def _set_security(rabbitmq_ssl_enabled, rabbitmq_cert_private, rabbitmq_cert_public):
    """Deploy the broker's certificate pair and the matching rabbitmq.config.

    Args:
        rabbitmq_ssl_enabled: whether the broker should listen over TLS.
        rabbitmq_cert_private: private key material, or empty/None if absent.
        rabbitmq_cert_public: public certificate material, or empty/None.

    With SSL enabled both halves of the pair are required; a partial pair
    aborts the operation so the broker is never left half-configured. With
    SSL disabled the plain config is installed and any certificate that was
    supplied anyway is reported as unused.
    """
    config_target = '/etc/rabbitmq/rabbitmq.config'

    if not rabbitmq_ssl_enabled:
        utils.deploy_blueprint_resource(
            '{0}/rabbitmq.config-nossl'.format(CONFIG_PATH),
            config_target,
            RABBITMQ_SERVICE_NAME,
            user_resource=True)
        # Certificates handed in while TLS is off are never installed;
        # make that visible in the log so the operator notices.
        if rabbitmq_cert_private or rabbitmq_cert_public:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
        return

    if not (rabbitmq_cert_private and rabbitmq_cert_public):
        # One half of the key pair is missing: refuse rather than continue.
        ctx.abort_operation('When providing a certificate for rabbitmq, '
                            'both public and private certificates must be '
                            'supplied.')
        return

    utils.deploy_ssl_certificate(
        'private', '/etc/rabbitmq/rabbit-priv.pem', 'rabbitmq',
        rabbitmq_cert_private)
    utils.deploy_ssl_certificate(
        'public', '/etc/rabbitmq/rabbit-pub.pem', 'rabbitmq',
        rabbitmq_cert_public)
    # Configure the broker for SSL now that both files are in place.
    utils.deploy_blueprint_resource(
        '{0}/rabbitmq.config-ssl'.format(CONFIG_PATH),
        config_target,
        RABBITMQ_SERVICE_NAME,
        user_resource=True)
def _set_security(rabbitmq_ssl_enabled, rabbitmq_cert_private, rabbitmq_cert_public):
    """Install the broker's TLS material and the rabbitmq.config that goes with it.

    Args:
        rabbitmq_ssl_enabled: whether the broker should listen over TLS.
        rabbitmq_cert_private: private key material, or empty/None if absent.
        rabbitmq_cert_public: public certificate material, or empty/None.

    SSL on: both certificate halves must be present, otherwise the operation
    is aborted. SSL off: the plain config is deployed and any certificate
    that was supplied regardless is logged as unused.
    """
    have_private = bool(rabbitmq_cert_private)
    have_public = bool(rabbitmq_cert_public)
    config_target = '/etc/rabbitmq/rabbitmq.config'

    if rabbitmq_ssl_enabled:
        if have_private and have_public:
            pair = (
                ('private', '/etc/rabbitmq/rabbit-priv.pem', rabbitmq_cert_private),
                ('public', '/etc/rabbitmq/rabbit-pub.pem', rabbitmq_cert_public),
            )
            for kind, target, material in pair:
                utils.deploy_ssl_certificate(kind, target, 'rabbitmq', material)
            # Both files are in place; switch the broker config to SSL.
            utils.deploy_blueprint_resource(
                '{0}/rabbitmq.config-ssl'.format(CONFIG_PATH),
                config_target,
                RABBITMQ_SERVICE_NAME,
                user_resource=True)
        else:
            # A half-supplied key pair cannot be used; stop here.
            ctx.abort_operation('When providing a certificate for rabbitmq, '
                                'both public and private certificates must be '
                                'supplied.')
    else:
        utils.deploy_blueprint_resource(
            '{0}/rabbitmq.config-nossl'.format(CONFIG_PATH),
            config_target,
            RABBITMQ_SERVICE_NAME,
            user_resource=True)
        # Surface certificates that will never be installed because TLS is off.
        if have_private or have_public:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
def deploy_broker_configuration():
    """Record the ES/broker endpoints and the broker port as runtime properties.

