X-Git-Url: https://code.grnet.gr/git/ganeti-local/blobdiff_plain/e38220e4375276bacfe6f367ddffdf104ed5b60e..5fcc718f5a511fead627c6a5e489b3c3cf5198d1:/lib/bootstrap.py diff --git a/lib/bootstrap.py b/lib/bootstrap.py index f125f2a..def4073 100644 --- a/lib/bootstrap.py +++ b/lib/bootstrap.py @@ -28,6 +28,7 @@ import os.path import sha import re import logging +import tempfile from ganeti import rpc from ganeti import ssh @@ -37,6 +38,7 @@ from ganeti import config from ganeti import constants from ganeti import objects from ganeti import ssconf +from ganeti import hypervisor def _InitSSHSetup(): @@ -67,6 +69,37 @@ def _InitSSHSetup(): f.close() +def _GenerateSelfSignedSslCert(file_name, validity=(365 * 5)): + """Generates a self-signed SSL certificate. + + @type file_name: str + @param file_name: Path to output file + @type validity: int + @param validity: Validity for certificate in days + + """ + (fd, tmp_file_name) = tempfile.mkstemp(dir=os.path.dirname(file_name)) + try: + # Set permissions before writing key + os.chmod(tmp_file_name, 0600) + + result = utils.RunCmd(["openssl", "req", "-new", "-newkey", "rsa:1024", + "-days", str(validity), "-nodes", "-x509", + "-keyout", tmp_file_name, "-out", tmp_file_name, + "-batch"]) + if result.failed: + raise errors.OpExecError("Could not generate SSL certificate, command" + " %s had exitcode %s and error message %s" % + (result.cmd, result.exit_code, result.output)) + + # Make read-only + os.chmod(tmp_file_name, 0400) + + os.rename(tmp_file_name, file_name) + finally: + utils.RemoveFile(tmp_file_name) + + def _InitGanetiServerSetup(): """Setup the necessary configuration for the initial node daemon. @@ -74,16 +107,11 @@ def _InitGanetiServerSetup(): the cluster and also generates the SSL certificate. """ - result = utils.RunCmd(["openssl", "req", "-new", "-newkey", "rsa:1024", - "-days", str(365*5), "-nodes", "-x509", - "-keyout", constants.SSL_CERT_FILE, - "-out", constants.SSL_CERT_FILE, "-batch"]) - if result.failed: - raise errors.OpExecError("could not generate server ssl cert, command" - " %s had exitcode %s and error message %s" % - (result.cmd, result.exit_code, result.output)) + _GenerateSelfSignedSslCert(constants.SSL_CERT_FILE) - os.chmod(constants.SSL_CERT_FILE, 0400) + # Don't overwrite existing file + if not os.path.exists(constants.RAPI_CERT_FILE): + _GenerateSelfSignedSslCert(constants.RAPI_CERT_FILE) result = utils.RunCmd([constants.NODE_INITD_SCRIPT, "restart"]) @@ -177,7 +205,12 @@ def InitCluster(cluster_name, mac_prefix, def_bridge, raise errors.OpPrereqError("Init.d script '%s' missing or not" " executable." % constants.NODE_INITD_SCRIPT) - utils.CheckBEParams(beparams) + utils.ForceDictType(beparams, constants.BES_PARAMETER_TYPES) + # hvparams is a mapping of hypervisor->hvparams dict + for hv_name, hv_params in hvparams.iteritems(): + utils.ForceDictType(hv_params, constants.HVS_PARAMETER_TYPES) + hv_class = hypervisor.GetHypervisor(hv_name) + hv_class.CheckParameterSyntax(hv_params) # set up the inter-node password and certificate _InitGanetiServerSetup() @@ -218,7 +251,7 @@ def InitCluster(cluster_name, mac_prefix, def_bridge, secondary_ip=secondary_ip, serial_no=1, master_candidate=True, - offline=False, + offline=False, drained=False, ) sscfg = InitConfig(constants.CONFIG_VERSION, @@ -249,7 +282,7 @@ def InitConfig(version, cluster_config, master_node_config, @param cfg_file: configuration file path @rtype: L{ssconf.SimpleConfigWriter} - @returns: initialized config instance + @return: initialized config instance """ nodes = { @@ -295,15 +328,22 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): """ sshrunner = ssh.SshRunner(cluster_name) - gntpem = utils.ReadFile(constants.SSL_CERT_FILE) + + noded_cert = utils.ReadFile(constants.SSL_CERT_FILE) + rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE) + # in the base64 pem encoding, neither '!' nor '.' are valid chars, # so we use this to detect an invalid certificate; as long as the # cert doesn't contain this, the here-document will be correctly # parsed by the shell sequence below - if re.search('^!EOF\.', gntpem, re.MULTILINE): + if (re.search('^!EOF\.', noded_cert, re.MULTILINE) or + re.search('^!EOF\.', rapi_cert, re.MULTILINE)): raise errors.OpExecError("invalid PEM encoding in the SSL certificate") - if not gntpem.endswith("\n"): - raise errors.OpExecError("PEM must end with newline") + + if not noded_cert.endswith("\n"): + noded_cert += "\n" + if not rapi_cert.endswith("\n"): + rapi_cert += "\n" # set up inter-node password and certificate and restarts the node daemon # and then connect with ssh to set password and start ganeti-noded @@ -311,8 +351,14 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check): # either by being constants or by the checks above mycommand = ("umask 077 && " "cat > '%s' << '!EOF.' && \n" - "%s!EOF.\n%s restart" % - (constants.SSL_CERT_FILE, gntpem, + "%s!EOF.\n" + "cat > '%s' << '!EOF.' && \n" + "%s!EOF.\n" + "chmod 0400 %s %s && " + "%s restart" % + (constants.SSL_CERT_FILE, noded_cert, + constants.RAPI_CERT_FILE, rapi_cert, + constants.SSL_CERT_FILE, constants.RAPI_CERT_FILE, constants.NODE_INITD_SCRIPT)) result = sshrunner.Run(node, 'root', mycommand, batch=False,