Just to be clear, don't ignore this patch, please :)

On Wed, Feb 19, 2014 at 5:46 PM, Helga Velroyen <[email protected]> wrote:

> This patch fixes another chicken-and-egg problem which
> occurred when the node certificates get renewed. When
> renewing a node certificate, the previous certificate
> has to be used to update the configuration. To address
> this, we keep the digest of the previous certificate
> around till the new one is written to all nodes in
> the configuration.
>
> Signed-off-by: Helga Velroyen <[email protected]>
> ---
>  lib/cmdlib/cluster.py | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/lib/cmdlib/cluster.py b/lib/cmdlib/cluster.py
> index edcd0ea..7a8125c 100644
> --- a/lib/cmdlib/cluster.py
> +++ b/lib/cmdlib/cluster.py
> @@ -108,19 +108,32 @@ class LUClusterRenewCrypto(NoHooksLU):
>
>      server_digest = utils.GetCertificateDigest(
>        cert_filename=pathutils.NODED_CERT_FILE)
> +    old_master_digest = utils.GetCertificateDigest(
> +      cert_filename=pathutils.NODED_CLIENT_CERT_FILE)
>      utils.AddNodeToCandidateCerts("%s-SERVER" % master_uuid,
>                                    server_digest,
>                                    cluster.candidate_certs)
> +    utils.AddNodeToCandidateCerts("%s-OLDMASTER" % master_uuid,
> +                                  old_master_digest,
> +                                  cluster.candidate_certs)
>      new_master_digest = _UpdateMasterClientCert(self, master_uuid,
> cluster,
>                                                  feedback_fn)
>
> -    cluster.candidate_certs = {master_uuid: new_master_digest}
> +    utils.AddNodeToCandidateCerts(master_uuid,
> +                                  new_master_digest,
> +                                  cluster.candidate_certs)
>      nodes = self.cfg.GetAllNodesInfo()
>      for (node_uuid, node_info) in nodes.items():
>        if node_uuid != master_uuid:
>          new_digest = CreateNewClientCert(self, node_uuid)
>          if node_info.master_candidate:
> -          cluster.candidate_certs[node_uuid] = new_digest
> +          utils.AddNodeToCandidateCerts(node_uuid,
> +                                        new_digest,
> +                                        cluster.candidate_certs)
> +    utils.RemoveNodeFromCandidateCerts("%s-SERVER" % master_uuid,
> +                                       cluster.candidate_certs)
> +    utils.RemoveNodeFromCandidateCerts("%s-OLDMASTER" % master_uuid,
> +                                       cluster.candidate_certs)
>      # Trigger another update of the config now with the new master cert
>      self.cfg.Update(cluster, feedback_fn)
>
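Review bot: the removed `cluster.candidate_certs = {master_uuid: new_master_digest}` rebuilt the map from scratch, whereas the new code only adds entries, so in the node loop a node whose `node_info.master_candidate` is false gets a new client certificate while any digest already stored for it in `cluster.candidate_certs` is left in place. Consider an else branch that calls `utils.RemoveNodeFromCandidateCerts(node_uuid, cluster.candidate_certs)`, or a comment stating why stale entries cannot occur here. Separately, the two `RemoveNodeFromCandidateCerts` calls for the `-SERVER` and `-OLDMASTER` keys only run if every `CreateNewClientCert` call returns; wrapping the loop in try/finally would keep the temporary entries from lingering after a failure. A short code comment explaining why the old master digest is kept until all nodes have been updated would also help future readers.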
> --
> 1.9.0.rc1.175.g0b1dcb5
>
>


-- 
Helga Velroyen | Software Engineer | [email protected] |

Google Germany GmbH
Dienerstr. 12
80331 München

Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
