Merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat into lp:ubuntu/oneiric/eucalyptus
- Oneiric (11.10)
- fix-sslv3-compat
- Merge into oneiric
Proposed by
James Page
Status: | Merged |
---|---|
Merged at revision: | 182 |
Proposed branch: | lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat |
Merge into: | lp:ubuntu/oneiric/eucalyptus |
Diff against target: |
2347 lines (+2232/-2) 14 files modified
.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in (+1555/-0) .pc/30-clock_drift.patch/tools/client-policy-template.xml (+73/-0) .pc/30-clock_drift.patch/tools/service-policy-template.xml (+67/-0) .pc/30-clock_drift.patch/util/euca_axis.c (+459/-0) .pc/applied-patches (+2/-0) debian/changelog (+13/-0) debian/eucalyptus-cloud.upstart (+1/-0) debian/patches/29-euca_conf-sslv3.patch (+18/-0) debian/patches/30-clock_drift.patch (+38/-0) debian/patches/series (+2/-0) tools/client-policy-template.xml (+1/-0) tools/euca_conf.in (+1/-1) tools/service-policy-template.xml (+1/-0) util/euca_axis.c (+1/-1) |
To merge this branch: | bzr merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu branches | Pending | ||
Review via email: mp+76258@code.launchpad.net |
Commit message
Description of the change
To post a comment you must log in.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | === added directory '.pc/29-euca_conf-sslv3.patch' | |||
2 | === added directory '.pc/29-euca_conf-sslv3.patch/tools' | |||
3 | === added file '.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in' | |||
4 | --- .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 1970-01-01 00:00:00 +0000 | |||
5 | +++ .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 2011-09-21 09:10:44 +0000 | |||
6 | @@ -0,0 +1,1555 @@ | |||
7 | 1 | #!/bin/bash | ||
8 | 2 | #Copyright (c) 2009 Eucalyptus Systems, Inc. | ||
9 | 3 | # | ||
10 | 4 | #This program is free software: you can redistribute it and/or modify | ||
11 | 5 | #it under the terms of the GNU General Public License as published by | ||
12 | 6 | #the Free Software Foundation, only version 3 of the License. | ||
13 | 7 | # | ||
14 | 8 | #This file is distributed in the hope that it will be useful, but WITHOUT | ||
15 | 9 | #ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
16 | 10 | #FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | ||
17 | 11 | #for more details. | ||
18 | 12 | # | ||
19 | 13 | #You should have received a copy of the GNU General Public License along | ||
20 | 14 | #with this program. If not, see <http://www.gnu.org/licenses/>. | ||
21 | 15 | # | ||
22 | 16 | #Please contact Eucalyptus Systems, Inc., 130 Castilian | ||
23 | 17 | #Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/> | ||
24 | 18 | #if you need additional information or have any questions. | ||
25 | 19 | # | ||
26 | 20 | #This file may incorporate work covered under the following copyright and | ||
27 | 21 | #permission notice: | ||
28 | 22 | # | ||
29 | 23 | # Software License Agreement (BSD License) | ||
30 | 24 | # | ||
31 | 25 | # Copyright (c) 2008, Regents of the University of California | ||
32 | 26 | # | ||
33 | 27 | # | ||
34 | 28 | # Redistribution and use of this software in source and binary forms, with | ||
35 | 29 | # or without modification, are permitted provided that the following | ||
36 | 30 | # conditions are met: | ||
37 | 31 | # | ||
38 | 32 | # Redistributions of source code must retain the above copyright notice, | ||
39 | 33 | # this list of conditions and the following disclaimer. | ||
40 | 34 | # | ||
41 | 35 | # Redistributions in binary form must reproduce the above copyright | ||
42 | 36 | # notice, this list of conditions and the following disclaimer in the | ||
43 | 37 | # documentation and/or other materials provided with the distribution. | ||
44 | 38 | # | ||
45 | 39 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS | ||
46 | 40 | # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | ||
47 | 41 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A | ||
48 | 42 | # PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER | ||
49 | 43 | # OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | ||
50 | 44 | # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | ||
51 | 45 | # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | ||
52 | 46 | # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
53 | 47 | # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
54 | 48 | # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
55 | 49 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF | ||
56 | 50 | # THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE | ||
57 | 51 | # LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS | ||
58 | 52 | # SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING | ||
59 | 53 | # IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA | ||
60 | 54 | # BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN | ||
61 | 55 | # THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT | ||
62 | 56 | # OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR | ||
63 | 57 | # WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH | ||
64 | 58 | # ANY SUCH LICENSES OR RIGHTS. | ||
65 | 59 | # | ||
66 | 60 | # | ||
67 | 61 | #FAKEREG="yes" | ||
68 | 62 | |||
69 | 63 | FILE="@prefix@/etc/eucalyptus/eucalyptus.local.conf" | ||
70 | 64 | DEFAULTS_FILE="@prefix@/etc/eucalyptus/eucalyptus.conf" | ||
71 | 65 | IMPORTFILE="" | ||
72 | 66 | EUCALYPTUS="" | ||
73 | 67 | CC_PORT="" | ||
74 | 68 | NC_PORT="" | ||
75 | 69 | CLOUD_PORT="" | ||
76 | 70 | CLOUD_SSL_PORT="" | ||
77 | 71 | NAME="" | ||
78 | 72 | INSTANCE="" | ||
79 | 73 | EUCA_USER="" | ||
80 | 74 | HYPERVISOR="" | ||
81 | 75 | DHCPD="" | ||
82 | 76 | DHCP_USER="" | ||
83 | 77 | BRIDGE="" | ||
84 | 78 | NEWNODES="" | ||
85 | 79 | NODEMODE="" | ||
86 | 80 | WALRUS_MODE="" | ||
87 | 81 | SYNC="" | ||
88 | 82 | WALRUS="" | ||
89 | 83 | WALRUS_MODE="" | ||
90 | 84 | CLUSNAME="" | ||
91 | 85 | NEWCLUS="" | ||
92 | 86 | CLUSMODE="" | ||
93 | 87 | UPGRADE_CONF="" | ||
94 | 88 | SETUP="" | ||
95 | 89 | VERSION="" | ||
96 | 90 | CHECK="" | ||
97 | 91 | TOSYNC="" | ||
98 | 92 | TO_BACKUP="Y" | ||
99 | 93 | CREDENTIALZIPFILE="" | ||
100 | 94 | SCP="`which scp 2> /dev/null`" | ||
101 | 95 | SCP_OPT="" | ||
102 | 96 | RSYNC="`which rsync 2> /dev/null`" | ||
103 | 97 | LOCALSYNC="N" | ||
104 | 98 | WGET="`which wget 2> /dev/null`" | ||
105 | 99 | VERBOSE="N" | ||
106 | 100 | LIST="" | ||
107 | 101 | ENABLED="" | ||
108 | 102 | DISABLED="" | ||
109 | 103 | TO_START="" | ||
110 | 104 | |||
111 | 105 | |||
112 | 106 | usage () { | ||
113 | 107 | echo "$0 [options] [<file>]" | ||
114 | 108 | echo | ||
115 | 109 | echo "where <file> is the configuration file ($FILE by default)" | ||
116 | 110 | echo " --help this message" | ||
117 | 111 | echo " -d <dir> point EUCALYPTUS to <dir>" | ||
118 | 112 | echo " --no-rsync don't use rsync" | ||
119 | 113 | echo " --no-scp don't use scp" | ||
120 | 114 | echo " --skip-scp-hostcheck skip scp interactive host keycheck" | ||
121 | 115 | echo " --local-sync force local key sync" | ||
122 | 116 | echo " --get-credentials <zipfile> download credentials to <zipfile>" | ||
123 | 117 | echo " --register-nodes \"host host ...\" add new nodes to EUCALYPTUS" | ||
124 | 118 | echo " --discover-nodes find and add nodes on local network" | ||
125 | 119 | echo " --deregister-nodes \"host host ...\" remove nodes from EUCALYPTUS" | ||
126 | 120 | echo " --register-cluster <clustername> <host> add new cluster to EUCALYPTUS" | ||
127 | 121 | echo " --deregister-cluster <clustername> remove cluster from EUCALYPTUS" | ||
128 | 122 | echo " --register-walrus <host> add walrus to EUCALYPTUS" | ||
129 | 123 | echo " --deregister-walrus <host> remove walrus from EUCALYPTUS" | ||
130 | 124 | echo " --register-sc <clustername> <host> add storage controller" | ||
131 | 125 | echo " --deregister-sc <clustername> remove storage controller from EUCALYPTUS" | ||
132 | 126 | echo " --list-walruses list registered walrus(es)" | ||
133 | 127 | echo " --list-clusters list registered CCs" | ||
134 | 128 | echo " --list-nodes list registered NCs" | ||
135 | 129 | echo " --list-scs list registered SCs" | ||
136 | 130 | echo " --no-sync used only with --register-* to skip syncing keys" | ||
137 | 131 | echo " --cc-port <port> set CC port" | ||
138 | 132 | echo " --nc-port <port> set NC port" | ||
139 | 133 | echo " --instances <path> set the INSTANCE path" | ||
140 | 134 | # echo " --cloud-port <port1> <port2> set the 2 cloud ports" | ||
141 | 135 | echo " --hypervisor <kvm|xen> set hypervisor to use" | ||
142 | 136 | echo " --user <euca_user> set the user to use" | ||
143 | 137 | echo " --dhcpd <dhcpd> set the dhcpd binary to <name>" | ||
144 | 138 | echo " --dhcp_user <user> set the username to run dhcpd as" | ||
145 | 139 | echo " --name <var> returns the value or <name>" | ||
146 | 140 | echo " --import-conf <file> import variables from <file> into $FILE" | ||
147 | 141 | echo " --setup perform initial setup" | ||
148 | 142 | echo " --enable {cloud|walrus|sc} enable service at next start" | ||
149 | 143 | echo " --disable {cloud|walrus|sc} disable service at next start" | ||
150 | 144 | echo " --check {nc|cc|cloud|sc|walrus} pre-flight checks" | ||
151 | 145 | # echo " --sync {nc|cc|cloud|sc|walrus} pre-flight checks" | ||
152 | 146 | echo " --version eucalyptus version" | ||
153 | 147 | echo | ||
154 | 148 | } | ||
155 | 149 | |||
156 | 150 | # utility function to make a copy of the conf file | ||
157 | 151 | check_and_backup () { | ||
158 | 152 | # can we write to the configuration file? | ||
159 | 153 | if [ ! -w $1 ]; then | ||
160 | 154 | echo "Cannot write to $1!" | ||
161 | 155 | exit 1 | ||
162 | 156 | fi | ||
163 | 157 | |||
164 | 158 | # let's see if we need a copy | ||
165 | 159 | if [ "$TO_BACKUP" = "Y" ]; then | ||
166 | 160 | cp $1 $1.bak | ||
167 | 161 | TO_BACKUP="N" | ||
168 | 162 | fi | ||
169 | 163 | } | ||
170 | 164 | |||
171 | 165 | # 3 paramenter: the file, the variable name, the new value | ||
172 | 166 | change_var_value () { | ||
173 | 167 | check_and_backup $1 | ||
174 | 168 | sed -i "s<^[[:blank:]#]*\(${2}\).*<\1=\"${3}\"<" $1 | ||
175 | 169 | } | ||
176 | 170 | # comment lines matching $2 ($1 is the file) | ||
177 | 171 | comment () { | ||
178 | 172 | check_and_backup $1 | ||
179 | 173 | sed -i "s<^[[:blank:]]*\(${2}.*\)<#\1<" $1 | ||
180 | 174 | } | ||
181 | 175 | # comment lines matching $2 ($1 is the file) | ||
182 | 176 | uncomment () { | ||
183 | 177 | check_and_backup $1 | ||
184 | 178 | sed -i "s<^[#[:blank:]]*\(${2}.*\)<\1<" $1 | ||
185 | 179 | } | ||
186 | 180 | |||
187 | 181 | check_heartbeat() { | ||
188 | 182 | local __host="$1" | ||
189 | 183 | local __service="$2" | ||
190 | 184 | local ret="" | ||
191 | 185 | |||
192 | 186 | # checks | ||
193 | 187 | if [ -z "$__host" -o -z "$__service" ]; then | ||
194 | 188 | echo "check_heartbeat: need a host and a service!" | ||
195 | 189 | return 1 | ||
196 | 190 | fi | ||
197 | 191 | if [ -z "$WGET" -o ! -x "$WGET" ]; then | ||
198 | 192 | echo "ERROR: wget is missing, cannot continue." | ||
199 | 193 | return 1 | ||
200 | 194 | fi | ||
201 | 195 | |||
202 | 196 | # let's talk to the host and check if something is running | ||
203 | 197 | ret="`$WGET -q -T 10 -t 1 -O - http://${__host}:8773/services/Heartbeat`" | ||
204 | 198 | if [ "$?" != "0" -o -z "$ret" ]; then | ||
205 | 199 | return 1 | ||
206 | 200 | fi | ||
207 | 201 | |||
208 | 202 | # we need both ehabled and local to be true | ||
209 | 203 | if ! echo $ret |grep "enabled=true" > /dev/null ; then | ||
210 | 204 | return 1 | ||
211 | 205 | elif ! echo $ret |grep "local=true" > /dev/null ; then | ||
212 | 206 | return 1 | ||
213 | 207 | fi | ||
214 | 208 | |||
215 | 209 | return 0 | ||
216 | 210 | } | ||
217 | 211 | |||
218 | 212 | check_ws() { | ||
219 | 213 | local URL="$1" | ||
220 | 214 | local ret="" | ||
221 | 215 | local soap_error="" | ||
222 | 216 | |||
223 | 217 | if [ -z "$URL" ]; then | ||
224 | 218 | echo "check_ws: need a URL!" | ||
225 | 219 | return 1 | ||
226 | 220 | fi | ||
227 | 221 | |||
228 | 222 | if [ -n "${FAKEREG}" ]; then | ||
229 | 223 | ret="" | ||
230 | 224 | elif [ "$2" != "" ]; then | ||
231 | 225 | if [ "$VERBOSE" = "Y" ]; then | ||
232 | 226 | echo "$WGET -q -T 10 -t 1 -O - \"$URL\"" "|sed 's/<euca:registered>\\(.*\\)<\\/euca:registered>/\\n\\1\\n/g;s/<euca:name>/\\n>/g;s/<\\/*euca:item>//g;s/<\\/*euca:[^>]*>/ /g'|awk -F\">\" '/>/{print \" \"$2}')" | ||
233 | 227 | fi | ||
234 | 228 | E=$($WGET -q -T 10 -t 1 -O - "$URL"|\ | ||
235 | 229 | sed 's/<euca:registered>\(.*\)<\/euca:registered>/\n\1\n/g;s/<euca:name>/\n>/g;s/<\/*euca:item>//g;s/<\/*euca:[^>]*>/ /g'|\ | ||
236 | 230 | awk -F">" '/>/{print " "$2}') | ||
237 | 231 | eval "$2=\"${E}\"" | ||
238 | 232 | else | ||
239 | 233 | if [ "$VERBOSE" = "Y" ]; then | ||
240 | 234 | echo "$WGET -q -T 10 -t 1 -O - \"$URL\" |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'" | ||
241 | 235 | fi | ||
242 | 236 | soap_error="`$WGET -q -T 10 -t 1 -O - \"$URL\"`" | ||
243 | 237 | ret="$?" | ||
244 | 238 | soap_error="`echo $soap_error |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'`" | ||
245 | 239 | if test -n "$soap_error" ; then | ||
246 | 240 | echo $soap_error | ||
247 | 241 | ret="1" | ||
248 | 242 | fi | ||
249 | 243 | fi | ||
250 | 244 | return $ret | ||
251 | 245 | } | ||
252 | 246 | |||
253 | 247 | component_sync_keys() { | ||
254 | 248 | local COMPONENT="" | ||
255 | 249 | local NAME="" | ||
256 | 250 | |||
257 | 251 | if [ "$SYNC" = "N" ]; then | ||
258 | 252 | return 0 | ||