    The SSL flag and public certificate come from the node properties. With
    SSL on, the broker's public certificate is written under REST_SERVICE_HOME
    and the TLS port is published; otherwise the plain port is published and
    a certificate supplied anyway is logged as unused.
    """
    ssl_port = 5671
    plain_port = 5672
    runtime = ctx.instance.runtime_properties

    # ES_ENDPOINT_IP is injected into the script's environment by the caller.
    runtime['es_endpoint_ip'] = os.environ['ES_ENDPOINT_IP']
    runtime['rabbitmq_endpoint_ip'] = utils.get_rabbitmq_endpoint_ip()

    ssl_enabled = ctx.node.properties['rabbitmq_ssl_enabled']
    cert_public = ctx.node.properties['rabbitmq_cert_public']

    if ssl_enabled:
        cert_path = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', cert_path, 'root', cert_public)
        runtime['broker_cert_path'] = cert_path
        runtime['broker_port'] = ssl_port
    else:
        runtime['broker_port'] = plain_port
        # Only an explicit None counts as "no certificate" here.
        if cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
def _deploy_broker_configuration(amqpinflux_group):
    """Deploy the broker's public certificate for amqpinflux when SSL is on.

    Args:
        amqpinflux_group: group that is given access to the deployed
            certificate file.

    The certificate is placed under AMQPINFLUX_HOME and its path is recorded
    as the ``broker_cert_path`` runtime property. With SSL off, a certificate
    that was supplied anyway is only logged.
    """
    rabbit_props = utils.ctx_factory.get('rabbitmq')
    ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    cert_public = rabbit_props['rabbitmq_cert_public']

    if not ssl_enabled:
        if cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
        return

    cert_path = os.path.join(AMQPINFLUX_HOME, 'amqp_pub.pem')
    # A missing certificate is reported by the deploy helper itself.
    utils.deploy_ssl_certificate(
        'public', cert_path, amqpinflux_group, cert_public)
    ctx.instance.runtime_properties['broker_cert_path'] = cert_path
def _deploy_broker_configuration(amqpinflux_group):
    """Install the broker's public certificate for the amqpinflux service.

    Args:
        amqpinflux_group: group granted access to the certificate file.

    Only acts when the rabbitmq inputs enable SSL; the file lands under
    AMQPINFLUX_HOME and its location is published as ``broker_cert_path``.
    Otherwise a supplied certificate is merely logged as unused.
    """
    inputs = utils.ctx_factory.get('rabbitmq')
    ssl_on = inputs['rabbitmq_ssl_enabled']
    public_cert = inputs['rabbitmq_cert_public']

    if ssl_on:
        target = os.path.join(AMQPINFLUX_HOME, 'amqp_pub.pem')
        # The deploy helper raises when no certificate was supplied.
        utils.deploy_ssl_certificate(
            'public', target, amqpinflux_group, public_cert)
        ctx.instance.runtime_properties['broker_cert_path'] = target
    elif public_cert is not None:
        ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                        '(broker_ssl_enabled is False).')
def deploy_broker_configuration():
    """Publish the broker, Elasticsearch and PostgreSQL settings the REST
    service needs as runtime properties, and deploy the broker's public
    certificate when SSL is enabled.
    """
    ssl_port = 5671
    plain_port = 5672
    runtime = ctx.instance.runtime_properties

    # ES_ENDPOINT_IP is injected into the script's environment by the caller.
    runtime['es_endpoint_ip'] = os.environ['ES_ENDPOINT_IP']
    es_props = utils.ctx_factory.get('elasticsearch')
    runtime['es_endpoint_port'] = es_props['es_endpoint_port']

    rabbit_props = utils.ctx_factory.get('rabbitmq')
    runtime['rabbitmq_endpoint_ip'] = utils.get_rabbitmq_endpoint_ip(
        rabbit_props.get('rabbitmq_endpoint_ip'))
    ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    cert_public = rabbit_props['rabbitmq_cert_public']
    runtime['rabbitmq_ssl_enabled'] = ssl_enabled
    # NOTE(review): the broker credentials are persisted as runtime
    # properties; presumably the REST service reads them from there —
    # confirm that exposure is intended.
    for key in ('rabbitmq_username', 'rabbitmq_password'):
        runtime[key] = rabbit_props.get(key)

    ctx.logger.info('Retrieving postgresql input configuration')
    postgresql_props = utils.ctx_factory.get('postgresql-9.5')
    for key in ('postgresql_db_name', 'postgresql_host'):
        runtime[key] = postgresql_props.get(key)

