Merge commit 'origin/devel' into devel

8 files changed, 146 insertions, 567 deletions

diff --git a/certs/master-keys.py b/certs/master-keys.py
deleted file mode 100644
index 2c3f6e5..0000000
--- a/certs/master-keys.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/python -tt
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Library General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright (c) 2007 Red Hat, inc 
-#- Written by Seth Vidal skvidal @ fedoraproject.org
-
-import sys
-import os
-import os.path
-import func.certs 
-
-
-cadir = '/etc/pki/func/ca'
-ca_key_file = '%s/funcmaster.key' % cadir
-ca_cert_file = '%s/funcmaster.crt' % cadir
-
-
-def main():
-    keypair = None
-    try:
-        if not os.path.exists(cadir):
-            os.makedirs(cadir)
-        if not os.path.exists(ca_key_file):
-            func.certs.create_ca(ca_key_file=ca_key_file, ca_cert_file=ca_cert_file)
-    except:
-        return 1
-        
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())
-       
diff --git a/certs/slave-keys.py b/certs/slave-keys.py
deleted file mode 100644
index 8ddae81..0000000
--- a/certs/slave-keys.py
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/python -tt
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Library General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright (c) 2007 Red Hat, inc 
-#- Written by Seth Vidal skvidal @ fedoraproject.org
-
-import sys
-import os
-import os.path
-import xmlrpclib
-import time
-
-from  exceptions import Exception
-
-import func.certs
-
-
-def submit_csr_to_master(csr_file, master_uri):
-    # get csr_file
-    # submit buffer of file content to master_uri.wait_for_cert()
-    # wait for response and return
-    fo = open(csr_file)
-    csr = fo.read()
-    s = xmlrpclib.ServerProxy(master_uri)
-    
-    return s.wait_for_cert(csr)
-    
-    
-
-def main(cert_dir, master_uri):
-    keypair = None
-    key_file = '%s/slave.pem' % cert_dir
-    csr_file = '%s/slave.csr' % cert_dir
-    cert_file = '%s/slave.cert' % cert_dir
-    ca_cert_file = '%s/ca.cert' % cert_dir
-    
-    try:
-        if not os.path.exists(cert_dir):
-            os.makedirs(cert_dir)
-        if not os.path.exists(key_file):
-            keypair = func.certs.make_keypair(dest=key_file)
-        if not os.path.exists(csr_file):
-            if not keypair:
-                keypair = func.certs.retrieve_key_from_file(key_file)
-            csr = func.certs.make_csr(keypair, dest=csr_file)
-    except Exception, e: # need a little more specificity here
-        print e
-        return 1
-    
-    result = False
-    while not result:
-        result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
-        print 'looping'
-        time.sleep(10)    
-    
-    
-    if result:
-        cert_fo = open(cert_file, 'w')
-        cert_fo.write(cert_string)
-        cert_fo.close()
-
-        ca_cert_fo = open(ca_cert_file, 'w')
-        ca_cert_fo.write(ca_cert_string)
-        ca_cert_fo.close()
-    
-    return 0
-
-
-if __name__ == "__main__":
-    if len(sys.argv[1:]) > 0: 
-        cert_dir = sys.argv[1]
-    else:
-        cert_dir = '/etc/pki/func'
-    
-    if len(sys.argv[1:]) > 1:
-        master_uri = sys.argv[2]
-    else:
-        master_uri = 'http://localhost:51235/'
-
-    sys.exit(main(cert_dir, master_uri))
-       
diff --git a/docs/certmaster-ca.pod b/docs/certmaster-ca.pod
deleted file mode 100644
index fce3f73..0000000
--- a/docs/certmaster-ca.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=head1 NAME
-
-certmaster-ca -- signs certificate requests gathered by certmaster.
-
-=head1 SYNOPSIS
-
-certmaster-ca --list 
-
-certmaster-ca --sign machine.example.org
-
-=head1 DESCRIPTION
-
-"certmaster-ca --list"
-
-The list command prints all certificates that have been requested from certmaster by a remote
-service (such as funcd) but are not yet signed.
-
-func commands can't be sent to a remote machine until the certificates have been signed.
-
-"certmaster-ca --sign [hostname]"
-
-This command is used to sign a certificate and send it back to the requester.
-
-=head1 AUTO-SIGNING
-
-The certmaster can be configured to make this command unneccessary; all incoming
-requests can be signed automatically by certmaster.
-
-To configure this, edit /etc/func/certmaster.conf.