259 | 253 | fi | ||
260 | 254 | |||
261 | 255 | if [ $# -lt 1 ]; then | ||
262 | 256 | return 1 | ||
263 | 257 | fi | ||
264 | 258 | |||
265 | 259 | COMPONENT="$1" | ||
266 | 260 | shift | ||
267 | 261 | NAME="$2" | ||
268 | 262 | shift | ||
269 | 263 | |||
270 | 264 | if [ "$COMPONENT" = "walrus" ]; then | ||
271 | 265 | echo "syncing walrus" | ||
272 | 266 | elif [ "$COMPONENT" = "cc" ]; then | ||
273 | 267 | echo "syncing cc($NAME)" | ||
274 | 268 | elif [ "$COMPONENT" = "sc" ]; then | ||
275 | 269 | echo "syncing sc($NAME)" | ||
276 | 270 | elif [ "$COMPONENT" = "nc" ]; then | ||
277 | 271 | echo "syncing nc" | ||
278 | 272 | fi | ||
279 | 273 | |||
280 | 274 | |||
281 | 275 | } | ||
282 | 276 | |||
283 | 277 | # copy files over. | ||
284 | 278 | sync_keys() { | ||
285 | 279 | local DESTDIR="" | ||
286 | 280 | local REMOTE="" | ||
287 | 281 | local FILES="" | ||
288 | 282 | local FILE="" | ||
289 | 283 | |||
290 | 284 | if [ "$SYNC" = "N" ]; then | ||
291 | 285 | return 0 | ||
292 | 286 | fi | ||
293 | 287 | |||
294 | 288 | if [ $# -lt 4 ]; then | ||
295 | 289 | return 1 | ||
296 | 290 | fi | ||
297 | 291 | |||
298 | 292 | SOURCEDIRS="$1" | ||
299 | 293 | shift | ||
300 | 294 | DESTDIR="$1" | ||
301 | 295 | shift | ||
302 | 296 | REMOTE="$1" | ||
303 | 297 | shift | ||
304 | 298 | while [ $# -ge 1 ]; do | ||
305 | 299 | FILE="" | ||
306 | 300 | for sd in `echo $SOURCEDIRS | sed "s/,/ /g"` | ||
307 | 301 | do | ||
308 | 302 | if [ -e "${sd}/${1}" ]; then | ||
309 | 303 | FILE="${sd}/${1}" | ||
310 | 304 | fi | ||
311 | 305 | done | ||
312 | 306 | if [ "$FILE" = "" ]; then | ||
313 | 307 | echo "Warning: cannot file file ${1} in ${SOURCEDIRS}" | ||
314 | 308 | else | ||
315 | 309 | FILES="$FILES $FILE" | ||
316 | 310 | fi | ||
317 | 311 | |||
318 | 312 | shift | ||
319 | 313 | done | ||
320 | 314 | |||
321 | 315 | # is REMOTE actually localhost? | ||
322 | 316 | if [ ${LOCALSYNC} = "Y" -o ${REMOTE} = "127.0.0.1" -o ${REMOTE} = localhost -o ${REMOTE} = "`hostname -s`" -o ${REMOTE} = "`hostname -f`" ]; then | ||
323 | 317 | # machine is localhost, not need for remote syncing | ||
324 | 318 | for i in $FILES | ||
325 | 319 | do | ||
326 | 320 | if [ ! -e $i ]; then | ||
327 | 321 | echo "ERROR: cannot find cluster credentials." | ||
328 | 322 | exit 1 | ||
329 | 323 | else | ||
330 | 324 | if ! $RSYNC -a $i $DESTDIR ; then | ||
331 | 325 | echo "ERROR: cannot copy file (${i}) to destination (${DESTDIR})" | ||
332 | 326 | return 1 | ||
333 | 327 | fi | ||
334 | 328 | fi | ||
335 | 329 | done | ||
336 | 330 | return 0 | ||
337 | 331 | fi | ||
338 | 332 | |||
339 | 333 | # try rsync first | ||
340 | 334 | if [ -n "$RSYNC" ]; then | ||
341 | 335 | echo | ||
342 | 336 | echo -n "Trying rsync to sync keys with \"${REMOTE}\"..." | ||
343 | 337 | [ -z "${RSYNC_RSH}" ] && RSYNC_RSH="ssh" | ||
344 | 338 | if sudo -u ${EUCA_USER} ${RSYNC} --rsh "${RSYNC_RSH}" -az ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR}/ > /dev/null ; then | ||
345 | 339 | echo "done." | ||
346 | 340 | return 0 | ||
347 | 341 | else | ||
348 | 342 | echo "failed." | ||
349 | 343 | fi | ||
350 | 344 | fi | ||
351 | 345 | |||
352 | 346 | # scp next | ||
353 | 347 | if [ -n "$SCP" ]; then | ||
354 | 348 | echo | ||
355 | 349 | if [ "$EUCA_USER" = "" ]; then | ||
356 | 350 | if getent passwd eucalyptus > /dev/null ; then | ||
357 | 351 | echo "Using 'eucalyptus' as EUCA_USER" | ||
358 | 352 | EUCA_USER="eucalyptus" | ||
359 | 353 | else | ||
360 | 354 | echo "EUCA_USER is not defined!" | ||
361 | 355 | return 1 | ||
362 | 356 | fi | ||
363 | 357 | fi | ||
364 | 358 | echo | ||
365 | 359 | echo "Trying scp to sync keys to: ${EUCA_USER}@${REMOTE}:${DESTDIR}..." | ||
366 | 360 | if [ "$EUID" = `getent passwd $EUCA_USER | cut -f3 -d:` ]; then | ||
367 | 361 | $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null | ||
368 | 362 | else | ||
369 | 363 | sudo -u ${EUCA_USER} $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null | ||
370 | 364 | fi | ||
371 | 365 | if [ "$?" = "0" ]; then | ||
372 | 366 | echo "done." | ||
373 | 367 | return 0 | ||
374 | 368 | else | ||
375 | 369 | echo "failed." | ||
376 | 370 | fi | ||
377 | 371 | fi | ||
378 | 372 | |||
379 | 373 | return 1 | ||
380 | 374 | } | ||
381 | 375 | |||
382 | 376 | xsearch() { | ||
383 | 377 | local needle="$1" i="" haystack=" " | ||
384 | 378 | shift | ||
385 | 379 | for i in "$@"; do | ||
386 | 380 | haystack="${haystack}$(printf "%s" "$i" | tr '\n' ' ') " | ||
387 | 381 | done | ||
388 | 382 | [ "${haystack#* ${needle} }" != "${haystack}" ] | ||
389 | 383 | } | ||
390 | 384 | |||
391 | 385 | if [ $# -eq 0 ]; then | ||
392 | 386 | usage | ||
393 | 387 | exit 1 | ||
394 | 388 | fi | ||
395 | 389 | |||
396 | 390 | # let's parse the command line | ||
397 | 391 | while [ $# -gt 0 ]; do | ||
398 | 392 | if [ "$1" = "-h" -o "$1" = "-help" -o "$1" = "?" -o "$1" = "--help" ]; then | ||
399 | 393 | usage | ||
400 | 394 | exit 1 | ||
401 | 395 | fi | ||
402 | 396 | |||
403 | 397 | if [ "$1" = "-synckeys" -o "$1" = "-synckey" ]; then | ||
404 | 398 | NODEMODE="SYNC" | ||
405 | 399 | shift | ||
406 | 400 | continue | ||
407 | 401 | fi | ||
408 | 402 | if [ "$1" = "-norsync" -o "$1" = "--no-rsync" ]; then | ||
409 | 403 | RSYNC="" | ||
410 | 404 | shift | ||
411 | 405 | continue | ||
412 | 406 | fi | ||
413 | 407 | if [ "$1" = "--local-sync" ]; then | ||
414 | 408 | LOCALSYNC="Y" | ||
415 | 409 | shift | ||
416 | 410 | continue | ||
417 | 411 | fi | ||
418 | 412 | if [ "$1" = "--list-scs" ]; then | ||
419 | 413 | LIST="$LIST storages" | ||
420 | 414 | shift | ||
421 | 415 | continue | ||
422 | 416 | fi | ||
423 | 417 | if [ "$1" = "--list-walruses" ]; then | ||
424 | 418 | LIST="$LIST walruses" | ||
425 | 419 | shift | ||
426 | 420 | continue | ||
427 | 421 | fi | ||
428 | 422 | if [ "$1" = "--list-clusters" ]; then | ||
429 | 423 | LIST="$LIST clusters" | ||
430 | 424 | shift | ||
431 | 425 | continue | ||
432 | 426 | fi | ||
433 | 427 | if [ "$1" = "--list-nodes" ]; then | ||
434 | 428 | LIST="$LIST nodes" | ||
435 | 429 | shift | ||
436 | 430 | continue | ||
437 | 431 | fi | ||
438 | 432 | if [ "$1" = "--verbose" ]; then | ||
439 | 433 | VERBOSE="Y" | ||
440 | 434 | shift | ||
441 | 435 | continue | ||
442 | 436 | fi | ||
443 | 437 | if [ "$1" = "-noscp" -o "$1" = "--no-scp" ]; then | ||
444 | 438 | SCP="" | ||
445 | 439 | shift | ||
446 | 440 | continue | ||
447 | 441 | fi | ||
448 | 442 | if [ "$1" = "--skip-scp-hostcheck" ]; then | ||
449 | 443 | SCP_OPT="-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null" | ||
450 | 444 | shift | ||
451 | 445 | continue | ||
452 | 446 | fi | ||
453 | 447 | if [ "$1" = "-version" -o "$1" = "--version" ]; then | ||
454 | 448 | VERSION="Y" | ||
455 | 449 | shift | ||
456 | 450 | continue | ||
457 | 451 | fi | ||
458 | 452 | if [ "$1" = "-setup" -o "$1" = "--setup" ]; then | ||
459 | 453 | SETUP="Y" | ||
460 | 454 | shift | ||
461 | 455 | continue | ||
462 | 456 | fi | ||
463 | 457 | if [ "$1" = "--no-sync" ]; then | ||
464 | 458 | SYNC="N" | ||
465 | 459 | shift | ||
466 | 460 | continue | ||
467 | 461 | fi | ||
468 | 462 | if [ "$1" = "--deregister-walrus" ]; then | ||
469 | 463 | WALRUS_MODE="DEL" | ||
470 | 464 | shift | ||
471 | 465 | continue | ||
472 | 466 | fi | ||
473 | 467 | if [ "$1" = "--discover-nodes" ]; then | ||
474 | 468 | NODEMODE="DISCOVER" | ||
475 | 469 | RSYNC_RSH="ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null" | ||
476 | 470 | shift | ||
477 | 471 | continue | ||
478 | 472 | fi | ||
479 | 473 | if [ $# -eq 1 ]; then | ||
480 | 474 | # we dont have options with no argument, so it has to be | ||
481 | 475 | # the file | ||
482 | 476 | FILE="$1" | ||
483 | 477 | if [ "${FILE:0:1}" = '-' ]; then | ||
484 | 478 | usage | ||
485 | 479 | exit 1 | ||
486 | 480 | fi | ||
487 | 481 | break | ||
488 | 482 | fi | ||
489 | 483 | |||
490 | 484 | # all other parameters requires at least 1 argument | ||
491 | 485 | if [ $# -lt 2 ]; then | ||
492 | 486 | usage | ||
493 | 487 | exit 1 | ||
494 | 488 | fi | ||
495 | 489 | |||
496 | 490 | # old command line options not used anylonger | ||
497 | 491 | if [ "$1" = "-cc" -o "$1" = "-nc" -o "$1" = "-cloud" ]; then | ||
498 | 492 | echo "-cc, -nc and -cloud are not used anymore" | ||
499 | 493 | shift; shift; | ||
500 | 494 | continue | ||
501 | 495 | fi | ||
502 | 496 | |||
503 | 497 | if [ "$1" = "-d" ]; then | ||
504 | 498 | if [ ! -d "${2}" ]; then | ||
505 | 499 | echo "Is $2 where Eucalyptus is installed?" | ||
506 | 500 | exit 1 | ||
507 | 501 | fi | ||
508 | 502 | EUCALYPTUS="${2}" | ||
509 | 503 | shift; shift | ||
510 | 504 | continue | ||
511 | 505 | fi | ||
512 | 506 | if [ "$1" = "-name" -o "$1" = "--name" ]; then | ||
513 | 507 | NAME="$NAME $2" | ||
514 | 508 | shift; shift | ||
515 | 509 | continue | ||
516 | 510 | fi | ||
517 | 511 | if [ "$1" = "-bridge" ]; then | ||
518 | 512 | BRIDGE="$2" | ||
519 | 513 | shift; shift | ||
520 | 514 | continue | ||
521 | 515 | fi | ||
522 | 516 | if [ "$1" = "-upgrade-conf" -o "$1" = "--upgrade-conf" ]; then | ||
523 | 517 | # hidden options to upgrade from an older version | ||
524 | 518 | UPGRADE_CONF="$2" | ||
525 | 519 | if [ ! -e "$UPGRADE_CONF" ]; then | ||
526 | 520 | echo "Cannot read $UPGRADE_CONF" | ||
527 | 521 | exit 1 | ||
528 | 522 | fi | ||
529 | 523 | shift; shift | ||
530 | 524 | continue | ||
531 | 525 | fi | ||
532 | 526 | if [ "$1" = "-import-conf" -o "$1" = "--import-conf" ]; then | ||
533 | 527 | IMPORTFILE="$2" | ||
534 | 528 | if [ ! -e "$IMPORTFILE" ]; then | ||
535 | 529 | echo "Cannot read $IMPORTFILE" | ||
536 | 530 | exit 1 | ||
537 | 531 | fi | ||
538 | 532 | shift; shift | ||
539 | 533 | continue | ||
540 | 534 | fi | ||
541 | 535 | if [ "$1" = "-dhcpd" -o "$1" = "--dhcpd" ]; then | ||
542 | 536 | DHCPD="$2" | ||
543 | 537 | shift; shift | ||
544 | 538 | continue | ||
545 | 539 | fi | ||
546 | 540 | if [ "$1" = "-dhcp_user" -o "$1" = "--dhcp_user" ]; then | ||
547 | 541 | DHCPC_USER="$2" | ||
548 | 542 | shift; shift | ||
549 | 543 | continue | ||
550 | 544 | fi | ||
551 | 545 | if [ "$1" = "-nodes" ]; then | ||
552 | 546 | NODES="${2}" | ||
553 | 547 | shift; shift | ||
554 | 548 | continue | ||
555 | 549 | fi | ||
556 | 550 | if [ "$1" = "-ccp" -o "$1" = "--cc-port" ]; then | ||
557 | 551 | CC_PORT="$2" | ||
558 | 552 | shift; shift | ||
559 | 553 | continue | ||
560 | 554 | fi | ||
561 | 555 | if [ "$1" = "-ncp" -o "$1" = "--nc-port" ]; then | ||
562 | 556 | NC_PORT="$2" | ||
563 | 557 | shift; shift | ||
564 | 558 | continue | ||
565 | 559 | fi | ||
566 | 560 | if [ "$1" = "-instances" -o "$1" = "--instances" ]; then | ||
567 | 561 | INSTANCE="$2" | ||
568 | 562 | shift; shift | ||
569 | 563 | continue | ||
570 | 564 | fi | ||
571 | 565 | if [ "$1" = "-user" -o "$1" = "--user" ]; then | ||
572 | 566 | EUCA_USER="$2" | ||
573 | 567 | shift; shift | ||
574 | 568 | continue | ||
575 | 569 | fi | ||
576 | 570 | if [ "$1" = "-hypervisor" -o "$1" = "--hypervisor" ]; then | ||
577 | 571 | if [ "$2" != "xen" -a "$2" != "kvm" ]; then | ||
578 | 572 | echo "Only kvm or xen are supported at the moment" | ||
579 | 573 | exit 1 | ||
580 | 574 | fi | ||
581 | 575 | HYPERVISOR="$2" | ||
582 | 576 | shift; shift | ||
583 | 577 | continue | ||
584 | 578 | fi | ||
585 | 579 | if [ "$1" = "-cloudp" ]; then | ||
586 | 580 | if [ $# -lt 3 ]; then | ||
587 | 581 | echo "We need 2 ports for cloud controller" | ||
588 | 582 | exit 1 | ||
589 | 583 | fi | ||
590 | 584 | # doesn't work right now | ||
591 | 585 | # CLOUD_PORT="$2" | ||
592 | 586 | # CLOUD_SSL_PORT="$3" | ||
593 | 587 | shift; shift; shift | ||
594 | 588 | continue | ||
595 | 589 | fi | ||
596 | 590 | if [ "$1" = "--get-credentials" ]; then | ||
597 | 591 | CREDENTIALZIPFILE="${2}" | ||
598 | 592 | shift; shift; | ||
599 | 593 | continue | ||
600 | 594 | fi | ||
601 | 595 | if [ "$1" = "-addnode" -o "$1" = "--register-nodes" ]; then | ||
602 | 596 | NEWNODES="${2}" | ||
603 | 597 | NODEMODE="ADD" | ||
604 | 598 | shift; shift | ||
605 | 599 | continue | ||
606 | 600 | fi | ||
607 | 601 | if [ "$1" = "-delnode" -o "$1" = "--deregister-nodes" ]; then | ||
608 | 602 | NEWNODES="${2}" | ||
609 | 603 | NODEMODE="REM" | ||
610 | 604 | shift; shift | ||
611 | 605 | continue | ||
612 | 606 | fi | ||
613 | 607 | if [ "$1" = "--register-walrus" ]; then | ||
614 | 608 | WALRUS_MODE="ADD" | ||
615 | 609 | WALRUS="$2" | ||
616 | 610 | shift; shift | ||
617 | 611 | continue | ||
618 | 612 | fi | ||
619 | 613 | if [ "$1" = "--deregister-sc" ]; then | ||
620 | 614 | SC_MODE="DEL" | ||
621 | 615 | SCNAME="$2" | ||
622 | 616 | shift; shift | ||
623 | 617 | continue | ||
624 | 618 | fi | ||
625 | 619 | if [ "$1" = "--register-sc" ]; then | ||
626 | 620 | if [ $# -lt 3 ]; then | ||
627 | 621 | echo "--register-sc requires a CC and a hostname" | ||
628 | 622 | exit 1 | ||
629 | 623 | fi | ||
630 | 624 | SC_MODE="ADD" | ||
631 | 625 | SCNAME="$2" | ||
632 | 626 | SCHOST="$3" | ||
633 | 627 | shift; shift; shift | ||
634 | 628 | continue | ||
635 | 629 | fi | ||
636 | 630 | if [ "$1" = "-addcluster" -o "$1" = "--register-cluster" ]; then | ||
637 | 631 | if [ $# -lt 3 ]; then | ||
638 | 632 | echo "--register-cluster requires a user assigned name and CC hostname" | ||
639 | 633 | exit 1 | ||
640 | 634 | fi | ||
641 | 635 | CLUSNAME="$2" | ||
642 | 636 | NEWCLUS="$3" | ||
643 | 637 | CLUSMODE="ADD" | ||
644 | 638 | shift; shift; shift | ||
645 | 639 | continue | ||
646 | 640 | fi | ||
647 | 641 | if [ "$1" = "--deregister-cluster" ]; then | ||
648 | 642 | CLUSNAME="$2" | ||
649 | 643 | CLUSMODE="DEL" | ||
650 | 644 | shift; shift | ||
