diff options
author | Adrian Likins <alikins@grimlock.devel.redhat.com> | 2008-02-29 14:27:07 -0500 |
---|---|---|
committer | Adrian Likins <alikins@grimlock.devel.redhat.com> | 2008-02-29 14:27:07 -0500 |
commit | 0161fd41bb61a9b8d54f7eec3be4941eeb31e563 (patch) | |
tree | f93472194ec0a8e58777b7ee4db8d8dd6639e77a | |
parent | f2e2df8491b9e9d71ed88855e2b043f76d22e119 (diff) | |
parent | bdc3f700d2ddee513173cd3ae6a82de11011bf84 (diff) | |
download | func-0161fd41bb61a9b8d54f7eec3be4941eeb31e563.tar.gz func-0161fd41bb61a9b8d54f7eec3be4941eeb31e563.tar.xz func-0161fd41bb61a9b8d54f7eec3be4941eeb31e563.zip |
Merge commit 'origin/devel'
-rw-r--r-- | certs/master-keys.py | 44 | ||||
-rw-r--r-- | certs/slave-keys.py | 92 | ||||
-rw-r--r-- | docs/certmaster-ca.pod | 41 | ||||
-rw-r--r-- | docs/certmaster.pod | 29 | ||||
-rw-r--r-- | etc/minion.conf | 2 | ||||
-rwxr-xr-x | func/certmaster.py | 247 | ||||
-rw-r--r-- | func/commonconfig.py | 25 | ||||
-rwxr-xr-x | func/minion/server.py | 20 | ||||
-rwxr-xr-x | func/minion/utils.py | 72 | ||||
-rwxr-xr-x | func/overlord/client.py | 14 | ||||
-rw-r--r-- | func/overlord/command.py | 2 | ||||
-rwxr-xr-x | init-scripts/certmaster | 112 | ||||
-rwxr-xr-x | scripts/update-func | 146 |
13 files changed, 184 insertions, 662 deletions
diff --git a/certs/master-keys.py b/certs/master-keys.py deleted file mode 100644 index 2c3f6e5..0000000 --- a/certs/master-keys.py +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/python -tt -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Library General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# Copyright (c) 2007 Red Hat, inc -#- Written by Seth Vidal skvidal @ fedoraproject.org - -import sys -import os -import os.path -import func.certs - - -cadir = '/etc/pki/func/ca' -ca_key_file = '%s/funcmaster.key' % cadir -ca_cert_file = '%s/funcmaster.crt' % cadir - - -def main(): - keypair = None - try: - if not os.path.exists(cadir): - os.makedirs(cadir) - if not os.path.exists(ca_key_file): - func.certs.create_ca(ca_key_file=ca_key_file, ca_cert_file=ca_cert_file) - except: - return 1 - - return 0 - - -if __name__ == "__main__": - sys.exit(main()) - diff --git a/certs/slave-keys.py b/certs/slave-keys.py deleted file mode 100644 index 8ddae81..0000000 --- a/certs/slave-keys.py +++ /dev/null @@ -1,92 +0,0 @@ -#!/usr/bin/python -tt -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Library General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# Copyright (c) 2007 Red Hat, inc -#- Written by Seth Vidal skvidal @ fedoraproject.org - -import sys -import os -import os.path -import xmlrpclib -import time - -from exceptions import Exception - -import func.certs - - -def submit_csr_to_master(csr_file, master_uri): - # get csr_file - # submit buffer of file content to master_uri.wait_for_cert() - # wait for response and return - fo = open(csr_file) - csr = fo.read() - s = xmlrpclib.ServerProxy(master_uri) - - return s.wait_for_cert(csr) - - - -def main(cert_dir, master_uri): - keypair = None - key_file = '%s/slave.pem' % cert_dir - csr_file = '%s/slave.csr' % cert_dir - cert_file = '%s/slave.cert' % cert_dir - ca_cert_file = '%s/ca.cert' % cert_dir - - try: - if not os.path.exists(cert_dir): - os.makedirs(cert_dir) - if not os.path.exists(key_file): - keypair = func.certs.make_keypair(dest=key_file) - if not os.path.exists(csr_file): - if not keypair: - keypair = func.certs.retrieve_key_from_file(key_file) - csr = func.certs.make_csr(keypair, dest=csr_file) - except Exception, e: # need a little more specificity here - print e - return 1 - - result = False - while not result: - result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri) - print 'looping' - time.sleep(10) - - - if result: - cert_fo = open(cert_file, 'w') - cert_fo.write(cert_string) - cert_fo.close() - - ca_cert_fo = open(ca_cert_file, 