Federico Simoncelli has uploaded a new change for review. Change subject: setup: move the the certificate generation ......................................................................
setup: move the the certificate generation

Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=860067
Signed-off-by: Federico Simoncelli <[email protected]>
Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360
---
M vdsm.spec.in
M vdsm/vdsm-gencerts.sh.in
M vdsm/vdsmd.init.in
3 files changed, 95 insertions(+), 38 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/68/8368/1

diff --git a/vdsm.spec.in b/vdsm.spec.in
index 61b0c3e..2f80b8d 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -456,9 +456,6 @@
 # set the vdsm "secret" password for libvirt
 %{_bindir}/vdsm-tool set-saslpasswd
 
-# generate the vdsm certificates (if missing)
-%{_libexecdir}/%{vdsm_name}/vdsm-gencerts.sh
-
 # Have moved vdsm section in /etc/sysctl.conf to /etc/sysctl.d/vdsm.
 # So Remove them if it is played with /etc/sysctl.conf.
 if grep -q "# VDSM section begin" /etc/sysctl.conf; then
diff --git a/vdsm/vdsm-gencerts.sh.in b/vdsm/vdsm-gencerts.sh.in
index 6cdb227..8beba64 100755
--- a/vdsm/vdsm-gencerts.sh.in
+++ b/vdsm/vdsm-gencerts.sh.in
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # Copyright 2012 Red Hat, Inc.
 #
@@ -19,56 +19,105 @@
 # Refer to the README and COPYING files for full details of the license
 #
 
-VDSM_PKI="@TRUSTSTORE@"
-VDSM_KEY="$VDSM_PKI/keys/vdsmkey.pem"
-VDSM_CRT="$VDSM_PKI/certs/vdsmcert.pem"
-VDSM_CA="$VDSM_PKI/certs/cacert.pem"
+__vdsm_gencerts_key="@TRUSTSTORE@/keys/vdsmkey.pem"
+__vdsm_gencerts_crt="@TRUSTSTORE@/certs/vdsmcert.pem"
+__vdsm_gencerts_ca="@TRUSTSTORE@/certs/cacert.pem"
+__vdsm_gencerts_perms="@VDSMUSER@:@VDSMGROUP@"
 
-VDSM_TEMPLATE="$(mktemp)"
+vdsm_check_certificate() {
+ [ -s "$__vdsm_gencerts_key" -o -s "$__vdsm_gencerts_ca" -o \
+ -s "$__vdsm_gencerts_crt" ]
+}
 
-VDSM_FQDN=`hostname -f`
-[ -z "$VDSM_FQDN" ] && VDSM_FQDN="localhost.localdomain"
+vdsm_create_key() {
+ [ -s "$__vdsm_gencerts_key" ] && return
 
-VDSM_PERMS="@VDSMUSER@:@VDSMGROUP@"
+ (umask 0077
+ /usr/bin/certtool --generate-privkey \
+ --outfile "${__vdsm_gencerts_key}~" \
+ 2> /dev/null)
+ local __retcode=$?
 
-umask 077
+ if [ $__retcode -ne 0 ]; then
+ return $__retcode
+ fi
 
-if [ ! -f "$VDSM_KEY" ]; then
- /usr/bin/certtool --generate-privkey --outfile "$VDSM_KEY" 2> /dev/null
- /bin/chown "$VDSM_PERMS" "$VDSM_KEY"
- /sbin/restorecon "$VDSM_KEY"
-fi
+ /bin/mv -f "${__vdsm_gencerts_key}~" "$__vdsm_gencerts_key"
 