651 | 645 | continue | ||
652 | 646 | fi | ||
653 | 647 | if [ "$1" = "-check" -o "$1" = "--check" ]; then | ||
654 | 648 | if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then | ||
655 | 649 | echo "-check requires cc, nc, sc, walrus or cloud" | ||
656 | 650 | exit 1 | ||
657 | 651 | fi | ||
658 | 652 | CHECK="$2" | ||
659 | 653 | shift; shift | ||
660 | 654 | continue | ||
661 | 655 | fi | ||
662 | 656 | if [ "$1" = "--enable" ]; then | ||
663 | 657 | if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then | ||
664 | 658 | echo "--enable requires cloud, sc or walrus" | ||
665 | 659 | exit 1 | ||
666 | 660 | fi | ||
667 | 661 | ENABLED="$ENABLED $2" | ||
668 | 662 | shift; shift | ||
669 | 663 | continue | ||
670 | 664 | fi | ||
671 | 665 | if [ "$1" = "--disable" ]; then | ||
672 | 666 | if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then | ||
673 | 667 | echo "--disable requires cloud, sc or walrus" | ||
674 | 668 | exit 1 | ||
675 | 669 | fi | ||
676 | 670 | DISABLED="$DISABLED $2" | ||
677 | 671 | shift; shift | ||
678 | 672 | continue | ||
679 | 673 | fi | ||
680 | 674 | if [ "$1" = "-sync" -o "$1" = "--sync" ]; then | ||
681 | 675 | if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then | ||
682 | 676 | echo "-sync requires cc, nc, sc, walrus or cloud" | ||
683 | 677 | exit 1 | ||
684 | 678 | fi | ||
685 | 679 | TOSYNC="$2" | ||
686 | 680 | shift; shift | ||
687 | 681 | continue | ||
688 | 682 | fi | ||
689 | 683 | usage | ||
690 | 684 | exit 1 | ||
691 | 685 | done | ||
692 | 686 | |||
693 | 687 | if [ -z "${FILE}" -o ! -f "${FILE}" ]; then | ||
694 | 688 | echo "$FILE is not a valid eucalyptus configuration file" | ||
695 | 689 | exit 1 | ||
696 | 690 | fi | ||
697 | 691 | |||
698 | 692 | # if asked to print the version that's all we do | ||
699 | 693 | if [ "$VERSION" = "Y" ]; then | ||
700 | 694 | . $DEFAULTS_FILE | ||
701 | 695 | . $FILE | ||
702 | 696 | |||
703 | 697 | if [ -e $EUCALYPTUS/etc/eucalyptus/eucalyptus-version ]; then | ||
704 | 698 | VERSION="$EUCALYPTUS/etc/eucalyptus/eucalyptus-version" | ||
705 | 699 | elif [ -e @prefix@/etc/eucalyptus/eucalyptus-version ]; then | ||
706 | 700 | VERSION="@prefix@/etc/eucalyptus/eucalyptus-version" | ||
707 | 701 | fi | ||
708 | 702 | if [ -n "$VERSION" ]; then | ||
709 | 703 | echo -n "Eucalyptus version: " | ||
710 | 704 | cat $VERSION | ||
711 | 705 | else | ||
712 | 706 | echo "Cannot find eucalyptus installation!" | ||
713 | 707 | exit 1 | ||
714 | 708 | fi | ||
715 | 709 | exit 0 | ||
716 | 710 | fi | ||
717 | 711 | |||
718 | 712 | # let's change the value | ||
719 | 713 | if [ -n "$EUCALYPTUS" ]; then | ||
720 | 714 | change_var_value $FILE EUCALYPTUS "${EUCALYPTUS}" | ||
721 | 715 | fi | ||
722 | 716 | if [ -n "$CC_PORT" ]; then | ||
723 | 717 | change_var_value $FILE CC_PORT "${CC_PORT}" | ||
724 | 718 | fi | ||
725 | 719 | if [ -n "$NC_PORT" ]; then | ||
726 | 720 | change_var_value $FILE NC_PORT "${NC_PORT}" | ||
727 | 721 | fi | ||
728 | 722 | if [ -n "$CLOUD_PORT" ]; then | ||
729 | 723 | change_var_value $FILE CLOUD_PORT "${CLOUD_PORT}" | ||
730 | 724 | fi | ||
731 | 725 | if [ -n "$CLOUD_SSL_PORT" ]; then | ||
732 | 726 | change_var_value $FILE CLOUD_SSL_PORT "${CLOUD_SSL_PORT}" | ||
733 | 727 | fi | ||
734 | 728 | if [ -n "$INSTANCE" ]; then | ||
735 | 729 | change_var_value $FILE INSTANCE_PATH "${INSTANCE}" | ||
736 | 730 | fi | ||
737 | 731 | if [ -n "$DHCPD" ]; then | ||
738 | 732 | change_var_value $FILE VNET_DHCPDAEMON "${DHCPD}" | ||
739 | 733 | fi | ||
740 | 734 | if [ -n "$DHCPC_USER" ]; then | ||
741 | 735 | change_var_value $FILE VNET_DHCPUSER "${DHCPC_USER}" | ||
742 | 736 | uncomment $FILE VNET_DHCPUSER | ||
743 | 737 | fi | ||
744 | 738 | if [ -n "$NODES" ]; then | ||
745 | 739 | change_var_value $FILE NODES "${NODES}" | ||
746 | 740 | fi | ||
747 | 741 | if [ -n "$HYPERVISOR" ]; then | ||
748 | 742 | change_var_value $FILE HYPERVISOR "${HYPERVISOR}" | ||
749 | 743 | uncomment $FILE HYPERVISOR | ||
750 | 744 | fi | ||
751 | 745 | if [ -n "$BRIDGE" ]; then | ||
752 | 746 | change_var_value $FILE VNET_BRIDGE "${BRIDGE}" | ||
753 | 747 | uncomment $FILE VNET_BRIDGE | ||
754 | 748 | fi | ||
755 | 749 | if [ -n "$EUCA_USER" ]; then | ||
756 | 750 | ID="`which id 2> /dev/null`" | ||
757 | 751 | if [ -n "$ID" ]; then | ||
758 | 752 | if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then | ||
759 | 753 | echo "WARNING: $EUCA_USER doesn't exists!" | ||
760 | 754 | fi | ||
761 | 755 | fi | ||
762 | 756 | change_var_value $FILE EUCA_USER "${EUCA_USER}" | ||
763 | 757 | fi | ||
764 | 758 | for x in $NAME ; do | ||
765 | 759 | VALUE=`cat $FILE |grep $x|cut -f 2 -d =|tr '"' ' '` | ||
766 | 760 | echo "$x=$VALUE" | ||
767 | 761 | done | ||
768 | 762 | |||
769 | 763 | # modify the current conf file based on an older configuration, or from import file | ||
770 | 764 | if [ -n "$UPGRADE_CONF" -o -n "$IMPORTFILE" ]; then | ||
771 | 765 | VARS="EUCA_USER ENABLE_WS_SECURITY DISABLE_EBS HYPERVISOR LOGLEVEL SWAP_SIZE CC_PORT MANUAL_INSTANCES_CLEANUP NC_CACHE_SIZE SCHEDPOLICY NODES NC_SERVICE NC_PORT MAX_MEM MAX_CORES INSTANCE_PATH VNET_BRIDGE VNET_DHCPDAEMON VNET_DHCPUSER VNET_PRIVINTERFACE VNET_PUBINTERFACE VNET_INTERFACE DISABLE_TUNNELING DISABLE_DNS POWER_IDLETHRESH POWER_WAKETHRESH CONCURRENT_DISK_OPS" | ||
772 | 766 | VNET_VARS="VNET_MODE VNET_SUBNET VNET_NETMASK VNET_DNS VNET_ADDRSPERNET VNET_PUBLICIPS VNET_BROADCAST VNET_ROUTER VNET_MACMAP VNET_CLOUDIP VNET_LOCALIP" | ||
773 | 767 | |||
774 | 768 | if [ -n "$UPGRADE_CONF" ]; then | ||
775 | 769 | # source the old config | ||
776 | 770 | VARS_TO_DO=$VARS | ||
777 | 771 | VNET_VARS_TO_DO=$VNET_VARS | ||
778 | 772 | . $UPGRADE_CONF | ||
779 | 773 | elif [ -n "$IMPORTFILE" ]; then | ||
780 | 774 | VARS_TO_DO="" | ||
781 | 775 | VNET_VARS_TO_DO="" | ||
782 | 776 | . $IMPORTFILE | ||
783 | 777 | for i in $VNET_VARS | ||
784 | 778 | do | ||
785 | 779 | VAL="$(echo \$${i})" | ||
786 | 780 | eval VAL=$VAL | ||
787 | 781 | if [ -n "$VAL" ]; then | ||
788 | 782 | VNET_VARS_TO_DO="$VNET_VARS_TO_DO $i" | ||
789 | 783 | fi | ||
790 | 784 | done | ||
791 | 785 | fi | ||
792 | 786 | |||
793 | 787 | # let's start from no network | ||
794 | 788 | for x in $VNET_VARS_TO_DO ; do | ||
795 | 789 | comment $FILE $x | ||
796 | 790 | done | ||
797 | 791 | |||
798 | 792 | # modified the defined variables | ||
799 | 793 | for x in $VARS_TO_DO ; do | ||
800 | 794 | y="$(echo \$${x})" | ||
801 | 795 | eval y="$y" | ||
802 | 796 | if [ -z "$y" ]; then | ||
803 | 797 | # we just leave NODES uncommented even if it's empty | ||
804 | 798 | if [ "$x" != "NODES" ]; then | ||
805 | 799 | comment $FILE $x | ||
806 | 800 | fi | ||
807 | 801 | else | ||
808 | 802 | uncomment $FILE $x | ||
809 | 803 | change_var_value $FILE $x "${y}" | ||
810 | 804 | fi | ||
811 | 805 | done | ||
812 | 806 | # and add the network variables | ||
813 | 807 | echo >> $FILE | ||
814 | 808 | echo "# network configuration from the input configuration file" >> $FILE | ||
815 | 809 | for x in $VNET_VARS_TO_DO ; do | ||
816 | 810 | y="$(echo \$${x})" | ||
817 | 811 | eval y="$y" | ||
818 | 812 | if [ -n "$y" ]; then | ||
819 | 813 | if [ "$x" = "VNET_INTERFACE" ]; then | ||
820 | 814 | change_var_value $FILE VNET_PRIVINTERFACE "${y}" | ||
821 | 815 | change_var_value $FILE VNET_PUBINTERFACE "${y}" | ||
822 | 816 | else | ||
823 | 817 | echo "$x=\"${y}\"" >> $FILE | ||
824 | 818 | fi | ||
825 | 819 | fi | ||
826 | 820 | done | ||
827 | 821 | fi | ||
828 | 822 | |||
829 | 823 | # we may need the location of the ssh key for eucalyptus | ||
830 | 824 | EUCA_HOME="`getent passwd eucalyptus|cut -f 6 -d ':'`" | ||
831 | 825 | if [ -f "${EUCA_HOME}/.ssh/id_rsa.pub" ]; then | ||
832 | 826 | SSHKEY=`cat ${EUCA_HOME}/.ssh/id_rsa.pub` | ||
833 | 827 | else | ||
834 | 828 | SSHKEY="" | ||
835 | 829 | fi | ||
836 | 830 | |||
837 | 831 | # we need defaults in eucalyptus.conf | ||
838 | 832 | . $DEFAULTS_FILE | ||
839 | 833 | . $FILE | ||
840 | 834 | # get node from nodes.list if it exists | ||
841 | 835 | if [ -e "$EUCALYPTUS/var/lib/eucalyptus/nodes.list" ]; then | ||
842 | 836 | NODES=`cat $EUCALYPTUS/var/lib/eucalyptus/nodes.list` | ||
843 | 837 | fi | ||
844 | 838 | |||
845 | 839 | # first time setup | ||
846 | 840 | if [ -n "$SETUP" ]; then | ||
847 | 841 | ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap" | ||
848 | 842 | |||
849 | 843 | # first of all setup euca_rootwrap | ||
850 | 844 | if [ ! -x "$ROOTWRAP" ]; then | ||
851 | 845 | echo "Cannot find $ROOTWRAP (or not readable)!" | ||
852 | 846 | exit 1 | ||
853 | 847 | fi | ||
854 | 848 | # get EUCA group | ||
855 | 849 | if [ -z "$EUCA_USER" ]; then | ||
856 | 850 | echo "Is EUCA_USER defined?" | ||
857 | 851 | exit 1 | ||
858 | 852 | fi | ||
859 | 853 | # if running as root no need to do anything | ||
860 | 854 | if [ "$EUCA_USER" != "root" ]; then | ||
861 | 855 | ID="`which id 2> /dev/null`" | ||
862 | 856 | if [ -z "$ID" ]; then | ||
863 | 857 | echo "Cannot find command $ID" | ||
864 | 858 | exit 1 | ||
865 | 859 | fi | ||
866 | 860 | if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then | ||
867 | 861 | echo "User $EUCA_USER doesn't exists!" | ||
868 | 862 | exit 1 | ||
869 | 863 | fi | ||
870 | 864 | EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`" | ||
871 | 865 | if [ -z "$EUCA_GROUP" ]; then | ||
872 | 866 | echo "Cannot detect $EUCA_USER group" | ||
873 | 867 | exit 1 | ||
874 | 868 | fi | ||
875 | 869 | if ! chown root:$EUCA_GROUP $ROOTWRAP ; then | ||
876 | 870 | exit 1 | ||
877 | 871 | fi | ||
878 | 872 | if ! chmod 4750 $ROOTWRAP ; then | ||
879 | 873 | exit 1 | ||
880 | 874 | fi | ||
881 | 875 | fi | ||
882 | 876 | |||
883 | 877 | # let's create the instance path | ||
884 | 878 | if [ -n "$INSTANCE_PATH" -a "$INSTANCE_PATH" != "not_configured" -a ! -d "$INSTANCE_PATH" ]; then | ||
885 | 879 | if ! mkdir -p $INSTANCE_PATH ; then | ||
886 | 880 | echo "Failed to create instance path!" | ||
887 | 881 | exit 1 | ||
888 | 882 | fi | ||
889 | 883 | if ! chown $EUCA_USER:$EUCA_GROUP $INSTANCE_PATH ; then | ||
890 | 884 | exit 1 | ||
891 | 885 | fi | ||
892 | 886 | fi | ||
893 | 887 | |||
894 | 888 | chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus | ||
895 | 889 | ret=$? | ||
896 | 890 | chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/log/eucalyptus | ||
897 | 891 | let $((ret += $?)) | ||
898 | 892 | chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus | ||
899 | 893 | let $((ret += $?)) | ||
900 | 894 | chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/etc/eucalyptus/eucalyptus.conf | ||
901 | 895 | let $((ret += $?)) | ||
902 | 896 | |||
903 | 897 | # let's create more needed directory with the right permissions | ||
904 | 898 | mkdir -p $EUCALYPTUS/var/lib/eucalyptus/db | ||
905 | 899 | let $((ret += $?)) | ||
906 | 900 | chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/db | ||
907 | 901 | let $((ret += $?)) | ||
908 | 902 | chmod 700 $EUCALYPTUS/var/lib/eucalyptus/db | ||
909 | 903 | let $((ret += $?)) | ||
910 | 904 | mkdir -p $EUCALYPTUS/var/lib/eucalyptus/keys | ||
911 | 905 | let $((ret += $?)) | ||
912 | 906 | chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/keys | ||
913 | 907 | let $((ret += $?)) | ||
914 | 908 | chmod 700 $EUCALYPTUS/var/lib/eucalyptus/keys | ||
915 | 909 | let $((ret += $?)) | ||
916 | 910 | mkdir -p $EUCALYPTUS/var/lib/eucalyptus/CC | ||
917 | 911 | let $((ret += $?)) | ||
918 | 912 | chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/CC | ||
919 | 913 | let $((ret += $?)) | ||
920 | 914 | chmod 700 $EUCALYPTUS/var/lib/eucalyptus/CC | ||
921 | 915 | let $((ret += $?)) | ||
922 | 916 | |||
923 | 917 | exit $ret | ||
924 | 918 | fi | ||
925 | 919 | |||
926 | 920 | if [ -n "$TOSYNC" ]; then | ||
927 | 921 | echo "not implemented" | ||
928 | 922 | fi | ||
929 | 923 | |||
930 | 924 | # pre-flight checks | ||
931 | 925 | if [ -n "$CHECK" ]; then | ||
932 | 926 | ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap" | ||
933 | 927 | |||
934 | 928 | # vblade and aoe may be needed | ||
935 | 929 | if [ "$DISABLE_EBS" != "Y" -a "$DISABLE_EBS" != "y" ]; then | ||
936 | 930 | if [ "$CHECK" = "sc" ]; then | ||
937 | 931 | VBLADE="`which vblade 2> /dev/null`" | ||
938 | 932 | if [ -z "$VBLADE" ]; then | ||
939 | 933 | echo | ||
940 | 934 | echo "ERROR: EBS is enabled and vblade was not found" | ||
941 | 935 | exit 1 | ||
942 | 936 | fi | ||
943 | 937 | fi | ||
944 | 938 | fi | ||
945 | 939 | |||
946 | 940 | # first of all check euca_rootwrap | ||
947 | 941 | if [ ! -x $ROOTWRAP ]; then | ||
948 | 942 | echo "Cannot find euca_rootwrap!" | ||
949 | 943 | exit 1 | ||
950 | 944 | fi | ||
951 | 945 | # get EUCA group | ||
952 | 946 | if [ -z "$EUCA_USER" ]; then | ||
953 | 947 | echo "Running eucalyptus as root" | ||
954 | 948 | EUCA_USER="root" | ||
955 | 949 | EUCA_GROUP="root" | ||
956 | 950 | fi | ||
957 | 951 | # if running as root no need to do anything | ||
958 | 952 | if [ "$EUCA_USER" != "root" ]; then | ||
959 | 953 | ID="`which id 2> /dev/null`" | ||
960 | 954 | if [ -z "$ID" ]; then | ||
961 | 955 | echo "Cannot find command id" | ||
962 | 956 | exit 1 | ||
963 | 957 | fi | ||
964 | 958 | if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then | ||
965 | 959 | echo "User $EUCA_USER doesn't exists!" | ||
966 | 960 | exit 1 | ||
967 | 961 | fi | ||
968 | 962 | EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`" | ||
969 | 963 | if [ -z "$EUCA_GROUP" ]; then | ||
970 | 964 | echo "Cannot detect $EUCA_USER group: using $EUCA_USER" | ||
971 | 965 | exit 1 | ||
972 | 966 | fi | ||
