x/packstack
Code Issues Proposed changes

HTTPS cert changes

Browse Source 
o No longer use the self signed cert genetated by the mod_ssl package
o generate our own self signed cert
o add options so user can specify their own cert to use
o close port 80 if using ssl for horizon
o Adds a new resources member to the controller object, this contains
  a list of files to be copied to remote host

Addresses some of the points raised in
https://bugzilla.redhat.com/show_bug.cgi?id=919071

Change-Id: I9182b07481fd396a8a250ea045428a5c382eb2b1
This commit is contained in:
Derek Higgins
2013-03-10 17:35:16 -04:00
parent b366123ecc
commit ae1b33dcc4
6 changed files with 156 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
packstack/installer/setup_controller.py
View File

@@ -34,6 +34,21 @@ class Controller(object):
# only like data container # only like data container
self.temp_map = {} self.temp_map = {}
# Resources that should be copied to each host along with the puppet
# files, on the remote host the file will be placed in
# $PACKSTACK_VAR_DIR/resources. As with temp_map, this controller
# should copy the files, for now the puppet plugin is doing it
# format {'host':[('/path/to/fileordirectory', 'filenameonremotehost'), ..]}
self.resources = {}
def addResource(self, host, localpath, remotename):
""" Populates self.resources """
current_value_for_host = self.resources.get(host, [])
current_value_for_host.append((localpath,remotename))
self.resources[host] = current_value_for_host
# PLugins # PLugins
def addPlugin(self, plugObj): def addPlugin(self, plugObj):
self.__PLUGINS.append(plugObj) self.__PLUGINS.append(plugObj)

62
packstack/plugins/dashboard_500.py
View File

@@ -3,11 +3,13 @@ Installs and configures OpenStack Horizon
""" """
import logging import logging
import os
import uuid import uuid
import packstack.installer.engine_validators as validate import packstack.installer.engine_validators as validate
import packstack.installer.engine_processors as process import packstack.installer.engine_processors as process
from packstack.installer import basedefs, output_messages from packstack.installer import basedefs, output_messages
from packstack.installer import exceptions
import packstack.installer.common_utils as utils import packstack.installer.common_utils as utils
from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile
@@ -61,6 +63,42 @@ def initConfig(controllerObject):
controller.addGroup(groupDict, paramsList) controller.addGroup(groupDict, paramsList)
paramsList = [
{"CMD_OPTION" : "os-ssl-cert",
"USAGE" : "PEM encoded certificate to be used for ssl on the https server, leave blank if one should be generated, this certificate should not require a passphrase",
"PROMPT" : "Enter the path to a PEM encoded certificate to be used on thr https server, leave blank if one should be generated, this certificate should not require a passphrase",
"OPTION_LIST" : [],
"VALIDATORS" : [],
"DEFAULT_VALUE" : '',
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_SSL_CERT",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
{"CMD_OPTION" : "os-ssl-key",
"USAGE" : "Keyfile corresponding to the certificate if one was entered",
"PROMPT" : "Enter the keyfile corresponding to the certificate if one was entered",
"OPTION_LIST" : [],
"VALIDATORS" : [],
"DEFAULT_VALUE" : "",
"MASK_INPUT" : False,
"LOOSE_VALIDATION": True,
"CONF_NAME" : "CONFIG_SSL_KEY",
"USE_DEFAULT" : False,
"NEED_CONFIRM" : False,
"CONDITION" : False },
]
groupDict = { "GROUP_NAME" : "OSSSL",
"DESCRIPTION" : "SSL Config parameters",
"PRE_CONDITION" : "CONFIG_HORIZON_SSL",
"PRE_CONDITION_MATCH" : "y",
"POST_CONDITION" : False,
"POST_CONDITION_MATCH" : True}
controller.addGroup(groupDict, paramsList)
def initSequences(controller): def initSequences(controller):
if controller.CONF['CONFIG_HORIZON_INSTALL'] != 'y': if controller.CONF['CONFIG_HORIZON_INSTALL'] != 'y':
@@ -83,13 +121,31 @@ def createmanifest():
if controller.CONF["CONFIG_HORIZON_SSL"] == 'y': if controller.CONF["CONFIG_HORIZON_SSL"] == 'y':
controller.CONF["CONFIG_HORIZON_PORT"] = "'443'" controller.CONF["CONFIG_HORIZON_PORT"] = "'443'"
controller.MESSAGES.append( controller.MESSAGES.append(
"%sNOTE%s : A default self signed certificate was used for ssl, " "%sNOTE%s : A certificate was generated to be used for ssl, "
"You should change the ssl certificate configured in " "You should change the ssl certificate configured in "
"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert." "/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
% (basedefs.RED, basedefs.NO_COLOR, horizon_host)) % (basedefs.RED, basedefs.NO_COLOR, horizon_host))
proto = "https" proto = "https"
sslmanifestdata += ("class {'apache::mod::ssl': }\n" sslmanifestdata += getManifestTemplate("https.pp")
"file {'/etc/httpd/conf.d/ssl.conf':}\n")
# Are we using the users cert/key files
if controller.CONF["CONFIG_SSL_CERT"]:
ssl_cert = controller.CONF["CONFIG_SSL_CERT"]
ssl_key = controller.CONF["CONFIG_SSL_KEY"]
if not os.path.exists(ssl_cert):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_cert)
if ssl_key and not os.path.exists(ssl_key):
raise exceptions.ParamValidationError(
"The file %s doesn't exist" % ssl_key)
controller.addResource(horizon_host, ssl_cert, 'ssl_ps_server.crt')
if ssl_key:
controller.addResource(
horizon_host, ssl_key, 'ssl_ps_server.key'
)
manifestdata = getManifestTemplate("horizon.pp") manifestdata = getManifestTemplate("horizon.pp")
manifestdata += sslmanifestdata manifestdata += sslmanifestdata

