Revision 60cc531d
b/lib/bootstrap.py | ||
---|---|---|
92 | 92 |
|
93 | 93 |
|
94 | 94 |
def GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, new_spice_cert, |
95 |
new_confd_hmac_key, new_cds, |
|
95 |
new_confd_hmac_key, new_cds, new_node_client_cert,
|
|
96 | 96 |
rapi_cert_pem=None, spice_cert_pem=None, |
97 | 97 |
spice_cacert_pem=None, cds=None, |
98 | 98 |
nodecert_file=pathutils.NODED_CERT_FILE, |
99 |
nodecert_client_file=pathutils.NODED_CLIENT_CERT_FILE, |
|
99 | 100 |
rapicert_file=pathutils.RAPI_CERT_FILE, |
100 | 101 |
spicecert_file=pathutils.SPICE_CERT_FILE, |
101 | 102 |
spicecacert_file=pathutils.SPICE_CACERT_FILE, |
... | ... | |
113 | 114 |
@param new_confd_hmac_key: Whether to generate a new HMAC key |
114 | 115 |
@type new_cds: bool |
115 | 116 |
@param new_cds: Whether to generate a new cluster domain secret |
117 |
@type new_node_client_cert: bool |
|
118 |
@param new_node_client_cert: Whether to generate a new node (SSL) |
|
119 |
client certificate |
|
116 | 120 |
@type rapi_cert_pem: string |
117 | 121 |
@param rapi_cert_pem: New RAPI certificate in PEM format |
118 | 122 |
@type spice_cert_pem: string |
... | ... | |
124 | 128 |
@param cds: New cluster domain secret |
125 | 129 |
@type nodecert_file: string |
126 | 130 |
@param nodecert_file: optional override of the node cert file path |
131 |
@type nodecert_client_file: string |
|
132 |
@param nodecert_client_file: optional override of the node client certificate |
|
133 |
file path |
|
127 | 134 |
@type rapicert_file: string |
128 | 135 |
@param rapicert_file: optional override of the rapi cert file path |
129 | 136 |
@type spicecert_file: string |
... | ... | |
135 | 142 |
|
136 | 143 |
""" |
137 | 144 |
# noded SSL certificate |
138 |
cluster_cert_exists = os.path.exists(nodecert_file) |
|
139 |
if new_cluster_cert or not cluster_cert_exists: |
|
140 |
if cluster_cert_exists: |
|
141 |
utils.CreateBackup(nodecert_file) |
|
145 |
utils.GenerateNewSslCert( |
|
146 |
new_cluster_cert, nodecert_file, |
|
147 |
"Generating new cluster certificate at %s" % nodecert_file) |
|
142 | 148 |
|
143 |
logging.debug("Generating new cluster certificate at %s", nodecert_file) |
|
144 |
utils.GenerateSelfSignedSslCert(nodecert_file) |
|
149 |
# noded client SSL certificate (to be used only by this very node) |
|
150 |
utils.GenerateNewSslCert( |
|
151 |
new_node_client_cert, nodecert_client_file, |
|
152 |
"Generating new node client certificate at %s" % nodecert_client_file) |
|
145 | 153 |
|
146 | 154 |
# confd HMAC key |
147 | 155 |
if new_confd_hmac_key or not os.path.exists(hmackey_file): |
148 | 156 |
logging.debug("Writing new confd HMAC key to %s", hmackey_file) |
149 | 157 |
GenerateHmacKey(hmackey_file) |
150 | 158 |
|
151 |
# RAPI |
|
152 |
rapi_cert_exists = os.path.exists(rapicert_file) |
|
153 |
|
|
154 | 159 |
if rapi_cert_pem: |
155 | 160 |
# Assume rapi_pem contains a valid PEM-formatted certificate and key |
156 | 161 |
logging.debug("Writing RAPI certificate at %s", rapicert_file) |
157 | 162 |
utils.WriteFile(rapicert_file, data=rapi_cert_pem, backup=True) |
158 | 163 |
|
159 |
elif new_rapi_cert or not rapi_cert_exists: |
|
160 |
if rapi_cert_exists: |
|
161 |
utils.CreateBackup(rapicert_file) |
|
162 |
|
|
163 |
logging.debug("Generating new RAPI certificate at %s", rapicert_file) |
|
164 |
utils.GenerateSelfSignedSslCert(rapicert_file) |
|
164 |
else: |
|
165 |
utils.GenerateNewSslCert( |
|
166 |
new_rapi_cert, rapicert_file, |
|
167 |
"Generating new RAPI certificate at %s" % rapicert_file) |
|
165 | 168 |
|
166 | 169 |
# SPICE |
167 | 170 |
spice_cert_exists = os.path.exists(spicecert_file) |
... | ... | |
209 | 212 |
|
210 | 213 |
""" |
211 | 214 |
# Generate cluster secrets |
212 |
GenerateClusterCrypto(True, False, False, False, False) |
|
215 |
GenerateClusterCrypto(True, False, False, False, False, True)
|
|
213 | 216 |
|
214 | 217 |
result = utils.RunCmd([pathutils.DAEMON_UTIL, "start", constants.NODED]) |
215 | 218 |
if result.failed: |
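Review bot: The six leading boolean parameters of `GenerateClusterCrypto` are passed positionally at every call site — `GenerateClusterCrypto(True, False, False, False, False, True)` in the InitCluster hunk here, and likewise in lib/client/gnt_cluster.py and tools/cfgupgrade — and inserting `new_node_client_cert` into the middle of that list makes each call hard to read and easy to misorder silently, since every argument is a bool of the same shape. Passing them by keyword at the call sites (`new_cluster_cert=True, ..., new_node_client_cert=True`) or making them keyword-only would let a misordered argument fail loudly instead. The `@param new_node_client_cert` docstring should also note, as the `GenerateNewSslCert` helper implements, that the certificate is created whenever the file is missing regardless of the flag. `GenerateClusterCrypto` continues past the end of this section.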
b/lib/client/gnt_cluster.py | ||
---|---|---|
961 | 961 |
|
962 | 962 |
def _RenewCryptoInner(ctx): |
963 | 963 |
ctx.feedback_fn("Updating certificates and keys") |
964 |
# FIXME: add separate option for client certs |
|
964 | 965 |
bootstrap.GenerateClusterCrypto(new_cluster_cert, |
965 | 966 |
new_rapi_cert, |
966 | 967 |
new_spice_cert, |
967 | 968 |
new_confd_hmac_key, |
968 | 969 |
new_cds, |
970 |
new_cluster_cert, |
|
969 | 971 |
rapi_cert_pem=rapi_cert_pem, |
970 | 972 |
spice_cert_pem=spice_cert_pem, |
971 | 973 |
spice_cacert_pem=spice_cacert_pem, |
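Review bot: The added `new_cluster_cert,` line passes the cluster-certificate flag a second time as the positional `new_node_client_cert` argument, so the node client certificate is silently tied to cluster-certificate renewal and a reader of the call cannot tell the two arguments apart; writing it as `new_node_client_cert=new_cluster_cert,  # FIXME: separate option` keeps the intent visible on the line itself rather than in a comment several lines above. Whether regenerating the client certificate on this node alone leaves other nodes holding a stale copy is not visible here and is worth confirming before the FIXME is closed. `_RenewCryptoInner` continues past the end of this section.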
b/lib/pathutils.py | ||
---|---|---|
106 | 106 |
|
107 | 107 |
#: Node daemon certificate path |
108 | 108 |
NODED_CERT_FILE = DATA_DIR + "/server.pem" |
109 |
NODED_CLIENT_CERT_FILE = DATA_DIR + "/client.pem" |
|
109 | 110 |
|
110 | 111 |
#: Node daemon certificate file permissions |
111 | 112 |
NODED_CERT_MODE = 0440 |
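Review bot: `NODED_CLIENT_CERT_FILE` is added directly under the `#: Node daemon certificate path` comment that documents `NODED_CERT_FILE`, so the new constant is undocumented and the existing comment now reads as if it covered both; add `#: Node daemon client certificate path (used only by this node)` above the new line. The `NODED_CERT_MODE` constant below documents the mode of the server certificate; whether the client certificate file, which presumably carries its key alongside the certificate like the other PEM files here, is written with the same restrictive mode is not visible in this section and worth confirming where the file is created.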
b/lib/utils/security.py | ||
---|---|---|
24 | 24 |
|
25 | 25 |
import logging |
26 | 26 |
import OpenSSL |
27 |
import os |
|
27 | 28 |
|
28 | 29 |
from ganeti.utils import io |
30 |
from ganeti.utils import x509 |
|
29 | 31 |
from ganeti import pathutils |
30 | 32 |
|
31 | 33 |
|
... | ... | |
92 | 94 |
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, |
93 | 95 |
cert_plain) |
94 | 96 |
return cert.digest("sha1") |
97 |
|
|
98 |
|
|
99 |
def GenerateNewSslCert(new_cert, cert_filename, log_msg): |
|
100 |
"""Creates a new SSL certificate and backups the old one. |
|
101 |
|
|
102 |
@type new_cert: boolean |
|
103 |
@param new_cert: whether a new certificate should be created |
|
104 |
@type cert_filename: string |
|
105 |
@param cert_filename: filename of the certificate file |
|
106 |
@type log_msg: string |
|
107 |
@param log_msg: log message to be written on certificate creation |
|
108 |
|
|
109 |
""" |
|
110 |
cert_exists = os.path.exists(cert_filename) |
|
111 |
if new_cert or not cert_exists: |
|
112 |
if cert_exists: |
|
113 |
io.CreateBackup(cert_filename) |
|
114 |
|
|
115 |
logging.debug(log_msg) |
|
116 |
x509.GenerateSelfSignedSslCert(cert_filename) |
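Review bot: `GenerateNewSslCert` backs up an existing certificate file before overwriting it, and if these PEM files carry the private key as well (as the RAPI path in bootstrap.py suggests), the backup copy must keep the original's restrictive mode; whether `io.CreateBackup` preserves it is not visible here and deserves a one-line note in the docstring once confirmed. The docstring summary should read `"""Creates a new SSL certificate and backs up the old one.`, and `@type new_cert: boolean` should be `bool` to match the `@type` lines in bootstrap.py. `logging.debug(log_msg)` is correct only because no format args are passed; a note such as `# log_msg is already formatted by the caller` would stop a later edit from adding args and double-formatting it.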
b/tools/cfgupgrade | ||
---|---|---|
571 | 571 |
backup=True) |
572 | 572 |
|
573 | 573 |
if not options.dry_run: |
574 |
# FIXME: fix node client certificate |
|
574 | 575 |
bootstrap.GenerateClusterCrypto( |
575 |
False, False, False, False, False, |
|
576 |
False, False, False, False, False, False,
|
|
576 | 577 |
nodecert_file=options.SERVER_PEM_PATH, |
577 | 578 |
rapicert_file=options.RAPI_CERT_FILE, |
578 | 579 |
spicecert_file=options.SPICE_CERT_FILE, |
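Review bot: The call overrides `nodecert_file`, `rapicert_file` and `spicecert_file` from `options` but passes no `nodecert_client_file`, so when the client certificate does not yet exist (the usual case for a cluster being upgraded to this revision) `GenerateClusterCrypto` creates it at the default `pathutils.NODED_CLIENT_CERT_FILE` rather than under the data directory the other paths point to, even though `False` is passed for `new_node_client_cert`. The `# FIXME: fix node client certificate` comment should say this explicitly, or an options-derived path should be passed like the others; no such option is visible in this section, so its absence is inferred from the call. The `if not options.dry_run:` block continues past the end of this section.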