/ - Diff - snf-ganeti - Greek Research and Technology Network's projects

     way, specifiying the smaller version on the ``--to`` argument.
 .11
     ----
     When upgrading to 2.11, first apply the instructions of ``2.11 and
     above``. 2.11 comes with the new feature of enhanced RPC security
     through client certificates. This features needs to be enabled after the
     upgrade by::
        $ gnt-cluster renew-crypto --new-node-certificates
     Note that new node certificates are generated automatically without
     warning when upgrading with ``gnt-cluster upgrade``.
 .1 and above
     -------------

b/lib/cmdlib/cluster.py
3189	3189
3190	3190	feedback_fn("* Verifying configuration file consistency")
3191	3191
	3192	self._VerifyClientCertificates(self.my_node_info.values(), all_nvinfo)
3192	3193	# If not all nodes are being checked, we need to make sure the master node
3193	3194	# and a non-checked vm_capable node are in the list.
3194	3195	absent_node_uuids = set(self.all_node_info).difference(self.my_node_info)

         if ssl_verify_peer:
           ctx.set_verify(OpenSSL.SSL.VERIFY_PEER |
                          OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                          self._SSLVerifyCallback)
                          ssl_verify_callback)
           # Also add our certificate as a trusted CA to be sent to the client.
           # This is required at least for GnuTLS clients to work.

     import pycurl
     import threading
     import copy
     import os
     from ganeti import utils
     from ganeti import objects
-...
     def _ConfigRpcCurl(curl):
       noded_cert = str(pathutils.NODED_CERT_FILE)
       noded_client_cert = str(pathutils.NODED_CLIENT_CERT_FILE)
       # FIXME: The next two lines are necessary to ensure upgradability from
       # 2.10 to 2.11. Remove in 2.12, because this slows down RPC calls.
       if not os.path.exists(noded_client_cert):
         logging.info("Using server certificate as client certificate for RPC"
                      "call.")
         noded_client_cert = noded_cert
       curl.setopt(pycurl.FOLLOWLOCATION, False)
       curl.setopt(pycurl.CAINFO, noded_cert)
       curl.setopt(pycurl.SSL_VERIFYHOST, 0)
       curl.setopt(pycurl.SSL_VERIFYPEER, True)
       curl.setopt(pycurl.SSLCERTTYPE, "PEM")
       curl.setopt(pycurl.SSLCERT, noded_cert)
       curl.setopt(pycurl.SSLCERT, noded_client_cert)
       curl.setopt(pycurl.SSLKEYTYPE, "PEM")
       curl.setopt(pycurl.SSLKEY, noded_cert)
       curl.setopt(pycurl.SSLKEY, noded_client_cert)
       curl.setopt(pycurl.CONNECTTIMEOUT, constants.RPC_CONNECT_TIMEOUT)

     ~~~~~~~~~~~~
     | **renew-crypto** [-f]
     | [\--new-cluster-certificate]
     | [\--new-cluster-certificate] | [\--new-node-certificates]
     | [\--new-confd-hmac-key]
     | [\--new-rapi-certificate] [\--rapi-certificate *rapi-cert*]
     | [\--new-spice-certificate | \--spice-certificate *spice-cert*
-...
     can be used to regenerate respectively the cluster-internal SSL
     certificate and the HMAC key used by **ganeti-confd**\(8).
     The option ``--new-node-certificates`` will generate new node SSL
     certificates for all nodes. Note that the regeneration of the node
     certificates takes place after the other certificates are created
     and distributed and the ganeti daemons are restarted again.
     To generate a new self-signed RAPI certificate (used by
     **ganeti-rapi**\(8)) specify ``--new-rapi-certificate``. If you want to
     use your own certificate, e.g. one signed by a certificate

