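def _existsUserGroup(log, user, group):
    """Return True when both *user* and *group* resolve on this system.

    Each name is looked up through ``osetuputil.getUid`` /
    ``osetuputil.getGid``; a lookup that raises ``KeyError`` or
    ``IndexError`` is treated as "does not exist", a warning is logged
    and False is returned.  The user is checked first, so a missing user
    masks a missing group.  Any other exception propagates.

    Fix: the message is translated first and formatted afterwards
    (``_(...).format(...)``, as the rest of the setup code does).  The
    previous order formatted the literal before handing it to ``_``, so
    the catalog was queried with the substituted string and never
    matched.
    """
    # NOTE(review): ``warn`` is the deprecated alias of ``warning`` on a
    # stdlib Logger (removed in 3.13); kept as-is since the type of
    # ``log`` is not visible here.
    try:
        osetuputil.getUid(user)
    except (KeyError, IndexError):
        log.warn(_("User {user} does not exist.").format(user=user))
        return False

    try:
        osetuputil.getGid(group)
    except (KeyError, IndexError):
        log.warn(_("Group {group} does not exist.").format(group=group))
        return False

    return True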
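    def _misc(self):
        """Reset ownership of the engine temp and deployments trees.

        ``OVIRT_ENGINE_TMPDIR``, if present, is removed wholesale as soon
        as any entry in it is found not to be owned by the engine user;
        an absent or entirely engine-owned tmpdir is left alone.  Every
        directory and file under ``OVIRT_ENGINE_DEPLOYMENTS_DIR`` is then
        chowned to engine:engine.

        Symlinks inside the trees are never followed: the walk runs with
        ``followlinks=False``, ownership is read with ``os.lstat`` and
        changed with ``os.lchown``.  The previous ``os.stat``/``os.chown``
        pair followed links, so a link planted inside the (engine-owned,
        hence engine-writable) deployments tree would have had its target
        chowned to the engine user by this root-run step.  Only the top
        directory of the deployments walk is still chowned through
        ``os.chown``, which keeps the behaviour for a deployments
        directory that is itself a deliberate symlink.
        """
        uid = osetuputil.getUid(
            self.environment[osetupcons.SystemEnv.USER_ENGINE])
        gid = osetuputil.getGid(
            self.environment[osetupcons.SystemEnv.GROUP_ENGINE])

        tmpdir = osetupcons.FileLocations.OVIRT_ENGINE_TMPDIR
        if os.path.exists(tmpdir):
            # Remove the directory only if it contains at least one entry
            # not owned by engine.  lstat, not stat: compare the owner of
            # the entry itself, never of a link target.
            foreign = any(
                os.lstat(os.path.join(root, name)).st_uid != uid
                for root, dirs, files in os.walk(
                    top=tmpdir,
                    followlinks=False,
                )
                for name in dirs + files
            )
            if foreign:
                self.logger.debug('Cleaning {tmpdir}'.format(tmpdir=tmpdir))
                shutil.rmtree(tmpdir)

        for root, dirs, files in os.walk(
                top=osetupcons.FileLocations.OVIRT_ENGINE_DEPLOYMENTS_DIR,
                followlinks=False,
        ):
            # root is the top directory or a real directory the walk
            # reached without following links.
            os.chown(root, uid, gid)
            for name in dirs + files:
                # lchown changes the entry itself; a symlink's target is
                # left untouched.
                os.lchown(os.path.join(root, name), uid, gid)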
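 def _misc(self):
     """Archive the PKI configuration and keys before they are modified.

     Creates ``engine-pki-<timestamp>.tar.gz`` in
     ``OVIRT_ENGINE_DB_BACKUP_DIR`` through ``tempfile.mkstemp`` (unique
     name, created 0600), records its path in ``self._bkpfile``, makes it
     root-owned and 0600 (it holds the PKI keys), and packs
     ``OVIRT_ENGINE_SERVICE_CONFIG_PKI`` and the ``OVIRT_ENGINE_PKIDIR``
     tree into it, skipping whichever of the two is absent.

     Fix: the descriptor is wrapped in a file object *before* the
     ownership/mode calls, so it is closed even when ``fchown`` or
     ``fchmod`` raises; previously a failure there leaked the bare fd.
     """
     self.logger.info(_('Backing up PKI configuration and keys'))
     fd, self._bkpfile = tempfile.mkstemp(
         prefix=('engine-pki-%s' %
                 datetime.datetime.now().strftime('%Y%m%d%H%M%S')),
         suffix='.tar.gz',
         dir=self.environment[
             oenginecons.ConfigEnv.OVIRT_ENGINE_DB_BACKUP_DIR],
     )
     with os.fdopen(fd, 'wb') as fileobj:
         # Tighten owner/mode before anything is written to the archive.
         os.fchown(
             fileobj.fileno(),
             osetuputil.getUid(
                 self.environment[oengcommcons.SystemEnv.USER_ROOT]), -1)
         os.fchmod(fileobj.fileno(), 0o600)
         # fileobj is not closed, when TarFile is closed
         # cannot use with tarfile.open() <python-2.7
         tar = None
         try:
             tar = tarfile.open(mode='w:gz', fileobj=fileobj)
             for n in (
                     oenginecons.FileLocations.
                     OVIRT_ENGINE_SERVICE_CONFIG_PKI,
                     oenginecons.FileLocations.OVIRT_ENGINE_PKIDIR,
             ):
                 if os.path.exists(n):
                     tar.add(n)
         finally:
             if tar is not None:
                 tar.close()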
 def _copyiso(self):
     """Move the live media's ISO files into the ISO domain.

     Every ``*.iso`` in the (still hard-coded) live-user directory is
     moved into ``<nfs mount>/<sd uuid>/images/<ISO_DOMAIN_IMAGE_UID>``
     and then chowned to the default vdsm user / kvm group.  Only the
     ownership is set: the moved file keeps whatever mode it had in the
     source directory (the rpm-based uploader in this code base forces
     0644 -- NOTE(review): confirm that is not wanted here too).
     """
     self.logger.debug('Copying Iso Files')
     imagesDir = os.path.join(
         self.environment[
             oenginecons.ConfigEnv.ISO_DOMAIN_NFS_MOUNT_POINT
         ],
         self.environment[
             oenginecons.ConfigEnv.ISO_DOMAIN_SD_UUID
         ],
         'images',
         oenginecons.Const.ISO_DOMAIN_IMAGE_UID
     )
     self.logger.debug('target path' + imagesDir)
     # FIXME don't hardcode paths
     for isoPath in glob.glob('/home/liveuser/oVirtLiveFiles/iso/*.iso'):
         self.logger.debug(isoPath)
         shutil.move(isoPath, imagesDir)
         movedPath = os.path.join(imagesDir, os.path.basename(isoPath))
         vdsmUid = osetuputil.getUid(
             oengcommcon.Defaults.DEFAULT_SYSTEM_USER_VDSM
         )
         kvmGid = osetuputil.getGid(
             oengcommcon.Defaults.DEFAULT_SYSTEM_GROUP_KVM
         )
         os.chown(movedPath, vdsmUid, kvmGid)
    def _enrollCertificates(self, renew, uninstall_files):
        """Enroll or renew every PKCS#12 entry in ``self._PKI_ENTRIES``.

        For each entry the ``<name>.p12`` under ``OVIRT_ENGINE_PKIKEYSDIR``
        is (re)created when it does not exist, when ``renew`` is False
        (everything is enrolled afresh), or when ``renew`` is True and
        ``_ok_to_renew_cert`` approves the existing one.  The private key
        is preserved only for entries with ``keepKey`` *and* only on a
        renewal.  A newly written .p12 is chowned to the entry's user
        (group untouched) and, for ``extract`` entries, split into
        key/cert files by ``_expandPKCS12``.  Created files are recorded
        in *uninstall_files*.
        """
        for entry in self._PKI_ENTRIES:
            name = entry['name']
            self.logger.debug(
                "processing: '%s'[renew=%s]",
                name,
                renew,
            )

            pkcs12 = os.path.join(
                oenginecons.FileLocations.OVIRT_ENGINE_PKIKEYSDIR,
                '%s.p12' % name,
            )

            if not os.path.exists(pkcs12):
                self.logger.debug(
                    "'%s' does not exist, enrolling",
                    pkcs12,
                )
                enroll = True
            elif not renew:
                enroll = True
            else:
                # Existing store on a renewal run: let the cert check
                # decide, and tell the user when a renewal is due.
                enroll = self._ok_to_renew_cert(
                    pkcs12,
                    name,
                    entry['extract']
                )
                if enroll:
                    self.logger.info(
                        _('Renewing {name} certificate').format(
                            name=name,
                        )
                    )

            if not enroll:
                continue

            self._enrollCertificate(
                name,
                uninstall_files,
                keepKey=entry['keepKey'] and renew,
            )
            os.chown(
                pkcs12,
                osetuputil.getUid(self.environment[entry['user']]),
                -1,
            )
            if entry['extract']:
                self._expandPKCS12(
                    pkcs12,
                    name,
                    self.environment[entry['user']],
                    uninstall_files,
                )
    def _enrollCertificates(self, renew, uninstall_files):
        """Enroll or renew every PKI entity listed in ``PKIEnv.ENTITIES``.

        The ``<name>.p12`` under ``OVIRT_ENGINE_PKIKEYSDIR`` is created
        when missing; an existing one is touched only on a renewal run
        (``renew`` True) and only if ``_ok_to_renew_cert`` approves it.
        ``keepKey`` is honoured on renewals alone, and ``shortLife`` is
        passed straight through to ``_enrollCertificate``.  A written
        .p12 is chowned to the entry's user (group untouched) and, for
        ``extract`` entries, expanded into key/cert files.  Created files
        are recorded in *uninstall_files*.
        """
        for entry in self.environment[oenginecons.PKIEnv.ENTITIES]:
            name = entry['name']
            self.logger.debug(
                "processing: '%s'[renew=%s]",
                name,
                renew,
            )

            pkcs12 = os.path.join(
                oenginecons.FileLocations.OVIRT_ENGINE_PKIKEYSDIR,
                '%s.p12' % name,
            )

            if not os.path.exists(pkcs12):
                self.logger.debug(
                    "'%s' does not exist, enrolling",
                    pkcs12,
                )
                enroll = True
            elif not renew:
                # Existing store, not a renewal run: leave it alone.
                enroll = False
            else:
                enroll = self._ok_to_renew_cert(
                    pkcs12,
                    name,
                    entry['extract']
                )
                if enroll:
                    self.logger.info(
                        _('Renewing {name} certificate').format(
                            name=name,
                        )
                    )

            if not enroll:
                continue

            self._enrollCertificate(
                name,
                uninstall_files,
                keepKey=entry['keepKey'] and renew,
                shortLife=entry['shortLife'],
            )
            os.chown(
                pkcs12,
                osetuputil.getUid(self.environment[entry['user']]),
                -1,
            )
            if entry['extract']:
                self._expandPKCS12(
                    pkcs12,
                    name,
                    self.environment[entry['user']],
                    uninstall_files,
                )
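    def _misc(self):
        """
        Load files (iso, vfd) from existing rpms to the NFS ISO domain
        TODO: use engine-iso-uploader when it will support local destinations

        Each path in ``ISO_PATHS_TO_UPLOAD`` that exists is copied into
        ``ISO_DOMAIN_STORAGE_DIR`` under its basename, made 0644 and
        chowned vdsm:kvm; an existing target of the same name is first
        renamed aside with a timestamp suffix instead of being
        overwritten.  Copied targets are registered in the 'iso_images'
        uninstall group.  A failure on one file is logged as a warning
        and the remaining files are still processed.

        Fix: the warning's format string now references ``{filename}``;
        it previously ignored the ``filename`` argument, so the message
        never named the file that failed.
        """
        uninstall_files = []
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS].createGroup(
                group='iso_images',
                description='Uploaded ISO images',
                optional=True).addFiles(
                    group='iso_images',
                    fileList=uninstall_files,
                )

        targetDir = self.environment[
            oenginecons.ConfigEnv.ISO_DOMAIN_STORAGE_DIR]

        # Iterate the list and copy all the files.
        for filename in self.environment[
                osetupcons.ConfigEnv.ISO_PATHS_TO_UPLOAD]:
            if not os.path.exists(filename):
                continue
            try:
                targetFile = os.path.join(targetDir,
                                          os.path.basename(filename))
                if os.path.exists(targetFile):
                    # Keep the previous copy under a timestamped name.
                    shutil.move(
                        targetFile, '%s.%s' %
                        (targetFile,
                         datetime.datetime.now().strftime('%Y%m%d%H%M%S')))
                shutil.copyfile(filename, targetFile)
                uninstall_files.append(targetFile)
                os.chmod(targetFile, 0o644)
                os.chown(
                    targetFile,
                    osetuputil.getUid(self.environment[
                        oengcommcons.SystemEnv.USER_VDSM]),
                    osetuputil.getGid(self.environment[
                        oengcommcons.SystemEnv.GROUP_KVM]))
            except (OSError, shutil.Error) as e:
                self.logger.warning(
                    _("Cannot copy '{filename}' to iso domain "
                      "'{directory}', error: {error}").format(
                          filename=filename,
                          directory=targetDir,
                          error=e,
                      ))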
 def _closeupEngineAccess(self):
     """Install the DWH database config on the engine host.

     Reads the example file
     ``OVIRT_ENGINE_ENGINE_SERVICE_CONFIG_DWH_DATABASE_EXAMPLE`` and
     hands its content to ``self._remote_engine.copy_to_engine`` as
     ``OVIRT_ENGINE_ENGINE_SERVICE_CONFIG_DWH_DATABASE``, owned by the
     engine user/group with mode 0600 (NOTE(review): presumably because
     it carries database connection settings -- not visible here).
     Marks ``self._configured_now`` and asks the user to restart the
     engine service, which the dashboard needs.
     """
     # Doing this at closeup and not misc, because if using
     # remote_engine style manual_files, we prompt the user,
     # which might take a long time (until the user notices
     # and handles), and we'd rather not block the transaction
     # waiting. Downside is that if we fail during closeup
     # but before this event, it will not run, also on next
     # attempt.
     with open(
         odwhcons.FileLocations.
         OVIRT_ENGINE_ENGINE_SERVICE_CONFIG_DWH_DATABASE_EXAMPLE
     ) as f:
         content = f.read()
     engineUid = osetuputil.getUid(
         self.environment[osetupcons.SystemEnv.USER_ENGINE]
     )
     engineGid = osetuputil.getGid(
         self.environment[osetupcons.SystemEnv.GROUP_ENGINE]
     )
     self._remote_engine.copy_to_engine(
         file_name=(
             odwhcons.FileLocations.
             OVIRT_ENGINE_ENGINE_SERVICE_CONFIG_DWH_DATABASE
         ),
         content=content,
         uid=engineUid,
         gid=engineGid,
         mode=0o600,
     )
     self._configured_now = True
     restartNote = _(
         'Please restart the engine by running the following '
         'on {fqdn} :\n'
         '# service {service} restart\n'
         'This is required for the dashboard to work.'
     ).format(
         fqdn=self.environment[
             oenginecons.ConfigEnv.ENGINE_FQDN
         ],
         service=oenginecons.Const.ENGINE_SERVICE_NAME,
     )
     self.dialog.note(text=restartNote)
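 def _misc(self):
     """Archive the PKI configuration and keys before they are modified.

     A ``engine-pki-<timestamp>.tar.gz`` is created in
     ``OVIRT_ENGINE_DB_BACKUP_DIR`` with ``tempfile.mkstemp`` (unique
     name, born 0600), its path is kept in ``self._bkpfile``, it is made
     root-owned 0600 (it holds the PKI keys), and
     ``OVIRT_ENGINE_SERVICE_CONFIG_PKI`` plus the whole
     ``OVIRT_ENGINE_PKIDIR`` tree are packed into it; a missing source is
     simply skipped.

     Fix: the descriptor is wrapped in a file object before ``fchown`` /
     ``fchmod`` run, so it is closed even if one of them raises;
     previously such a failure leaked the bare fd.
     """
     self.logger.info(
         _('Backing up PKI configuration and keys')
     )
     fd, self._bkpfile = tempfile.mkstemp(
         prefix=(
             'engine-pki-%s' %
             datetime.datetime.now().strftime('%Y%m%d%H%M%S')
         ),
         suffix='.tar.gz',
         dir=self.environment[
             oenginecons.ConfigEnv.OVIRT_ENGINE_DB_BACKUP_DIR
         ],
     )
     with os.fdopen(fd, 'wb') as fileobj:
         # Tighten owner/mode before anything is written.
         os.fchown(
             fileobj.fileno(),
             osetuputil.getUid(
                 self.environment[oengcommcons.SystemEnv.USER_ROOT]
             ),
             -1
         )
         os.fchmod(fileobj.fileno(), 0o600)
         # fileobj is not closed, when TarFile is closed
         # cannot use with tarfile.open() <python-2.7
         tar = None
         try:
             tar = tarfile.open(
                 mode='w:gz',
                 fileobj=fileobj
             )
             for n in (
                 oenginecons.FileLocations.OVIRT_ENGINE_SERVICE_CONFIG_PKI,
                 oenginecons.FileLocations.OVIRT_ENGINE_PKIDIR,
             ):
                 if os.path.exists(n):
                     tar.add(n)
         finally:
             if tar is not None:
                 tar.close()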
 def _misc(self):
     """Derive the engine SSH private key from the engine PKCS#12 store.

     Runs ``OVIRT_ENGINE_PKI_PKCS12_EXTRACT`` for the 'engine' entry with
     the key sent to stdout, and queues a FileTransaction that writes it
     to ``OVIRT_ENGINE_PKI_ENGINE_SSH_KEY`` as a 0600 file owned by the
     engine user.  If that file already exists it is chowned to
     engine:engine right away, outside the transaction: older versions
     created it root:root and the transaction leaves ownership alone when
     the content is unchanged.  Finally ``PKIEnv.ENGINE_SSH_PUBLIC_KEY``
     is filled from the engine public key.

     NOTE(review): the store password travels on the child's command
     line (``--passin=<value>``), where other local users can read it
     from the process list while the extract tool runs;
     ``logStreams=False`` only keeps it and the key out of the setup
     log.  Whether the tool can take the password from stdin or the
     environment instead is not visible from here.
     """
     extractCmd = (
         oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
         '--name=engine',
         '--passin=%s' % self.environment[oenginecons.PKIEnv.STORE_PASS],
         '--key=-',
     )
     # stdout is the private key: never log the streams.
     rc, privkey, stderr = self.execute(extractCmd, logStreams=False)

     keyPath = oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_SSH_KEY
     engineUser = self.environment[osetupcons.SystemEnv.USER_ENGINE]
     self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
         filetransaction.FileTransaction(
             name=keyPath,
             content=privkey,
             mode=0o600,
             owner=engineUser,
             enforcePermissions=True,
             modifiedList=self.environment[
                 otopicons.CoreEnv.MODIFIED_FILES],
         ))
     if os.path.exists(keyPath):
         # Previous versions created it as root:root 0600.
         # We now want to use it also from the engine (for ansible).
         # The filetransaction above will not change ownership
         # if content is not changed, so do it here, outside any
         # transaction.
         os.chown(
             keyPath,
             osetuputil.getUid(engineUser),
             osetuputil.getGid(
                 self.environment[osetupcons.SystemEnv.GROUP_ENGINE]),
         )
     self.environment[oenginecons.PKIEnv.ENGINE_SSH_PUBLIC_KEY] = (
         self._getSSHPublicKey(self._getEnginePublicKey())
     )
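    def _misc(self):
        """Reset ownership of the engine temp and deployments trees.

        ``OVIRT_ENGINE_TMPDIR`` is removed wholesale when it exists and
        holds at least one entry not owned by the engine user; otherwise
        it is left alone.  Afterwards every directory and file under
        ``OVIRT_ENGINE_DEPLOYMENTS_DIR`` is chowned to engine:engine.

        Symlinks inside the trees are never followed: the walk uses
        ``followlinks=False``, ownership is read with ``os.lstat`` and
        changed with ``os.lchown``.  The former ``os.stat``/``os.chown``
        calls did follow links, so a link planted inside the
        engine-owned (hence engine-writable) deployments tree would have
        had its target chowned to the engine user by this root-run step.
        Only the top directory of the deployments walk keeps ``os.chown``
        so that a deployments directory that is itself a deliberate
        symlink behaves as before.
        """
        uid = osetuputil.getUid(
            self.environment[osetupcons.SystemEnv.USER_ENGINE]
        )
        gid = osetuputil.getGid(
            self.environment[osetupcons.SystemEnv.GROUP_ENGINE]
        )

        tmpdir = osetupcons.FileLocations.OVIRT_ENGINE_TMPDIR
        if os.path.exists(tmpdir):
            # Clean the directory only if it contains at least one entry
            # not owned by engine; lstat so the owner of the entry itself
            # is compared, never that of a link target.
            hasForeignEntry = False
            for root, dirs, files in os.walk(
                top=tmpdir,
                followlinks=False,
            ):
                if any(
                    os.lstat(os.path.join(root, name)).st_uid != uid
                    for name in dirs + files
                ):
                    hasForeignEntry = True
                    break
            if hasForeignEntry:
                self.logger.debug(
                    'Cleaning {tmpdir}'.format(
                        tmpdir=tmpdir,
                    )
                )
                shutil.rmtree(tmpdir)

        for root, dirs, files in os.walk(
            top=osetupcons.FileLocations.OVIRT_ENGINE_DEPLOYMENTS_DIR,
            followlinks=False,
        ):
            # root is the top directory or a real directory reached
            # without following links.
            os.chown(root, uid, gid)
            for name in dirs + files:
                # lchown: the entry itself, never a symlink's target.
                os.lchown(os.path.join(root, name), uid, gid)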
    def _artifacts(self):
        """Post-deploy cleanup of the Jasper reports WAR directory.

        Deletes the PostgreSQL driver jars found under ``WEB-INF/lib``,
        then restricts the two configuration files that contain the
        database password -- ``WEB-INF/js-jboss7-ds.xml`` and
        ``META-INF/context.xml`` -- to the engine user and group with
        mode 0600.
        """
        warDir = oreportscons.FileLocations.OVIRT_ENGINE_REPORTS_JASPER_WAR

        #
        # Remove embedded psql resources
        #
        driverJars = os.path.join(
            warDir,
            'WEB-INF',
            'lib',
            'postgresql-*.jar',
        )
        for jar in glob.glob(driverJars):
            os.unlink(jar)

        #
        # Files contain password
        #
        engineUid = osetuputil.getUid(
            self.environment[osetupcons.SystemEnv.USER_ENGINE]
        )
        engineGid = osetuputil.getGid(
            self.environment[osetupcons.SystemEnv.GROUP_ENGINE],
        )
        for relPath in (
            'WEB-INF/js-jboss7-ds.xml',
            'META-INF/context.xml',
        ):
            secretFile = os.path.join(warDir, relPath)
            # Owner-only access for the engine service account.
            os.chown(secretFile, engineUid, engineGid)
            os.chmod(secretFile, 0o600)
    def _prepare_new_domain(self, path):
        """Queue the on-disk layout of a fresh ISO storage domain at *path*.

        If *path* already exists it is chowned vdsm:kvm and chmodded 0755
        right away (that part is not transactional).  A new domain uuid
        is generated and the domain tree is queued on the main
        transaction as FileTransactions, all vdsm:kvm with 0755
        directories:

        * ``<uuid>/images/<ISO_DOMAIN_IMAGE_UID>/.keep`` -- empty, 0644
        * ``<uuid>/dom_md/{ids,inbox,outbox}`` -- empty, 0660
        * ``<uuid>/dom_md/leases`` -- 512 zero bytes, 0660
        * ``<uuid>/dom_md/metadata`` -- ``_generate_md_content``, 0644

        Every queued file is recorded in the 'iso_domain' uninstall
        group.  Returns the new domain uuid as a string.
        """
        uninstall_files = []
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].createGroup(
            group='iso_domain',
            description='ISO domain layout',
            optional=True
        ).addFiles(
            group='iso_domain',
            fileList=uninstall_files,
        )

        if os.path.exists(path):
            self.logger.debug(
                'Enforcing ownership and access bits on {path}'.format(
                    path=path,
                )
            )
            # NOTE(review): os.chown follows a symlink at *path*;
            # presumably the path comes from setup configuration -- verify.
            os.chown(
                path,
                osetuputil.getUid(
                    self.environment[osetupcons.SystemEnv.USER_VDSM]
                ),
                osetuputil.getGid(
                    self.environment[osetupcons.SystemEnv.GROUP_KVM]
                )
            )
            os.chmod(path, 0o755)

        self.logger.debug('Generating a new uuid for ISO domain')
        sdUUID = str(uuid.uuid4())
        description = self.environment[
            osetupcons.ConfigEnv.ISO_DOMAIN_NAME
        ]
        self.logger.debug(
            'Creating ISO domain for {path}. uuid: {uuid}'.format(
                path=path,
                uuid=sdUUID
            )
        )

        vdsmUser = self.environment[osetupcons.SystemEnv.USER_VDSM]
        kvmGroup = self.environment[osetupcons.SystemEnv.GROUP_KVM]
        mainTransaction = self.environment[
            otopicons.CoreEnv.MAIN_TRANSACTION
        ]

        def queue(name, content, mode, **extra):
            # All files of the layout share owner/group and 0755 dirs.
            mainTransaction.append(
                filetransaction.FileTransaction(
                    name=name,
                    content=content,
                    mode=mode,
                    dmode=0o755,
                    owner=vdsmUser,
                    group=kvmGroup,
                    downer=vdsmUser,
                    dgroup=kvmGroup,
                    modifiedList=uninstall_files,
                    **extra
                )
            )

        basePath = os.path.join(path, sdUUID)
        domMdDir = os.path.join(basePath, 'dom_md')

        # Create images directory tree
        queue(
            os.path.join(
                basePath,
                'images',
                osetupcons.Const.ISO_DOMAIN_IMAGE_UID,
                '.keep',
            ),
            [],
            0o644,
        )
        # Create dom_md directory tree
        for name in ('ids', 'inbox', 'outbox'):
            queue(os.path.join(domMdDir, name), [], 0o660)
        queue(
            os.path.join(domMdDir, 'leases'),
            b'\x00' * 512,
            0o660,
            binary=True,
        )
        queue(
            os.path.join(domMdDir, 'metadata'),
            self._generate_md_content(sdUUID, description),
            0o644,
        )

        return sdUUID
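    def _misc(self):
        """
        Load files (iso, vfd) from existing rpms to the NFS ISO domain
        TODO: use engine-iso-uploader when it will support local destinations

        Each existing path in ``ISO_PATHS_TO_UPLOAD`` is copied into
        ``ISO_DOMAIN_STORAGE_DIR`` under its basename, made 0644 and
        chowned vdsm:kvm.  A target of the same name that already exists
        is renamed aside with a timestamp suffix rather than overwritten.
        Copied targets are recorded in the 'iso_images' uninstall group.
        A failure on one file is logged as a warning and the loop goes on
        with the next file.

        Fix: the warning's format string now uses ``{filename}``; it
        previously dropped the ``filename`` argument, so the message
        never said which file could not be copied.
        """
        uninstall_files = []
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].createGroup(
            group='iso_images',
            description='Uploaded ISO images',
            optional=True
        ).addFiles(
            group='iso_images',
            fileList=uninstall_files,
        )

        targetDir = self.environment[
            oenginecons.ConfigEnv.ISO_DOMAIN_STORAGE_DIR
        ]

        # Iterate the list and copy all the files.
        for filename in self.environment[
            osetupcons.ConfigEnv.ISO_PATHS_TO_UPLOAD
        ]:
            if not os.path.exists(filename):
                continue
            try:
                targetFile = os.path.join(
                    targetDir,
                    os.path.basename(filename)
                )
                if os.path.exists(targetFile):
                    # Preserve the previous copy under a timestamped name.
                    shutil.move(
                        targetFile,
                        '%s.%s' % (
                            targetFile,
                            datetime.datetime.now().strftime(
                                '%Y%m%d%H%M%S'
                            )
                        )
                    )
                shutil.copyfile(filename, targetFile)
                uninstall_files.append(targetFile)
                os.chmod(targetFile, 0o644)
                os.chown(
                    targetFile,
                    osetuputil.getUid(
                        self.environment[oengcommcons.SystemEnv.USER_VDSM]
                    ),
                    osetuputil.getGid(
                        self.environment[oengcommcons.SystemEnv.GROUP_KVM]
                    )
                )
            except (OSError, shutil.Error) as e:
                self.logger.warning(
                    _(
                        "Cannot copy '{filename}' to iso domain "
                        "'{directory}', error: {error}"
                    ).format(
                        filename=filename,
                        directory=targetDir,
                        error=e,
                    )
                )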
 def __init__(self, user):
     """Resolve *user* to its numeric uid once, at construction time.

     Whatever ``osetuputil.getUid`` raises for an unknown name propagates
     from here, so a bad user fails early instead of at first use of
     ``self._user``.
     """
     uid = osetuputil.getUid(user)
     self._user = uid
    def _prepare_new_domain(self, path):
        """Queue the on-disk layout of a new ISO storage domain at *path*.

        An existing *path* is chowned vdsm:kvm and chmodded 0755
        immediately (not through the transaction).  A fresh domain uuid
        is generated and the domain tree is appended to the main
        transaction as FileTransactions, all vdsm:kvm with 0755
        directories: ``images/<ISO_DOMAIN_IMAGE_UID>/.keep`` (empty,
        0644), ``dom_md/ids``, ``dom_md/inbox``, ``dom_md/outbox`` (empty,
        0660), ``dom_md/leases`` (512 zero bytes, 0660) and
        ``dom_md/metadata`` (``_generate_md_content``, 0644).  Queued
        files are recorded in the 'iso_domain' uninstall group.

        Returns the new domain uuid as a string.
        """
        uninstall_files = []
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS].createGroup(
                group='iso_domain',
                description='ISO domain layout',
                optional=True).addFiles(
                    group='iso_domain',
                    fileList=uninstall_files,
                )
        if os.path.exists(path):
            self.logger.debug(
                'Enforcing ownership and access bits on {path}'.format(
                    path=path, ))
            # NOTE(review): os.chown follows a symlink at *path*;
            # presumably the path is setup configuration -- verify.
            os.chown(
                path,
                osetuputil.getUid(
                    self.environment[oengcommcons.SystemEnv.USER_VDSM]),
                osetuputil.getGid(
                    self.environment[oengcommcons.SystemEnv.GROUP_KVM]))
            os.chmod(path, 0o755)

        self.logger.debug('Generating a new uuid for ISO domain')
        sdUUID = str(uuid.uuid4())
        description = self.environment[oenginecons.ConfigEnv.ISO_DOMAIN_NAME]
        self.logger.debug(
            'Creating ISO domain for {path}. uuid: {uuid}'.format(path=path,
                                                                  uuid=sdUUID))

        # Ownership/dir-mode settings shared by every file of the layout.
        shared = dict(
            dmode=0o755,
            owner=self.environment[oengcommcons.SystemEnv.USER_VDSM],
            group=self.environment[oengcommcons.SystemEnv.GROUP_KVM],
            downer=self.environment[oengcommcons.SystemEnv.USER_VDSM],
            dgroup=self.environment[oengcommcons.SystemEnv.GROUP_KVM],
            modifiedList=uninstall_files,
        )
        mainTransaction = self.environment[otopicons.CoreEnv.MAIN_TRANSACTION]
        basePath = os.path.join(path, sdUUID)
        domMdDir = os.path.join(basePath, 'dom_md')

        # Create images directory tree
        mainTransaction.append(
            filetransaction.FileTransaction(
                name=os.path.join(
                    basePath,
                    'images',
                    oenginecons.Const.ISO_DOMAIN_IMAGE_UID,
                    '.keep',
                ),
                content=[],
                mode=0o644,
                **shared
            ))
        # Create dom_md directory tree
        for name in ('ids', 'inbox', 'outbox'):
            mainTransaction.append(
                filetransaction.FileTransaction(
                    name=os.path.join(domMdDir, name),
                    content=[],
                    mode=0o660,
                    **shared
                ))
        mainTransaction.append(
            filetransaction.FileTransaction(
                name=os.path.join(domMdDir, 'leases'),
                content=b'\x00' * 512,
                binary=True,
                mode=0o660,
                **shared
            ))
        mainTransaction.append(
            filetransaction.FileTransaction(
                name=os.path.join(domMdDir, 'metadata'),
                mode=0o644,
                content=self._generate_md_content(sdUUID, description),
                **shared
            ))

        return sdUUID
    def _enrollCertificates(self, renew, uninstall_files):
        """Enroll or renew the fixed set of engine-side PKCS#12 entries.

        For engine, jboss, websocket-proxy, apache and reports the
        ``<name>.p12`` under ``OVIRT_ENGINE_PKIKEYSDIR`` is (re)created
        when:

        * it does not exist, or
        * ``renew`` is False (everything is enrolled afresh), or
        * ``renew`` is True and the stored certificate is expired; for
          ``extract`` entries only when, in addition, its signature
          verifies against the engine CA public key and it is identical
          to ``<name>.cer`` in ``OVIRT_ENGINE_PKICERTSDIR`` -- i.e. it is
          an internal certificate the user did not replace by hand.

        The private key is kept only when the entry allows it *and* this
        is a renewal.  A written .p12 is chowned to the entry's user
        (group untouched) and, for ``extract`` entries, split into
        key/cert files by ``_expandPKCS12``.  Created files are recorded
        in *uninstall_files*.
        """

        def _isUntouchedInternalCert(x509, name):
            """True when x509 is CA-signed and equals the on-disk .cer."""
            caPubKey = X509.load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
            ).get_pubkey()
            if not x509.verify(caPubKey):
                return False
            self.logger.debug('certificate is an internal certificate')

            # sanity check, make sure user did not manually change cert
            onDisk = X509.load_cert(
                os.path.join(
                    oenginecons.FileLocations.OVIRT_ENGINE_PKICERTSDIR,
                    '%s.cer' % name,
                )
            )
            if onDisk.as_pem() != x509.as_pem():
                return False
            self.logger.debug('certificate is sane')
            return True

        entries = (
            {
                'name': 'engine',
                'extract': False,
                'user': osetupcons.SystemEnv.USER_ENGINE,
                'keepKey': True,
            },
            {
                'name': 'jboss',
                'extract': False,
                'user': osetupcons.SystemEnv.USER_ENGINE,
                'keepKey': False,
            },
            {
                'name': 'websocket-proxy',
                'extract': True,
                'user': osetupcons.SystemEnv.USER_ENGINE,
                'keepKey': False,
            },
            {
                'name': 'apache',
                'extract': True,
                'user': oengcommcons.SystemEnv.USER_ROOT,
                'keepKey': False,
            },
            {
                'name': 'reports',
                'extract': True,
                'user': oengcommcons.SystemEnv.USER_ROOT,
                'keepKey': False,
            },
        )

        for entry in entries:
            name = entry['name']
            self.logger.debug(
                "processing: '%s'[renew=%s]",
                name,
                renew,
            )

            pkcs12 = os.path.join(
                oenginecons.FileLocations.OVIRT_ENGINE_PKIKEYSDIR,
                '%s.p12' % name,
            )

            if not os.path.exists(pkcs12):
                self.logger.debug(
                    "'%s' does not exist, enrolling",
                    pkcs12,
                )
                enroll = True
            elif not renew:
                enroll = True
            else:
                # Renewal of an existing store: only expired certs are
                # touched, and extracted ones only if still internal.
                enroll = False
                x509 = self._extractPKCS12Certificate(pkcs12)
                if self._expired(x509):
                    if entry['extract']:
                        enroll = _isUntouchedInternalCert(x509, name)
                    else:
                        enroll = True
                if enroll:
                    self.logger.info(
                        _('Renewing {name} certificate').format(
                            name=name,
                        )
                    )

            if not enroll:
                continue

            self._enrollCertificate(
                name,
                uninstall_files,
                keepKey=entry['keepKey'] and renew,
            )
            os.chown(
                pkcs12,
                osetuputil.getUid(self.environment[entry['user']]),
                -1,
            )
            if entry['extract']:
                self._expandPKCS12(
                    pkcs12,
                    name,
                    self.environment[entry['user']],
                    uninstall_files,
                )
 def __init__(self, user):
     """Store the numeric uid of *user* in ``self._user``.

     The name is resolved via ``osetuputil.getUid`` at construction, so
     an unknown user raises here (the lookup is not guarded) rather than
     later.
     """
     self._user = osetuputil.getUid(
         user,
     )
    def _misc(self) -> None:
        """Create the engine CA and the first service certificates.

        The work is a fixed sequence of calls to the legacy CA helper
        scripts: render the CA/cert config templates, create the CA, enroll
        the 'engine', 'apache' and 'jboss' certificates, extract the apache
        private key from its PKCS#12 store, link the apache CA cert to the
        engine CA cert and hand the engine/jboss stores to the engine user.
        Every file produced is recorded in ``uninstall_files`` so that the
        CATransaction registered below can remove it on failure -- the
        method itself is not transactional (see the TODO).

        Reads from self.environment: PKIEnv.COUNTRY / ORG / STORE_PASS,
        ConfigEnv.FQDN / PUBLIC_HTTP_PORT / JAVA_HOME, SystemEnv.USER_ENGINE.
        Errors from the helper scripts surface through ``self.execute``
        (that wrapper is defined outside this file); os.symlink / os.chown
        raise OSError on failure.
        """
        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files: list[str] = []
        # The (still empty) list is handed over by reference; everything
        # appended to it later in this method is what the transaction will
        # delete on rollback.  This relies on CATransaction keeping the same
        # list object rather than copying it -- presumably it does.
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            self.CATransaction(
                parent=self,
                uninstall_files=uninstall_files,
            )
        )

        # Register the same list with the 'ca_pki' uninstall group so that a
        # later uninstall knows which PKI files were ours.  As above, the list
        # is passed before it is populated, so addFiles must keep a reference
        # to it (not a copy) for this to work -- confirm in the group helper.
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].createGroup(
            group='ca_pki',
            description='PKI keys',
            optional=True,
        ).addFiles(
            group='ca_pki',
            fileList=uninstall_files,
        )
        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        # (55 chars of FQDN + '.' + a 5-digit suffix = at most 61 chars.)
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        # Render the *.in templates next to themselves (suffix stripped) with
        # the AIA URL of this engine filled in.  The files are written through
        # a local transaction and recorded in uninstall_files via modifiedList.
        # Plain http:// is the usual scheme for an AIA caIssuers pointer; the
        # fetched CA cert is validated through the chain, not the transport.
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=name[:-len('.in')],
                        content=outil.processTemplate(
                            name,
                            {
                                '@AIA@': 'http://%s:%s%s' % (
                                    self.environment[
                                        osetupcons.ConfigEnv.FQDN
                                    ],
                                    self.environment[
                                        osetupcons.ConfigEnv.PUBLIC_HTTP_PORT
                                    ],
                                    osetupcons.Const.ENGINE_PKI_CA_URI,
                                )
                            }
                        ),
                        modifiedList=uninstall_files,
                    ),
                )

        # NOTE(review): STORE_PASS is passed in argv (--keystore-password=)
        # here and in the enroll/extract calls below, so it is readable by
        # any local user via ps / /proc/<pid>/cmdline while the helper runs.
        # Whether execute() also scrubs it from the setup log is not visible
        # in this file -- confirm in the executor / log filter.
        # Each subject component goes through _subjectComponentEscape
        # (defined elsewhere), presumably so that '/' or '=' in the
        # user-supplied country/org/FQDN cannot inject extra subject fields;
        # verify that helper if these values can come from an answer file.
        # The random 5-digit suffix only makes the CA CN unique across
        # re-installs; it is not a secret, so random.randint is adequate.
        self.execute(
            args=(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=/C=%s/O=%s/CN=%s.%s' % (
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[
                            osetupcons.ConfigEnv.FQDN
                        ][:MAX_HOST_FQDN_LEN],
                    ),
                    random.randint(10000, 99999),
                ),
                '--keystore-password=%s' % (
                    self.environment[osetupcons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    osetupcons.ConfigEnv.JAVA_HOME
                ],
            },
        )

        # Enroll one certificate per service, all with the full (untruncated)
        # FQDN as CN and all protected by the same STORE_PASS -- one secret
        # guards the CA keystore and every service store.
        for name in ('engine', 'apache', 'jboss'):
            self.execute(
                (
                    osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                    '--name=%s' % name,
                    '--password=%s' % (
                        self.environment[osetupcons.PKIEnv.STORE_PASS],
                    ),
                    '--subject=/C=%s/O=%s/CN=%s' % (
                        self._subjectComponentEscape(
                            self.environment[osetupcons.PKIEnv.COUNTRY],
                        ),
                        self._subjectComponentEscape(
                            self.environment[osetupcons.PKIEnv.ORG],
                        ),
                        self._subjectComponentEscape(
                            self.environment[osetupcons.ConfigEnv.FQDN],
                        ),
                    ),
                ),
            )

        # Everything the two helpers above produced (CA key/cert, stores,
        # service certs, generated config) is ours to remove on rollback.
        uninstall_files.extend(
            (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
            )
        )

        # Pull the apache private key out of its PKCS#12 store into a plain
        # key file.  logStreams=False presumably keeps the helper's
        # stdout/stderr (which may echo key material) out of the setup log;
        # the store password is still on the command line, see above.  The
        # key file's mode/owner are whatever the helper sets -- not tightened
        # here, confirm they are root-only.
        self.execute(
            args=(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=apache',
                '--passin=%s' % (
                    self.environment[osetupcons.PKIEnv.STORE_PASS],
                ),
                '--key=%s' % (
                    osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
                ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
        )

        # Point apache's CA cert at the engine CA cert unless something is
        # already there (an admin-supplied cert is left alone).
        # NOTE(review): os.path.exists follows symlinks, so a *dangling*
        # apache CA link reports False and os.symlink then raises
        # FileExistsError (EEXIST); os.path.lexists would catch that case.
        if not os.path.exists(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        ):
            os.symlink(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )
            uninstall_files.append(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )

        # Hand the engine and jboss keystores to the engine user (gid -1
        # leaves the group untouched), presumably so the non-root engine
        # service can read them.  The apache key/store are not re-owned
        # here.  Mode bits are left as created.
        for f in (
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
        ):
            os.chown(
                f,
                osetuputil.getUid(
                    self.environment[osetupcons.SystemEnv.USER_ENGINE]
                ),
                -1,
            )
    def _misc(self) -> None:
        """Create the engine CA and the initial service certificates.

        Same fixed sequence of legacy CA helper calls as the older variant:
        render the CA/cert config templates, create the CA, enroll the
        'engine', 'apache', 'jboss', 'websocket-proxy' and 'reports'
        certificates, extract the websocket-proxy, reports and apache
        private keys from their PKCS#12 stores, link the apache CA cert to
        the engine CA cert, and hand the engine/jboss stores plus the
        websocket-proxy key/store to the engine user.  Every file produced
        is recorded in ``uninstall_files`` so the CATransaction registered
        below can remove it on failure -- the method itself is not
        transactional (see the TODO).  Marks the plugin enabled first.

        Reads from self.environment: PKIEnv.COUNTRY / ORG / STORE_PASS
        (oenginecons), ConfigEnv.FQDN (osetupcons), ConfigEnv.PUBLIC_HTTP_PORT
        / JAVA_HOME (oengcommcons), SystemEnv.USER_ENGINE.  Errors from the
        helper scripts surface through ``self.execute`` (defined outside this
        file); os.symlink / os.chown raise OSError on failure.
        """
        self._enabled = True

        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files: list[str] = []
        # _setupUninstall (defined elsewhere) presumably registers the list
        # with the uninstall bookkeeping, like the explicit createGroup /
        # addFiles call in the older variant.  Both it and CATransaction
        # receive the list while it is still empty, so they must keep a
        # reference to this object (not a copy) for later appends to count.
        self._setupUninstall(uninstall_files)
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            self.CATransaction(
                parent=self,
                uninstall_files=uninstall_files,
            ))

        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        # (55 chars of FQDN + '.' + a 5-digit suffix = at most 61 chars.)
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        # Render the *.in templates next to themselves (suffix stripped) with
        # this engine's AIA URL filled in; written through a local
        # transaction and recorded in uninstall_files via modifiedList.
        # Plain http:// is the usual scheme for an AIA caIssuers pointer; the
        # fetched CA cert is validated through the chain, not the transport.
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=name[:-len('.in')],
                        content=outil.processTemplate(
                            name, {
                                '@AIA@':
                                'http://%s:%s%s' % (
                                    self.environment[
                                        osetupcons.ConfigEnv.FQDN],
                                    self.environment[oengcommcons.ConfigEnv.
                                                     PUBLIC_HTTP_PORT],
                                    oenginecons.Const.ENGINE_PKI_CA_URI,
                                )
                            }),
                        modifiedList=uninstall_files,
                    ), )

        # NOTE(review): STORE_PASS is passed in argv (--keystore-password=)
        # here and in the enroll/extract calls below, so it is readable by
        # any local user via ps / /proc/<pid>/cmdline while the helper runs.
        # Whether execute() also scrubs it from the setup log is not visible
        # in this file -- confirm in the executor / log filter.
        # Each subject component goes through _subjectComponentEscape
        # (defined elsewhere), presumably so that '/' or '=' in the
        # user-supplied country/org/FQDN cannot inject extra subject fields;
        # verify that helper if these values can come from an answer file.
        # The random 5-digit suffix only makes the CA CN unique across
        # re-installs; it is not a secret, so random.randint is adequate.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=/C=%s/O=%s/CN=%s.%s' % (
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.COUNTRY], ),
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.ORG], ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.ConfigEnv.FQDN]
                        [:MAX_HOST_FQDN_LEN], ),
                    random.randint(10000, 99999),
                ),
                '--keystore-password=%s' %
                (self.environment[oenginecons.PKIEnv.STORE_PASS], ),
            ),
            envAppend={
                'JAVA_HOME':
                self.environment[oengcommcons.ConfigEnv.JAVA_HOME],
            },
        )

        # Enroll one certificate per service, all with the full (untruncated)
        # FQDN as CN and all protected by the same STORE_PASS -- one secret
        # guards the CA keystore and every service store.
        for name in ('engine', 'apache', 'jboss', 'websocket-proxy',
                     'reports'):
            self.execute((
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                '--name=%s' % name,
                '--password=%s' %
                (self.environment[oenginecons.PKIEnv.STORE_PASS], ),
                '--subject=/C=%s/O=%s/CN=%s' % (
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.COUNTRY], ),
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.ORG], ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.ConfigEnv.FQDN], ),
                ),
            ), )

        # Everything the two helpers above produced (CA key/cert, stores,
        # service certs, generated config) is ours to remove on rollback.
        uninstall_files.extend((
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
            (oenginecons.FileLocations.
             OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_CERT),
            (oenginecons.FileLocations.
             OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE),
        ))

        # Extract plain private key files from the PKCS#12 stores of the
        # three services that need one.  logStreams=False presumably keeps
        # each helper's stdout/stderr (which may echo key material) out of
        # the setup log; the store password is still on the command line,
        # see above.  The key files' mode/owner are whatever the helper
        # sets -- not tightened here, confirm they are root-only.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=websocket-proxy',
                '--passin=%s' %
                (self.environment[oenginecons.PKIEnv.STORE_PASS], ),
                '--key=%s' % (oenginecons.FileLocations.
                              OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY, ),
            ),
            logStreams=False,
        )
        uninstall_files.append(oenginecons.FileLocations.
                               OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY)

        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=reports',
                '--passin=%s' %
                (self.environment[oenginecons.PKIEnv.STORE_PASS], ),
                '--key=%s' %
                (oenginecons.FileLocations.OVIRT_ENGINE_PKI_REPORTS_KEY, ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_REPORTS_KEY)

        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=apache',
                '--passin=%s' %
                (self.environment[oenginecons.PKIEnv.STORE_PASS], ),
                '--key=%s' %
                (oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY, ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY)

        # Point apache's CA cert at the engine CA cert unless something is
        # already there (an admin-supplied cert is left alone).
        # NOTE(review): os.path.exists follows symlinks, so a *dangling*
        # apache CA link reports False and os.symlink then raises
        # FileExistsError (EEXIST); os.path.lexists would catch that case.
        if not os.path.exists(
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT):
            os.symlink(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT)
            uninstall_files.append(
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT)

        # Hand the engine/jboss keystores and the websocket-proxy key/store
        # to the engine user (gid -1 leaves the group untouched), presumably
        # so the non-root engine service can read them.  The apache and
        # reports keys are not re-owned here -- confirm which user must be
        # able to read the reports key.  Mode bits are left as created.
        for f in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY,
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE,
        ):
            os.chown(
                f,
                osetuputil.getUid(
                    self.environment[osetupcons.SystemEnv.USER_ENGINE]),
                -1,
            )