#!/usr/bin/env python
# Copyright (C) 2017-2018 Red Hat, Inc. <http://www.redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
"""
Description: Module for creating ssl machines for
validating basic ssl cases
"""
from io import StringIO
from glusto.core import Glusto as g
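def create_ssl_machine(servers, clients):
    """Set up self-signed TLS key material on the given servers and clients.

    Following are the steps to create ssl machines:
        - Stop glusterd on all servers
        - Run: openssl genrsa -out /etc/ssl/glusterfs.key 2048
        - Run: openssl req -new -x509 -key /etc/ssl/glusterfs.key
               -subj "/CN=<name>" -days 365 -out /etc/ssl/glusterfs.pem
        - Write the glusterfs.pem of every node (servers + clients) to
          /etc/ssl/glusterfs.ca on each server
        - On each client, write its own glusterfs.pem followed by the
          servers' certificates to /etc/ssl/glusterfs.ca
        - touch /var/lib/glusterd/secure-access on servers and clients
        - Start glusterd on all servers

    Args:
        servers: List of servers
        clients: List of clients

    Returns:
        bool : True if successfully created ssl machine. False otherwise.
    """
    # pylint: disable=too-many-statements, too-many-branches
    # pylint: disable=too-many-return-statements

    # Collects the PEM certificates that end up in the servers' CA file.
    ca_file_server = StringIO()

    # NOTE(review): every g.run_parallel() result in this function is only
    # tested for truthiness. If run_parallel returns per-host results, a
    # non-zero exit status on a single host is not caught by `not ret`;
    # confirm against glusto and check each return code if so.

    # Stop glusterd on all servers
    ret = g.run_parallel(servers, "systemctl stop glusterd")
    if not ret:
        g.log.error("Failed to stop glusterd on all servers")
        return False

    # Generate key file on all servers
    # NOTE(review): the private key is written without an explicit file
    # mode; confirm it ends up readable by root only.
    cmd = "openssl genrsa -out /etc/ssl/glusterfs.key 2048"
    ret = g.run_parallel(servers, cmd)
    if not ret:
        g.log.error("Failed to create /etc/ssl/glusterfs.key "
                    "file on all servers")
        return False

    # Generate glusterfs.pem file on all servers
    for server in servers:
        ret, hostname, _ = g.run(server, "hostname")
        if ret != 0:
            g.log.error("Failed to get the hostname of server %s", server)
            return False
        # Strip the command output: a trailing newline inside the -subj
        # value would cut the openssl command line in two.
        # NOTE(review): the hostname is interpolated into a shell command
        # unquoted; fine for lab hostnames, quote it if that ever changes.
        cmd = ("openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "
               "/CN=%s -days 365 -out /etc/ssl/glusterfs.pem"
               % hostname.strip())
        # g.run() returns (retcode, stdout, stderr); a non-empty tuple is
        # always truthy, so the return code has to be compared explicitly.
        ret, _, _ = g.run(server, cmd)
        if ret != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.pem "
                        "file on server %s", server)
            return False

    # Copy glusterfs.pem file of all servers into ca_file_server
    for server in servers:
        conn1 = g.rpyc_get_connection(server)
        # The string comparison is kept from the original check; a failed
        # connection is presumably reported as None -- confirm.
        if conn1 is None or conn1 == "None":
            g.log.error("Failed to get rpyc connection on %s", server)
            return False
        with conn1.builtin.open('/etc/ssl/glusterfs.pem') as fin:
            ca_file_server.write(fin.read())

    # Snapshot of the servers' certificates only: this is what each client
    # trusts in addition to its own certificate.
    ca_file_client = ca_file_server.getvalue()

    for client in clients:
        # Generate key file on the client
        cmd = "openssl genrsa -out /etc/ssl/glusterfs.key 2048"
        ret, _, _ = g.run(client, cmd)
        if ret != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.key "
                        "file on client %s", client)
            return False

        # Generate glusterfs.pem file on the client. The CN is the name
        # the client is listed under in `clients`, whereas servers use
        # the hostname they report.
        cmd = ("openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "
               "/CN=%s -days 365 -out /etc/ssl/glusterfs.pem" % (client))
        ret, _, _ = g.run(client, cmd)
        if ret != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.pem "
                        "file on client %s", client)
            return False

        # Add the client's certificate to the servers' CA file
        conn2 = g.rpyc_get_connection(client)
        if conn2 is None or conn2 == "None":
            g.log.error("Failed to get rpyc connection on %s", client)
            return False
        with conn2.builtin.open('/etc/ssl/glusterfs.pem') as fin:
            ca_file_server.write(fin.read())

        # Start the client's glusterfs.ca from its own certificate so
        # that clients do not end up trusting each other's certificates.
        cmd = "cp /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.ca"
        ret, _, _ = g.run(client, cmd)
        if ret != 0:
            g.log.error("Failed to copy the glusterfs.pem to "
                        "glusterfs.ca of client")
            return False

        # Now append the certificates of all servers to the client ca file
        with conn2.builtin.open('/etc/ssl/glusterfs.ca', 'a') as fout:
            fout.write(ca_file_client)

        # Create /var/lib/glusterd directory on the client; the
        # secure-access file is created inside it further down.
        ret, _, _ = g.run(client, "mkdir -p /var/lib/glusterd/")
        if ret != 0:
            g.log.error("Failed to create directory /var/lib/glusterd/"
                        " on clients")
            return False

    # Copy ca_file_server (server and client certificates) to all servers
    for server in servers:
        conn3 = g.rpyc_get_connection(server)
        if conn3 is None or conn3 == "None":
            g.log.error("Failed to get rpyc connection on %s", server)
            return False
        with conn3.builtin.open('/etc/ssl/glusterfs.ca', 'w') as fout:
            fout.write(ca_file_server.getvalue())

    # Touch /var/lib/glusterd/secure-access on all servers
    ret = g.run_parallel(servers, "touch /var/lib/glusterd/secure-access")
    if not ret:
        g.log.error("Failed to touch the file on servers")
        return False

    # Touch /var/lib/glusterd/secure-access on all clients
    ret = g.run_parallel(clients, "touch /var/lib/glusterd/secure-access")
    if not ret:
        g.log.error("Failed to touch the file on clients")
        return False

    # Start glusterd on all servers
    ret = g.run_parallel(servers, "systemctl start glusterd")
    if not ret:
        g.log.error("Failed to start glusterd on servers")
        return False

    return True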
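def cleanup_ssl_setup(servers, clients):
    """Remove the TLS key material and secure-access marker from all nodes.

    Following are the steps to cleanup ssl setup:
        - Stop glusterd on all servers
        - Remove /etc/ssl/glusterfs* (key, pem and ca files) on servers
          and clients
        - Remove /var/lib/glusterd/secure-access on servers and clients
        - Start glusterd on all servers

    Every step is attempted even if an earlier one failed, so that as
    much as possible is cleaned up.

    Args:
        servers: List of servers
        clients: List of clients

    Returns:
        bool : True if successfully cleaned ssl machine. False otherwise.
    """
    # (hosts, command, message logged on failure), in execution order.
    steps = (
        (servers, "systemctl stop glusterd",
         "Failed to stop glusterd on all servers"),
        (servers, "rm -rf /etc/ssl/glusterfs*",
         "Failed to remove folder /etc/ssl/glusterfs* "
         "on all servers"),
        (servers, "rm -rf /var/lib/glusterd/secure-access",
         "Failed to remove folder /var/lib/glusterd/secure-access "
         "on all servers"),
        (clients, "rm -rf /etc/ssl/glusterfs*",
         "Failed to remove folder /etc/ssl/glusterfs* "
         "on all clients"),
        (clients, "rm -rf /var/lib/glusterd/secure-access",
         "Failed to remove folder /var/lib/glusterd/secure-access "
         "on all clients"),
        (servers, "systemctl start glusterd",
         "Failed to start glusterd on servers"),
    )

    _rc = True
    for hosts, cmd, failure_msg in steps:
        # NOTE(review): the run_parallel result is only tested for
        # truthiness; if it returns per-host results, a non-zero exit
        # status on one host is not caught here -- confirm against glusto.
        ret = g.run_parallel(hosts, cmd)
        if not ret:
            _rc = False
            g.log.error(failure_msg)

    return _rc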