973 | 967 | # need to check if euca_rootwrap can run as EUCA_USER | ||
974 | 968 | TEST_EUID="`sudo -u $EUCA_USER $ROOTWRAP $ID -u`" | ||
975 | 969 | if [ "$?" != "0" -o "$TEST_EUID" != "0" ]; then | ||
976 | 970 | echo "Problem running $ROOTWRAP! Did you run euca_conf -setup?" | ||
977 | 971 | exit 1 | ||
978 | 972 | fi | ||
979 | 973 | fi | ||
980 | 974 | |||
981 | 975 | # let's be sure we have the INSTANCE_PATH | ||
982 | 976 | if [ "$CHECK" = "nc" ]; then | ||
983 | 977 | if [ -z "$INSTANCE_PATH" ]; then | ||
984 | 978 | echo "INSTANCE_PATH is not defined" | ||
985 | 979 | exit 1 | ||
986 | 980 | fi | ||
987 | 981 | if [ ! -d "$INSTANCE_PATH" ]; then | ||
988 | 982 | echo "$INSTANCE_PATH doesn't exist: did you run euca_conf -setup?" | ||
989 | 983 | exit 1 | ||
990 | 984 | fi | ||
991 | 985 | fi | ||
992 | 986 | |||
993 | 987 | # let's set up directories which could disappears if /var/run is | ||
994 | 988 | # in memory | ||
995 | 989 | if [ ! -d $EUCALYPTUS/var/run/eucalyptus ]; then | ||
996 | 990 | if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus ; then | ||
997 | 991 | # error should come from mkdir | ||
998 | 992 | exit 1 | ||
999 | 993 | fi | ||
1000 | 994 | fi | ||
1001 | 995 | if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus ; then | ||
1002 | 996 | # error should come from chown | ||
1003 | 997 | exit 1 | ||
1004 | 998 | fi | ||
1005 | 999 | |||
1006 | 1000 | |||
1007 | 1001 | if [ "$CHECK" = "cc" ]; then | ||
1008 | 1002 | if [ ! -d $EUCALYPTUS/var/run/eucalyptus/net ]; then | ||
1009 | 1003 | if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus/net ; then | ||
1010 | 1004 | # error should come from mkdir | ||
1011 | 1005 | exit 1 | ||
1012 | 1006 | fi | ||
1013 | 1007 | fi | ||
1014 | 1008 | if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus/net ; then | ||
1015 | 1009 | # error should come from chown | ||
1016 | 1010 | exit 1 | ||
1017 | 1011 | fi | ||
1018 | 1012 | fi | ||
1019 | 1013 | # good to go | ||
1020 | 1014 | exit 0 | ||
1021 | 1015 | fi | ||
1022 | 1016 | |||
1023 | 1017 | createCloudURL () { | ||
1024 | 1018 | if ! getSecretKey; then | ||
1025 | 1019 | echo "ERROR: cannot get credentials" | ||
1026 | 1020 | return 1 | ||
1027 | 1021 | fi | ||
1028 | 1022 | ARGS="AWSAccessKeyId=$AKEY" | ||
1029 | 1023 | KEY=$1 | ||
1030 | 1024 | shift | ||
1031 | 1025 | VAL=$1 | ||
1032 | 1026 | shift | ||
1033 | 1027 | while ( test -n "$KEY" -a -n "$VAL") | ||
1034 | 1028 | do | ||
1035 | 1029 | ARGS="${ARGS}&${KEY}=${VAL}" | ||
1036 | 1030 | KEY=$1 | ||
1037 | 1031 | shift | ||
1038 | 1032 | VAL=$1 | ||
1039 | 1033 | shift | ||
1040 | 1034 | done | ||
1041 | 1035 | if [ -z "$SKEY" ]; then | ||
1042 | 1036 | echo "ERROR: SKEY parameter is not set." | ||
1043 | 1037 | export URL="" | ||
1044 | 1038 | return 1 | ||
1045 | 1039 | fi | ||
1046 | 1040 | ARGS="${ARGS}&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=$(date -u '+%Y-%m-%dT%H%%3A%M%%3A%S.000Z')&Version=eucalyptus" | ||
1047 | 1041 | SIGNATURE=$(echo -en "GET\n127.0.0.1\n/services/Configuration\n${ARGS}" | openssl dgst -sha256 -hmac ${SKEY} -binary | openssl base64) | ||
1048 | 1042 | export URL="http://127.0.0.1:8773/services/Configuration?${ARGS}&Signature=${SIGNATURE}" | ||
1049 | 1043 | if [ "$VERBOSE" = "Y" ]; then | ||
1050 | 1044 | echo $URL | ||
1051 | 1045 | fi | ||
1052 | 1046 | return 0 | ||
1053 | 1047 | } | ||
1054 | 1048 | |||
1055 | 1049 | getSecretKey() { | ||
1056 | 1050 | if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then | ||
1057 | 1051 | DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/" | ||
1058 | 1052 | else | ||
1059 | 1053 | echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface." | ||
1060 | 1054 | exit 1 | ||
1061 | 1055 | fi | ||
1062 | 1056 | |||
1063 | 1057 | FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Ss][Ee][Cc][Rr][Ee][Tt][Kk][Ee][Yy]/ {print NR}'` | ||
1064 | 1058 | if [ "$FIELD" = "" ]; then | ||
1065 | 1059 | echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface" | ||
1066 | 1060 | export SKEY="" | ||
1067 | 1061 | return 1 | ||
1068 | 1062 | fi | ||
1069 | 1063 | SKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g')) | ||
1070 | 1064 | |||
1071 | 1065 | FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Qq][Uu][Ee][Rr][Yy]_[Ii][Dd]/ {print NR}'` | ||
1072 | 1066 | if [ "$FIELD" = "" ]; then | ||
1073 | 1067 | echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface" | ||
1074 | 1068 | export AKEY="" | ||
1075 | 1069 | return 1 | ||
1076 | 1070 | fi | ||
1077 | 1071 | AKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g')) | ||
1078 | 1072 | |||
1079 | 1073 | return 0 | ||
1080 | 1074 | } | ||
1081 | 1075 | |||
1082 | 1076 | checkLocalService() { | ||
1083 | 1077 | local SERVICE="" | ||
1084 | 1078 | |||
1085 | 1079 | if [ -z "$WGET" -o ! -x "$WGET" ]; then | ||
1086 | 1080 | echo "ERROR: wget is missing, cannot continue." | ||
1087 | 1081 | return 1 | ||
1088 | 1082 | fi | ||
1089 | 1083 | |||
1090 | 1084 | SERVICE="$1" | ||
1091 | 1085 | if [ -z "$SERVICE" ]; then | ||
1092 | 1086 | echo "ERROR: must pass in service name (CLC, CC)" | ||
1093 | 1087 | return 1 | ||
1094 | 1088 | elif [ "$SERVICE" = "CLC" ]; then | ||
1095 | 1089 | if [ -n "$FAKEREG" ]; then | ||
1096 | 1090 | local SOURCEDIR="$EUCALYPTUS/var/lib/eucalyptus/keys/" | ||
1097 | 1091 | for i in cloud | ||
1098 | 1092 | do | ||
1099 | 1093 | if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then | ||
1100 | 1094 | openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost" | ||
1101 | 1095 | fi | ||
1102 | 1096 | done | ||
1103 | 1097 | fi | ||
1104 | 1098 | |||
1105 | 1099 | CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null" | ||
1106 | 1100 | elif [ "$SERVICE" = "CC" ]; then | ||
1107 | 1101 | CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null" | ||
1108 | 1102 | fi | ||
1109 | 1103 | |||
1110 | 1104 | if [ -n "${FAKEREG}" ]; then | ||
1111 | 1105 | CMD="echo" | ||
1112 | 1106 | fi | ||
1113 | 1107 | if ! eval $CMD ; then | ||
1114 | 1108 | echo "ERROR: you need to be on the $SERVICE host and the $SERVICE needs to be running." | ||
1115 | 1109 | return 1 | ||
1116 | 1110 | fi | ||
1117 | 1111 | return 0 | ||
1118 | 1112 | } | ||
1119 | 1113 | |||
1120 | 1114 | if [ -n "$CREDENTIALZIPFILE" ]; then | ||
1121 | 1115 | if [ -f "$CREDENTIALZIPFILE" ]; then | ||
1122 | 1116 | echo "file '$CREDENTIALZIPFILE' already exists, please remove and try again" | ||
1123 | 1117 | exit 1 | ||
1124 | 1118 | fi | ||
1125 | 1119 | if ! checkLocalService "CLC" ; then | ||
1126 | 1120 | exit 1 | ||
1127 | 1121 | fi | ||
1128 | 1122 | |||
1129 | 1123 | if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then | ||
1130 | 1124 | DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/" | ||
1131 | 1125 | else | ||
1132 | 1126 | echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface." | ||
1133 | 1127 | exit 1 | ||
1134 | 1128 | fi | ||
1135 | 1129 | FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Tt][Oo][Kk][Ee][Nn]/ {print NR}'` | ||
1136 | 1130 | if [ -z "$FIELD" ]; then | ||
1137 | 1131 | echo "cannot find code field in database, please go to the Eucalyptus web UI to obtain credentials." | ||
1138 | 1132 | exit 1 | ||
1139 | 1133 | fi | ||
1140 | 1134 | VERCOL=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Vv][Ee][Rr][Ss][Ii][Oo][Nn]/ {print NR}'` | ||
1141 | 1135 | if [ -z "$VERCOL" ]; then | ||
1142 | 1136 | echo "cannot find version field in database, please go to the Eucalyptus web UI to obtain credentials." | ||
1143 | 1137 | exit 1 | ||
1144 | 1138 | fi | ||
1145 | 1139 | KEY=$(eval echo $(awk -v field=${FIELD} -v vercol=${VERCOL} -F, 'BEGIN { token=""; max=-1; } /INSERT INTO AUTH_USERS.*admin/ { if ($vercol>max) { max=$vercol; token=$field; } } END { print token; }' ${DBDIR}/* | head -n 1 | sed 's/[()]//g')) | ||
1146 | 1140 | if [ -z "$KEY" ]; then | ||
1147 | 1141 | echo "cannot find code in database, please go to the Eucalyptus web UI to obtain credentials." | ||
1148 | 1142 | exit 1 | ||
1149 | 1143 | fi | ||
1150 | 1144 | CMD="$WGET --no-check-certificate \"https://localhost:8443/getX509?user=admin&code=$KEY\" -O $CREDENTIALZIPFILE" | ||
1151 | 1145 | if ! eval $CMD ; then | ||
1152 | 1146 | echo "failed to obtain credentals, please try again or go to the Eucalyptus web UI." | ||
1153 | 1147 | exit 1 | ||
1154 | 1148 | fi | ||
1155 | 1149 | fi | ||
1156 | 1150 | |||
1157 | 1151 | # adding a new cluster | ||
1158 | 1152 | if [ -n "$CLUSNAME" ]; then | ||
1159 | 1153 | if ! checkLocalService "CLC" ; then | ||
1160 | 1154 | exit 1 | ||
1161 | 1155 | fi | ||
1162 | 1156 | |||
1163 | 1157 | if [ "$CLUSMODE" = "ADD" ]; then | ||
1164 | 1158 | if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then | ||
1165 | 1159 | SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/${CLUSNAME}/ | ||
1166 | 1160 | DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1167 | 1161 | else | ||
1168 | 1162 | echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!" | ||
1169 | 1163 | exit 1 | ||
1170 | 1164 | fi | ||
1171 | 1165 | |||
1172 | 1166 | URL="" | ||
1173 | 1167 | if ! createCloudURL "Action" "RegisterCluster" "Host" "${NEWCLUS}" "Name" "${CLUSNAME}" "Port" "${CC_PORT}"; then | ||
1174 | 1168 | exit 1 | ||
1175 | 1169 | fi | ||
1176 | 1170 | |||
1177 | 1171 | if ! check_ws "$URL" ; then | ||
1178 | 1172 | echo "ERROR: failed to register new cluster, please log in to the admin interface and check cloud status." | ||
1179 | 1173 | exit 1 | ||
1180 | 1174 | fi | ||
1181 | 1175 | |||
1182 | 1176 | if [ -n "${FAKEREG}" ]; then | ||
1183 | 1177 | mkdir -p $SOURCEDIR | ||
1184 | 1178 | if [ -n "${FAKEREG}" ]; then | ||
1185 | 1179 | mkdir -p $SOURCEDIR | ||
1186 | 1180 | for i in cluster node | ||
1187 | 1181 | do | ||
1188 | 1182 | if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then | ||
1189 | 1183 | openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost" | ||
1190 | 1184 | fi | ||
1191 | 1185 | done | ||
1192 | 1186 | fi | ||
1193 | 1187 | fi | ||
1194 | 1188 | |||
1195 | 1189 | # sync the keys | ||
1196 | 1190 | if ! sync_keys "${DESTDIR},${SOURCEDIR}" ${DESTDIR} ${NEWCLUS} node-cert.pem cluster-cert.pem cluster-pk.pem node-pk.pem vtunpass cloud-cert.pem; then | ||
1197 | 1191 | echo "ERROR: failed to sync keys with ${NEWCLUS}; registration will not be complete until keys can be synced, please try again." | ||
1198 | 1192 | exit 1 | ||
1199 | 1193 | fi | ||
1200 | 1194 | echo | ||
1201 | 1195 | echo "SUCCESS: new cluster '${CLUSNAME}' on host '${NEWCLUS}' successfully registered." | ||
1202 | 1196 | elif [ "$CLUSMODE" = "DEL" ]; then | ||
1203 | 1197 | URL="" | ||
1204 | 1198 | # let's see if we have such a cluster | ||
1205 | 1199 | LIST_RES="" | ||
1206 | 1200 | if ! createCloudURL "Action" "DescribeClusters" ; then | ||
1207 | 1201 | exit 1 | ||
1208 | 1202 | fi | ||
1209 | 1203 | if ! check_ws "$URL" LIST_RES ; then | ||
1210 | 1204 | echo "ERROR: cannot talk with CLC" | ||
1211 | 1205 | exit 1 | ||
1212 | 1206 | fi | ||
1213 | 1207 | FOUND="N" | ||
1214 | 1208 | for x in $LIST_RES ; do | ||
1215 | 1209 | if [ "$x" = "${CLUSNAME}" ]; then | ||
1216 | 1210 | FOUND="Y" | ||
1217 | 1211 | break | ||
1218 | 1212 | fi | ||
1219 | 1213 | done | ||
1220 | 1214 | if [ "$FOUND" = "N" ]; then | ||
1221 | 1215 | echo "No registered cluster $CLUSNAME was found" | ||
1222 | 1216 | exit 1 | ||
1223 | 1217 | fi | ||
1224 | 1218 | |||
1225 | 1219 | # now let's deregister | ||
1226 | 1220 | URL="" | ||
1227 | 1221 | if ! createCloudURL "Action" "DeregisterCluster" "Name" "${CLUSNAME}"; then | ||
1228 | 1222 | exit 1 | ||
1229 | 1223 | fi | ||
1230 | 1224 | |||
1231 | 1225 | if ! check_ws "$URL" ; then | ||
1232 | 1226 | echo "ERROR: failed to deregister new cluster, please log in to the admin interface and check cloud status." | ||
1233 | 1227 | exit 1 | ||
1234 | 1228 | fi | ||
1235 | 1229 | echo | ||
1236 | 1230 | echo "SUCCESS: cluster '${CLUSNAME}' successfully deregistered." | ||
1237 | 1231 | fi | ||
1238 | 1232 | fi | ||
1239 | 1233 | |||
1240 | 1234 | # walrus | ||
1241 | 1235 | if [ -n "$WALRUS" -o -n "$WALRUS_MODE" ]; then | ||
1242 | 1236 | if ! checkLocalService "CLC" ; then | ||
1243 | 1237 | exit 1 | ||
1244 | 1238 | fi | ||
1245 | 1239 | |||
1246 | 1240 | if [ "$WALRUS_MODE" = "ADD" ]; then | ||
1247 | 1241 | echo "Adding WALRUS host $WALRUS" | ||
1248 | 1242 | if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then | ||
1249 | 1243 | SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1250 | 1244 | DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1251 | 1245 | else | ||
1252 | 1246 | echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!" | ||
1253 | 1247 | exit 1 | ||
1254 | 1248 | fi | ||
1255 | 1249 | |||
1256 | 1250 | URL="" | ||
1257 | 1251 | if ! createCloudURL "Action" "RegisterWalrus" "Host" "${WALRUS}" "Name" "walrus" "Port" "8773"; then | ||
1258 | 1252 | exit 1 | ||
1259 | 1253 | fi | ||
1260 | 1254 | |||
1261 | 1255 | if ! check_ws "$URL" ; then | ||
1262 | 1256 | echo "ERROR: failed to register Walrus, please log in to the admin interface and check cloud status." | ||
1263 | 1257 | exit 1 | ||
1264 | 1258 | fi | ||
1265 | 1259 | |||
1266 | 1260 | # check that walrus is at least running on the remote host | ||
1267 | 1261 | sleep 3 | ||
1268 | 1262 | if ! check_heartbeat ${WALRUS} walrus ; then | ||
1269 | 1263 | echo "WARNING: Walrus is not up on host ${WALRUS}; registration will not be complete until walrus is running." | ||
1270 | 1264 | fi | ||
1271 | 1265 | |||
1272 | 1266 | # sync the keys | ||
