mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
107 lines
4.1 KiB
Bash
Executable File
107 lines
4.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
PROPS_FILE="$1"
|
|
KS_FILE="$2"
|
|
KS_PASS="$3"
|
|
KS_VALIDITY="$4"
|
|
CSR_FILE="$5"
|
|
|
|
ALIAS="cloud"
|
|
LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"
|
|
|
|
if type -p logger > /dev/null; then
|
|
LOGGER_CMD="$(type -p logger) -t cloudstack-keystore-setup"
|
|
else
|
|
LOG_FILE="/var/log/cloudstack/agent/cloudstack-keystore-setup.log"
|
|
log() {
|
|
if [ "${1}" != "" ]; then
|
|
__log_line="${1}"
|
|
else
|
|
read -r __log_line
|
|
fi
|
|
|
|
echo "${__log_line}" >> "${LOG_FILE}"
|
|
echo "${__log_line}"
|
|
}
|
|
LOGGER_CMD=log
|
|
fi
|
|
|
|
$LOGGER_CMD "$(date) - starting keystore-setup"
|
|
|
|
# Re-use existing password or use the one provided
|
|
if [ -f "$PROPS_FILE" ]; then
|
|
$LOGGER_CMD "Previous props file exists, trying to extract password"
|
|
OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" | sed 's/^keystore.passphrase=//g')
|
|
if [ -n "${OLD_PASS// }" ]; then
|
|
KS_PASS="$OLD_PASS"
|
|
$LOGGER_CMD "Password extraction successful"
|
|
else
|
|
sed -i "/^keystore.passphrase.*/d" "$PROPS_FILE" 2>&1 | $LOGGER_CMD || true
|
|
echo "keystore.passphrase=$KS_PASS" >> "$PROPS_FILE"
|
|
if [ $? != 0 ]; then
|
|
$LOGGER_CMD "Could not add new password to agent.properties"
|
|
else
|
|
$LOGGER_CMD "New keystore password set"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if [ -f "$KS_FILE" ]; then
|
|
$LOGGER_CMD "keystore file exists. Deleting current entries"
|
|
keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>&1 | $LOGGER_CMD
|
|
[ $? -ne 0 ] && $LOGGER_CMD "Failed to delete current entries"
|
|
fi
|
|
|
|
$LOGGER_CMD "Generating new key"
|
|
CN=$(hostname --fqdn)
|
|
keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" 2>&1 | $LOGGER_CMD
|
|
|
|
# Generate CSR
|
|
$LOGGER_CMD "Generating CSR"
|
|
[ -f "$CSR_FILE" ] && rm -f "$CSR_FILE"
|
|
addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',')
|
|
$LOGGER_CMD "Found following SAN addresses to add to CSR: ${addresses}"
|
|
keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
|
|
if [ $? -ne 0 ];then
|
|
$LOGGER_CMD "Failed to generate CSR file, retrying after removing existing settings"
|
|
|
|
if [ -f "$LIBVIRTD_FILE" ]; then
|
|
$LOGGER_CMD "Reverting libvirtd to not listen on TLS"
|
|
sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
|
|
systemctl restart libvirtd
|
|
fi
|
|
|
|
$LOGGER_CMD "Removing cloud.* files in /etc/cloudstack/agent"
|
|
rm -f /etc/cloudstack/agent/cloud.* || $LOGGER_CMD "Could not remove /etc/cloudstack/agent/cloud.*"
|
|
|
|
$LOGGER_CMD "Retrying to generate CSR file"
|
|
keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
|
|
if [ $? -ne 0 ];then
|
|
$LOGGER_CMD "Failed to generate CSR file while retrying"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
cat "$CSR_FILE"
|
|
|
|
# Fix file permissions
|
|
chmod 600 "$KS_FILE" || $LOGGER_CMD "Cannot chmod $KS_FILE"
|
|
chmod 600 "$PROPS_FILE" || $LOGGER_CMD "Cannot chmod $PROPS_FILE"
|
|
chmod 600 "$CSR_FILE" || $LOGGER_CMD "Cannot chmod $CSR_FILE"
|