#!/usr/bin/env python
#  Copyright (C) 2017-2018  Red Hat, Inc. <http://www.redhat.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License along
#  with this program; if not, write to the Free Software Foundation, Inc.,
#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

"""
    Description: Module for creating ssl machines for
    validating basic ssl cases
"""

from StringIO import StringIO
from glusto.core import Glusto as g


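def create_ssl_machine(servers, clients):
    """Set up GlusterFS TLS key/certificate material on servers and clients.

    Steps performed:
            - Stop glusterd on all servers
            - Run: openssl genrsa -out /etc/ssl/glusterfs.key 2048
            - Run: openssl req -new -x509 -key /etc/ssl/glusterfs.key
                   -subj "/CN=<name>" -days 365 -out /etc/ssl/glusterfs.pem
              (<name> is the output of `hostname` on a server and the
              entry from `clients` on a client)
            - Write the glusterfs.pem of every node (servers + clients)
              into /etc/ssl/glusterfs.ca on every server
            - On each client, glusterfs.ca holds the client's own
              certificate followed by the server certificates only, so
              clients do not trust each other
            - touch /var/lib/glusterd/secure-access on servers and clients
            - Start glusterd on all servers

    Security notes:
        - The certificates are self-signed and valid for 365 days; every
          certificate placed in a glusterfs.ca file acts as a trust
          anchor for that node.
        - Names interpolated into the openssl command line are
          shell-quoted, because they come from remote command output or
          from the caller.
        - NOTE(review): the mode of /etc/ssl/glusterfs.key is whatever
          openssl and the remote umask produce; confirm it is not
          world-readable on the target systems.

    Args:
        servers: List of servers
        clients: List of clients

    Returns:
        bool : True if successfully created ssl machine. False otherwise.
    """
    # pylint: disable=too-many-statements, too-many-branches
    # pylint: disable=too-many-return-statements
    try:
        from shlex import quote as _quote
    except ImportError:  # Python 2: shlex has no quote()
        from pipes import quote as _quote

    def _parallel_ok(results):
        """Return True only if every host in a run_parallel result exited 0."""
        # NOTE(review): assumes g.run_parallel returns a dict of
        # {host: (retcode, stdout, stderr)} -- confirm against glusto.
        # Any other type keeps the original truthiness check.
        if not isinstance(results, dict):
            return bool(results)
        if not results:
            return False
        return all(res[0] == 0 for res in results.values())

    key_cmd = "openssl genrsa -out /etc/ssl/glusterfs.key 2048"
    # %s receives the already shell-quoted "/CN=<name>" subject
    cert_cmd = ("openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "
                "%s -days 365 -out /etc/ssl/glusterfs.pem")

    # Collects every certificate the servers will trust
    ca_file_server = StringIO()

    # Stop glusterd on all servers
    if not _parallel_ok(g.run_parallel(servers, "systemctl stop glusterd")):
        g.log.error("Failed to stop glusterd on all servers")
        return False

    # Generate key file on all servers
    if not _parallel_ok(g.run_parallel(servers, key_cmd)):
        g.log.error("Failed to create /etc/ssl/glusterfs.key "
                    "file on all servers")
        return False

    # Generate glusterfs.pem file on all servers
    for server in servers:
        rcode, hostname, _ = g.run(server, "hostname")
        # stdout ends with a newline; left in place it would split the
        # openssl command line into two shell commands
        hostname = hostname.strip()
        if rcode != 0 or not hostname:
            g.log.error("Failed to get hostname of server %s", server)
            return False

        # g.run returns (retcode, stdout, stderr); a non-empty tuple is
        # always truthy, so the return code has to be checked explicitly
        rcode, _, _ = g.run(server, cert_cmd % _quote("/CN=" + hostname))
        if rcode != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.pem "
                        "file on server %s", server)
            return False

    # Copy glusterfs.pem file of all servers into ca_file_server
    for server in servers:
        conn = g.rpyc_get_connection(server)
        if conn is None:
            g.log.error("Failed to get rpyc connection on %s", server)
            return False

        with conn.builtin.open('/etc/ssl/glusterfs.pem') as fin:
            ca_file_server.write(fin.read())

    # Snapshot of the server certificates only, for the clients' CA files
    ca_file_client = ca_file_server.getvalue()

    for client in clients:
        # Generate key file on the client
        rcode, _, _ = g.run(client, key_cmd)
        if rcode != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.key "
                        "file on client %s", client)
            return False

        # Generate glusterfs.pem file on the client; the CN is the
        # client entry as passed by the caller
        rcode, _, _ = g.run(client, cert_cmd % _quote("/CN=%s" % client))
        if rcode != 0:
            g.log.error("Failed to create /etc/ssl/glusterfs.pem "
                        "file on client %s", client)
            return False

        # Add the client's glusterfs.pem to the servers' CA bundle
        conn = g.rpyc_get_connection(client)
        if conn is None:
            g.log.error("Failed to get rpyc connection on %s", client)
            return False
        with conn.builtin.open('/etc/ssl/glusterfs.pem') as fin:
            ca_file_server.write(fin.read())

        # Start the client's glusterfs.ca from its own certificate so
        # that clients never receive each other's certificates
        cmd = "cp /etc/ssl/glusterfs.pem /etc/ssl/glusterfs.ca"
        rcode, _, _ = g.run(client, cmd)
        if rcode != 0:
            g.log.error("Failed to copy the glusterfs.pem to "
                        "glusterfs.ca of client")
            return False

        # Now append the certificates of all servers to the client ca file
        with conn.builtin.open('/etc/ssl/glusterfs.ca', 'a') as fout:
            fout.write(ca_file_client)

        # Create /var/lib/glusterd directory on the client; the
        # secure-access file is created inside it further down
        rcode, _, _ = g.run(client, "mkdir -p /var/lib/glusterd/")
        if rcode != 0:
            g.log.error("Failed to create directory /var/lib/glusterd/"
                        " on clients")
            return False

    # Copy the complete CA bundle (servers + clients) to all servers
    for server in servers:
        conn = g.rpyc_get_connection(server)
        if conn is None:
            g.log.error("Failed to get rpyc connection on %s", server)
            return False

        with conn.builtin.open('/etc/ssl/glusterfs.ca', 'w') as fout:
            fout.write(ca_file_server.getvalue())

    # Touch /var/lib/glusterd/secure-access on all servers
    touch_cmd = "touch /var/lib/glusterd/secure-access"
    if not _parallel_ok(g.run_parallel(servers, touch_cmd)):
        g.log.error("Failed to touch the file on servers")
        return False

    # Touch /var/lib/glusterd/secure-access on all clients
    if not _parallel_ok(g.run_parallel(clients, touch_cmd)):
        g.log.error("Failed to touch the file on clients")
        return False

    # Start glusterd on all servers
    if not _parallel_ok(g.run_parallel(servers, "systemctl start glusterd")):
        g.log.error("Failed to start glusterd on servers")
        return False

    return True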


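def cleanup_ssl_setup(servers, clients):
    """Remove the GlusterFS TLS material created for the ssl setup.

    Steps performed (every step is attempted even if an earlier one
    fails, so that a partial setup is still cleaned as far as possible):
            - Stop glusterd on all servers
            - Remove /etc/ssl/glusterfs* (key, certificate and CA file)
              on all servers and clients
            - Remove /var/lib/glusterd/secure-access on all servers
              and clients
            - Start glusterd on all servers

    Args:
        servers: List of servers
        clients: List of clients

    Returns:
        bool : True if successfully cleaned ssl machine. False otherwise.
    """
    # pylint: disable=too-many-return-statements
    def _parallel_ok(results):
        """Return True only if every host in a run_parallel result exited 0."""
        # NOTE(review): assumes g.run_parallel returns a dict of
        # {host: (retcode, stdout, stderr)} -- confirm against glusto.
        # Any other type keeps the original truthiness check.
        if not isinstance(results, dict):
            return bool(results)
        if not results:
            return False
        return all(res[0] == 0 for res in results.values())

    # Removes glusterfs.key, glusterfs.pem and glusterfs.ca
    remove_tls_files = "rm -rf /etc/ssl/glusterfs*"
    # Removes the marker file that enables TLS on the management path
    remove_secure_access = "rm -rf /var/lib/glusterd/secure-access"

    # (hosts, command, message logged when the command fails)
    steps = (
        (servers, "systemctl stop glusterd",
         "Failed to stop glusterd on all servers"),
        (servers, remove_tls_files,
         "Failed to remove folder /etc/ssl/glusterfs* on all servers"),
        (servers, remove_secure_access,
         "Failed to remove folder /var/lib/glusterd/secure-access "
         "on all servers"),
        (clients, remove_tls_files,
         "Failed to remove folder /etc/ssl/glusterfs* on all clients"),
        (clients, remove_secure_access,
         "Failed to remove folder /var/lib/glusterd/secure-access "
         "on all clients"),
        (servers, "systemctl start glusterd",
         "Failed to start glusterd on servers"),
    )

    _rc = True
    for hosts, cmd, err_msg in steps:
        # A leftover key or secure-access file must be reported, so the
        # per-host return codes are checked instead of the truthiness
        # of the result container
        if not _parallel_ok(g.run_parallel(hosts, cmd)):
            _rc = False
            g.log.error(err_msg)

    return _rc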