1273 | 1267 | if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${WALRUS} euca.p12 ; then | ||
1274 | 1268 | echo "ERROR: failed to sync keys with ${WALRUS}; registration will not be complete until keys can be synced, please try again." | ||
1275 | 1269 | exit 1 | ||
1276 | 1270 | fi | ||
1277 | 1271 | echo | ||
1278 | 1272 | echo "SUCCESS: new walrus on host '${WALRUS}' successfully registered." | ||
1279 | 1273 | |||
1280 | 1274 | elif [ "$WALRUS_MODE" = "DEL" ]; then | ||
1281 | 1275 | URL="" | ||
1282 | 1276 | if ! createCloudURL "Action" "DeregisterWalrus" "Name" "walrus"; then | ||
1283 | 1277 | exit 1 | ||
1284 | 1278 | fi | ||
1285 | 1279 | if ! check_ws "$URL" ; then | ||
1286 | 1280 | echo "ERROR: failed to deregister Walrus, please log in to the admin interface and check cloud status." | ||
1287 | 1281 | exit 1 | ||
1288 | 1282 | fi | ||
1289 | 1283 | echo | ||
1290 | 1284 | echo "SUCCESS: Walrus successfully deregistered." | ||
1291 | 1285 | fi | ||
1292 | 1286 | fi | ||
1293 | 1287 | |||
1294 | 1288 | # sc | ||
1295 | 1289 | if [ -n "$SCNAME" ]; then | ||
1296 | 1290 | if ! checkLocalService "CLC" ; then | ||
1297 | 1291 | exit 1 | ||
1298 | 1292 | fi | ||
1299 | 1293 | |||
1300 | 1294 | if [ "$SC_MODE" = "ADD" ]; then | ||
1301 | 1295 | echo "Adding SC $SCHOST to cluster $SCNAME" | ||
1302 | 1296 | if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then | ||
1303 | 1297 | SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1304 | 1298 | DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1305 | 1299 | else | ||
1306 | 1300 | echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!" | ||
1307 | 1301 | exit 1 | ||
1308 | 1302 | fi | ||
1309 | 1303 | |||
1310 | 1304 | URL="" | ||
1311 | 1305 | if ! createCloudURL "Action" "RegisterStorageController" "Host" "${SCHOST}" "Name" "${SCNAME}" "Port" "8773"; then | ||
1312 | 1306 | exit 1 | ||
1313 | 1307 | fi | ||
1314 | 1308 | if ! check_ws "$URL"; then | ||
1315 | 1309 | echo "ERROR: failed to register storage controller, please log in to the admin interface and check cloud status." | ||
1316 | 1310 | exit 1 | ||
1317 | 1311 | fi | ||
1318 | 1312 | if [ -n "${FAKEREG}" ]; then | ||
1319 | 1313 | mkdir -p $SOURCEDIR | ||
1320 | 1314 | for i in sc | ||
1321 | 1315 | do | ||
1322 | 1316 | if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then | ||
1323 | 1317 | openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost" | ||
1324 | 1318 | fi | ||
1325 | 1319 | done | ||
1326 | 1320 | fi | ||
1327 | 1321 | |||
1328 | 1322 | # sync the keys | ||
1329 | 1323 | if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${SCHOST} euca.p12; then | ||
1330 | 1324 | echo "ERROR: failed to sync keys with ${SCHOST}; registration will not be complete until keys can be synced, please try again." | ||
1331 | 1325 | exit 1 | ||
1332 | 1326 | fi | ||
1333 | 1327 | echo | ||
1334 | 1328 | echo "SUCCESS: new SC for cluster '${SCNAME}' on host '${SCHOST}' successfully registered." | ||
1335 | 1329 | |||
1336 | 1330 | elif [ "$SC_MODE" = "DEL" ]; then | ||
1337 | 1331 | # let's see if we have such a storage controller | ||
1338 | 1332 | LIST_RES="" | ||
1339 | 1333 | if ! createCloudURL "Action" "DescribeStorageControllers" ; then | ||
1340 | 1334 | exit 1 | ||
1341 | 1335 | fi | ||
1342 | 1336 | if ! check_ws "$URL" LIST_RES ; then | ||
1343 | 1337 | echo "ERROR: cannot talk with CLC" | ||
1344 | 1338 | exit 1 | ||
1345 | 1339 | fi | ||
1346 | 1340 | FOUND="N" | ||
1347 | 1341 | for x in $LIST_RES ; do | ||
1348 | 1342 | if [ "$x" = "${SCNAME}" ]; then | ||
1349 | 1343 | FOUND="Y" | ||
1350 | 1344 | break | ||
1351 | 1345 | fi | ||
1352 | 1346 | done | ||
1353 | 1347 | if [ "$FOUND" = "N" ]; then | ||
1354 | 1348 | echo "No registered storage controller $SCNAME was found" | ||
1355 | 1349 | exit 1 | ||
1356 | 1350 | fi | ||
1357 | 1351 | |||
1358 | 1352 | # now let's deregister | ||
1359 | 1353 | URL="" | ||
1360 | 1354 | if ! createCloudURL "Action" "DeregisterStorageController" "Name" "${SCNAME}"; then | ||
1361 | 1355 | exit 1 | ||
1362 | 1356 | fi | ||
1363 | 1357 | if ! check_ws "$URL" ; then | ||
1364 | 1358 | echo "ERROR: failed to deregister StorageController, please log in to the admin interface and check cloud status." | ||
1365 | 1359 | exit 1 | ||
1366 | 1360 | fi | ||
1367 | 1361 | echo | ||
1368 | 1362 | echo "SUCCESS: Storage controller for cluster '${SCNAME}' successfully deregistered." | ||
1369 | 1363 | fi | ||
1370 | 1364 | fi | ||
1371 | 1365 | |||
1372 | 1366 | # operations on the nodes | ||
1373 | 1367 | if [ -n "$NODEMODE" ]; then | ||
1374 | 1368 | # for synckey we fake addnodes | ||
1375 | 1369 | if [ "$NODEMODE" = "SYNC" ]; then | ||
1376 | 1370 | if [ -z "$NODES" ]; then | ||
1377 | 1371 | echo "Warning: there are no NODES configured" | ||
1378 | 1372 | else | ||
1379 | 1373 | NEWNODES="${NODES}" | ||
1380 | 1374 | NODEMODE="ADD" | ||
1381 | 1375 | fi | ||
1382 | 1376 | fi | ||
1383 | 1377 | if [ "$NODEMODE" = "DISCOVER" ]; then | ||
1384 | 1378 | if ! which avahi-browse >/dev/null 2>&1; then | ||
1385 | 1379 | echo "ERROR: avahi-browse not installed, so cannot discover nodes" | ||
1386 | 1380 | exit 1 | ||
1387 | 1381 | fi | ||
1388 | 1382 | NEWNODES= | ||
1389 | 1383 | for DISCOVERED in $(avahi-browse -prt _eucalyptus._tcp | grep '^=.*"type=node"' | cut -d\; -f8 | sort -u); do | ||
1390 | 1384 | if ! xsearch "$DISCOVERED" "$NODES"; then | ||
1391 | 1385 | read -p "New node found on $DISCOVERED; add it? [Yn] " CONFIRM | ||
1392 | 1386 | CONFIRM="$(printf %s "$CONFIRM" | tr A-Z a-z | cut -c1)" | ||
1393 | 1387 | if [ "x$CONFIRM" = x ] || [ "x$CONFIRM" = xy ]; then | ||
1394 | 1388 | NEWNODES="${NEWNODES:+$NEWNODES }$DISCOVERED" | ||
1395 | 1389 | fi | ||
1396 | 1390 | fi | ||
1397 | 1391 | done | ||
1398 | 1392 | NODEMODE="ADD" | ||
1399 | 1393 | fi | ||
1400 | 1394 | |||
1401 | 1395 | # check we have a valid command | ||
1402 | 1396 | if [ "$NODEMODE" != "ADD" -a "$NODEMODE" != "REM" ]; then | ||
1403 | 1397 | echo "ERROR: unknown mode '$NODEMODE', don't know what to do" | ||
1404 | 1398 | exit 1 | ||
1405 | 1399 | fi | ||
1406 | 1400 | |||
1407 | 1401 | if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then | ||
1408 | 1402 | SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1409 | 1403 | DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/ | ||
1410 | 1404 | else | ||
1411 | 1405 | echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful and that this cluster is already registered!" | ||
1412 | 1406 | exit 1 | ||
1413 | 1407 | fi | ||
1414 | 1408 | |||
1415 | 1409 | # CC needs to be running | ||
1416 | 1410 | if ! checkLocalService "CC" ; then | ||
1417 | 1411 | exit 1 | ||
1418 | 1412 | fi | ||
1419 | 1413 | |||
1420 | 1414 | # warn the user on where we expect the keys to be | ||
1421 | 1415 | if [ "$NODEMODE" = "ADD" ]; then | ||
1422 | 1416 | echo | ||
1423 | 1417 | echo "INFO: We expect all nodes to have eucalyptus installed in $EUCALYPTUS/var/lib/eucalyptus/keys for key synchronization." | ||
1424 | 1418 | fi | ||
1425 | 1419 | |||
1426 | 1420 | # adding (or removing) nodes | ||
1427 | 1421 | for NEWNODE in ${NEWNODES} ; do | ||
1428 | 1422 | # let's see if the node is already in the node list | ||
1429 | 1423 | its_here="0" | ||
1430 | 1424 | for x in $NODES ; do | ||
1431 | 1425 | if [ "$x" = "${NEWNODE}" ]; then | ||
1432 | 1426 | its_here="1" | ||
1433 | 1427 | break | ||
1434 | 1428 | fi | ||
1435 | 1429 | done | ||
1436 | 1430 | |||
1437 | 1431 | # remove is simpler: just remove the node name | ||
1438 | 1432 | if [ "$NODEMODE" = "REM" ]; then | ||
1439 | 1433 | if [ "$its_here" = "0" ]; then | ||
1440 | 1434 | echo "Node ${NEWNODE} is not known" | ||
1441 | 1435 | continue | ||
1442 | 1436 | fi | ||
1443 | 1437 | NEW_NODES="" | ||
1444 | 1438 | for x in $NODES; do | ||
1445 | 1439 | if [ "$x" = "${NEWNODE}" ]; then | ||
1446 | 1440 | continue | ||
1447 | 1441 | fi | ||
1448 | 1442 | NEW_NODES="$x $NEW_NODES" | ||
1449 | 1443 | done | ||
1450 | 1444 | echo "$NEW_NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list | ||
1451 | 1445 | echo "SUCCESS: removed node '${NEWNODE}' from '$FILE'" | ||
1452 | 1446 | continue | ||
1453 | 1447 | fi | ||
1454 | 1448 | |||
1455 | 1449 | # let's sync keys with the nodes | ||
1456 | 1450 | if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${NEWNODE} node-cert.pem cluster-cert.pem node-pk.pem cloud-cert.pem; then | ||
1457 | 1451 | errors=1 | ||
1458 | 1452 | echo | ||
1459 | 1453 | echo "ERROR: could not synchronize keys with $NEWNODE!" | ||
1460 | 1454 | echo "The configuration will not have this node." | ||
1461 | 1455 | if [ "$SSHKEY" = "" ]; then | ||
1462 | 1456 | echo "User $EUCA_USER may have to run ssh-keygen!" | ||
1463 | 1457 | else | ||
1464 | 1458 | echo "Hint: to setup passwordless login to the nodes as user $EUCA_USER, you can" | ||
1465 | 1459 | echo "run the following commands on node $NEWNODE:" | ||
1466 | 1460 | echo "sudo -u $EUCA_USER mkdir -p ~${EUCA_USER}/.ssh" | ||
1467 | 1461 | echo "sudo -u $EUCA_USER tee ~${EUCA_USER}/.ssh/authorized_keys > /dev/null <<EOT" | ||
1468 | 1462 | echo "$SSHKEY" | ||
1469 | 1463 | echo "EOT" | ||
1470 | 1464 | echo "" | ||
1471 | 1465 | echo "Be sure that authorized_keys is not group/world readable or writable" | ||
1472 | 1466 | fi | ||
1473 | 1467 | continue | ||
1474 | 1468 | fi | ||
1475 | 1469 | |||
1476 | 1470 | # if the node is already listed, we are done | ||
1477 | 1471 | if [ "$its_here" = "1" ]; then | ||
1478 | 1472 | continue | ||
1479 | 1473 | fi | ||
1480 | 1474 | |||
1481 | 1475 | # add the node | ||
1482 | 1476 | NODES="${NODES} $NEWNODE" | ||
1483 | 1477 | echo "$NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list | ||
1484 | 1478 | |||
1485 | 1479 | done | ||
1486 | 1480 | fi | ||
1487 | 1481 | |||
1488 | 1482 | |||
1489 | 1483 | for x in $LIST ; do | ||
1490 | 1484 | LIST_RES="" | ||
1491 | 1485 | |||
1492 | 1486 | if [ "$x" = "walruses" ]; then | ||
1493 | 1487 | if ! createCloudURL "Action" "DescribeWalruses" ; then | ||
1494 | 1488 | exit 1 | ||
1495 | 1489 | fi | ||
1496 | 1490 | if ! check_ws "$URL" LIST_RES ; then | ||
1497 | 1491 | exit 1 | ||
1498 | 1492 | fi | ||
1499 | 1493 | if [ -n "$LIST_RES" ]; then | ||
1500 | 1494 | echo "registered walruses:" | ||
1501 | 1495 | fi | ||
1502 | 1496 | echo "$LIST_RES" | ||
1503 | 1497 | fi | ||
1504 | 1498 | if [ "$x" = "storages" ]; then | ||
1505 | 1499 | if ! createCloudURL "Action" "DescribeStorageControllers" ; then | ||
1506 | 1500 | exit 1 | ||
1507 | 1501 | fi | ||
1508 | 1502 | if ! check_ws "$URL" LIST_RES ; then | ||
1509 | 1503 | exit 1 | ||
1510 | 1504 | fi | ||
1511 | 1505 | if [ -n "$LIST_RES" ]; then | ||
1512 | 1506 | echo "registered storage controllers:" | ||
1513 | 1507 | fi | ||
1514 | 1508 | echo "$LIST_RES" | ||
1515 | 1509 | fi | ||
1516 | 1510 | if [ "$x" = "clusters" ]; then | ||
1517 | 1511 | if ! createCloudURL "Action" "DescribeClusters" ; then | ||
1518 | 1512 | exit 1 | ||
1519 | 1513 | fi | ||
1520 | 1514 | if ! check_ws "$URL" LIST_RES ; then | ||
1521 | 1515 | exit 1 | ||
1522 | 1516 | fi | ||
1523 | 1517 | if [ -n "$LIST_RES" ]; then | ||
1524 | 1518 | echo "registered clusters:" | ||
1525 | 1519 | fi | ||
1526 | 1520 | echo "$LIST_RES" | ||
1527 | 1521 | fi | ||
1528 | 1522 | if [ "$x" = "nodes" ]; then | ||
1529 | 1523 | if ! createCloudURL "Action" "DescribeNodes" ; then | ||
1530 | 1524 | exit 1 | ||
1531 | 1525 | fi | ||
1532 | 1526 | if ! check_ws "$URL" LIST_RES ; then | ||
1533 | 1527 | exit 1 | ||
1534 | 1528 | fi | ||
1535 | 1529 | if [ -n "$LIST_RES" ]; then | ||
1536 | 1530 | echo "registered nodes:" | ||
1537 | 1531 | fi | ||
1538 | 1532 | echo "$LIST_RES" | ||
1539 | 1533 | fi | ||
1540 | 1534 | done | ||
1541 | 1535 | |||
1542 | 1536 | |||
1543 | 1537 | # enable/disable services | ||
1544 | 1538 | if [ -r $EUCALYPTUS/var/lib/eucalyptus/services ]; then | ||
1545 | 1539 | for x in `cat $EUCALYPTUS/var/lib/eucalyptus/services` ; do | ||
1546 | 1540 | TO_START="$TO_START $x" | ||
1547 | 1541 | done | ||
1548 | 1542 | fi | ||
1549 | 1543 | if [ -n "$DISABLED" -o -n "$ENABLED" ]; then | ||
1550 | 1544 | for x in $TO_START $ENABLED ; do | ||
1551 | 1545 | to_start="Y" | ||
1552 | 1546 | for y in $DISABLED ; do | ||
1553 | 1547 | if [ "$x" = "$y" ]; then | ||
1554 | 1548 | to_start="N" | ||
1555 | 1549 | fi | ||
1556 | 1550 | done | ||
1557 | 1551 | [ $to_start = "Y" ] && echo $x | ||
1558 | 1552 | done | sort | uniq > $EUCALYPTUS/var/lib/eucalyptus/services | ||
1559 | 1553 | fi | ||
1560 | 1554 | |||
1561 | 1555 | [ "$errors" = "1" ] && exit 1 || exit 0 | ||
1562 | 0 | 1556 | ||
1563 | === added directory '.pc/30-clock_drift.patch' | |||
1564 | === added directory '.pc/30-clock_drift.patch/tools' | |||
1565 | === added file '.pc/30-clock_drift.patch/tools/client-policy-template.xml' | |||
1566 | --- .pc/30-clock_drift.patch/tools/client-policy-template.xml 1970-01-01 00:00:00 +0000 | |||
1567 | +++ .pc/30-clock_drift.patch/tools/client-policy-template.xml 2011-09-21 09:10:44 +0000 | |||
1568 | @@ -0,0 +1,73 @@ | |||
1569 | 1 | <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> | ||
1570 | 2 | <wsp:ExactlyOne> | ||
1571 | 3 | <wsp:All> | ||
1572 | 4 | <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1573 | 5 | <wsp:Policy> | ||
1574 | 6 | <sp:InitiatorToken> | ||
1575 | 7 | <wsp:Policy> | ||
1576 | 8 | <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"> | ||
1577 | 9 | <wsp:Policy> | ||
1578 | 10 | <sp:RequireEmbeddedTokenReference/> | ||
1579 | 11 | <sp:WssX509V3Token10/> | ||
1580 | 12 | </wsp:Policy> | ||
1581 | 13 | </sp:X509Token> | ||
