prepare-node-join: Swap private and public keys

Other places, such as “ssh.GetUserFiles”, use a structure where the
private key comes before the private key. Until now prepare-node-join
did the opposite, that is the public key came first. To avoid confusion
and potential bugs, this is changed.

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>

diff --git a/doc/design-ssh-setup.rst b/doc/design-ssh-setup.rst
index 7004044..2b3983c 100644 (file)
--- a/doc/design-ssh-setup.rst
+++ b/doc/design-ssh-setup.rst
@@ -66,16 +66,16 @@ Unless specified otherwise, all entries are optional.
   authorization. See below for definition.
 
 Lists of SSH keys use a tuple with three values. The first describes the
-key variant (``rsa`` or ``dsa``). The second and third are the public
-and private part of the key. Example:
+key variant (``rsa`` or ``dsa``). The second and third are the private
+and public part of the key. Example:
 
 .. highlight:: javascript
 
 ::
 
   [
-    ("rsa", "AAAA...", "-----BEGIN RSA PRIVATE KEY-----..."),
-    ("dsa", "AAAA...", "-----BEGIN DSA PRIVATE KEY-----..."),
+    ("rsa", "-----BEGIN RSA PRIVATE KEY-----...", "ssh-rss AAAA..."),
+    ("dsa", "-----BEGIN DSA PRIVATE KEY-----...", "ssh-dss AAAA..."),
   ]
 
 .. vim: set textwidth=72 :

diff --git a/lib/tools/prepare_node_join.py b/lib/tools/prepare_node_join.py
index 0971037..e9e9f77 100644 (file)
--- a/lib/tools/prepare_node_join.py
+++ b/lib/tools/prepare_node_join.py
@@ -60,9 +60,9 @@ _DATA_CHECK = ht.TStrictDict(False, True, {
 
 _SSH_DAEMON_KEYFILES = {
   constants.SSHK_RSA:
-    (pathutils.SSH_HOST_RSA_PUB, pathutils.SSH_HOST_RSA_PRIV),
+    (pathutils.SSH_HOST_RSA_PRIV, pathutils.SSH_HOST_RSA_PUB),
   constants.SSHK_DSA:
-    (pathutils.SSH_HOST_DSA_PUB, pathutils.SSH_HOST_DSA_PRIV),
+    (pathutils.SSH_HOST_DSA_PRIV, pathutils.SSH_HOST_DSA_PUB),
   }
 
 
@@ -229,17 +229,17 @@ def _UpdateKeyFiles(keys, dry_run, keyfiles):
   """
   assert set(keyfiles) == constants.SSHK_ALL
 
-  for (kind, public_key, private_key) in keys:
-    (public_file, private_file) = keyfiles[kind]
-
-    logging.debug("Writing %s ...", public_file)
-    utils.WriteFile(public_file, data=public_key, mode=0644,
-                    backup=True, dry_run=dry_run)
+  for (kind, private_key, public_key) in keys:
+    (private_file, public_file) = keyfiles[kind]
 
     logging.debug("Writing %s ...", private_file)
     utils.WriteFile(private_file, data=private_key, mode=0600,
                     backup=True, dry_run=dry_run)
 
+    logging.debug("Writing %s ...", public_file)
+    utils.WriteFile(public_file, data=public_key, mode=0644,
+                    backup=True, dry_run=dry_run)
+
 
 def UpdateSshDaemon(data, dry_run, _runcmd_fn=utils.RunCmd,
                     _keyfiles=None):
@@ -297,8 +297,8 @@ def UpdateSshRoot(data, dry_run, _homedir_fn=None):
                      kind=constants.SSHK_RSA, _homedir_fn=_homedir_fn)
 
   _UpdateKeyFiles(keys, dry_run, {
-    constants.SSHK_RSA: (rsa_public_file, rsa_private_file),
-    constants.SSHK_DSA: (dsa_public_file, dsa_private_file),
+    constants.SSHK_RSA: (rsa_private_file, rsa_public_file),
+    constants.SSHK_DSA: (dsa_private_file, dsa_public_file),
     })
 
   if dry_run:

diff --git a/test/ganeti.tools.prepare_node_join_unittest.py b/test/ganeti.tools.prepare_node_join_unittest.py
index bbc3634..1cda5d2 100755 (executable)
--- a/test/ganeti.tools.prepare_node_join_unittest.py
+++ b/test/ganeti.tools.prepare_node_join_unittest.py
@@ -159,11 +159,11 @@ class TestUpdateSshDaemon(unittest.TestCase):
 
     self.keyfiles = {
       constants.SSHK_RSA:
-        (utils.PathJoin(self.tmpdir, "rsa.public"),
-         utils.PathJoin(self.tmpdir, "rsa.private")),
+        (utils.PathJoin(self.tmpdir, "rsa.private"),
+         utils.PathJoin(self.tmpdir, "rsa.public")),
       constants.SSHK_DSA:
-        (utils.PathJoin(self.tmpdir, "dsa.public"),
-         utils.PathJoin(self.tmpdir, "dsa.private")),
+        (utils.PathJoin(self.tmpdir, "dsa.private"),
+         utils.PathJoin(self.tmpdir, "dsa.public")),
       }
 
   def tearDown(self):
@@ -190,14 +190,14 @@ class TestUpdateSshDaemon(unittest.TestCase):
   def testDryRunRsa(self):
     self._TestDryRun({
       constants.SSHS_SSH_HOST_KEY: [
-        (constants.SSHK_RSA, "rsapub", "rsapriv"),
+        (constants.SSHK_RSA, "rsapriv", "rsapub"),
         ],
       })
 
   def testDryRunDsa(self):
     self._TestDryRun({
       constants.SSHS_SSH_HOST_KEY: [
-        (constants.SSHK_DSA, "dsapub", "dsapriv"),
+        (constants.SSHK_DSA, "dsapriv", "dsapub"),
         ],
       })
 
@@ -215,8 +215,8 @@ class TestUpdateSshDaemon(unittest.TestCase):
   def _TestUpdate(self, failcmd):
     data = {
       constants.SSHS_SSH_HOST_KEY: [
-        (constants.SSHK_DSA, "dsapub", "dsapriv"),
-        (constants.SSHK_RSA, "rsapub", "rsapriv"),
+        (constants.SSHK_DSA, "dsapriv", "dsapub"),
+        (constants.SSHK_RSA, "rsapriv", "rsapub"),
         ],
       }
     runcmd_fn = compat.partial(self._RunCmd, failcmd)
@@ -228,8 +228,8 @@ class TestUpdateSshDaemon(unittest.TestCase):
       prepare_node_join.UpdateSshDaemon(data, False, _runcmd_fn=runcmd_fn,
                                         _keyfiles=self.keyfiles)
     self.assertEqual(sorted(os.listdir(self.tmpdir)), sorted([
-      "rsa.private", "rsa.public",
-      "dsa.private", "dsa.public",
+      "rsa.public", "rsa.private",
+      "dsa.public", "dsa.private",
       ]))
     self.assertEqual(utils.ReadFile(utils.PathJoin(self.tmpdir, "rsa.public")),
                      "rsapub")
@@ -287,7 +287,7 @@ class TestUpdateSshRoot(unittest.TestCase):
   def testUpdate(self):
     data = {
       constants.SSHS_SSH_ROOT_KEY: [
-        (constants.SSHK_DSA, "ssh-dss pubdsa", "privatedsa"),
+        (constants.SSHK_DSA, "privatedsa", "ssh-dss pubdsa"),
         ]
       }