Revision 6b7d5878 lib/bootstrap.py
b/lib/bootstrap.py | ||
---|---|---|
111 | 111 |
backup=True) |
112 | 112 |
|
113 | 113 |
|
114 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_hmac_key, |
|
114 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_confd_hmac_key,
|
|
115 | 115 |
rapi_cert_pem=None): |
116 | 116 |
"""Updates the cluster certificates, keys and secrets. |
117 | 117 |
|
... | ... | |
119 | 119 |
@param new_cluster_cert: Whether to generate a new cluster certificate |
120 | 120 |
@type new_rapi_cert: bool |
121 | 121 |
@param new_rapi_cert: Whether to generate a new RAPI certificate |
122 |
@type new_hmac_key: bool |
|
123 |
@param new_hmac_key: Whether to generate a new HMAC key |
|
122 |
@type new_confd_hmac_key: bool
|
|
123 |
@param new_confd_hmac_key: Whether to generate a new HMAC key
|
|
124 | 124 |
@type rapi_cert_pem: string |
125 | 125 |
@param rapi_cert_pem: New RAPI certificate in PEM format |
126 | 126 |
|
... | ... | |
135 | 135 |
constants.NODED_CERT_FILE) |
136 | 136 |
GenerateSelfSignedSslCert(constants.NODED_CERT_FILE) |
137 | 137 |
|
138 |
# HMAC key |
|
139 |
if new_hmac_key or not os.path.exists(constants.HMAC_CLUSTER_KEY):
|
|
140 |
logging.debug("Writing new HMAC key to %s", constants.HMAC_CLUSTER_KEY)
|
|
141 |
GenerateHmacKey(constants.HMAC_CLUSTER_KEY)
|
|
138 |
# confd HMAC key
|
|
139 |
if new_confd_hmac_key or not os.path.exists(constants.CONFD_HMAC_KEY):
|
|
140 |
logging.debug("Writing new confd HMAC key to %s", constants.CONFD_HMAC_KEY)
|
|
141 |
GenerateHmacKey(constants.CONFD_HMAC_KEY)
|
|
142 | 142 |
|
143 | 143 |
# RAPI |
144 | 144 |
rapi_cert_exists = os.path.exists(constants.RAPI_CERT_FILE) |
... | ... | |
428 | 428 |
|
429 | 429 |
noded_cert = utils.ReadFile(constants.NODED_CERT_FILE) |
430 | 430 |
rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE) |
431 |
hmac_key = utils.ReadFile(constants.HMAC_CLUSTER_KEY)
|
|
431 |
confd_hmac_key = utils.ReadFile(constants.CONFD_HMAC_KEY)
|
|
432 | 432 |
|
433 | 433 |
# in the base64 pem encoding, neither '!' nor '.' are valid chars, |
434 | 434 |
# so we use this to detect an invalid certificate; as long as the |
435 | 435 |
# cert doesn't contain this, the here-document will be correctly |
436 | 436 |
# parsed by the shell sequence below. HMAC keys are hexadecimal strings, |
437 | 437 |
# so the same restrictions apply. |
438 |
for content in (noded_cert, rapi_cert, hmac_key): |
|
438 |
for content in (noded_cert, rapi_cert, confd_hmac_key):
|
|
439 | 439 |
if re.search('^!EOF\.', content, re.MULTILINE): |
440 | 440 |
raise errors.OpExecError("invalid SSL certificate or HMAC key") |
441 | 441 |
|
... | ... | |
443 | 443 |
noded_cert += "\n" |
444 | 444 |
if not rapi_cert.endswith("\n"): |
445 | 445 |
rapi_cert += "\n" |
446 |
if not hmac_key.endswith("\n"): |
|
447 |
hmac_key += "\n" |
|
446 |
if not confd_hmac_key.endswith("\n"):
|
|
447 |
confd_hmac_key += "\n"
|
|
448 | 448 |
|
449 | 449 |
# set up inter-node password and certificate and restarts the node daemon |
450 | 450 |
# and then connect with ssh to set password and start ganeti-noded |
... | ... | |
461 | 461 |
"%s start %s" % |
462 | 462 |
(constants.NODED_CERT_FILE, noded_cert, |
463 | 463 |
constants.RAPI_CERT_FILE, rapi_cert, |
464 |
constants.HMAC_CLUSTER_KEY, hmac_key,
|
|
464 |
constants.CONFD_HMAC_KEY, confd_hmac_key,
|
|
465 | 465 |
constants.NODED_CERT_FILE, constants.RAPI_CERT_FILE, |
466 |
constants.HMAC_CLUSTER_KEY,
|
|
466 |
constants.CONFD_HMAC_KEY,
|
|
467 | 467 |
constants.DAEMON_UTIL, constants.NODED)) |
468 | 468 |
|
469 | 469 |
result = sshrunner.Run(node, 'root', mycommand, batch=False, |