'w') - ca_cert_fo.write(ca_cert_string) - ca_cert_fo.close() - - return 0 - - -if __name__ == "__main__": - if len(sys.argv[1:]) > 0: - cert_dir = sys.argv[1] - else: - cert_dir = '/etc/pki/func' - - if len(sys.argv[1:]) > 1: - master_uri = sys.argv[2] - else: - master_uri = 'http://localhost:51235/' - - sys.exit(main(cert_dir, master_uri)) - diff --git a/docs/certmaster-ca.pod b/docs/certmaster-ca.pod deleted file mode 100644 index fce3f73..0000000 --- a/docs/certmaster-ca.pod +++ /dev/null @@ -1,41 +0,0 @@ -=head1 NAME - -certmaster-ca -- signs certificate requests gathered by certmaster. - -=head1 SYNOPSIS - -certmaster-ca --list - -certmaster-ca --sign machine.example.org - -=head1 DESCRIPTION - -"certmaster-ca --list" - -The list command prints all certificates that have been requested from certmaster by a remote -service (such as funcd) but are not yet signed. - -func commands can't be sent to a remote machine until the certificates have been signed. - -"certmaster-ca --sign [hostname]" - -This command is used to sign a certificate and send it back to the requester. - -=head1 AUTO-SIGNING - -The certmaster can be configured to make this command unneccessary; all incoming -requests can be signed automatically by certmaster. - -To configure this, edit /etc/func/certmaster.conf. - -=head1 ADDITONAL RESOURCES - -See https://hosted.fedoraproject.org/projects/func/. It's a Wiki. - -See also the manpages for "func", "func-inventory", "funcd", and "certmaster". - -=head1 AUTHOR - -Various. See https://hosted.fedoraproject.org/projects/func - - diff --git a/docs/certmaster.pod b/docs/certmaster.pod deleted file mode 100644 index 92f5074..0000000 --- a/docs/certmaster.pod +++ /dev/null @@ -1,29 +0,0 @@ -=head1 NAME - -certmaster -- hands out certificates to funcd and other components. - -=head1 SYNOPSIS - -certmaster (it's a daemon and takes no arguments) - -=head1 DESCRIPTION - -See https://hosted.fedoraproject.org/projects/func/ - -Certmaster is run on the master-control machine on a network being -controlled by func. It hands out certificates to machines running -funcd. - -Certmaster is configured by /etc/func/certmaster.conf - -=head1 ADDITONAL RESOURCES - -See https://hosted.fedoraproject.org/projects/func/. It's a Wiki. - -See also the manpages for "func", "func-inventory", "funcd", "certmaster-ca". - -=head1 AUTHOR - -Various. See https://hosted.fedoraproject.org/projects/func - - diff --git a/etc/minion.conf b/etc/minion.conf index f2e2b34..00ff009 100644 --- a/etc/minion.conf +++ b/etc/minion.conf @@ -2,7 +2,5 @@ [main] log_level = DEBUG -certmaster = certmaster -cert_dir = /etc/pki/func acl_dir = /etc/func/minion-acl.d diff --git a/func/certmaster.py b/func/certmaster.py deleted file mode 100755 index fe5dcbc..0000000 --- a/func/certmaster.py +++ /dev/null @@ -1,247 +0,0 @@ -# FIXME: more intelligent fault raises - -""" -cert master listener - -Copyright 2007, Red Hat, Inc -see AUTHORS - -This software may be freely redistributed under the terms of the GNU -general public license. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -""" - -# standard modules -import SimpleXMLRPCServer -import sys -import os -import os.path -from OpenSSL import crypto -import sha -import glob -import socket -import exceptions - -#from func.server import codes -import certs -import codes -import utils -from config import read_config -from commonconfig import CMConfig - -CERTMASTER_LISTEN_PORT = 51235 -CERTMASTER_CONFIG = "/etc/func/certmaster.conf" - -class CertMaster(object): - def __init__(self, conf_file=CERTMASTER_CONFIG): - self.cfg = read_config(conf_file, CMConfig) - - usename = utils.get_hostname() - - mycn = '%s-CA-KEY' % usename - self.ca_key_file = '%s/funcmaster.key' % self.cfg.cadir - self.ca_cert_file = '%s/funcmaster.crt' % self.cfg.cadir - try: - if not os.path.exists(self.cfg.cadir): - os.makedirs(self.cfg.cadir) - if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file): - certs.create_ca(CN=mycn, ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file) - except (IOError, OSError), e: - print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e - sys.exit(1) - - - # open up the cakey and cacert so we have them available - self.cakey = certs.retrieve_key_from_file(self.ca_key_file) - self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file) - - for dirpath in [self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot]: - if not os.path.exists(dirpath): - os.makedirs(dirpath) - - # setup handlers - self.handlers = { - 'wait_for_cert': self.wait_for_cert, - } - - def _dispatch(self, method, params): - if method == 'trait_names' or method == '_getAttributeNames': - return self.handlers.keys() - - if method in self.handlers.keys(): - return self.handlers[method](*params) - else: - raise codes.InvalidMethodException - - def _sanitize_cn(self, commonname): - commonname = commonname.replace('/', '') - commonname = commonname.replace('\\', '') - return commonname - - def wait_for_cert(self, csrbuf): - """ - takes csr as a string - returns True, caller_cert, ca_cert - returns False, '', '' - """ - - try: - csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf) - except crypto.Error, e: - #XXX need to raise a fault here and document it - but false is just as good - return False, '', '' - - requesting_host = self._sanitize_cn(csrreq.get_subject().CN) - - # get rid of dodgy characters in the filename we're about to make - - certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host) - csrfile = '%s/%s.csr' % (self.cfg.csrroot, requesting_host) - - # check for old csr on disk - # if we have it - compare the two - if they are not the same - raise a fault - if os.path.exists(csrfile): - oldfo = open(csrfile) - oldcsrbuf = oldfo.read() - oldsha = sha.new() - oldsha.update(oldcsrbuf) - olddig = oldsha.hexdigest() - newsha = sha.new() - newsha.update(csrbuf) - newdig = newsha.hexdigest() - if not newdig == olddig: - # XXX raise a proper fault - return False, '', '' - - # look for a cert: - # if we have it, then return True, etc, etc - if os.path.exists(certfile): - slavecert = certs.retrieve_cert_from_file(certfile) - cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert) - cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert) - return True, cert_buf, cacert_buf - - # if we don't have a cert then: - # if we're autosign then sign it, write out the cert and return True, etc, etc - # else write out the csr - - if self.cfg.autosign: - cert_fn = self.sign_this_csr(csrreq) - cert = certs.retrieve_cert_from_file(cert_fn) - cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) - cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert) - return True, cert_buf, cacert_buf - - else: - # write the csr out to a file to be dealt with by the admin - destfo = open(csrfile, 'w') - destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csrreq)) - destfo.close() - del destfo - return False, '', '' - - return False, '', '' - - def get_csrs_waiting(self): - hosts = [] - csrglob = '%s/*.csr' % self.cfg.csrroot - csr_list = glob.glob(csrglob) - for f in csr_list: - hn = os.path.basename(f) - hn = hn[:-4] - hosts.append(hn) - return hosts - - def remove_this_cert(self, hn): - """ removes cert for hostname using unlink """ - cm = self - csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn) - csrs = glob.glob(csrglob) - certglob = '%s/%s.cert' % (cm.cfg.certroot, hn) - certs = glob.glob(certglob) - if not csrs and not certs: - # FIXME: should be an exception? - print 'No match for %s to clean up' % hn - return - for fn in csrs + certs: - print 'Cleaning out %s for host matching %s' % (fn, hn) - os.unlink(fn) - - def sign_this_csr(self, csr): - """returns the path to the signed cert file""" - csr_unlink_file = None - - if type(csr) is type(''): - if