Alon Bar-Lev has posted comments on this change.
Change subject: pki: use PKCS#12 format to store keys
......................................................................
Patch Set 7: (6 inline comments)
....................................................
File packaging/fedora/setup/engine-setup.py
Line 767: pubtemp = None
Line 768:
Line 769: try:
Line 770: # Create new CA only if none available
Line 771: if not os.path.exists(os.path.join(basedefs.DIR_OVIRT_PKI,
"ca.pem")):
Done, this derived some other changes of similar existing issues in script.
Line 772: _updateCaCrtTemplate()
Line 773:
Line 774: # time.timezone is in seconds
Line 775: tzOffset = time.timezone / 3600
....................................................
File packaging/fedora/setup/engine-upgrade.py
Line 573: class CA():
Line 574:
Line 575: JKSKEYSTORE = "/etc/pki/ovirt-engine/.keystore"
Line 576: rollback_keystore = False
Line 577: rollback_key = False
Right. Thanks!
Line 578:
Line 579: def prepare(self):
Line 580: if os.path.exists(self.JKSKEYSTORE):
Line 581: logging.debug("PKI: convert JKS to PKCS#12")
Line 578:
Line 579: def prepare(self):
Line 580: if os.path.exists(self.JKSKEYSTORE):
Line 581: logging.debug("PKI: convert JKS to PKCS#12")
Line 582: output, rc = utils. execCmd(
OK, although I would have moved all to in-line as there is no reason for this
extra variable... :)
Line 583: cmdList=[
Line 584: basedefs.EXEC_KEYTOOL,
Line 585: "-importkeystore",
Line 586: "-noprompt",
Line 620: raise
Line 621:
Line 622: utils.updateVDCOption("keystoreUrl",
basedefs.FILE_ENGINE_KEYSTORE, (), "text")
Line 623: utils.updateVDCOption("TruststoreUrl",
basedefs.FILE_TRUSTSTORE, (), "text")
Line 624: utils.updateVDCOption("CertAlias", "1", (), "text")
No... anyway not that I think:
1. it can fail.
2. database rollback will be performed upon rollback anyway.
Line 625:
Line 626: def commit(self):
Line 627: if os.path.exists(self.JKSKEYSTORE):
Line 628: logging.debug("PKI: removing JKS keystore")
Line 630: os.remove(self.JKSKEYSTORE)
Line 631: except OsError:
Line 632: logging.error("PKI: cannot remove JKS keystore '%s'"
% self.JKSKEYSTORE)
Line 633:
Line 634: if not
stat.S_ISLNK(os.lstat(basedefs.FILE_ENGINE_PRIVATE_KEY).st_mode):
Yes, although I wanted to protect in case of invalid configuration.
But you are right, it is impossible to get different result.
Line 635: try:
Line 636: os.remove(basedefs.FILE_PRIVATE_SSH_KEY)
Line 637: except OSError:
Line 638: logging.error("PKI: cannot remove '%s'" %
basedefs.FILE_PRIVATE_SSH_KEY)
Line 644: logging.error("PKI: cannot symlink '%s'->'%s'" %
(basedefs.FILE_PRIVATE_SSH_KEY, basedefs.FILE_ENGINE_PRIVATE_KEY) )
Line 645: raise
Line 646:
Line 647: def rollback(self):
Line 648: if os.path.exists(self.JKSKEYSTORE):
If remove cannot happen, also symlink cannot happen... the file is left intact.
System continue to operate.
JKSKEYSTORE should be removed in favour of the FILE_ENGINE_KEYSTORE. this
happens in the prepare.
So unless I am missing something, it is OK.
Thanks!
Line 649: for f in (basedefs.FILE_ENGINE_KEYSTORE,
basedefs.FILE_ENGINE_PRIVATE_KEY):
Line 650: try:
Line 651: os.remove(f)
Line 652: except OSError:
--
To view, visit http://gerrit.ovirt.org/6883
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I2abda5778477faff09798a43cf3dc96435efb272
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alex Lourie <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Barak Azulay <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Ofer Schreiber <[email protected]>
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
