Added SSL configuration to qpid

The SSL option is disabled by default; when enabled, the broker's
certificates and key are stored in an NSS database.

Added a separate configuration group for qpid SSL

Fixes: rhbz#1022312

Change-Id: I8d58710b5938307b3e2a25e821b640a46c48c97e
This commit is contained in:
Ivan Chavero
2013-09-26 13:41:05 -06:00
parent ea63ff3508
commit 5f5c003553
8 changed files with 163 additions and 9 deletions

.gitmodules vendored

@@ -88,3 +88,6 @@
[submodule "packstack/puppet/modules/certmonger"]
path = packstack/puppet/modules/certmonger
url = git://github.com/rcritten/puppet-certmonger.git
[submodule "packstack/puppet/modules/nssdb"]
path = packstack/puppet/modules/nssdb
url = https://github.com/rcritten/puppet-nssdb.git


@@ -82,12 +82,12 @@ def copyPuppetModules(config):
os_modules = ' '.join(('apache', 'ceilometer', 'certmonger', 'cinder',
'concat', 'firewall', 'glance', 'heat', 'horizon',
'inifile', 'keystone', 'memcached', 'mongodb',
'mysql', 'neutron', 'nova', 'openstack',
'mysql', 'neutron', 'nova', 'nssdb', 'openstack',
'packstack', 'qpid', 'rsync', 'ssh', 'stdlib',
'swift', 'sysctl', 'tempest', 'vcsrepo', 'vlan',
'vswitch', 'xinetd'))
# write puppet manifest to disk
# write puppet manifest to disk
manifestfiles.writeManifests()
server = utils.ScriptRunner()


@@ -3,12 +3,17 @@ Installs and configures qpid
"""
import logging
import uuid
import os
from packstack.installer import validators
from packstack.installer import basedefs
from packstack.installer import utils
from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile
from packstack.modules.common import filtered_hosts
from packstack.modules.ospluginutils import gethostlist,\
getManifestTemplate,\
appendManifestFile
# Controller object will be initialized from main flow
controller = None
@@ -36,7 +41,21 @@ def initConfig(controllerObject):
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
]
{"CMD_OPTION" : "qpid-enable-ssl",
"USAGE" : "Enable SSL for the QPID service",
"PROMPT" : "Enable SSL for the QPID service?",
"OPTION_LIST" : ["y", "n"],
"VALIDATORS" : [validators.validate_options],
"DEFAULT_VALUE" : "n",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": False,
"CONF_NAME" : "CONFIG_QPID_ENABLE_SSL",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
]
groupDict = { "GROUP_NAME" : "QPIDLANCE",
"DESCRIPTION" : "QPID Config parameters",
@@ -47,6 +66,77 @@ def initConfig(controllerObject):
controller.addGroup(groupDict, paramsList)
paramsList = [
{"CMD_OPTION" : "qpid-nss-certdb-pw",
"USAGE" : "The password for the NSS certificate database of the QPID service",
"PROMPT" : "Enter the password for NSS certificate database",
"OPTION_LIST" : [],
"VALIDATORS" : [validators.validate_not_empty],
"DEFAULT_VALUE" : uuid.uuid4().hex[:32],
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_QPID_NSS_CERTDB_PW",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
{"CMD_OPTION" : "qpid-ssl-port",
"USAGE" : "The port in which the QPID service listens to SSL connections",
"PROMPT" : "Enter the SSL port for the QPID service",
"OPTION_LIST" : [],
"VALIDATORS" : [validators.validate_not_empty],
"DEFAULT_VALUE" : "5671",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_QPID_SSL_PORT",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
{"CMD_OPTION" : "qpid-ssl-cert-file",
"USAGE" : "The filename of the certificate that the QPID service is going to use",
"PROMPT" : "Enter the filename of the SSL certificate for the QPID service",
"OPTION_LIST" : [],
"VALIDATORS" : [validators.validate_not_empty],
"DEFAULT_VALUE" : "/etc/pki/tls/certs/qpid_selfcert.pem",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_QPID_SSL_CERT_FILE",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
{"CMD_OPTION" : "qpid-ssl-key-file",
"USAGE" : "The filename of the private key that the QPID service is going to use",
"PROMPT" : "Enter the private key filename",
"OPTION_LIST" : [],
"VALIDATORS" : [validators.validate_not_empty],
"DEFAULT_VALUE" : "/etc/pki/tls/private/qpid_selfkey.pem",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_QPID_SSL_KEY_FILE",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
{"CMD_OPTION" : "qpid-ssl-self-signed",
"USAGE" : "Auto Generates self signed SSL certificate and key",
"PROMPT" : "Generate Self Signed SSL Certificate",
"OPTION_LIST" : ["y","n"],
"VALIDATORS" : [validators.validate_not_empty],
"DEFAULT_VALUE" : "y",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_QPID_SSL_SELF_SIGNED",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
]
groupDict = { "GROUP_NAME" : "QPIDSSL",
"DESCRIPTION" : "QPID Config SSL parameters",
"PRE_CONDITION" : "CONFIG_QPID_ENABLE_SSL",
"PRE_CONDITION_MATCH" : "y",
"POST_CONDITION" : False,
"POST_CONDITION_MATCH" : True}
controller.addGroup(groupDict, paramsList)
def initSequences(controller):
# If we don't want Nova we don't need qpid
@@ -58,6 +148,35 @@ def initSequences(controller):
controller.addSequence("Installing QPID", [], [], qpidsteps)
def createmanifest(config):
manifestfile = "%s_qpid.pp"%controller.CONF['CONFIG_QPID_HOST']
manifestdata = getManifestTemplate("qpid.pp")
manifestfile = "%s_qpid.pp"%config['CONFIG_QPID_HOST']
manifestdata = ""
ssl_manifestdata = ""
server = utils.ScriptRunner(config['CONFIG_QPID_HOST'])
ports = set(["'5672'"])
if config['CONFIG_QPID_ENABLE_SSL'] == 'y':
ports.add("'%s'" % (config['CONFIG_QPID_SSL_PORT']))
config['CONFIG_QPID_ENABLE_SSL'] = 'true'
if config['CONFIG_QPID_SSL_SELF_SIGNED'] == 'y':
server.append( "openssl req -batch -new -x509 -nodes -keyout %s -out %s -days 1095"
% (config['CONFIG_QPID_SSL_KEY_FILE'], config['CONFIG_QPID_SSL_CERT_FILE']) )
server.execute()
ssl_manifestdata = getManifestTemplate('qpid_ssl.pp')
else:
#Set default values
config['CONFIG_QPID_SSL_PORT'] = "5671"
config['CONFIG_QPID_SSL_CERT_FILE'] = ""
config['CONFIG_QPID_SSL_KEY_FILE'] = ""
config['CONFIG_QPID_NSS_CERTDB_PW'] = ""
config['CONFIG_QPID_ENABLE_SSL'] = 'false'
manifestdata = getManifestTemplate('qpid.pp')
manifestdata += ssl_manifestdata
#All hosts should be able to talk to qpid
hosts = ["'%s'" % i for i in filtered_hosts(config, exclude=False)]
config['FIREWALL_ALLOWED'] = ','.join(hosts)
config['FIREWALL_SERVICE_NAME'] = "qpid"
config['FIREWALL_PORTS'] = ','.join(ports)
manifestdata += getManifestTemplate("firewall.pp")
appendManifestFile(manifestfile, manifestdata, 'pre')
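Review bot: The self-signed generation command `openssl req -batch -new -x509 -nodes -keyout %s -out %s -days 1095` passes no `-subj`, so in batch mode the subject is taken from openssl.cnf defaults and the CN is normally empty, leaving clients nothing to match the broker hostname against; `openssl req` also creates the `-keyout` file under the caller's umask rather than 0600, so the key can end up world-readable if /etc/pki/tls/private permits it (I cannot see the remote umask from here). The two path values are also interpolated unquoted into the shell string, which breaks on paths containing spaces — these come from the answer file, so this is robustness rather than an injection concern. I would build the command as `"umask 077; openssl req -batch -new -x509 -nodes -subj '/CN=%s' -keyout '%s' -out '%s' -days 1095 && chmod 600 '%s'" % (config['CONFIG_QPID_HOST'], key, cert, key)`, assuming the later nssdb import runs as root; createmanifest appears to end at this hunk's last line, but anything after it is not visible here.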


@@ -12,4 +12,4 @@ define add_allow_host {
}
}
add_allow_host { $hosts:}
add_allow_host {$hosts:}


@@ -1,4 +1,3 @@
class {"qpid::server":
config_file => $::operatingsystem? {
'Fedora' => '/etc/qpid/qpidd.conf',
@@ -6,6 +5,11 @@ class {"qpid::server":
},
auth => "no",
clustered => false,
ssl_port => '%(CONFIG_QPID_SSL_PORT)s',
ssl => %(CONFIG_QPID_ENABLE_SSL)s,
ssl_cert => '%(CONFIG_QPID_SSL_CERT_FILE)s',
ssl_key => '%(CONFIG_QPID_SSL_KEY_FILE)s',
ssl_database_password => '%(CONFIG_QPID_NSS_CERTDB_PW)s',
}
firewall { '001 qpid incoming':
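Review bot: `ssl_database_password => '%(CONFIG_QPID_NSS_CERTDB_PW)s'` renders the NSS database password into the generated `*_qpid.pp` manifest as a cleartext literal, so the manifest (and the answer file it is read from) now carries a secret and must not be world-readable wherever packstack writes and copies it; the permissions used for that are not visible from this page. I would add above the class: `# ssl_database_password is a secret: keep the rendered manifest and answer file non-world-readable`. Note also that `auth => "no"` is unchanged, so enabling SSL encrypts the transport but still does not authenticate clients — the `firewall { '001 qpid incoming'` allow-list below remains the only access control on the broker.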


@@ -0,0 +1,27 @@
# User and group for the nss database
group { 'qpidd':
ensure => 'present',
}
user { 'qpidd':
ensure => 'present',
managehome => true,
home => '/var/run/qpidd',
require => Group['qpidd']
}
file { 'pid_dir':
path => '/var/run/qpidd',
ensure => directory,
owner => 'qpidd',
group => 'qpidd',
require => User['qpidd'],
}
file_line { 'pid_dir_conf':
path => $qpid::server::config_file,
line => 'pid-dir=/var/run/qpidd',
require => File['pid_dir'],
}