[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures

ASF GitHub Bot (JIRA) Thu, 22 Feb 2018 14:45:27 -0800

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373612#comment-16373612
 ]


ASF GitHub Bot commented on CLOUDSTACK-10283:
---------------------------------------------

rafaelweingartner closed pull request #2454: CLOUDSTACK-10283: Sudo to setup 
agent keystore, fail on host add failure
URL: https://github.com/apache/cloudstack/pull/2454
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/agent/src/com/cloud/agent/Agent.java 
b/agent/src/com/cloud/agent/Agent.java
index d2669c03aeb..1c5417bf767 100644
--- a/agent/src/com/cloud/agent/Agent.java
+++ b/agent/src/com/cloud/agent/Agent.java
@@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand 
cmd) {
             _shell.setPersistentProperty(null, 
KeyStoreUtils.passphrasePropertyName, storedPassword);
         }
 
-        Script script = new Script(_keystoreSetupPath, 60000, s_logger);
+        Script script = new Script(true, _keystoreSetupPath, 60000, s_logger);
         script.add(agentFile.getAbsolutePath());
         script.add(keyStoreFile);
         script.add(storedPassword);
@@ -691,7 +691,7 @@ private Answer setupAgentCertificate(final 
SetupCertificateCommand cmd) {
             throw new CloudRuntimeException("Unable to save received agent 
client and ca certificates", e);
         }
 
-        Script script = new Script(_keystoreCertImportPath, 60000, s_logger);
+        Script script = new Script(true, _keystoreCertImportPath, 60000, 
s_logger);
         script.add(agentFile.getAbsolutePath());
         script.add(keyStoreFile);
         script.add(KeyStoreUtils.agentMode);
diff --git 
a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java 
b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
index 63a44b83518..c1afc9a6f88 100644
--- 
a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
+++ 
b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java
@@ -62,6 +62,7 @@
 import com.cloud.resource.UnableDeleteHostException;
 import com.cloud.utils.PasswordGenerator;
 import com.cloud.utils.StringUtils;
+import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.ssh.SSHCmdHelper;
 import com.trilead.ssh2.Connection;
 
@@ -144,8 +145,7 @@ private void setupAgentSecurity(final Connection 
sshConnection, final String age
         }
 
         if (sshConnection == null) {
-            s_logger.warn("Cannot secure agent communication because ssh 
connection is invalid for host ip=" + agentIp);
-            return;
+            throw new CloudRuntimeException("Cannot secure agent communication 
because ssh connection is invalid for host ip=" + agentIp);
         }
 
         Integer validityPeriod = CAManager.CertValidityPeriod.value();
@@ -154,7 +154,7 @@ private void setupAgentSecurity(final Connection 
sshConnection, final String age
         }
 
         final SSHCmdHelper.SSHCmdResult keystoreSetupResult = 
SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                String.format("/usr/share/cloudstack-common/scripts/util/%s " +
+                String.format("sudo 
/usr/share/cloudstack-common/scripts/util/%s " +
                                 "/etc/cloudstack/agent/agent.properties " +
                                 "/etc/cloudstack/agent/%s " +
                                 "%s %d " +
@@ -166,19 +166,17 @@ private void setupAgentSecurity(final Connection 
sshConnection, final String age
                         KeyStoreUtils.defaultCsrFile));
 
         if (!keystoreSetupResult.isSuccess()) {
-            s_logger.error("Failing, the keystore setup script failed 
execution on the KVM host: " + agentIp);
-            return;
+            throw new CloudRuntimeException("Failed to setup keystore on the 
KVM host: " + agentIp);
         }
 
         final Certificate certificate = 
caManager.issueCertificate(keystoreSetupResult.getStdOut(), 
Collections.singletonList(agentHostname), Collections.singletonList(agentIp), 
null, null);
         if (certificate == null || certificate.getClientCertificate() == null) 
{
-            s_logger.error("Failing, the configured CA plugin failed to issue 
certificates for KVM host agent: " + agentIp);
-            return;
+            throw new CloudRuntimeException("Failed to issue certificates for 
KVM host agent: " + agentIp);
         }
 
         final SetupCertificateCommand certificateCommand = new 
SetupCertificateCommand(certificate);
         final SSHCmdHelper.SSHCmdResult setupCertResult = 
SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,
-                    
String.format("/usr/share/cloudstack-common/scripts/util/%s " +
+                    String.format("sudo 
/usr/share/cloudstack-common/scripts/util/%s " +
                                     "/etc/cloudstack/agent/agent.properties " +
                                     "/etc/cloudstack/agent/%s %s " +
                                     "/etc/cloudstack/agent/%s \"%s\" " +
@@ -195,8 +193,7 @@ private void setupAgentSecurity(final Connection 
sshConnection, final String age
                             certificateCommand.getEncodedPrivateKey()));
 
         if (setupCertResult != null && !setupCertResult.isSuccess()) {
-            s_logger.error("Failed to setup certificate in the KVM agent's 
keystore file, please configure manually!");
-            return;
+            throw new CloudRuntimeException("Failed to setup certificate in 
the KVM agent's keystore file, please see logs and configure manually!");
         }
 
         if (s_logger.isDebugEnabled()) {


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Use sudo to execute keystore setup/import for kvm agents, and fail on 
> keystore setup failures
> ---------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10283
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10283
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> Addition of a KVM host creates keystore on the KVM host's 
> /etc/cloudstack/agent path. The current scripts and codebase assumes that it 
> will be the root user which is why the script don't call keytool with 'sudo'. 
> To allow addition of host using a sudo-enabled/admin user, make suitable 
> changes to the script, and also fail the addHost execution if keystore 
> scripts fail (say due to permission issues etc).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (CLOUDSTACK-10283) Use sudo to execute keystore setup/import for kvm agents, and fail on keystore setup failures

Reply via email to