--- /dev/null
+"""
+Copyright 2007, Red Hat, Inc
+see AUTHORS
+
+This software may be freely redistributed under the terms of the GNU
+general public license.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+"""
+
+import os
+import socket
+import string
+import sys
+import time
+import traceback
+import xmlrpclib
+import glob
+import traceback
+
+import codes
+from func import certs
+from func.config import read_config
+from func.commonconfig import FuncdConfig
+from func import logger
+
+# "localhost" is a lame hostname to use for a key, so try to get
+# a more meaningful hostname. We do this by connecting to the certmaster
+# and seeing what interface/ip it uses to make that connection, and looking
+# up the hostname for that.
+def get_hostname():
+
+ # FIXME: this code ignores http proxies (which granted, we don't
+ # support elsewhere either. It also hardcodes the port number
+ # for the certmaster for now
+ hostname = None
+ hostname = socket.gethostname()
+ try:
+ ip = socket.gethostbyname(hostname)
+ except:
+ return hostname
+ if ip != "127.0.0.1":
+ return hostname
+
+
+ config_file = '/etc/func/minion.conf'
+ config = read_config(config_file, FuncdConfig)
+
+ server = config.certmaster
+ port = 51235
+
+ try:
+ s = socket.socket()
+ s.settimeout(5)
+ s.connect((server, port))
+ (intf, port) = s.getsockname()
+ hostname = socket.gethostbyaddr(intf)[0]
+ s.close()
+ except:
+ s.close()
+ raise
+
+ return hostname
+
+
+
+def create_minion_keys():
+ config_file = '/etc/func/minion.conf'
+ config = read_config(config_file, FuncdConfig)
+ cert_dir = config.cert_dir
+ master_uri = 'http://%s:51235/' % config.certmaster
+ hn = get_hostname()
+
+ if hn is None:
+ raise codes.FuncException("Could not determine a hostname other than localhost")
+
+ key_file = '%s/%s.pem' % (cert_dir, hn)
+ csr_file = '%s/%s.csr' % (cert_dir, hn)
+ cert_file = '%s/%s.cert' % (cert_dir, hn)
+ ca_cert_file = '%s/ca.cert' % cert_dir
+
+
+ if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
+ return
+
+ keypair = None
+ try:
+ if not os.path.exists(cert_dir):
+ os.makedirs(cert_dir)
+ if not os.path.exists(key_file):
+ keypair = certs.make_keypair(dest=key_file)
+ if not os.path.exists(csr_file):
+ if not keypair:
+ keypair = certs.retrieve_key_from_file(key_file)
+ csr = certs.make_csr(keypair, dest=csr_file)
+ except Exception, e:
+ traceback.print_exc()
+ raise codes.FuncException, "Could not create local keypair or csr for minion funcd session"
+
+ result = False
+ log = logger.Logger().logger
+ while not result:
+ try:
+ log.debug("submitting CSR to certmaster %s" % master_uri)
+ result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
+ except socket.gaierror, e:
+ raise codes.FuncException, "Could not locate certmaster at %s" % master_uri
+
+ # logging here would be nice
+ if not result:
+ log.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri)
+ time.sleep(10)
+
+
+ if result:
+ log.debug("received certificate from certmaster %s, storing" % master_uri)
+ cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
+ os.write(cert_fd, cert_string)
+ os.close(cert_fd)
+
+ ca_cert_fd = os.open(ca_cert_file, os.O_RDWR|os.O_CREAT, 0644)
+ os.write(ca_cert_fd, ca_cert_string)
+ os.close(ca_cert_fd)
+
+def submit_csr_to_master(csr_file, master_uri):
+ """"
+ gets us our cert back from the certmaster.wait_for_cert() method
+ takes csr_file as path location and master_uri
+ returns Bool, str(cert), str(ca_cert)
+ """
+
+ fo = open(csr_file)
+ csr = fo.read()
+ s = xmlrpclib.ServerProxy(master_uri)
+
+ return s.wait_for_cert(csr)
+
+
+# this is kind of handy, so keep it around for now
+# but we really need to fix out server side logging and error
+# reporting so we don't need it
+def trace_me():
+ x = traceback.extract_stack()
+ bar = string.join(traceback.format_list(x))
+ return bar
+
+
+def daemonize(pidfile=None):
+ """
+ Daemonize this process with the UNIX double-fork trick.
+ Writes the new PID to the provided file name if not None.
+ """
+
+ print pidfile
+ pid = os.fork()
+ if pid > 0:
+ sys.exit(0)
+ os.setsid()
+ os.umask(0)
+ pid = os.fork()
+
+
+ if pid > 0:
+ if pidfile is not None:
+ open(pidfile, "w").write(str(pid))
+ sys.exit(0)
+
+def get_acls_from_config(acldir='/etc/func/minion-acl.d'):
+ """
+ takes a dir of .acl files
+ returns a dict of hostname+hash = [methods, to, run]
+
+ """
+
+ acls = {}
+ if not os.path.exists(acldir):
+ print 'acl dir does not exist: %s' % acldir
+ return acls
+
+ # get the set of files
+ acl_glob = '%s/*.acl' % acldir
+ files = glob.glob(acl_glob)
+
+ for acl_file in files:
+
+ try:
+ fo = open(acl_file, 'r')
+ except (IOError, OSError), e:
+ print 'cannot open acl config file: %s - %s' % (acl_file, e)
+ continue
+
+ for line in fo.readlines():
+ if line.startswith('#'): continue
+ if line.strip() == '': continue
+ line = line.replace('\n', '')
+ (host, methods) = line.split('=')
+ host = host.strip().lower()
+ methods = methods.strip()
+ methods = methods.replace(',',' ')
+ methods = methods.split()
+ if not acls.has_key(host):
+ acls[host] = []
+ acls[host].extend(methods)
+
+ return acls
projects / certmaster.git / blobdiff