X-Git-Url: https://code.grnet.gr/git/ganeti-local/blobdiff_plain/c41eea6ebec742e9579153666e51fcc5769c2752..489fcbe9d69b4d1d32a82d644d914039d7dfeff0:/lib/bootstrap.py diff --git a/lib/bootstrap.py b/lib/bootstrap.py index 200a978..3e56154 100644 --- a/lib/bootstrap.py +++ b/lib/bootstrap.py @@ -28,6 +28,7 @@ import os.path import sha import re import logging +import tempfile from ganeti import rpc from ganeti import ssh @@ -37,15 +38,15 @@ from ganeti import config from ganeti import constants from ganeti import objects from ganeti import ssconf +from ganeti import hypervisor -def _InitSSHSetup(node): + +def _InitSSHSetup(): """Setup the SSH configuration for the cluster. This generates a dsa keypair for root, adds the pub key to the permitted hosts and adds the hostkey to its own known hosts. - @param node: the name of this host as an FQDN - """ priv_key, pub_key, auth_keys = ssh.GetUserFiles(constants.GANETI_RUNAS) @@ -68,6 +69,37 @@ def _InitSSHSetup(node): f.close() +def _GenerateSelfSignedSslCert(file_name, validity=(365 * 5)): + """Generates a self-signed SSL certificate. + + @type file_name: str + @param file_name: Path to output file + @type validity: int + @param validity: Validity for certificate in days + + """ + (fd, tmp_file_name) = tempfile.mkstemp(dir=os.path.dirname(file_name)) + try: + # Set permissions before writing key + os.chmod(tmp_file_name, 0600) + + result = utils.RunCmd(["openssl", "req", "-new", "-newkey", "rsa:1024", + "-days", str(validity), "-nodes", "-x509", + "-keyout", tmp_file_name, "-out", tmp_file_name, + "-batch"]) + if result.failed: + raise errors.OpExecError("Could not generate SSL certificate, command" + " %s had exitcode %s and error message %s" % + (result.cmd, result.exit_code, result.output)) + + # Make read-only + os.chmod(tmp_file_name, 0400) + + os.rename(tmp_file_name, file_name) + finally: + utils.RemoveFile(tmp_file_name) + + def _InitGanetiServerSetup(): """Setup the necessary configuration for the initial node daemon. @@ -75,16 +107,11 @@ def _InitGanetiServerSetup(): the cluster and also generates the SSL certificate. """ - result = utils.RunCmd(["openssl", "req", "-new", "-newkey", "rsa:1024", - "-days", str(365*5), "-nodes", "-x509", - "-keyout", constants.SSL_CERT_FILE, - "-out", constants.SSL_CERT_FILE, "-batch"]) - if result.failed: - raise errors.OpExecError("could not generate server ssl cert, command" - " %s had exitcode %s and error message %s" % - (result.cmd, result.exit_code, result.output)) + _GenerateSelfSignedSslCert(constants.SSL_CERT_FILE) - os.chmod(constants.SSL_CERT_FILE, 0400) + # Don't overwrite existing file + if not os.path.exists(constants.RAPI_CERT_FILE): + _GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE) result = utils.RunCmd([constants.NODE_INITD_SCRIPT, "restart"]) @@ -178,7 +205,12 @@ def InitCluster(cluster_name, mac_prefix, def_bridge, raise errors.OpPrereqError("Init.d script '%s' missing or not" " executable." % constants.NODE_INITD_SCRIPT) - utils.CheckBEParams(beparams) + utils.ForceDictType(beparams, constants.BES_PARAMETER_TYPES) + # hvparams is a mapping of hypervisor->hvparams dict + for hv_name, hv_params in hvparams.iteritems(): + utils.ForceDictType(hv_params, constants.HVS_PARAMETER_TYPES) + hv_class = hypervisor.GetHypervisor(hv_name) + hv_class.CheckParameterSyntax(hv_params) # set up the inter-node password and certificate _InitGanetiServerSetup() @@ -192,7 +224,7 @@ def InitCluster(cluster_name, mac_prefix, def_bridge, sshkey = sshline.split(" ")[1] utils.AddHostToEtcHosts(hostname.name) - _InitSSHSetup(hostname.name) + _InitSSHSetup() # init of cluster config file cluster_config = objects.Cluster( @@ -219,7 +251,7 @@ def InitCluster(cluster_name, mac_prefix, def_bridge, secondary_ip=secondary_ip, serial_no=1, master_candidate=True, - offline=False, + offline=False, drained=False, ) sscfg = InitConfig(constants.CONFIG_VERSION, @@ -296,15 +328,22 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): """ sshrunner = ssh.SshRunner(cluster_name) - gntpem = utils.ReadFile(constants.SSL_CERT_FILE) + + noded_cert = utils.ReadFile(constants.SSL_CERT_FILE) + rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE) + # in the base64 pem encoding, neither '!' nor '.' are valid chars, # so we use this to detect an invalid certificate; as long as the # cert doesn't contain this, the here-document will be correctly # parsed by the shell sequence below - if re.search('^!EOF\.', gntpem, re.MULTILINE): + if (re.search('^!EOF\.', noded_cert, re.MULTILINE) or + re.search('^!EOF\.', rapi_cert, re.MULTILINE)): raise errors.OpExecError("invalid PEM encoding in the SSL certificate") - if not gntpem.endswith("\n"): - raise errors.OpExecError("PEM must end with newline") + + if not noded_cert.endswith("\n"): + noded_cert += "\n" + if not rapi_cert.endswith("\n"): + rapi_cert += "\n" # set up inter-node password and certificate and restarts the node daemon # and then connect with ssh to set password and start ganeti-noded @@ -312,8 +351,14 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): # either by being constants or by the checks above mycommand = ("umask 077 && " "cat > '%s' << '!EOF.' && \n" - "%s!EOF.\n%s restart" % - (constants.SSL_CERT_FILE, gntpem, + "%s!EOF.\n" + "cat > '%s' << '!EOF.' && \n" + "%s!EOF.\n" + "chmod 0400 %s %s && " + "%s restart" % + (constants.SSL_CERT_FILE, noded_cert, + constants.RAPI_CERT_FILE, rapi_cert, + constants.SSL_CERT_FILE, constants.RAPI_CERT_FILE, constants.NODE_INITD_SCRIPT)) result = sshrunner.Run(node, 'root', mycommand, batch=False, @@ -432,8 +477,6 @@ def GatherMasterVotes(node_list): # this should not happen (unless internal error in rpc) logging.critical("Can't complete rpc call, aborting master startup") return [(None, len(node_list))] - positive = negative = 0 - other_masters = {} votes = {} for node in results: nres = results[node]