Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: use ssh public key for allinone ......................................................................
packaging: setup: use ssh public key for allinone
Instead of asking for the local root password, add the engine's public key to ~root/.ssh/authorized_keys and change the sdk call to use public key authentication.
Change-Id: I885894bba4c998e5dd3e9b2fd4da61d833f7a3a1
Signed-off-by: Yedidyah Bar David <[email protected]>
---
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
M packaging/setup/ovirt_engine_setup/constants.py
M packaging/setup/plugins/ovirt-engine-setup/all-in-one/__init__.py
M packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py
D packaging/setup/plugins/ovirt-engine-setup/all-in-one/super_user.py
M packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py
M packaging/setup/plugins/ovirt-engine-setup/pki/ssh.py
7 files changed, 65 insertions(+), 124 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/96/17996/1
diff --git a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
index a1b81dd..34047dc 100644
--- a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
+++ b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendHostsResource.java
@@ -87,7 +87,7 @@
 @Override
 public Response add(Host host) {
 validateEnums(Host.class, host);
- validateParameters(host, "name", "address", "rootPassword");
+ validateParameters(host, "name", "address");
 VdsStatic staticHost = getMapper(Host.class, VdsStatic.class).map(host, null);
 staticHost.setVdsGroupId(getClusterId(host));
 AddVdsActionParameters addParams = new AddVdsActionParameters(staticHost, host.getRootPassword());
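Review bot: Dropping `"rootPassword"` from `validateParameters` leaves `add` with no check that the request carries any credential at all: the line after the change still passes `host.getRootPassword()` into `AddVdsActionParameters`, so a Host sent with neither a root password nor an `ssh` element selecting publickey authentication now reaches the backend with a null password and fails later with a less specific error than the validation would have given. Validate the alternative explicitly, e.g. require `rootPassword` unless the host's ssh element (presumably `host.getSsh()`, the accessor isn't visible in this hunk) specifies `authentication_method` publickey, and reject the request otherwise. `add` continues past the end of the hunk.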
diff --git a/packaging/setup/ovirt_engine_setup/constants.py b/packaging/setup/ovirt_engine_setup/constants.py index 88eda30..fe5e030 100644 --- a/packaging/setup/ovirt_engine_setup/constants.py +++ b/packaging/setup/ovirt_engine_setup/constants.py @@ -545,7 +545,6 @@ DIALOG_TITLES_E_SUMMARY = 'osetup.dialog.titles.summary.end' AIO_CONFIG_AVAILABLE = 'osetup.aio.config.available' - AIO_CONFIG_ROOT_PASSWORD = 'osetup.aio.config.rootpassword' AIO_CONFIG_STORAGE = 'osetup.aio.config.storage' AIO_CONFIG_VDSM = 'osetup.aio.config.vdsm' @@ -998,13 +997,6 @@ ) def CONFIGURE(self): return 'OVESETUP_AIO/configure' - - @osetupattrs( - answerfile=True, - summary=False, - ) - def ROOT_PASSWORD(self): - return 'OVESETUP_AIO/rootPassword' LOCAL_DATA_CENTER = 'OVESETUP_AIO/localDataCenter' LOCAL_CLUSTER = 'OVESETUP_AIO/localCluster' diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/__init__.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/__init__.py index 0039c94..73c8d05 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/__init__.py +++ b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/__init__.py @@ -27,7 +27,6 @@ from . import core from . import cpu from . import sshd -from . import super_user from . import vdsm from . import storage from . import firewall @@ -38,7 +37,6 @@ core.Plugin(context=context) cpu.Plugin(context=context) sshd.Plugin(context=context) - super_user.Plugin(context=context) vdsm.Plugin(context=context) storage.Plugin(context=context) firewall.Plugin(context=context) diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py index 1365d0c..798ed40 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py +++ b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/sshd.py 
@@ -59,9 +59,6 @@ after=( osetupcons.Stages.AIO_CONFIG_AVAILABLE, ), - before=( - osetupcons.Stages.AIO_CONFIG_ROOT_PASSWORD, - ), ) def _customization(self): if not self.services.exists(name='sshd'): diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/super_user.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/super_user.py deleted file mode 100644 index b264888..0000000 --- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/super_user.py +++ /dev/null 
@@ -1,106 +0,0 @@ -# -# ovirt-engine-setup -- ovirt engine setup -# Copyright (C) 2013 Red Hat, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - - -""" -AIO super user password plugin. -""" - -import gettext -_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup') - - -from otopi import util -from otopi import plugin -from otopi import constants as otopicons - - -from ovirt_engine_setup import constants as osetupcons - - [email protected] -class Plugin(plugin.PluginBase): - """ - AIO super user password plugin. 
- """ - - def __init__(self, context): - super(Plugin, self).__init__(context=context) - - def _validateUserPasswd(self, host, user, password): - valid = False - import paramiko - try: - cli = paramiko.SSHClient() - cli.set_missing_host_key_policy(paramiko.AutoAddPolicy()) - cli.connect( - hostname=host, - username=user, - password=password - ) - valid = True - except paramiko.AuthenticationException: - pass - finally: - cli.close() - return valid - - @plugin.event( - stage=plugin.Stages.STAGE_INIT, - ) - def _init(self): - self.environment.setdefault( - osetupcons.AIOEnv.ROOT_PASSWORD, - None - ) - - @plugin.event( - stage=plugin.Stages.STAGE_CUSTOMIZATION, - condition=lambda self: self.environment[ - osetupcons.AIOEnv.CONFIGURE - ], - name=osetupcons.Stages.AIO_CONFIG_ROOT_PASSWORD - ) - def _customization(self): - interactive = ( - self.environment[osetupcons.AIOEnv.ROOT_PASSWORD] is None - ) - while self.environment[osetupcons.AIOEnv.ROOT_PASSWORD] is None: - password = self.dialog.queryString( - name='AIO_ROOT_PASSWORD', - note=_("Enter 'root' user password: "), - prompt=True, - hidden=True, - ) - if self._validateUserPasswd( - host='localhost', - user='root', - password=password - ): - self.environment[osetupcons.AIOEnv.ROOT_PASSWORD] = password - else: - if interactive: - self.logger.error(_('Wrong root password, try again')) - else: - raise RuntimeError(_('Wrong root password')) - - self.environment[otopicons.CoreEnv.LOG_FILTER].append( - self.environment[osetupcons.AIOEnv.ROOT_PASSWORD] - ) - - -# vim: expandtab tabstop=4 shiftwidth=4 diff --git a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py index 4eb6fa8..77d0ccd 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py +++ b/packaging/setup/plugins/ovirt-engine-setup/all-in-one/vdsm.py 
@@ -173,7 +173,6 @@ osetupcons.AIOEnv.CONFIGURE ], after=( - osetupcons.Stages.AIO_CONFIG_ROOT_PASSWORD, osetupcons.Stages.AIO_CONFIG_STORAGE, osetupcons.Stages.CORE_ENGINE_START, osetupcons.Stages.APACHE_RESTART, @@ -235,7 +234,9 @@ cluster=engine_api.clusters.get( self.environment[osetupcons.AIOEnv.LOCAL_CLUSTER] ), - root_password=self.environment[osetupcons.AIOEnv.ROOT_PASSWORD] + ssh=self._ovirtsdk_xml.params.SSH( + authentication_method='publickey', + ), ) ) if not self._waitVDSMHostUp( diff --git a/packaging/setup/plugins/ovirt-engine-setup/pki/ssh.py b/packaging/setup/plugins/ovirt-engine-setup/pki/ssh.py index d2e9f23..b6fc2c6 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/pki/ssh.py +++ b/packaging/setup/plugins/ovirt-engine-setup/pki/ssh.py @@ -47,6 +47,7 @@ def _setup(self): self.command.detect('openssl') self.command.detect('ssh-keygen') + self.command.detect('sshd') @plugin.event( stage=plugin.Stages.STAGE_MISC, @@ -55,7 +56,7 @@ ), ) def _misc(self): - rc, stdout, stderr = self.execute( + rc, privkey, stderr = self.execute( ( osetupcons.FileLocations.OVIRT_ENGINE_PKI_PKCS12_EXTRACT, '--name=engine', @@ -69,7 +70,7 @@ self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( filetransaction.FileTransaction( name=osetupcons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_SSH_KEY, - content=stdout, + content=privkey, mode=0o600, owner=self.environment[osetupcons.SystemEnv.USER_ROOT], enforcePermissions=True, 
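Review bot: `self.command.detect('sshd')` is added to `_setup` in pki/ssh.py but nothing in this change calls `self.command.get('sshd')` — `_misc` only invokes `ssh-keygen` — and the all-in-one sshd plugin already guards on `self.services.exists(name='sshd')`. If the intent is to fail setup early because the engine will now reach the local host over ssh with the key written in `_misc`, say so next to the line, e.g. `# the engine adds the AIO host over ssh; fail early when sshd is absent`; otherwise the detection is dead code. Detecting the binary does not establish that the daemon is enabled or that its configuration permits root publickey login; presumably the AIO sshd plugin's `_customization` covers that, but its body is outside this diff. The `stdout` → `privkey` rename in the following two hunks is a clear improvement.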
@@ -79,6 +80,64 @@ ) ) + rc, pubkey, stderr = self.execute( + ( + self.command.get('ssh-keygen'), + '-y', + '-f', '/dev/fd/0', + ), + stdin=privkey + ) + authorized_keys_line = pubkey[0] + ' ovirt-engine' + + authorized_keys_file = os.path.join( + os.path.expanduser('~'), + '.ssh', + 'authorized_keys' + ) + + already_in_file = False + content = [] + try: + with open(authorized_keys_file, 'r') as f: + for line in f.read().splitlines(): + content.append(line) + if line == authorized_keys_line: + already_in_file = True + break + except: + pass + + if not already_in_file: + self.environment[ + osetupcons.CoreEnv.UNINSTALL_UNREMOVABLE_FILES + ].append(authorized_keys_file) + + self.environment[ + osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS + ].createGroup( + group='authorized_keys', + description='ssh authorized keys of root', + optional=False + ).addLines( + 'authorized_keys', + authorized_keys_file, + [authorized_keys_line], + ) + content.append(authorized_keys_line) + self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( + filetransaction.FileTransaction( + name=authorized_keys_file, + content=content, + mode=0o600, + owner=self.environment[osetupcons.SystemEnv.USER_ROOT], + enforcePermissions=True, + modifiedList=self.environment[ + otopicons.CoreEnv.MODIFIED_FILES + ], + ) + ) + @plugin.event( stage=plugin.Stages.STAGE_CLOSEUP, before=( -- To view, visit http://gerrit.ovirt.org/17996 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I885894bba4c998e5dd3e9b2fd4da61d833f7a3a1 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yedidyah Bar David <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
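Review bot: The bare `except: pass` around reading `authorized_keys` turns every read failure other than a missing file (permission denied, the path being a directory or dangling symlink, a decode error) into an empty `content`, after which the FileTransaction rewrites root's `authorized_keys` holding only the engine key — silently discarding every other key an administrator had installed there. Catch `IOError` and re-raise unless `e.errno == errno.ENOENT` (needs `import errno` at the top of pki/ssh.py). `os.path.expanduser('~')` resolves `$HOME`, so when setup runs under `sudo` with the caller's environment preserved the key lands in the invoking user's file rather than root's; `os.path.expanduser('~root')` matches the `owner=USER_ROOT` and the "ssh authorized keys of root" description. The read loop `break`s on a match, so `content` is truncated at that point; that is harmless only if the FileTransaction sits inside the `if not already_in_file:` block, which the flattened indentation here does not let me confirm. `_misc` continues past the hunk, and whether FileTransaction creates a missing `~/.ssh` with the 0700 mode sshd's StrictModes expects is not visible either.
```python
authorized_keys_file = os.path.join(
    os.path.expanduser('~root'),  # root's home, not $HOME of a sudo caller
    '.ssh',
    'authorized_keys'
)

already_in_file = False
content = []
try:
    with open(authorized_keys_file, 'r') as f:
        for line in f.read().splitlines():
            content.append(line)
            if line == authorized_keys_line:
                already_in_file = True
                break
except IOError as e:
    # A missing file means "start a new one"; any other failure must
    # not end with root's existing keys being overwritten below.
    if e.errno != errno.ENOENT:
        raise
# … unchanged: uninstall registration and FileTransaction …
```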