csr.startswith('/') and os.path.exists(csr): # we have a full path to the file - csrfo = open(csr) - csr_buf = csrfo.read() - csr_unlink_file = csr - - elif os.path.exists('%s/%s' % (self.cfg.csrroot, csr)): # we have a partial path? - csrfo = open('%s/%s' % (self.cfg.csrroot, csr)) - csr_buf = csrfo.read() - csr_unlink_file = '%s/%s' % (self.cfg.csrroot, csr) - - # we have a string of some kind - else: - csr_buf = csr - - try: - csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buf) - except crypto.Error, e: - raise exceptions.Exception("Bad CSR: %s" % csr) - - else: # assume we got a bare csr req - csrreq = csr - requesting_host = self._sanitize_cn(csrreq.get_subject().CN) - - certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host) - thiscert = certs.create_slave_certificate(csrreq, self.cakey, self.cacert, self.cfg.cadir) - destfo = open(certfile, 'w') - destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert)) - destfo.close() - del destfo - if csr_unlink_file and os.path.exists(csr_unlink_file): - os.unlink(csr_unlink_file) - - return certfile - - -class CertmasterXMLRPCServer(SimpleXMLRPCServer.SimpleXMLRPCServer): - def __init__(self, args): - self.allow_reuse_address = True - SimpleXMLRPCServer.SimpleXMLRPCServer.__init__(self, args) - - -def serve(xmlrpcinstance): - - """ - Code for starting the XMLRPC service. - """ - - server = CertmasterXMLRPCServer((xmlrpcinstance.cfg.listen_addr, CERTMASTER_LISTEN_PORT)) - server.logRequests = 0 # don't print stuff to console - server.register_instance(xmlrpcinstance) - server.serve_forever() - - -def main(argv): - - cm = CertMaster('/etc/func/certmaster.conf') - - if "daemon" in argv or "--daemon" in argv: - utils.daemonize("/var/run/certmaster.pid") - else: - print "serving...\n" - - - # just let exceptions bubble up for now - serve(cm) - - -if __name__ == "__main__": - #textdomain(I18N_DOMAIN) - main(sys.argv) diff --git a/func/commonconfig.py b/func/commonconfig.py index 292eb45..66f4cfc 100644 --- a/func/commonconfig.py +++ b/func/commonconfig.py @@ -1,15 +1,22 @@ -from config import BaseConfig, BoolOption, Option +#!/usr/bin/python +""" +func + +Copyright 2007, Red Hat, Inc +see AUTHORS + +This software may be freely redistributed under the terms of the GNU +general public license. -class CMConfig(BaseConfig): - listen_addr = Option('') - cadir = Option('/etc/pki/func/ca') - certroot = Option('/var/lib/certmaster/certmaster/certs') - csrroot = Option('/var/lib/certmaster/certmaster/csrs') - autosign = BoolOption(False) +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +""" + + +from config import BaseConfig, BoolOption, Option class FuncdConfig(BaseConfig): log_level = Option('INFO') - certmaster = Option('certmaster') - cert_dir = Option('/etc/pki/func') acl_dir = Option('/etc/func/minion-acl.d') diff --git a/func/minion/server.py b/func/minion/server.py index 2fa175a..c511598 100755 --- a/func/minion/server.py +++ b/func/minion/server.py @@ -25,17 +25,20 @@ I18N_DOMAIN = "func" from func.config import read_config from func.commonconfig import FuncdConfig +from certmaster.commonconfig import CMConfig from func import logger from func import certs import func.jobthing as jobthing -import utils # our modules import AuthedXMLRPCServer import codes import module_loader import func.utils as futils +import func.minion.utils as fmutils +from certmaster import utils +from certmaster import requester class XmlRpcInterface(object): @@ -46,8 +49,11 @@ class XmlRpcInterface(object): Constructor. """ - config_file = '/etc/func/minion.conf' + cm_config_file = '/etc/certmaster/minion.conf' + self.cm_config = read_config(cm_config_file, CMConfig) + config_file = "/etc/func/minion.conf" self.config = read_config(config_file, FuncdConfig) + self.logger = logger.Logger().logger self.audit_logger = logger.AuditLogger() self.