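def _miscUpgrade(self):
    """Regenerate the PKI templates on upgrade, preserving a user-edited AIA.

    Legacy behaviour (3.0 and earlier): the only supported way to override
    the authorityInfoAccess (AIA) URI was to hand-edit the generated cert
    template.  Until the PKI is rewritten that is honoured here: the
    current ``authorityInfoAccess`` URI is read back from the generated
    file and substituted into freshly rendered templates, so template
    changes are picked up without losing the override.

    Side effects: registers the rewritten files for uninstall through
    ``_setupUninstall`` and writes them inside a local transaction.
    Nothing is rewritten when no AIA URI can be recovered.
    """
    self.logger.info(_('Upgrading CA'))

    #
    # LEGACY NOTE
    # Since 3.0 and maybe before the method of
    # allowing user to override AIA was to explicitly
    # edit files. Until we rewrite the entire PKI
    # we must preserve this approach.
    # The template may change over time, so regenerate.
    #
    aia = None
    template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
        :-len('.in')
    ]
    if os.path.exists(template):
        PREFIX = 'caIssuers;URI:'
        with open(template) as f:
            # splitlines() drops the line terminator that readlines()
            # keeps, so the URI is not substituted with a trailing newline.
            # Only take the URI when the prefix is really present: the old
            # find()-based slice produced a garbage value on a -1 result.
            for line in f.read().splitlines():
                if line.startswith('authorityInfoAccess'):
                    if PREFIX in line:
                        aia = line.split(PREFIX, 1)[1]
                    break

    uninstall_files = []
    self._setupUninstall(uninstall_files)

    if aia is not None:
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                # Render once; both output names get identical content.
                content = outil.processTemplate(
                    name,
                    {
                        '@AIA@': aia,
                    }
                )
                for output in (
                    name[:-len('.in')],
                    name[:-len('.template.in')] + '.conf',
                ):
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=output,
                            content=content,
                            modifiedList=uninstall_files,
                        ),
                    )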
def misc(self):
    """Install the Apache configuration fragment for the reports web app.

    The rendered fragment is registered in the ``ovirt_reports_files``
    uninstall group, written through the main transaction, and Apache is
    flagged for restart so the new fragment is loaded.
    """
    uninstall_files = []
    uninstall_groups = self.environment[
        osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
    ]
    uninstall_groups.addFiles(
        group='ovirt_reports_files',
        fileList=uninstall_files,
    )
    self.environment[oengcommcons.ApacheEnv.NEED_RESTART] = True

    main_transaction = self.environment[otopicons.CoreEnv.MAIN_TRANSACTION]
    target = self.environment[
        oreportscons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE_REPORTS
    ]
    rendered = outil.processTemplate(
        template=(
            oreportscons.FileLocations.
            HTTPD_CONF_OVIRT_ENGINE_REPORTS_TEMPLATE
        ),
        subst={
            '@JBOSS_AJP_PORT@': self.environment[
                oreportscons.ConfigEnv.JBOSS_AJP_PORT
            ],
        },
    )
    main_transaction.append(
        filetransaction.FileTransaction(
            name=target,
            content=rendered,
            modifiedList=uninstall_files,
        )
    )
def process_firewalld_services(self):
    """Render every registered firewalld service template once.

    Each entry of ``NetEnv.FIREWALLD_SERVICES`` names a service and either
    an ``absolute_path`` to its template or a ``directory`` below the
    firewalld config location holding ``<name>.xml.in``.  When both are
    given ``absolute_path`` wins (logged at debug level).  The rendered
    text is stored under ``FIREWALLD_SERVICE_PREFIX + name``; later calls
    are no-ops because of ``_processed``.
    """
    if self._processed:
        return

    for service in self.environment[osetupcons.NetEnv.FIREWALLD_SERVICES]:
        abs_path = service.get('absolute_path')
        directory = service.get('directory')
        name = service['name']

        if abs_path:
            if directory:
                self._logger.debug(
                    'both absolute_path and directory provided for %s,'
                    ' using absolute_path' % (name,)
                )
            template_path = abs_path
        else:
            # NOTE(review): 'directory' and 'name' are joined into a path
            # unchecked; they are registered by other setup plugins via the
            # environment, not taken from end-user input — confirm.
            template_path = os.path.join(
                osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG,
                directory,
                '%s.xml.in' % name,
            )

        key = otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX + name
        self.environment[key] = outil.processTemplate(
            template=template_path,
            subst=self.environment[osetupcons.NetEnv.FIREWALLD_SUBST],
        )

    self._processed = True
def _jasperConfiguration(self):
    """Write the buildomatic configuration file and return its path.

    The file ``<temproot>/config`` is rendered from
    JASPER_BUILDOMATIC_CONFIG_TEMPALTE with the reports database
    connection settings taken from the environment.

    Returns:
        str: path of the written configuration file.
    """
    env = self.environment
    substitutions = {
        '@PKG_STATE_DIR@': oreportscons.FileLocations.PKG_STATE_DIR,
        '@REPORTS_DB_HOST@': env[oreportscons.DBEnv.HOST],
        '@REPORTS_DB_PORT@': env[oreportscons.DBEnv.PORT],
        '@REPORTS_DB_USER@': env[oreportscons.DBEnv.USER],
        '@REPORTS_DB_PASSWORD@': env[oreportscons.DBEnv.PASSWORD],
        '@REPORTS_DB_DATABASE@': env[oreportscons.DBEnv.DATABASE],
    }

    config = os.path.join(self._temproot, 'config')
    # NOTE(review): the DB password lands in this file in clear text and
    # the file is created with the process umask, so the permissions of
    # _temproot are what protect it — confirm it is not world-readable.
    with open(config, 'w') as f:
        f.write(
            outil.processTemplate(
                template=(
                    oreportscons.FileLocations.
                    JASPER_BUILDOMATIC_CONFIG_TEMPALTE
                ),
                subst=substitutions,
            )
        )
    return config
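def _update_templates(self, aia, templates_map, uninstall_files):
    """Re-render PKI templates with the given AIA URI inside a transaction.

    Args:
        aia: authorityInfoAccess URI substituted for ``@AIA@``.  When
            ``None`` nothing is written (the transaction is still opened
            and closed empty, as before).
        templates_map: mapping of ``.in`` template path to an iterable of
            output file paths generated from it.
        uninstall_files: list that receives every written path.
    """
    localtransaction = transaction.Transaction()
    with localtransaction:
        # The check does not depend on the loop variable; hoisting it
        # avoids iterating the map when there is nothing to substitute.
        if aia is None:
            return
        for in_template, outputs in templates_map.items():
            # Render once per template rather than once per output file.
            content = outil.processTemplate(
                in_template,
                {
                    '@AIA@': aia,
                },
            )
            for output_file in outputs:
                localtransaction.append(
                    filetransaction.FileTransaction(
                        name=output_file,
                        content=content,
                        modifiedList=uninstall_files,
                    ),
                )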
def _get_rules(self):
    """Return the rendered iptables rule set, computing it only once.

    The default rule template (OVIRT_IPTABLES_DEFAULT) has its
    ``@CUSTOM_RULES@`` marker replaced with one ACCEPT line per
    firewalld service port, as produced by ``parseFirewalld``.
    """
    if self._rules is not None:
        return self._rules

    firewalld = process_firewalld_services.Process.getInstance(
        environment=self.environment,
    )
    accept_line = (
        '-A INPUT -p {protocol} -m state '
        '--state NEW -m {protocol} '
        '--dport {port} -j ACCEPT\n'
    )
    custom_rules = firewalld.parseFirewalld(
        format=accept_line,
        portSeparator=':',
    )
    self._rules = outil.processTemplate(
        osetupcons.FileLocations.OVIRT_IPTABLES_DEFAULT,
        subst={
            '@CUSTOM_RULES@': custom_rules,
        },
    )
    return self._rules
def process_firewalld_services(self):
    """Render each registered firewalld service template once.

    For every entry in NetEnv.FIREWALLD_SERVICES the file
    ``<OVIRT_FIREWALLD_CONFIG>/<directory>/<name>.xml.in`` is rendered
    with NetEnv.FIREWALLD_SUBST and stored under
    ``FIREWALLD_SERVICE_PREFIX + name``.  Later calls are no-ops.
    """
    if self._processed:
        return

    for service in self.environment[osetupcons.NetEnv.FIREWALLD_SERVICES]:
        name = service['name']
        template = os.path.join(
            osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG,
            service['directory'],
            '%s.xml.in' % name,
        )
        key = otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX + name
        self.environment[key] = outil.processTemplate(
            template=template,
            subst=self.environment[osetupcons.NetEnv.FIREWALLD_SUBST],
        )

    self._processed = True
def process_firewalld_services(self):
    """Render the firewalld service templates registered in the environment.

    Runs at most once per instance (guarded by ``_processed``).  For each
    service entry the template
    ``<OVIRT_FIREWALLD_CONFIG>/<directory>/<name>.xml.in`` is rendered
    with ``NetEnv.FIREWALLD_SUBST`` and published under
    ``FIREWALLD_SERVICE_PREFIX + name``.
    """
    if self._processed:
        return

    env = self.environment

    def render(entry):
        # Rendered XML for one FIREWALLD_SERVICES entry.
        template = os.path.join(
            osetupcons.FileLocations.OVIRT_FIREWALLD_CONFIG,
            entry['directory'],
            '%s.xml.in' % entry['name'],
        )
        return outil.processTemplate(
            template=template,
            subst=env[osetupcons.NetEnv.FIREWALLD_SUBST],
        )

    for entry in env[osetupcons.NetEnv.FIREWALLD_SERVICES]:
        env[otopicons.NetEnv.FIREWALLD_SERVICE_PREFIX + entry['name']] = (
            render(entry)
        )

    self._processed = True
def _misc(self):
    """Install the engine's Apache configuration fragment.

    Renders HTTPD_CONF_OVIRT_ENGINE_TEMPLATE with the JBoss AJP port,
    writes it to the path held in ApacheEnv.HTTPD_CONF_OVIRT_ENGINE through
    the main transaction, and flags Apache for restart.
    """
    env = self.environment
    env[oengcommcons.ApacheEnv.NEED_RESTART] = True

    fragment = filetransaction.FileTransaction(
        name=env[oenginecons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE],
        content=outil.processTemplate(
            template=(
                oenginecons.FileLocations.HTTPD_CONF_OVIRT_ENGINE_TEMPLATE
            ),
            subst={
                '@JBOSS_AJP_PORT@': env[
                    oengcommcons.ConfigEnv.JBOSS_AJP_PORT
                ],
            },
        ),
        modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
    )
    env[otopicons.CoreEnv.MAIN_TRANSACTION].append(fragment)
def _misc(self):
    """Install the fapolicyd allow rule for the engine runtime directory.

    Renders FAPOLICYD_ALLOW_OVIRT_ENGINE_RULE_TEMPLATE with
    ``@ENGINE_RUNTIME_DIR@`` set to OVIRT_ENGINE_LOCALSTATEDIR, writes it
    to FAPOLICYD_ALLOW_OVIRT_RULE through the main transaction and flags
    fapolicyd for restart.
    """
    env = self.environment
    env[oengcommcons.FapolicydEnv.NEED_RESTART] = True

    # NOTE(review): what the rule permits under the runtime dir is decided
    # by the template, which is not visible here — keep it as narrow as
    # the engine needs.
    substitutions = {
        '@ENGINE_RUNTIME_DIR@': (
            oenginecons.FileLocations.OVIRT_ENGINE_LOCALSTATEDIR
        ),
    }
    rule = filetransaction.FileTransaction(
        name=env[oengcommcons.FapolicydEnv.FAPOLICYD_ALLOW_OVIRT_RULE],
        content=outil.processTemplate(
            template=(
                oengcommcons.FileLocations.
                FAPOLICYD_ALLOW_OVIRT_ENGINE_RULE_TEMPLATE
            ),
            subst=substitutions,
        ),
        modifiedList=env[otopicons.CoreEnv.MODIFIED_FILES],
    )
    env[otopicons.CoreEnv.MAIN_TRANSACTION].append(rule)
def _get_rules(self):
    """Lazily build and cache the engine's iptables rule set.

    ``@CUSTOM_RULES@`` in OVIRT_IPTABLES_DEFAULT is expanded to one
    ``-A INPUT ... -j ACCEPT`` line per port exposed by the registered
    firewalld services.
    """
    if self._rules is None:
        line_format = (
            '-A INPUT -p {protocol} -m state '
            '--state NEW -m {protocol} '
            '--dport {port} -j ACCEPT\n'
        )
        substitutions = {
            '@CUSTOM_RULES@': (
                process_firewalld_services.Process.getInstance(
                    environment=self.environment,
                ).parseFirewalld(
                    format=line_format,
                    portSeparator=':',
                )
            ),
        }
        self._rules = outil.processTemplate(
            osetupcons.FileLocations.OVIRT_IPTABLES_DEFAULT,
            subst=substitutions,
        )
    return self._rules
def misc(self):
    """Write the reports UI descriptor and register its redirect option.

    ``reports.xml`` is rendered from OVIRT_ENGINE_REPORTS_UI into the
    engine local state directory (through the main transaction, tracked in
    the ``ovirt_reports_files`` uninstall group), and the
    ``RedirectServletReportsPage`` vdc option is pointed at
    ``/ovirt-engine-reports``.
    """
    uninstall_files = []
    self.environment[
        osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
    ].addFiles(
        group='ovirt_reports_files',
        fileList=uninstall_files,
    )

    jasper_name = self.environment[oreportscons.JasperEnv.JASPER_NAME]
    if jasper_name == 'ce':
        is_community = 'true'
    else:
        is_community = 'false'

    descriptor = filetransaction.FileTransaction(
        name=os.path.join(
            osetupcons.FileLocations.OVIRT_ENGINE_LOCALSTATEDIR,
            'reports.xml',
        ),
        content=outil.processTemplate(
            template=oreportscons.FileLocations.OVIRT_ENGINE_REPORTS_UI,
            subst={
                '@JASPER_IS_CE@': is_community,
                '@JASPER_NAME@': jasper_name,
            },
        ),
        modifiedList=uninstall_files,
    )
    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(descriptor)

    self.environment[osetupcons.DBEnv.STATEMENT].updateVdcOptions(
        options=(
            {
                'name': 'RedirectServletReportsPage',
                'value': '/ovirt-engine-reports',
            },
        ),
    )
def _misc(self):
    """Queue the engine Apache configuration fragment for installation.

    The fragment is HTTPD_CONF_OVIRT_ENGINE_TEMPLATE rendered with the
    JBoss AJP port; it is appended to the main transaction as a
    FileTransaction targeting ApacheEnv.HTTPD_CONF_OVIRT_ENGINE, and
    Apache is marked for restart.
    """
    self.environment[oengcommcons.ApacheEnv.NEED_RESTART] = True

    target = self.environment[oenginecons.ApacheEnv.HTTPD_CONF_OVIRT_ENGINE]
    ajp_port = self.environment[oengcommcons.ConfigEnv.JBOSS_AJP_PORT]
    rendered = outil.processTemplate(
        template=(
            oenginecons.FileLocations.
            HTTPD_CONF_OVIRT_ENGINE_TEMPLATE
        ),
        subst={
            '@JBOSS_AJP_PORT@': ajp_port,
        },
    )
    modified = self.environment[otopicons.CoreEnv.MODIFIED_FILES]

    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
        filetransaction.FileTransaction(
            name=target,
            content=rendered,
            modifiedList=modified,
        )
    )
def _misc(self):
    """Create the engine CA and enroll the component certificates.

    Renders the CA/cert OpenSSL templates with the engine's own AIA URL,
    runs the CA creation helper, enrolls one certificate per component,
    extracts the PKCS#12 keys that non-Java consumers need, links the
    Apache CA certificate to the engine CA certificate and hands the Java
    keystores to the engine user.  Every generated file is recorded in the
    ``ca_pki`` uninstall group.
    """
    # TODO
    # this implementation is not transactional
    # too many issues with legacy ca implementation
    # need to work this out to allow transactional
    # for now just delete files if we fail
    uninstall_files = []
    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
        self.CATransaction(
            parent=self,
            uninstall_files=uninstall_files,
        )
    )

    self.environment[
        osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
    ].createGroup(
        group='ca_pki',
        description='PKI keys',
        optional=True,
    ).addFiles(
        group='ca_pki',
        fileList=uninstall_files,
    )

    # LEGACY NOTE
    # This is needed for avoiding error in create_ca when supporting
    # max cn length of 64.
    # please DON'T increase this size, any value over 55 will fail the
    # setup. the truncated host-fqdn is concatenated with a random string
    # to create a unique CN value.
    MAX_HOST_FQDN_LEN = 55

    self.logger.info(_('Creating CA'))

    localtransaction = transaction.Transaction()
    with localtransaction:
        # Both templates receive the same AIA: the engine's CA download URL.
        for name in (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
        ):
            localtransaction.append(
                filetransaction.FileTransaction(
                    name=name[:-len('.in')],
                    content=outil.processTemplate(
                        name,
                        {
                            '@AIA@': 'http://%s:%s%s' % (
                                self.environment[
                                    osetupcons.ConfigEnv.FQDN
                                ],
                                self.environment[
                                    oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT
                                ],
                                oenginecons.Const.ENGINE_PKI_CA_URI,
                            )
                        }
                    ),
                    modifiedList=uninstall_files,
                ),
            )

    # The random suffix only makes the CN unique across re-installs; it is
    # not a secret.
    # NOTE(review): the keystore password is passed as an argv element, so
    # it is readable by other local users via the process list while the
    # helper runs — confirm the executor does not log args as well.
    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
            '--subject=/C=%s/O=%s/CN=%s.%s' % (
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.COUNTRY],
                ),
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.ORG],
                ),
                self._subjectComponentEscape(
                    self.environment[
                        osetupcons.ConfigEnv.FQDN
                    ][:MAX_HOST_FQDN_LEN],
                ),
                random.randint(10000, 99999),
            ),
            '--keystore-password=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
        ),
        envAppend={
            'JAVA_HOME': self.environment[
                oengcommcons.ConfigEnv.JAVA_HOME
            ],
        },
    )

    # One certificate per component, all with the host FQDN as CN.
    for name in (
        'engine',
        'apache',
        'jboss',
        'websocket-proxy',
        'reports'
    ):
        self.execute(
            (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                '--name=%s' % name,
                '--password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
                '--subject=/C=%s/O=%s/CN=%s' % (
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[oenginecons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.ConfigEnv.FQDN],
                    ),
                ),
            ),
        )

    uninstall_files.extend(
        (
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
            (
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_CERT
            ),
            (
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_STORE
            ),
        )
    )

    # PKCS#12 extraction writes a private key to --key; logStreams=False
    # presumably keeps the helper's output (which may carry key material)
    # out of the setup log.
    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=websocket-proxy',
            '--passin=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            '--key=%s' % (
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY,
            ),
        ),
        logStreams=False,
    )
    uninstall_files.append(
        oenginecons.FileLocations.
        OVIRT_ENGINE_PKI_LOCAL_WEBSOCKET_PROXY_KEY
    )

    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=reports',
            '--passin=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            '--key=%s' % (
                oenginecons.FileLocations.
                OVIRT_ENGINE_PKI_REPORTS_KEY,
            ),
        ),
        logStreams=False,
    )
    uninstall_files.append(
        oenginecons.FileLocations.
        OVIRT_ENGINE_PKI_REPORTS_KEY
    )

    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=apache',
            '--passin=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
            '--key=%s' % (
                oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
            ),
        ),
        logStreams=False,
    )
    uninstall_files.append(
        oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
    )

    # Apache trusts the engine CA through a symlink; an existing file
    # (e.g. a user-provided CA) is left untouched.  The exists/symlink pair
    # is not atomic.
    if not os.path.exists(
        oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
    ):
        os.symlink(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )
        uninstall_files.append(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )

    # The Java keystores are handed to the engine user (group unchanged).
    for f in (
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
    ):
        os.chown(
            f,
            osetuputil.getUid(
                self.environment[osetupcons.SystemEnv.USER_ENGINE]
            ),
            -1,
        )
def _misc(self):
    """Create the engine CA and enroll the initial certificates.

    Renders the CA/cert OpenSSL templates with the engine's own AIA URL,
    runs the CA creation helper, records the generated files for
    uninstall, links the Apache CA certificate to the engine CA
    certificate and finally enrolls the component certificates through
    ``_enrollCertificates``.
    """
    self._enabled = True

    # TODO
    # this implementation is not transactional
    # too many issues with legacy ca implementation
    # need to work this out to allow transactional
    # for now just delete files if we fail
    uninstall_files = []
    self._setupUninstall(uninstall_files)
    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
        self.CATransaction(
            parent=self,
            uninstall_files=uninstall_files,
        )
    )

    # LEGACY NOTE
    # This is needed for avoiding error in create_ca when supporting
    # max cn length of 64.
    # please DON'T increase this size, any value over 55 will fail the
    # setup. the truncated host-fqdn is concatenated with a random string
    # to create a unique CN value.
    MAX_HOST_FQDN_LEN = 55

    self.logger.info(_('Creating CA'))

    localtransaction = transaction.Transaction()
    with localtransaction:
        # Both templates receive the same AIA: the engine's CA download URL.
        for name in (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
        ):
            localtransaction.append(
                filetransaction.FileTransaction(
                    name=name[:-len('.in')],
                    content=outil.processTemplate(
                        name,
                        {
                            '@AIA@': 'http://%s:%s%s' % (
                                self.environment[
                                    osetupcons.ConfigEnv.FQDN
                                ],
                                self.environment[
                                    oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT
                                ],
                                oenginecons.Const.ENGINE_PKI_CA_URI,
                            )
                        }
                    ),
                    modifiedList=uninstall_files,
                ),
            )

    # The random suffix only makes the CN unique across re-installs; it is
    # not a secret.
    # NOTE(review): the keystore password is passed as an argv element, so
    # it is readable by other local users via the process list while the
    # helper runs — confirm the executor does not log args as well.
    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
            '--subject=/C=%s/O=%s/CN=%s.%s' % (
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.COUNTRY],
                ),
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.ORG],
                ),
                self._subjectComponentEscape(
                    self.environment[
                        osetupcons.ConfigEnv.FQDN
                    ][:MAX_HOST_FQDN_LEN],
                ),
                random.randint(10000, 99999),
            ),
            '--keystore-password=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
        ),
        envAppend={
            'JAVA_HOME': self.environment[
                oengcommcons.ConfigEnv.JAVA_HOME
            ],
        },
    )

    uninstall_files.extend(
        (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
        )
    )

    # Apache trusts the engine CA through a symlink; an existing file
    # (e.g. a user-provided CA) is left untouched.  The exists/symlink pair
    # is not atomic.
    if not os.path.exists(
        oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
    ):
        os.symlink(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )
        uninstall_files.append(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )

    # False: fresh enrollment, not a renewal.
    self._enrollCertificates(False, uninstall_files)
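def _miscUpgrade(self):
    """Upgrade the engine CA: recover subject data, refresh templates, renew.

    Steps, in order:

    1. Setups older than 3.6 did not persist organization and country;
       when ``PKIEnv.ORG`` is unset both are read back from the subject of
       the existing CA certificate.
    2. Legacy AIA handling (see note below): the possibly user-edited
       ``authorityInfoAccess`` URI is read from the generated template and
       substituted into freshly rendered templates.
    3. If the CA certificate is expired (``_expired``) it is renewed in
       place and ``_ca_was_renewed`` is set.
    4. Component certificates are re-enrolled via ``_enrollCertificates``.
    """
    #
    # In <3.6 setup did not store the organization and
    # country in post install file. Load it from CA certificate.
    #
    if self.environment[oenginecons.PKIEnv.ORG] is None:
        ca = X509.load_cert(
            oenginecons.FileLocations.
            OVIRT_ENGINE_PKI_ENGINE_CA_CERT
        )
        subject = ca.get_subject()
        self.environment[
            oenginecons.PKIEnv.ORG
        ] = subject.get_entries_by_nid(
            X509.X509_Name.nid['O']
        )[0].get_data().as_text()
        self.environment[
            oenginecons.PKIEnv.COUNTRY
        ] = subject.get_entries_by_nid(
            X509.X509_Name.nid['C']
        )[0].get_data().as_text()

    self.logger.info(_('Upgrading CA'))

    #
    # LEGACY NOTE
    # Since 3.0 and maybe before the method of
    # allowing user to override AIA was to explicitly
    # edit files. Until we rewrite the entire PKI
    # we must preserve this approach.
    # The template may change over time, so regenerate.
    #
    aia = None
    template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
        :-len('.in')
    ]
    if os.path.exists(template):
        PREFIX = 'caIssuers;URI:'
        with open(template) as f:
            # splitlines() drops the line terminator that readlines()
            # keeps, so the URI is not substituted with a trailing newline.
            # Only take the URI when the prefix is really present: the old
            # find()-based slice produced a garbage value on a -1 result.
            for line in f.read().splitlines():
                if line.startswith('authorityInfoAccess'):
                    if PREFIX in line:
                        aia = line.split(PREFIX, 1)[1]
                    break

    uninstall_files = []
    self._setupUninstall(uninstall_files)

    if aia is not None:
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                # Render once; both output names get identical content.
                content = outil.processTemplate(
                    name,
                    {
                        '@AIA@': aia,
                    }
                )
                for output in (
                    name[:-len('.in')],
                    name[:-len('.template.in')] + '.conf',
                ):
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=output,
                            content=content,
                            modifiedList=uninstall_files,
                        ),
                    )

    if self._expired(
        X509.load_cert(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
        )
    ):
        self._ca_was_renewed = True
        self.logger.info(_('Renewing CA'))
        # NOTE(review): the keystore password is passed as an argv element,
        # so it is readable by other local users via the process list while
        # the helper runs — confirm the executor does not log args as well.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--renew',
                '--keystore-password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    oengcommcons.ConfigEnv.JAVA_HOME
                ],
            },
        )

    # True: renewal pass over the existing component certificates.
    self._enrollCertificates(True, uninstall_files)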
def daemonSetup(self):
    """Prepare the DWH daemon: configuration, JVM, settings file, argv.

    Raises:
        RuntimeError: when running as root (euid 0) or when the defaults
            file ``self._defaults`` does not exist.

    Side effects: sets ``_config``, ``_executable``, ``_tempDir``,
    ``_serviceArgs`` and ``_serviceEnv``; writes ``settings.properties``
    into a freshly created temporary directory.
    """
    if os.geteuid() == 0:
        raise RuntimeError(
            _('This service cannot be executed as root')
        )
    if not os.path.exists(self._defaults):
        raise RuntimeError(
            _(
                "The configuration defaults file '{file}' "
                "required but missing"
            ).format(
                file=self._defaults,
            )
        )

    self._config = configfile.ConfigFile(
        (
            self._defaults,
            config.DWH_VARS,
        ),
    )

    #
    # Resolve java first so a missing JDK aborts before anything is
    # written to disk.
    #
    self._executable = os.path.join(
        java.Java().getJavaHome(),
        'bin',
        'java',
    )

    self._checkInstallation(
        pidfile=self.pidfile,
    )

    self._tempDir = service.TempDir()
    self._tempDir.create()

    # Every configuration value is exposed to the template as @KEY@ with
    # the characters meaningful in a .properties file escaped.
    # NOTE(review): the whole configuration, including any credentials it
    # holds, is written to this file; the temp directory's permissions are
    # what protect it — confirm.
    settings = os.path.join(self._tempDir.directory, 'settings.properties')
    with open(settings, 'w') as f:
        properties = dict(
            ('@%s@' % key, util.escape(value, ':=\\ '))
            for (key, value) in self._config.values.items()
        )
        f.write(
            util.processTemplate(
                os.path.join(
                    self._config.get('PKG_DATA_DIR'),
                    'conf',
                    'settings.properties.in'
                ),
                properties,
            )
        )

    self._serviceArgs = [
        'ovirt-engine-dwhd',
        '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
        # java heap size
        '-Xms%s' % self._config.get('DWH_HEAP_MIN'),
        '-Xmx%s' % self._config.get('DWH_HEAP_MAX'),
    ]

    # DWH_PROPERTIES entries become -D system properties; entries that
    # already carry the prefix are passed through.
    for engineProperty in shlex.split(self._config.get('DWH_PROPERTIES')):
        if not engineProperty.startswith('-D'):
            engineProperty = '-D' + engineProperty
        self._serviceArgs.append(engineProperty)
    self._serviceArgs.extend(shlex.split(self._config.get('DWH_JVM_ARGS')))

    engineDebugAddress = self._config.get('DWH_DEBUG_ADDRESS')
    if engineDebugAddress:
        # NOTE(review): this starts a JDWP listener (server=y) on the
        # configured address; JDWP has no authentication of its own, so
        # DWH_DEBUG_ADDRESS is for development only.
        self._serviceArgs.append(
            (
                '-Xrunjdwp:transport=dt_socket,address=%s,'
                'server=y,suspend=n'
            ) % (
                engineDebugAddress
            )
        )

    if self._config.getboolean('DWH_VERBOSE_GC'):
        self._serviceArgs.extend([
            '-verbose:gc',
            '-XX:+PrintGCTimeStamps',
            '-XX:+PrintGCDetails',
        ])

    self._serviceArgs.extend([
        '-classpath',
        '%s:%s' % (
            os.path.join(
                self._config.get('PKG_JAVA_LIB'),
                '*',
            ),
            self._getClasspath(),
        ),
        'ovirt_engine_dwh.historyetl_4_3.HistoryETL',
        '--context=Default',
    ])

    self._serviceEnv = os.environ.copy()
    self._serviceEnv.update({
        'PATH': (
            '/usr/local/sbin:/usr/local/bin:'
            '/usr/sbin:/usr/bin:/sbin:/bin'
        ),
        'LANG': 'en_US.UTF-8',
        'LC_ALL': 'en_US.UTF-8',
    })
def daemonSetup(self):
    """Set up the DWH service: refuse root, load config, build the JVM argv.

    Raises:
        RuntimeError: if the effective uid is 0, or if the defaults file
            named by ``self._defaults`` is missing.

    Side effects: assigns ``_config``, ``_executable``, ``_tempDir``,
    ``_serviceArgs`` and ``_serviceEnv``, and writes
    ``settings.properties`` into the new temporary directory.
    """
    if os.geteuid() == 0:
        raise RuntimeError(
            _('This service cannot be executed as root')
        )
    if not os.path.exists(self._defaults):
        raise RuntimeError(
            _(
                "The configuration defaults file '{file}' "
                "required but missing"
            ).format(
                file=self._defaults,
            )
        )

    self._config = configfile.ConfigFile(
        (
            self._defaults,
            config.DWH_VARS,
        ),
    )
    cfg = self._config.get

    # Locate java before anything else so a missing JDK fails fast.
    self._executable = os.path.join(
        java.Java().getJavaHome(),
        'bin',
        'java',
    )

    self._checkInstallation(
        pidfile=self.pidfile,
    )

    self._tempDir = service.TempDir()
    self._tempDir.create()

    settings = os.path.join(self._tempDir.directory, 'settings.properties')
    # NOTE(review): every configuration variable (credentials included,
    # if any) is written to this file, relying on the temp directory's
    # permissions for protection — confirm.
    with open(settings, 'w') as f:
        template = os.path.join(
            cfg('PKG_DATA_DIR'),
            'conf',
            'settings.properties.in'
        )
        # @KEY@ -> value with .properties metacharacters escaped
        subst = dict(
            ('@%s@' % k, util.escape(v, ':=\\ '))
            for (k, v) in self._config.values.items()
        )
        f.write(util.processTemplate(template, subst))

    self._serviceArgs = [
        'ovirt-engine-dwhd',
        '-Dorg.ovirt.engine.dwh.settings=%s' % settings,
    ]
    # java heap size
    self._serviceArgs += [
        '-Xms%s' % cfg('DWH_HEAP_MIN'),
        '-Xmx%s' % cfg('DWH_HEAP_MAX'),
    ]
    # system properties, normalised to carry the -D prefix
    self._serviceArgs += [
        prop if prop.startswith('-D') else '-D' + prop
        for prop in shlex.split(cfg('DWH_PROPERTIES'))
    ]
    self._serviceArgs += shlex.split(cfg('DWH_JVM_ARGS'))

    engineDebugAddress = cfg('DWH_DEBUG_ADDRESS')
    if engineDebugAddress:
        # NOTE(review): server=y opens a JDWP listener on that address;
        # JDWP carries no authentication, so leave DWH_DEBUG_ADDRESS unset
        # outside development.
        self._serviceArgs.append(
            (
                '-Xrunjdwp:transport=dt_socket,address=%s,'
                'server=y,suspend=n'
            ) % (
                engineDebugAddress
            )
        )

    if self._config.getboolean('DWH_VERBOSE_GC'):
        self._serviceArgs += [
            '-verbose:gc',
            '-XX:+PrintGCTimeStamps',
            '-XX:+PrintGCDetails',
        ]

    classpath = '%s:%s' % (
        os.path.join(
            cfg('PKG_JAVA_LIB'),
            '*',
        ),
        self._getClasspath(),
    )
    self._serviceArgs += [
        '-classpath',
        classpath,
        'ovirt_engine_dwh.historyetl_4_4.HistoryETL',
        '--context=Default',
    ]

    self._serviceEnv = os.environ.copy()
    self._serviceEnv.update({
        'PATH': (
            '/usr/local/sbin:/usr/local/bin:'
            '/usr/sbin:/usr/bin:/sbin:/bin'
        ),
        'LANG': 'en_US.UTF-8',
        'LC_ALL': 'en_US.UTF-8',
    })
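def _miscUpgrade(self):
    """Upgrade the engine CA: refresh templates and fix a legacy notBefore.

    Legacy AIA handling (first note below): the possibly user-edited
    ``authorityInfoAccess`` URI is read back from the generated template
    and substituted into freshly rendered templates.  Afterwards the CA
    certificate is reissued (``--renew``) when its notBefore carries no
    timezone (second note below), and ``_ca_was_renewed`` records that.
    """
    self.logger.info(_('Upgrading CA'))

    #
    # LEGACY NOTE
    # Since 3.0 and maybe before the method of
    # allowing user to override AIA was to explicitly
    # edit files. Until we rewrite the entire PKI
    # we must preserve this approach.
    # The template may change over time, so regenerate.
    #
    aia = None
    template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[:-len(
        '.in')]
    if os.path.exists(template):
        PREFIX = 'caIssuers;URI:'
        with open(template) as f:
            # splitlines() drops the line terminator that readlines()
            # keeps, so the URI is not substituted with a trailing newline.
            # Only take the URI when the prefix is really present: the old
            # find()-based slice produced a garbage value on a -1 result.
            for line in f.read().splitlines():
                if line.startswith('authorityInfoAccess'):
                    if PREFIX in line:
                        aia = line.split(PREFIX, 1)[1]
                    break

    uninstall_files = []
    self._setupUninstall(uninstall_files)

    if aia is not None:
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                # Render once; both output names get identical content.
                content = outil.processTemplate(
                    name,
                    {
                        '@AIA@': aia,
                    })
                for output in (
                    name[:-len('.in')],
                    name[:-len('.template.in')] + '.conf',
                ):
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=output,
                            content=content,
                            modifiedList=uninstall_files,
                        ),
                    )

    #
    # LEGACY NOTE
    # Since 3.0 and maybe before the CA certificate's
    # notBefore attribute was set using timezone offset
    # instead of Z
    # in this case we need to reissue CA certificate.
    #
    x509 = X509.load_cert(
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT)
    if x509.get_not_before().get_datetime().tzname() is None:
        self._ca_was_renewed = True
        self.logger.info(_('Renewing CA'))
        # NOTE(review): the keystore password is passed as an argv element,
        # so it is readable by other local users via the process list while
        # the helper runs — confirm the executor does not log args as well.
        self.execute(
            args=(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                '--renew',
                '--keystore-password=%s' % (
                    self.environment[oenginecons.PKIEnv.STORE_PASS],
                ),
            ),
            envAppend={
                'JAVA_HOME': self.environment[
                    oengcommcons.ConfigEnv.JAVA_HOME
                ],
            },
        )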
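def _miscUpgrade(self):
    """Upgrade the engine CA: recover subject data, refresh templates, renew.

    Steps, in order:

    1. Setups older than 3.6 did not persist organization and country;
       when ``PKIEnv.ORG`` is unset both are read back from the subject of
       the existing CA certificate.
    2. Legacy AIA handling (see note below): the possibly user-edited
       ``authorityInfoAccess`` URI is read from the generated template and
       substituted into freshly rendered templates.
    3. When ``PKIEnv.RENEW`` is set: an expired CA certificate is renewed
       in place (``_ca_was_renewed`` records it) and the component
       certificates are re-enrolled.
    4. If a CA certificate exists, any missing component certificates are
       enrolled as well.
    """
    #
    # In <3.6 setup did not store the organization and
    # country in post install file. Load it from CA certificate.
    #
    if self.environment[oenginecons.PKIEnv.ORG] is None:
        ca = self._x509_load_cert(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT)
        subject = ca.get_subject()
        self.environment[
            oenginecons.PKIEnv.ORG] = subject.get_entries_by_nid(
                X509.X509_Name.nid['O'])[0].get_data().as_text()
        self.environment[
            oenginecons.PKIEnv.COUNTRY] = subject.get_entries_by_nid(
                X509.X509_Name.nid['C'])[0].get_data().as_text()

    self.logger.info(_('Upgrading CA'))

    #
    # LEGACY NOTE
    # Since 3.0 and maybe before the method of
    # allowing user to override AIA was to explicitly
    # edit files. Until we rewrite the entire PKI
    # we must preserve this approach.
    # The template may change over time, so regenerate.
    #
    aia = None
    template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[:-len(
        '.in')]
    if os.path.exists(template):
        PREFIX = 'caIssuers;URI:'
        with open(template) as f:
            # Only take the URI when the prefix is really present: the old
            # find()-based slice produced a garbage value on a -1 result.
            for line in f.read().splitlines():
                if line.startswith('authorityInfoAccess'):
                    if PREFIX in line:
                        aia = line.split(PREFIX, 1)[1]
                    break

    uninstall_files = []
    self._setupUninstall(uninstall_files)

    if aia is not None:
        localtransaction = transaction.Transaction()
        with localtransaction:
            for name in (
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
            ):
                # Render once; both output names get identical content.
                content = outil.processTemplate(
                    name,
                    {
                        '@AIA@': aia,
                    })
                for output in (
                    name[:-len('.in')],
                    name[:-len('.template.in')] + '.conf',
                ):
                    localtransaction.append(
                        filetransaction.FileTransaction(
                            name=output,
                            content=content,
                            modifiedList=uninstall_files,
                        ),
                    )

    if self.environment[oenginecons.PKIEnv.RENEW]:
        if self._expired(
            self._x509_load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT)):
            self._ca_was_renewed = True
            self.logger.info(_('Renewing CA'))
            # NOTE(review): the keystore password is passed as an argv
            # element, so it is readable by other local users via the
            # process list while the helper runs — confirm the executor
            # does not log args as well.
            self.execute(
                args=(
                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
                    '--renew',
                    '--keystore-password=%s' % (
                        self.environment[oenginecons.PKIEnv.STORE_PASS],
                    ),
                ),
                envAppend={
                    'JAVA_HOME': self.environment[
                        oengcommcons.ConfigEnv.JAVA_HOME
                    ],
                },
            )
        # True: renewal pass over the existing component certificates.
        self._enrollCertificates(True, uninstall_files)

    # Also enroll missing parts on upgrade
    if os.path.exists(
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT):
        self._enrollCertificates(False, uninstall_files)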
def _misc(self):
    """Create the engine CA and enroll the initial certificates.

    Renders the CA/cert OpenSSL templates with the engine's own AIA URL,
    runs the CA creation helper, records the generated files for
    uninstall, links the Apache CA certificate to the engine CA
    certificate and finally enrolls the component certificates through
    ``_enrollCertificates``.
    """
    self._enabled = True

    # TODO
    # this implementation is not transactional
    # too many issues with legacy ca implementation
    # need to work this out to allow transactional
    # for now just delete files if we fail
    uninstall_files = []
    self._setupUninstall(uninstall_files)
    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
        self.CATransaction(
            parent=self,
            uninstall_files=uninstall_files,
        ))

    # LEGACY NOTE
    # This is needed for avoiding error in create_ca when supporting
    # max cn length of 64.
    # please DON'T increase this size, any value over 55 will fail the
    # setup. the truncated host-fqdn is concatenated with a random string
    # to create a unique CN value.
    MAX_HOST_FQDN_LEN = 55

    self.logger.info(_('Creating CA'))

    localtransaction = transaction.Transaction()
    with localtransaction:
        # Both templates receive the same AIA: the engine's CA download URL.
        for name in (
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
        ):
            localtransaction.append(
                filetransaction.FileTransaction(
                    name=name[:-len('.in')],
                    content=outil.processTemplate(
                        name,
                        {
                            '@AIA@': 'http://%s:%s%s' % (
                                self.environment[
                                    osetupcons.ConfigEnv.FQDN],
                                self.environment[
                                    oengcommcons.ConfigEnv.PUBLIC_HTTP_PORT],
                                oenginecons.Const.ENGINE_PKI_CA_URI,
                            )
                        }),
                    modifiedList=uninstall_files,
                ),
            )

    # The random suffix only makes the CN unique across re-installs; it is
    # not a secret.
    # NOTE(review): the keystore password is passed as an argv element, so
    # it is readable by other local users via the process list while the
    # helper runs — confirm the executor does not log args as well.
    self.execute(
        args=(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
            '--subject=/C=%s/O=%s/CN=%s.%s' % (
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.COUNTRY],
                ),
                self._subjectComponentEscape(
                    self.environment[oenginecons.PKIEnv.ORG],
                ),
                self._subjectComponentEscape(
                    self.environment[osetupcons.ConfigEnv.FQDN]
                    [:MAX_HOST_FQDN_LEN],
                ),
                random.randint(10000, 99999),
            ),
            '--keystore-password=%s' % (
                self.environment[oenginecons.PKIEnv.STORE_PASS],
            ),
        ),
        envAppend={
            'JAVA_HOME': self.environment[
                oengcommcons.ConfigEnv.JAVA_HOME
            ],
        },
    )

    uninstall_files.extend((
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
        oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
    ))

    # Apache trusts the engine CA through a symlink; an existing file
    # (e.g. a user-provided CA) is left untouched.  The exists/symlink pair
    # is not atomic.
    if not os.path.exists(
        oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT):
        os.symlink(
            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT)
        uninstall_files.append(
            oengcommcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT)

    # False: fresh enrollment, not a renewal.
    self._enrollCertificates(False, uninstall_files)
def _misc(self):
    """Create the engine CA and enroll the engine, apache and jboss certs.

    Renders the CA/cert OpenSSL templates with the engine's own AIA URL,
    runs the CA creation helper, enrolls one certificate per component,
    extracts the Apache PKCS#12 key, links the Apache CA certificate to
    the engine CA certificate and hands the Java keystores to the engine
    user.  Every generated file is recorded in the ``ca_pki`` uninstall
    group.
    """
    # TODO
    # this implementation is not transactional
    # too many issues with legacy ca implementation
    # need to work this out to allow transactional
    # for now just delete files if we fail
    uninstall_files = []
    self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
        self.CATransaction(
            parent=self,
            uninstall_files=uninstall_files,
        )
    )

    self.environment[
        osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
    ].createGroup(
        group='ca_pki',
        description='PKI keys',
        optional=True,
    ).addFiles(
        group='ca_pki',
        fileList=uninstall_files,
    )

    # LEGACY NOTE
    # This is needed for avoiding error in create_ca when supporting
    # max cn length of 64.
    # please DON'T increase this size, any value over 55 will fail the
    # setup. the truncated host-fqdn is concatenated with a random string
    # to create a unique CN value.
    MAX_HOST_FQDN_LEN = 55

    self.logger.info(_('Creating CA'))

    localtransaction = transaction.Transaction()
    with localtransaction:
        # Both templates receive the same AIA: the engine's CA download URL.
        for name in (
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
        ):
            localtransaction.append(
                filetransaction.FileTransaction(
                    name=name[:-len('.in')],
                    content=outil.processTemplate(
                        name,
                        {
                            '@AIA@': 'http://%s:%s%s' % (
                                self.environment[
                                    osetupcons.ConfigEnv.FQDN
                                ],
                                self.environment[
                                    osetupcons.ConfigEnv.PUBLIC_HTTP_PORT
                                ],
                                osetupcons.Const.ENGINE_PKI_CA_URI,
                            )
                        }
                    ),
                    modifiedList=uninstall_files,
                ),
            )

    # The random suffix only makes the CN unique across re-installs; it is
    # not a secret.
    # NOTE(review): the keystore password is passed as an argv element, so
    # it is readable by other local users via the process list while the
    # helper runs — confirm the executor does not log args as well.
    self.execute(
        args=(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
            '--subject=/C=%s/O=%s/CN=%s.%s' % (
                self._subjectComponentEscape(
                    self.environment[osetupcons.PKIEnv.COUNTRY],
                ),
                self._subjectComponentEscape(
                    self.environment[osetupcons.PKIEnv.ORG],
                ),
                self._subjectComponentEscape(
                    self.environment[
                        osetupcons.ConfigEnv.FQDN
                    ][:MAX_HOST_FQDN_LEN],
                ),
                random.randint(10000, 99999),
            ),
            '--keystore-password=%s' % (
                self.environment[osetupcons.PKIEnv.STORE_PASS],
            ),
        ),
        envAppend={
            'JAVA_HOME': self.environment[
                osetupcons.ConfigEnv.JAVA_HOME
            ],
        },
    )

    # One certificate per component, all with the host FQDN as CN.
    for name in ('engine', 'apache', 'jboss'):
        self.execute(
            (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_ENROLL,
                '--name=%s' % name,
                '--password=%s' % (
                    self.environment[osetupcons.PKIEnv.STORE_PASS],
                ),
                '--subject=/C=%s/O=%s/CN=%s' % (
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.COUNTRY],
                    ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.PKIEnv.ORG],
                    ),
                    self._subjectComponentEscape(
                        self.environment[osetupcons.ConfigEnv.FQDN],
                    ),
                ),
            ),
        )

    uninstall_files.extend(
        (
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_KEY,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CERT,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_TRUST_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_CA_CERT_CONF,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_CERT_CONF,
        )
    )

    # PKCS#12 extraction writes a private key to --key; logStreams=False
    # presumably keeps the helper's output (which may carry key material)
    # out of the setup log.
    self.execute(
        args=(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT,
            '--name=apache',
            '--passin=%s' % (
                self.environment[osetupcons.PKIEnv.STORE_PASS],
            ),
            '--key=%s' % (
                osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY,
            ),
        ),
        logStreams=False,
    )
    uninstall_files.append(
        osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY
    )

    # Apache trusts the engine CA through a symlink; an existing file
    # (e.g. a user-provided CA) is left untouched.  The exists/symlink pair
    # is not atomic.
    if not os.path.exists(
        osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
    ):
        os.symlink(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT,
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )
        uninstall_files.append(
            osetupcons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CA_CERT
        )

    # The Java keystores are handed to the engine user (group unchanged).
    for f in (
        osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_STORE,
        osetupcons.FileLocations.OVIRT_ENGINE_PKI_JBOSS_STORE,
    ):
        os.chown(
            f,
            osetuputil.getUid(
                self.environment[osetupcons.SystemEnv.USER_ENGINE]
            ),
            -1,
        )