Revision 6b7d5878

b/daemons/ganeti-confd
335 335

  
336 336
  # TODO: collapse HMAC daemons handling in daemons GenericMain, when we'll
337 337
  # have more than one.
338
  if not os.path.isfile(constants.HMAC_CLUSTER_KEY):
339
    print >> sys.stderr, "Need HMAC key %s to run" % constants.HMAC_CLUSTER_KEY
338
  if not os.path.isfile(constants.CONFD_HMAC_KEY):
339
    print >> sys.stderr, "Need HMAC key %s to run" % constants.CONFD_HMAC_KEY
340 340
    sys.exit(constants.EXIT_FAILURE)
341 341

  
342 342

  
b/lib/backend.py
183 183
    constants.VNC_PASSWORD_FILE,
184 184
    constants.RAPI_CERT_FILE,
185 185
    constants.RAPI_USERS_FILE,
186
    constants.HMAC_CLUSTER_KEY,
186
    constants.CONFD_HMAC_KEY,
187 187
    ])
188 188

  
189 189
  for hv_name in constants.HYPER_TYPES:
......
399 399
      logging.exception("Error while processing ssh files")
400 400

  
401 401
  try:
402
    utils.RemoveFile(constants.HMAC_CLUSTER_KEY)
402
    utils.RemoveFile(constants.CONFD_HMAC_KEY)
403 403
    utils.RemoveFile(constants.RAPI_CERT_FILE)
404 404
    utils.RemoveFile(constants.NODED_CERT_FILE)
405 405
  except: # pylint: disable-msg=W0702
b/lib/bootstrap.py
111 111
                  backup=True)
112 112

  
113 113

  
114
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key,
114
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
115 115
                          rapi_cert_pem=None):
116 116
  """Updates the cluster certificates, keys and secrets.
117 117

  
......
119 119
  @param new_cluster_cert: Whether to generate a new cluster certificate
120 120
  @type new_rapi_cert: bool
121 121
  @param new_rapi_cert: Whether to generate a new RAPI certificate
122
  @type new_hmac_key: bool
123
  @param new_hmac_key: Whether to generate a new HMAC key
122
  @type new_confd_hmac_key: bool
123
  @param new_confd_hmac_key: Whether to generate a new HMAC key
124 124
  @type rapi_cert_pem: string
125 125
  @param rapi_cert_pem: New RAPI certificate in PEM format
126 126

  
......
135 135
                  constants.NODED_CERT_FILE)
136 136
    GenerateSelfSignedSslCert(constants.NODED_CERT_FILE)
137 137

  
138
  # HMAC key
139
  if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
140
    logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
141
    GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
138
  # confd HMAC key
139
  if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
140
    logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
141
    GenerateHmacKey(constants.CONFD_HMAC_KEY)
142 142

  
143 143
  # RAPI
144 144
  rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE)
......
428 428

  
429 429
  noded_cert = utils.ReadFile(constants.NODED_CERT_FILE)
430 430
  rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
431
  hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
431
  confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
432 432

  
433 433
  # in the base64 pem encoding, neither '!' nor '.' are valid chars,
434 434
  # so we use this to detect an invalid certificate; as long as the
435 435
  # cert doesn't contain this, the here-document will be correctly
436 436
  # parsed by the shell sequence below. HMAC keys are hexadecimal strings,
437 437
  # so the same restrictions apply.
438
  for content in (noded_cert, rapi_cert, hmac_key):
438
  for content in (noded_cert, rapi_cert, confd_hmac_key):
439 439
    if re.search('^!EOF\.', content, re.MULTILINE):
440 440
      raise errors.OpExecError("invalid SSL certificate or HMAC key")
441 441

  
......
443 443
    noded_cert += "\n"
444 444
  if not rapi_cert.endswith("\n"):
445 445
    rapi_cert += "\n"
446
  if not hmac_key.endswith("\n"):
447
    hmac_key += "\n"
446
  if not confd_hmac_key.endswith("\n"):
447
    confd_hmac_key += "\n"
448 448

  
449 449
  # set up inter-node password and certificate and restarts the node daemon
450 450
  # and then connect with ssh to set password and start ganeti-noded
......
461 461
               "%s start %s" %
462 462
               (constants.NODED_CERT_FILE, noded_cert,
463 463
                constants.RAPI_CERT_FILE, rapi_cert,
464
                constants.HMAC_CLUSTER_KEY, hmac_key,
464
                constants.CONFD_HMAC_KEY, confd_hmac_key,
465 465
                constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE,
466
                constants.HMAC_CLUSTER_KEY,
466
                constants.CONFD_HMAC_KEY,
467 467
                constants.DAEMON_UTIL, constants.NODED))
468 468

  
469 469
  result = sshrunner.Run(node, 'root', mycommand, batch=False,
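Review bot: The renamed docstring entry at new line 123 still reads `@param new_confd_hmac_key: Whether to generate a new HMAC key`, so the documentation does not say which key, although distinguishing confd's key is the point of the rename and the log message on new line 140 already says "confd HMAC key". The docstring should match it: `@param new_confd_hmac_key: Whether to generate a new HMAC key for ganeti-confd`. The same unchanged wording is carried into the `_RenewCrypto` docstring in b/scripts/gnt-cluster at new line 508. `GenerateClusterCrypto` begins in the first hunk of this section and its body runs past the hunks shown.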
b/lib/cli.py
80 80
  "MC_OPT",
81 81
  "NET_OPT",
82 82
  "NEW_CLUSTER_CERT_OPT",
83
  "NEW_HMAC_KEY_OPT",
83
  "NEW_CONFD_HMAC_KEY_OPT",
84 84
  "NEW_RAPI_CERT_OPT",
85 85
  "NEW_SECONDARY_OPT",
86 86
  "NIC_PARAMS_OPT",
......
878 878
                               help=("Generate a new self-signed RAPI"
879 879
                                     " certificate"))
880 880

  
881
NEW_HMAC_KEY_OPT = cli_option("--new-hmac-key", dest="new_hmac_key",
882
                              default=False, action="store_true",
883
                              help="Create a new HMAC key")
881
NEW_CONFD_HMAC_KEY_OPT = cli_option("--new-confd-hmac-key",
882
                                    dest="new_confd_hmac_key",
883
                                    default=False, action="store_true",
884
                                    help=("Create a new HMAC key for %s" %
885
                                          constants.CONFD))
884 886

  
885 887

  
886 888
def _ParseArgs(argv, commands, aliases):
b/lib/cmdlib.py
2280 2280
                    constants.SSH_KNOWN_HOSTS_FILE,
2281 2281
                    constants.RAPI_CERT_FILE,
2282 2282
                    constants.RAPI_USERS_FILE,
2283
                    constants.HMAC_CLUSTER_KEY,
2283
                    constants.CONFD_HMAC_KEY,
2284 2284
                   ])
2285 2285

  
2286 2286
  enabled_hypervisors = lu.cfg.GetClusterInfo().enabled_hypervisors
b/lib/confd/server.py
62 62

  
63 63
    """
64 64
    self.disabled = True
65
    self.hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
65
    self.hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
66 66
    self.reader = None
67 67
    assert \
68 68
      not constants.CONFD_REQS.symmetric_difference(self.DISPATCH_TABLE), \
b/lib/constants.py
99 99
CLUSTER_CONF_FILE = DATA_DIR + "/config.data"
100 100
NODED_CERT_FILE = DATA_DIR + "/server.pem"
101 101
RAPI_CERT_FILE = DATA_DIR + "/rapi.pem"
102
HMAC_CLUSTER_KEY = DATA_DIR + "/hmac.key"
102
CONFD_HMAC_KEY = DATA_DIR + "/hmac.key"
103 103
WATCHER_STATEFILE = DATA_DIR + "/watcher.data"
104 104
WATCHER_PAUSEFILE = DATA_DIR + "/watcher.pause"
105 105
INSTANCE_UPFILE = RUN_GANETI_DIR + "/instance-status"
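Review bot: `CONFD_HMAC_KEY` at new line 102 keeps the generic on-disk name `hmac.key` while the constant is now specific to confd, and nothing in the hunk says whether that is deliberate; the TODO in daemons/ganeti-confd anticipates further HMAC daemons, and a later per-daemon key could not share this filename. A short comment would keep a future rename from also "correcting" the path, which existing installations already have under this name — something like `# confd HMAC key; the filename stays hmac.key so existing clusters keep working (confirm)`. The same literal `"/hmac.key"` is duplicated in tools/cfgupgrade at new line 124 and must be changed in step if the name ever moves.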
b/man/gnt-cluster.sgml
711 711
        <arg>-f</arg>
712 712
        <sbr>
713 713
        <arg choice="opt">--new-cluster-certificate</arg>
714
        <arg choice="opt">--new-hmac-key</arg>
714
        <arg choice="opt">--new-confd-hmac-key</arg>
715 715
        <sbr>
716 716
        <arg choice="opt">--new-rapi-certificate</arg>
717 717
        <arg choice="opt">--rapi-certificate <replaceable>rapi-cert</replaceable></arg>
......
722 722
        Ganeti daemons in the cluster and start them again once the new
723 723
        certificates and keys are replicated. The options
724 724
        <option>--new-cluster-certificate</option> and
725
        <option>--new-hmac-key</option> can be used to regenerate the
725
        <option>--new-confd-hmac-key</option> can be used to regenerate the
726 726
        cluster-internal SSL certificate respective the HMAC key used by
727 727
        <citerefentry>
728 728
        <refentrytitle>ganeti-confd</refentrytitle><manvolnum>8</manvolnum>
b/qa/qa_cluster.py
152 152

  
153 153
  # Conflicting options
154 154
  cmd = ["gnt-cluster", "renew-crypto", "--force",
155
         "--new-cluster-certificate", "--new-hmac-key",
155
         "--new-cluster-certificate", "--new-confd-hmac-key",
156 156
         "--new-rapi-certificate", "--rapi-certificate=/dev/null"]
157 157
  AssertNotEqual(StartSSH(master["primary"],
158 158
                          utils.ShellQuoteArgs(cmd)).wait(), 0)
......
184 184

  
185 185
  # Normal case
186 186
  cmd = ["gnt-cluster", "renew-crypto", "--force",
187
         "--new-cluster-certificate", "--new-hmac-key",
187
         "--new-cluster-certificate", "--new-confd-hmac-key",
188 188
         "--new-rapi-certificate"]
189 189
  AssertEqual(StartSSH(master["primary"],
190 190
                       utils.ShellQuoteArgs(cmd)).wait(), 0)
b/scripts/gnt-cluster
495 495

  
496 496

  
497 497
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename,
498
                 new_hmac_key, force):
498
                 new_confd_hmac_key, force):
499 499
  """Renews cluster certificates, keys and secrets.
500 500

  
501 501
  @type new_cluster_cert: bool
......
504 504
  @param new_rapi_cert: Whether to generate a new RAPI certificate
505 505
  @type rapi_cert_filename: string
506 506
  @param rapi_cert_filename: Path to file containing new RAPI certificate
507
  @type new_hmac_key: bool
508
  @param new_hmac_key: Whether to generate a new HMAC key
507
  @type new_confd_hmac_key: bool
508
  @param new_confd_hmac_key: Whether to generate a new HMAC key
509 509
  @type force: bool
510 510
  @param force: Whether to ask user for confirmation
511 511

  
512 512
  """
513
  assert new_cluster_cert or new_rapi_cert or rapi_cert_filename or new_hmac_key
513
  assert (new_cluster_cert or new_rapi_cert or rapi_cert_filename or
514
          new_confd_hmac_key)
514 515

  
515 516
  if new_rapi_cert and rapi_cert_filename:
516 517
    ToStderr("Only one of the --new-rapi-certficate and --rapi-certificate"
......
548 549
  def _RenewCryptoInner(ctx):
549 550
    ctx.feedback_fn("Updating certificates and keys")
550 551
    bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert,
551
                                    new_hmac_key,
552
                                    new_confd_hmac_key,
552 553
                                    rapi_cert_pem=rapi_cert_pem)
553 554

  
554 555
    files_to_copy = []
......
559 560
    if new_rapi_cert or rapi_cert_pem:
560 561
      files_to_copy.append(constants.RAPI_CERT_FILE)
561 562

  
562
    if new_hmac_key:
563
      files_to_copy.append(constants.HMAC_CLUSTER_KEY)
563
    if new_confd_hmac_key:
564
      files_to_copy.append(constants.CONFD_HMAC_KEY)
564 565

  
565 566
    if files_to_copy:
566 567
      for node_name in ctx.nonmaster_nodes:
......
584 585
  return _RenewCrypto(opts.new_cluster_cert,
585 586
                      opts.new_rapi_cert,
586 587
                      opts.rapi_cert,
587
                      opts.new_hmac_key,
588
                      opts.new_confd_hmac_key,
588 589
                      opts.force)
589 590

  
590 591

  
......
790 791
    "Alters the parameters of the cluster"),
791 792
  "renew-crypto": (
792 793
    RenewCrypto, ARGS_NONE,
793
    [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, NEW_HMAC_KEY_OPT,
794
     FORCE_OPT],
794
    [NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT,
795
     NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT],
795 796
    "[opts...]",
796 797
    "Renews cluster certificates, keys and secrets"),
797 798
  }
b/tools/cfgupgrade
121 121
  options.SERVER_PEM_PATH = options.data_dir + "/server.pem"
122 122
  options.KNOWN_HOSTS_PATH = options.data_dir + "/known_hosts"
123 123
  options.RAPI_CERT_FILE = options.data_dir + "/rapi.pem"
124
  options.HMAC_CLUSTER_KEY = options.data_dir + "/hmac.key"
124
  options.CONFD_HMAC_KEY = options.data_dir + "/hmac.key"
125 125

  
126 126
  SetupLogging()
127 127

  