__setup_handlers() @@ -172,9 +178,9 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer, XmlRpcInterface.__init__(self) hn = utils.get_hostname() - self.key = "%s/%s.pem" % (self.config.cert_dir, hn) - self.cert = "%s/%s.cert" % (self.config.cert_dir, hn) - self.ca = "%s/ca.cert" % self.config.cert_dir + self.key = "%s/%s.pem" % (self.cm_config.cert_dir, hn) + self.cert = "%s/%s.cert" % (self.cm_config.cert_dir, hn) + self.ca = "%s/ca.cert" % self.cm_config.cert_dir self._our_ca = certs.retrieve_cert_from_file(self.ca) @@ -234,7 +240,7 @@ class FuncSSLXMLRPCServer(AuthedXMLRPCServer.AuthedSSLXMLRPCServer, return peer_cert.get_subject().CN def _check_acl(self, cert, ip, method, params): - acls = utils.get_acls_from_config(acldir=self.config.acl_dir) + acls = fmutils.get_acls_from_config(acldir=self.config.acl_dir) # certmaster always gets to run things ca_cn = self._our_ca.get_subject().CN @@ -271,7 +277,7 @@ def main(argv): print "serving...\n" try: - utils.create_minion_keys() + requester.request_cert() serve() except codes.FuncException, e: print >> sys.stderr, 'error: %s' % e diff --git a/func/minion/utils.py b/func/minion/utils.py index ea8854c..1133866 100755 --- a/func/minion/utils.py +++ b/func/minion/utils.py @@ -65,78 +65,6 @@ def get_hostname(): -def create_minion_keys(): - config_file = '/etc/func/minion.conf' - config = read_config(config_file, FuncdConfig) - cert_dir = config.cert_dir - master_uri = 'http://%s:51235/' % config.certmaster - hn = get_hostname() - - if hn is None: - raise codes.FuncException("Could not determine a hostname other than localhost") - - key_file = '%s/%s.pem' % (cert_dir, hn) - csr_file = '%s/%s.csr' % (cert_dir, hn) - cert_file = '%s/%s.cert' % (cert_dir, hn) - ca_cert_file = '%s/ca.cert' % cert_dir - - - if os.path.exists(cert_file) and os.path.exists(ca_cert_file): - return - - keypair = None - try: - if not os.path.exists(cert_dir): - os.makedirs(cert_dir) - if not os.path.exists(key_file): - keypair = certs.make_keypair(dest=key_file) - if not os.path.exists(csr_file): - if not keypair: - keypair = certs.retrieve_key_from_file(key_file) - csr = certs.make_csr(keypair, dest=csr_file) - except Exception, e: - traceback.print_exc() - raise codes.FuncException, "Could not create local keypair or csr for minion funcd session" - - result = False - log = logger.Logger().logger - while not result: - try: - log.debug("submitting CSR to certmaster %s" % master_uri) - result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri) - except socket.gaierror, e: - raise codes.FuncException, "Could not locate certmaster at %s" % master_uri - - # logging here would be nice - if not result: - log.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri) - time.sleep(10) - - - if result: - log.debug("received certificate from certmaster %s, storing" % master_uri) - cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644) - os.write(cert_fd, cert_string) - os.close(cert_fd) - - ca_cert_fd = os.open(ca_cert_file, os.O_RDWR|os.O_CREAT, 0644) - os.write(ca_cert_fd, ca_cert_string) - os.close(ca_cert_fd) - -def submit_csr_to_master(csr_file, master_uri): - """" - gets us our cert back from the certmaster.wait_for_cert() method - takes csr_file as path location and master_uri - returns Bool, str(cert), str(ca_cert) - """ - - fo = open(csr_file) - csr = fo.read() - s = xmlrpclib.ServerProxy(master_uri) - - return s.wait_for_cert(csr) - - # this is kind of handy, so keep it around for now # but we really need to fix out server side logging and error # reporting so we don't need it diff --git a/func/overlord/client.py b/func/overlord/client.py index fdcf875..26b1cca 100755 --- a/func/overlord/client.py +++ b/func/overlord/client.py @@ -17,7 +17,7 @@ import sys import glob import os -from func.commonconfig import CMConfig +from certmaster.commonconfig import CMConfig from func.config import read_config, CONFIG_FILE