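    def _miscUpgrade(self):
        """Regenerate the CA/cert OpenSSL templates during an upgrade.

        The AIA (``authorityInfoAccess``) URI is not recomputed: it is read
        back from the previously rendered cert template so that a value the
        administrator edited by hand survives the upgrade (see LEGACY NOTE).
        When no usable AIA is found the templates are left untouched.
        Rendered files are registered in ``uninstall_files`` through
        ``self._setupUninstall``.
        """
        self.logger.info(_('Upgrading CA'))

        #
        # LEGACY NOTE
        # Since 3.0 and maybe before the method of
        # allowing user to override AIA was to explict
        # edit files. Until we rewrite the entire PKI
        # we must preserve this approach.
        # The template may change over time, so regenerate.
        #
        aia = None
        template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
            :-len('.in')
        ]
        if os.path.exists(template):
            with open(template) as f:
                PREFIX = 'caIssuers;URI:'
                for line in f:
                    if line.startswith('authorityInfoAccess'):
                        # str.find() returns -1 when the prefix is absent;
                        # slicing from (-1 + len(PREFIX)) would silently
                        # feed an arbitrary fragment of the line into the
                        # CA configuration. Accept only a well-formed line.
                        idx = line.find(PREFIX)
                        if idx == -1:
                            self.logger.warning(
                                _(
                                    "Unable to parse authorityInfoAccess "
                                    "from '{file}', PKI templates are not "
                                    "regenerated"
                                ).format(
                                    file=template,
                                )
                            )
                        else:
                            # Rest of the line is kept verbatim, trailing
                            # newline included, as previous releases did.
                            aia = line[idx + len(PREFIX):]
                        break

        uninstall_files = []
        self._setupUninstall(uninstall_files)
        if aia is not None:
            localtransaction = transaction.Transaction()
            with localtransaction:
                for name in (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
                ):
                    # Both the ``.template`` and the ``.conf`` output are
                    # rendered from the same ``.in`` source.
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=name[:-len('.in')],
                            content=outil.processTemplate(
                                name,
                                {
                                    '@AIA@': aia,
                                }
                            ),
                            modifiedList=uninstall_files,
                        ),
                    )
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=name[:-len('.template.in')] + '.conf',
                            content=outil.processTemplate(
                                name,
                                {
                                    '@AIA@': aia,
                                }
                            ),
                            modifiedList=uninstall_files,
                        ),
                    )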
 def misc(self):
     """Render the Apache configuration for the reports web application.

     The generated file is recorded in the ``ovirt_reports_files``
     uninstall group, the template receives the JBoss AJP port, and
     Apache is flagged for a restart.
     """
     reports_files = []
     uninstall_groups = self.environment[
         osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
     ]
     uninstall_groups.addFiles(
         group='ovirt_reports_files',
         fileList=reports_files,
     )
     self.environment[oengcommcons.ApacheEnv.NEED_RESTART] = True

     httpd_conf = self.environment[
         oreportscons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE_REPORTS
     ]
     ajp_port = self.environment[oreportscons.ConfigEnv.JBOSS_AJP_PORT]
     rendered = outil.processTemplate(
         template=(
             oreportscons.FileLocations.
             HTTPD_CONF_OVIRT_ENGINE_REPORTS_TEMPLATE
         ),
         subst={'@JBOSS_AJP_PORT@': ajp_port},
     )
     self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
         filetransaction.FileTransaction(
             name=httpd_conf,
             content=rendered,
             modifiedList=reports_files,
         )
     )
    def process_firewalld_services(self):
        """Render every registered firewalld service definition once.

        Each entry of ``NetEnv.FIREWALLD_SERVICES`` names a service and
        either an ``absolute_path`` to its ``.xml.in`` template or a
        ``directory`` below ``OVIRT_FIREWALLD_CONFIG``; ``absolute_path``
        wins when both are present (a debug message records that). The
        rendered XML is stored in the environment under
        ``FIREWALLD_SERVICE_PREFIX + name``. Later calls are no-ops
        (``self._processed``).
        """
        if self._processed:
            return

        prefix = otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX
        for service in self.environment[
            osetupcons.NetEnv.FIREWALLD_SERVICES
        ]:
            name = service['name']
            abs_path = service.get('absolute_path')
            directory = service.get('directory')

            if not abs_path:
                template_path = os.path.join(
                    osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG,
                    directory,
                    '%s.xml.in' % name,
                )
            else:
                template_path = abs_path
                if directory:
                    self._logger.debug(
                        'both absolute_path and directory provided for %s,'
                        ' using absolute_path' % (name,)
                    )

            self.environment[prefix + name] = outil.processTemplate(
                template=template_path,
                subst=self.environment[osetupcons.NetEnv.FIREWALLD_SUBST],
            )
        self._processed = True
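 def _jasperConfiguration(self):
     """Write the buildomatic ``config`` file for Jasper and return its path.

     The rendered file carries the reports database credentials
     (``@REPORTS_DB_PASSWORD@``), so it is created with mode 0600 rather
     than whatever the process umask yields; the file is assumed to be
     consumed by the same user that runs setup.

     Returns:
         str: path of the generated ``config`` file under ``self._temproot``.
     """
     config = os.path.join(self._temproot, 'config')
     content = outil.processTemplate(
         template=(
             oreportscons.FileLocations.
             JASPER_BUILDOMATIC_CONFIG_TEMPALTE
         ),
         subst={
             '@PKG_STATE_DIR@': (
                 oreportscons.FileLocations.PKG_STATE_DIR
             ),
             '@REPORTS_DB_HOST@': self.environment[
                 oreportscons.DBEnv.HOST
             ],
             '@REPORTS_DB_PORT@': self.environment[
                 oreportscons.DBEnv.PORT
             ],
             '@REPORTS_DB_USER@': self.environment[
                 oreportscons.DBEnv.USER
             ],
             '@REPORTS_DB_PASSWORD@': self.environment[
                 oreportscons.DBEnv.PASSWORD
             ],
             '@REPORTS_DB_DATABASE@': self.environment[
                 oreportscons.DBEnv.DATABASE
             ],
         },
     )
     # Create with an explicit restrictive mode so the password is never
     # exposed through a world-readable file, even briefly; fchmod covers
     # a pre-existing file that O_TRUNC would otherwise leave as it was.
     fd = os.open(config, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
     with os.fdopen(fd, 'w') as f:
         os.fchmod(fd, 0o600)
         f.write(content)
     return config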
 def _update_templates(self, aia, templates_map, uninstall_files):
     """Render each ``.in`` template in ``templates_map`` with ``aia``.

     ``templates_map`` maps an input template path to the output paths
     written from it; every output gets the same ``@AIA@`` substitution
     and is appended to ``uninstall_files``. Nothing is written when
     ``aia`` is ``None`` (the transaction is still entered and left).
     """
     pending = transaction.Transaction()
     with pending:
         if aia is None:
             return
         for source, targets in templates_map.items():
             for target in targets:
                 pending.append(
                     filetransaction.FileTransaction(
                         name=target,
                         content=outil.processTemplate(
                             source, {'@AIA@': aia},
                         ),
                         modifiedList=uninstall_files,
                     ),
                 )
 def _get_rules(self):
     """Return the rendered iptables rules, computing them on first use.

     ``OVIRT_IPTABLES_DEFAULT`` is rendered with ``@CUSTOM_RULES@`` set to
     one ``-A INPUT ... -j ACCEPT`` line per firewalld service port, as
     produced by ``parseFirewalld``. The result is cached in
     ``self._rules``.
     """
     if self._rules is not None:
         return self._rules

     firewalld = process_firewalld_services.Process.getInstance(
         environment=self.environment,
     )
     accept_rule = (
         '-A INPUT -p {protocol} -m state '
         '--state NEW -m {protocol} '
         '--dport {port} -j ACCEPT\n'
     )
     custom_rules = firewalld.parseFirewalld(
         format=accept_rule,
         portSeparator=':',
     )
     self._rules = outil.processTemplate(
         osetupcons.FileLocations.OVIRT_IPTABLES_DEFAULT,
         subst={'@CUSTOM_RULES@': custom_rules},
     )
     return self._rules
 def process_firewalld_services(self):
     """Render the firewalld service templates into the environment.

     For every entry of ``NetEnv.FIREWALLD_SERVICES`` the template
     ``<OVIRT_FIREWALLD_CONFIG>/<directory>/<name>.xml.in`` is rendered
     with ``NetEnv.FIREWALLD_SUBST`` and stored under
     ``FIREWALLD_SERVICE_PREFIX + name``. Runs at most once
     (``self._processed``).
     """
     if self._processed:
         return
     base_dir = osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG
     for service in self.environment[osetupcons.NetEnv.FIREWALLD_SERVICES]:
         name = service['name']
         template_path = os.path.join(
             base_dir,
             service['directory'],
             '%s.xml.in' % name,
         )
         key = otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX + name
         self.environment[key] = outil.processTemplate(
             template=template_path,
             subst=self.environment[osetupcons.NetEnv.FIREWALLD_SUBST],
         )
     self._processed = True
 def process_firewalld_services(self):
     """Expand each firewalld service template exactly once.

     Every service listed in ``NetEnv.FIREWALLD_SERVICES`` has its
     ``<name>.xml.in`` template, found under ``OVIRT_FIREWALLD_CONFIG``
     in the service's ``directory``, rendered with
     ``NetEnv.FIREWALLD_SUBST``; the result lands in the environment at
     ``FIREWALLD_SERVICE_PREFIX + name``. ``self._processed`` guards
     against repeated expansion.
     """
     if self._processed:
         return

     def _render(service):
         # Locate and render the template of a single service entry.
         return outil.processTemplate(
             template=os.path.join(
                 osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG,
                 service['directory'],
                 '%s.xml.in' % service['name'],
             ),
             subst=self.environment[osetupcons.NetEnv.FIREWALLD_SUBST],
         )

     services = self.environment[osetupcons.NetEnv.FIREWALLD_SERVICES]
     for service in services:
         env_key = (
             otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX + service['name']
         )
         self.environment[env_key] = _render(service)
     self._processed = True
 def _misc(self):
     """Install the engine's Apache configuration fragment.

     ``HTTPD_CONF_OVIRT_ENGINE_TEMPLATE`` is rendered with the JBoss AJP
     port and queued on the main transaction; the output path is tracked
     in ``CoreEnv.MODIFIED_FILES`` and Apache is marked for restart.
     """
     env = self.environment
     env[oengcommcons.ApacheEnv.NEED_RESTART] = True

     ajp_port = env[oengcommcons.ConfigEnv.JBOSS_AJP_PORT]
     httpd_fragment = filetransaction.FileTransaction(
         name=env[oenginecons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE],
         content=outil.processTemplate(
             template=(
                 oenginecons.FileLocations.HTTPD_CONF_OVIRT_ENGINE_TEMPLATE
             ),
             subst={'@JBOSS_AJP_PORT@': ajp_port},
         ),
         modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
     )
     env[otopicons.CoreEnv.MAIN_TRANSACTION].append(httpd_fragment)
    def _misc(self):
        """Install the fapolicyd rule that allows the engine runtime dir.

        ``FAPOLICYD_ALLOW_OVIRT_ENGINE_RULE_TEMPLATE`` is rendered with
        ``@ENGINE_RUNTIME_DIR@`` set to ``OVIRT_ENGINE_LOCALSTATEDIR`` and
        written through the main transaction (tracked in
        ``CoreEnv.MODIFIED_FILES``); fapolicyd is flagged for a restart so
        the rule takes effect.
        """
        self.environment[oengcommcons.FapolicydEnv.NEED_RESTART] = True

        rule_content = outil.processTemplate(
            template=(
                oengcommcons.FileLocations.
                FAPOLICYD_ALLOW_OVIRT_ENGINE_RULE_TEMPLATE
            ),
            subst={
                '@ENGINE_RUNTIME_DIR@': (
                    oenginecons.FileLocations.OVIRT_ENGINE_LOCALSTATEDIR
                ),
            },
        )
        rule_path = self.environment[
            oengcommcons.FapolicydEnv.FAPOLICYD_ALLOW_OVIRT_RULE
        ]
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            filetransaction.FileTransaction(
                name=rule_path,
                content=rule_content,
                modifiedList=self.environment[
                    otopicons.CoreEnv.MODIFIED_FILES
                ],
            )
        )
 def _get_rules(self):
     """Lazily build and cache the iptables rule set for this setup.

     The ``OVIRT_IPTABLES_DEFAULT`` template is rendered once, with
     ``@CUSTOM_RULES@`` replaced by an ``-A INPUT ... -j ACCEPT`` line
     for each port firewalld knows about (``parseFirewalld``). Later
     calls return the cached ``self._rules``.
     """
     if self._rules is None:
         accept_line = (
             '-A INPUT -p {protocol} -m state --state NEW -m {protocol} '
             '--dport {port} -j ACCEPT\n'
         )
         custom_rules = process_firewalld_services.Process.getInstance(
             environment=self.environment,
         ).parseFirewalld(format=accept_line, portSeparator=':')
         self._rules = outil.processTemplate(
             osetupcons.FileLocations.OVIRT_IPTABLES_DEFAULT,
             subst={'@CUSTOM_RULES@': custom_rules},
         )
     return self._rules
    def misc(self):
        """Install the reports UI descriptor and register its redirect.

        Renders ``OVIRT_ENGINE_REPORTS_UI`` into
        ``<OVIRT_ENGINE_LOCALSTATEDIR>/reports.xml`` (``@JASPER_IS_CE@`` is
        ``'true'`` only when ``JasperEnv.JASPER_NAME`` is ``'ce'``),
        records the file in the ``ovirt_reports_files`` uninstall group,
        and sets the ``RedirectServletReportsPage`` vdc option to
        ``/ovirt-engine-reports``.
        """
        reports_files = []
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].addFiles(
            group='ovirt_reports_files',
            fileList=reports_files,
        )

        jasper_name = self.environment[oreportscons.JasperEnv.JASPER_NAME]
        is_ce = 'true' if jasper_name == 'ce' else 'false'
        reports_xml = os.path.join(
            osetupcons.FileLocations.OVIRT_ENGINE_LOCALSTATEDIR,
            'reports.xml',
        )
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            filetransaction.FileTransaction(
                name=reports_xml,
                content=outil.processTemplate(
                    template=(
                        oreportscons.FileLocations.OVIRT_ENGINE_REPORTS_UI
                    ),
                    subst={
                        '@JASPER_IS_CE@': is_ce,
                        '@JASPER_NAME@': jasper_name,
                    },
                ),
                modifiedList=reports_files,
            )
        )

        redirect_option = {
            'name': 'RedirectServletReportsPage',
            'value': '/ovirt-engine-reports',
        }
        self.environment[osetupcons.DBEnv.STATEMENT].updateVdcOptions(
            options=(redirect_option,),
        )
 def _misc(self):
     """Queue the engine Apache configuration file on the main transaction.

     The template ``HTTPD_CONF_OVIRT_ENGINE_TEMPLATE`` is rendered with the
     JBoss AJP port, written to ``ApacheEnv.HTTPD_CONF_OVIRT_ENGINE``,
     recorded in ``CoreEnv.MODIFIED_FILES``, and Apache is marked for a
     restart.
     """
     self.environment[oengcommcons.ApacheEnv.NEED_RESTART] = True

     target = self.environment[oenginecons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE]
     substitutions = {
         '@JBOSS_AJP_PORT@': self.environment[
             oengcommcons.ConfigEnv.JBOSS_AJP_PORT
         ],
     }
     content = outil.processTemplate(
         template=oenginecons.FileLocations.HTTPD_CONF_OVIRT_ENGINE_TEMPLATE,
         subst=substitutions,
     )
     main_transaction = self.environment[otopicons.CoreEnv.MAIN_TRANSACTION]
     main_transaction.append(
         filetransaction.FileTransaction(
             name=target,
             content=content,
             modifiedList=self.environment[otopicons.CoreEnv.MODIFIED_FILES],
         )
     )
    def _misc(self):
        """Create the engine CA and enroll/extract the service certificates.

        Not transactional (see TODO below): every file created is appended
        to ``uninstall_files`` so ``self.CATransaction`` can remove them on
        failure, and the same list is registered in the ``ca_pki``
        uninstall group.

        Sequence: render the CA/cert OpenSSL templates with the AIA URL,
        run ``OVIRT_ENGINE_PKI_CA_CREATE``, enroll one certificate per
        internal service, extract the PEM private keys for
        websocket-proxy, reports and apache, link the Apache CA cert to the
        engine CA cert, and hand the engine and jboss keystores to the
        engine user.
        """
        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files = []
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            self.CATransaction(
                parent=self,
                uninstall_files=uninstall_files,
            )
        )

        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].createGroup(
            group='ca_pki',
            description='PKI keys',
            optional=True,
        ).addFiles(
            group='ca_pki',
            fileList=uninstall_files,
        )

        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        # Render the OpenSSL CA/cert templates. The AIA (caIssuers) URL
        # points at the engine's own CA download endpoint, over plain
        # http on the public HTTP port.
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=name[:-len('.in')],
                        content=outil.processTemplate(
                            name,
                            {
                                '@AIA@': 'http://%s:%s%s' % (
                                    self.environment[
                                        osetupcons.ConfigEnv.FQDN
                                    ],
                                    self.environment[
                                        oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT
                                    ],
                                    oenginecons.Const.ENGINE_PKI_CA_URI,
                                )
                            }
                        ),
                        modifiedList=uninstall_files,
                    ),
                )

        # NOTE(review): the keystore password is passed as a command-line
        # argument, so any local user can read it from the process list
        # for as long as the helper runs. The helper's interface is
        # outside this file -- confirm whether it can take the password
        # from the environment or stdin instead.
        # Subject components go through _subjectComponentEscape. The CN is
        # the FQDN truncated to MAX_HOST_FQDN_LEN plus a 5-digit suffix
        # that only has to be distinct, not secret, so the non-
        # cryptographic random module is adequate here.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=/C=%s/O=%s/CN=%s.%s' % (
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[
                            osetupcons.ConfigEnv.FQDN
                        ][:MAX_HOST_FQDN_LEN],
                    ),
                    random.randint(10000, 99999),
                ),
                '--keystore-password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    oengcommcons.ConfigEnv.JAVA_HOME
                ],
            },
        )

        # One certificate per internal service, all under the full FQDN.
        # NOTE(review): unlike the pkcs12 extract calls below, logStreams
        # is not disabled here -- confirm the enroll helper never echoes
        # its --password argument.
        for name in (
            'engine',
            'apache',
            'jboss',
            'websocket-proxy',
            'reports'
        ):
            self.execute(
                (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                    '--name=%s' % name,
                    '--password=%s' % (
                        self.environment[oenginecons.PKIEnv.STORE_PASS],
                    ),
                    '--subject=/C=%s/O=%s/CN=%s' % (
                        self._subjectComponentEscape(
                            self.environment[oenginecons.PKIEnv.COUNTRY],
                        ),
                        self._subjectComponentEscape(
                            self.environment[oenginecons.PKIEnv.ORG],
                        ),
                        self._subjectComponentEscape(
                            self.environment[osetupcons.ConfigEnv.FQDN],
                        ),
                    ),
                ),
            )

        # Everything create/enroll wrote so far, so CATransaction can
        # clean up on failure (and uninstall can remove it later).
        uninstall_files.extend(
            (
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_CERT,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
                (
                    oenginecons.FileLocations.
                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_CERT
                ),
                (
                    oenginecons.FileLocations.
                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE
                ),
            )
        )

        # Extract the PEM private keys the non-Java consumers need.
        # logStreams=False presumably keeps the helper's output (key
        # material, --passin) out of the setup log.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=websocket-proxy',
                '--passin=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
                '--key=%s' % (
                    oenginecons.FileLocations.
                    OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY,
                ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            oenginecons.FileLocations.
            OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY
        )

        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=reports',
                '--passin=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
                '--key=%s' % (
                    oenginecons.FileLocations.
                    OVIRT_ENGINE_PKI_REPORTS_KEY,
                ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            oenginecons.FileLocations.
            OVIRT_ENGINE_PKI_REPORTS_KEY
        )

        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=apache',
                '--passin=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
                '--key=%s' % (
                    oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
                ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
        )

        # Apache trusts the engine CA through a symlink. os.path.exists()
        # follows symlinks, so a dangling link at this path is not
        # detected and os.symlink() would then fail -- confirm that cannot
        # occur on a re-run.
        if not os.path.exists(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        ):
            os.symlink(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )
            uninstall_files.append(
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )

        # The keystores are owned by the engine service user; the group is
        # left untouched (-1). File mode is not changed here -- presumably
        # the create/enroll helpers set it.
        for f in (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
        ):
            os.chown(
                f,
                osetuputil.getUid(
                    self.environment[osetupcons.SystemEnv.USER_ENGINE]
                ),
                -1,
            )
    def _misc(self):
        """Create the engine CA and enroll the service certificates.

        Not transactional (see TODO below): every file created is appended
        to ``uninstall_files`` (registered via ``self._setupUninstall``) so
        ``self.CATransaction`` can remove them on failure.

        Sequence: render the CA/cert OpenSSL templates with the AIA URL,
        run ``OVIRT_ENGINE_PKI_CA_CREATE``, link the Apache CA cert to the
        engine CA cert, then enroll the service certificates through
        ``self._enrollCertificates(False, ...)``. Sets ``self._enabled``.
        """
        self._enabled = True

        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files = []
        self._setupUninstall(uninstall_files)
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            self.CATransaction(
                parent=self,
                uninstall_files=uninstall_files,
            )
        )

        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        # Render the OpenSSL CA/cert templates. The AIA (caIssuers) URL
        # points at the engine's own CA download endpoint, over plain
        # http on the public HTTP port.
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=name[:-len('.in')],
                        content=outil.processTemplate(
                            name,
                            {
                                '@AIA@': 'http://%s:%s%s' % (
                                    self.environment[
                                        osetupcons.ConfigEnv.FQDN
                                    ],
                                    self.environment[
                                        oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT
                                    ],
                                    oenginecons.Const.ENGINE_PKI_CA_URI,
                                )
                            }
                        ),
                        modifiedList=uninstall_files,
                    ),
                )

        # NOTE(review): the keystore password is passed as a command-line
        # argument, so any local user can read it from the process list
        # for as long as the helper runs. The helper's interface is
        # outside this file -- confirm whether it can take the password
        # from the environment or stdin instead.
        # The CN is the FQDN truncated to MAX_HOST_FQDN_LEN plus a 5-digit
        # suffix that only has to be distinct, not secret, so the
        # non-cryptographic random module is adequate here.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=/C=%s/O=%s/CN=%s.%s' % (
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[
                            osetupcons.ConfigEnv.FQDN
                        ][:MAX_HOST_FQDN_LEN],
                    ),
                    random.randint(10000, 99999),
                ),
                '--keystore-password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    oengcommcons.ConfigEnv.JAVA_HOME
                ],
            },
        )

        # Files written by create_ca, registered for cleanup/uninstall.
        uninstall_files.extend(
            (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
            )
        )

        # Apache trusts the engine CA through a symlink. os.path.exists()
        # follows symlinks, so a dangling link at this path is not
        # detected and os.symlink() would then fail -- confirm that cannot
        # occur on a re-run.
        if not os.path.exists(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        ):
            os.symlink(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )
            uninstall_files.append(
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )

        # False presumably means "fresh install, not renewal" -- see
        # _enrollCertificates.
        self._enrollCertificates(False, uninstall_files)
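    def _miscUpgrade(self):
        """Upgrade the engine CA configuration and renew the CA if expired.

        In order:

        * recover ``PKIEnv.ORG`` / ``PKIEnv.COUNTRY`` from the installed
          CA certificate when the post-install file predates 3.6 and does
          not carry them;
        * re-render the CA and certificate OpenSSL templates, carrying the
          ``authorityInfoAccess`` URI over from the currently installed
          cert template so a hand-edited AIA survives (LEGACY NOTE); when
          no usable AIA is found the templates are left untouched;
        * renew the CA certificate (``OVIRT_ENGINE_PKI_CA_CREATE --renew``)
          when ``self._expired`` reports it expired, recording that in
          ``self._ca_was_renewed``;
        * re-enroll the service certificates via
          ``self._enrollCertificates(True, ...)``.
        """
        #
        # In <3.6 setup did not store the organization and
        # country in post install file. Load it from CA certificate.
        #
        if self.environment[oenginecons.PKIEnv.ORG] is None:
            ca = X509.load_cert(
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_ENGINE_CA_CERT
            )
            # [0] assumes the CA subject carries both O and C, as setup
            # always wrote them; a foreign CA lacking either raises
            # IndexError here.
            self.environment[
                oenginecons.PKIEnv.ORG
            ] = ca.get_subject().get_entries_by_nid(
                X509.X509_Name.nid['O']
            )[0].get_data().as_text()
            self.environment[
                oenginecons.PKIEnv.COUNTRY
            ] = ca.get_subject().get_entries_by_nid(
                X509.X509_Name.nid['C']
            )[0].get_data().as_text()

        self.logger.info(_('Upgrading CA'))

        #
        # LEGACY NOTE
        # Since 3.0 and maybe before the method of
        # allowing user to override AIA was to explict
        # edit files. Until we rewrite the entire PKI
        # we must preserve this approach.
        # The template may change over time, so regenerate.
        #
        aia = None
        template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
            :-len('.in')
        ]
        if os.path.exists(template):
            with open(template) as f:
                PREFIX = 'caIssuers;URI:'
                for line in f:
                    if line.startswith('authorityInfoAccess'):
                        # str.find() returns -1 when the prefix is absent;
                        # slicing from (-1 + len(PREFIX)) would silently
                        # feed an arbitrary fragment of the line into the
                        # CA configuration. Accept only a well-formed line.
                        idx = line.find(PREFIX)
                        if idx == -1:
                            self.logger.warning(
                                _(
                                    "Unable to parse authorityInfoAccess "
                                    "from '{file}', PKI templates are not "
                                    "regenerated"
                                ).format(
                                    file=template,
                                )
                            )
                        else:
                            # Rest of the line is kept verbatim, trailing
                            # newline included, as previous releases did.
                            aia = line[idx + len(PREFIX):]
                        break

        uninstall_files = []
        self._setupUninstall(uninstall_files)
        if aia is not None:
            localtransaction = transaction.Transaction()
            with localtransaction:
                for name in (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
                ):
                    # Both the ``.template`` and the ``.conf`` output are
                    # rendered from the same ``.in`` source.
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=name[:-len('.in')],
                            content=outil.processTemplate(
                                name,
                                {
                                    '@AIA@': aia,
                                }
                            ),
                            modifiedList=uninstall_files,
                        ),
                    )
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=name[:-len('.template.in')] + '.conf',
                            content=outil.processTemplate(
                                name,
                                {
                                    '@AIA@': aia,
                                }
                            ),
                            modifiedList=uninstall_files,
                        ),
                    )

        # NOTE(review): as in initial setup, the keystore password goes on
        # the helper's command line, where local users can read it from
        # the process list while the helper runs; the helper's interface
        # is outside this file.
        if self._expired(
            X509.load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
            )
        ):
            self._ca_was_renewed = True
            self.logger.info(_('Renewing CA'))
            self.execute(
                args=(
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                    '--renew',
                    '--keystore-password=%s' % (
                        self.environment[oenginecons.PKIEnv.STORE_PASS],
                    ),
                ),
                envAppend={
                    'JAVA_HOME': self.environment[
                        oengcommcons.ConfigEnv.JAVA_HOME
                    ],
                },
            )

        # True presumably means "upgrade/renewal path" -- see
        # _enrollCertificates.
        self._enrollCertificates(True, uninstall_files)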
    def daemonSetup(self):
        """Prepare the JVM command line and environment for ovirt-engine-dwhd.

        Refuses to run as root, loads the layered configuration
        (``self._defaults`` then ``config.DWH_VARS``), resolves the java
        executable, validates the installation, renders
        ``settings.properties`` into a fresh temp dir, and builds
        ``self._serviceArgs`` / ``self._serviceEnv`` for the service
        runner.

        Raises:
            RuntimeError: when running as root or when ``self._defaults``
                does not exist.
        """

        # Least privilege: the ETL must never run with uid 0.
        if os.geteuid() == 0:
            raise RuntimeError(
                _('This service cannot be executed as root')
            )

        if not os.path.exists(self._defaults):
            raise RuntimeError(
                _(
                    "The configuration defaults file '{file}' "
                    "required but missing"
                ).format(
                    file=self._defaults,
                )
            )

        # Later files override earlier ones -- DWH_VARS wins over defaults.
        self._config = configfile.ConfigFile(
            (
                self._defaults,
                config.DWH_VARS,
            ),
        )

        #
        # the earliest so we can abort early.
        #
        self._executable = os.path.join(
            java.Java().getJavaHome(),
            'bin',
            'java',
        )

        self._checkInstallation(
            pidfile=self.pidfile,
        )

        self._tempDir = service.TempDir()
        self._tempDir.create()

        # Every configuration value is rendered into the properties file;
        # util.escape() protects the Java properties separators.
        # NOTE(review): if DWH_VARS carries credentials (e.g. a DB password)
        # they end up in this file, created with the default umask -- the
        # config contents are not visible here; confirm TempDir and/or the
        # umask keep it private to the service user.
        settings = os.path.join(self._tempDir.directory, 'settings.properties')
        with open(settings, 'w') as f:
            f.write(
                util.processTemplate(
                    os.path.join(
                        self._config.get('PKG_DATA_DIR'),
                        'conf',
                        'settings.properties.in'
                    ),
                    dict(
                        ('@%s@' % k, util.escape(v, ':=\\ ')) for (k, v) in
                        self._config.values.items()
                    ),
                )
            )

        self._serviceArgs = [
            'ovirt-engine-dwhd',
            '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
        ]

        # Add arguments for the java heap size:
        self._serviceArgs.extend([
            '-Xms%s' % self._config.get('DWH_HEAP_MIN'),
            '-Xmx%s' % self._config.get('DWH_HEAP_MAX'),
        ])

        # Config values are split shell-style but passed as argv entries,
        # never through a shell.
        for engineProperty in shlex.split(
            self._config.get('DWH_PROPERTIES')
        ):
            if not engineProperty.startswith('-D'):
                engineProperty = '-D' + engineProperty
            self._serviceArgs.append(engineProperty)

        for arg in shlex.split(self._config.get('DWH_JVM_ARGS')):
            self._serviceArgs.append(arg)

        # JDWP listener (server=y): anyone who can reach this address gets
        # arbitrary code execution inside the JVM, so DWH_DEBUG_ADDRESS is
        # for development only and should bind to localhost when used.
        engineDebugAddress = self._config.get('DWH_DEBUG_ADDRESS')
        if engineDebugAddress:
            self._serviceArgs.append(
                (
                    '-Xrunjdwp:transport=dt_socket,address=%s,'
                    'server=y,suspend=n'
                ) % (
                    engineDebugAddress
                )
            )

        if self._config.getboolean('DWH_VERBOSE_GC'):
            self._serviceArgs.extend([
                '-verbose:gc',
                '-XX:+PrintGCTimeStamps',
                '-XX:+PrintGCDetails',
            ])

        self._serviceArgs.extend([
            '-classpath', '%s:%s' % (
                os.path.join(
                    self._config.get('PKG_JAVA_LIB'),
                    '*',
                ),
                self._getClasspath(),
            ),
            'ovirt_engine_dwh.historyetl_4_3.HistoryETL',
            '--context=Default',
        ])

        # Inherit the environment but pin PATH to system directories and
        # force a known locale, so the service does not depend on what the
        # invoking shell happened to export.
        self._serviceEnv = os.environ.copy()
        self._serviceEnv.update({
            'PATH': (
                '/usr/local/sbin:/usr/local/bin:'
                '/usr/sbin:/usr/bin:/sbin:/bin'
            ),
            'LANG': 'en_US.UTF-8',
            'LC_ALL': 'en_US.UTF-8',
        })
    def daemonSetup(self) -> None:
        """Prepare everything needed to launch the DWH ETL JVM.

        Reads the daemon configuration, renders a ``settings.properties``
        file into a fresh temporary directory and assembles the Java
        command line and environment into ``self._executable``,
        ``self._serviceArgs`` and ``self._serviceEnv`` for the service
        runner to use.

        Raises:
            RuntimeError: when run with effective uid 0, or when the
                defaults file ``self._defaults`` does not exist.
        """

        # Least privilege: the ETL JVM must run under the service
        # account, never as root.
        if os.geteuid() == 0:
            raise RuntimeError(
                _('This service cannot be executed as root')
            )

        if not os.path.exists(self._defaults):
            raise RuntimeError(
                _(
                    "The configuration defaults file '{file}' "
                    "required but missing"
                ).format(
                    file=self._defaults,
                )
            )

        # Layered config: packaged defaults first, then the DWH_VARS
        # overrides (later entries presumably win -- see configfile).
        self._config = configfile.ConfigFile(
            (
                self._defaults,
                config.DWH_VARS,
            ),
        )

        #
        # the earliest so we can abort early.
        #
        self._executable = os.path.join(
            java.Java().getJavaHome(),
            'bin',
            'java',
        )

        self._checkInstallation(
            pidfile=self.pidfile,
        )

        self._tempDir = service.TempDir()
        self._tempDir.create()

        # Every configuration value is expanded into the properties file,
        # escaped for the Java .properties syntax (':', '=', '\', ' ').
        # NOTE(review): any credential held in the config (e.g. database
        # passwords) therefore lands in this file; its confidentiality
        # rests on the permissions service.TempDir applies -- confirm they
        # restrict it to the service user.
        settings = os.path.join(self._tempDir.directory, 'settings.properties')
        with open(settings, 'w') as f:
            f.write(
                util.processTemplate(
                    os.path.join(
                        self._config.get('PKG_DATA_DIR'),
                        'conf',
                        'settings.properties.in'
                    ),
                    dict(
                        ('@%s@' % k, util.escape(v, ':=\\ ')) for (k, v) in
                        self._config.values.items()
                    ),
                )
            )

        # argv[0] is the process name shown in ps; the settings path is
        # handed to the ETL via a system property.
        self._serviceArgs = [
            'ovirt-engine-dwhd',
            '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
        ]

        # Add arguments for the java heap size:
        self._serviceArgs.extend([
            '-Xms%s' % self._config.get('DWH_HEAP_MIN'),
            '-Xmx%s' % self._config.get('DWH_HEAP_MAX'),
        ])

        # DWH_PROPERTIES is shell-split; entries lacking the -D prefix get
        # it added so plain key=value pairs work too.
        for engineProperty in shlex.split(
            self._config.get('DWH_PROPERTIES')
        ):
            if not engineProperty.startswith('-D'):
                engineProperty = '-D' + engineProperty
            self._serviceArgs.append(engineProperty)

        # Arbitrary extra JVM flags from the configuration, passed as-is.
        for arg in shlex.split(self._config.get('DWH_JVM_ARGS')):
            self._serviceArgs.append(arg)

        # SECURITY: when DWH_DEBUG_ADDRESS is set the JVM opens a JDWP
        # listener (server=y) on that address. JDWP has no authentication
        # and allows arbitrary code execution inside the JVM, so this must
        # stay unset in production and, when used, be bound to loopback
        # only (address=localhost:PORT), never a bare port / 0.0.0.0.
        engineDebugAddress = self._config.get('DWH_DEBUG_ADDRESS')
        if engineDebugAddress:
            self._serviceArgs.append(
                (
                    '-Xrunjdwp:transport=dt_socket,address=%s,'
                    'server=y,suspend=n'
                ) % (
                    engineDebugAddress
                )
            )

        if self._config.getboolean('DWH_VERBOSE_GC'):
            self._serviceArgs.extend([
                '-verbose:gc',
                '-XX:+PrintGCTimeStamps',
                '-XX:+PrintGCDetails',
            ])

        # Classpath, main class and its argument come last: everything
        # after the main class is an application argument, not a JVM flag.
        self._serviceArgs.extend([
            '-classpath', '%s:%s' % (
                os.path.join(
                    self._config.get('PKG_JAVA_LIB'),
                    '*',
                ),
                self._getClasspath(),
            ),
            'ovirt_engine_dwh.historyetl_4_4.HistoryETL',
            '--context=Default',
        ])

        # Start from the current environment but pin PATH to the system
        # directories and force a UTF-8 locale, so the child does not
        # depend on whatever the invoking shell had set.
        self._serviceEnv = os.environ.copy()
        self._serviceEnv.update({
            'PATH': (
                '/usr/local/sbin:/usr/local/bin:'
                '/usr/sbin:/usr/bin:/sbin:/bin'
            ),
            'LANG': 'en_US.UTF-8',
            'LC_ALL': 'en_US.UTF-8',
        })
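    def _miscUpgrade(self) -> None:
        """Bring the engine CA configuration up to date on upgrade.

        Two legacy behaviours are preserved:

        * An administrator may have hand-edited the AIA (caIssuers URI)
          in the generated cert template. That value is read back and
          re-applied when the ``.in`` templates are regenerated, so a
          packaging change does not silently drop the override.
        * A CA certificate whose ``notBefore`` was written with a
          timezone offset instead of ``Z`` is re-issued via ``--renew``.

        Side effects: rewrites the PKI template and ``.conf`` files inside
        a local transaction, registers them for uninstall, may run the
        CA-create script and sets ``self._ca_was_renewed``.
        """
        self.logger.info(_('Upgrading CA'))

        #
        # LEGACY NOTE
        # Since 3.0 and maybe before the method of
        # allowing user to override AIA was to explict
        # edit files. Until we rewrite the entire PKI
        # we must preserve this approach.
        # The template may change over time, so regenerate.
        #
        aia = None
        template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
            :-len('.in')
        ]
        if os.path.exists(template):
            PREFIX = 'caIssuers;URI:'
            with open(template) as f:
                # splitlines() rather than readlines(): the URI must not
                # carry a trailing newline into the regenerated templates.
                for line in f.read().splitlines():
                    if not line.startswith('authorityInfoAccess'):
                        continue
                    # Take the value only if the caIssuers marker is really
                    # there. str.find() returns -1 when it is missing, and
                    # slicing from -1 + len(PREFIX) would inject an
                    # arbitrary substring of the line into the openssl
                    # config as the AIA.
                    start = line.find(PREFIX)
                    if start != -1:
                        aia = line[start + len(PREFIX):]
                    break

        uninstall_files = []
        self._setupUninstall(uninstall_files)
        if aia is not None:
            # NOTE(review): the recovered URI is substituted verbatim. The
            # file is setup-owned configuration, so it is treated as
            # trusted; no syntax validation is done here.
            localtransaction = transaction.Transaction()
            with localtransaction:
                for name in (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
                ):
                    rendered = outil.processTemplate(
                        name,
                        {
                            '@AIA@': aia,
                        },
                    )
                    # Both the rendered template (*.template) and the
                    # openssl *.conf derived from it are regenerated.
                    for target in (
                        name[:-len('.in')],
                        name[:-len('.template.in')] + '.conf',
                    ):
                        localtransaction.append(
                            filetransaction.FileTransaction(
                                name=target,
                                content=rendered,
                                modifiedList=uninstall_files,
                            ),
                        )

        #
        # LEGACY NOTE
        # Since 3.0 and maybe before the CA certificate's
        # notBefore attribute was set using timezone offset
        # instead of Z
        # in this case we need to reissue CA certificate.
        #
        # A naive datetime (tzname() is None) is how M2Crypto surfaces
        # the non-Z encoding.
        x509 = X509.load_cert(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT)
        if x509.get_not_before().get_datetime().tzname() is None:
            self._ca_was_renewed = True
            self.logger.info(_('Renewing CA'))
            # NOTE(review): the keystore password travels on argv, where
            # it is readable by other local users via the process list
            # for the lifetime of the child. Passing it through the
            # environment or stdin would be preferable if the CA-create
            # script supports that -- confirm.
            self.execute(
                args=(
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                    '--renew',
                    '--keystore-password=%s' % (
                        self.environment[oenginecons.PKIEnv.STORE_PASS],
                    ),
                ),
                envAppend={
                    'JAVA_HOME':
                    self.environment[oengcommcons.ConfigEnv.JAVA_HOME],
                },
            )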
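    def _miscUpgrade(self) -> None:
        """Upgrade the engine CA configuration and re-enroll certificates.

        Steps, in order:

        1. Backfill ``PKIEnv.ORG`` / ``PKIEnv.COUNTRY`` from the existing
           CA certificate's subject when the post-install file predates
           3.6 and does not carry them.
        2. Recover a hand-edited AIA (caIssuers URI) from the generated
           cert template and re-apply it while regenerating the
           templates and derived openssl ``.conf`` files.
        3. When ``PKIEnv.RENEW`` is set, re-issue the CA if it has
           expired and force re-enrollment of the certificates.
        4. Enroll any certificates still missing, if a CA exists.

        Side effects: file writes via a local transaction, uninstall
        registration, possible execution of the CA-create script, and
        ``self._ca_was_renewed``.
        """
        #
        # In <3.6 setup did not store the organization and
        # country in post install file. Load it from CA certificate.
        #
        if self.environment[oenginecons.PKIEnv.ORG] is None:
            ca = self._x509_load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT)
            subject = ca.get_subject()
            # [0] raises IndexError if the CA subject has no O / C
            # component; a CA issued by this setup always has both.
            self.environment[oenginecons.PKIEnv.ORG] = (
                subject.get_entries_by_nid(
                    X509.X509_Name.nid['O'])[0].get_data().as_text()
            )
            self.environment[oenginecons.PKIEnv.COUNTRY] = (
                subject.get_entries_by_nid(
                    X509.X509_Name.nid['C'])[0].get_data().as_text()
            )

        self.logger.info(_('Upgrading CA'))

        #
        # LEGACY NOTE
        # Since 3.0 and maybe before the method of
        # allowing user to override AIA was to explict
        # edit files. Until we rewrite the entire PKI
        # we must preserve this approach.
        # The template may change over time, so regenerate.
        #
        aia = None
        template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
            :-len('.in')
        ]
        if os.path.exists(template):
            PREFIX = 'caIssuers;URI:'
            with open(template) as f:
                for line in f.read().splitlines():
                    if not line.startswith('authorityInfoAccess'):
                        continue
                    # Only accept the value when the caIssuers marker is
                    # present. str.find() yields -1 otherwise, and the
                    # former unconditional slice would then write an
                    # arbitrary fragment of the line into the openssl
                    # config as the AIA.
                    start = line.find(PREFIX)
                    if start != -1:
                        aia = line[start + len(PREFIX):]
                    break

        uninstall_files = []
        self._setupUninstall(uninstall_files)
        if aia is not None:
            # NOTE(review): the recovered URI is substituted verbatim; the
            # source file is setup-owned configuration and is trusted as
            # such, no syntax validation is applied.
            localtransaction = transaction.Transaction()
            with localtransaction:
                for name in (
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
                ):
                    rendered = outil.processTemplate(
                        name,
                        {
                            '@AIA@': aia,
                        },
                    )
                    # Regenerate both the *.template and the *.conf that
                    # is derived from the same source.
                    for target in (
                        name[:-len('.in')],
                        name[:-len('.template.in')] + '.conf',
                    ):
                        localtransaction.append(
                            filetransaction.FileTransaction(
                                name=target,
                                content=rendered,
                                modifiedList=uninstall_files,
                            ),
                        )

        if self.environment[oenginecons.PKIEnv.RENEW]:
            ca_cert = self._x509_load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            )
            if self._expired(ca_cert):
                self._ca_was_renewed = True
                self.logger.info(_('Renewing CA'))
                # NOTE(review): the keystore password is passed on argv
                # and is therefore visible to other local users in the
                # process list while the child runs. Prefer environment
                # or stdin if the CA-create script can take it that way
                # -- confirm.
                self.execute(
                    args=(
                        oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                        '--renew',
                        '--keystore-password=%s' % (
                            self.environment[oenginecons.PKIEnv.STORE_PASS],
                        ),
                    ),
                    envAppend={
                        'JAVA_HOME':
                        self.environment[oengcommcons.ConfigEnv.JAVA_HOME],
                    },
                )

            # Renewal requested: re-enroll everything, not just what is
            # missing (first positional argument is the renew flag).
            self._enrollCertificates(True, uninstall_files)

        # Also enroll missing parts on upgrade
        if os.path.exists(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
        ):
            self._enrollCertificates(False, uninstall_files)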
    def _misc(self) -> None:
        """Create the engine CA on a fresh install and enroll certificates.

        Renders the PKI templates with the engine's AIA URL, runs the
        CA-create script with a subject built from the configured
        country, organisation and (truncated) FQDN, links the CA
        certificate for Apache if no such link exists, and enrolls the
        service certificates. Every file produced is recorded in the
        uninstall list owned by the ``CATransaction`` registered on the
        main transaction, so a failed setup can delete them again.
        """
        self._enabled = True

        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files = []
        self._setupUninstall(uninstall_files)
        ca_transaction = self.CATransaction(
            parent=self,
            uninstall_files=uninstall_files,
        )
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            ca_transaction
        )

        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        template_sources = (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
        )
        tx = transaction.Transaction()
        with tx:
            # The AIA points clients at the engine's own CA download URL.
            aia_url = 'http://%s:%s%s' % (
                self.environment[osetupcons.ConfigEnv.FQDN],
                self.environment[oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT],
                oenginecons.Const.ENGINE_PKI_CA_URI,
            )
            for source in template_sources:
                tx.append(
                    filetransaction.FileTransaction(
                        name=source[:-len('.in')],
                        content=outil.processTemplate(
                            source,
                            {'@AIA@': aia_url},
                        ),
                        modifiedList=uninstall_files,
                    ),
                )

        # The random suffix exists purely to keep the CN unique across
        # reinstalls (see LEGACY NOTE above); it is not a secret, so
        # `random` is adequate here.
        cn_suffix = random.randint(10000, 99999)
        escaped_fqdn = self._subjectComponentEscape(
            self.environment[osetupcons.ConfigEnv.FQDN][:MAX_HOST_FQDN_LEN],
        )
        subject = '/C=%s/O=%s/CN=%s.%s' % (
            self._subjectComponentEscape(
                self.environment[oenginecons.PKIEnv.COUNTRY],
            ),
            self._subjectComponentEscape(
                self.environment[oenginecons.PKIEnv.ORG],
            ),
            escaped_fqdn,
            cn_suffix,
        )
        # NOTE(review): the keystore password is handed over on argv and
        # is thus visible in the process list to other local users while
        # the CA-create script runs -- an env/stdin channel would be
        # preferable if the script supports one.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=' + subject,
                '--keystore-password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME':
                self.environment[oengcommcons.ConfigEnv.JAVA_HOME],
            },
        )

        # Artifacts the CA-create script leaves behind; all removable on
        # failure / uninstall.
        uninstall_files += [
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
        ]

        # Apache serves the same CA certificate through a symlink; an
        # existing link (e.g. admin-provided) is left untouched.
        apache_ca = oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        if not os.path.exists(apache_ca):
            os.symlink(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                apache_ca,
            )
            uninstall_files.append(apache_ca)

        # First positional argument is the renew flag: fresh install, so no.
        self._enrollCertificates(False, uninstall_files)
    def _misc(self):
        # TODO
        # this implementaiton is not transactional
        # too many issues with legacy ca implementation
        # need to work this out to allow transactional
        # for now just delete files if we fail
        uninstall_files = []
        self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
            self.CATransaction(
                parent=self,
                uninstall_files=uninstall_files,
            )
        )

        # LEGACY NOTE
        # This is needed for avoiding error in create_ca when supporting
        # max cn length of 64.
        # please DON'T increase this size, any value over 55 will fail the
        # setup. the truncated host-fqdn is concatenated with a random string
        # to create a unique CN value.
        self.environment[
            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
        ].createGroup(
            group='ca_pki',
            description='PKI keys',
            optional=True,
        ).addFiles(
            group='ca_pki',
            fileList=uninstall_files,
        )
        MAX_HOST_FQDN_LEN = 55

        self.logger.info(_('Creating CA'))

        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=name[:-len('.in')],
                        content=outil.processTemplate(
                            name,
                            {
                                '@AIA@': 'http://%s:%s%s' % (
                                    self.environment[
                                        osetupcons.ConfigEnv.FQDN
                                    ],
                                    self.environment[
                                        osetupcons.ConfigEnv.PUBLIC_HTTP_PORT
                                    ],
                                    osetupcons.Const.ENGINE_PKI_CA_URI,
                                )
                            }
                        ),
                        modifiedList=uninstall_files,
                    ),
                )

        self.execute(
            args=(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--subject=/C=%s/O=%s/CN=%s.%s' % (
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[
                            osetupcons.ConfigEnv.FQDN
                        ][:MAX_HOST_FQDN_LEN],
                    ),
                    random.randint(10000, 99999),
                ),
                '--keystore-password=%s' % (
                    self.environment[osetupcons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    osetupcons.ConfigEnv.JAVA_HOME
                ],
            },
        )

        for name in ('engine', 'apache', 'jboss'):
            self.execute(
                (
                    osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                    '--name=%s' % name,
                    '--password=%s' % (
                        self.environment[osetupcons.PKIEnv.STORE_PASS],
                    ),
                    '--subject=/C=%s/O=%s/CN=%s' % (
                        self._subjectComponentEscape(
                            self.environment[osetupcons.PKIEnv.COUNTRY],
                        ),
                        self._subjectComponentEscape(
                            self.environment[osetupcons.PKIEnv.ORG],
                        ),
                        self._subjectComponentEscape(
                            self.environment[osetupcons.ConfigEnv.FQDN],
                        ),
                    ),
                ),
            )

        uninstall_files.extend(
            (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
            )
        )

        self.execute(
            args=(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
                '--name=apache',
                '--passin=%s' % (
                    self.environment[osetupcons.PKIEnv.STORE_PASS],
                ),
                '--key=%s' % (
                    osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
                ),
            ),
            logStreams=False,
        )
        uninstall_files.append(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
        )

        if not os.path.exists(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        ):
            os.symlink(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )
            uninstall_files.append(
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
            )

        for f in (
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
        ):
            os.chown(
                f,
                osetuputil.getUid(
                    self.environment[osetupcons.SystemEnv.USER_ENGINE]
                ),
                -1,
            )