コード例 #1
0
    def _getSSH(self):
        pkihelper = pkissh.PKIHelper()
        authorized_keys_line = pkihelper.getSSHkey(
            fqdn=self.environment[
                ohostedcons.NetworkEnv.OVIRT_HOSTED_ENGINE_FQDN
            ],
            ca_certs=self.environment[
                ohostedcons.EngineEnv.TEMPORARY_CERT_FILE
            ],
        )

        authorized_keys_file = os.path.join(
            os.path.expanduser('~root'),
            '.ssh',
            'authorized_keys'
        )

        content = pkihelper.mergeAuthKeysFile(
            authorized_keys_file, authorized_keys_line
        )
        with transaction.Transaction() as localtransaction:
            localtransaction.append(
                filetransaction.FileTransaction(
                    name=authorized_keys_file,
                    content=content,
                    mode=0o600,
                    owner='root',
                    enforcePermissions=True,
                    modifiedList=self.environment[
                        otopicons.CoreEnv.MODIFIED_FILES
                    ],
                )
            )

        if self._selinux_enabled:
            path = os.path.join(
                os.path.expanduser('~root'),
                '.ssh'
            )
            try:
                selinux.restorecon(path, recursive=True)
            except OSError as ex:
                self.logger.error(
                    _(
                        'Failed to refresh SELINUX context for {path}: {ex}'
                    ).format(
                        path=path,
                        ex=ex.message,
                    )
                )
コード例 #2
0
    def _getCA(self):
        fqdn = self.environment[
            ohostedcons.NetworkEnv.OVIRT_HOSTED_ENGINE_FQDN]
        fd, cert = tempfile.mkstemp(
            prefix='engine-ca',
            suffix='.crt',
        )
        os.close(fd)
        self.environment[ohostedcons.EngineEnv.TEMPORARY_CERT_FILE] = cert
        valid = False
        interactive = True
        if self.environment[ohostedcons.EngineEnv.INSECURE_SSL]:
            valid = True
        elif self.environment[ohostedcons.EngineEnv.INSECURE_SSL] is False:
            interactive = False
        pkihelper = pkissh.PKIHelper()

        while not valid:
            cafile = ohostedcons.FileLocations.SYS_CUSTOMCA_CERT
            if not os.path.isfile(ohostedcons.FileLocations.SYS_CUSTOMCA_CERT):
                cafile = None
            try:
                content = pkihelper.getPKICert(
                    fqdn,
                    cafile,
                )
            except RuntimeError as ex:
                self.logger.error(
                    _('Error acquiring CA cert').format(message=ex.message, ))
            else:
                try:
                    with open(cert, 'w') as fileobj:
                        fileobj.write(content)
                except EnvironmentError as ex:
                    raise RuntimeError('Unable to write cert file: ' +
                                       ex.message)
                if pkihelper.validateCA(fqdn, cert):
                    valid = True
            if not valid:
                if interactive:
                    if cafile:
                        catype = _('custom')
                    else:
                        catype = _('internal')
                    insecure = self.dialog.queryString(
                        name='SSL_VALIDATE_CA',
                        note=_(
                            'The REST API cert couldn\'t be trusted with the '
                            '{catype} CA cert\n'
                            'Would you like to continue in insecure mode '
                            '(not recommended)?\n'
                            'If not, please provide your CA cert at {path} '
                            'before continuing\n'
                            '(@VALUES@)[@DEFAULT@]? ').format(
                                catype=catype,
                                path=ohostedcons.FileLocations.
                                SYS_CUSTOMCA_CERT,
                            ),
                        prompt=True,
                        validValues=(_('Yes'), _('No')),
                        caseSensitive=False,
                        default=_('No')) == _('Yes').lower()
                    if insecure:
                        valid = True
                        self.environment[
                            ohostedcons.EngineEnv.INSECURE_SSL] = True
                        cert = self.environment[
                            ohostedcons.EngineEnv.TEMPORARY_CERT_FILE]
                        if cert is not None and os.path.exists(cert):
                            os.unlink(cert)
                        self.environment[
                            ohostedcons.EngineEnv.TEMPORARY_CERT_FILE] = None
                else:
                    raise RuntimeError('Failed trusting the REST API cert')