     import qualified Text.JSON as J
     import Text.JSON.Pretty (pp_value)
     import qualified Data.ByteString.Base64.Lazy as Base64
     import System.Directory
     import Network.Curl hiding (content)
     import qualified Ganeti.Path as P
-...
     executeRpcCalls :: (Rpc a b) => [(Node, a)] -> IO [(Node, ERpcError b)]
     executeRpcCalls nodeCalls = do
       cert_file <- P.nodedCertFile
       let (nodes, calls) = unzip nodeCalls
           opts = map (getOptionsForCall cert_file cert_file) calls
       client_cert_file_name <- P.nodedClientCertFile
       client_file_exists <- doesFileExist client_cert_file_name
       -- FIXME: This is needed to ensure upgradability to 2.11
       -- Remove in 2.12.
       let client_cert_file = if client_file_exists
                              then client_cert_file_name
                              else cert_file
           (nodes, calls) = unzip nodeCalls
           opts = map (getOptionsForCall cert_file client_cert_file) calls
           opts_urls = zipWith3 (\n c o ->
                              case prepareHttpRequest o n c of
                                Left v -> Left v

         self.ExecOpCode(op)
     class TestLUClusterVerifyClientCerts(CmdlibTestCase):
       def _AddNormalNode(self):
         self.normalnode = copy.deepcopy(self.master)
         self.normalnode.master_candidate = False
         self.normalnode.uuid = "normal-node-uuid"
         self.cfg.AddNode(self.normalnode, None)
       def testVerifyMasterCandidate(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {self.master.uuid: client_cert}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
       def testVerifyMasterCandidateInvalid(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {self.master.uuid: client_cert}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (666, "Invalid Certificate")}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("Client certificate")
         self.mcpu.assertLogContainsRegex("failed validation")
       def testVerifyNoMasterCandidateMap(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex(
           "list of master candidate certificates is empty")
       def testVerifyNoSharingMasterCandidates(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {
           self.master.uuid: client_cert,
           "some-other-master-candidate-uuid": client_cert}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex(
           "two master candidates configured to use the same")
       def testVerifyMasterCandidateCertMismatch(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {self.master.uuid: "different-cert-digest"}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("does not match its entry")
       def testVerifyMasterCandidateUnregistered(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {"other-node-uuid": "different-cert-digest"}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("does not have an entry")
       def testVerifyMasterCandidateOtherNodesCert(self):
         client_cert = "client-cert-digest"
         self.cluster.candidate_certs = {"other-node-uuid": client_cert}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("using a certificate of another node")
       def testNormalNodeStillInList(self):
         self._AddNormalNode()
         client_cert_master = "client-cert-digest-master"
         client_cert_normal = "client-cert-digest-normal"
         self.cluster.candidate_certs = {
           self.normalnode.uuid: client_cert_normal,
           self.master.uuid: client_cert_master}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.normalnode,
               {constants.NV_CLIENT_CERT: (None, client_cert_normal)}) \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("not a master candidate")
         self.mcpu.assertLogContainsRegex("still listed")
       def testNormalNodeStealingMasterCandidateCert(self):
         self._AddNormalNode()
         client_cert_master = "client-cert-digest-master"
         self.cluster.candidate_certs = {
           self.master.uuid: client_cert_master}
         self.rpc.call_node_verify.return_value = \
           RpcResultsBuilder() \
             .AddSuccessfulNode(self.normalnode,
               {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
             .AddSuccessfulNode(self.master,
               {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
             .Build()
         op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
         self.ExecOpCode(op)
         self.mcpu.assertLogContainsRegex("not a master candidate")
         self.mcpu.assertLogContainsRegex(
           "certificate of another node which is master candidate")
     class TestLUClusterVerifyGroupMethods(CmdlibTestCase):
       """Base class for testing individual methods in LUClusterVerifyGroup.

       version = utils.version.ParseVersion(versionstring)
       if utils.version.IsBefore(version, 2, 11, 0):
         # FIXME: Add client certificate handling here when resolving issue 692.
         pass
         result = utils.RunCmd(["gnt-cluster", "renew-crypto",
                                "--new-node-certificates", "-f"])
         if result.failed:
           cli.ToStderr("Failed to create node certificates: %s; Output %s" %
                        (result.fail_reason, result.output))
       return 0
     if __name__ == "__main__":

Synnefo » snf-ganeti

Revision d5104ca4