# TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll
# have more than one.
- if not os.path.isfile(constants.HMAC_CLUSTER_KEY):
- print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY
+ if not os.path.isfile(constants.CONFD_HMAC_KEY):
+ print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY
sys.exit(constants.EXIT_FAILURE)
constants.VNC_PASSWORD_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
])
for hv_name in constants.HYPER_TYPES:
logging.exception("Error while processing ssh files")
try:
- utils.RemoveFile(constants.HMAC_CLUSTER_KEY)
+ utils.RemoveFile(constants.CONFD_HMAC_KEY)
utils.RemoveFile(constants.RAPI_CERT_FILE)
utils.RemoveFile(constants.NODED_CERT_FILE)
except: # pylint: disable-msg=W0702
backup=True)
-def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
+def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
rapi_cert_pem=None):
"""Updates the cluster certificates, keys and secrets.
@param new_cluster_cert: Whether to generate a new cluster certificate
@type new_rapi_cert: bool
@param new_rapi_cert: Whether to generate a new RAPI certificate
- @type new_hmac_key: bool
- @param new_hmac_key: Whether to generate a new HMAC key
+ @type new_confd_hmac_key: bool
+ @param new_confd_hmac_key: Whether to generate a new HMAC key
@type rapi_cert_pem: string
@param rapi_cert_pem: New RAPI certificate in PEM format
constants.NODED_CERT_FILE)
GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
- # HMAC key
- if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
- logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
- GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
+ # confd HMAC key
+ if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
+ logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
+ GenerateHmacKey(constants.CONFD_HMAC_KEY)
# RAPI
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)
rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
- hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
+ confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
# in the base64 pem encoding, neither '!' nor '.' are valid chars,
# so we use this to detect an invalid certificate; as long as the
# cert doesn't contain this, the here-document will be correctly
# parsed by the shell sequence below. HMAC keys are hexadecimal strings,
# so the same restrictions apply.
- for content in (noded_cert, rapi_cert, hmac_key):
+ for content in (noded_cert, rapi_cert, confd_hmac_key):
if re.search('^!EOF\.', content, re.MULTILINE):
raise errors.OpExecError("invalid SSL certificate or HMAC key")
noded_cert += "\n"
if not rapi_cert.endswith("\n"):
rapi_cert += "\n"
- if not hmac_key.endswith("\n"):
- hmac_key += "\n"
+ if not confd_hmac_key.endswith("\n"):
+ confd_hmac_key += "\n"
# set up inter-node password and certificate and restarts the node daemon
# and then connect with ssh to set password and start ganeti-noded
"%s start %s" %
(constants.NODED_CERT_FILE, noded_cert,
constants.RAPI_CERT_FILE, rapi_cert,
- constants.HMAC_CLUSTER_KEY, hmac_key,
+ constants.CONFD_HMAC_KEY, confd_hmac_key,
constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
constants.DAEMON_UTIL, constants.NODED))
result = sshrunner.Run(node, 'root', mycommand, batch=False,
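Review bot: The contents of the confd HMAC key are formatted into the command string next to the two certificates (`constants.CONFD_HMAC_KEY, confd_hmac_key,`), so the secret appears to reach `sshrunner.Run` as part of the remote command rather than through stdin or a file copy. If `mycommand` ends up in the argument list of the ssh process, the key could be read from the process listing on the master, and possibly on the node, for as long as the command runs. The rename keeps that behaviour; consider distributing the key through the same file-copy path that renew-crypto uses for `files_to_copy`, or feeding it over stdin. The statement starts above this hunk and the `Run` call continues below it, so how the command is finally executed is not visible here.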
"MC_OPT",
"NET_OPT",
"NEW_CLUSTER_CERT_OPT",
- "NEW_HMAC_KEY_OPT",
+ "NEW_CONFD_HMAC_KEY_OPT",
"NEW_RAPI_CERT_OPT",
"NEW_SECONDARY_OPT",
"NIC_PARAMS_OPT",
help=("Generate a new self-signed RAPI"
" certificate"))
-NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key",
- default=False, action="store_true",
- help="Create a new HMAC key")
+NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key",
+ dest="new_confd_hmac_key",
+ default=False, action="store_true",
+ help=("Create a new HMAC key for %s" %
+ constants.CONFD))
def _ParseArgs(argv, commands, aliases):
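Review bot: `--new-hmac-key` disappears without a transition path once `NEW_CONFD_HMAC_KEY_OPT` replaces it, so existing key-rotation scripts and runbooks that call `gnt-cluster renew-crypto --new-hmac-key` will presumably be rejected as an unknown option after the upgrade. If `cli_option` accepts several option strings the way optparse options do (not visible here), keeping the old spelling as a deprecated alias for one release would avoid that, e.g. `cli_option("--new-confd-hmac-key", "--new-hmac-key", dest="new_confd_hmac_key", ...)`. Otherwise the removal deserves an entry in the upgrade notes so that key rotation does not fail when it is needed.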
constants.SSH_KNOWN_HOSTS_FILE,
constants.RAPI_CERT_FILE,
constants.RAPI_USERS_FILE,
- constants.HMAC_CLUSTER_KEY,
+ constants.CONFD_HMAC_KEY,
])
enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
"""
self.disabled = True
- self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
+ self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
self.reader = None
assert \
not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \
CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
NODED_CERT_FILE = DATA_DIR + "/server.pem"
RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
-HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
+CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause"
INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
<arg>-f</arg>
<sbr>
<arg choice="opt">--new-cluster-certificate</arg>
- <arg choice="opt">--new-hmac-key</arg>
+ <arg choice="opt">--new-confd-hmac-key</arg>
<sbr>
<arg choice="opt">--new-rapi-certificate</arg>
<arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg>
Ganeti daemons in the cluster and start them again once the new
certificates and keys are replicated. The options
<option>--new-cluster-certificate</option> and
- <option>--new-hmac-key</option> can be used to regenerate the
+ <option>--new-confd-hmac-key</option> can be used to regenerate the
cluster-internal SSL certificate respective the HMAC key used by
<citerefentry>
<refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum>
# Conflicting options
cmd = ["gnt-cluster", "renew-crypto", "--force",
- "--new-cluster-certificate", "--new-hmac-key",
+ "--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate", "--rapi-certificate=/dev/null"]
AssertNotEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
# Normal case
cmd = ["gnt-cluster", "renew-crypto", "--force",
- "--new-cluster-certificate", "--new-hmac-key",
+ "--new-cluster-certificate", "--new-confd-hmac-key",
"--new-rapi-certificate"]
AssertEqual(StartSSH(master["primary"],
utils.ShellQuoteArgs(cmd)).wait(), 0)
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
- new_hmac_key, force):
+ new_confd_hmac_key, force):
"""Renews cluster certificates, keys and secrets.
@type new_cluster_cert: bool
@param new_rapi_cert: Whether to generate a new RAPI certificate
@type rapi_cert_filename: string
@param rapi_cert_filename: Path to file containing new RAPI certificate
- @type new_hmac_key: bool
- @param new_hmac_key: Whether to generate a new HMAC key
+ @type new_confd_hmac_key: bool
+ @param new_confd_hmac_key: Whether to generate a new HMAC key
@type force: bool
@param force: Whether to ask user for confirmation
"""
- assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key
+ assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or
+ new_confd_hmac_key)
if new_rapi_cert and rapi_cert_filename:
ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate"
def _RenewCryptoInner(ctx):
ctx.feedback_fn("Updating certificates and keys")
bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert,
- new_hmac_key,
+ new_confd_hmac_key,
rapi_cert_pem=rapi_cert_pem)
files_to_copy = []
if new_rapi_cert or rapi_cert_pem:
files_to_copy.append(constants.RAPI_CERT_FILE)
- if new_hmac_key:
- files_to_copy.append(constants.HMAC_CLUSTER_KEY)
+ if new_confd_hmac_key:
+ files_to_copy.append(constants.CONFD_HMAC_KEY)
if files_to_copy:
for node_name in ctx.nonmaster_nodes:
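Review bot: The key is added to `files_to_copy` only under `if new_confd_hmac_key:`, while `GenerateClusterCrypto` (changed in an earlier hunk) also writes a fresh key when `constants.CONFD_HMAC_KEY` does not exist on the master. In that case the master would get a new key that is never pushed to the other nodes, presumably leaving the nodes with different HMAC keys and confd requests that no longer authenticate. Whether renew-crypto can be reached with the file missing is not visible here; if it can, record the condition before the call and test `if new_confd_hmac_key or hmac_key_missing:`, where `hmac_key_missing` is a new local set from `not os.path.exists(constants.CONFD_HMAC_KEY)`. `_RenewCryptoInner` continues past the end of this hunk.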
return _RenewCrypto(opts.new_cluster_cert,
opts.new_rapi_cert,
opts.rapi_cert,
- opts.new_hmac_key,
+ opts.new_confd_hmac_key,
opts.force)
"Alters the parameters of the cluster"),
"renew-crypto": (
RenewCrypto, ARGS_NONE,
- [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT,
- FORCE_OPT],
+ [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT,
+ NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT],
"[opts...]",
"Renews cluster certificates, keys and secrets"),
}
options.SERVER_PEM_PATH = options.data_dir + "/server.pem"
options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts"
options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem"
- options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key"
+ options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key"
SetupLogging()