Juan Hernandez has uploaded a new change for review.
Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem
......................................................................
BZ#856167 - Store engine CA cert in enginecacert.pem
Currently we store the CA certificate that we download from the
engine for registration purposes in the /etc/pki/vdsm/cacert.pem file.
This file is then replaced by VDSM by its default one during reboot,
making a backup before. This means that after the reboot vdsm-reg can't
use it to download the SSH key, and this means that registration fails.
This patch changes deployUtil.py so that it downloads the engine CA
certificate to a new file: /etc/pki/vdsm/enginecacert.pem. This file is
preserved, so that vdsm-reg can use it to download the SSH key
correctly.
Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Signed-off-by: Juan Hernandez <juan.hernandez(a)redhat.com>
---
M vdsm_reg/deployUtil.py.in
M vdsm_reg/engine.py.in
2 files changed, 24 insertions(+), 20 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/38/8038/1
diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in
index bbda70e..60fda9e 100644
--- a/vdsm_reg/deployUtil.py.in
+++ b/vdsm_reg/deployUtil.py.in
@@ -629,10 +629,10 @@
"""
This functions returns the public ssh key of @ENGINENAME@.
"""
- CACERT, dontcare = certPaths('')
+ dontcare, dontcare, ENGINECACERT = certPaths('')
for cert in REMOTE_SSH_KEY_FILE:
data = getRemoteFile(IP, port, cert,
- timeout=HTTP_TIMEOUT, certPath=CACERT)
+ timeout=HTTP_TIMEOUT, certPath=ENGINECACERT)
if data != None:
break
@@ -1137,8 +1137,9 @@
if fAddID:
VDSMCERT = tsDir + "/certs/vdsm-" +
os.environ.get("SSH_CONNECTION").split()[2] + "-cert.pem"
CACERT = tsDir + "/certs/cacert.pem"
+ ENGINECACERT = tsDir + "/certs/enginecacert.pem"
- return CACERT, VDSMCERT
+ return CACERT, VDSMCERT, ENGINECACERT
def pkiCleanup(key, cert):
"""
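Review bot: ENGINECACERT is assigned only inside the `if fAddID:` branch, while `return CACERT, VDSMCERT, ENGINECACERT` appears to sit at function level; if certPaths has another path that sets CACERT and VDSMCERT (the function starts above the hunk, so I cannot see it), that path now needs an ENGINECACERT assignment too, otherwise the return raises NameError when fAddID is false. Every caller that unpacks the old two-tuple must also be updated; the ones in this change are, but any caller elsewhere in the tree would now fail with a ValueError on unpacking. A short docstring stating the tuple order would help, e.g. `"""Return the (CACERT, VDSMCERT, ENGINECACERT) paths for the given config file."""`.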
@@ -1185,7 +1186,7 @@
nGID = gGroup.gr_gid
uUserInfo = pwd.getpwnam(VDSM_USER)
nUID = uUserInfo.pw_uid
- CACERT, VDSMCERT = certPaths(confFile)
+ CACERT, VDSMCERT, ENGINECACERT = certPaths(confFile)
# Delete old certificates
logging.debug("instCert: try to delete old certificates")
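Review bot: ENGINECACERT is unpacked at `CACERT, VDSMCERT, ENGINECACERT = certPaths(confFile)` but not used in the visible part of instCert; if the rest of the function (which continues outside the hunk) does not use it either, `CACERT, VDSMCERT, dontcare = certPaths(confFile)` would follow the convention the change uses at the other call sites. If the "delete old certificates" step is meant to leave the engine CA file untouched, a one-line comment saying so would make that intent explicit.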
@@ -1447,34 +1448,37 @@
backupTime = dt.strftime("%Y-%m-%d_%H%M%S")
for pemFile in certs:
- certName = os.path.basename(pemFile)
- dirName = os.path.dirname(pemFile)
+ if os.path.exists(pemFile):
+ certName = os.path.basename(pemFile)
+ dirName = os.path.dirname(pemFile)
- bkpCertName = dirName + "/bkp-" + backupTime + '_' + certName
+ bkpCertName = dirName + "/bkp-" + backupTime + '_' +
certName
- shutil.copy2(pemFile, bkpCertName)
- st = os.stat(pemFile)
- os.chown(bkpCertName, st.st_uid, st.st_gid)
- ovirtfunctions.ovirt_store_config(bkpCertName)
+ shutil.copy2(pemFile, bkpCertName)
+ st = os.stat(pemFile)
+ os.chown(bkpCertName, st.st_uid, st.st_gid)
+ ovirtfunctions.ovirt_store_config(bkpCertName)
def nodeCleanup():
if isOvirt():
- CACERT, VDSMCERT = certPaths('')
+ CACERT, VDSMCERT, ENGINECACERT = certPaths('')
- _nodeBackupCerts([CACERT, VDSMCERT])
+ _nodeBackupCerts([CACERT, VDSMCERT, ENGINECACERT])
if os.path.exists(CACERT):
ovirtfunctions.ovirt_safe_delete_config(CACERT)
+ if os.path.exists(ENGINECACERT):
+ ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT)
def getRhevmCert(IP, port):
- CACERT, VDSMCERT = certPaths('')
+ dontcare, VDSMCERT, ENGINECACERT = certPaths('')
RHEVM_CERT_FILE = "/ca.crt"
rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
if rhevmCert:
- dirName = os.path.dirname(CACERT)
+ dirName = os.path.dirname(ENGINECACERT)
if not os.path.exists(dirName):
os.makedirs(dirName)
- crt = file(CACERT, "w+")
+ crt = file(ENGINECACERT, "w+")
try:
crt.write(rhevmCert)
finally:
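Review bot: nodeCleanup now backs up and then deletes ENGINECACERT exactly like CACERT, which looks at odds with the description's claim that enginecacert.pem is preserved so vdsm-reg can use it after reboot; if nodeCleanup runs on the reboot path, the original failure would recur, so it is worth confirming when nodeCleanup is invoked and commenting the intent either way. In getRhevmCert, `dontcare, VDSMCERT, ENGINECACERT = certPaths('')` binds VDSMCERT without using it in the visible lines; `dontcare, dontcare, ENGINECACERT = certPaths('')` matches the other call sites in this change. getRhevmCert writes the fetched certificate to ENGINECACERT before any fingerprint check, which the callers perform, so a comment such as `# The file written here is unverified until the caller compares its fingerprint.` would help the next reader. getRhevmCert's body continues outside the hunk.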
@@ -1542,14 +1546,14 @@
if not getRhevmCert(options.serverIp, options.serverPort):
print 'Failed downloading the @ENGINENAME@ certificate file'
return -1
- CACERT, dontcare = certPaths('')
- fp = generateFingerPrint(CACERT)
+ dontcare, dontcare, ENGINECACERT = certPaths('')
+ fp = generateFingerPrint(ENGINECACERT)
if options.fingerPrint != fp:
print 'Expected fingerprint %s is different from recieved fingerprint
%s' % (options.fingerPrint, fp)
return -1
if isOvirt():
- ovirtfunctions.ovirt_store_config(CACERT)
+ ovirtfunctions.ovirt_store_config(ENGINECACERT)
print '@ENGINENAME@ certificate downloaded and verified successfully.'
return 0
print 'Missing arguments'
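Review bot: When `options.fingerPrint != fp`, the certificate that getRhevmCert already wrote to ENGINECACERT is left on disk before `return -1`; because getEngineSSHKey (first hunk) passes that file as certPath, a later run could trust a CA whose fingerprint was never accepted. Removing it in the mismatch branch, `os.remove(ENGINECACERT)` just before the `return -1`, keeps the on-disk state consistent with the verification result (os is already used in this file). The enclosing function starts and ends outside the hunk.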
diff --git a/vdsm_reg/engine.py.in b/vdsm_reg/engine.py.in
index 15e38b5..8be6940 100644
--- a/vdsm_reg/engine.py.in
+++ b/vdsm_reg/engine.py.in
@@ -283,7 +283,7 @@
if self.verify_engine_cert.selected():
if deployUtil.getRhevmCert(self.engine_server.value(), enginePort):
- path, dontCare = deployUtil.certPaths('')
+ path, dontCare, dontCare = deployUtil.certPaths('')
fp = deployUtil.generateFingerPrint(path)
approval = ButtonChoiceWindow(self.ncs.screen,
"Certificate Fingerprint:",
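Review bot: `path, dontCare, dontCare = deployUtil.certPaths('')` binds path to the first tuple element, which is CACERT (cacert.pem), but getRhevmCert now writes the downloaded certificate to the third element, ENGINECACERT, so the fingerprint shown to the user on the next line is computed from the wrong file (or fails if cacert.pem is absent). It should read `dontCare, dontCare, path = deployUtil.certPaths('')`, matching the `dontcare, dontcare, ENGINECACERT = certPaths('')` form used in deployUtil.py.in. The enclosing method continues outside the hunk.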
--
To view, visit
http://gerrit.ovirt.org/8038
Gerrit-MessageType: newchange
Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernandez(a)redhat.com>