    # Certificate and port selection
    if ssl_enabled:
        cert_path = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', cert_path, 'root', cert_public)
        runtime['broker_cert_path'] = cert_path
        runtime['broker_port'] = ssl_port
    else:
        runtime['broker_port'] = plain_port
        if cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
def deploy_broker_configuration():
    """Expose the broker and PostgreSQL settings as runtime properties and,
    with SSL enabled, deploy the broker's public certificate under
    REST_SERVICE_HOME.
    """
    ports = {True: 5671, False: 5672}
    rt = ctx.instance.runtime_properties

    rabbit = utils.ctx_factory.get('rabbitmq')
    rt['rabbitmq_endpoint_ip'] = utils.get_rabbitmq_endpoint_ip(
        rabbit.get('rabbitmq_endpoint_ip'))
    ssl_on = rabbit['rabbitmq_ssl_enabled']
    public_cert = rabbit['rabbitmq_cert_public']
    rt['rabbitmq_ssl_enabled'] = ssl_on
    # NOTE(review): username and password are stored as runtime properties;
    # presumably the REST service consumes them from there — verify.
    rt['rabbitmq_username'] = rabbit.get('rabbitmq_username')
    rt['rabbitmq_password'] = rabbit.get('rabbitmq_password')

    ctx.logger.info('Retrieving postgresql input configuration')
    postgres = utils.ctx_factory.get('postgresql-9.5')
    rt['postgresql_db_name'] = postgres.get('postgresql_db_name')
    rt['postgresql_host'] = postgres.get('postgresql_host')

    if ssl_on:
        target = os.path.join(REST_SERVICE_HOME, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', target, 'root', public_cert)
        rt['broker_cert_path'] = target
    elif public_cert is not None:
        ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                        '(broker_ssl_enabled is False).')
    # TLS port only when SSL is on; plain AMQP port otherwise.
    rt['broker_port'] = ports[bool(ssl_on)]
def install_mgmtworker():
    """Install and configure the Cloudify management worker.

    Reads the RPM source and broker settings from the inputs, publishes the
    broker endpoint, credentials, SSL flag and port as runtime properties,
    installs the worker RPM plus optional packages, deploys the broker's
    public certificate when SSL is on, and writes the credential-bearing
    broker config with restricted permissions before wiring up systemd and
    logrotate.
    """
    rpm_source_url = ctx_properties['management_worker_rpm_source_url']

    # these must all be exported as part of the start operation.
    # they will not persist, so we should use the new agent
    # don't forget to change all localhosts to the relevant ips
    home = '/opt/mgmtworker'
    venv = os.path.join(home, 'env')
    work_dir = os.path.join(home, 'work')
    log_dir = "/var/log/cloudify/mgmtworker"
    ssl_port = '5671'
    plain_port = '5672'
    runtime = ctx.instance.runtime_properties

    rabbit_props = utils.ctx_factory.get('rabbitmq')
    ssl_enabled = rabbit_props['rabbitmq_ssl_enabled']
    ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(ssl_enabled))
    cert_public = rabbit_props['rabbitmq_cert_public']
    runtime['rabbitmq_endpoint_ip'] = utils.get_rabbitmq_endpoint_ip(
        rabbit_props.get('rabbitmq_endpoint_ip'))

    # The credentials are copied through unescaped and later rendered into
    # broker_config.json (see json.org for the string spec). Quotes,
    # backslashes, newlines and other control characters are not escaped;
    # a value containing them is expected to break the config noisily.
    # NOTE(review): the credentials come from ctx_properties while the SSL
    # flag above comes from the rabbitmq ctx_factory entry — presumably
    # both carry the same inputs; verify.
    # TODO: add:
    # sed 's/"/\\"/' | sed 's/\\/\\\\/' | sed s-/-\\/- | sed 's/\t/\\t/'
    for key in ('rabbitmq_username', 'rabbitmq_password'):
        runtime[key] = ctx_properties[key]

    # Make the ssl enabled flag work with json (boolean in lower case)
    # TODO: check if still needed:
    # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')" # NOQA
    runtime['rabbitmq_ssl_enabled'] = ssl_enabled

    ctx.logger.info('Installing Management Worker...')
    utils.set_selinux_permissive()
    utils.copy_notice(MGMT_WORKER_SERVICE_NAME)
    for directory in (home, os.path.join(home, 'config'), log_dir, work_dir):
        utils.mkdir(directory)

    # The RPM creates the venv and installs the relevant modules into it.
    utils.yum_install(rpm_source_url, service_name=MGMT_WORKER_SERVICE_NAME)
    _install_optional(venv)

