#!/bin/bash # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. PROPS_FILE="$1" KS_PASS="$2" KS_FILE="$3" MODE="$4" CERT_FILE="$5" CERT=$(echo "$6" | tr '^' '\n' | tr '~' ' ') CACERT_FILE="$7" CACERT=$(echo "$8" | tr '^' '\n' | tr '~' ' ') PRIVKEY_FILE="$9" PRIVKEY=$(echo "${10}" | tr '^' '\n' | tr '~' ' ') ALIAS="cloud" SYSTEM_FILE="/var/cache/cloud/cmdline" LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf" if [ ! -f "$LIBVIRTD_FILE" ]; then # Re-use existing password or use the one provided while [ ! -d /usr/local/cloud/systemvm/conf ]; do sleep 1; done if [ -f "$PROPS_FILE" ]; then OLD_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null) if [ ! -z "${OLD_PASS// }" ]; then KS_PASS="$OLD_PASS" else sed -i "/keystore.passphrase.*/d" $PROPS_FILE 2> /dev/null || true echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE fi fi fi # Find keystore password KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null) if [ -z "${KS_PASS// }" ]; then echo "Failed to find keystore passphrase from file: $PROPS_FILE, quitting!" exit 1 fi # Import certificate if [ ! -z "${CERT// }" ]; then echo "$CERT" > "$CERT_FILE" elif [ ! -f "$CERT_FILE" ]; then echo "Cannot find certificate file: $CERT_FILE, exiting" exit fi # Import ca certs if [ ! -z "${CACERT// }" ]; then echo "$CACERT" > "$CACERT_FILE" elif [ ! -f "$CACERT_FILE" ]; then echo "Cannot find ca certificate file: $CACERT_FILE, exiting!" exit fi # Import cacerts into the keystore awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE" for caChain in $(ls cloudca.*); do keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1 done rm -f cloudca.* # Stop cloud service in systemvm if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then systemctl stop cloud > /dev/null 2>&1 fi # Import private key if available if [ ! -z "${PRIVKEY// }" ]; then echo "$PRIVKEY" > "$PRIVKEY_FILE" else > "$PRIVKEY_FILE" fi if [ -f "$PRIVKEY_FILE" ] && [ -s "$PRIVKEY_FILE" ]; then # Re-initialize keystore when private key is provided keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null || true openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1 keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1 else # Import certificate into the keystore keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 || true # Export private key from keystore rm -f "$PRIVKEY_FILE" keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1 openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null | openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1 fi rm -f "$KS_FILE.p12" # Secure libvirtd on cert import if [ -f "$LIBVIRTD_FILE" ]; then mkdir -p /etc/pki/CA mkdir -p /etc/pki/libvirt/private ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem # VNC TLS directory and certificates mkdir -p /etc/pki/libvirt-vnc ln -sf /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem cloudstack-setup-agent -s > /dev/null QEMU_GROUP=$(sed -n 's/^group\s*=//p' /etc/libvirt/qemu.conf | tr -d '"' | tr -d ' ' | tr -d "'" | tail -n1) if [ ! -z "${QEMU_GROUP// }" ]; then chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem fi fi # Update ca-certs if we're in systemvm if [ -f "$SYSTEM_FILE" ]; then mkdir -p /usr/local/share/ca-certificates/cloudstack cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt chmod 755 /usr/local/share/ca-certificates/cloudstack chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt update-ca-certificates > /dev/null 2>&1 || true # Ensure cloud service is running in systemvm if [ "$MODE" == "ssh" ]; then systemctl start cloud > /dev/null 2>&1 fi fi # Fix file permission chmod 750 $CACERT_FILE chmod 750 $CERT_FILE chmod 750 $PRIVKEY_FILE