def _generate_client(parent_path):
    """Create the client TLS key pair under ``parent_path/client``.

    Generates a 4096-bit RSA key, a CSR with subject ``/CN=client`` and a
    certificate signed by ``ca.pem``/``ca-key.pem`` from ``parent_path`` that
    carries ``extendedKeyUsage = clientAuth``.  The CSR and the extension
    file are removed afterwards (even when signing fails) and ``ca.pem`` is
    copied next to the resulting ``cert.pem``/``key.pem``.

    Args:
        parent_path: directory holding the CA material; the ``client``
            subdirectory is created here and must not exist yet.
    """
    prefix = os.path.join(parent_path, "client")
    key_path = os.path.join(prefix, 'key.pem')
    csr_path = os.path.join(prefix, 'client.csr')
    cert_path = os.path.join(prefix, 'cert.pem')
    ext_path = os.path.join(prefix, 'extfile.cnf')
    ca_cert = os.path.join(parent_path, 'ca.pem')
    ca_key = os.path.join(parent_path, 'ca-key.pem')

    os.makedirs(prefix)
    # NOTE(review): the directory and key.pem take the process umask; confirm
    # the caller keeps this tree readable by the service user only.
    util.runlocal(['openssl', 'genrsa', '-out', key_path, '4096'])
    try:
        util.runlocal(['openssl', 'req', '-subj', '/CN=client', '-new',
                       '-key', key_path, '-out', csr_path])
        # Written via "./extfile.cnf" but signed with "extfile.cnf": same file.
        util.write_file(os.path.join(prefix, './extfile.cnf'),
                        'extendedKeyUsage = clientAuth')
        util.runlocal(['openssl', 'x509', '-req', '-sha256',
                       '-days', "%d" % CERTIFICATE_DAYSTOBEVALID,
                       '-in', csr_path,
                       '-CA', ca_cert, '-CAkey', ca_key, '-CAcreateserial',
                       '-out', cert_path, '-extfile', ext_path])
    finally:
        # Intermediate artefacts are dropped whether or not signing succeeded.
        _delete_if_exists(prefix, ['extfile.cnf', 'client.csr'])
    shutil.copyfile(ca_cert, os.path.join(prefix, 'ca.pem'))
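def create_config_drive_iso(session, userdata_template, vmuuid):
    """Build a config-drive ISO for *vmuuid* and return its path.

    The image (volume label ``config-2``) contains the rendered user-data at
    ``openstack/latest/user_data`` (the raw template next to it as
    ``user_data.template``) and the Linux guest agent files copied out of the
    newest tools ISO, which is loop-mounted for the duration of the call.

    Args:
        session: XenAPI session handed to ``get_template_data``.
        userdata_template: template text rendered by ``customize_userdata``.
        vmuuid: UUID of the VM the drive is built for.

    Returns:
        Path of the temporary ISO file; the caller owns it and must delete
        it.  The staging directories are always removed; the ISO itself is
        removed only when building it failed.
    """
    log.info("create_config_drive_iso for vm %s" % (vmuuid))
    umountrequired = False
    temptoolsisodir = None
    userdatafile = None
    # Pre-bind everything the cleanup loop touches: an early failure (e.g. in
    # mkdtemp) used to raise NameError on userdatatemplatefile from "finally",
    # masking the original exception.
    userdatatemplatefile = None
    latestfolder = None
    openstackfolder = None
    agentfilepaths = []
    agentpath = None
    tempisodir = None
    tempisofile = None
    built = False
    try:
        tempisodir = tempfile.mkdtemp()
        # mkstemp() returns an open descriptor as well as the path; close it
        # right away, only the path is needed (make_iso writes the file).
        fd, tempisofile = tempfile.mkstemp()
        os.close(fd)

        # add the userdata-file
        openstackfolder = os.path.join(tempisodir, 'openstack')
        latestfolder = os.path.join(openstackfolder, 'latest')
        os.makedirs(latestfolder)
        userdatafile = os.path.join(latestfolder, 'user_data')
        userdatatemplatefile = "%s.template" % userdatafile
        template_data = get_template_data(session, vmuuid)
        userdata = customize_userdata(userdata_template, template_data)
        util.write_file(userdatafile, userdata)
        util.write_file(userdatatemplatefile, userdata_template)
        # NOTE(review): this writes the fully rendered user-data into the
        # log; any credentials carried by the template end up there too.
        log.debug("Userdata: %s" % (userdata))

        # Also add the Linux guest agent
        temptoolsisodir = tempfile.mkdtemp()
        tools_iso_path = find_latest_tools_iso_path()
        util.runlocal(['mount', '-o', 'loop', tools_iso_path, temptoolsisodir])
        umountrequired = True
        agentpath = os.path.join(tempisodir, 'agent')
        os.makedirs(agentpath)
        agentfiles = ['xe-daemon', 'xe-linux-distribution',
                      'xe-linux-distribution.service',
                      'xen-vcpu-hotplug.rules', 'install.sh',
                      'versions.deb', 'versions.rpm', "versions.tgz"]
        for filename in agentfiles:
            shutil.copy(os.path.join(temptoolsisodir, 'Linux', filename),
                        agentpath)
            agentfilepaths.append(os.path.join(agentpath, filename))

        # Finally wrap up the iso
        util.make_iso('config-2', tempisodir, tempisofile)
        built = True
    finally:
        # And tidy: unmount first, then files before their directories
        # (os.rmdir only removes empty directories).
        if umountrequired:
            util.runlocal(['umount', temptoolsisodir])
        for path in ([temptoolsisodir, userdatafile, userdatatemplatefile,
                      latestfolder, openstackfolder] + agentfilepaths +
                     [agentpath, tempisodir]):
            if path is None:
                continue
            if os.path.isdir(path):
                os.rmdir(path)
            elif os.path.isfile(path):
                os.remove(path)
            else:
                log.debug("create_config_drive_iso: Not tidying %s because"
                          " it could not be found" % (path))
        # Do not leave a half-written image behind when building failed.
        if not built and tempisofile is not None and os.path.isfile(tempisofile):
            os.remove(tempisofile)
    return tempisofile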
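def _generate_server(parent_path, ips):
    """Create the server TLS key pair under ``parent_path/server``.

    Generates a 4096-bit RSA key, a CSR and a certificate signed by
    ``ca.pem``/``ca-key.pem`` from ``parent_path`` whose subjectAltName lists
    every address in *ips* as ``IP:a,IP:b,...``.  The CSR, the extension
    file and the CA serial file are removed afterwards and ``ca.pem`` is
    copied next to the resulting ``server-cert.pem``/``server-key.pem``.

    Args:
        parent_path: directory holding the CA material; the ``server``
            subdirectory is created here and must not exist yet.
        ips: iterable of IP address strings the certificate is valid for.
    """
    prefix = os.path.join(parent_path, "server")
    key_path = os.path.join(prefix, 'server-key.pem')
    csr_path = os.path.join(prefix, 'server.csr')
    cert_path = os.path.join(prefix, 'server-cert.pem')
    ext_path = os.path.join(prefix, 'extfile.cnf')
    ca_cert = os.path.join(parent_path, 'ca.pem')
    ca_key = os.path.join(parent_path, 'ca-key.pem')

    os.makedirs(prefix)
    # NOTE(review): the directory and server-key.pem take the process umask;
    # confirm the caller keeps this tree readable by the service user only.
    util.runlocal(['openssl', 'genrsa', '-out', key_path, '4096'])
    # hostname is ignored as XS will connect using the IPs
    hostname = "_ignored_"
    util.runlocal(['openssl', 'req', '-subj', '/CN=%s' % (hostname),
                   '-sha256', '-new', '-key', key_path, '-out', csr_path])
    # subjectAltName value "IP:<a>,IP:<b>,..." (empty when ips is empty)
    ipstring = ",".join("IP:" + ip for ip in ips)
    try:
        # Written via "./extfile.cnf" but signed with "extfile.cnf": same file.
        util.write_file(os.path.join(prefix, './extfile.cnf'),
                        'subjectAltName = ' + ipstring)
        # "-days" belongs on the signing step: "openssl req" only honours it
        # together with "-x509", and without it here "openssl x509 -req"
        # falls back to its own default of 30 days.
        util.runlocal(['openssl', 'x509', '-req', '-sha256',
                       '-days', "%d" % (CERTIFICATE_DAYSTOBEVALID),
                       '-in', csr_path,
                       '-CA', ca_cert, '-CAkey', ca_key, '-CAcreateserial',
                       '-out', cert_path, '-extfile', ext_path])
    finally:
        # Intermediate artefacts are dropped whether or not signing succeeded.
        _delete_if_exists(prefix, ['extfile.cnf', 'server.csr'])
        _delete_if_exists(parent_path, ['ca.srl'])
    shutil.copyfile(ca_cert, os.path.join(prefix, 'ca.pem'))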
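def create_config_drive_iso(session, userdata_template, vmuuid):
    """Build a config-drive ISO for *vmuuid* and return its path.

    The image (volume label ``config-2``) contains the rendered user-data at
    ``openstack/latest/user_data`` (the raw template next to it as
    ``user_data.template``) and the Linux guest agent files copied out of the
    newest tools ISO, which is loop-mounted for the duration of the call.

    Args:
        session: XenAPI session handed to ``get_template_data``.
        userdata_template: template text rendered by ``customize_userdata``.
        vmuuid: UUID of the VM the drive is built for.

    Returns:
        Path of the temporary ISO file; the caller owns it and must delete
        it.  The staging directories are always removed; the ISO itself is
        removed only when building it failed.
    """
    log.info("create_config_drive_iso for vm %s" % (vmuuid))
    umountrequired = False
    temptoolsisodir = None
    userdatafile = None
    # Pre-bind everything the cleanup loop touches: an early failure (e.g. in
    # mkdtemp) used to raise NameError on userdatatemplatefile from "finally",
    # masking the original exception.
    userdatatemplatefile = None
    latestfolder = None
    openstackfolder = None
    agentfilepaths = []
    agentpath = None
    tempisodir = None
    tempisofile = None
    built = False
    try:
        tempisodir = tempfile.mkdtemp()
        # mkstemp() returns an open descriptor as well as the path; close it
        # right away, only the path is needed (make_iso writes the file).
        fd, tempisofile = tempfile.mkstemp()
        os.close(fd)

        # add the userdata-file
        openstackfolder = os.path.join(tempisodir, 'openstack')
        latestfolder = os.path.join(openstackfolder, 'latest')
        os.makedirs(latestfolder)
        userdatafile = os.path.join(latestfolder, 'user_data')
        userdatatemplatefile = "%s.template" % userdatafile
        template_data = get_template_data(session, vmuuid)
        userdata = customize_userdata(userdata_template, template_data)
        util.write_file(userdatafile, userdata)
        util.write_file(userdatatemplatefile, userdata_template)
        # NOTE(review): this writes the fully rendered user-data into the
        # log; any credentials carried by the template end up there too.
        log.debug("Userdata: %s" % (userdata))

        # Also add the Linux guest agent
        temptoolsisodir = tempfile.mkdtemp()
        tools_iso_path = find_latest_tools_iso_path()
        util.runlocal(['mount', '-o', 'loop', tools_iso_path, temptoolsisodir])
        umountrequired = True
        agentpath = os.path.join(tempisodir, 'agent')
        os.makedirs(agentpath)
        agentfiles = ['xe-daemon', 'xe-linux-distribution',
                      'xe-linux-distribution.service',
                      'xen-vcpu-hotplug.rules', 'install.sh',
                      'versions.deb', 'versions.rpm', "versions.tgz"]
        for filename in agentfiles:
            shutil.copy(os.path.join(temptoolsisodir, 'Linux', filename),
                        agentpath)
            agentfilepaths.append(os.path.join(agentpath, filename))

        # Finally wrap up the iso
        util.make_iso('config-2', tempisodir, tempisofile)
        built = True
    finally:
        # And tidy: unmount first, then files before their directories
        # (os.rmdir only removes empty directories).
        if umountrequired:
            util.runlocal(['umount', temptoolsisodir])
        for path in ([temptoolsisodir, userdatafile, userdatatemplatefile,
                      latestfolder, openstackfolder] + agentfilepaths +
                     [agentpath, tempisodir]):
            if path is None:
                continue
            if os.path.isdir(path):
                os.rmdir(path)
            elif os.path.isfile(path):
                os.remove(path)
            else:
                log.debug("create_config_drive_iso: Not tidying %s because"
                          " it could not be found" % (path))
        # Do not leave a half-written image behind when building failed.
        if not built and tempisofile is not None and os.path.isfile(tempisofile):
            os.remove(tempisofile)
    return tempisofile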
def ensure_idrsa(session):
    """Make sure the private SSH key file exists and is fresh.

    ``IDRSAFILENAME`` is (re)written from the XenAPI secret when the file is
    missing or its modification time is more than 60 seconds old, so a
    rotated secret is picked up within a minute.

    Args:
        session: XenAPI session passed to
            ``api_helper.get_idrsa_secret_private``.
    """
    if os.path.exists(IDRSAFILENAME):
        age_seconds = time.time() - os.path.getmtime(IDRSAFILENAME)
        stale = age_seconds > 60
    else:
        stale = True
    if not stale:
        return
    util.write_file(IDRSAFILENAME,
                    api_helper.get_idrsa_secret_private(session))
def _generate_client(parent_path):
    """Create the client TLS key pair under ``parent_path/client``.

    Generates a 4096-bit RSA key, a CSR with subject ``/CN=client`` and a
    certificate signed by ``ca.pem``/``ca-key.pem`` from ``parent_path`` that
    carries ``extendedKeyUsage = clientAuth``.  The CSR and the extension
    file are removed afterwards (even when signing fails) and ``ca.pem`` is
    copied next to the resulting ``cert.pem``/``key.pem``.

    Args:
        parent_path: directory holding the CA material; the ``client``
            subdirectory is created here and must not exist yet.
    """
    prefix = os.path.join(parent_path, "client")
    key_path = os.path.join(prefix, 'key.pem')
    csr_path = os.path.join(prefix, 'client.csr')
    cert_path = os.path.join(prefix, 'cert.pem')
    ext_path = os.path.join(prefix, 'extfile.cnf')
    ca_cert = os.path.join(parent_path, 'ca.pem')
    ca_key = os.path.join(parent_path, 'ca-key.pem')

    os.makedirs(prefix)
    # NOTE(review): the directory and key.pem take the process umask; confirm
    # the caller keeps this tree readable by the service user only.
    util.runlocal(['openssl', 'genrsa', '-out', key_path, '4096'])
    try:
        util.runlocal(['openssl', 'req', '-subj', '/CN=client', '-new',
                       '-key', key_path, '-out', csr_path])
        # Written via "./extfile.cnf" but signed with "extfile.cnf": same file.
        util.write_file(os.path.join(prefix, './extfile.cnf'),
                        'extendedKeyUsage = clientAuth')
        util.runlocal(['openssl', 'x509', '-req', '-sha256',
                       '-days', "%d" % CERTIFICATE_DAYSTOBEVALID,
                       '-in', csr_path,
                       '-CA', ca_cert, '-CAkey', ca_key, '-CAcreateserial',
                       '-out', cert_path, '-extfile', ext_path])
    finally:
        # Intermediate artefacts are dropped whether or not signing succeeded.
        _delete_if_exists(prefix, ['extfile.cnf', 'client.csr'])
    shutil.copyfile(ca_cert, os.path.join(prefix, 'ca.pem'))
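def _generate_server(parent_path, ips):
    """Create the server TLS key pair under ``parent_path/server``.

    Generates a 4096-bit RSA key, a CSR and a certificate signed by
    ``ca.pem``/``ca-key.pem`` from ``parent_path`` whose subjectAltName lists
    every address in *ips* as ``IP:a,IP:b,...``.  The CSR, the extension
    file and the CA serial file are removed afterwards and ``ca.pem`` is
    copied next to the resulting ``server-cert.pem``/``server-key.pem``.

    Args:
        parent_path: directory holding the CA material; the ``server``
            subdirectory is created here and must not exist yet.
        ips: iterable of IP address strings the certificate is valid for.
    """
    prefix = os.path.join(parent_path, "server")
    key_path = os.path.join(prefix, 'server-key.pem')
    csr_path = os.path.join(prefix, 'server.csr')
    cert_path = os.path.join(prefix, 'server-cert.pem')
    ext_path = os.path.join(prefix, 'extfile.cnf')
    ca_cert = os.path.join(parent_path, 'ca.pem')
    ca_key = os.path.join(parent_path, 'ca-key.pem')

    os.makedirs(prefix)
    # NOTE(review): the directory and server-key.pem take the process umask;
    # confirm the caller keeps this tree readable by the service user only.
    util.runlocal(['openssl', 'genrsa', '-out', key_path, '4096'])
    # hostname is ignored as XS will connect using the IPs
    hostname = "_ignored_"
    util.runlocal(['openssl', 'req', '-subj', '/CN=%s' % (hostname),
                   '-sha256', '-new', '-key', key_path, '-out', csr_path])
    # subjectAltName value "IP:<a>,IP:<b>,..." (empty when ips is empty)
    ipstring = ",".join("IP:" + ip for ip in ips)
    try:
        # Written via "./extfile.cnf" but signed with "extfile.cnf": same file.
        util.write_file(os.path.join(prefix, './extfile.cnf'),
                        'subjectAltName = ' + ipstring)
        # "-days" belongs on the signing step: "openssl req" only honours it
        # together with "-x509", and without it here "openssl x509 -req"
        # falls back to its own default of 30 days.
        util.runlocal(['openssl', 'x509', '-req', '-sha256',
                       '-days', "%d" % (CERTIFICATE_DAYSTOBEVALID),
                       '-in', csr_path,
                       '-CA', ca_cert, '-CAkey', ca_key, '-CAcreateserial',
                       '-out', cert_path, '-extfile', ext_path])
    finally:
        # Intermediate artefacts are dropped whether or not signing succeeded.
        _delete_if_exists(prefix, ['extfile.cnf', 'server.csr'])
        _delete_if_exists(parent_path, ['ca.srl'])
    shutil.copyfile(ca_cert, os.path.join(prefix, 'ca.pem'))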
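def export_for_vm(session, vm_uuid):
    """Write the VM's TLS client material to its temp directory and return the paths.

    Reads the secret UUIDs stored under the ``XSCONTAINER_TLS_KEYS`` entries of
    the VM's ``other_config``, resolves each through the XenAPI secret store
    and, when the cached client certificate is missing or stale according to
    ``util.file_old_or_none_existent``, (re)writes client cert, client key and
    CA cert into the directory described by ``_get_temptlspaths``.

    Args:
        session: XenAPI session.
        vm_uuid: UUID of the VM whose TLS secrets are exported.

    Returns:
        The dict from ``_get_temptlspaths(vm_uuid)`` with the keys ``parent``,
        ``client_cert``, ``client_key`` and ``ca_cert``.

    Raises:
        KeyError: if one of the three TLS secrets is absent from
            ``other_config`` while the files need to be (re)written.
    """
    other_config = api_helper.get_vm_other_config(session, vm_uuid)
    secretdict = {}
    for key, secret_uuid in other_config.items():
        if key not in XSCONTAINER_TLS_KEYS:
            continue
        secret_ref = session.xenapi.secret.get_by_uuid(secret_uuid)
        secret_record = session.xenapi.secret.get_record(secret_ref)
        secretdict[key] = secret_record['value']
    temptlspaths = _get_temptlspaths(vm_uuid)
    if util.file_old_or_none_existent(temptlspaths['client_cert']):
        if not os.path.exists(temptlspaths['parent']):
            os.makedirs(temptlspaths['parent'])
            # 0o700 rather than 0o600: a directory needs the owner execute
            # bit to be traversable by a non-root owner; rw alone locks the
            # owner out of the files inside.
            os.chmod(temptlspaths['parent'], 0o700)
        util.write_file(temptlspaths['client_cert'],
                        secretdict[XSCONTAINER_TLS_CLIENT_CERT])
        util.write_file(temptlspaths['client_key'],
                        secretdict[XSCONTAINER_TLS_CLIENT_KEY])
        util.write_file(temptlspaths['ca_cert'],
                        secretdict[XSCONTAINER_TLS_CA_CERT])
    return temptlspaths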
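def export_for_vm(session, vm_uuid):
    """Write the VM's TLS client material to its temp directory and return the paths.

    Reads the secret UUIDs stored under the ``XSCONTAINER_TLS_KEYS`` entries of
    the VM's ``other_config``, resolves each through the XenAPI secret store
    and, when the cached client certificate is missing or stale according to
    ``util.file_old_or_none_existent``, (re)writes client cert, client key and
    CA cert into the directory described by ``_get_temptlspaths``.

    Args:
        session: XenAPI session.
        vm_uuid: UUID of the VM whose TLS secrets are exported.

    Returns:
        The dict from ``_get_temptlspaths(vm_uuid)`` with the keys ``parent``,
        ``client_cert``, ``client_key`` and ``ca_cert``.

    Raises:
        KeyError: if one of the three TLS secrets is absent from
            ``other_config`` while the files need to be (re)written.
    """
    other_config = api_helper.get_vm_other_config(session, vm_uuid)
    secretdict = {}
    for key, secret_uuid in other_config.items():
        if key not in XSCONTAINER_TLS_KEYS:
            continue
        secret_ref = session.xenapi.secret.get_by_uuid(secret_uuid)
        secret_record = session.xenapi.secret.get_record(secret_ref)
        secretdict[key] = secret_record['value']
    temptlspaths = _get_temptlspaths(vm_uuid)
    if util.file_old_or_none_existent(temptlspaths['client_cert']):
        if not os.path.exists(temptlspaths['parent']):
            os.makedirs(temptlspaths['parent'])
            # 0o700 rather than the old 0600 literal: the "0o" form is valid
            # on both Python 2.6+ and 3, and a directory needs the owner
            # execute bit to be traversable by a non-root owner.
            os.chmod(temptlspaths['parent'], 0o700)
        util.write_file(temptlspaths['client_cert'],
                        secretdict[XSCONTAINER_TLS_CLIENT_CERT])
        util.write_file(temptlspaths['client_key'],
                        secretdict[XSCONTAINER_TLS_CLIENT_KEY])
        util.write_file(temptlspaths['ca_cert'],
                        secretdict[XSCONTAINER_TLS_CA_CERT])
    return temptlspaths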