7
packstack/plugins/puppet_950.py
View File

@@ -94,6 +94,12 @@ def copyPuppetModules():
"ssh -o StrictHostKeyChecking=no " "ssh -o StrictHostKeyChecking=no "
"-o UserKnownHostsFile=/dev/null " "-o UserKnownHostsFile=/dev/null "
"root@%s tar -C %s -xpzf -" % (tar_opts, hostname, host_dir)) "root@%s tar -C %s -xpzf -" % (tar_opts, hostname, host_dir))
for path, localname in controller.resources.get(hostname, []):
server.append("scp -o StrictHostKeyChecking=no "
"-o UserKnownHostsFile=/dev/null %s root@%s:%s/resources/%s" %
(path, hostname, host_dir, localname))
server.execute() server.execute()
@@ -170,6 +176,7 @@ def applyPuppetManifest():
server.append("export FACTERLIB=$FACTERLIB:%s/facts" % host_dir) server.append("export FACTERLIB=$FACTERLIB:%s/facts" % host_dir)
server.append("touch %s" % running_logfile) server.append("touch %s" % running_logfile)
server.append("chmod 600 %s" % running_logfile) server.append("chmod 600 %s" % running_logfile)
server.append("export PACKSTACK_VAR_DIR=%s" % host_dir)
command = "( flock %s/ps.lock puppet apply --modulepath %s/modules %s > %s 2>&1 < /dev/null ; mv %s %s ) > /dev/null 2>&1 < /dev/null &" % (host_dir, host_dir, man_path, running_logfile, running_logfile, finished_logfile) command = "( flock %s/ps.lock puppet apply --modulepath %s/modules %s > %s 2>&1 < /dev/null ; mv %s %s ) > /dev/null 2>&1 < /dev/null &" % (host_dir, host_dir, man_path, running_logfile, running_logfile, finished_logfile)
server.append(command) server.append(command)
server.execute() server.execute()

1
packstack/plugins/serverprep_901.py
View File

@@ -436,6 +436,7 @@ def serverprep():
# the directory already exists # the directory already exists
host_dir = os.path.join(basedefs.PACKSTACK_VAR_DIR, uuid.uuid4().hex) host_dir = os.path.join(basedefs.PACKSTACK_VAR_DIR, uuid.uuid4().hex)
server.append("mkdir --mode 0700 %s" % host_dir) server.append("mkdir --mode 0700 %s" % host_dir)
server.append("mkdir %s/resources" % host_dir)
controller.temp_map[hostname] = host_dir controller.temp_map[hostname] = host_dir
# Add yum repositories if configured # Add yum repositories if configured

37
packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/env bash
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
FQDN=localhost.localdomain
fi
SSLKEY=/etc/pki/tls/private/ssl_ps_server.key
SSLCERT=/etc/pki/tls/certs/ssl_ps_server.crt
# If packstack dropped a cert in the resources directory then we
# use that instead of generating one
if [ -f $PACKSTACK_VAR_DIR/resources/ssl_ps_server.crt ] ; then
cp $PACKSTACK_VAR_DIR/resources/ssl_ps_server.crt $SSLCERT
cp $PACKSTACK_VAR_DIR/resources/ssl_ps_server.key $SSLKEY
exit 0
fi
umask 277
answers() {
echo --
echo State
echo City
echo openstack
echo packstack
echo $1
echo admin@$1
echo
echo
}
# gen key and self signed host cert
openssl genrsa -rand 2048 > $SSLKEY 2> /dev/null
answers $FQDN | openssl req -new -x509 -days 1096 -key $SSLKEY -text -out $SSLCERT

37
packstack/puppet/templates/https.pp Normal file
View File

@@ -0,0 +1,37 @@
class {'apache::mod::ssl': }
file {'/etc/httpd/conf.d/ssl.conf':}
file {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
content => template('packstack/ssl/generate_ssl_certs.sh.erb'),
ensure => present,
mode => '755',
}
exec {'/etc/pki/tls/certs/ps_generate_ssl_certs.ssh':
require => File['/etc/pki/tls/certs/ps_generate_ssl_certs.ssh'],
notify => Service['httpd'],
}
# close port 80
file_line{'nohttp':
path => '/etc/httpd/conf/httpd.conf',
match => '^#?Listen 80',
line => '#Listen 80',
require => Class['apache::mod::ssl']
}
# set the name of the ssl cert and key file
file_line{'sslcert':
path => '/etc/httpd/conf.d/ssl.conf',
match => '^SSLCertificateFile ',
line => 'SSLCertificateFile /etc/pki/tls/certs/ssl_ps_server.crt',
require => Class['apache::mod::ssl']
}
file_line{'sslkey':
path => '/etc/httpd/conf.d/ssl.conf',
match => '^SSLCertificateKeyFile ',
line => 'SSLCertificateKeyFile /etc/pki/tls/private/ssl_ps_server.key',
require => Class['apache::mod::ssl']
}