Exemple #1
 def _misc(self):
     """Queue the engine PKI settings file for writing in the main transaction.

     Registers an optional ``ca_config`` uninstall group, then appends a
     ``FileTransaction`` that writes the PKI service configuration: the PKI
     directory, CA and engine certificate paths, both keystore paths and both
     keystore passwords.
     """
     uninstall_files = []
     self.environment[
         osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS].createGroup(
             group='ca_config',
             description='PKI configuration',
             optional=True,
         ).addFiles(
             'ca_config',
             uninstall_files,
         )
     self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
         filetransaction.FileTransaction(
             name=(
                 oenginecons.FileLocations.OVIRT_ENGINE_SERVICE_CONFIG_PKI),
             # Security: the file written here contains the keystore
             # passwords. 0o640 with root as owner and the engine group means
             # every account in that group can read them.
             mode=0o640,
             owner=self.environment[oengcommcons.SystemEnv.USER_ROOT],
             group=self.environment[osetupcons.SystemEnv.GROUP_ENGINE],
             enforcePermissions=True,
             # NOTE(review): the three *_PASSWORD lines below carry a stray
             # ='******' fragment and unbalanced parentheses, which looks like
             # credential masking applied to this listing; as shown the
             # expression does not parse -- confirm against the upstream file.
             content=(
                 'ENGINE_PKI="{pki_dir}"\n'
                 'ENGINE_PKI_CA="{ca}"\n'
                 'ENGINE_PKI_ENGINE_CERT="{engine_cert}"\n'
                 'ENGINE_PKI_TRUST_STORE="{trust_store}"\n'
                 'ENGINE_PKI_TRUST_STORE_PASSWORD='******'"{trust_store_password}"\n') +
                 'ENGINE_PKI_ENGINE_STORE="{engine_store}"\n'
                 'ENGINE_PKI_ENGINE_STORE_PASSWORD='******'"{engine_store_password}"\n') +
                 'ENGINE_PKI_ENGINE_STORE_ALIAS="{engine_store_alias}"\n'
                 'ENGINE_HTTPS_PKI_TRUST_STORE=' +
                 ('"${{ENGINE_PKI_TRUST_STORE}}"\n') +
                 'ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD='******'"${{ENGINE_PKI_TRUST_STORE_PASSWORD}}"\n')).format(
                     pki_dir=(
                         oenginecons.FileLocations.OVIRT_ENGINE_PKIDIR),
                     ca=(oenginecons.FileLocations.
                         OVIRT_ENGINE_PKI_ENGINE_CA_CERT),
                     engine_cert=(oenginecons.FileLocations.
                                  OVIRT_ENGINE_PKI_ENGINE_CERT),
                     trust_store=(oenginecons.FileLocations.
                                  OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE),
                     # Both store passwords are the same value, taken from
                     # oenginecons.Const.PKI_PASSWORD. NOTE(review): if that
                     # constant is fixed in the code base, the password adds no
                     # secrecy and file modes on the keystores are the only
                     # control -- confirm.
                     # The escape set is double quote, backslash and dollar:
                     # the characters that matter inside the double-quoted
                     # values above (outil.escape itself is not shown here).
                     trust_store_password=outil.escape(
                         oenginecons.Const.PKI_PASSWORD,
                         '"\\$',
                     ),
                     engine_store=(oenginecons.FileLocations.
                                   OVIRT_ENGINE_PKI_ENGINE_STORE),
                     engine_store_password=outil.escape(
                         oenginecons.Const.PKI_PASSWORD,
                         '"\\$',
                     ),
                     engine_store_alias='1',
                 ),
             # Files touched by the transaction are recorded in the same list
             # that was registered with the uninstall group above.
             modifiedList=uninstall_files,
         ))
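 def getDBConfig(self, prefix):
     """Render the ``<prefix>_DB_*`` block of a service configuration file.

     Args:
         prefix: Variable-name prefix placed in front of every ``_DB_*`` key.

     Returns:
         The settings as newline-terminated ``NAME="value"`` lines.

     The password is escaped for double quote, backslash and dollar, the
     characters that are significant inside a double-quoted value. The
     earlier escape set (colon and backslash) is what a colon-separated
     pgpass line needs; in this file it left a password containing a double
     quote or a dollar sign unescaped, so the quoted value could end early or
     presumably be read as a variable reference.
     """
     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; the user= and
     # password= arguments below are otherwise unused. Confirm against the
     # upstream template before relying on the text as shown.
     return (
         '{prefix}_DB_HOST="{host}"\n'
         '{prefix}_DB_PORT="{port}"\n'
         '{prefix}_DB_USER="******"\n'
         '{prefix}_DB_PASSWORD="******"\n'
         '{prefix}_DB_DATABASE="{database}"\n'
         '{prefix}_DB_SECURED="{secured}"\n'
         '{prefix}_DB_SECURED_VALIDATION="{hostValidation}"\n'
         '{prefix}_DB_DRIVER="org.postgresql.Driver"\n'
         '{prefix}_DB_URL="{jdbcUrl}"\n'
     ).format(
         prefix=prefix,
         host=_ind_env(self, DEK.HOST),
         port=_ind_env(self, DEK.PORT),
         user=_ind_env(self, DEK.USER),
         # Escape for the quoted NAME="value" syntax, not for pgpass.
         password=outil.escape(
             _ind_env(self, DEK.PASSWORD),
             '"\\$',
         ),
         database=_ind_env(self, DEK.DATABASE),
         secured=_ind_env(self, DEK.SECURED),
         hostValidation=_ind_env(self, DEK.HOST_VALIDATION),
         jdbcUrl=self.getJdbcUrl(),
     )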
Exemple #3
    def createPgPass(self):
        """Write a temporary pgpass file and publish its path in the environment.

        The file comes from ``tempfile.mkstemp``, so it is created readable
        and writable by the current user only, and it is scheduled for
        removal at interpreter exit because it holds the database password in
        clear text. ``atexit`` handlers do not run when the process is killed
        by a signal or leaves through ``os._exit``, so the file can outlive
        such a run.
        """
        # Whether the password has to be escaped inside a pgpass file depends
        # on the client-side psql library (the original note mentions the
        # RHEL build for 8.4 taking it unescaped). The simplest probe is the
        # psql version banner; the answer is cached on the class.
        cls = type(self)
        if cls._plainPassword is None:
            _rc, banner, _err = self._plugin.execute(
                args=(self.command.get('psql'), '-V'),
            )
            cls._plainPassword = '******' in banner[0]

        handle, pgpass_path = tempfile.mkstemp()
        atexit.register(os.unlink, pgpass_path)
        with os.fdopen(handle, 'w') as out:
            host = _ind_env(self, DEK.HOST)
            port = _ind_env(self, DEK.PORT)
            database = _ind_env(self, DEK.DATABASE)
            user = _ind_env(self, DEK.USER)
            if cls._plainPassword:
                secret = _ind_env(self, DEK.PASSWORD)
            else:
                # Colon is the pgpass field separator, backslash the escape.
                secret = outil.escape(_ind_env(self, DEK.PASSWORD), ':\\')
            out.write(
                (
                    '# DB USER credentials.\n'
                    '{host}:{port}:{database}:{user}:{password}\n'
                ).format(
                    host=host,
                    port=port,
                    database=database,
                    user=user,
                    password=secret,
                )
            )
        self.environment[self._dbenvkeys[DEK.PGPASSFILE]] = pgpass_path
Exemple #4
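 def getDBConfig(self, prefix, localhost_replacement=None):
     """Render the ``<prefix>_DB_*`` block of a service configuration file.

     Args:
         prefix: Variable-name prefix placed in front of every ``_DB_*`` key.
         localhost_replacement: Passed unchanged to ``replaced_localhost``
             and ``getJdbcUrl``; its handling is defined by those methods.

     Returns:
         The settings as newline-terminated ``NAME="value"`` lines.

     The password is escaped for double quote, backslash and dollar, the
     characters that are significant inside a double-quoted value. The
     earlier escape set (colon and backslash) fits a colon-separated pgpass
     line; here it left a double quote or a dollar sign in the password
     unescaped, so the quoted value could end early or presumably be read as
     a variable reference.
     """
     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; the user= and
     # password= arguments below are otherwise unused. Confirm against the
     # upstream template.
     return (
         '{prefix}_DB_HOST="{host}"\n'
         '{prefix}_DB_PORT="{port}"\n'
         '{prefix}_DB_USER="******"\n'
         '{prefix}_DB_PASSWORD="******"\n'
         '{prefix}_DB_DATABASE="{database}"\n'
         '{prefix}_DB_SECURED="{secured}"\n'
         '{prefix}_DB_SECURED_VALIDATION="{hostValidation}"\n'
         '{prefix}_DB_DRIVER="org.postgresql.Driver"\n'
         '{prefix}_DB_URL="{jdbcUrl}"\n'
     ).format(
         prefix=prefix,
         host=self.replaced_localhost(localhost_replacement),
         port=_ind_env(self, DEK.PORT),
         user=_ind_env(self, DEK.USER),
         # Escape for the quoted NAME="value" syntax, not for pgpass.
         password=outil.escape(
             _ind_env(self, DEK.PASSWORD),
             '"\\$',
         ),
         database=_ind_env(self, DEK.DATABASE),
         secured=_ind_env(self, DEK.SECURED),
         hostValidation=_ind_env(self, DEK.HOST_VALIDATION),
         jdbcUrl=self.getJdbcUrl(localhost_replacement),
     )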
Exemple #5
    def _handle_rename(self, entity):
        """Re-enroll the certificate of ``entity`` with the new FQDN as its CN.

        Steps, in order: extract the current certificate from the PKCS#12
        store, rebuild its subject with the common name replaced by the
        rename FQDN, enroll a new certificate with that subject and a DNS
        subjectAltName, record the produced files for uninstall, optionally
        extract the private key, then run the entity's extra action.

        Security notes for reviewers: the store password is placed in the
        argument tuple of both helper programs (``--passin=`` and
        ``--password=``); if ``self.execute`` passes the tuple on as argv, it
        is visible in the process list while the helpers run. The
        ``.key.nopass`` output is a private key without passphrase, so its
        protection is whatever file mode the extract helper applies, which is
        not visible here.
        """
        name = entity['name']
        locations = oenginecons.FileLocations
        store_pass_key = oenginecons.PKIEnv.STORE_PASS
        fqdn_key = osetupcons.RenameEnv.FQDN

        _rc, pem_lines, _err = self.execute(args=(
            locations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=%s' % name,
            '--passin=%s' % (self.environment[store_pass_key],),
            '--cert=-',
        ))
        cert = x509.load_pem_x509_certificate(
            '\n'.join(pem_lines).encode('ascii'),
            backend=default_backend(),
        )

        # One "/TYPE=value" piece per name attribute; only the CN value is
        # swapped for the new FQDN. Every value is escaped so that it cannot
        # contain an unescaped "/" of its own.
        components = []
        for rdn in cert.subject.rdns:
            for attribute in rdn:
                label = _NAMEOID_TO_NAME[attribute.oid]
                value = attribute.value
                if attribute.oid == x509.oid.NameOID.COMMON_NAME:
                    value = self.environment[fqdn_key]
                components.append(
                    '/{typ}={val}'.format(
                        typ=label,
                        val=outil.escape(value, '/\\'),
                    )
                )
        new_subject = ''.join(components)

        self.execute((
            locations.OVIRT_ENGINE_PKI_CA_ENROLL,
            '--name=%s' % name,
            '--password=%s' % (self.environment[store_pass_key],),
            '--subject=%s' % new_subject,
            '--san=DNS:%s' % (
                self._subjectComponentEscape(self.environment[fqdn_key]),
            ),
        ))

        keys_dir = locations.OVIRT_ENGINE_PKIKEYSDIR
        self.uninstall_files.extend((
            os.path.join(keys_dir, '{name}.p12'.format(name=name)),
            os.path.join(
                locations.OVIRT_ENGINE_PKICERTSDIR,
                '{name}.cer'.format(name=name),
            ),
        ))

        if entity['extract_key']:
            self.execute(args=(
                locations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=%s' % name,
                '--passin=%s' % (self.environment[store_pass_key],),
                '--key=%s' % (
                    os.path.join(
                        keys_dir,
                        '{name}.key.nopass'.format(name=name),
                    )
                ),
            ))
            self.uninstall_files.append(
                os.path.join(keys_dir, '{name}.key.nopass'.format(name=name))
            )

        extra_action = entity['extra_action']
        if extra_action:
            extra_action(self)
Exemple #6
 def _misc(self):
     """Queue the engine PKI settings file for writing in the main transaction.

     Registers an optional ``ca_config`` uninstall group, then appends a
     ``FileTransaction`` that writes the PKI service configuration: the PKI
     directory, CA and engine certificate paths, both keystore paths and both
     keystore passwords.
     """
     uninstall_files = []
     self.environment[osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS].createGroup(
         group="ca_config", description="PKI configuration", optional=True
     ).addFiles("ca_config", uninstall_files)
     self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
         filetransaction.FileTransaction(
             name=(oenginecons.FileLocations.OVIRT_ENGINE_SERVICE_CONFIG_PKI),
             # Security: the file holds the keystore passwords, so it is
             # written owner-only (0o600) for the engine user, with the mode
             # enforced by the transaction.
             mode=0o600,
             owner=self.environment[osetupcons.SystemEnv.USER_ENGINE],
             enforcePermissions=True,
             # NOTE(review): the three *_PASSWORD lines below carry a stray
             # ="******" fragment and unbalanced parentheses, which looks like
             # credential masking applied to this listing; as shown the
             # expression does not parse -- confirm against the upstream file.
             content=(
                 'ENGINE_PKI="{pki_dir}"\n'
                 'ENGINE_PKI_CA="{ca}"\n'
                 'ENGINE_PKI_ENGINE_CERT="{engine_cert}"\n'
                 'ENGINE_PKI_TRUST_STORE="{trust_store}"\n'
                 "ENGINE_PKI_TRUST_STORE_PASSWORD="******"{trust_store_password}"\n')
                 + 'ENGINE_PKI_ENGINE_STORE="{engine_store}"\n'
                 "ENGINE_PKI_ENGINE_STORE_PASSWORD="******"{engine_store_password}"\n')
                 + 'ENGINE_PKI_ENGINE_STORE_ALIAS="{engine_store_alias}"\n'
                 "ENGINE_HTTPS_PKI_TRUST_STORE="
                 + ('"${{ENGINE_PKI_TRUST_STORE}}"\n')
                 + "ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="******"${{ENGINE_PKI_TRUST_STORE_PASSWORD}}"\n')
             ).format(
                 pki_dir=(oenginecons.FileLocations.OVIRT_ENGINE_PKIDIR),
                 ca=(oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT),
                 engine_cert=(oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT),
                 trust_store=(oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE),
                 # Both store passwords are the same value, taken from
                 # oenginecons.Const.PKI_PASSWORD, escaped for double quote,
                 # backslash and dollar. NOTE(review): if that constant is
                 # fixed in the code base it adds no secrecy of its own; the
                 # file modes are then the only control -- confirm.
                 trust_store_password=outil.escape(oenginecons.Const.PKI_PASSWORD, '"\\$'),
                 engine_store=(oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE),
                 engine_store_password=outil.escape(oenginecons.Const.PKI_PASSWORD, '"\\$'),
                 engine_store_alias="1",
             ),
             # Files touched by the transaction are recorded in the same list
             # that was registered with the uninstall group above.
             modifiedList=uninstall_files,
         )
     )
Exemple #7
 def _getDBConfig(
     self,
     prefix,
     host,
     port,
     user,
     password,
     database,
     secured,
     hostValidation,
 ):
     """Render the ``<prefix>_DB_*`` settings, including the JDBC URL.

     The URL refers back to the HOST, PORT and DATABASE variables of the same
     block and appends the TLS options joined with ``&``: ``ssl=true`` when
     ``secured`` is true, and the ``NonValidatingFactory`` socket factory when
     ``hostValidation`` is false.

     Security note: with ``hostValidation`` false the connection is encrypted
     but the server certificate is not verified, so it does not authenticate
     the database host. The ``sslfactory`` option is emitted on the value of
     ``hostValidation`` alone, also when ``secured`` is false.

     The password is escaped for double quote, backslash and dollar, the
     characters that matter inside the double-quoted value.
     """
     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; confirm against the
     # upstream template.
     template = ''.join((
         '{prefix}_DB_HOST="{host}"\n',
         '{prefix}_DB_PORT="{port}"\n',
         '{prefix}_DB_USER="******"\n',
         '{prefix}_DB_PASSWORD="******"\n',
         '{prefix}_DB_DATABASE="{database}"\n',
         '{prefix}_DB_SECURED="{secured}"\n',
         '{prefix}_DB_SECURED_VALIDATION="{hostValidation}"\n',
         '{prefix}_DB_DRIVER="org.postgresql.Driver"\n',
         '{prefix}_DB_URL="jdbc:postgresql://'
         '${{{prefix}_DB_HOST}}:${{{prefix}_DB_PORT}}'
         '/${{{prefix}_DB_DATABASE}}'
         '?{jdbcTlsOptions}"\n',
     ))

     quoted_password = outil.escape(password, '"\\$')

     tls_options = []
     if secured:
         tls_options.append('ssl=true')
     if not hostValidation:
         tls_options.append(
             'sslfactory=org.postgresql.ssl.NonValidatingFactory'
         )

     return template.format(
         prefix=prefix,
         host=host,
         port=port,
         user=user,
         password=quoted_password,
         database=database,
         secured=secured,
         hostValidation=hostValidation,
         jdbcTlsOptions='&'.join(tls_options),
     )
Exemple #8
    def _misc(self):
        """Re-enroll the ``apache`` certificate with the new FQDN as its CN.

        Extracts the current certificate, replaces the CN entry of its
        subject, enrolls a new certificate with that subject and a DNS
        subjectAltName, extracts the private key, records the produced files
        for uninstall and flags Apache for restart.

        Security note: the store password appears in the argument tuple of
        every helper invocation (``--passin=`` / ``--password=``); if
        ``self.execute`` hands the tuple over as argv, other local accounts
        can read it from the process list while the helper runs.
        """
        # TODO
        # This implementation is not transactional: the legacy CA
        # implementation has too many issues. It needs to be reworked before
        # it can take part in the transaction.
        _rc, pem_lines, _err = self.execute(args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=%s' % 'apache',
            '--passin=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            '--cert=-',
        ))
        cert = X509.load_cert_string(
            string='\n'.join(pem_lines).encode('ascii'),
            format=X509.FORMAT_PEM,
        )
        subject = cert.get_subject()
        cn_entry = subject.get_entries_by_nid(X509.X509_Name.nid['CN'])[0]
        cn_entry.set_data(self.environment[osetupcons.RenameEnv.FQDN])

        self.execute((
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
            '--name=%s' % 'apache',
            '--password=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            # "%" binds tighter than "+": the format yields "--subject=/" and
            # the escaped subject lines are appended to it, "/"-separated.
            ('--subject=%s' % '/') + '/'.join(
                outil.escape(line, '/\\')
                for line in subject.as_text(
                    flags=XN_FLAG_SEP_MULTILINE,
                ).splitlines()
            ),
            '--san=DNS:%s' % (
                self._subjectComponentEscape(
                    self.environment[osetupcons.RenameEnv.FQDN],
                ),
            ),
        ))

        self.uninstall_files.extend((
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
        ))

        apache_key = oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
        self.execute(args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=%s' % 'apache',
            '--passin=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            '--key=%s' % (apache_key,),
        ))
        self.uninstall_files.append(apache_key)

        self.environment[oengcommcons.ApacheEnv.NEED_RESTART] = True
Exemple #9
    def _handle_rename(self, entity):
        """Re-enroll the certificate of ``entity`` with the new FQDN as its CN.

        Extracts the current certificate from the PKCS#12 store, overwrites
        the CN entry of its subject with the UTF-8 encoded rename FQDN,
        enrolls a new certificate with that subject and a DNS subjectAltName,
        records the produced files for uninstall, optionally extracts the
        private key, then runs the entity's extra action.

        Security notes for reviewers: the store password is placed in the
        argument tuple of each helper call, which exposes it in the process
        list if ``self.execute`` passes the tuple as argv. The
        ``.key.nopass`` file is a private key without passphrase; its file
        mode is set by the extract helper and is not visible here.
        """
        name = entity['name']
        env = self.environment
        locations = oenginecons.FileLocations

        _rc, pem_lines, _err = self.execute(args=(
            locations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=%s' % name,
            '--passin=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
            '--cert=-',
        ))
        cert = X509.load_cert_string(
            string='\n'.join(pem_lines).encode('ascii'),
            format=X509.FORMAT_PEM,
        )
        subject = cert.get_subject()
        cn_entry = subject.get_entries_by_nid(X509.X509_Name.nid['CN'])[0]
        cn_entry.set_data(env[osetupcons.RenameEnv.FQDN].encode('utf8'))

        self.execute((
            locations.OVIRT_ENGINE_PKI_CA_ENROLL,
            '--name=%s' % name,
            '--password=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
            # "%" binds tighter than "+": the format yields "--subject=/" and
            # the escaped subject lines are appended to it, "/"-separated.
            ('--subject=%s' % '/') + '/'.join(
                outil.escape(line, '/\\')
                for line in subject.as_text(
                    flags=XN_FLAG_SEP_MULTILINE,
                ).splitlines()
            ),
            '--san=DNS:%s' % (
                self._subjectComponentEscape(env[osetupcons.RenameEnv.FQDN]),
            ),
        ))

        keys_dir = locations.OVIRT_ENGINE_PKIKEYSDIR
        self.uninstall_files.extend((
            os.path.join(keys_dir, '{name}.p12'.format(name=name)),
            os.path.join(
                locations.OVIRT_ENGINE_PKICERTSDIR,
                '{name}.cer'.format(name=name),
            ),
        ))

        if entity['extract_key']:
            self.execute(args=(
                locations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=%s' % name,
                '--passin=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
                '--key=%s' % (
                    os.path.join(
                        keys_dir,
                        '{name}.key.nopass'.format(name=name),
                    )
                ),
            ))
            self.uninstall_files.append(
                os.path.join(keys_dir, '{name}.key.nopass'.format(name=name))
            )

        extra_action = entity['extra_action']
        if extra_action:
            extra_action(self)
Exemple #10
 def _misc(self):
     """Queue the engine database settings file for writing.

     The file is written owner-only (0o600) for the engine user, with the
     mode enforced, because it holds the database password. The password is
     escaped for double quote, backslash and dollar, the characters that
     matter inside the double-quoted value.

     Security note: the JDBC URL gets ``ssl=true`` only when SECURED is set,
     and selects ``NonValidatingFactory`` whenever SECURED_HOST_VALIDATION is
     false, in which case the server certificate is not verified.
     """
     env = self.environment
     keys = oenginecons.EngineDBEnv

     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; confirm against the
     # upstream template.
     template = ''.join((
         'ENGINE_DB_HOST="{host}"\n',
         'ENGINE_DB_PORT="{port}"\n',
         'ENGINE_DB_USER="******"\n',
         'ENGINE_DB_PASSWORD="******"\n',
         'ENGINE_DB_DATABASE="{db}"\n',
         'ENGINE_DB_SECURED="{secured}"\n',
         'ENGINE_DB_SECURED_VALIDATION="{securedValidation}"\n',
         'ENGINE_DB_DRIVER="org.postgresql.Driver"\n',
         'ENGINE_DB_URL="jdbc:postgresql://'
         '${{ENGINE_DB_HOST}}:${{ENGINE_DB_PORT}}'
         '/${{ENGINE_DB_DATABASE}}'
         '?{jdbcTlsOptions}"\n',
     ))

     transaction = env[otopicons.CoreEnv.MAIN_TRANSACTION]
     transaction.append(
         filetransaction.FileTransaction(
             name=(
                 oenginecons.FileLocations.
                 OVIRT_ENGINE_SERVICE_CONFIG_DATABASE
             ),
             mode=0o600,
             owner=env[osetupcons.SystemEnv.USER_ENGINE],
             enforcePermissions=True,
             content=template.format(
                 host=env[keys.HOST],
                 port=env[keys.PORT],
                 user=env[keys.USER],
                 password=outil.escape(env[keys.PASSWORD], '"\\$'),
                 db=env[keys.DATABASE],
                 secured=env[keys.SECURED],
                 securedValidation=env[keys.SECURED_HOST_VALIDATION],
                 jdbcTlsOptions='&'.join(
                     option for option in (
                         'ssl=true' if env[keys.SECURED] else '',
                         (
                             'sslfactory='
                             'org.postgresql.ssl.NonValidatingFactory'
                         ) if not env[keys.SECURED_HOST_VALIDATION] else '',
                     ) if option
                 ),
             ),
             modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
         )
     )
Exemple #11
    def _misc(self):
        """Re-enroll the ``apache`` certificate with the new FQDN as its CN.

        Extracts the current certificate, replaces the CN entry of its
        subject, enrolls a new certificate with that subject, extracts the
        private key, records the produced files for uninstall and flags
        Apache for restart. No subjectAltName is requested here.

        Security note: the store password appears in the argument tuple of
        every helper invocation; if ``self.execute`` hands the tuple over as
        argv, it is readable from the process list while the helper runs.
        """
        # TODO
        # This implementation is not transactional: the legacy CA
        # implementation has too many issues. It needs to be reworked before
        # it can take part in the transaction.
        env = self.environment
        extract_tool = oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT

        _rc, pem_lines, _err = self.execute(args=(
            extract_tool,
            '--name=%s' % 'apache',
            '--passin=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
            '--cert=-',
        ))
        cert = X509.load_cert_string(
            string='\n'.join(pem_lines).encode('ascii'),
            format=X509.FORMAT_PEM,
        )
        subject = cert.get_subject()
        cn_entry = subject.get_entries_by_nid(X509.X509_Name.nid['CN'])[0]
        cn_entry.set_data(env[osetupcons.RenameEnv.FQDN])

        self.execute((
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
            '--name=%s' % 'apache',
            '--password=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
            # "%" binds tighter than "+": the format yields "--subject=/" and
            # the escaped subject lines are appended to it, "/"-separated.
            ('--subject=%s' % '/') + '/'.join(
                outil.escape(line, '/\\')
                for line in subject.as_text(
                    flags=XN_FLAG_SEP_MULTILINE,
                ).splitlines()
            ),
        ))

        self.uninstall_files.extend((
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
        ))

        apache_key = oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
        self.execute(args=(
            extract_tool,
            '--name=%s' % 'apache',
            '--passin=%s' % (env[oenginecons.PKIEnv.STORE_PASS],),
            '--key=%s' % (apache_key,),
        ))
        self.uninstall_files.append(apache_key)

        env[oengcommcons.ApacheEnv.NEED_RESTART] = True
Exemple #12
 def _misc(self):
     """Queue the engine database settings file for writing.

     The file is written owner-only (0o600) for the engine user, with the
     mode enforced, because it holds the database password. The password is
     escaped for double quote, backslash and dollar; the JDBC URL comes from
     ``database.OvirtUtils.getJdbcUrl``.
     """
     env = self.environment
     keys = oenginecons.EngineDBEnv

     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; confirm against the
     # upstream template.
     template = ''.join((
         'ENGINE_DB_HOST="{host}"\n',
         'ENGINE_DB_PORT="{port}"\n',
         'ENGINE_DB_USER="******"\n',
         'ENGINE_DB_PASSWORD="******"\n',
         'ENGINE_DB_DATABASE="{db}"\n',
         'ENGINE_DB_SECURED="{secured}"\n',
         'ENGINE_DB_SECURED_VALIDATION="{securedValidation}"\n',
         'ENGINE_DB_DRIVER="org.postgresql.Driver"\n',
         'ENGINE_DB_URL="{jdbcUrl}"\n',
     ))

     transaction = env[otopicons.CoreEnv.MAIN_TRANSACTION]
     transaction.append(
         filetransaction.FileTransaction(
             name=(
                 oenginecons.FileLocations.
                 OVIRT_ENGINE_SERVICE_CONFIG_DATABASE
             ),
             mode=0o600,
             owner=env[osetupcons.SystemEnv.USER_ENGINE],
             enforcePermissions=True,
             content=template.format(
                 host=env[keys.HOST],
                 port=env[keys.PORT],
                 user=env[keys.USER],
                 password=outil.escape(env[keys.PASSWORD], '"\\$'),
                 db=env[keys.DATABASE],
                 secured=env[keys.SECURED],
                 securedValidation=env[keys.SECURED_HOST_VALIDATION],
                 jdbcUrl=database.OvirtUtils(
                     plugin=self,
                     dbenvkeys=oenginecons.Const.ENGINE_DB_ENV_KEYS,
                 ).getJdbcUrl(),
             ),
             modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
         )
     )
Exemple #13
 def _misc(self):
     """Queue the reports service database settings file for writing.

     The written files are added to the ``ovirt_reports_files`` uninstall
     group. The file is written owner-only (0o600) for the engine user, with
     the mode enforced, because it holds the DWH database password, which is
     escaped for double quote, backslash and dollar.
     """
     env = self.environment
     keys = oreportscons.DWHDBEnv

     uninstall_files = []
     env[osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS].addFiles(
         group='ovirt_reports_files',
         fileList=uninstall_files,
     )

     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; confirm against the
     # upstream template.
     template = ''.join((
         'DWH_DB_HOST="{host}"\n',
         'DWH_DB_PORT="{port}"\n',
         'DWH_DB_USER="******"\n',
         'DWH_DB_PASSWORD="******"\n',
         'DWH_DB_DATABASE="{db}"\n',
         'DWH_DB_SECURED="{secured}"\n',
         'DWH_DB_SECURED_VALIDATION="{securedValidation}"\n',
     ))

     transaction = env[otopicons.CoreEnv.MAIN_TRANSACTION]
     transaction.append(
         filetransaction.FileTransaction(
             name=(
                 oreportscons.FileLocations.
                 REPORTS_SERVICE_CONFIG_DATABASE
             ),
             mode=0o600,
             owner=env[osetupcons.SystemEnv.USER_ENGINE],
             enforcePermissions=True,
             content=template.format(
                 host=env[keys.HOST],
                 port=env[keys.PORT],
                 user=env[keys.USER],
                 password=outil.escape(env[keys.PASSWORD], '"\\$'),
                 db=env[keys.DATABASE],
                 secured=env[keys.SECURED],
                 securedValidation=env[keys.SECURED_HOST_VALIDATION],
             ),
             modifiedList=uninstall_files,
         )
     )
Exemple #14
    def createPgPass(self):
        """Write a temporary pgpass file and publish its path in the environment.

        The file comes from ``tempfile.mkstemp``, so it is created readable
        and writable by the current user only, and it is scheduled for
        removal at interpreter exit because it holds the database password in
        clear text. ``atexit`` handlers do not run when the process is killed
        by a signal or leaves through ``os._exit``, so the file can outlive
        such a run.
        """
        # Whether the password has to be escaped inside a pgpass file depends
        # on the client-side psql library (the original note mentions the
        # RHEL build for 8.4 taking it unescaped). The simplest probe is the
        # psql version banner; the answer is cached on the class.
        cls = type(self)
        if cls._plainPassword is None:
            _rc, banner, _err = self._plugin.execute(
                args=(self.command.get('psql'), '-V'),
            )
            cls._plainPassword = '******' in banner[0]

        handle, pgpass_path = tempfile.mkstemp()
        atexit.register(os.unlink, pgpass_path)
        with os.fdopen(handle, 'w') as out:
            host = self.environment[self._dbenvkeys['host']]
            port = self.environment[self._dbenvkeys['port']]
            database = self.environment[self._dbenvkeys['database']]
            user = self.environment[self._dbenvkeys['user']]
            if cls._plainPassword:
                secret = self.environment[self._dbenvkeys['password']]
            else:
                # Colon is the pgpass field separator, backslash the escape.
                secret = outil.escape(
                    self.environment[self._dbenvkeys['password']],
                    ':\\',
                )
            out.write(
                (
                    '# DB USER credentials.\n'
                    '{host}:{port}:{database}:{user}:{password}\n'
                ).format(
                    host=host,
                    port=port,
                    database=database,
                    user=user,
                    password=secret,
                )
            )
        self.environment[self._dbenvkeys['pgpassfile']] = pgpass_path
Exemple #15
 def _misc(self):
     """Queue the engine database settings file for writing.

     The target is created with mode 0o600 for the engine user and the mode
     is enforced by the transaction: the file contains the database
     password. That password is escaped for double quote, backslash and
     dollar before it is placed inside the double-quoted value. The JDBC URL
     is obtained from ``database.OvirtUtils.getJdbcUrl``.
     """
     environment = self.environment
     db_env = oenginecons.EngineDBEnv

     # NOTE(review): the "******" values in the USER and PASSWORD lines look
     # like credential masking applied to this listing; confirm against the
     # upstream template.
     lines = (
         'ENGINE_DB_HOST="{host}"\n',
         'ENGINE_DB_PORT="{port}"\n',
         'ENGINE_DB_USER="******"\n',
         'ENGINE_DB_PASSWORD="******"\n',
         'ENGINE_DB_DATABASE="{db}"\n',
         'ENGINE_DB_SECURED="{secured}"\n',
         'ENGINE_DB_SECURED_VALIDATION="{securedValidation}"\n',
         'ENGINE_DB_DRIVER="org.postgresql.Driver"\n',
         'ENGINE_DB_URL="{jdbcUrl}"\n',
     )

     main_transaction = environment[otopicons.CoreEnv.MAIN_TRANSACTION]
     main_transaction.append(
         filetransaction.FileTransaction(
             name=(
                 oenginecons.FileLocations.
                 OVIRT_ENGINE_SERVICE_CONFIG_DATABASE
             ),
             mode=0o600,
             owner=environment[osetupcons.SystemEnv.USER_ENGINE],
             enforcePermissions=True,
             content=''.join(lines).format(
                 host=environment[db_env.HOST],
                 port=environment[db_env.PORT],
                 user=environment[db_env.USER],
                 password=outil.escape(
                     environment[db_env.PASSWORD],
                     '"\\$',
                 ),
                 db=environment[db_env.DATABASE],
                 secured=environment[db_env.SECURED],
                 securedValidation=environment[
                     db_env.SECURED_HOST_VALIDATION
                 ],
                 jdbcUrl=database.OvirtUtils(
                     plugin=self,
                     dbenvkeys=oenginecons.Const.ENGINE_DB_ENV_KEYS,
                 ).getJdbcUrl(),
             ),
             modifiedList=environment[otopicons.CoreEnv.MODIFIED_FILES],
         )
     )
Exemple #16
 def _subjectComponentEscape(self, s):
     """Escape ``s`` for use inside a ``/``-separated certificate subject.

     Delegates to ``outil.escape`` with ``/`` and backslash as the characters
     to escape, presumably so that a value cannot add a subject component of
     its own (``outil.escape`` is not shown here).
     """
     special_characters = '/\\'
     return outil.escape(s, special_characters)
Exemple #17
    def daemonSetup(self):
        """Prepare the command line and environment of the DWH Java service.

        Refuses to run as root, loads the configuration (defaults file plus
        ``config.DWH_VARS``), locates the ``java`` executable, renders
        ``settings.properties`` into a fresh temporary directory and builds
        ``self._serviceArgs`` and ``self._serviceEnv``.

        Raises:
            RuntimeError: when the effective uid is 0 or the defaults file
                does not exist.
        """

        # Security: the service must not run with root privileges.
        if os.geteuid() == 0:
            raise RuntimeError(
                _('This service cannot be executed as root')
            )

        if not os.path.exists(self._defaults):
            raise RuntimeError(
                _(
                    "The configuration defaults file '{file}' "
                    "required but missing"
                ).format(
                    file=self._defaults,
                )
            )

        self._config = configfile.ConfigFile(
            (
                self._defaults,
                config.DWH_VARS,
            ),
        )

        #
        # Done as early as possible so that a missing Java aborts the setup
        # before anything else is created.
        #
        self._executable = os.path.join(
            java.Java().getJavaHome(),
            'bin',
            'java',
        )

        self._checkInstallation(
            pidfile=self.pidfile,
        )

        self._tempDir = service.TempDir()
        self._tempDir.create()

        # Every configuration value is substituted into the template as
        # @KEY@, escaped for ':', '=', backslash and space.
        # NOTE(review): the values presumably include the database
        # credentials. The file is opened with plain open(), so its mode
        # follows the process umask and its exposure depends on the mode of
        # the temporary directory created above -- confirm both.
        settings = os.path.join(self._tempDir.directory, 'settings.properties')
        with open(settings, 'w') as f:
            f.write(
                util.processTemplate(
                    os.path.join(
                        self._config.get('PKG_DATA_DIR'),
                        'conf',
                        'settings.properties.in'
                    ),
                    dict(
                        ('@%s@' % k, util.escape(v, ':=\\ ')) for (k, v) in
                        self._config.values.items()
                    ),
                )
            )

        self._serviceArgs = [
            'ovirt-engine-dwhd',
            '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
        ]

        # Add arguments for the java heap size:
        self._serviceArgs.extend([
            '-Xms%s' % self._config.get('DWH_HEAP_MIN'),
            '-Xmx%s' % self._config.get('DWH_HEAP_MAX'),
        ])

        # DWH_PROPERTIES and DWH_JVM_ARGS are split shell-style and appended
        # to the JVM arguments as they are, so whoever can write the
        # configuration files controls the JVM options of the service.
        for engineProperty in shlex.split(
            self._config.get('DWH_PROPERTIES')
        ):
            if not engineProperty.startswith('-D'):
                engineProperty = '-D' + engineProperty
            self._serviceArgs.append(engineProperty)

        for arg in shlex.split(self._config.get('DWH_JVM_ARGS')):
            self._serviceArgs.append(arg)

        # Security: a non-empty DWH_DEBUG_ADDRESS makes the JVM listen for a
        # JDWP debugger (server=y) without suspending. A debugger that can
        # reach that address controls the JVM, so the address should not be
        # reachable from untrusted hosts and the option should stay unset in
        # production.
        engineDebugAddress = self._config.get('DWH_DEBUG_ADDRESS')
        if engineDebugAddress:
            self._serviceArgs.append(
                (
                    '-Xrunjdwp:transport=dt_socket,address=%s,'
                    'server=y,suspend=n'
                ) % (
                    engineDebugAddress
                )
            )

        if self._config.getboolean('DWH_VERBOSE_GC'):
            self._serviceArgs.extend([
                '-verbose:gc',
                '-XX:+PrintGCTimeStamps',
                '-XX:+PrintGCDetails',
            ])

        # Classpath: every entry under PKG_JAVA_LIB (wildcard) followed by
        # whatever _getClasspath() returns; then the main class and its
        # context argument.
        self._serviceArgs.extend([
            '-classpath', '%s:%s' % (
                os.path.join(
                    self._config.get('PKG_JAVA_LIB'),
                    '*',
                ),
                self._getClasspath(),
            ),
            'ovirt_engine_dwh.historyetl_4_3.HistoryETL',
            '--context=Default',
        ])

        # The service inherits the caller's environment, with PATH replaced
        # by a fixed list of system directories and the locale pinned; all
        # other inherited variables are passed through unchanged.
        self._serviceEnv = os.environ.copy()
        self._serviceEnv.update({
            'PATH': (
                '/usr/local/sbin:/usr/local/bin:'
                '/usr/sbin:/usr/bin:/sbin:/bin'
            ),
            'LANG': 'en_US.UTF-8',
            'LC_ALL': 'en_US.UTF-8',
        })
Exemple #18
    def _setupAuth(self):
        """Queue the files that configure the internal aaa-jdbc profile.

        Three file transactions are appended to the main transaction, in
        this order:

        1. the datasource properties file (JDBC URL, database user,
           database password, driver and schema name);
        2. ``<profile>-authn.properties`` in the extensions directory;
        3. ``<profile>-authz.properties`` in the extensions directory.

        Each file is requested with mode 0600, owned by the engine user,
        with ``enforcePermissions=True``.
        """
        env = self.environment
        dbConfigPath = oenginecons.FileLocations.AAA_JDBC_CONFIG_DB

        datasourceTemplate = (
            'config.datasource.jdbcurl={jdbcUrl}\n'
            'config.datasource.dbuser={user}\n'
            'config.datasource.dbpassword={password}\n'
            'config.datasource.jdbcdriver=org.postgresql.Driver\n'
            'config.datasource.schemaname={schemaName}\n'
        )
        jdbcUrl = database.OvirtUtils(
            plugin=self,
            dbenvkeys=oenginecons.Const.ENGINE_DB_ENV_KEYS,
        ).getJdbcUrl()
        # Only the password goes through outil.escape (for '"', '\' and
        # '$'); the JDBC URL and the user name are interpolated as-is.
        # NOTE(review): confirm the reader of this file handles those two
        # values safely when they contain special characters.
        escapedPassword = outil.escape(
            env[oenginecons.EngineDBEnv.PASSWORD],
            '"\\$',
        )
        datasourceContent = datasourceTemplate.format(
            jdbcUrl=jdbcUrl,
            user=env[oenginecons.EngineDBEnv.USER],
            password=escapedPassword,
            schemaName=self._AAA_JDBC_SCHEMA
        )
        # NOTE(review): this file holds the database password in clear
        # text. Confirm what visibleButUnsafe=True implies for how and when
        # the file is written, so the secret is never on disk with anything
        # looser than the requested 0600.
        env[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            filetransaction.FileTransaction(
                name=dbConfigPath,
                mode=0o600,
                owner=env[osetupcons.SystemEnv.USER_ENGINE],
                enforcePermissions=True,
                content=datasourceContent,
                visibleButUnsafe=True,
                modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
            )
        )

        # The profile is whatever follows the last '@' of the admin user;
        # an admin user without '@' raises IndexError here.
        # NOTE(review): the profile becomes part of a file name under the
        # extensions directory - presumably ADMIN_USER is validated where
        # it is collected; confirm it cannot carry a path separator.
        adminUser = env[oenginecons.ConfigEnv.ADMIN_USER]
        profile = adminUser.rsplit('@', 1)[1]

        authnTemplate = (
            'ovirt.engine.extension.name = internal-authn\n'
            'ovirt.engine.extension.bindings.method = jbossmodule\n'
            'ovirt.engine.extension.binding.jbossmodule.module = '
            'org.ovirt.engine.extension.aaa.jdbc\n'
            'ovirt.engine.extension.binding.jbossmodule.class = '
            'org.ovirt.engine.extension.aaa.jdbc.binding.api.'
            'AuthnExtension\n'
            'ovirt.engine.extension.provides = '
            'org.ovirt.engine.api.extensions.aaa.Authn\n'
            'ovirt.engine.aaa.authn.profile.name = {profile}\n'
            'ovirt.engine.aaa.authn.authz.plugin = {authzName}\n'
            'config.datasource.file = {dbConfigFile}\n'
        )
        authzTemplate = (
            'ovirt.engine.extension.name = {authzName}\n'
            'ovirt.engine.extension.bindings.method = jbossmodule\n'
            'ovirt.engine.extension.binding.jbossmodule.module = '
            'org.ovirt.engine.extension.aaa.jdbc\n'
            'ovirt.engine.extension.binding.jbossmodule.class = '
            'org.ovirt.engine.extension.aaa.jdbc.binding.api.'
            'AuthzExtension\n'
            'ovirt.engine.extension.provides = '
            'org.ovirt.engine.api.extensions.aaa.Authz\n'
            'config.datasource.file = {dbConfigFile}\n'
        )

        # Both extension files share every FileTransaction argument except
        # the file name and the content template.
        for fileNamePattern, template in (
            ('%s-authn.properties', authnTemplate),
            ('%s-authz.properties', authzTemplate),
        ):
            env[otopicons.CoreEnv.MAIN_TRANSACTION].append(
                filetransaction.FileTransaction(
                    name=os.path.join(
                        oenginecons.FileLocations.OVIRT_ENGINE_EXTENSIONS_DIR,
                        fileNamePattern % profile
                    ),
                    mode=0o600,
                    owner=env[osetupcons.SystemEnv.USER_ENGINE],
                    enforcePermissions=True,
                    content=template.format(
                        profile=profile,
                        authzName=env[
                            oenginecons.ConfigEnv.ADMIN_USER_AUTHZ_NAME
                        ],
                        dbConfigFile=dbConfigPath,
                    ),
                    modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
                )
            )
Exemple #19
    def _setupAuth(self):
        """Queue the files that configure the internal aaa-jdbc profile.

        Three file transactions are appended to the main transaction, in
        this order:

        1. the datasource properties file (JDBC URL, database user,
           database password, driver and schema name);
        2. ``<profile>-authn.properties`` in the extensions directory;
        3. ``<profile>-authz.properties`` in the extensions directory.

        Each file is requested with mode 0600, owned by the engine user,
        with ``enforcePermissions=True``.
        """
        env = self.environment
        dbConfigPath = oenginecons.FileLocations.AAA_JDBC_CONFIG_DB

        datasourceTemplate = (
            'config.datasource.jdbcurl={jdbcUrl}\n'
            'config.datasource.dbuser={user}\n'
            'config.datasource.dbpassword={password}\n'
            'config.datasource.jdbcdriver=org.postgresql.Driver\n'
            'config.datasource.schemaname={schemaName}\n'
        )
        jdbcUrl = database.OvirtUtils(
            plugin=self,
            dbenvkeys=oenginecons.Const.ENGINE_DB_ENV_KEYS,
        ).getJdbcUrl()
        # Only the password goes through outil.escape (for '"', '\' and
        # '$'); the JDBC URL and the user name are interpolated as-is.
        # NOTE(review): confirm the reader of this file handles those two
        # values safely when they contain special characters.
        escapedPassword = outil.escape(
            env[oenginecons.EngineDBEnv.PASSWORD],
            '"\\$',
        )
        datasourceContent = datasourceTemplate.format(
            jdbcUrl=jdbcUrl,
            user=env[oenginecons.EngineDBEnv.USER],
            password=escapedPassword,
            schemaName=self._AAA_JDBC_SCHEMA
        )
        # NOTE(review): this file holds the database password in clear
        # text. Confirm what visibleButUnsafe=True implies for how and when
        # the file is written, so the secret is never on disk with anything
        # looser than the requested 0600.
        env[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            filetransaction.FileTransaction(
                name=dbConfigPath,
                mode=0o600,
                owner=env[osetupcons.SystemEnv.USER_ENGINE],
                enforcePermissions=True,
                content=datasourceContent,
                visibleButUnsafe=True,
                modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
            )
        )

        # The profile is whatever follows the last '@' of the admin user;
        # an admin user without '@' raises IndexError here.
        # NOTE(review): the profile becomes part of a file name under the
        # extensions directory - presumably ADMIN_USER is validated where
        # it is collected; confirm it cannot carry a path separator.
        adminUser = env[oenginecons.ConfigEnv.ADMIN_USER]
        profile = adminUser.rsplit('@', 1)[1]

        authnTemplate = (
            'ovirt.engine.extension.name = internal-authn\n'
            'ovirt.engine.extension.bindings.method = jbossmodule\n'
            'ovirt.engine.extension.binding.jbossmodule.module = '
            'org.ovirt.engine.extension.aaa.jdbc\n'
            'ovirt.engine.extension.binding.jbossmodule.class = '
            'org.ovirt.engine.extension.aaa.jdbc.binding.api.'
            'AuthnExtension\n'
            'ovirt.engine.extension.provides = '
            'org.ovirt.engine.api.extensions.aaa.Authn\n'
            'ovirt.engine.aaa.authn.profile.name = {profile}\n'
            'ovirt.engine.aaa.authn.authz.plugin = {authzName}\n'
            'config.datasource.file = {dbConfigFile}\n'
        )
        authzTemplate = (
            'ovirt.engine.extension.name = {authzName}\n'
            'ovirt.engine.extension.bindings.method = jbossmodule\n'
            'ovirt.engine.extension.binding.jbossmodule.module = '
            'org.ovirt.engine.extension.aaa.jdbc\n'
            'ovirt.engine.extension.binding.jbossmodule.class = '
            'org.ovirt.engine.extension.aaa.jdbc.binding.api.'
            'AuthzExtension\n'
            'ovirt.engine.extension.provides = '
            'org.ovirt.engine.api.extensions.aaa.Authz\n'
            'config.datasource.file = {dbConfigFile}\n'
        )

        # Both extension files share every FileTransaction argument except
        # the file name and the content template.
        for fileNamePattern, template in (
            ('%s-authn.properties', authnTemplate),
            ('%s-authz.properties', authzTemplate),
        ):
            env[otopicons.CoreEnv.MAIN_TRANSACTION].append(
                filetransaction.FileTransaction(
                    name=os.path.join(
                        oenginecons.FileLocations.OVIRT_ENGINE_EXTENSIONS_DIR,
                        fileNamePattern % profile
                    ),
                    mode=0o600,
                    owner=env[osetupcons.SystemEnv.USER_ENGINE],
                    enforcePermissions=True,
                    content=template.format(
                        profile=profile,
                        authzName=env[
                            oenginecons.ConfigEnv.ADMIN_USER_AUTHZ_NAME
                        ],
                        dbConfigFile=dbConfigPath,
                    ),
                    modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
                )
            )
Exemple #20
    def daemonSetup(self):
        """Prepare the command line and environment of the DWH Java service.

        Refuses to run as root, loads the configuration, locates the java
        executable, checks the installation, renders ``settings.properties``
        into a temporary directory, then fills ``self._serviceArgs`` (the
        JVM command line) and ``self._serviceEnv`` (the child environment).

        Raises:
            RuntimeError: if the effective uid is 0, or if the defaults
                file does not exist.
        """
        # Guard clause: the service must never run with root privileges.
        if os.geteuid() == 0:
            raise RuntimeError(
                _('This service cannot be executed as root')
            )

        defaultsPath = self._defaults
        if not os.path.exists(defaultsPath):
            raise RuntimeError(
                _(
                    "The configuration defaults file '{file}' "
                    "required but missing"
                ).format(
                    file=defaultsPath,
                )
            )

        self._config = configfile.ConfigFile(
            (defaultsPath, config.DWH_VARS),
        )

        # Locate the java binary as early as possible so that a failure
        # aborts before anything else is set up.
        javaHome = java.Java().getJavaHome()
        self._executable = os.path.join(javaHome, 'bin', 'java')

        self._checkInstallation(
            pidfile=self.pidfile,
        )

        self._tempDir = service.TempDir()
        self._tempDir.create()

        # Every configuration value is offered to the template as @KEY@,
        # escaped for ':', '=', '\' and ' '.
        # NOTE(review): the file is created with open() defaults, so its
        # mode depends on the umask. If the template consumes credentials,
        # confirm service.TempDir creates a directory only this user can
        # enter.
        settings = os.path.join(self._tempDir.directory, 'settings.properties')
        with open(settings, 'w') as f:
            templatePath = os.path.join(
                self._config.get('PKG_DATA_DIR'),
                'conf',
                'settings.properties.in'
            )
            substitutions = {
                '@%s@' % key: util.escape(value, ':=\\ ')
                for key, value in self._config.values.items()
            }
            f.write(util.processTemplate(templatePath, substitutions))

        # Process name, settings location and java heap size come first.
        args = self._serviceArgs = [
            'ovirt-engine-dwhd',
            '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
            '-Xms%s' % self._config.get('DWH_HEAP_MIN'),
            '-Xmx%s' % self._config.get('DWH_HEAP_MAX'),
        ]

        # System properties: add the -D prefix when the entry lacks it.
        args.extend(
            prop if prop.startswith('-D') else '-D' + prop
            for prop in shlex.split(self._config.get('DWH_PROPERTIES'))
        )

        # Free-form JVM arguments from the configuration, passed verbatim.
        args.extend(shlex.split(self._config.get('DWH_JVM_ARGS')))

        # JDWP has no authentication: whoever can connect to this socket
        # can run code inside the JVM with the service's privileges. Keep
        # DWH_DEBUG_ADDRESS empty in production and use a loopback address
        # when debugging.
        debugAddress = self._config.get('DWH_DEBUG_ADDRESS')
        if debugAddress:
            jdwpOption = (
                '-Xrunjdwp:transport=dt_socket,address=%s,'
                'server=y,suspend=n'
            ) % debugAddress
            args.append(jdwpOption)

        if self._config.getboolean('DWH_VERBOSE_GC'):
            args += [
                '-verbose:gc',
                '-XX:+PrintGCTimeStamps',
                '-XX:+PrintGCDetails',
            ]

        # Classpath: every entry of PKG_JAVA_LIB, then the computed one.
        libWildcard = os.path.join(self._config.get('PKG_JAVA_LIB'), '*')
        classpath = '%s:%s' % (libWildcard, self._getClasspath())
        args.extend([
            '-classpath', classpath,
            'ovirt_engine_dwh.historyetl_4_4.HistoryETL',
            '--context=Default',
        ])

        # Only PATH and the locale are pinned; every other variable of the
        # calling environment is inherited unchanged, including any that
        # the JVM itself reads (for example JAVA_TOOL_OPTIONS).
        childEnv = os.environ.copy()
        self._serviceEnv = childEnv
        childEnv['PATH'] = (
            '/usr/local/sbin:/usr/local/bin:'
            '/usr/sbin:/usr/bin:/sbin:/bin'
        )
        childEnv['LANG'] = 'en_US.UTF-8'
        childEnv['LC_ALL'] = 'en_US.UTF-8'
Exemple #21
 def _subjectComponentEscape(self, s):
     """Return ``s`` with slash and backslash escaped by ``outil.escape``.

     Going by the method name, the result is presumably one component of a
     certificate subject, where an unescaped slash would be read as a
     separator - confirm against the caller.
     """
     charsToEscape = '/\\'
     return outil.escape(s, charsToEscape)
Exemple #22
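    def _misc(self):
        """Queue the engine database configuration file for writing.

        Appends one file transaction to the main transaction. The file is
        requested with mode 0600, owned by the engine user, with
        ``enforcePermissions=True``, and holds the database host, port,
        user, password, database name, TLS flags, driver and JDBC URL.
        """
        env = self.environment

        # Build the JDBC query string from the two TLS-related settings.
        jdbcTlsOptions = []
        if env[osetupcons.DBEnv.SECURED]:
            jdbcTlsOptions.append('ssl=true')
        if not env[osetupcons.DBEnv.SECURED_HOST_VALIDATION]:
            # NonValidatingFactory accepts any server certificate, so the
            # connection is encrypted but the server is not authenticated.
            # Enable host validation wherever the database is reached over
            # a network that is not fully trusted.
            jdbcTlsOptions.append(
                'sslfactory='
                'org.postgresql.ssl.NonValidatingFactory'
            )

        # The user and password lines must consume the values handed to
        # format() below; literal asterisks in their place would write an
        # unusable configuration and silently drop both arguments.
        # Doubled braces keep ${...} references literal in the output.
        template = (
            'ENGINE_DB_HOST="{host}"\n'
            'ENGINE_DB_PORT="{port}"\n'
            'ENGINE_DB_USER="{user}"\n'
            'ENGINE_DB_PASSWORD="{password}"\n'
            'ENGINE_DB_DATABASE="{db}"\n'
            'ENGINE_DB_SECURED="{secured}"\n'
            'ENGINE_DB_SECURED_VALIDATION="{securedValidation}"\n'
            'ENGINE_DB_DRIVER="org.postgresql.Driver"\n'
            'ENGINE_DB_URL='
            '"'
            'jdbc:postgresql://'
            '${{ENGINE_DB_HOST}}:${{ENGINE_DB_PORT}}'
            '/${{ENGINE_DB_DATABASE}}'
            '?{jdbcTlsOptions}'
            '"\n'
        )

        env[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            filetransaction.FileTransaction(
                name=(
                    osetupcons.FileLocations.
                    OVIRT_ENGINE_SERVICE_CONFIG_DATABASE
                ),
                mode=0o600,
                owner=env[osetupcons.SystemEnv.USER_ENGINE],
                enforcePermissions=True,
                content=template.format(
                    host=env[osetupcons.DBEnv.HOST],
                    port=env[osetupcons.DBEnv.PORT],
                    user=env[osetupcons.DBEnv.USER],
                    # Only the password is escaped (for '"', '\' and '$').
                    # NOTE(review): host, user and database name are
                    # written between double quotes unescaped - confirm
                    # they are validated before reaching this point.
                    password=outil.escape(
                        env[osetupcons.DBEnv.PASSWORD],
                        '"\\$',
                    ),
                    db=env[osetupcons.DBEnv.DATABASE],
                    secured=env[osetupcons.DBEnv.SECURED],
                    securedValidation=env[
                        osetupcons.DBEnv.SECURED_HOST_VALIDATION
                    ],
                    jdbcTlsOptions='&'.join(jdbcTlsOptions),
                ),
                modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
            )
        )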