Juan Hernandez has uploaded a new change for review. Change subject: BZ#856167 - Store engine CA cert in enginecacert.pem ......................................................................
BZ#856167 - Store engine CA cert in enginecacert.pem Currently we store the CA certificate downloaded that we get from the engine for registration purposes in the /etc/pki/vdsm/cacert.pem file. This file is then replaced by VDSM by its default one during reboot, making a backup before. This means that after the reboot vdsm-reg can't use it to download the SSH key, and this means that registration fails. This patch changes deployUtil.py so that it downloads the engine CA certificate to a new file: /etc/pki/vdsm/enginecacert.pem. This file is preserved, so that vdsm-reg can use it to download the SSH key correctly. Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c Signed-off-by: Juan Hernandez <[email protected]> --- M vdsm_reg/deployUtil.py.in M vdsm_reg/engine.py.in 2 files changed, 24 insertions(+), 20 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/38/8038/1 diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in index bbda70e..60fda9e 100644 --- a/vdsm_reg/deployUtil.py.in +++ b/vdsm_reg/deployUtil.py.in @@ -629,10 +629,10 @@ """ This functions returns the public ssh key of @ENGINENAME@. """ - CACERT, dontcare = certPaths('') + dontcare, dontcare, ENGINECACERT = certPaths('') for cert in REMOTE_SSH_KEY_FILE: data = getRemoteFile(IP, port, cert, - timeout=HTTP_TIMEOUT, certPath=CACERT) + timeout=HTTP_TIMEOUT, certPath=ENGINECACERT) if data != None: break @@ -1137,8 +1137,9 @@ if fAddID: VDSMCERT = tsDir + "/certs/vdsm-" + os.environ.get("SSH_CONNECTION").split()[2] + "-cert.pem" CACERT = tsDir + "/certs/cacert.pem" + ENGINECACERT = tsDir + "/certs/enginecacert.pem" - return CACERT, VDSMCERT + return CACERT, VDSMCERT, ENGINECACERT def pkiCleanup(key, cert): """ 
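Review bot: `dontcare, dontcare, ENGINECACERT = certPaths('')` rebinds the same throwaway name twice; the conventional spelling is `_, _, ENGINECACERT = certPaths('')`, which also tells a reader at a glance that only the engine CA path is consumed here. The same pattern recurs in the -1542 hunk (`dontcare, dontcare, ENGINECACERT`) and in getRhevmCert (`dontcare, VDSMCERT, ENGINECACERT`), and instCert's new `CACERT, VDSMCERT, ENGINECACERT = certPaths(confFile)` binds a name that none of the visible lines read, so `_` may be the right spelling there too unless the rest of instCert uses it. The enclosing function's def line is above the hunk.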
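Review bot: `ENGINECACERT = tsDir + "/certs/enginecacert.pem"` appears to be assigned only inside the `if fAddID:` branch, yet the new `return CACERT, VDSMCERT, ENGINECACERT` is unconditional; whatever defines CACERT and VDSMCERT for the non-fAddID case sits above the hunk, and unless that path was extended as well, certPaths will raise UnboundLocalError on it. Please also check that the docstring of certPaths (above the hunk) now describes the third tuple element, since every caller that still unpacks two values will fail at import-free runtime rather than at review time. The function's header is outside the hunk.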
@@ -1185,7 +1186,7 @@ nGID = gGroup.gr_gid uUserInfo = pwd.getpwnam(VDSM_USER) nUID = uUserInfo.pw_uid - CACERT, VDSMCERT = certPaths(confFile) + CACERT, VDSMCERT, ENGINECACERT = certPaths(confFile) # Delete old certificates logging.debug("instCert: try to delete old certificates") @@ -1447,34 +1448,37 @@ backupTime = dt.strftime("%Y-%m-%d_%H%M%S") for pemFile in certs: - certName = os.path.basename(pemFile) - dirName = os.path.dirname(pemFile) + if os.path.exists(pemFile): + certName = os.path.basename(pemFile) + dirName = os.path.dirname(pemFile) - bkpCertName = dirName + "/bkp-" + backupTime + '_' + certName + bkpCertName = dirName + "/bkp-" + backupTime + '_' + certName - shutil.copy2(pemFile, bkpCertName) - st = os.stat(pemFile) - os.chown(bkpCertName, st.st_uid, st.st_gid) - ovirtfunctions.ovirt_store_config(bkpCertName) + shutil.copy2(pemFile, bkpCertName) + st = os.stat(pemFile) + os.chown(bkpCertName, st.st_uid, st.st_gid) + ovirtfunctions.ovirt_store_config(bkpCertName) def nodeCleanup(): if isOvirt(): - CACERT, VDSMCERT = certPaths('') + CACERT, VDSMCERT, ENGINECACERT = certPaths('') - _nodeBackupCerts([CACERT, VDSMCERT]) + _nodeBackupCerts([CACERT, VDSMCERT, ENGINECACERT]) if os.path.exists(CACERT): ovirtfunctions.ovirt_safe_delete_config(CACERT) + if os.path.exists(ENGINECACERT): + ovirtfunctions.ovirt_safe_delete_config(ENGINECACERT) def getRhevmCert(IP, port): - CACERT, VDSMCERT = certPaths('') + dontcare, VDSMCERT, ENGINECACERT = certPaths('') RHEVM_CERT_FILE = "/ca.crt" rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE) if rhevmCert: - dirName = os.path.dirname(CACERT) + dirName = os.path.dirname(ENGINECACERT) if not os.path.exists(dirName): os.makedirs(dirName) - crt = file(CACERT, "w+") + crt = file(ENGINECACERT, "w+") try: crt.write(rhevmCert) finally: 
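Review bot: getRhevmCert now writes the downloaded engine CA to ENGINECACERT, but nothing in the code says why it is no longer cacert.pem; the reason given in the commit message (VDSM restores its own cacert.pem at boot, so the engine CA must live in a separate file to survive for vdsm-reg) belongs next to the `crt = file(ENGINECACERT, "w+")` line, e.g. `# Keep the engine CA apart from cacert.pem, which VDSM resets at boot.` nodeCleanup also removes that file via `ovirt_safe_delete_config(ENGINECACERT)`, so a one-line comment there marking it as the intended removal point would stop a future reader from mistaking it for the persistence bug this change fixes. Note that the write happens before any caller verifies the fingerprint, so an unverified trust anchor sits on disk between the download and the check; see the note on the -1542 hunk. getRhevmCert's body continues past the hunk.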
@@ -1542,14 +1546,14 @@ if not getRhevmCert(options.serverIp, options.serverPort): print 'Failed downloading the @ENGINENAME@ certificate file' return -1 - CACERT, dontcare = certPaths('') - fp = generateFingerPrint(CACERT) + dontcare, dontcare, ENGINECACERT = certPaths('') + fp = generateFingerPrint(ENGINECACERT) if options.fingerPrint != fp: print 'Expected fingerprint %s is different from recieved fingerprint %s' % (options.fingerPrint, fp) return -1 if isOvirt(): - ovirtfunctions.ovirt_store_config(CACERT) + ovirtfunctions.ovirt_store_config(ENGINECACERT) print '@ENGINENAME@ certificate downloaded and verified successfully.' return 0 print 'Missing arguments' diff --git a/vdsm_reg/engine.py.in b/vdsm_reg/engine.py.in index 15e38b5..8be6940 100644 --- a/vdsm_reg/engine.py.in +++ b/vdsm_reg/engine.py.in @@ -283,7 +283,7 @@ if self.verify_engine_cert.selected(): if deployUtil.getRhevmCert(self.engine_server.value(), enginePort): - path, dontCare = deployUtil.certPaths('') + path, dontCare, dontCare = deployUtil.certPaths('') fp = deployUtil.generateFingerPrint(path) approval = ButtonChoiceWindow(self.ncs.screen, "Certificate Fingerprint:", -- To view, visit http://gerrit.ovirt.org/8038 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I127bf44cbcde90f7dae26a3bd3127f3eac2ca53c Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Juan Hernandez <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
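Review bot: When the fingerprint comparison fails, `return -1` leaves the just-downloaded, unverified enginecacert.pem in place, and with this change that file is exactly the certPath that the -629 hunk's SSH-key download trusts, so a later registration step could rely on a CA the operator rejected; previously the stale cacert.pem was at least overwritten by VDSM at boot, whereas this file is now meant to persist. Remove it before bailing out: `if options.fingerPrint != fp:` followed by `    os.remove(ENGINECACERT)` and then the existing print and return. The enclosing function starts above the hunk.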
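Review bot: `path, dontCare, dontCare = deployUtil.certPaths('')` still binds `path` to the first tuple element, CACERT, while getRhevmCert in this same change now writes the downloaded engine CA to the third element, ENGINECACERT; the fingerprint presented for approval is therefore computed over /etc/pki/vdsm/cacert.pem rather than the file that was just downloaded, and the deployUtil caller in the -1542 hunk was updated to `dontcare, dontcare, ENGINECACERT` for exactly this reason. The line should read `dontCare, dontCare, path = deployUtil.certPaths('')`. As written, the operator confirms the fingerprint of the wrong file, so the approval step no longer binds to the certificate that will actually be trusted. The surrounding method continues outside the hunk.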
