def _set_security(rabbitmq_ssl_enabled,
                  rabbitmq_cert_private,
                  rabbitmq_cert_public):
    """Install the broker's TLS material and the matching rabbitmq.config.

    Args:
        rabbitmq_ssl_enabled: truthy when the broker should listen over TLS.
        rabbitmq_cert_private: private key content, falsy when not supplied.
        rabbitmq_cert_public: public certificate content, falsy when not
            supplied.

    With TLS enabled both key and certificate are required; a lone one aborts
    the operation instead of leaving a half-configured listener.  With TLS
    disabled the plain config is deployed and stray certificate material only
    produces a warning.
    """
    target_config = '/etc/rabbitmq/rabbitmq.config'

    if not rabbitmq_ssl_enabled:
        utils.deploy_blueprint_resource(
            '{0}/rabbitmq.config-nossl'.format(CONFIG_PATH),
            target_config,
            RABBITMQ_SERVICE_NAME, user_resource=True)
        # Material was handed over but will never be used: say so.
        if rabbitmq_cert_private or rabbitmq_cert_public:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
        return

    if not (rabbitmq_cert_private and rabbitmq_cert_public):
        ctx.abort_operation('When providing a certificate for rabbitmq, '
                            'both public and private certificates must be '
                            'supplied.')
        return

    # Both files are deployed with 'rabbitmq' as the owner argument; the
    # ownership and permission details live in utils.deploy_ssl_certificate.
    certificates = (
        ('private', '/etc/rabbitmq/rabbit-priv.pem', rabbitmq_cert_private),
        ('public', '/etc/rabbitmq/rabbit-pub.pem', rabbitmq_cert_public),
    )
    for kind, path, content in certificates:
        utils.deploy_ssl_certificate(kind, path, 'rabbitmq', content)

    # Configure for SSL
    utils.deploy_blueprint_resource(
        '{0}/rabbitmq.config-ssl'.format(CONFIG_PATH),
        target_config,
        RABBITMQ_SERVICE_NAME, user_resource=True)
def _set_security(rabbitmq_ssl_enabled, rabbitmq_cert_private,
                  rabbitmq_cert_public):
    """Deploy broker certificates and pick the SSL or plain rabbitmq.config.

    Args:
        rabbitmq_ssl_enabled: truthy when the broker should listen over TLS.
        rabbitmq_cert_private: private key content, falsy when not supplied.
        rabbitmq_cert_public: public certificate content, falsy when not
            supplied.

    Supplying only one of key/certificate while TLS is enabled aborts the
    operation; supplying either while TLS is disabled only logs a warning.
    """
    config_sources = {
        True: '{0}/rabbitmq.config-ssl'.format(CONFIG_PATH),
        False: '{0}/rabbitmq.config-nossl'.format(CONFIG_PATH),
    }

    def deploy_config(ssl):
        # Both variants ship as blueprint resources and land on the same
        # target path; only the source name differs.
        utils.deploy_blueprint_resource(
            config_sources[ssl],
            '/etc/rabbitmq/rabbitmq.config',
            RABBITMQ_SERVICE_NAME,
            user_resource=True)

    have_both = bool(rabbitmq_cert_private) and bool(rabbitmq_cert_public)
    have_any = bool(rabbitmq_cert_private) or bool(rabbitmq_cert_public)

    if rabbitmq_ssl_enabled:
        if not have_both:
            ctx.abort_operation('When providing a certificate for rabbitmq, '
                                'both public and private certificates must be '
                                'supplied.')
            return
        utils.deploy_ssl_certificate('private',
                                     '/etc/rabbitmq/rabbit-priv.pem',
                                     'rabbitmq', rabbitmq_cert_private)
        utils.deploy_ssl_certificate('public',
                                     '/etc/rabbitmq/rabbit-pub.pem',
                                     'rabbitmq', rabbitmq_cert_public)
        deploy_config(True)
    else:
        deploy_config(False)
        if have_any:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
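def deploy_broker_configuration():
    """Publish ES/broker endpoints as runtime properties and stage the AMQP cert.

    ``es_endpoint_ip`` is taken from the ``ES_ENDPOINT_IP`` environment
    variable (KeyError if unset); the TLS flag and public certificate come
    from the node's properties.  With TLS enabled the certificate is written
    under ``REST_SERVICE_HOME`` and the TLS port selected; otherwise the
    plain port is used and a supplied certificate only produces a warning.
    Aborts the operation when TLS is enabled but no certificate was given.
    """
    # Standard AMQP ports; the TLS one is selected only when the broker
    # actually speaks TLS.
    broker_port_ssl = 5671
    broker_port_no_ssl = 5672

    # injected as an input to the script
    ctx.instance.runtime_properties['es_endpoint_ip'] = \
        os.environ['ES_ENDPOINT_IP']
    ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \
        utils.get_rabbitmq_endpoint_ip()

    rabbitmq_ssl_enabled = ctx.node.properties['rabbitmq_ssl_enabled']
    rabbitmq_cert_public = ctx.node.properties['rabbitmq_cert_public']

    # Add certificate and select port, as applicable
    if rabbitmq_ssl_enabled:
        # Fail closed with a message that names the missing input, consistent
        # with the rabbitmq-side _set_security check, instead of relying on
        # the certificate helper to reject an empty value.
        if not rabbitmq_cert_public:
            ctx.abort_operation('rabbitmq_ssl_enabled is True but no '
                                'rabbitmq_cert_public was supplied.')
            return
        broker_cert_path = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', broker_cert_path, 'root',
                                     rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
        # Use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_ssl
    else:
        # No SSL, don't use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl
        if rabbitmq_cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')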
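def _deploy_broker_configuration(amqpinflux_group):
    """Install the broker's public certificate for amqpinflux when TLS is on.

    Reads ``rabbitmq_ssl_enabled`` and ``rabbitmq_cert_public`` from the
    rabbitmq node's properties.  With TLS on, the certificate is written to
    ``AMQPINFLUX_HOME/amqp_pub.pem`` and its path published as the
    ``broker_cert_path`` runtime property; with TLS off, a supplied
    certificate only produces a warning.

    Args:
        amqpinflux_group: passed through to ``utils.deploy_ssl_certificate``
            as the owner argument for the certificate file.
    """
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    rabbitmq_cert_enabled = rabbit_props['rabbitmq_ssl_enabled']
    rabbitmq_cert_public = rabbit_props['rabbitmq_cert_public']

    if rabbitmq_cert_enabled:
        # Fail closed with a message that names the missing input rather than
        # relying on the deploy helper to reject an empty certificate.
        if not rabbitmq_cert_public:
            ctx.abort_operation('rabbitmq_ssl_enabled is True but no '
                                'rabbitmq_cert_public was supplied.')
            return
        broker_cert_path = os.path.join(AMQPINFLUX_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', broker_cert_path,
                                     amqpinflux_group, rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
    elif rabbitmq_cert_public is not None:
        ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                        '(broker_ssl_enabled is False).')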
def _deploy_broker_configuration(amqpinflux_group):
    """Stage the broker's public certificate for amqpinflux when TLS is on.

    Args:
        amqpinflux_group: handed to ``utils.deploy_ssl_certificate`` as the
            owner argument for the certificate file.

    With TLS off nothing is written; a certificate supplied anyway is only
    reported as a warning.
    """
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    tls_on = rabbit_props['rabbitmq_ssl_enabled']
    public_cert = rabbit_props['rabbitmq_cert_public']

    if not tls_on:
        # Certificate material for a plaintext broker is never installed;
        # flag it so the operator notices the mismatch.
        if public_cert is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
        return

    cert_target = os.path.join(AMQPINFLUX_HOME, 'amqp_pub.pem')
    # Per the original note the deploy helper raises when the certificate is
    # missing; that behaviour is not verifiable from this file.
    utils.deploy_ssl_certificate('public', cert_target, amqpinflux_group,
                                 public_cert)
    ctx.instance.runtime_properties['broker_cert_path'] = cert_target
def deploy_broker_configuration():
    """Publish ES, broker and PostgreSQL settings as runtime properties.

    ``es_endpoint_ip`` comes from the ``ES_ENDPOINT_IP`` environment variable
    (KeyError if unset); everything else comes from the ``elasticsearch``,
    ``rabbitmq`` and ``postgresql-9.5`` node properties via
    ``utils.ctx_factory``.  With TLS enabled the broker's public certificate
    is written under ``REST_SERVICE_HOME`` and the TLS port selected;
    otherwise the plain port is used and a stray certificate only produces a
    warning.
    """
    def publish(key, value):
        # Keeps the long list of exports readable; same target as before.
        ctx.instance.runtime_properties[key] = value

    # Standard AMQP ports.
    tls_port, plain_port = 5671, 5672

    # injected as an input to the script
    publish('es_endpoint_ip', os.environ['ES_ENDPOINT_IP'])

    es_props = utils.ctx_factory.get('elasticsearch')
    publish('es_endpoint_port', es_props['es_endpoint_port'])

    rabbit_props = utils.ctx_factory.get('rabbitmq')
    publish('rabbitmq_endpoint_ip',
            utils.get_rabbitmq_endpoint_ip(
                rabbit_props.get('rabbitmq_endpoint_ip')))

    tls_on = rabbit_props['rabbitmq_ssl_enabled']
    public_cert = rabbit_props['rabbitmq_cert_public']

    publish('rabbitmq_ssl_enabled', tls_on)
    # NOTE(review): the broker password is persisted as a runtime property;
    # confirm who can read node-instance state on this manager.
    publish('rabbitmq_username', rabbit_props.get('rabbitmq_username'))
    publish('rabbitmq_password', rabbit_props.get('rabbitmq_password'))

    ctx.logger.info('Retrieving postgresql input configuration')
    pg_props = utils.ctx_factory.get('postgresql-9.5')
    publish('postgresql_db_name', pg_props.get('postgresql_db_name'))
    publish('postgresql_host', pg_props.get('postgresql_host'))

    # Add certificate and select port, as applicable
    if not tls_on:
        # No SSL, don't use SSL port
        publish('broker_port', plain_port)
        if public_cert is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
        return

    cert_target = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
    utils.deploy_ssl_certificate('public', cert_target, 'root', public_cert)
    publish('broker_cert_path', cert_target)
    # Use SSL port
    publish('broker_port', tls_port)
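def deploy_broker_configuration():
    """Publish broker and PostgreSQL settings as runtime properties.

    Reads the ``rabbitmq`` and ``postgresql-9.5`` node properties via
    ``utils.ctx_factory``, publishes endpoint, TLS flag, credentials, DB name
    and host on the instance, and with TLS enabled stages the broker's
    public certificate under ``REST_SERVICE_HOME`` and selects the TLS port.
    Aborts the operation when TLS is enabled but no certificate was given.
    """
    # Standard AMQP ports; the TLS one is chosen only when the broker
    # actually speaks TLS.
    broker_port_ssl = 5671
    broker_port_no_ssl = 5672

    # injected as an input to the script
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \
        utils.get_rabbitmq_endpoint_ip(
                rabbit_props.get('rabbitmq_endpoint_ip'))

    rabbitmq_ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    rabbitmq_cert_public = rabbit_props['rabbitmq_cert_public']
    # Validate before publishing anything further: a TLS broker with nothing
    # to trust is a configuration error, reported with the input's name
    # (consistent with _set_security) rather than left to the cert helper.
    if rabbitmq_ssl_enabled and not rabbitmq_cert_public:
        ctx.abort_operation('rabbitmq_ssl_enabled is True but no '
                            'rabbitmq_cert_public was supplied.')
        return

    ctx.instance.runtime_properties['rabbitmq_ssl_enabled'] = \
        rabbitmq_ssl_enabled
    # NOTE(review): the broker password is persisted as a runtime property;
    # confirm who can read node-instance state on this manager.
    ctx.instance.runtime_properties['rabbitmq_username'] = \
        rabbit_props.get('rabbitmq_username')
    ctx.instance.runtime_properties['rabbitmq_password'] = \
        rabbit_props.get('rabbitmq_password')

    ctx.logger.info('Retrieving postgresql input configuration')
    postgresql_props = utils.ctx_factory.get('postgresql-9.5')
    ctx.instance.runtime_properties['postgresql_db_name'] = \
        postgresql_props.get('postgresql_db_name')
    ctx.instance.runtime_properties['postgresql_host'] = \
        postgresql_props.get('postgresql_host')

    # Add certificate and select port, as applicable
    if rabbitmq_ssl_enabled:
        broker_cert_path = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate(
            'public', broker_cert_path, 'root', rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
        # Use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_ssl
    else:
        # No SSL, don't use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl
        if rabbitmq_cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')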
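def _breaks_json_string(value):
    """Return True if *value* cannot be placed verbatim inside a JSON string.

    The double quote, the backslash and control characters are the characters
    json.org requires to be escaped; a credential containing one of them would
    either corrupt the generated broker_config.json or change its structure.
    """
    text = '%s' % (value,)
    return any(ch in '"\\' or ord(ch) < 0x20 for ch in text)


def install_mgmtworker():
    """Install and configure the management worker.

    Publishes the broker endpoint, credentials, TLS flag and port as runtime
    properties, installs the worker RPM, stages the broker's public
    certificate when TLS is enabled, and deploys ``broker_config.json`` into
    the worker's work directory before configuring systemd and logrotate.

    Reads ``ctx_properties`` for the RPM source URL and the credentials, and
    the ``rabbitmq`` node properties for the TLS settings.  Aborts the
    operation when TLS is enabled without a certificate, when a credential
    would break the JSON config, or when the worker virtualenv is missing
    after the RPM install.
    """
    management_worker_rpm_source_url = \
        ctx_properties['management_worker_rpm_source_url']

    # these must all be exported as part of the start operation.
    # they will not persist, so we should use the new agent
    # don't forget to change all localhosts to the relevant ips
    mgmtworker_home = '/opt/mgmtworker'
    mgmtworker_venv = '{0}/env'.format(mgmtworker_home)
    celery_work_dir = '{0}/work'.format(mgmtworker_home)
    celery_log_dir = "/var/log/cloudify/mgmtworker"

    # Strings rather than ints here, unlike the other deploy functions;
    # presumably because they are rendered into the JSON template -- confirm.
    broker_port_ssl = '5671'
    broker_port_no_ssl = '5672'
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    rabbitmq_ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(rabbitmq_ssl_enabled))
    rabbitmq_cert_public = rabbit_props['rabbitmq_cert_public']
    # Validate before touching the system: fail closed with a message naming
    # the missing input, consistent with the rabbitmq-side _set_security.
    if rabbitmq_ssl_enabled and not rabbitmq_cert_public:
        ctx.abort_operation('rabbitmq_ssl_enabled is True but no '
                            'rabbitmq_cert_public was supplied.')
        return

    ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \
        utils.get_rabbitmq_endpoint_ip(
                rabbit_props.get('rabbitmq_endpoint_ip'))

    # The credentials end up inside broker_config.json (rendered from a
    # blueprint resource that is not visible here).  Rather than escaping
    # them, reject anything that would break or restructure the JSON string:
    # the original note accepted such input breaking things noisily
    # downstream, this makes the noise happen here with a useful message.
    # Only the key name is reported, never the value.
    for key in ['rabbitmq_username', 'rabbitmq_password']:
        value = ctx_properties[key]
        if value is not None and _breaks_json_string(value):
            ctx.abort_operation(
                '{0} contains a double quote, backslash or control '
                'character, which cannot be written into broker_config.json '
                'unescaped.'.format(key))
            return
        ctx.instance.runtime_properties[key] = value

    # Make the ssl enabled flag work with json (boolean in lower case)
    # TODO: check if still needed:
    # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')"  # NOQA
    ctx.instance.runtime_properties['rabbitmq_ssl_enabled'] = \
        rabbitmq_ssl_enabled

    ctx.logger.info('Installing Management Worker...')
    utils.set_selinux_permissive()

    utils.copy_notice(MGMT_WORKER_SERVICE_NAME)
    utils.mkdir(mgmtworker_home)
    utils.mkdir('{0}/config'.format(mgmtworker_home))
    utils.mkdir(celery_log_dir)
    utils.mkdir(celery_work_dir)

    # this create the mgmtworker_venv and installs the relevant
    # modules into it.
    utils.yum_install(management_worker_rpm_source_url,
                      service_name=MGMT_WORKER_SERVICE_NAME)
    _install_optional(mgmtworker_venv)

    # Add certificate and select port, as applicable
    if rabbitmq_ssl_enabled:
        broker_cert_path = '{0}/amqp_pub.pem'.format(mgmtworker_home)
        utils.deploy_ssl_certificate(
            'public', broker_cert_path, 'root', rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
        # Use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_ssl
    else:
        # No SSL, don't use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl
        if rabbitmq_cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')

    ctx.logger.info("broker_port: {0}".format(
        ctx.instance.runtime_properties['broker_port']))
    ctx.logger.info('Configuring Management worker...')
    # Deploy the broker configuration.  The interpreter is the cheapest sign
    # that the RPM install actually produced the virtualenv; previously a
    # missing one was skipped silently and the service was configured with
    # no broker configuration at all, so stop here instead.
    if not os.path.isfile(os.path.join(mgmtworker_venv, 'bin/python')):
        ctx.abort_operation(
            'Management worker virtualenv not found at {0}/bin/python after '
            'installing the RPM.'.format(mgmtworker_venv))
        return
    broker_conf_path = os.path.join(celery_work_dir, 'broker_config.json')
    utils.deploy_blueprint_resource(
        '{0}/broker_config.json'.format(CONFIG_PATH), broker_conf_path,
        MGMT_WORKER_SERVICE_NAME)
    # The config contains credentials, do not let the world read it
    utils.sudo(['chmod', '440', broker_conf_path])
    utils.systemd.configure(MGMT_WORKER_SERVICE_NAME)
    utils.logrotate(MGMT_WORKER_SERVICE_NAME)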
def install_mgmtworker():
    """Install and configure the management worker.

    Publishes the broker endpoint, credentials, TLS flag and port as runtime
    properties, installs the worker RPM, stages the broker's public
    certificate when TLS is enabled, and deploys ``broker_config.json`` into
    the worker's work directory before configuring systemd and logrotate.
    All inputs are read from ``ctx_properties``.
    """

    management_worker_rpm_source_url = \
        ctx_properties['management_worker_rpm_source_url']

    # these must all be exported as part of the start operation.
    # they will not persist, so we should use the new agent
    # don't forget to change all localhosts to the relevant ips
    mgmtworker_home = '/opt/mgmtworker'
    mgmtworker_venv = '{0}/env'.format(mgmtworker_home)
    celery_work_dir = '{0}/work'.format(mgmtworker_home)
    celery_log_dir = "/var/log/cloudify/mgmtworker"

    # Strings rather than ints here, unlike the other deploy functions;
    # presumably because they are rendered into the JSON template -- confirm.
    broker_port_ssl = '5671'
    broker_port_no_ssl = '5672'
    rabbitmq_ssl_enabled = ctx_properties['rabbitmq_ssl_enabled']
    ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(rabbitmq_ssl_enabled))
    rabbitmq_cert_public = ctx_properties['rabbitmq_cert_public']

    ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \
        utils.get_rabbitmq_endpoint_ip(
                ctx_properties.get('rabbitmq_endpoint_ip'))

    # Fix possible injections in json of rabbit credentials
    # See json.org for string spec
    # NOTE(review): the values are copied unchanged; a double quote or
    # backslash in a credential reaches broker_config.json unescaped (the
    # template is not visible here), which the original author chose to let
    # fail noisily rather than escape.
    for key in ['rabbitmq_username', 'rabbitmq_password']:
        # We will not escape newlines or other control characters,
        # we will accept them breaking
        # things noisily, e.g. on newlines and backspaces.
        # TODO: add:
        # sed 's/"/\\"/' | sed 's/\\/\\\\/' | sed s-/-\\/- | sed 's/\t/\\t/'
        ctx.instance.runtime_properties[key] = ctx_properties[key]

    # Make the ssl enabled flag work with json (boolean in lower case)
    # TODO: check if still needed:
    # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')"  # NOQA
    ctx.instance.runtime_properties['rabbitmq_ssl_enabled'] = \
        rabbitmq_ssl_enabled

    ctx.logger.info('Installing Management Worker...')
    utils.set_selinux_permissive()

    utils.copy_notice(MGMT_WORKER_SERVICE_NAME)
    utils.mkdir(mgmtworker_home)
    utils.mkdir('{0}/config'.format(mgmtworker_home))
    utils.mkdir(celery_log_dir)
    utils.mkdir(celery_work_dir)

    # this create the mgmtworker_venv and installs the relevant
    # modules into it.
    utils.yum_install(management_worker_rpm_source_url,
                      service_name=MGMT_WORKER_SERVICE_NAME)
    _install_optional(mgmtworker_venv)

    # Add certificate and select port, as applicable
    if rabbitmq_ssl_enabled:
        broker_cert_path = '{0}/amqp_pub.pem'.format(mgmtworker_home)
        # NOTE(review): no check that rabbitmq_cert_public is non-empty
        # here; whether the helper rejects an empty value is not visible
        # from this file.
        utils.deploy_ssl_certificate('public', broker_cert_path, 'root',
                                     rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
        # Use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_ssl
    else:
        # No SSL, don't use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl
        if rabbitmq_cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')

    ctx.logger.info("broker_port: {0}".format(
        ctx.instance.runtime_properties['broker_port']))
    ctx.logger.info('Configuring Management worker...')
    # Deploy the broker configuration
    # TODO: This will break interestingly if mgmtworker_venv is empty.
    # Some sort of check for that would be sensible.
    # To sandy: I don't quite understand this check...
    # there is no else here..
    # for python_path in ${mgmtworker_venv}/lib/python*; do
    # NOTE(review): with no else branch, a missing interpreter silently
    # skips the broker config; systemd is still configured below.
    if os.path.isfile(os.path.join(mgmtworker_venv, 'bin/python')):
        broker_conf_path = os.path.join(celery_work_dir, 'broker_config.json')
        utils.deploy_blueprint_resource(
            '{0}/broker_config.json'.format(CONFIG_PATH), broker_conf_path,
            MGMT_WORKER_SERVICE_NAME)
        # The config contains credentials, do not let the world read it
        utils.sudo(['chmod', '440', broker_conf_path])
    utils.systemd.configure(MGMT_WORKER_SERVICE_NAME)
    utils.logrotate(MGMT_WORKER_SERVICE_NAME)
def install_mgmtworker():

    management_worker_rpm_source_url = \
        ctx_properties['management_worker_rpm_source_url']

    # these must all be exported as part of the start operation.
    # they will not persist, so we should use the new agent
    # don't forget to change all localhosts to the relevant ips
    mgmtworker_home = '/opt/mgmtworker'
    mgmtworker_venv = '{0}/env'.format(mgmtworker_home)
    celery_work_dir = '{0}/work'.format(mgmtworker_home)
    celery_log_dir = "/var/log/cloudify/mgmtworker"

    broker_port_ssl = '5671'
    broker_port_no_ssl = '5672'
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    rabbitmq_ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(rabbitmq_ssl_enabled))
    rabbitmq_cert_public = rabbit_props['rabbitmq_cert_public']

    ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \
        utils.get_rabbitmq_endpoint_ip(
                rabbit_props.get('rabbitmq_endpoint_ip'))

    # Fix possible injections in json of rabbit credentials
    # See json.org for string spec
    for key in ['rabbitmq_username', 'rabbitmq_password']:
        # We will not escape newlines or other control characters,
        # we will accept them breaking
        # things noisily, e.g. on newlines and backspaces.
        # TODO: add:
        # sed 's/"/\\"/' | sed 's/\\/\\\\/' | sed s-/-\\/- | sed 's/\t/\\t/'
        ctx.instance.runtime_properties[key] = ctx_properties[key]

    # Make the ssl enabled flag work with json (boolean in lower case)
    # TODO: check if still needed:
    # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')"  # NOQA
    ctx.instance.runtime_properties['rabbitmq_ssl_enabled'] = \
        rabbitmq_ssl_enabled

    ctx.logger.info('Installing Management Worker...')
    utils.set_selinux_permissive()

    utils.copy_notice(MGMT_WORKER_SERVICE_NAME)
    utils.mkdir(mgmtworker_home)
    utils.mkdir('{0}/config'.format(mgmtworker_home))
    utils.mkdir(celery_log_dir)
    utils.mkdir(celery_work_dir)

    # this create the mgmtworker_venv and installs the relevant
    # modules into it.
    utils.yum_install(management_worker_rpm_source_url,
                      service_name=MGMT_WORKER_SERVICE_NAME)
    _install_optional(mgmtworker_venv)

    # Add certificate and select port, as applicable
    if rabbitmq_ssl_enabled:
        broker_cert_path = '{0}/amqp_pub.pem'.format(mgmtworker_home)
        utils.deploy_ssl_certificate('public', broker_cert_path, 'root',
                                     rabbitmq_cert_public)
        ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path
        # Use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_ssl
    else:
        # No SSL, don't use SSL port
        ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl
        if rabbitmq_cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')

    ctx.logger.info("broker_port: {0}".format(
        ctx.instance.runtime_properties['broker_port']))