import sslclient @@ -189,13 +189,15 @@ class Client(object): # certmaster key, cert, ca # funcd key, cert, ca # raise FuncClientError - ol_key = '%s/funcmaster.key' % self.config.cadir - ol_crt = '%s/funcmaster.crt' % self.config.cadir + ol_key = '%s/certmaster.key' % self.config.cadir + ol_crt = '%s/certmaster.crt' % self.config.cadir myname = utils.get_hostname() + + # FIXME: should be config -akl? # maybe /etc/pki/func is a variable somewhere? - fd_key = '/etc/pki/func/%s.pem' % myname - fd_crt = '/etc/pki/func/%s.cert' % myname - self.ca = '%s/funcmaster.crt' % self.config.cadir + fd_key = '/etc/pki/certmaster/%s.pem' % myname + fd_crt = '/etc/pki/certmaster/%s.cert' % myname + self.ca = '%s/certmaster.crt' % self.config.cadir if client_key and client_cert and ca: if (os.access(client_key, os.R_OK) and os.access(client_cert, os.R_OK) and os.access(ca, os.R_OK)): diff --git a/func/overlord/command.py b/func/overlord/command.py index 7fb7de4..7cf3623 100644 --- a/func/overlord/command.py +++ b/func/overlord/command.py @@ -15,7 +15,7 @@ import optparse import sys from func.config import read_config, CONFIG_FILE -from func.commonconfig import CMConfig +from certmaster.commonconfig import CMConfig class CommandHelpFormatter(optparse.IndentedHelpFormatter): """ diff --git a/init-scripts/certmaster b/init-scripts/certmaster deleted file mode 100755 index 819ba0d..0000000 --- a/init-scripts/certmaster +++ /dev/null @@ -1,112 +0,0 @@ -#!/bin/sh -# -# certmaster certmaster -################################### - -# LSB header - -### BEGIN INIT INFO -# Provides: certmaster -# Required-Start: network -# Default-Start: 3 4 5 -# Default-Stop: 0 1 2 6 -# Short-Description: certificate master for Fedora Unified Network Control 'master server only' -# Description: certificate master to sign/manage ca/cert infrastructure for func -### END INIT INFO - -# chkconfig header - -# chkconfig: - 98 99 -# description: certificate master to sign/manage ca/cert infrastructure for func -# -# processname: /usr/bin/certmaster - -# Sanity checks. -[ -x /usr/bin/certmaster ] || exit 0 - -SERVICE=certmaster -PROCESS=certmaster -DAEMON=/usr/bin/certmaster -CONFIG_ARGS="--daemon" - -CAStatus() -{ - ps wt? | grep "$DAEMON" 2>&1 > /dev/null - if [ "x$?" = "x0" ]; then - RVAL=0 - echo "certmaster is running" - else - RVAL=3 - echo "certmaster is not running" - fi -} - -if [ -f /lib/lsb/init-functions ]; then - . /lib/lsb/init-functions - alias START_DAEMON=start_daemon - alias STATUS=CAStatus - alias LOG_SUCCESS=log_success_msg - alias LOG_FAILURE=log_failure_msg - alias LOG_WARNING=log_warning_msg -elif [ -f /etc/init.d/functions ]; then - . /etc/init.d/functions - alias START_DAEMON=daemon - alias STATUS=status - alias LOG_SUCCESS=success - alias LOG_FAILURE=failure - alias LOG_WARNING=passed -else - echo "Error: your platform is not supported by $0" > /dev/stderr - exit 1 -fi - -RETVAL=0 - -start() { - echo -n $"Starting certmaster daemon: " - START_DAEMON $PROCESS $CONFIG_ARGS - RETVAL=$? - echo - [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SERVICE - return $RETVAL -} - -stop() { - echo -n $"Stopping certmaster daemon: " - killproc $PROCESS - RETVAL=$? - echo - if [ $RETVAL -eq 0 ]; then - rm -f /var/lock/subsys/$SERVICE - rm -f /var/run/$SERVICE.pid - fi -} - -restart() { - stop - start -} - -# See how we were called. -case "$1" in - start|stop|restart) - $1 - ;; - status) - STATUS $PROCESS - RETVAL=$? - ;; - condrestart) - [ -f /var/lock/subsys/$SERVICE ] && restart || : - ;; - reload) - echo "can't reload configuration, you have to restart it" - RETVAL=$? - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}" - exit 1 - ;; -esac -exit $RETVAL - diff --git a/scripts/update-func b/scripts/update-func new file mode 100755 index 0000000..30fced5 --- /dev/null +++ b/scripts/update-func @@ -0,0 +1,146 @@ +#!