    # Certificate and port selection
    if ssl_enabled:
        cert_path = os.path.join(home, 'amqp_pub.pem')
        utils.deploy_ssl_certificate('public', cert_path, 'root', cert_public)
        runtime['broker_cert_path'] = cert_path
        runtime['broker_port'] = ssl_port
    else:
        runtime['broker_port'] = plain_port
        if cert_public is not None:
            ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                            '(broker_ssl_enabled is False).')
    ctx.logger.info("broker_port: {0}".format(runtime['broker_port']))

    ctx.logger.info('Configuring Management worker...')
    # Deploy the broker configuration.
    # TODO: This will break interestingly if mgmtworker_venv is empty.
    # Some sort of check for that would be sensible.
    # NOTE(review): when the venv's python is absent the broker config is
    # silently not written — there is no else branch.
    if os.path.isfile(os.path.join(venv, 'bin/python')):
        broker_conf_path = os.path.join(work_dir, 'broker_config.json')
        utils.deploy_blueprint_resource(
            '{0}/broker_config.json'.format(CONFIG_PATH),
            broker_conf_path,
            MGMT_WORKER_SERVICE_NAME)
        # The config contains credentials; restrict it to owner and group.
        # Ownership is presumably set by deploy_blueprint_resource — verify
        # the worker's service user is the owner or in the group.
        utils.sudo(['chmod', '440', broker_conf_path])

    utils.systemd.configure(MGMT_WORKER_SERVICE_NAME)
    utils.logrotate(MGMT_WORKER_SERVICE_NAME)
def install_mgmtworker():
    """Install the management worker and publish its broker settings.

    The broker endpoint, credentials, SSL flag and port are written to the
    instance's runtime properties; the worker RPM and optional packages are
    installed; with SSL on, the broker's public certificate is deployed; the
    credential-bearing broker config is written with restricted permissions;
    finally the systemd unit and logrotate entry are configured.
    """
    rpm_url = ctx_properties['management_worker_rpm_source_url']

    # these must all be exported as part of the start operation.
    # they will not persist, so we should use the new agent
    # don't forget to change all localhosts to the relevant ips
    mgmtworker_home = '/opt/mgmtworker'
    mgmtworker_venv = '{0}/env'.format(mgmtworker_home)
    celery_work_dir = '{0}/work'.format(mgmtworker_home)
    celery_log_dir = "/var/log/cloudify/mgmtworker"
    port_by_ssl = {True: '5671', False: '5672'}
    rt = ctx.instance.runtime_properties

    ssl_on = ctx_properties['rabbitmq_ssl_enabled']
    ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(ssl_on))
    public_cert = ctx_properties['rabbitmq_cert_public']
    rt['rabbitmq_endpoint_ip'] = utils.get_rabbitmq_endpoint_ip(
        ctx_properties.get('rabbitmq_endpoint_ip'))

    # Credentials are passed through unescaped and later rendered into
    # broker_config.json (see json.org for the string spec). Quotes,
    # backslashes, newlines and other control characters are not escaped;
    # such values are expected to break the config noisily rather than be
    # silently accepted.
    # TODO: add:
    # sed 's/"/\\"/' | sed 's/\\/\\\\/' | sed s-/-\\/- | sed 's/\t/\\t/'
    rt['rabbitmq_username'] = ctx_properties['rabbitmq_username']
    rt['rabbitmq_password'] = ctx_properties['rabbitmq_password']

    # Make the ssl enabled flag work with json (boolean in lower case)
    # TODO: check if still needed:
    # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')" # NOQA
    rt['rabbitmq_ssl_enabled'] = ssl_on

    ctx.logger.info('Installing Management Worker...')
    utils.set_selinux_permissive()
    utils.copy_notice(MGMT_WORKER_SERVICE_NAME)
    utils.mkdir(mgmtworker_home)
    utils.mkdir('{0}/config'.format(mgmtworker_home))
    utils.mkdir(celery_log_dir)
    utils.mkdir(celery_work_dir)

    # The RPM creates mgmtworker_venv and installs the relevant modules.
    utils.yum_install(rpm_url, service_name=MGMT_WORKER_SERVICE_NAME)
    _install_optional(mgmtworker_venv)

    if ssl_on:
        cert_target = '{0}/amqp_pub.pem'.format(mgmtworker_home)
        utils.deploy_ssl_certificate('public', cert_target, 'root', public_cert)
        rt['broker_cert_path'] = cert_target
    elif public_cert is not None:
        ctx.logger.warn('Broker SSL cert supplied but SSL not enabled '
                        '(broker_ssl_enabled is False).')
    # TLS port with SSL on, plain AMQP port otherwise.
    rt['broker_port'] = port_by_ssl[bool(ssl_on)]
    ctx.logger.info("broker_port: {0}".format(rt['broker_port']))