-
-=head1 ADDITONAL RESOURCES
-
-See https://hosted.fedoraproject.org/projects/func/.  It's a Wiki.
-
-See also the manpages for "func", "func-inventory", "funcd", and "certmaster".
-
-=head1 AUTHOR
-
-Various. See https://hosted.fedoraproject.org/projects/func
-
-
diff --git a/docs/certmaster.pod b/docs/certmaster.pod
deleted file mode 100644
index 92f5074..0000000
--- a/docs/certmaster.pod
+++ /dev/null
@@ -1,29 +0,0 @@
-=head1 NAME
-
-certmaster -- hands out certificates to funcd and other components.
-
-=head1 SYNOPSIS
-
-certmaster (it's a daemon and takes no arguments)
-
-=head1 DESCRIPTION
-
-See https://hosted.fedoraproject.org/projects/func/
-
-Certmaster is run on the master-control machine on a network being
-controlled by func.  It hands out certificates to machines running
-funcd. 
-
-Certmaster is configured by /etc/func/certmaster.conf
-
-=head1 ADDITONAL RESOURCES
-
-See https://hosted.fedoraproject.org/projects/func/.  It's a Wiki.
-
-See also the manpages for "func", "func-inventory", "funcd", "certmaster-ca".
-
-=head1 AUTHOR
-
-Various. See https://hosted.fedoraproject.org/projects/func
-
-
diff --git a/etc/minion.conf b/etc/minion.conf
index f2e2b34..00ff009 100644
--- a/etc/minion.conf
+++ b/etc/minion.conf
@@ -2,7 +2,5 @@
 
 [main]
 log_level = DEBUG
-certmaster = certmaster
-cert_dir = /etc/pki/func
 acl_dir = /etc/func/minion-acl.d
 
diff --git a/func/certmaster.py b/func/certmaster.py
deleted file mode 100755
index fe5dcbc..0000000
--- a/func/certmaster.py
+++ /dev/null
@@ -1,247 +0,0 @@
-# FIXME: more intelligent fault raises
-
-"""
-cert master listener
-
-Copyright 2007, Red Hat, Inc
-see AUTHORS
-
-This software may be freely redistributed under the terms of the GNU
-general public license.
-
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-"""
-
-# standard modules
-import SimpleXMLRPCServer
-import sys
-import os
-import os.path
-from OpenSSL import crypto
-import sha
-import glob
-import socket
-import exceptions
-
-#from func.server import codes
-import certs
-import codes
-import utils
-from config import read_config
-from commonconfig import CMConfig
-
-CERTMASTER_LISTEN_PORT = 51235
-CERTMASTER_CONFIG = "/etc/func/certmaster.conf"
-
-class CertMaster(object):
-    def __init__(self, conf_file=CERTMASTER_CONFIG):
-        self.cfg = read_config(conf_file, CMConfig)
-
-        usename = utils.get_hostname()
-
-        mycn = '%s-CA-KEY' % usename
-        self.ca_key_file = '%s/funcmaster.key' % self.cfg.cadir
-        self.ca_cert_file = '%s/funcmaster.crt' % self.cfg.cadir
-        try:
-            if not os.path.exists(self.cfg.cadir):
-                os.makedirs(self.cfg.cadir)
-            if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
-                certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
-        except (IOError, OSError), e:
-            print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
-            sys.exit(1)
-
-            
-        # open up the cakey and cacert so we have them available
-        self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
-        self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)
-        
-        for dirpath in [self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot]:
-            if not os.path.exists(dirpath):
-                os.makedirs(dirpath)
-
-        # setup handlers
-        self.handlers = {
-                 'wait_for_cert': self.wait_for_cert,
-                 }
-        
-    def _dispatch(self, method, params):
-        if method == 'trait_names' or method == '_getAttributeNames':
-            return self.handlers.keys()
-        
-        if method in self.handlers.keys():
-            return self.handlers[method](*params)
-        else:
-            raise codes.InvalidMethodException
-    
-    def _sanitize_cn(self, commonname):
-        commonname = commonname.replace('/', '')
-        commonname = commonname.replace('\\', '')       
-        return commonname
-    
-    def wait_for_cert(self, csrbuf):
-        """
-           takes csr as a string
-           returns True, caller_cert, ca_cert
-           returns False, '', ''
-        """
-       
-        try:
-            csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf)
-        except crypto.Error, e:
-            #XXX need to raise a fault here and document it - but false is just as good
-            return False, '', ''
-            
-        requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
-        
-        # get rid of dodgy characters in the filename we're about to make
-        
-        certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host)
