2 Copyright 2007-2008, Red Hat, Inc
5 This software may be freely redistributed under the terms of the GNU
6 general public license.
8 You should have received a copy of the GNU General Public License
9 along with this program; if not, write to the Free Software
10 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 from config
import read_config
25 from commonconfig
import MinionConfig
29 # FIXME: module needs better pydoc
31 # FIXME: can remove this constant?
32 REMOTE_ERROR
= "REMOTE_ERROR"
34 # The standard I/O file descriptors are redirected to /dev/null by default.
35 if (hasattr(os
, "devnull")):
36 REDIRECT_TO
= os
.devnull
38 REDIRECT_TO
= "/dev/null"
41 x
= traceback
.extract_stack()
42 bar
= string
.join(traceback
.format_list(x
))
45 def daemonize(pidfile
=None):
47 Daemonize this process with the UNIX double-fork trick.
48 Writes the new PID to the provided file name if not None.
63 # based on http://code.activestate.com/recipes/278731/
64 os
.open(REDIRECT_TO
, os
.O_RDWR
) # standard input (0)
66 os
.dup2(0, 1) # standard output (1)
67 os
.dup2(0, 2) # standard error (2)
72 if pidfile
is not None:
73 open(pidfile
, "w").write(str(pid
))
77 def nice_exception(etype
, evalue
, etb
):
80 lefti
= etype
.index("'") + 1
81 righti
= etype
.rindex("'")
82 nicetype
= etype
[lefti
:righti
]
85 nicestack
= string
.join(traceback
.format_list(traceback
.extract_tb(etb
)))
86 return [ REMOTE_ERROR
, nicetype
, str(evalue
), nicestack
]
89 # FIXME: I believe we can remove this function
90 if type(result
) != list:
94 if result
[0] == REMOTE_ERROR
:
98 def get_hostname(talk_to_certmaster
=True):
100 "localhost" is a lame hostname to use for a key, so try to get
101 a more meaningful hostname. We do this by connecting to the certmaster
102 and seeing what interface/ip it uses to make that connection, and looking
103 up the hostname for that.
105 # FIXME: this code ignores http proxies (which granted, we don't
106 # support elsewhere either.
108 hostname
= socket
.gethostname()
109 # print "DEBUG: HOSTNAME TRY1: %s" % hostname
111 ip
= socket
.gethostbyname(hostname
)
114 if ip
!= "127.0.0.1":
118 # FIXME: move to requestor module and also create a verbose mode
119 # prints to the screen for usage by /usr/bin/certmaster-request
121 def create_minion_keys(hostname
=None, ca_name
=''):
122 log
= logger
.Logger().logger
124 # FIXME: paths should not be hard coded here, move to settings universally
125 config_file
= '/etc/certmaster/minion.conf'
126 config
= read_config(config_file
, MinionConfig
)
129 certauth
=config
.ca
[ca_name
]
131 raise codes
.CMException("Unknown cert authority: %s" % ca_name
)
133 cert_dir
= certauth
.cert_dir
135 master_uri
= 'http://%s:%s/' % (config
.certmaster
, config
.certmaster_port
)
142 raise codes
.CMException("Could not determine a hostname other than localhost")
144 # use lowercase letters for hostnames
147 key_file
= '%s/%s.pem' % (cert_dir
, hn
)
148 csr_file
= '%s/%s.csr' % (cert_dir
, hn
)
149 cert_file
= '%s/%s.cert' % (cert_dir
, hn
)
150 ca_cert_file
= '%s/ca.cert' % cert_dir
152 if os
.path
.exists(cert_file
) and os
.path
.exists(ca_cert_file
):
153 # print "DEBUG: err, no cert_file"
158 if not os
.path
.exists(cert_dir
):
159 os
.makedirs(cert_dir
)
160 if not os
.path
.exists(key_file
):
161 keypair
= certs
.make_keypair(dest
=key_file
)
162 if not os
.path
.exists(csr_file
):
164 keypair
= certs
.retrieve_key_from_file(key_file
)
165 csr
= certs
.make_csr(keypair
, dest
=csr_file
, hostname
=hn
)
167 traceback
.print_exc()
168 raise codes
.CMException
, "Could not create local keypair or csr for session"
174 # print "DEBUG: submitting CSR to certmaster: %s" % master_uri
175 log
.debug("submitting CSR: %s to certmaster %s" % (csr_file
, master_uri
))
176 result
, cert_string
, ca_cert_string
= submit_csr_to_master(csr_file
, master_uri
, ca_name
)
177 except socket
.error
, e
:
178 log
.warning("Could not locate certmaster at %s" % master_uri
)
180 # logging here would be nice
182 # print "DEBUG: no response from certmaster, sleeping 10 seconds"
183 log
.warning("no response from certmaster %s, sleeping 10 seconds" % master_uri
)
188 # print "DEBUG: recieved certificate from certmaster"
189 log
.debug("received certificate from certmaster %s, storing to %s" % (master_uri
, cert_file
))
191 keypair
= certs
.retrieve_key_from_file(key_file
)
192 valid
= certs
.check_cert_key_match(cert_string
, keypair
)
194 log
.info("certificate does not match key (run certmaster-ca --clean first?)")
195 sys
.stderr
.write("certificate does not match key (run certmaster-ca --clean first?)\n")
197 cert_fd
= os
.open(cert_file
, os
.O_RDWR|os
.O_CREAT
, 0644)
198 os
.write(cert_fd
, cert_string
)
201 ca_cert_fd
= os
.open(ca_cert_file
, os
.O_RDWR|os
.O_CREAT
, 0644)
202 os
.write(ca_cert_fd
, ca_cert_string
)
205 def run_triggers(ref
, globber
):
207 Runs all the trigger scripts in a given directory.
208 ref can be a certmaster object, if not None, the name will be passed
209 to the script. If ref is None, the script will be called with
210 no argumenets. Globber is a wildcard expression indicating which
211 triggers to run. Example: "/var/lib/certmaster/triggers/blah/*"
214 log
= logger
.Logger().logger
215 triggers
= glob
.glob(globber
)
217 for file in triggers
:
218 log
.debug("Executing trigger: %s" % file)
220 if file.find(".rpm") != -1:
221 # skip .rpmnew files that may have been installed
222 # in the triggers directory
225 rc
= sub_process
.call([file, ref
], shell
=False)
227 rc
= sub_process
.call([file], shell
=False)
229 log
.warning("Warning: failed to execute trigger: %s" % file)
233 raise codes
.CMException
, "certmaster trigger failed: %(file)s returns %(code)d" % { "file" : file, "code" : rc
}
236 def submit_csr_to_master(csr_file
, master_uri
, ca_name
=''):
238 gets us our cert back from the certmaster.wait_for_cert() method
239 takes csr_file as path location and master_uri
240 returns Bool, str(cert), str(ca_cert)
245 s
= xmlrpclib
.ServerProxy(master_uri
)
247 # print "DEBUG: waiting for cert"
248 return s
.wait_for_cert(csr
,ca_name
)