[ https://issues.apache.org/jira/browse/CLOUDSTACK-10283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16373612#comment-16373612 ]
ASF GitHub Bot commented on CLOUDSTACK-10283: --------------------------------------------- rafaelweingartner closed pull request #2454: CLOUDSTACK-10283: Sudo to setup agent keystore, fail on host add failure URL: https://github.com/apache/cloudstack/pull/2454 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/agent/src/com/cloud/agent/Agent.java b/agent/src/com/cloud/agent/Agent.java index d2669c03aeb..1c5417bf767 100644 --- a/agent/src/com/cloud/agent/Agent.java +++ b/agent/src/com/cloud/agent/Agent.java @@ -647,7 +647,7 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) { _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword); } - Script script = new Script(_keystoreSetupPath, 60000, s_logger); + Script script = new Script(true, _keystoreSetupPath, 60000, s_logger); script.add(agentFile.getAbsolutePath()); script.add(keyStoreFile); script.add(storedPassword); @@ -691,7 +691,7 @@ private Answer setupAgentCertificate(final SetupCertificateCommand cmd) { throw new CloudRuntimeException("Unable to save received agent client and ca certificates", e); } - Script script = new Script(_keystoreCertImportPath, 60000, s_logger); + Script script = new Script(true, _keystoreCertImportPath, 60000, s_logger); script.add(agentFile.getAbsolutePath()); script.add(keyStoreFile); script.add(KeyStoreUtils.agentMode); diff --git a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java index 63a44b83518..c1afc9a6f88 100644 --- a/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java +++ b/server/src/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java @@ -62,6 +62,7 @@ import com.cloud.resource.UnableDeleteHostException; import com.cloud.utils.PasswordGenerator; import com.cloud.utils.StringUtils; +import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.ssh.SSHCmdHelper; import com.trilead.ssh2.Connection; @@ -144,8 +145,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age } if (sshConnection == null) { - s_logger.warn("Cannot secure agent communication because ssh connection is invalid for host ip=" + agentIp); - return; + throw new CloudRuntimeException("Cannot secure agent communication because ssh connection is invalid for host ip=" + agentIp); } Integer validityPeriod = CAManager.CertValidityPeriod.value(); @@ -154,7 +154,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age } final SSHCmdHelper.SSHCmdResult keystoreSetupResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection, - String.format("/usr/share/cloudstack-common/scripts/util/%s " + + String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " + "/etc/cloudstack/agent/agent.properties " + "/etc/cloudstack/agent/%s " + "%s %d " + @@ -166,19 +166,17 @@ private void setupAgentSecurity(final Connection sshConnection, final String age KeyStoreUtils.defaultCsrFile)); if (!keystoreSetupResult.isSuccess()) { - s_logger.error("Failing, the keystore setup script failed execution on the KVM host: " + agentIp); - return; + throw new CloudRuntimeException("Failed to setup keystore on the KVM host: " + agentIp); } final Certificate certificate = caManager.issueCertificate(keystoreSetupResult.getStdOut(), Collections.singletonList(agentHostname), Collections.singletonList(agentIp), null, null); if (certificate == null || certificate.getClientCertificate() == null) { - s_logger.error("Failing, the configured CA plugin failed to issue certificates for KVM host agent: " + agentIp); - return; + throw new CloudRuntimeException("Failed to issue certificates for KVM host agent: " + agentIp); } final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate); final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection, - String.format("/usr/share/cloudstack-common/scripts/util/%s " + + String.format("sudo /usr/share/cloudstack-common/scripts/util/%s " + "/etc/cloudstack/agent/agent.properties " + "/etc/cloudstack/agent/%s %s " + "/etc/cloudstack/agent/%s \"%s\" " + @@ -195,8 +193,7 @@ private void setupAgentSecurity(final Connection sshConnection, final String age certificateCommand.getEncodedPrivateKey())); if (setupCertResult != null && !setupCertResult.isSuccess()) { - s_logger.error("Failed to setup certificate in the KVM agent's keystore file, please configure manually!"); - return; + throw new CloudRuntimeException("Failed to setup certificate in the KVM agent's keystore file, please see logs and configure manually!"); } if (s_logger.isDebugEnabled()) { ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Use sudo to execute keystore setup/import for kvm agents, and fail on > keystore setup failures > --------------------------------------------------------------------------------------------- > > Key: CLOUDSTACK-10283 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10283 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Reporter: Rohit Yadav > Assignee: Rohit Yadav > Priority: Major > Fix For: 4.12.0.0, 4.11.1.0 > > > Addition of a KVM host creates keystore on the KVM host's > /etc/cloudstack/agent path. The current scripts and codebase assumes that it > will be the root user which is why the script don't call keytool with 'sudo'. > To allow addition of host using a sudo-enabled/admin user, make suitable > changes to the script, and also fail the addHost execution if keystore > scripts fail (say due to permission issues etc). -- This message was sent by Atlassian JIRA (v7.6.3#76005)