-        csrfile = '%s/%s.csr' % (self.cfg.csrroot, requesting_host)
-
-        # check for old csr on disk
-        # if we have it - compare the two - if they are not the same - raise a fault
-        if os.path.exists(csrfile):
-            oldfo = open(csrfile)
-            oldcsrbuf = oldfo.read()
-            oldsha = sha.new()
-            oldsha.update(oldcsrbuf)
-            olddig = oldsha.hexdigest()
-            newsha = sha.new()
-            newsha.update(csrbuf)
-            newdig = newsha.hexdigest()
-            if not newdig == olddig:
-                # XXX raise a proper fault
-                return False, '', ''
-
-        # look for a cert:
-        # if we have it, then return True, etc, etc
-        if os.path.exists(certfile):
-            slavecert = certs.retrieve_cert_from_file(certfile)
-            cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert)
-            cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
-            return True, cert_buf, cacert_buf
-        
-        # if we don't have a cert then:
-        # if we're autosign then sign it, write out the cert and return True, etc, etc
-        # else write out the csr
-        
-        if self.cfg.autosign:
-            cert_fn = self.sign_this_csr(csrreq)
-            cert = certs.retrieve_cert_from_file(cert_fn)            
-            cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
-            cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
-            return True, cert_buf, cacert_buf
-        
-        else:
-            # write the csr out to a file to be dealt with by the admin
-            destfo = open(csrfile, 'w')
-            destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csrreq))
-            destfo.close()
-            del destfo
-            return False, '', ''
-
-        return False, '', ''
-
-    def get_csrs_waiting(self):
-        hosts = [] 
-        csrglob = '%s/*.csr' % self.cfg.csrroot
-        csr_list = glob.glob(csrglob)
-        for f in csr_list:
-            hn = os.path.basename(f)
-            hn = hn[:-4]
-            hosts.append(hn)
-        return hosts
-   
-    def remove_this_cert(self, hn):
-        """ removes cert for hostname using unlink """
-        cm = self
-        csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn)
-        csrs = glob.glob(csrglob)
-        certglob = '%s/%s.cert' % (cm.cfg.certroot, hn)
-        certs = glob.glob(certglob)
-        if not csrs and not certs:
-            # FIXME: should be an exception?
-            print 'No match for %s to clean up' % hn
-            return
-        for fn in csrs + certs:
-            print 'Cleaning out %s for host matching %s' % (fn, hn)
-            os.unlink(fn)         
-            
-    def sign_this_csr(self, csr):
-        """returns the path to the signed cert file"""
-        csr_unlink_file = None
-
-        if type(csr) is type(''): 
-            if csr.startswith('/') and os.path.exists(csr):  # we have a full path to the file
-                csrfo = open(csr)
-                csr_buf = csrfo.read()
-                csr_unlink_file = csr
-                
-            elif os.path.exists('%s/%s' % (self.cfg.csrroot, csr)): # we have a partial path?
-                csrfo = open('%s/%s' % (self.cfg.csrroot, csr))
-                csr_buf = csrfo.read()
-                csr_unlink_file = '%s/%s' % (self.cfg.csrroot, csr)
-                
-            # we have a string of some kind
-            else:
-                csr_buf = csr
-
-            try:
-                csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buf)                
-            except crypto.Error, e:
-                raise exceptions.Exception("Bad CSR: %s" % csr)
-                
-        else: # assume we got a bare csr req
-            csrreq = csr
-        requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
-        
-        certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host)
-        thiscert = certs.create_slave_certificate(csrreq, self.cakey, self.cacert, self.cfg.cadir)
-        destfo = open(certfile, 'w')
-        destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert))
-        destfo.close()
-        del destfo
-        if csr_unlink_file and os.path.exists(csr_unlink_file):
-            os.unlink(csr_unlink_file)
-            
-        return certfile
-        
-
-class CertmasterXMLRPCServer(SimpleXMLRPCServer.SimpleXMLRPCServer):
-    def __init__(self, args):
-        self.allow_reuse_address = True
-        SimpleXMLRPCServer.SimpleXMLRPCServer.__init__(self, args)
-        
-
-def serve(xmlrpcinstance):
-
-    """
-    Code for starting the XMLRPC service.