-if [ ! 
-f "$VDSM_CA" ]; then - /bin/cat > "$VDSM_TEMPLATE" <<EOF + /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_key" + /sbin/restorecon "$__vdsm_gencerts_key" +} + +vdsm_create_ca() { + [ -s "$__vdsm_gencerts_ca" ] && return + + local __vdsm_gencerts_template=`mktemp` + /bin/cat > "$__vdsm_gencerts_template" <<EOF cn = "VDSM Certificate Authority" ca cert_signing_key EOF - /usr/bin/certtool --generate-self-signed --load-privkey "$VDSM_KEY" \ - --template "$VDSM_TEMPLATE" --outfile "$VDSM_CA" \ - 2> /dev/null - /bin/chown "$VDSM_PERMS" "$VDSM_CA" - /sbin/restorecon "$VDSM_CA" -fi + (umask 0077 + /usr/bin/certtool --generate-self-signed \ + --load-privkey "$__vdsm_gencerts_key" \ + --template "$__vdsm_gencerts_template" \ + --outfile "${__vdsm_gencerts_ca}~" \ + 2> /dev/null) + local __retcode=$? -if [ ! -f "$VDSM_CRT" ]; then - /bin/cat > "$VDSM_TEMPLATE" <<EOF + rm -f "$__vdsm_gencerts_template" + + if [ $__retcode -ne 0 ]; then + return $__retcode + fi + + /bin/mv -f "${__vdsm_gencerts_ca}~" "$__vdsm_gencerts_ca" + + /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_ca" + /sbin/restorecon "$__vdsm_gencerts_ca" +} + +vdsm_create_cert() { + [ -s "$__vdsm_gencerts_crt" ] && return + + local __vdsm_gencerts_fqdn=`hostname -f` + [ -z "$__vdsm_gencerts_fqdn" ] \ + && __vdsm_gencerts_fqdn="localhost.localdomain" + + local __vdsm_gencerts_template=`mktemp` + /bin/cat > "$__vdsm_gencerts_template" <<EOF organization = "VDSM Certificate" -cn = "$VDSM_FQDN" -email = "root@$VDSM_FQDN" +cn = "$__vdsm_gencerts_fqdn" +email = "root@$__vdsm_gencerts_fqdn" signing_key encryption_key tls_www_server tls_www_client EOF - /usr/bin/certtool --generate-certificate --load-privkey "$VDSM_KEY" \ - --load-ca-privkey "$VDSM_KEY" \ - --load-ca-certificate "$VDSM_CA" \ - --template "$VDSM_TEMPLATE" --outfile "$VDSM_CRT" \ + /usr/bin/certtool --generate-certificate \ + --load-privkey "$__vdsm_gencerts_key" \ + --load-ca-privkey "$__vdsm_gencerts_key" \ + --load-ca-certificate 
"$__vdsm_gencerts_ca" \ + --template "$__vdsm_gencerts_template" \ + --outfile "${__vdsm_gencerts_crt}~" \ 2> /dev/null - /bin/chown "$VDSM_PERMS" "$VDSM_CRT" - /sbin/restorecon "$VDSM_CRT" -fi + local __retcode=$? -/bin/rm -f "$VDSM_TEMPLATE" + rm -f "$__vdsm_gencerts_template" + + if [ $__retcode -ne 0 ]; then + return $__retcode + fi + + /bin/mv -f "${__vdsm_gencerts_crt}~" "$__vdsm_gencerts_crt" + + /bin/chown "$__vdsm_gencerts_perms" "$__vdsm_gencerts_crt" + /sbin/restorecon "$__vdsm_gencerts_crt" + /bin/rm -f "$__vdsm_gencerts_template" +} + +if [ "$1" != "--bash-import" ]; then + vdsm_create_key + vdsm_create_ca + vdsm_create_cert +fi diff --git a/vdsm/vdsmd.init.in b/vdsm/vdsmd.init.in index 0012157..2267b74 100755 --- a/vdsm/vdsmd.init.in +++ b/vdsm/vdsmd.init.in @@ -22,6 +22,7 @@ ### END INIT INFO . @LIBEXECDIR@/ovirt_functions.sh +. @LIBEXECDIR@/vdsm-gencerts.sh --bash-import VDSM_BIN=@VDSMDIR@/vdsm CONF_FILE=@CONFDIR@/vdsm.conf @@ -449,6 +450,16 @@ shutdown_conflicting_srv && stop_libvirtd_sysv + if ! vdsm_check_certificate; then + echo -n $"Configuring the VDSM host certificate " + if vdsm_create_key && vdsm_create_ca && vdsm_create_cert; then + success + else + failure + fi + echo + fi + reconfigure noforce ret_val=$? if [ $ret_val -ne 0 ] -- To view, visit http://gerrit.ovirt.org/8368 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I40fa3d9a6a54e312e399af3f87ac67e843078360 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Federico Simoncelli <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