1582 | 14 | </wsp:Policy> | ||
1583 | 15 | </sp:InitiatorToken> | ||
1584 | 16 | <sp:RecipientToken> | ||
1585 | 17 | <wsp:Policy> | ||
1586 | 18 | <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"> | ||
1587 | 19 | <wsp:Policy> | ||
1588 | 20 | <sp:RequireEmbeddedTokenReference/> | ||
1589 | 21 | <sp:WssX509V3Token10/> | ||
1590 | 22 | </wsp:Policy> | ||
1591 | 23 | </sp:X509Token> | ||
1592 | 24 | </wsp:Policy> | ||
1593 | 25 | </sp:RecipientToken> | ||
1594 | 26 | |||
1595 | 27 | <sp:AlgorithmSuite> | ||
1596 | 28 | <wsp:Policy> | ||
1597 | 29 | <sp:Basic256Rsa15/> | ||
1598 | 30 | </wsp:Policy> | ||
1599 | 31 | </sp:AlgorithmSuite> | ||
1600 | 32 | |||
1601 | 33 | <sp:Layout> | ||
1602 | 34 | <wsp:Policy> | ||
1603 | 35 | <sp:Strict/> | ||
1604 | 36 | </wsp:Policy> | ||
1605 | 37 | </sp:Layout> | ||
1606 | 38 | |||
1607 | 39 | <sp:IncludeTimestamp/> | ||
1608 | 40 | <sp:OnlySignEntireHeadersAndBody/> | ||
1609 | 41 | </wsp:Policy> | ||
1610 | 42 | </sp:AsymmetricBinding> | ||
1611 | 43 | |||
1612 | 44 | <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1613 | 45 | <wsp:Policy> | ||
1614 | 46 | <sp:MustSupportRefKeyIdentifier/> | ||
1615 | 47 | <sp:MustSupportRefEmbeddedToken/> | ||
1616 | 48 | </wsp:Policy> | ||
1617 | 49 | </sp:Wss10> | ||
1618 | 50 | |||
1619 | 51 | <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1620 | 52 | <sp:Body/> | ||
1621 | 53 | <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/> | ||
1622 | 54 | </sp:SignedParts> | ||
1623 | 55 | |||
1624 | 56 | <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy"> | ||
1625 | 57 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate> | ||
1626 | 58 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate> | ||
1627 | 59 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey> | ||
1628 | 60 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | ||
1629 | 61 | <!-- | ||
1630 | 62 | <rampc:User>CLIENT-USERNAME</rampc:User> | ||
1631 | 63 | <rampc:PasswordType>Digest</rampc:PasswordType> | ||
1632 | 64 | <rampc:PasswordCallbackClass>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/libpwcb.so</rampc:PasswordCallbackClass> | ||
1633 | 65 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate> | ||
1634 | 66 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate> | ||
1635 | 67 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey> | ||
1636 | 68 | --> | ||
1637 | 69 | </rampc:RampartConfig> | ||
1638 | 70 | </wsp:All> | ||
1639 | 71 | </wsp:ExactlyOne> | ||
1640 | 72 | </wsp:Policy> | ||
1641 | 73 | |||
1642 | 0 | 74 | ||
1643 | === added file '.pc/30-clock_drift.patch/tools/service-policy-template.xml' | |||
1644 | --- .pc/30-clock_drift.patch/tools/service-policy-template.xml 1970-01-01 00:00:00 +0000 | |||
1645 | +++ .pc/30-clock_drift.patch/tools/service-policy-template.xml 2011-09-21 09:10:44 +0000 | |||
1646 | @@ -0,0 +1,67 @@ | |||
1647 | 1 | <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> | ||
1648 | 2 | <wsp:ExactlyOne> | ||
1649 | 3 | <wsp:All> | ||
1650 | 4 | <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1651 | 5 | <wsp:Policy> | ||
1652 | 6 | <sp:InitiatorToken> | ||
1653 | 7 | <wsp:Policy> | ||
1654 | 8 | <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">a | ||
1655 | 9 | <wsp:Policy> | ||
1656 | 10 | <sp:RequireEmbeddedTokenReference/> | ||
1657 | 11 | <sp:WssX509V3Token10/> | ||
1658 | 12 | </wsp:Policy> | ||
1659 | 13 | </sp:X509Token> | ||
1660 | 14 | </wsp:Policy> | ||
1661 | 15 | </sp:InitiatorToken> | ||
1662 | 16 | <sp:RecipientToken> | ||
1663 | 17 | <wsp:Policy> | ||
1664 | 18 | <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"> | ||
1665 | 19 | <wsp:Policy> | ||
1666 | 20 | <sp:RequireEmbeddedTokenReference/> | ||
1667 | 21 | <sp:WssX509V3Token10/> | ||
1668 | 22 | </wsp:Policy> | ||
1669 | 23 | </sp:X509Token> | ||
1670 | 24 | </wsp:Policy> | ||
1671 | 25 | </sp:RecipientToken> | ||
1672 | 26 | |||
1673 | 27 | <sp:AlgorithmSuite> | ||
1674 | 28 | <wsp:Policy> | ||
1675 | 29 | <sp:Basic256Rsa15/> | ||
1676 | 30 | </wsp:Policy> | ||
1677 | 31 | </sp:AlgorithmSuite> | ||
1678 | 32 | |||
1679 | 33 | <sp:Layout> | ||
1680 | 34 | <wsp:Policy> | ||
1681 | 35 | <sp:Strict/> | ||
1682 | 36 | </wsp:Policy> | ||
1683 | 37 | </sp:Layout> | ||
1684 | 38 | |||
1685 | 39 | <sp:IncludeTimestamp/> | ||
1686 | 40 | <sp:OnlySignEntireHeadersAndBody/> | ||
1687 | 41 | <!-- <sp:EncryptSignature/> --> | ||
1688 | 42 | </wsp:Policy> | ||
1689 | 43 | </sp:AsymmetricBinding> | ||
1690 | 44 | |||
1691 | 45 | <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1692 | 46 | <wsp:Policy> | ||
1693 | 47 | <sp:MustSupportRefKeyIdentifier/> | ||
1694 | 48 | <sp:MustSupportRefEmbeddedToken/> | ||
1695 | 49 | <sp:MustSupportRefIssuerSerial/> | ||
1696 | 50 | </wsp:Policy> | ||
1697 | 51 | </sp:Wss10> | ||
1698 | 52 | |||
1699 | 53 | <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> | ||
1700 | 54 | <sp:Body/> | ||
1701 | 55 | <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/> | ||
1702 | 56 | </sp:SignedParts> | ||
1703 | 57 | |||
1704 | 58 | <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy"> | ||
1705 | 59 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:ReceiverCertificate> | ||
1706 | 60 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate> | ||
1707 | 61 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey> | ||
1708 | 62 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | ||
1709 | 63 | </rampc:RampartConfig> | ||
1710 | 64 | </wsp:All> | ||
1711 | 65 | </wsp:ExactlyOne> | ||
1712 | 66 | </wsp:Policy> | ||
1713 | 67 | |||
1714 | 0 | 68 | ||
1715 | === added directory '.pc/30-clock_drift.patch/util' | |||
1716 | === added file '.pc/30-clock_drift.patch/util/euca_axis.c' | |||
1717 | --- .pc/30-clock_drift.patch/util/euca_axis.c 1970-01-01 00:00:00 +0000 | |||
1718 | +++ .pc/30-clock_drift.patch/util/euca_axis.c 2011-09-21 09:10:44 +0000 | |||
1719 | @@ -0,0 +1,459 @@ | |||
1720 | 1 | /* | ||
1721 | 2 | Copyright (c) 2009 Eucalyptus Systems, Inc. | ||
1722 | 3 | |||
1723 | 4 | This program is free software: you can redistribute it and/or modify | ||
1724 | 5 | it under the terms of the GNU General Public License as published by | ||
1725 | 6 | the Free Software Foundation, only version 3 of the License. | ||
1726 | 7 | |||
1727 | 8 | This file is distributed in the hope that it will be useful, but WITHOUT | ||
1728 | 9 | ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | ||
1729 | 10 | FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | ||
1730 | 11 | for more details. | ||
1731 | 12 | |||
1732 | 13 | You should have received a copy of the GNU General Public License along | ||
1733 | 14 | with this program. If not, see <http://www.gnu.org/licenses/>. | ||
1734 | 15 | |||
1735 | 16 | Please contact Eucalyptus Systems, Inc., 130 Castilian | ||
1736 | 17 | Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/> | ||
1737 | 18 | if you need additional information or have any questions. | ||
1738 | 19 | |||
1739 | 20 | This file may incorporate work covered under the following copyright and | ||
1740 | 21 | permission notice: | ||
1741 | 22 | |||
1742 | 23 | Software License Agreement (BSD License) | ||
1743 | 24 | |||
1744 | 25 | Copyright (c) 2008, Regents of the University of California | ||
1745 | 26 | |||
1746 | 27 | |||
1747 | 28 | Redistribution and use of this software in source and binary forms, with | ||
1748 | 29 | or without modification, are permitted provided that the following | ||
1749 | 30 | conditions are met: | ||
1750 | 31 | |||
1751 | 32 | Redistributions of source code must retain the above copyright notice, | ||
1752 | 33 | this list of conditions and the following disclaimer. | ||
1753 | 34 | |||
1754 | 35 | Redistributions in binary form must reproduce the above copyright | ||
1755 | 36 | notice, this list of conditions and the following disclaimer in the | ||
1756 | 37 | documentation and/or other materials provided with the distribution. | ||
1757 | 38 | |||
1758 | 39 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS | ||
1759 | 40 | IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | ||
1760 | 41 | TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A | ||
1761 | 42 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER | ||
1762 | 43 | OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | ||
1763 | 44 | EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | ||
1764 | 45 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | ||
1765 | 46 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | ||
1766 | 47 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | ||
1767 | 48 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
1768 | 49 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF | ||
1769 | 50 | THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE | ||
1770 | 51 | LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS | ||
1771 | 52 | SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING | ||
1772 | 53 | IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA | ||
1773 | 54 | BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN | ||
1774 | 55 | THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT | ||
1775 | 56 | OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR | ||
1776 | 57 | WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH | ||
1777 | 58 | ANY SUCH LICENSES OR RIGHTS. | ||
1778 | 59 | */ | ||
1779 | 60 | /* BRIEF EXAMPLE MSG: | ||
1780 | 61 | <soapenv:Envelope>. | ||
1781 | 62 | <soapenv:Header> | ||
1782 | 63 | [..snip..] | ||
1783 | 64 | <wsse:Security> | ||
1784 | 65 | [..snip..] | ||
1785 | 66 | <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" | ||
1786 | 67 | EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" | ||
1787 | 68 | ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" | ||
1788 | 69 | wsu:Id="CertId-469">[..snip..]</wsse:BinarySecurityToken> | ||
1789 | 70 | [..snip..] | ||
1790 | 71 | <ds:Signature> | ||
1791 | 72 | <ds:SignedInfo> | ||
1792 | 73 | <!-- <ref-id> points to a signed element. Body, Timestamp, To, Action, and MessageId element are expected to be signed--> | ||
1793 | 74 | <ds:Reference URI="#<ref-id>> | ||
1794 | 75 | [..snip..] | ||
1795 | 76 | </ds:Reference> | ||
1796 | 77 | </ds:SignedInfo> | ||
1797 | 78 | <ds:KeyInfo Id="KeyId-374652"> | ||
1798 | 79 | <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22112351"> | ||
1799 | 80 | <!-- this thing points to the wsse:BinarySecurityToken above --> | ||
1800 | 81 | <wsse:Reference URI="#CertId-469" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> | ||
1801 | 82 | </wsse:SecurityTokenReference> | ||
1802 | 83 | </ds:KeyInfo> | ||
1803 | 84 | </ds:Signature> | ||
1804 | 85 | </wsse:Security> | ||
1805 | 86 | </soapenv:Header> | ||
1806 | 87 | <soapenv:Body>...</soapenv:Body> | ||
1807 | 88 | </soapenv:Envelope>. | ||
1808 | 89 | */ | ||
1809 | 90 | |||
1810 | 91 | #include "oxs_axiom.h" | ||
1811 | 92 | #include "oxs_x509_cert.h" | ||
1812 | 93 | #include "oxs_key_mgr.h" | ||
1813 | 94 | #include "rampart_handler_util.h" | ||
1814 | 95 | #include "rampart_sec_processed_result.h" | ||
1815 | 96 | #include "rampart_error.h" | ||
1816 | 97 | #include "axis2_op_ctx.h" | ||
1817 | 98 | #include "rampart_context.h" | ||
1818 | 99 | #include "rampart_constants.h" | ||
1819 | 100 | #include "axis2_addr.h" | ||
1820 | 101 | #include "axiom_util.h" | ||
1821 | 102 | #include "rampart_timestamp_token.h" | ||
1822 | 103 | |||
1823 | 104 | #include <neethi_policy.h> | ||
1824 | 105 | #include <neethi_util.h> | ||
1825 | 106 | #include <axutil_utils.h> | ||
1826 | 107 | #include <axis2_client.h> | ||
1827 | 108 | #include <axis2_stub.h> | ||
1828 | 109 | |||
1829 | 110 | #include "misc.h" /* check_file, logprintf */ | ||
1830 | 111 | #include "euca_axis.h" | ||
1831 | 112 | |||
1832 | 113 | #define NO_U_FAIL(x) do{ \ | ||
1833 | 114 | AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\ | ||
1834 | 115 | AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\ | ||
1835 | 116 | return AXIS2_FAILURE; \ | ||
1836 | 117 | }while(0) | ||
1837 | 118 | |||
1838 | 119 | axis2_status_t __euca_authenticate(const axutil_env_t *env,axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx) | ||
1839 | 120 | { | ||
1840 | 121 | //***** First get the message context before doing anything dumb w/ a NULL pointer *****/ | ||
1841 | 122 | axis2_msg_ctx_t *msg_ctx = NULL; //<--- incoming msg context, it is NULL, see? | ||
1842 | 123 | msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN); | ||
1843 | 124 | |||
1844 | 125 | //***** Print everything from the security results, just for testing now *****// | ||
1845 | 126 | rampart_context_t *rampart_context = NULL; | ||
1846 | 127 | axutil_property_t *property = NULL; | ||
1847 | 128 | |||
1848 | 129 | property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT); | ||
1849 | 130 | if(property) | ||
1850 | 131 | { | ||
1851 | 132 | rampart_context = (rampart_context_t *)axutil_property_get_value(property, env); | ||
1852 | 133 | // AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ======== PRINTING PROCESSED WSSEC TOKENS ======== "); | ||
1853 | 134 | rampart_print_security_processed_results_set(env,msg_ctx); | ||
1854 | 135 | } | ||
1855 | 136 | |||
1856 | 137 | //***** Extract Security Node from header from enveloper from msg_ctx *****// | ||
1857 | 138 | axiom_soap_envelope_t *soap_envelope = NULL; | ||
1858 | 139 | axiom_soap_header_t *soap_header = NULL; | ||
1859 | 140 | axiom_node_t *sec_node = NULL; | ||
1860 | 141 | |||
1861 | 142 | |||
1862 | 143 | soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env); | ||