-    """
-
-    server = CertmasterXMLRPCServer((xmlrpcinstance.cfg.listen_addr, CERTMASTER_LISTEN_PORT))
-    server.logRequests = 0 # don't print stuff to console
-    server.register_instance(xmlrpcinstance)
-    server.serve_forever()
-
-
-def main(argv):
-    
-    cm = CertMaster('/etc/func/certmaster.conf')
-
-    if "daemon" in argv or "--daemon" in argv:
-        utils.daemonize("/var/run/certmaster.pid")
-    else:
-        print "serving...\n"
-
-
-    # just let exceptions bubble up for now
-    serve(cm)
-
- 
-if __name__ == "__main__":
-    #textdomain(I18N_DOMAIN)
-    main(sys.argv)
diff --git a/init-scripts/certmaster b/init-scripts/certmaster
deleted file mode 100755
index 819ba0d..0000000
--- a/init-scripts/certmaster
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/sh
-#
-# certmaster    certmaster
-###################################
-
-# LSB header
-
-### BEGIN INIT INFO
-# Provides: certmaster
-# Required-Start: network
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
-# Short-Description: certificate master for Fedora Unified Network Control 'master server only'
-# Description: certificate master to sign/manage ca/cert infrastructure for func
-### END INIT INFO
-
-# chkconfig header
-
-# chkconfig: - 98 99 
-# description:  certificate master to sign/manage ca/cert infrastructure for func
-#
-# processname: /usr/bin/certmaster
-
-# Sanity checks.
-[ -x /usr/bin/certmaster ] || exit 0
-
-SERVICE=certmaster
-PROCESS=certmaster
-DAEMON=/usr/bin/certmaster
-CONFIG_ARGS="--daemon"
-
-CAStatus()
-{
-  ps wt? | grep "$DAEMON" 2>&1 > /dev/null
-  if [ "x$?" = "x0" ]; then
-    RVAL=0
-    echo "certmaster is running"
-  else
-    RVAL=3
-    echo "certmaster is not running"
-  fi
-}
-
-if [ -f /lib/lsb/init-functions ]; then
-  . /lib/lsb/init-functions
-  alias START_DAEMON=start_daemon
-  alias STATUS=CAStatus
-  alias LOG_SUCCESS=log_success_msg
-  alias LOG_FAILURE=log_failure_msg
-  alias LOG_WARNING=log_warning_msg
-elif [ -f /etc/init.d/functions ]; then
-  . /etc/init.d/functions
-  alias START_DAEMON=daemon
-  alias STATUS=status
-  alias LOG_SUCCESS=success
-  alias LOG_FAILURE=failure
-  alias LOG_WARNING=passed
-else
-  echo "Error: your platform is not supported by $0" > /dev/stderr
-  exit 1
-fi
-
-RETVAL=0
-
-start() {
-    echo -n $"Starting certmaster daemon: "
-    START_DAEMON $PROCESS $CONFIG_ARGS
-    RETVAL=$?
-    echo
-    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE
-    return $RETVAL
-}
-
-stop() {
-    echo -n $"Stopping certmaster daemon: "
-    killproc $PROCESS
-    RETVAL=$?
-    echo
-    if [ $RETVAL -eq 0 ]; then
-	rm -f /var/lock/subsys/$SERVICE
-        rm -f /var/run/$SERVICE.pid
-    fi
-}
-
-restart() {
-   stop
-   start
-}
-
-# See how we were called.
-case "$1" in
-    start|stop|restart)
-        $1
-        ;;
-    status)
-        STATUS $PROCESS
-        RETVAL=$?
-        ;;
-    condrestart)
-        [ -f /var/lock/subsys/$SERVICE ] && restart || :
-        ;;
-    reload)
-        echo "can't reload configuration, you have to restart it"
-        RETVAL=$?
