Sandro Bonazzola has uploaded a new change for review. Change subject: packaging: setup: use public key for ssh authentication ......................................................................
packaging: setup: use public key for ssh authentication
Use public key for ssh authentication instead of root password wich is now a deprecated authentication method. Require sdk >= 3.3.0.4 for having API support.
Related-To: http://gerrit.ovirt.org/18002
Change-Id: I4ba78d92d961fe763208f10a725876a4c081a70f
Signed-off-by: Sandro Bonazzola <sbona...@redhat.com>
---
M ovirt-hosted-engine-setup.spec.in
M src/ovirt_hosted_engine_setup/constants.py
M src/plugins/ovirt-hosted-engine-setup/engine/add_host.py
M src/plugins/ovirt-hosted-engine-setup/system/Makefile.am
M src/plugins/ovirt-hosted-engine-setup/system/__init__.py
D src/plugins/ovirt-hosted-engine-setup/system/super_user.py
6 files changed, 46 insertions(+), 131 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-hosted-engine-setup refs/changes/13/18213/1
diff --git a/ovirt-hosted-engine-setup.spec.in b/ovirt-hosted-engine-setup.spec.in
index f735007..d2128e8 100644
--- a/ovirt-hosted-engine-setup.spec.in
+++ b/ovirt-hosted-engine-setup.spec.in
@@ -45,7 +45,6 @@
 Requires: vdsm-gluster >= 4.11.0
 Requires: ovirt-host-deploy >= 1.1.0
 Requires: openssh-server
-Requires: python-paramiko
 Requires: virt-viewer
 Requires: openssl
 Requires: sudo
@@ -58,7 +57,7 @@
 BuildRequires: otopi-devel >= 1.1.0
 BuildRequires: python2-devel
-Requires: %{engine}-sdk-python >= 3.3.0
+Requires: %{engine}-sdk-python >= 3.3.0.4
 %description
 Hosted engine tool for oVirt project.
diff --git a/src/ovirt_hosted_engine_setup/constants.py b/src/ovirt_hosted_engine_setup/constants.py
index 9094f86..91dd1e1 100644
--- a/src/ovirt_hosted_engine_setup/constants.py
+++ b/src/ovirt_hosted_engine_setup/constants.py
@@ -243,13 +243,6 @@
 @util.export
 @util.codegen
-class HostEnv(object):
-
- ROOT_PASSWORD = 'OVEHOSTED_HOST/rootPassword'
-
-
-@util.export
-@util.codegen
 @ohostedattrsclass
 class EngineEnv(object):
diff --git a/src/plugins/ovirt-hosted-engine-setup/engine/add_host.py b/src/plugins/ovirt-hosted-engine-setup/engine/add_host.py
index fc39a52..27c566f 100644
--- a/src/plugins/ovirt-hosted-engine-setup/engine/add_host.py
+++ b/src/plugins/ovirt-hosted-engine-setup/engine/add_host.py
@@ -39,6 +39,8 @@
 from otopi import util
 from otopi import plugin
 from otopi import constants as otopicons
+from otopi import transaction
+from otopi import filetransaction
 from ovirt_hosted_engine_setup import constants as ohostedcons
@@ -96,6 +98,45 @@
 os.fchmod(fd, 0o600)
 with os.fdopen(fd, 'w') as fileobj:
 fileobj.write(content)
+
+ def _getSSHkey(self):
+ self.logger.debug('Acquiring SSH key from the engine')
+ with contextlib.closing(
+ urllib2.urlopen(
+ 'http://{fqdn}/engine.ssh.key.txt'.format(
+ fqdn=self.environment[
+ ohostedcons.NetworkEnv.OVIRT_HOSTED_ENGINE_FQDN
+ ]
+ )
+ )
+ ) as urlObj:
+ authorized_keys_line = urlObj.read()
+ if authorized_keys_line:
+ self.logger.debug(authorized_keys_line)
+ authorized_keys_file = os.path.join(
+ os.path.expanduser('~root'),
+ '.ssh',
+ 'authorized_keys'
+ )
+ content = []
+ if os.path.exists(authorized_keys_file):
+ with open(authorized_keys_file, 'r') as f:
+ content = f.read().splitlines()
+ if not authorized_keys_line in content:
+ content.append(authorized_keys_line)
+ with transaction.Transaction() as localtransaction:
+ localtransaction.append(
+ filetransaction.FileTransaction(
+ name=authorized_keys_file,
+ content=content,
+ mode=0o600,
+ owner='root',
+ enforcePermissions=True,
+ modifiedList=self.environment[
+ otopicons.CoreEnv.MODIFIED_FILES
+ ],
+ )
+ )
 def _getIPAddress(self):
 self.logger.debug('Acquiring bridge address')
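Review bot: The engine's SSH public key is fetched over plain `http://` and appended to root's `authorized_keys` with no integrity check, so whatever body that URL returns — the genuine key, a tampered response, or an unexpected page served with status 200 — becomes a key trusted for root login on this host. Fetch it over HTTPS with certificate verification against the engine CA, or at least verify the retrieved line against a fingerprint obtained out of band, and reject a body that is not a single OpenSSH public-key line before writing it. Separately, `urlObj.read()` is compared against `f.read().splitlines()`, which strips newlines, so a trailing newline in the response makes the `in content` test always false and the key is appended again on every run; `authorized_keys_line = urlObj.read().strip()` fixes that, and `if authorized_keys_line not in content:` is the idiomatic form of the test. An empty body is silently skipped and only surfaces later when the publickey host-deploy fails, so log or raise at that point instead. `_getSSHkey` is a new method whose enclosing Plugin class starts outside the hunk, and `contextlib`/`urllib2` are assumed to be imported above it.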
@@ -294,9 +335,9 @@
 address=self._getIPAddress(),
 reboot_after_installation=False,
 cluster=engine_api.clusters.get('Default'),
- root_password=self.environment[
- ohostedcons.HostEnv.ROOT_PASSWORD
- ]
+ ssh=self._ovirtsdk_xml.params.SSH(
+ authentication_method='publickey',
+ ),
 )
 )
 except ovirtsdk.infrastructure.errors.RequestError as e:
@@ -326,6 +367,7 @@
 ],
 )
 )
+ engine_api.disconnect()
 @plugin.event(
 stage=plugin.Stages.STAGE_CLEANUP,
diff --git a/src/plugins/ovirt-hosted-engine-setup/system/Makefile.am b/src/plugins/ovirt-hosted-engine-setup/system/Makefile.am
index 8da7373..1bd38a1 100644
--- a/src/plugins/ovirt-hosted-engine-setup/system/Makefile.am
+++ b/src/plugins/ovirt-hosted-engine-setup/system/Makefile.am
@@ -28,7 +28,6 @@
 __init__.py \
 vdsmenv.py \
 sshd.py \
- super_user.py \
 $(NULL)
 clean-local: \
diff --git a/src/plugins/ovirt-hosted-engine-setup/system/__init__.py b/src/plugins/ovirt-hosted-engine-setup/system/__init__.py
index ae9b9ff..0801ab8 100644
--- a/src/plugins/ovirt-hosted-engine-setup/system/__init__.py
+++ b/src/plugins/ovirt-hosted-engine-setup/system/__init__.py
@@ -26,14 +26,11 @@
 from . import vdsmenv
 from . import sshd
-from . import super_user
 @util.export
 def createPlugins(context):
 vdsmenv.Plugin(context=context)
 sshd.Plugin(context=context)
- super_user.Plugin(context=context)
-
-
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/src/plugins/ovirt-hosted-engine-setup/system/super_user.py b/src/plugins/ovirt-hosted-engine-setup/system/super_user.py
deleted file mode 100644
index 287c7f5..0000000
--- a/src/plugins/ovirt-hosted-engine-setup/system/super_user.py
+++ /dev/null
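Review bot: The switch to `authentication_method='publickey'` makes this add-host request depend on `_getSSHkey()` having already installed the engine's key into root's `authorized_keys`, but nothing in the hunk shows that ordering, and a missing key now fails inside host-deploy rather than at the former password check. A one-line comment above the `ssh=` argument, `# engine logs in as root with the key installed by _getSSHkey(); that must run before this call`, would make the dependency explicit for the next maintainer. The enclosing method starts and ends outside the hunk.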
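Review bot: `engine_api.disconnect()` is added as the last statement of the method, so the API session is only closed on the success path; the `RequestError` branch in the previous hunk, or any other exception raised in between, leaves the connection open. If, as the line numbers suggest, the add-host `try` block sits in the same method, moving the call into its `finally:` (`finally:` / `engine_api.disconnect()`) releases the session on every path. The method's start is outside the hunk, so where that `try` begins cannot be confirmed here.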
@@ -1,115 +0,0 @@ -# -# ovirt-hosted-engine-setup -- ovirt hosted engine setup -# Copyright (C) 2013 Red Hat, Inc. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -# - - -""" -super user password plugin. -""" - - -import gettext - - -import paramiko - - -from otopi import util -from otopi import plugin -from otopi import constants as otopicons - - -from ovirt_hosted_engine_setup import constants as ohostedcons - - -_ = lambda m: gettext.dgettext(message=m, domain='ovirt-hosted-engine-setup') - - -@util.export -class Plugin(plugin.PluginBase): - """ - super user password plugin. 
- """ - - def __init__(self, context): - super(Plugin, self).__init__(context=context) - - def _validateUserPasswd(self, host, user, password): - valid = False - try: - cli = paramiko.SSHClient() - cli.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - cli.connect( - hostname=host, - username=user, - password=password - ) - valid = True - except paramiko.AuthenticationException: - pass - finally: - cli.close() - return valid - - @plugin.event( - stage=plugin.Stages.STAGE_INIT, - ) - def _init(self): - self.environment.setdefault( - ohostedcons.HostEnv.ROOT_PASSWORD, - None - ) - - @plugin.event( - stage=plugin.Stages.STAGE_CUSTOMIZATION, - after=( - ohostedcons.Stages.DIALOG_TITLES_S_SYSTEM, - ), - before=( - ohostedcons.Stages.DIALOG_TITLES_E_SYSTEM, - ), - ) - def _customization(self): - interactive = ( - self.environment[ohostedcons.HostEnv.ROOT_PASSWORD] is None - ) - while self.environment[ohostedcons.HostEnv.ROOT_PASSWORD] is None: - password = self.dialog.queryString( - name='HOST_ROOT_PASSWORD', - note=_("Enter 'root' user password: "), - prompt=True, - hidden=True, - ) - if self._validateUserPasswd( - host='localhost', - user='root', - password=password - ): - self.environment[ohostedcons.HostEnv.ROOT_PASSWORD] = password - else: - if interactive: - self.logger.error(_('Wrong root password, try again')) - else: - raise RuntimeError(_('Wrong root password')) - - self.environment[otopicons.CoreEnv.LOG_FILTER].append( - self.environment[ohostedcons.HostEnv.ROOT_PASSWORD] - ) - - -# vim: expandtab tabstop=4 shiftwidth=4 -- To view, visit http://gerrit.ovirt.org/18213 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4ba78d92d961fe763208f10a725876a4c081a70f Gerrit-PatchSet: 1 Gerrit-Project: ovirt-hosted-engine-setup Gerrit-Branch: master Gerrit-Owner: Sandro Bonazzola <sbona...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org 