1863 | 144 | if(!soap_envelope) NO_U_FAIL("SOAP envelope cannot be found."); | ||
1864 | 145 | soap_header = axiom_soap_envelope_get_header(soap_envelope, env); | ||
1865 | 146 | if (!soap_header) NO_U_FAIL("SOAP header cannot be found."); | ||
1866 | 147 | sec_node = rampart_get_security_header(env, msg_ctx, soap_header); // <---- here it is! | ||
1867 | 148 | if(!sec_node)NO_U_FAIL("No node wsse:Security -- required: ws-security"); | ||
1868 | 149 | |||
1869 | 150 | //***** Find the wsse:Reference to the BinarySecurityToken *****// | ||
1870 | 151 | //** Path is: Security/ | ||
1871 | 152 | //** *sec_node must be non-NULL, kkthx **// | ||
1872 | 153 | axiom_node_t *sig_node = NULL; | ||
1873 | 154 | axiom_node_t *key_info_node = NULL; | ||
1874 | 155 | axiom_node_t *sec_token_ref_node = NULL; | ||
1875 | 156 | /** the ds:Signature node **/ | ||
1876 | 157 | sig_node = oxs_axiom_get_first_child_node_by_name(env,sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS ); | ||
1877 | 158 | if(!sig_node)NO_U_FAIL("No node ds:Signature -- required: signature"); | ||
1878 | 159 | /** the ds:KeyInfo **/ | ||
1879 | 160 | key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL ); | ||
1880 | 161 | if(!key_info_node)NO_U_FAIL("No node ds:KeyInfo -- required: signature key"); | ||
1881 | 162 | /** the wsse:SecurityTokenReference **/ | ||
1882 | 163 | sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node,OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL); | ||
1883 | 164 | if(!sec_token_ref_node)NO_U_FAIL("No node wsse:SecurityTokenReference -- required: signing token"); | ||
1884 | 165 | //** in theory this is the branching point for supporting all kinds of tokens -- we only do BST Direct Reference **/ | ||
1885 | 166 | |||
1886 | 167 | //***** Find the wsse:Reference to the BinarySecurityToken *****// | ||
1887 | 168 | //** *sec_token_ref_node must be non-NULL **/ | ||
1888 | 169 | axis2_char_t *ref = NULL; | ||
1889 | 170 | axis2_char_t *ref_id = NULL; | ||
1890 | 171 | axiom_node_t *token_ref_node = NULL; | ||
1891 | 172 | axiom_node_t *bst_node = NULL; | ||
1892 | 173 | /** the wsse:Reference node **/ | ||
1893 | 174 | token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node,OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL); | ||
1894 | 175 | /** pull out the name of the BST node **/ | ||
1895 | 176 | ref = oxs_token_get_reference(env, token_ref_node); | ||
1896 | 177 | ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1); | ||
1897 | 178 | /** get the wsse:BinarySecurityToken used to sign the message **/ | ||
1898 | 179 | bst_node = oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS); | ||
1899 | 180 | if(!bst_node){oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);NO_U_FAIL("Cant find the required node");} | ||
1900 | 181 | |||
1901 | 182 | |||
1902 | 183 | //***** Find the wsse:Reference to the BinarySecurityToken *****// | ||
1903 | 184 | //** *bst_node must be non-NULL **/ | ||
1904 | 185 | axis2_char_t *data = NULL; | ||
1905 | 186 | oxs_x509_cert_t *_cert = NULL; | ||
1906 | 187 | oxs_x509_cert_t *recv_cert = NULL; | ||
1907 | 188 | axis2_char_t *file_name = NULL; | ||
1908 | 189 | axis2_char_t *recv_x509_buf = NULL; | ||
1909 | 190 | axis2_char_t *msg_x509_buf = NULL; | ||
1910 | 191 | |||
1911 | 192 | /** pull out the data from the BST **/ | ||
1912 | 193 | data = oxs_axiom_get_node_content(env, bst_node); | ||
1913 | 194 | /** create an oxs_X509_cert **/ | ||
1914 | 195 | _cert = oxs_key_mgr_load_x509_cert_from_string(env, data); | ||
1915 | 196 | if(_cert) | ||
1916 | 197 | { | ||
1917 | 198 | //***** FINALLY -- we have the certificate used to sign the message. authenticate it HERE *****// | ||
1918 | 199 | msg_x509_buf = oxs_x509_cert_get_data(_cert,env); | ||
1919 | 200 | if(!msg_x509_buf)NO_U_FAIL("OMG WHAT NOW?!"); | ||
1920 | 201 | /* | ||
1921 | 202 | recv_x509_buf = (axis2_char_t *)rampart_context_get_receiver_certificate(rampart_context, env); | ||
1922 | 203 | if(recv_x509_buf) | ||
1923 | 204 | recv_cert = oxs_key_mgr_load_x509_cert_from_string(env, recv_x509_buf); | ||
1924 | 205 | else | ||
1925 | 206 | { | ||
1926 | 207 | file_name = rampart_context_get_receiver_certificate_file(rampart_context, env); | ||
1927 | 208 | if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!"); | ||
1928 | 209 | if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing"); | ||
1929 | 210 | recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name); | ||
1930 | 211 | } | ||
1931 | 212 | */ | ||
1932 | 213 | |||
1933 | 214 | file_name = rampart_context_get_receiver_certificate_file(rampart_context, env); | ||
1934 | 215 | if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!"); | ||
1935 | 216 | if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing"); | ||
1936 | 217 | recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name); | ||
1937 | 218 | |||
1938 | 219 | if (recv_cert) { | ||
1939 | 220 | recv_x509_buf = oxs_x509_cert_get_data(recv_cert,env); | ||
1940 | 221 | } else { | ||
1941 | 222 | NO_U_FAIL("could not populate receiver cert"); | ||
1942 | 223 | } | ||
1943 | 224 | |||
1944 | 225 | if( axutil_strcmp(recv_x509_buf,msg_x509_buf)!=0){ | ||
1945 | 226 | AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Received x509 certificate value ---------" ); | ||
1946 | 227 | AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, msg_x509_buf ); | ||
1947 | 228 | AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Local x509 certificate value! ---------" ); | ||
1948 | 229 | AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, recv_x509_buf ); | ||
1949 | 230 | AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ---------------------------------------------------" ); | ||
1950 | 231 | NO_U_FAIL("The certificate specified is invalid!"); | ||
1951 | 232 | } | ||
1952 | 233 | if(verify_references(sig_node, env, out_msg_ctx, soap_envelope) == AXIS2_FAILURE) { | ||
1953 | 234 | return AXIS2_FAILURE; | ||
1954 | 235 | } | ||
1955 | 236 | |||
1956 | 237 | } | ||
1957 | 238 | else | ||
1958 | 239 | { | ||
1959 | 240 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data); | ||
1960 | 241 | NO_U_FAIL("Failed to build certificate from BinarySecurityToken"); | ||
1961 | 242 | } | ||
1962 | 243 | oxs_x509_cert_free(_cert, env); | ||
1963 | 244 | oxs_x509_cert_free(recv_cert, env); | ||
1964 | 245 | |||
1965 | 246 | return AXIS2_SUCCESS; | ||
1966 | 247 | |||
1967 | 248 | } | ||
1968 | 249 | |||
1969 | 250 | /** | ||
1970 | 251 | * Verifes that Body, Timestamp, To, Action, and MessageId elements are signed and located | ||
1971 | 252 | * where expected by the application logic. Timestamp is checked for expiration regardless | ||
1972 | 253 | * of its actual location. | ||
1973 | 254 | */ | ||
1974 | 255 | axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axiom_soap_envelope_t *envelope) { | ||
1975 | 256 | axiom_node_t *si_node = NULL; | ||
1976 | 257 | axiom_node_t *ref_node = NULL; | ||
1977 | 258 | axis2_status_t status = AXIS2_SUCCESS; | ||
1978 | 259 | |||
1979 | 260 | si_node = oxs_axiom_get_first_child_node_by_name(env,sig_node, OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS); | ||
1980 | 261 | |||
1981 | 262 | if(!si_node) { | ||
1982 | 263 | axis2_char_t *tmp = axiom_node_to_string(sig_node, env); | ||
1983 | 264 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart]sig = %s", tmp); | ||
1984 | 265 | NO_U_FAIL("Couldn't find SignedInfo!"); | ||
1985 | 266 | } | ||
1986 | 267 | |||
1987 | 268 | axutil_qname_t *qname = NULL; | ||
1988 | 269 | axiom_element_t *parent_elem = NULL; | ||
1989 | 270 | axiom_children_qname_iterator_t *qname_iter = NULL; | ||
1990 | 271 | |||
1991 | 272 | parent_elem = axiom_node_get_data_element(si_node, env); | ||
1992 | 273 | if(!parent_elem) | ||
1993 | 274 | { | ||
1994 | 275 | NO_U_FAIL("Could not get Reference elem"); | ||
1995 | 276 | } | ||
1996 | 277 | |||
1997 | 278 | axis2_char_t *ref = NULL; | ||
1998 | 279 | axis2_char_t *ref_id = NULL; | ||
1999 | 280 | axiom_node_t *signed_node = NULL; | ||
2000 | 281 | axiom_node_t *envelope_node = NULL; | ||
2001 | 282 | |||
2002 | 283 | short signed_elems[5] = {0,0,0,0,0}; | ||
2003 | 284 | |||
2004 | 285 | envelope_node = axiom_soap_envelope_get_base_node(envelope, env); | ||
2005 | 286 | |||
2006 | 287 | qname = axutil_qname_create(env, OXS_NODE_REFERENCE, OXS_DSIG_NS, NULL); | ||
2007 | 288 | qname_iter = axiom_element_get_children_with_qname(parent_elem, env, qname, si_node); | ||
2008 | 289 | while (axiom_children_qname_iterator_has_next(qname_iter , env)) { | ||
2009 | 290 | ref_node = axiom_children_qname_iterator_next(qname_iter, env); | ||
2010 | 291 | axis2_char_t *txt = axiom_node_to_string(ref_node, env); | ||
2011 | 292 | |||
2012 | 293 | /* get reference to a signed element */ | ||
2013 | 294 | ref = oxs_token_get_reference(env, ref_node); | ||
2014 | 295 | if(ref == NULL || strlen(ref) == 0 || ref[0] != '#') { | ||
2015 | 296 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unsupported reference ID in %s", txt); | ||
2016 | 297 | status = AXIS2_FAILURE; | ||
2017 | 298 | break; | ||
2018 | 299 | } | ||
2019 | 300 | |||
2020 | 301 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] %s, ref = %s", txt, ref); | ||
2021 | 302 | |||
2022 | 303 | /* get rid of '#' */ | ||
2023 | 304 | ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1); | ||
2024 | 305 | signed_node = oxs_axiom_get_node_by_id(env, envelope_node, OXS_ATTR_ID, ref_id, OXS_WSU_XMLNS); | ||
2025 | 306 | if(!signed_node) { | ||
2026 | 307 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id); | ||
2027 | 308 | status = AXIS2_FAILURE; | ||
2028 | 309 | break; | ||
2029 | 310 | } | ||
2030 | 311 | if(verify_node(signed_node, env, msg_ctx, ref, signed_elems)) { | ||
2031 | 312 | status = AXIS2_FAILURE; | ||
2032 | 313 | break; | ||
2033 | 314 | } | ||
2034 | 315 | } | ||
2035 | 316 | |||
2036 | 317 | |||
2037 | 318 | axutil_qname_free(qname, env); | ||
2038 | 319 | qname = NULL; | ||
2039 | 320 | |||
2040 | 321 | if(status == AXIS2_FAILURE) { | ||
2041 | 322 | NO_U_FAIL("Failed to verify location of signed elements!"); | ||
2042 | 323 | } | ||
2043 | 324 | |||
2044 | 325 | /* This is needed to make sure that all security-critical elements are signed */ | ||
2045 | 326 | for(int i = 0; i < 5; i++) { | ||
2046 | 327 | if(signed_elems[i] == 0) { | ||
2047 | 328 | NO_U_FAIL("Not all required elements are signed"); | ||
2048 | 329 | } | ||
2049 | 330 | } | ||
2050 | 331 | |||
2051 | 332 | return status; | ||
2052 | 333 | |||
2053 | 334 | } | ||
2054 | 335 | |||
2055 | 336 | /** | ||
2056 | 337 | * Verifies XPath location of signed elements. | ||
2057 | 338 | */ | ||
2058 | 339 | int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref, short *signed_elems) { | ||
2059 | 340 | |||
2060 | 341 | if(!axutil_strcmp(OXS_NODE_BODY, axiom_util_get_localname(signed_node, env))) { | ||
2061 | 342 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Body", ref); | ||
2062 | 343 | signed_elems[0] = 1; | ||
2063 | 344 | |||
2064 | 345 | axiom_node_t *parent = axiom_node_get_parent(signed_node,env); | ||
2065 | 346 | if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) { | ||
2066 | 347 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected parent element for Body with ID = %s", ref); | ||
2067 | 348 | return 1; | ||
2068 | 349 | } | ||
2069 | 350 | |||
2070 | 351 | parent = axiom_node_get_parent(parent,env); | ||
2071 | 352 | if(parent) { | ||
2072 | 353 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env)); | ||
2073 | 354 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref); | ||
2074 | 355 | return 1; | ||
2075 | 356 | } | ||
2076 | 357 | |||
2077 | 358 | } else if(!axutil_strcmp(RAMPART_SECURITY_TIMESTAMP, axiom_util_get_localname(signed_node, env))) { | ||
2078 | 359 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Timestamp", ref); | ||
2079 | 360 | signed_elems[1] = 1; | ||
2080 | 361 | |||
2081 | 362 | /* Regardless of the location of the Timestamp, verify the one that is signed */ | ||
2082 | 363 | if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) { | ||
2083 | 364 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref); | ||
2084 | 365 | return 1; | ||
2085 | 366 | } | ||
2086 | 367 | |||
2087 | 368 | } else if(!axutil_strcmp(AXIS2_WSA_ACTION, axiom_util_get_localname(signed_node, env))) { | ||
2088 | 369 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Action", ref); | ||
2089 | 370 | signed_elems[2] = 1; | ||
2090 | 371 | |||
2091 | 372 | if(verify_addr_hdr_elem_loc(signed_node, env, ref)) { | ||
2092 | 373 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Action with ID = %s", ref); | ||
2093 | 374 | return 1; | ||
2094 | 375 | } | ||
2095 | 376 | |||
2096 | 377 | } else if(!axutil_strcmp(AXIS2_WSA_TO, axiom_util_get_localname(signed_node, env))) { | ||
2097 | 378 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is To", ref); | ||
2098 | 379 | signed_elems[3] = 1; | ||
2099 | 380 | |||
2100 | 381 | if(verify_addr_hdr_elem_loc(signed_node, env, ref)) { | ||
2101 | 382 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for To with ID = %s", ref); | ||
2102 | 383 | return 1; | ||
2103 | 384 | } | ||
2104 | 385 | |||
2105 | 386 | |||
2106 | 387 | } else if(!axutil_strcmp(AXIS2_WSA_MESSAGE_ID, axiom_util_get_localname(signed_node, env))) { | ||
2107 | 388 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is MessageId", ref); | ||
2108 | 389 | signed_elems[4] = 1; | ||
2109 | 390 | |||
2110 | 391 | if(verify_addr_hdr_elem_loc(signed_node, env, ref)) { | ||