-        ;;
-    *)
-        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
-        exit 1
-        ;;
-esac
-exit $RETVAL
-
diff --git a/scripts/update-func b/scripts/update-func
new file mode 100755
index 0000000..30fced5
--- /dev/null
+++ b/scripts/update-func
@@ -0,0 +1,146 @@
+#!/usr//bin/python
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Library General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# 2008 Adrian Likins <alikins@redhat.com>
+
+# script to migrate pre func/certmaster 0.17 to the split func/certmaster 
+# locations and formats from 0.17 and later versions
+
+
+import os
+import subprocess
+
+from func import commonconfig
+from func import config
+
+from certmaster import commonconfig as cm_commonconfig
+from certmaster import config as cm_config
+
+# files that have moved
+#
+#  minion certs moved from /etc/pki/func to /etc/pki/certmaster
+#  overlord certs moved /var/lib/func/certmaster to /var/lib/certmaster/certmaster
+#
+# /etc/func/minion.conf still exists, but parts of config moved to /etc/certmaster/minion.conf
+
+
+FUNC_MINION_CONF="/etc/func/minion.conf"
+CERTMASTER_MINION_CONF="/etc/certmaster/minion.conf"
+
+FUNC_MINION_CERT_DIR="/etc/pki/func/"
+CERTMASTER_MINION_CERT_DIR="/etc/pki/certmaster"
+
+CERTMASTER_CONF="/etc/certmaster/certmaster.conf"
+
+
+FUNC_CERTMASTER_CERT_DIR="/var/lib/func/certmaster/"
+CERTMASTER_CERT_DIR="/var/lib/certmaster/"
+
+
+def list_files(files):
+    for filename in files:
+        if os.access(filename, os.R_OK):
+            print filename, os.stat(filename)
+        else:
+            print "%s not found" % filename
+
+
+#list_files([FUNC_MINION_CONF, CERTMASTER_MINION_CONF, FUNC_MINION_CERT_DIR,            
+#            CERTMASTER_MINION_CERT_DIR, FUNC_CERTMASTER_CERT_DIR,CERTMASTER_CERT_DIR])
+
+ 
+def func_minion_has_cert_info(fmc_content):
+    for line in fmc_content:
+        match  = line.find("cert_dir")
+        if match != -1 and match == 0:
+             return True
+    return False
+
+def certmaster_minion_has_cert_info(cmc_content):
+    for line in cmc_content:
+        match  = line.find("cert_dir")
+        if match != -1 and match == 0:
+             return True
+    return False
+
+
+def migrate_minion_conf_settings():
+    # ugh, do I really want to parse these files? 
+    # guess I kind of have to...
+    fc = config.read_config(FUNC_MINION_CONF, commonconfig.FuncdConfig)
+
+
+    # see if we have edited this file before
+    fc_f = open(FUNC_MINION_CONF, "r")
+    fc_c = fc_f.readlines()
+    obs = False
+    for line in fc_c:
+        match = line.find("obsolete =")
+        if match != -1 and match == 0:
+            obs = True
+
+    if obs  == True:
+        return
+
+    cmc = cm_config.read_config(CERTMASTER_CONF, cm_commonconfig.CMConfig)
+    cm_mc = cm_config.read_config(CERTMASTER_MINION_CONF, cm_commonconfig.MinionConfig)
+
+
+    cmc.cert_dir = fc.cert_dir
+    cmc.certmaster = fc.certmaster
+
+    cm_mc.cert_dir = fc.cert_dir
+    cm_mc.certmaster = fc.certmaster
+
+    # there doesnt' seem to be an obvious way to
+    # add something to a config obj/file without
+    # changing the corresponding config class, 
+    # so this is a kluge
+    fc_f = open(FUNC_MINION_CONF, "a+")
+    fc_f.write("obsolete = 1\n")
+    fc_f.close()
+
+
+#    print "fc", fc
+#    print "dir(fc)", dir(fc)
+ 
+    cmc.write(open(CERTMASTER_CONF, 'w'))
+    cm_mc.write(open(CERTMASTER_MINION_CONF, 'w'))
+
+
+if os.access(FUNC_MINION_CONF, os.R_OK):
+    if os.access(CERTMASTER_MINION_CONF, os.R_OK):
+        fmc_content = open(FUNC_MINION_CONF, 'r').readlines()
+        cmc_content = open(CERTMASTER_MINION_CONF, 'r').readlines()
+
+#        if func_minion_has_cert_info(fmc_content) and not certmaster_minion_has_cert_info(cmc_content):
+        if func_minion_has_cert_info(fmc_content):
+            migrate_minion_conf_settings()
+                
+
+if os.access(FUNC_MINION_CERT_DIR, os.R_OK):
+#    print "copying files from %s to %s" % (FUNC_MINION_CERT_DIR, CERTMASTER_MINION_CERT_DIR)
+    output = subprocess.Popen(["cp", "-var", FUNC_MINION_CERT_DIR, CERTMASTER_MINION_CERT_DIR], stdout=subprocess.PIPE).communicate()[0]
+#    print output
+
+if os.access(CERTMASTER_CERT_DIR, os.R_OK):
+#    print "copyying files from %s to %s" % (FUNC_CERTMASTER_CERT_DIR, CERTMASTER_CERT_DIR)
+    output = subprocess.Popen(["cp", "-var", FUNC_CERTMASTER_CERT_DIR, CERTMASTER_CERT_DIR], stdout=subprocess.PIPE).communicate()[0]
+#    print output
+                                                                                                                                  
+
+
+
+