apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add logs to keystore-setup and fix password regex (#10723)

Browse Source
This commit is contained in:
Orsiris de Jong 2025-08-29 10:44:04 +02:00 committed by GitHub
parent 5da7d2d01e
commit cbc614d8e3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 49 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
scripts/util/keystore-setup
View File

@ -25,45 +25,75 @@ CSR_FILE="$5"
ALIAS="cloud" ALIAS="cloud"
LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf" LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"
if type -p logger > /dev/null; then
LOGGER_CMD="$(type -p logger) -t cloudstack-keystore-setup"
else
LOG_FILE="/var/log/cloudstack/agent/cloudstack-keystore-setup.log"
log() {
if [ "${1}" != "" ]; then
__log_line="${1}"
else
read -r __log_line
fi
echo "${__log_line}" >> "${LOG_FILE}"
echo "${__log_line}"
}
LOGGER_CMD=log
fi
$LOGGER_CMD "$(date) - starting keystore-setup"
# Re-use existing password or use the one provided # Re-use existing password or use the one provided
if [ -f "$PROPS_FILE" ]; then if [ -f "$PROPS_FILE" ]; then
OLD_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null) $LOGGER_CMD "Previous props file exists, trying to extract password"
if [ ! -z "${OLD_PASS// }" ]; then OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" | sed 's/^keystore.passphrase=//g')
if [ -n "${OLD_PASS// }" ]; then
KS_PASS="$OLD_PASS" KS_PASS="$OLD_PASS"
$LOGGER_CMD "Password extraction successful"
else else
sed -i "/keystore.passphrase.*/d" $PROPS_FILE 2> /dev/null || true sed -i "/^keystore.passphrase.*/d" "$PROPS_FILE" 2>&1 | $LOGGER_CMD || true
echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE echo "keystore.passphrase=$KS_PASS" >> "$PROPS_FILE"
if [ $? != 0 ]; then
$LOGGER_CMD "Could not add new password to agent.properties"
else
$LOGGER_CMD "New keystore password set"
fi
fi fi
fi fi
if [ -f "$KS_FILE" ]; then if [ -f "$KS_FILE" ]; then
keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true $LOGGER_CMD "keystore file exists. Deleting current entries"
keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>&1 | $LOGGER_CMD
[ $? -ne 0 ] && $LOGGER_CMD "Failed to delete current entries"
fi fi
$LOGGER_CMD "Generating new key"
CN=$(hostname --fqdn) CN=$(hostname --fqdn)
keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" > /dev/null 2>&1 keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" 2>&1 | $LOGGER_CMD
# Generate CSR # Generate CSR
rm -f "$CSR_FILE" $LOGGER_CMD "Generating CSR"
[ -f "$CSR_FILE" ] && rm -f "$CSR_FILE"
addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',') addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',')
keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" > /dev/null 2>&1 $LOGGER_CMD "Found following SAN addresses to add to CSR: ${addresses}"
keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
if [ $? -ne 0 ];then if [ $? -ne 0 ];then
echo "Failed to generate CSR file, retrying after removing existing settings" $LOGGER_CMD "Failed to generate CSR file, retrying after removing existing settings"
if [ -f "$LIBVIRTD_FILE" ]; then if [ -f "$LIBVIRTD_FILE" ]; then
echo "Reverting libvirtd to not listen on TLS" $LOGGER_CMD "Reverting libvirtd to not listen on TLS"
sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
systemctl restart libvirtd systemctl restart libvirtd
fi fi
echo "Removing cloud.* files in /etc/cloudstack/agent" $LOGGER_CMD "Removing cloud.* files in /etc/cloudstack/agent"
rm -f /etc/cloudstack/agent/cloud.* rm -f /etc/cloudstack/agent/cloud.* || $LOGGER_CMD "Could not remove /etc/cloudstack/agent/cloud.*"
echo "Retrying to generate CSR file" $LOGGER_CMD "Retrying to generate CSR file"
keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >/dev/null 2>&1 keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
if [ $? -ne 0 ];then if [ $? -ne 0 ];then
echo "Failed to generate CSR file while retrying" $LOGGER_CMD "Failed to generate CSR file while retrying"
exit 1 exit 1
fi fi
fi fi
@ -71,6 +101,6 @@ fi
cat "$CSR_FILE" cat "$CSR_FILE"
# Fix file permissions # Fix file permissions
chmod 600 $KS_FILE chmod 600 "$KS_FILE" || $LOGGER_CMD "Cannot chmod $KS_FILE"
chmod 600 $PROPS_FILE chmod 600 "$PROPS_FILE" || $LOGGER_CMD "Cannot chmod $PROPS_FILE"
chmod 600 $CSR_FILE chmod 600 "$CSR_FILE" || $LOGGER_CMD "Cannot chmod $CSR_FILE"