Domain parameters"
+INFO_GRP_WEBSOCKET_PROXY="Websocket PRoxy parameters"
 INFO_GRP_IPTABLES="Firewall related parameters"
 
 #_addFinalInfoMsg
@@ -131,6 +133,8 @@
 INFO_CONF_PARAMS_DC_TYPE_PROMPT="The default storage type you will be using "
 INFO_CONF_PARAMS_CONFIG_NFS_USAGE="Whether to configure NFS share on this server to be used as an ISO domain"
 INFO_CONF_PARAMS_CONFIG_NFS_PROMPT="Configure NFS share on this server to be used as an ISO Domain?"
+INFO_CONF_PARAMS_CONFIG_WEBSOCKET_PROXY_PROMPT="Configure WebSocket proxy on this server?"
+INFO_CONF_PARAMS_CONFIG_WEBSOCKET_PROXY_USAGE="Whether to configure WebSocket Porxy on this server"
 INFO_CONF_PARAMS_NFS_MP_USAGE="NFS mount point"
 INFO_CONF_PARAMS_NFS_MP_PROMPT="Local ISO domain path"
 INFO_CONF_PARAMS_NFS_DESC_USAGE="ISO Domain name"
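Review bot: `def validateWebSocketProxy(param, options=[]):` in the -377 hunk uses a mutable list as a default argument; it is harmless here because `options` is never read, but it is the classic Python pitfall and `def validateWebSocketProxy(param, options=None):` keeps the same call signature without it. The function only reports whether the service unit is present, so the debug line would be more useful as `logging.debug("validateWebSocketProxy: ovirt-websocket-proxy service available: %s", ret)`. A short docstring saying it is the PRE_CONDITION for the WEBSOCKET_PROXY parameter group would explain the otherwise unused `param` argument.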
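Review bot: Two user-visible strings added in the -71 and -131 hunks carry typos: `INFO_GRP_WEBSOCKET_PROXY="Websocket PRoxy parameters"` and `INFO_CONF_PARAMS_CONFIG_WEBSOCKET_PROXY_USAGE="Whether to configure WebSocket Porxy on this server"`. These are shown as a group heading in the interactive run and in `--help`, so they should read `"WebSocket proxy parameters"` and `"Whether to configure WebSocket proxy on this server"`, matching the spelling and case used by INFO_CFG_WEBSOCKET_PROXY in the -40 hunk and the PROMPT string.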
diff --git a/packaging/firewalld/base/ovirt-websocket-proxy.xml.in b/packaging/firewalld/base/ovirt-websocket-proxy.xml.in
new file mode 100644
index 0000000..f933502
--- /dev/null
+++ b/packaging/firewalld/base/ovirt-websocket-proxy.xml.in
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>ovirt-websocket-proxy</short>
+  <description>oVirt configured WebSocket Proxy service</description>
+  <port protocol="tcp" port="@WEBSOCKET_PROXY_PORT@"/>
+</service>
diff --git a/packaging/setup/ovirt_engine_setup/config.py.in b/packaging/setup/ovirt_engine_setup/config.py.in
index 177e9b3..bdb7e0d 100644
--- a/packaging/setup/ovirt_engine_setup/config.py.in
+++ b/packaging/setup/ovirt_engine_setup/config.py.in
@@ -21,6 +21,7 @@
 
 ENGINE_SYSCONFDIR = '@ENGINE_ETC@'
 ENGINE_SERVICE_CONFIG = '@ENGINE_VARS@'
+ENGINE_WEBSOCKET_PROXY_CONFIG = '@ENGINE_WSPROXY_VARS@'
 ENGINE_NOTIFIER_SERVICE_CONFIG = '@ENGINE_NOTIFIER_VARS@'
 ENGINE_PKIDIR = '@ENGINE_PKI@'
 ENGINE_DATADIR = '@ENGINE_USR@'
diff --git a/packaging/setup/ovirt_engine_setup/constants.py b/packaging/setup/ovirt_engine_setup/constants.py
index cb301b5..4bcb7c9 100644
--- a/packaging/setup/ovirt_engine_setup/constants.py
+++ b/packaging/setup/ovirt_engine_setup/constants.py
@@ -70,6 +70,7 @@
     OVIRT_ENGINE_LOCALSTATEDIR = config.ENGINE_LOCALSTATEDIR
     OVIRT_ENGINE_TMPDIR = config.ENGINE_TMP
     OVIRT_ENGINE_SERVICE_CONFIG = config.ENGINE_SERVICE_CONFIG
+    OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIG = config.ENGINE_WEBSOCKET_PROXY_CONFIG
     OVIRT_ENGINE_NOTIFIER_SERVICE_CONFIG = \
         config.ENGINE_NOTIFIER_SERVICE_CONFIG
 
@@ -189,6 +190,14 @@
         OVIRT_ENGINE_PKIKEYSDIR,
         'apache.key.nopass',
     )
+    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_STORE = os.path.join(
+        OVIRT_ENGINE_PKIKEYSDIR,
+        'websocket-proxy.p12',
+    )
+    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_KEY = os.path.join(
+        OVIRT_ENGINE_PKIKEYSDIR,
+        'websocket-proxy.key.nopass',
+    )
     OVIRT_ENGINE_PKI_JBOSS_STORE = os.path.join(
         OVIRT_ENGINE_PKIKEYSDIR,
         'jboss.p12',
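Review bot: `ENGINE_WEBSOCKET_PROXY_CONFIG = '@ENGINE_WSPROXY_VARS@'` in config.py.in introduces a new build-time placeholder, but the only Makefile hunk in this change adds the firewalld install line and nothing in the diff defines or substitutes `ENGINE_WSPROXY_VARS`. If the Makefile's substitution list is not extended elsewhere, the installed config.py keeps the literal string and constants.py's `OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIGD` becomes `@ENGINE_WSPROXY_VARS@.d`, so the proxy's `10-setup.conf` is written to a bogus path and the service never sees the SSL/ticket settings. Please either reference the Makefile change that adds the `@ENGINE_WSPROXY_VARS@` substitution next to `@ENGINE_VARS@`, or include it here.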
@@ -204,6 +213,10 @@
     OVIRT_ENGINE_PKI_APACHE_CERT = os.path.join(
         OVIRT_ENGINE_PKICERTSDIR,
         'apache.cer',
+    )
+    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_CERT = os.path.join(
+        OVIRT_ENGINE_PKICERTSDIR,
+        'websocket-proxy.cer',
     )
     OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE = os.path.join(
         OVIRT_ENGINE_PKIDIR,
@@ -248,6 +261,14 @@
     OVIRT_ENGINE_SERVICE_CONFIG_PKI = os.path.join(
         OVIRT_ENGINE_SERVICE_CONFIGD,
         '10-setup-pki.conf',
+    )
+
+    OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIGD = (
+        '%s.d' % OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIG
+    )
+    OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIG_SETUP = os.path.join(
+        OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIGD,
+        '10-setup.conf',
     )
 
     OVIRT_ENGINE_NOTIFIER_SERVICE_CONFIGD = (
@@ -397,6 +418,7 @@
     DEFAULT_NETWORK_JBOSS_HTTPS_PORT = 8443
     DEFAULT_NETWORK_JBOSS_AJP_PORT = 8702
     DEFAULT_NETWORK_JBOSS_DEBUG_ADDRESS = '127.0.0.1:8787'
+    DEFAULT_WEBSOCKET_PROXY_PORT = 6100
     DEFAULT_CONFIG_APPLICATION_MODE = 'Both'
     DEFAULT_CONFIG_STORAGE_TYPE = 'NFS'
 
@@ -699,6 +721,7 @@
     JBOSS_HTTPS_PORT = 'OVESETUP_CONFIG/jbossHttpsPort'
     JBOSS_AJP_PORT = 'OVESETUP_CONFIG/jbossAjpPort'
     JBOSS_DEBUG_ADDRESS = 'OVESETUP_CONFIG/jbossDebugAddress'
+    WEBSOCKET_PROXY_PORT = 'OVESETUP_CONFIG/websocketProxyPort'
 
     MAC_RANGE_POOL = 'OVESETUP_CONFIG/macRangePool'
 
@@ -763,6 +786,14 @@
     FQDN_REVERSE_VALIDATION = 'OVESETUP_CONFIG/fqdnReverseValidation'
     FQDN_NON_LOOPBACK_VALIDATION = 'OVESETUP_CONFIG/fqdnNonLoopback'
 
+    @osetupattrs(
+        answerfile=True,
+        summary=True,
+        description=_('Configure WebSocket Proxy'),
+    )
+    def WEBSOCKET_PROXY_CONFIG(self):
+        return 'OVESETUP_CONFIG/websocketProxyConfig'
+
 
 @util.export
 @util.codegen
diff --git a/packaging/setup/plugins/ovirt-engine-setup/config/__init__.py b/packaging/setup/plugins/ovirt-engine-setup/config/__init__.py
index 9c28248..52d499b 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/config/__init__.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/config/__init__.py
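Review bot: `WEBSOCKET_PROXY_PORT = 'OVESETUP_CONFIG/websocketProxyPort'` in the -699 hunk is a bare environment key with no `@osetupattrs(answerfile=True)`, yet the plugin feeds it to both the firewalld substitution and the `PROXY_PORT=` line of the proxy config. A deployment that overrides the port on the command line will get the default 6100 back on a later answer-file run, so the firewall rule and `10-setup.conf` can drift from what the running service was originally told. If the port is meant to be tunable, give it the same decorator treatment as `WEBSOCKET_PROXY_CONFIG` in the -763 hunk; if it is internal, a one-line comment saying so next to the key would settle the question. The enclosing ConfigEnv class starts and ends outside these hunks.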
@@ -34,6 +34,7 @@
 from . import tools
 from . import iso_domain
 from . import macrange
+from . import websocket_proxy
 
 
 @util.export
@@ -50,6 +51,7 @@
     tools.Plugin(context=context)
     iso_domain.Plugin(context=context)
     macrange.Plugin(context=context)
+    websocket_proxy.Plugin(context=context)
 
 
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/packaging/setup/plugins/ovirt-engine-setup/config/websocket_proxy.py b/packaging/setup/plugins/ovirt-engine-setup/config/websocket_proxy.py
new file mode 100644
index 0000000..6292b59
--- /dev/null
+++ b/packaging/setup/plugins/ovirt-engine-setup/config/websocket_proxy.py
@@ -0,0 +1,264 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+"""websocket proxy plugin."""
+
+
+import os
+import gettext
+_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup')
+
+
+from otopi import constants as otopicons
+from otopi import filetransaction
+from otopi import util
+from otopi import plugin
+
+
+from ovirt_engine_setup import constants as osetupcons
+from ovirt_engine_setup import dialog
+
+
+@util.export
+class Plugin(plugin.PluginBase):
+    """websocket proxy plugin."""
+
+    def __init__(self, context):
+        super(Plugin, self).__init__(context=context)
+        self._enabled = False
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_INIT,
+    )
+    def _init(self):
+        self.environment.setdefault(
+            osetupcons.ConfigEnv.WEBSOCKET_PROXY_CONFIG,
+            None
+        )
+        self.environment.setdefault(
+            osetupcons.ConfigEnv.WEBSOCKET_PROXY_PORT,
+            osetupcons.Defaults.DEFAULT_WEBSOCKET_PROXY_PORT
+        )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_SETUP,
+    )
+    def _setup(self):
+        self.command.detect('openssl')
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_LATE_SETUP,
+    )
+    def _late_setup(self):
+        if not os.path.exists(
+            osetupcons.FileLocations.
+            OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_STORE
+        ):
+            if (
+                self.environment[
+                    osetupcons.CoreEnv.DEVELOPER_MODE
+                ] or
+                self.services.exists(name='ovirt-websocket-proxy')
+            ):
+                self._enabled = True
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_CUSTOMIZATION,
+        condition=lambda self: self._enabled,
+        before=[
+            osetupcons.Stages.DIALOG_TITLES_E_SYSTEM,
+        ],
+        after=[
+            osetupcons.Stages.DB_CONNECTION_STATUS,
+            osetupcons.Stages.DIALOG_TITLES_S_SYSTEM,
+        ],
+    )
+    def _customization(self):
+
+        if self.environment[
+            osetupcons.ConfigEnv.WEBSOCKET_PROXY_CONFIG
+        ] is None:
+            self.environment[
+                osetupcons.ConfigEnv.WEBSOCKET_PROXY_CONFIG
+            ] = dialog.queryBoolean(
+                dialog=self.dialog,
+                name='OVESETUP_CONFIG_WEBSOCKET_PROXY',
+                note=_(
+                    'Configure WebSocket Proxy on this machine? '
+                    '(@VALUES@) [@DEFAULT@]: '
+                ),
+                prompt=True,
+                default=True,
+            )
+        self._enabled = self.environment[
+            osetupcons.ConfigEnv.WEBSOCKET_PROXY_CONFIG
+        ]
+
+        if self._enabled:
+            self.environment[osetupcons.NetEnv.FIREWALLD_SERVICES].extend([
+                {
+                    'name': 'ovirt-websocket-proxy',
+                    'directory': 'base'
+                },
+            ])
+            self.environment[
+                osetupcons.NetEnv.FIREWALLD_SUBST
+            ].update({
+                '@WEBSOCKET_PROXY_PORT@': self.environment[
+                    osetupcons.ConfigEnv.WEBSOCKET_PROXY_PORT
+                ],
+            })
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
+        condition=lambda self: self._enabled,
+        after=[
+            osetupcons.Stages.DB_CONNECTION_AVAILABLE,
+            osetupcons.Stages.CA_AVAILABLE,
+        ],
+    )
+    def _misc(self):
+
+        self.logger.info(_('Configurating WebSocket Proxy'))
+
+        self.environment[osetupcons.DBEnv.STATEMENT].updateVdcOptions(
+            options=[
+                {
+                    'name': 'WebSocketProxy',
+                    'value': 'Engine',
+                },
+            ]
+        )
+
+        self.execute(
+            args=(
+                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
+                '--name=%s' % 'websocket-proxy',
+                '--password=%s' % (
+                    self.environment[osetupcons.PKIEnv.STORE_PASS],
+                ),
+                '--subject=/C=%s/O=%s/CN=%s' % (
+                    self.environment[osetupcons.PKIEnv.COUNTRY],
+                    self.environment[osetupcons.PKIEnv.ORG],
+                    self.environment[osetupcons.ConfigEnv.FQDN],
+                ),
+            ),
+        )
+        self.environment[
+            otopicons.CoreEnv.MODIFIED_FILES
+        ].extend(
+            (
+                (
+                    osetupcons.FileLocations.
+                    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_CERT
+                ),
+                (
+                    osetupcons.FileLocations.
+                    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_STORE
+                ),
+            )
+        )
+
+        rc, stdout, stderr = self.execute(
+            args=(
+                self.command.get('openssl'),
+                'pkcs12',
+                '-in', (
+                    osetupcons.FileLocations.
+                    OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_STORE
+                ),
+                '-passin', 'pass:%s' % self.environment[
+                    osetupcons.PKIEnv.STORE_PASS
+                ],
+                '-nodes',
+                '-nocerts',
+            ),
+            logStreams=False,
+        )
+
+        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
+            filetransaction.FileTransaction(
+                osetupcons.FileLocations.OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_KEY,
+                mode=0o600,
+                owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
+                enforcePermissions=True,
+                content=stdout,
+                modifiedList=self.environment[
+                    otopicons.CoreEnv.MODIFIED_FILES
+                ],
+            )
+        )
+
+        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
+            filetransaction.FileTransaction(
+                name=(
+                    osetupcons.FileLocations.
+                    OVIRT_ENGINE_WEBSOCKET_PROXY_CONFIG_SETUP
+                ),
+                content=(
+                    "PROXY_PORT={port}\n"
+                    "SSL_CERTIFICATE={certificate}\n"
+                    "SSL_KEY={key}\n"
+                    "FORCE_DATA_VERIFICATION=True\n"
+                    "CERT_FOR_DATA_VERIFICATION={engine_cert}\n"
+                    "SSL_ONLY=True\n"
+                ).format(
+                    port=self.environment[
+                        osetupcons.ConfigEnv.WEBSOCKET_PROXY_PORT
+                    ],
+                    certificate=(
+                        osetupcons.FileLocations.
+                        OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_CERT
+                    ),
+                    key=(
+                        osetupcons.FileLocations.
+                        OVIRT_ENGINE_PKI_WEBSOCKET_PROXY_KEY
+                    ),
+                    engine_cert=(
+                        osetupcons.FileLocations.
+                        OVIRT_ENGINE_PKI_ENGINE_CERT
+                    ),
+                ),
+                modifiedList=self.environment[
+                    otopicons.CoreEnv.MODIFIED_FILES
+                ],
+            )
+        )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_CLOSEUP,
+        condition=lambda self: (
+            self._enabled and
+            not self.environment[
+                osetupcons.CoreEnv.DEVELOPER_MODE
+            ]
+        ),
+    )
+    def _closeup(self):
+        for state in (False, True):
+            self.services.state(
+                name='ovirt-websocket-proxy',
+                state=state,
+            )
+        self.services.startup(
+            name='ovirt-websocket-proxy',
+            state=True,
+        )
+
+
+# vim: expandtab tabstop=4 shiftwidth=4
-- 
To view, visit http://gerrit.ovirt.org/16014
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5d5fad4dc61d9c89c4165a74e9922eded483beac
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
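Review bot: In `_misc` both the enrollment call and the `openssl pkcs12` call hand the store password to a child process on its command line (`'--password=%s' % (...)` and `'-passin', 'pass:%s' % ...`), which exposes it in `/proc/<pid>/cmdline` to every local user for the life of the process and, unless otopi masks argv when it logs the command, in the setup log as well; `logStreams=False` keeps the extracted key out of the log but not the password. For the openssl step, `'-passin', 'env:OVIRT_PKI_STORE_PASS',` together with `envAppend={'OVIRT_PKI_STORE_PASS': self.environment[osetupcons.PKIEnv.STORE_PASS]},` on that `execute` call avoids both exposures (this assumes otopi's execute accepts an env override, which I believe it does); the enroll script's option surface is outside this diff. Whether this matters depends on STORE_PASS being anything other than a fixed default, which the diff does not show. Minor: the translatable message `_('Configurating WebSocket Proxy')` should be `_('Configuring WebSocket Proxy')` before translators pick it up.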