    ctx.logger.info('Configuring Management worker...')
    # Deploy the broker configuration.
    # TODO: This will break interestingly if mgmtworker_venv is empty.
    # Some sort of check for that would be sensible.
    # NOTE(review): if the venv's python is missing, the broker config is
    # silently skipped — there is no else branch.
    if os.path.isfile(os.path.join(mgmtworker_venv, 'bin/python')):
        broker_conf_path = os.path.join(celery_work_dir, 'broker_config.json')
        utils.deploy_blueprint_resource(
            '{0}/broker_config.json'.format(CONFIG_PATH),
            broker_conf_path,
            MGMT_WORKER_SERVICE_NAME)
        # The config contains credentials; owner/group read only.
        # Ownership is presumably set by deploy_blueprint_resource — confirm
        # the worker's service user can still read it.
        utils.sudo(['chmod', '440', broker_conf_path])

    utils.systemd.configure(MGMT_WORKER_SERVICE_NAME)
    utils.logrotate(MGMT_WORKER_SERVICE_NAME)
def install_mgmtworker(): management_worker_rpm_source_url = \ ctx_properties['management_worker_rpm_source_url'] # these must all be exported as part of the start operation. # they will not persist, so we should use the new agent # don't forget to change all localhosts to the relevant ips mgmtworker_home = '/opt/mgmtworker' mgmtworker_venv = '{0}/env'.format(mgmtworker_home) celery_work_dir = '{0}/work'.format(mgmtworker_home) celery_log_dir = "/var/log/cloudify/mgmtworker" broker_port_ssl = '5671' broker_port_no_ssl = '5672' rabbit_props = utils.ctx_factory.get('rabbitmq') rabbitmq_ssl_enabled = rabbit_props['rabbitmq_ssl_enabled'] ctx.logger.info("rabbitmq_ssl_enabled: {0}".format(rabbitmq_ssl_enabled)) rabbitmq_cert_public = rabbit_props['rabbitmq_cert_public'] ctx.instance.runtime_properties['rabbitmq_endpoint_ip'] = \ utils.get_rabbitmq_endpoint_ip( rabbit_props.get('rabbitmq_endpoint_ip')) # Fix possible injections in json of rabbit credentials # See json.org for string spec for key in ['rabbitmq_username', 'rabbitmq_password']: # We will not escape newlines or other control characters, # we will accept them breaking # things noisily, e.g. on newlines and backspaces. # TODO: add: # sed 's/"/\\"/' | sed 's/\\/\\\\/' | sed s-/-\\/- | sed 's/\t/\\t/' ctx.instance.runtime_properties[key] = ctx_properties[key] # Make the ssl enabled flag work with json (boolean in lower case) # TODO: check if still needed: # broker_ssl_enabled = "$(echo ${rabbitmq_ssl_enabled} | tr '[:upper:]' '[:lower:]')" # NOQA ctx.instance.runtime_properties['rabbitmq_ssl_enabled'] = \ rabbitmq_ssl_enabled ctx.logger.info('Installing Management Worker...') utils.set_selinux_permissive() utils.copy_notice(MGMT_WORKER_SERVICE_NAME) utils.mkdir(mgmtworker_home) utils.mkdir('{0}/config'.format(mgmtworker_home)) utils.mkdir(celery_log_dir) utils.mkdir(celery_work_dir) # this create the mgmtworker_venv and installs the relevant # modules into it. 
utils.yum_install(management_worker_rpm_source_url, service_name=MGMT_WORKER_SERVICE_NAME) _install_optional(mgmtworker_venv) # Add certificate and select port, as applicable if rabbitmq_ssl_enabled: broker_cert_path = '{0}/amqp_pub.pem'.format(mgmtworker_home) utils.deploy_ssl_certificate('public', broker_cert_path, 'root', rabbitmq_cert_public) ctx.instance.runtime_properties['broker_cert_path'] = broker_cert_path # Use SSL port ctx.instance.runtime_properties['broker_port'] = broker_port_ssl else: # No SSL, don't use SSL port ctx.instance.runtime_properties['broker_port'] = broker_port_no_ssl if rabbitmq_cert_public is not None: ctx.logger.warn('Broker SSL cert supplied but SSL not enabled ' '(broker_ssl_enabled is False).') ctx.logger.info("broker_port: {0}".format( ctx.instance.runtime_properties['broker_port']))