2111 | 392 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for MessageId with ID = %s", ref); | ||
2112 | 393 | return 1; | ||
2113 | 394 | } | ||
2114 | 395 | |||
2115 | 396 | } else { | ||
2116 | 397 | AXIS2_LOG_WARNING(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is UNKNOWN", ref); | ||
2117 | 398 | } | ||
2118 | 399 | |||
2119 | 400 | return 0; | ||
2120 | 401 | } | ||
2121 | 402 | |||
2122 | 403 | /** | ||
2123 | 404 | * Verify that an addressing element is located in <Envelope>/<Header> | ||
2124 | 405 | */ | ||
2125 | 406 | int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref) { | ||
2126 | 407 | |||
2127 | 408 | axiom_node_t *parent = axiom_node_get_parent(signed_node,env); | ||
2128 | 409 | |||
2129 | 410 | if(axutil_strcmp(OXS_NODE_HEADER, axiom_util_get_localname(parent, env))) { | ||
2130 | 411 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of addressing elem is %s", axiom_node_to_string(parent, env)); | ||
2131 | 412 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref); | ||
2132 | 413 | return 1; | ||
2133 | 414 | |||
2134 | 415 | } | ||
2135 | 416 | parent = axiom_node_get_parent(parent,env); | ||
2136 | 417 | |||
2137 | 418 | if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) { | ||
2138 | 419 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] second parent of addressing elem is %s", axiom_node_to_string(parent, env)); | ||
2139 | 420 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref); | ||
2140 | 421 | return 1; | ||
2141 | 422 | |||
2142 | 423 | } | ||
2143 | 424 | |||
2144 | 425 | parent = axiom_node_get_parent(parent,env); | ||
2145 | 426 | if(parent) { | ||
2146 | 427 | AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env)); | ||
2147 | 428 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref); | ||
2148 | 429 | return 1; | ||
2149 | 430 | } | ||
2150 | 431 | |||
2151 | 432 | return 0; | ||
2152 | 433 | } | ||
2153 | 434 | |||
2154 | 435 | |||
2155 | 436 | int InitWSSEC(axutil_env_t *env, axis2_stub_t *stub, char *policyFile) { | ||
2156 | 437 | axis2_svc_client_t *svc_client = NULL; | ||
2157 | 438 | neethi_policy_t *policy = NULL; | ||
2158 | 439 | axis2_status_t status = AXIS2_FAILURE; | ||
2159 | 440 | |||
2160 | 441 | //return(0); | ||
2161 | 442 | |||
2162 | 443 | svc_client = axis2_stub_get_svc_client(stub, env); | ||
2163 | 444 | if (!svc_client) { | ||
2164 | 445 | logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not get svc_client from stub\n"); | ||
2165 | 446 | return(1); | ||
2166 | 447 | } | ||
2167 | 448 | axis2_svc_client_engage_module(svc_client, env, "rampart"); | ||
2168 | 449 | |||
2169 | 450 | policy = neethi_util_create_policy_from_file(env, policyFile); | ||
2170 | 451 | if (!policy) { | ||
2171 | 452 | logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not initialize policy file %s\n", policyFile); | ||
2172 | 453 | return(1); | ||
2173 | 454 | } | ||
2174 | 455 | status = axis2_svc_client_set_policy(svc_client, env, policy); | ||
2175 | 456 | |||
2176 | 457 | return(0); | ||
2177 | 458 | } | ||
2178 | 459 | |||
2179 | 0 | 460 | ||
2180 | === modified file '.pc/applied-patches' | |||
2181 | --- .pc/applied-patches 2011-09-15 13:35:03 +0000 | |||
2182 | +++ .pc/applied-patches 2011-09-21 09:10:44 +0000 | |||
2183 | @@ -16,3 +16,5 @@ | |||
2184 | 16 | 26-google-collections-1.0-ftbfs.patch | 16 | 26-google-collections-1.0-ftbfs.patch |
2185 | 17 | 27-soap-security.patch | 17 | 27-soap-security.patch |
2186 | 18 | 28-fix-startup-crash.patch | 18 | 28-fix-startup-crash.patch |
2187 | 19 | 29-euca_conf-sslv3.patch | ||
2188 | 20 | 30-clock_drift.patch | ||
2189 | 19 | 21 | ||
2190 | === modified file 'debian/changelog' | |||
2191 | --- debian/changelog 2011-09-15 13:35:03 +0000 | |||
2192 | +++ debian/changelog 2011-09-21 09:10:44 +0000 | |||
2193 | @@ -1,3 +1,16 @@ | |||
2194 | 1 | eucalyptus (2.0.1+bzr1256-0ubuntu8) oneiric; urgency=low | ||
2195 | 2 | |||
2196 | 3 | * Fix compatibility issues with SSLv3 (LP: #851611): | ||
2197 | 4 | - d/patches/29-euca_conf-sslv3.patch: Use --secure-protocol=SSLv3 | ||
2198 | 5 | with wget when communicating with CLC. | ||
2199 | 6 | - d/eucalyptus-cloud.upstart: Use --secure-protocol=SSLv3 with wget | ||
2200 | 7 | when checking for CLC startup complete. | ||
2201 | 8 | * d/patches/30-clock_drift.patch: Resolve issue with rampart blocking | ||
2202 | 9 | communication between CC and NC when time is fractionally in the | ||
2203 | 10 | future (LP: #854946): | ||
2204 | 11 | |||
2205 | 12 | -- James Page <james.page@ubuntu.com> Wed, 21 Sep 2011 09:57:58 +0100 | ||
2206 | 13 | |||
2207 | 1 | eucalyptus (2.0.1+bzr1256-0ubuntu7) oneiric; urgency=low | 14 | eucalyptus (2.0.1+bzr1256-0ubuntu7) oneiric; urgency=low |
2208 | 2 | 15 | ||
2209 | 3 | * d/patches/28-fix-startup-crash.patch: Fix from Graziano Obertelli | 16 | * d/patches/28-fix-startup-crash.patch: Fix from Graziano Obertelli |
2210 | 4 | 17 | ||
2211 | === modified file 'debian/eucalyptus-cloud.upstart' | |||
2212 | --- debian/eucalyptus-cloud.upstart 2010-02-03 19:01:47 +0000 | |||
2213 | +++ debian/eucalyptus-cloud.upstart 2011-09-21 09:10:44 +0000 | |||
2214 | @@ -12,6 +12,7 @@ | |||
2215 | 12 | . /etc/eucalyptus/eucalyptus-ipaddr.conf | 12 | . /etc/eucalyptus/eucalyptus-ipaddr.conf |
2216 | 13 | # Should this check something on :8773 instead? -mdz | 13 | # Should this check something on :8773 instead? -mdz |
2217 | 14 | if wget -q -T10 -t1 -O- --no-check-certificate \ | 14 | if wget -q -T10 -t1 -O- --no-check-certificate \ |
2218 | 15 | --secure-protocol=SSLv3 \ | ||
2219 | 15 | https://$CLOUD_IP_ADDR:8443/register | \ | 16 | https://$CLOUD_IP_ADDR:8443/register | \ |
2220 | 16 | grep CloudVersion; then | 17 | grep CloudVersion; then |
2221 | 17 | 18 | ||
2222 | 18 | 19 | ||
2223 | === added file 'debian/patches/29-euca_conf-sslv3.patch' | |||
2224 | --- debian/patches/29-euca_conf-sslv3.patch 1970-01-01 00:00:00 +0000 | |||
2225 | +++ debian/patches/29-euca_conf-sslv3.patch 2011-09-21 09:10:44 +0000 | |||
2226 | @@ -0,0 +1,18 @@ | |||
2227 | 1 | Description: Force wget to use SSLv3 protocol when talking to CLC | ||
2228 | 2 | otherwise SSL comms failures happen. | ||
2229 | 3 | Origin: https://build.opensuse.org/package/view_file?file=eucalyptus-force-sslv3.patch&package=eucalyptus&project=Virtualization%3ACloud%3AEucalyptus&srcmd5=603fc985140105bd4ed7a079a4dc7258 | ||
2230 | 4 | Forwarded: not-needed | ||
2231 | 5 | |||
2232 | 6 | Index: eucalyptus/tools/euca_conf.in | ||
2233 | 7 | =================================================================== | ||
2234 | 8 | --- eucalyptus.orig/tools/euca_conf.in 2011-09-20 17:03:52.995305737 +0100 | ||
2235 | 9 | +++ eucalyptus/tools/euca_conf.in 2011-09-20 17:05:46.935553670 +0100 | ||
2236 | 10 | @@ -1096,7 +1096,7 @@ | ||
2237 | 11 | done | ||
2238 | 12 | fi | ||
2239 | 13 | |||
2240 | 14 | - CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null" | ||
2241 | 15 | + CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null" | ||
2242 | 16 | elif [ "$SERVICE" = "CC" ]; then | ||
2243 | 17 | CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null" | ||
2244 | 18 | fi | ||
2245 | 0 | 19 | ||
2246 | === added file 'debian/patches/30-clock_drift.patch' | |||
2247 | --- debian/patches/30-clock_drift.patch 1970-01-01 00:00:00 +0000 | |||
2248 | +++ debian/patches/30-clock_drift.patch 2011-09-21 09:10:44 +0000 | |||
2249 | @@ -0,0 +1,38 @@ | |||
2250 | 1 | Author: Graziano Obertelli <graziano@eucalyptus.com> | ||
2251 | 2 | Description: Permit fractional time difference between NC and CC | ||
2252 | 3 | Bug-Ubuntu: http://pad.lv/854946 | ||
2253 | 4 | |||
2254 | 5 | --- a/tools/client-policy-template.xml 2011-03-30 16:44:16 +0000 | ||
2255 | 6 | +++ b/tools/client-policy-template.xml 2011-04-07 22:26:08 +0000 | ||
2256 | 7 | @@ -57,6 +57,7 @@ | ||
2257 | 8 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate> | ||
2258 | 9 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate> | ||
2259 | 10 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey> | ||
2260 | 11 | + <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer> | ||
2261 | 12 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | ||
2262 | 13 | <!-- | ||
2263 | 14 | <rampc:User>CLIENT-USERNAME</rampc:User> | ||
2264 | 15 | |||
2265 | 16 | --- a/tools/service-policy-template.xml 2011-03-30 16:44:16 +0000 | ||
2266 | 17 | +++ b/tools/service-policy-template.xml 2011-04-07 22:26:08 +0000 | ||
2267 | 18 | @@ -60,6 +60,7 @@ | ||
2268 | 19 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate> | ||
2269 | 20 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey> | ||
2270 | 21 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | ||
2271 | 22 | + <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer> | ||
2272 | 23 | </rampc:RampartConfig> | ||
2273 | 24 | </wsp:All> | ||
2274 | 25 | </wsp:ExactlyOne> | ||
2275 | 26 | |||
2276 | 27 | --- a/util/euca_axis.c 2011-03-30 16:44:16 +0000 | ||
2277 | 28 | +++ b/util/euca_axis.c 2011-04-07 22:26:08 +0000 | ||
2278 | 29 | @@ -360,7 +360,7 @@ | ||
2279 | 30 | signed_elems[1] = 1; | ||
2280 | 31 | |||
2281 | 32 | /* Regardless of the location of the Timestamp, verify the one that is signed */ | ||
2282 | 33 | - if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) { | ||
2283 | 34 | + if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) { | ||
2284 | 35 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref); | ||
2285 | 36 | return 1; | ||
2286 | 37 | } | ||
2287 | 38 | |||
2288 | 0 | 39 | ||
2289 | === modified file 'debian/patches/series' | |||
2290 | --- debian/patches/series 2011-09-15 13:35:03 +0000 | |||
2291 | +++ debian/patches/series 2011-09-21 09:10:44 +0000 | |||
2292 | @@ -16,3 +16,5 @@ | |||
2293 | 16 | 26-google-collections-1.0-ftbfs.patch | 16 | 26-google-collections-1.0-ftbfs.patch |
2294 | 17 | 27-soap-security.patch | 17 | 27-soap-security.patch |
2295 | 18 | 28-fix-startup-crash.patch | 18 | 28-fix-startup-crash.patch |
2296 | 19 | 29-euca_conf-sslv3.patch | ||
2297 | 20 | 30-clock_drift.patch | ||
2298 | 19 | 21 | ||
2299 | === modified file 'tools/client-policy-template.xml' | |||
2300 | --- tools/client-policy-template.xml 2011-05-26 10:21:56 +0000 | |||
2301 | +++ tools/client-policy-template.xml 2011-09-21 09:10:44 +0000 | |||
2302 | @@ -57,6 +57,7 @@ | |||
2303 | 57 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate> | 57 | <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate> |
2304 | 58 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate> | 58 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate> |
2305 | 59 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey> | 59 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey> |
2306 | 60 | <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer> | ||
2307 | 60 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | 61 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> |
2308 | 61 | <!-- | 62 | <!-- |
2309 | 62 | <rampc:User>CLIENT-USERNAME</rampc:User> | 63 | <rampc:User>CLIENT-USERNAME</rampc:User> |
2310 | 63 | 64 | ||
2311 | === modified file 'tools/euca_conf.in' | |||
2312 | --- tools/euca_conf.in 2010-09-27 23:41:14 +0000 | |||
2313 | +++ tools/euca_conf.in 2011-09-21 09:10:44 +0000 | |||
2314 | @@ -1096,7 +1096,7 @@ | |||
2315 | 1096 | done | 1096 | done |
2316 | 1097 | fi | 1097 | fi |
2317 | 1098 | 1098 | ||
2319 | 1099 | CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null" | 1099 | CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null" |
2320 | 1100 | elif [ "$SERVICE" = "CC" ]; then | 1100 | elif [ "$SERVICE" = "CC" ]; then |
2321 | 1101 | CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null" | 1101 | CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null" |
2322 | 1102 | fi | 1102 | fi |
2323 | 1103 | 1103 | ||
2324 | === modified file 'tools/service-policy-template.xml' | |||
2325 | --- tools/service-policy-template.xml 2011-05-26 10:21:56 +0000 | |||
2326 | +++ tools/service-policy-template.xml 2011-09-21 09:10:44 +0000 | |||
2327 | @@ -60,6 +60,7 @@ | |||
2328 | 60 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate> | 60 | <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate> |
2329 | 61 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey> | 61 | <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey> |
2330 | 62 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> | 62 | <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> --> |
2331 | 63 | <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer> | ||
2332 | 63 | </rampc:RampartConfig> | 64 | </rampc:RampartConfig> |
2333 | 64 | </wsp:All> | 65 | </wsp:All> |
2334 | 65 | </wsp:ExactlyOne> | 66 | </wsp:ExactlyOne> |
2335 | 66 | 67 | ||
2336 | === modified file 'util/euca_axis.c' | |||
2337 | --- util/euca_axis.c 2011-05-26 10:21:56 +0000 | |||
2338 | +++ util/euca_axis.c 2011-09-21 09:10:44 +0000 | |||
2339 | @@ -360,7 +360,7 @@ | |||
2340 | 360 | signed_elems[1] = 1; | 360 | signed_elems[1] = 1; |
2341 | 361 | 361 | ||
2342 | 362 | /* Regardless of the location of the Timestamp, verify the one that is signed */ | 362 | /* Regardless of the location of the Timestamp, verify the one that is signed */ |
2344 | 363 | if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) { | 363 | if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) { |
2345 | 364 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref); | 364 | oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref); |
2346 | 365 | return 1; | 365 | return 1; |
2347 | 366 | } | 366 | } |