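def setup_keyserver(ops: Operations) -> None:
    """Schedule installation of the keyserver on every supervisor node.

    For each node of kind "supervisor" in the cluster config this appends
    ssh steps to ``ops`` that create AUTHORITY_DIR, STATICS_DIR and
    CONFIG_DIR, upload every decrypted authority key into AUTHORITY_DIR,
    upload cluster.conf and machine.list into STATICS_DIR and keyserver.yaml
    into CONFIG_DIR, and finally enable and restart keyserver.service.

    Args:
        ops: the Operations queue the ssh steps are appended to.

    Returns:
        None; all work happens through ``ops``. Invalid key filenames are
        reported through command.fail (presumably raising -- confirm).
    """
    config = configuration.get_config()
    for node in config.nodes:
        if node.kind != "supervisor":
            continue
        ops.ssh_mkdir("create directories on @HOST", node,
                      AUTHORITY_DIR, STATICS_DIR, CONFIG_DIR)
        for name, data in authority.iterate_keys_decrypted():
            # TODO: keep these keys in memory
            # The key name becomes the final path component under
            # AUTHORITY_DIR, so it must be a single plain filename. Checking
            # only for "/" would still let "", "." or ".." resolve to the
            # directory itself or its parent instead of a file inside it.
            if not _is_plain_key_filename(name):
                command.fail("found key in upload list with invalid filename")
            # TODO: avoid keeping these keys in memory for this long
            ops.ssh_upload_bytes("upload authority %s to @HOST" % name, node,
                                 data, os.path.join(AUTHORITY_DIR, name))
        ops.ssh_upload_bytes("upload cluster config to @HOST", node,
                             configuration.get_cluster_conf().encode(),
                             STATICS_DIR + "/cluster.conf")
        ops.ssh_upload_bytes("upload machine list to @HOST", node,
                             configuration.get_machine_list_file().encode(),
                             STATICS_DIR + "/machine.list")
        ops.ssh_upload_bytes("upload keyserver config to @HOST", node,
                             configuration.get_keyserver_yaml().encode(),
                             CONFIG_DIR + "/keyserver.yaml")
        ops.ssh("enable keyserver on @HOST", node,
                "systemctl", "enable", "keyserver.service")
        ops.ssh("start keyserver on @HOST", node,
                "systemctl", "restart", "keyserver.service")


def _is_plain_key_filename(name: str) -> bool:
    """Return True if *name* is usable as a single filename component.

    Rejects names containing a path separator or NUL, the empty name, and
    the "." / ".." entries, all of which would make os.path.join produce a
    path that is not a regular file inside the target directory.
    """
    if not name or name in (".", ".."):
        return False
    return "/" not in name and "\0" not in name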
def check_keystatics():
    """Verify that the keyserver serves the expected static files.

    Fetches /static/machine.list and /static/cluster.conf from the keyserver
    and compares each, via compare_multiline, with the locally generated
    machine list and cluster config. A mismatch is reported through
    command.fail with a "MISMATCH: <file>" message; if both match, a
    "pass" line is printed.
    """
    checks = (
        ("/static/machine.list", configuration.get_machine_list_file,
         "MISMATCH: machine.list"),
        ("/static/cluster.conf", configuration.get_cluster_conf,
         "MISMATCH: cluster.conf"),
    )
    for url, local_source, failure_message in checks:
        # fetch the served copy first, then generate the local expectation
        served = query.get_keyurl_data(url)
        expected = local_source()
        if not compare_multiline(served, expected):
            command.fail(failure_message)
    print("pass: keyserver serving correct static files")
def update_known_hosts():
    """Rewrite ~/.ssh/known_hosts so the cluster's ssh host CA entry is current.

    Reads the local machine list and the local ssh_host_ca.pub, passes them
    together with the existing known_hosts lines (none if the file is absent)
    through _replace_cert_authority, and writes the result back with a
    trailing newline. Fails through command.fail when HOME is not set.
    """
    # uses local copies of machine list and ssh-host pubkey
    # TODO: eliminate now-redundant machine.list download from keyserver
    machines = configuration.get_machine_list_file().strip()
    ca_pubkey = authority.get_pubkey_by_filename("./ssh_host_ca.pub")
    home = os.getenv("HOME")
    if home is None:
        command.fail("could not determine home directory, so could not find ~/.ssh/known_hosts")
    path = os.path.join(home, ".ssh", "known_hosts")
    existing_lines = []
    if os.path.exists(path):
        existing_lines = util.readfile(path).decode().split("\n")
        # a trailing newline yields an empty final element; drop it so the
        # rewrite below does not introduce a blank line
        if existing_lines and existing_lines[-1] == "":
            existing_lines.pop()
    updated_lines = _replace_cert_authority(existing_lines, machines, ca_pubkey)
    contents = "\n".join(updated_lines) + "\n"
    util.writefile(path, contents.encode())
    print("~/.ssh/known_hosts updated")
def update_known_hosts():
    """Rewrite the user's known_hosts so the cluster's ssh host CA entry is current.

    Reads the local machine list and the local ssh_host_ca.pub, passes them
    together with the existing known_hosts lines (none if the file is absent)
    through _replace_cert_authority, and writes the result back to the path
    returned by get_known_hosts_path() with a trailing newline.
    """
    # uses local copies of machine list and ssh-host pubkey
    # TODO: eliminate now-redundant machine.list download from keyserver
    machines = configuration.get_machine_list_file().strip()
    ca_pubkey = authority.get_pubkey_by_filename("./ssh_host_ca.pub")
    path = get_known_hosts_path()
    existing_lines = []
    if os.path.exists(path):
        existing_lines = util.readfile(path).decode().split("\n")
        # a trailing newline yields an empty final element; drop it so the
        # rewrite below does not introduce a blank line
        if existing_lines and existing_lines[-1] == "":
            existing_lines.pop()
    updated_lines = _replace_cert_authority(existing_lines, machines, ca_pubkey)
    contents = "\n".join(updated_lines) + "\n"
    util.writefile(path, contents.encode())
    print("~/.ssh/known_hosts updated")
def setup_keyserver(ops: Operations, config: configuration.Config) -> None:
    """Schedule installation of the keyserver on every supervisor node.

    For each node of kind "supervisor" in ``config`` this appends ssh steps
    to ``ops`` that create AUTHORITY_DIR, STATICS_DIR and CONFIG_DIR, upload
    the authorities tarball into AUTHORITY_DIR and unpack it there, upload
    cluster.conf and machine.list into STATICS_DIR and keyserver.yaml into
    CONFIG_DIR, and restart keyserver.service.

    Args:
        ops: the Operations queue the ssh steps are appended to.
        config: the cluster configuration whose nodes are iterated.

    Returns:
        None; all work happens through ``ops``.
    """
    supervisors = (node for node in config.nodes if node.kind == "supervisor")
    for node in supervisors:
        ops.ssh_mkdir("create directories on @HOST", node,
                      AUTHORITY_DIR, STATICS_DIR, CONFIG_DIR)
        tarball_remote = AUTHORITY_DIR + "/authorities.tgz"
        ops.ssh_upload_path("upload authorities to @HOST", node,
                            authority.get_targz_path(), tarball_remote)
        # The shell line is built only from literals (no interpolated
        # values). Because of the "&&", the archive is removed only when
        # extraction succeeds; a failed extraction leaves authorities.tgz
        # in AUTHORITY_DIR -- NOTE(review): worth checking what it contains.
        ops.ssh_raw("extract authorities on @HOST", node,
                    "tar -xzf authorities.tgz && rm authorities.tgz",
                    in_directory=AUTHORITY_DIR)
        static_uploads = (
            ("upload cluster config to @HOST",
             configuration.get_cluster_conf, STATICS_DIR + "/cluster.conf"),
            ("upload machine list to @HOST",
             configuration.get_machine_list_file, STATICS_DIR + "/machine.list"),
            ("upload keyserver config to @HOST",
             configuration.get_keyserver_yaml, CONFIG_DIR + "/keyserver.yaml"),
        )
        for description, content_source, remote_path in static_uploads:
            ops.ssh_upload_bytes(description, node,
                                 content_source().encode(), remote_path)
        ops.ssh("start keyserver on @HOST", node,
                "systemctl", "restart", "keyserver.service")