/usr//bin/python + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Library General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# 2008 Adrian Likins <alikins@redhat.com> + +# script to migrate pre func/certmaster 0.17 to the split func/certmaster +# locations and formats from 0.17 and later versions + + +import os +import subprocess + +from func import commonconfig +from func import config + +from certmaster import commonconfig as cm_commonconfig +from certmaster import config as cm_config + +# files that have moved +# +# minion certs moved from /etc/pki/func to /etc/pki/certmaster +# overlord certs moved /var/lib/func/certmaster to /var/lib/certmaster/certmaster +# +# /etc/func/minion.conf still exists, but parts of config moved to /etc/certmaster/minion.conf + + +FUNC_MINION_CONF="/etc/func/minion.conf" +CERTMASTER_MINION_CONF="/etc/certmaster/minion.conf" + +FUNC_MINION_CERT_DIR="/etc/pki/func/" +CERTMASTER_MINION_CERT_DIR="/etc/pki/certmaster" + +CERTMASTER_CONF="/etc/certmaster/certmaster.conf" + + +FUNC_CERTMASTER_CERT_DIR="/var/lib/func/certmaster/" +CERTMASTER_CERT_DIR="/var/lib/certmaster/" + + +def list_files(files): + for filename in files: + if os.access(filename, os.R_OK): + print filename, os.stat(filename) + else: + print "%s not found" % filename + + +#list_files([FUNC_MINION_CONF, CERTMASTER_MINION_CONF, FUNC_MINION_CERT_DIR, +# CERTMASTER_MINION_CERT_DIR, FUNC_CERTMASTER_CERT_DIR,CERTMASTER_CERT_DIR]) + + +def func_minion_has_cert_info(fmc_content): + for line in fmc_content: + match = line.find("cert_dir") + if match != -1 and match == 0: + return True + return False + +def certmaster_minion_has_cert_info(cmc_content): + for line in cmc_content: + match = line.find("cert_dir") + if match != -1 and match == 0: + return True + return False + + +def migrate_minion_conf_settings(): + # ugh, do I really want to parse these files? + # guess I kind of have to... + fc = config.read_config(FUNC_MINION_CONF, commonconfig.FuncdConfig) + + + # see if we have edited this file before + fc_f = open(FUNC_MINION_CONF, "r") + fc_c = fc_f.readlines() + obs = False + for line in fc_c: + match = line.find("obsolete =") + if match != -1 and match == 0: + obs = True + + if obs == True: + return + + cmc = cm_config.read_config(CERTMASTER_CONF, cm_commonconfig.CMConfig) + cm_mc = cm_config.read_config(CERTMASTER_MINION_CONF, cm_commonconfig.MinionConfig) + + + cmc.cert_dir = fc.cert_dir + cmc.certmaster = fc.certmaster + + cm_mc.cert_dir = fc.cert_dir + cm_mc.certmaster = fc.certmaster + + # there doesnt' seem to be an obvious way to + # add something to a config obj/file without + # changing the corresponding config class, + # so this is a kluge + fc_f = open(FUNC_MINION_CONF, "a+") + fc_f.write("obsolete = 1\n") + fc_f.close() + + +# print "fc", fc +# print "dir(fc)", dir(fc) + + cmc.write(open(CERTMASTER_CONF, 'w')) + cm_mc.write(open(CERTMASTER_MINION_CONF, 'w')) + + +if os.access(FUNC_MINION_CONF, os.R_OK): + if os.access(CERTMASTER_MINION_CONF, os.R_OK): + fmc_content = open(FUNC_MINION_CONF, 'r').readlines() + cmc_content = open(CERTMASTER_MINION_CONF, 'r').readlines() + +# if func_minion_has_cert_info(fmc_content) and not certmaster_minion_has_cert_info(cmc_content): + if func_minion_has_cert_info(fmc_content): + migrate_minion_conf_settings() + + +if os.access(FUNC_MINION_CERT_DIR, os.R_OK): +# print "copying files from %s to %s" % (FUNC_MINION_CERT_DIR, CERTMASTER_MINION_CERT_DIR) + output = subprocess.Popen(["cp", "-var", FUNC_MINION_CERT_DIR, CERTMASTER_MINION_CERT_DIR], stdout=subprocess.PIPE).communicate()[0] +# print output + +if os.access(CERTMASTER_CERT_DIR, os.R_OK): +# print "copyying files from %s to %s" % (FUNC_CERTMASTER_CERT_DIR, CERTMASTER_CERT_DIR) + output = subprocess.Popen(["cp", "-var", FUNC_CERTMASTER_CERT_DIR, CERTMASTER_CERT_DIR], stdout=subprocess.PIPE).communicate()[0] +# print output + + + + + |