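def _getSSH(self):
    """Install the engine's SSH public key into root's authorized_keys.

    The key is fetched from the hosted-engine FQDN through the PKI helper,
    using the CA file recorded in ``EngineEnv.TEMPORARY_CERT_FILE`` (set by
    ``_getCA``) for TLS validation.  It is merged into
    ``~root/.ssh/authorized_keys`` by ``mergeAuthKeysFile`` and written back
    through an otopi FileTransaction as a root-owned 0600 file that is also
    recorded in ``CoreEnv.MODIFIED_FILES``.  When SELinux is enabled the
    context of ``~root/.ssh`` is restored afterwards; a failure there is
    logged but is not fatal.
    """
    pkihelper = pkissh.PKIHelper()
    # NOTE(review): TEMPORARY_CERT_FILE is None once insecure mode was chosen
    # in _getCA; presumably getSSHkey then skips TLS validation -- verify in
    # pkissh before relying on it.
    authorized_keys_line = pkihelper.getSSHkey(
        fqdn=self.environment[
            ohostedcons.NetworkEnv.OVIRT_HOSTED_ENGINE_FQDN
        ],
        ca_certs=self.environment[
            ohostedcons.EngineEnv.TEMPORARY_CERT_FILE
        ],
    )
    ssh_dir = os.path.join(os.path.expanduser('~root'), '.ssh')
    authorized_keys_file = os.path.join(ssh_dir, 'authorized_keys')
    content = pkihelper.mergeAuthKeysFile(
        authorized_keys_file,
        authorized_keys_line,
    )
    with transaction.Transaction() as localtransaction:
        localtransaction.append(
            filetransaction.FileTransaction(
                name=authorized_keys_file,
                content=content,
                # Root-only, read/write: authorized_keys must never be
                # world-readable or group-writable.  enforcePermissions=True
                # presumably re-applies mode/owner even when the file already
                # exists -- see otopi's filetransaction.
                mode=0o600,
                owner='root',
                enforcePermissions=True,
                modifiedList=self.environment[
                    otopicons.CoreEnv.MODIFIED_FILES
                ],
            )
        )
    if self._selinux_enabled:
        try:
            selinux.restorecon(ssh_dir, recursive=True)
        except OSError as ex:
            # str(ex), not ex.message: the .message attribute only exists on
            # Python 2 exceptions and would raise AttributeError here on 3.
            self.logger.error(
                _(
                    'Failed to refresh SELINUX context for {path}: {ex}'
                ).format(
                    path=ssh_dir,
                    ex=str(ex),
                )
            )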
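def _getCA(self):
    """Fetch the engine CA certificate into a temporary file and validate it.

    The certificate is fetched from the hosted-engine FQDN via the PKI
    helper and validated against the custom CA file at
    ``FileLocations.SYS_CUSTOMCA_CERT`` when that file exists, otherwise
    against the internal CA.  The temporary file path is published in
    ``EngineEnv.TEMPORARY_CERT_FILE`` for later steps (``_getSSH``).

    ``EngineEnv.INSECURE_SSL`` controls the fallback:

    * truthy -- no validation is attempted (the empty temp file stays);
    * ``False`` -- non-interactive: an untrusted certificate raises
      ``RuntimeError`` (fail closed);
    * anything else (normally unset) -- interactive: the user is asked
      whether to continue in insecure mode, default ``No``; answering
      ``No`` retries, so a CA file can be placed at the custom CA path in
      the meantime.  Answering ``Yes`` records ``INSECURE_SSL = True``,
      removes the temp file and clears ``TEMPORARY_CERT_FILE``.

    Raises:
        RuntimeError: if the certificate file cannot be written, or if the
            certificate is untrusted and no interactive fallback is allowed.
    """
    fqdn = self.environment[ohostedcons.NetworkEnv.OVIRT_HOSTED_ENGINE_FQDN]
    # Only the path is needed; the descriptor is closed immediately.
    fd, cert = tempfile.mkstemp(
        prefix='engine-ca',
        suffix='.crt',
    )
    os.close(fd)
    self.environment[ohostedcons.EngineEnv.TEMPORARY_CERT_FILE] = cert

    insecure_ssl = self.environment[ohostedcons.EngineEnv.INSECURE_SSL]
    # NOTE(review): when INSECURE_SSL is already truthy the (empty) temp file
    # stays referenced by TEMPORARY_CERT_FILE, unlike the interactive
    # insecure path below which clears it -- confirm _getSSH copes with both.
    valid = bool(insecure_ssl)
    # Only an explicit False forbids the prompt; unset keeps it available.
    interactive = insecure_ssl is not False

    custom_ca = ohostedcons.FileLocations.SYS_CUSTOMCA_CERT
    pkihelper = pkissh.PKIHelper()
    while not valid:
        # Re-evaluated on every pass: the user may have dropped a CA file at
        # the custom path while sitting at the prompt.
        cafile = custom_ca if os.path.isfile(custom_ca) else None
        try:
            content = pkihelper.getPKICert(fqdn, cafile)
        except RuntimeError as ex:
            # The message placeholder was missing from the format string, so
            # the underlying error never reached the log; str(ex) is also
            # the Python 2/3 portable spelling of ex.message.
            self.logger.error(
                _('Error acquiring CA cert: {message}').format(
                    message=str(ex),
                )
            )
        else:
            try:
                with open(cert, 'w') as fileobj:
                    fileobj.write(content)
            except EnvironmentError as ex:
                raise RuntimeError('Unable to write cert file: ' + str(ex))
            if pkihelper.validateCA(fqdn, cert):
                valid = True

        if valid:
            break
        if not interactive:
            # Non-interactive runs must not silently downgrade to insecure.
            raise RuntimeError('Failed trusting the REST API cert')

        catype = _('custom') if cafile else _('internal')
        answer = self.dialog.queryString(
            name='SSL_VALIDATE_CA',
            note=_(
                'The REST API cert couldn\'t be trusted with the '
                '{catype} CA cert\n'
                'Would you like to continue in insecure mode '
                '(not recommended)?\n'
                'If not, please provide your CA cert at {path} '
                'before continuing\n'
                '(@VALUES@)[@DEFAULT@]? '
            ).format(
                catype=catype,
                path=custom_ca,
            ),
            prompt=True,
            validValues=(_('Yes'), _('No')),
            caseSensitive=False,
            default=_('No'),
        )
        if answer == _('Yes').lower():
            # Explicit operator opt-in: persist the choice and drop the
            # unvalidated cert so nothing downstream trusts it by accident.
            valid = True
            self.environment[ohostedcons.EngineEnv.INSECURE_SSL] = True
            cert = self.environment[ohostedcons.EngineEnv.TEMPORARY_CERT_FILE]
            if cert is not None and os.path.exists(cert):
                os.unlink(cert)
            self.environment[ohostedcons.EngineEnv.TEMPORARY_CERT_FILE] = None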