Merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat into lp:ubuntu/oneiric/eucalyptus

Proposed by James Page
Status: Merged
Merged at revision: 182
Proposed branch: lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat
Merge into: lp:ubuntu/oneiric/eucalyptus
Diff against target: 2347 lines (+2232/-2)
14 files modified
.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in (+1555/-0)
.pc/30-clock_drift.patch/tools/client-policy-template.xml (+73/-0)
.pc/30-clock_drift.patch/tools/service-policy-template.xml (+67/-0)
.pc/30-clock_drift.patch/util/euca_axis.c (+459/-0)
.pc/applied-patches (+2/-0)
debian/changelog (+13/-0)
debian/eucalyptus-cloud.upstart (+1/-0)
debian/patches/29-euca_conf-sslv3.patch (+18/-0)
debian/patches/30-clock_drift.patch (+38/-0)
debian/patches/series (+2/-0)
tools/client-policy-template.xml (+1/-0)
tools/euca_conf.in (+1/-1)
tools/service-policy-template.xml (+1/-0)
util/euca_axis.c (+1/-1)
To merge this branch: bzr merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+76258@code.launchpad.net
=== added directory '.pc/29-euca_conf-sslv3.patch'
=== added directory '.pc/29-euca_conf-sslv3.patch/tools'
=== added file '.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in'
--- .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 1970-01-01 00:00:00 +0000
+++ .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 2011-09-21 09:10:44 +0000
@@ -0,0 +1,1555 @@
1#!/bin/bash
2#Copyright (c) 2009 Eucalyptus Systems, Inc.
3#
4#This program is free software: you can redistribute it and/or modify
5#it under the terms of the GNU General Public License as published by
6#the Free Software Foundation, only version 3 of the License.
7#
8#This file is distributed in the hope that it will be useful, but WITHOUT
9#ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10#FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
11#for more details.
12#
13#You should have received a copy of the GNU General Public License along
14#with this program. If not, see <http://www.gnu.org/licenses/>.
15#
16#Please contact Eucalyptus Systems, Inc., 130 Castilian
17#Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/>
18#if you need additional information or have any questions.
19#
20#This file may incorporate work covered under the following copyright and
21#permission notice:
22#
23# Software License Agreement (BSD License)
24#
25# Copyright (c) 2008, Regents of the University of California
26#
27#
28# Redistribution and use of this software in source and binary forms, with
29# or without modification, are permitted provided that the following
30# conditions are met:
31#
32# Redistributions of source code must retain the above copyright notice,
33# this list of conditions and the following disclaimer.
34#
35# Redistributions in binary form must reproduce the above copyright
36# notice, this list of conditions and the following disclaimer in the
37# documentation and/or other materials provided with the distribution.
38#
39# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
40# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
41# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
42# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
43# OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
44# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
45# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
46# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
47# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
48# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
49# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF
50# THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE
51# LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS
52# SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
53# IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA
54# BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN
55# THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT
56# OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR
57# WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH
58# ANY SUCH LICENSES OR RIGHTS.
59#
60#
61#FAKEREG="yes"
62
63FILE="@prefix@/etc/eucalyptus/eucalyptus.local.conf"
64DEFAULTS_FILE="@prefix@/etc/eucalyptus/eucalyptus.conf"
65IMPORTFILE=""
66EUCALYPTUS=""
67CC_PORT=""
68NC_PORT=""
69CLOUD_PORT=""
70CLOUD_SSL_PORT=""
71NAME=""
72INSTANCE=""
73EUCA_USER=""
74HYPERVISOR=""
75DHCPD=""
76DHCP_USER=""
77BRIDGE=""
78NEWNODES=""
79NODEMODE=""
80WALRUS_MODE=""
81SYNC=""
82WALRUS=""
83WALRUS_MODE=""
84CLUSNAME=""
85NEWCLUS=""
86CLUSMODE=""
87UPGRADE_CONF=""
88SETUP=""
89VERSION=""
90CHECK=""
91TOSYNC=""
92TO_BACKUP="Y"
93CREDENTIALZIPFILE=""
94SCP="`which scp 2> /dev/null`"
95SCP_OPT=""
96RSYNC="`which rsync 2> /dev/null`"
97LOCALSYNC="N"
98WGET="`which wget 2> /dev/null`"
99VERBOSE="N"
100LIST=""
101ENABLED=""
102DISABLED=""
103TO_START=""
104
105
106usage () {
107 echo "$0 [options] [<file>]"
108 echo
109 echo "where <file> is the configuration file ($FILE by default)"
110 echo " --help this message"
111 echo " -d <dir> point EUCALYPTUS to <dir>"
112 echo " --no-rsync don't use rsync"
113 echo " --no-scp don't use scp"
114 echo " --skip-scp-hostcheck skip scp interactive host keycheck"
115 echo " --local-sync force local key sync"
116 echo " --get-credentials <zipfile> download credentials to <zipfile>"
117 echo " --register-nodes \"host host ...\" add new nodes to EUCALYPTUS"
118 echo " --discover-nodes find and add nodes on local network"
119 echo " --deregister-nodes \"host host ...\" remove nodes from EUCALYPTUS"
120 echo " --register-cluster <clustername> <host> add new cluster to EUCALYPTUS"
121 echo " --deregister-cluster <clustername> remove cluster from EUCALYPTUS"
122 echo " --register-walrus <host> add walrus to EUCALYPTUS"
123 echo " --deregister-walrus <host> remove walrus from EUCALYPTUS"
124 echo " --register-sc <clustername> <host> add storage controller"
125 echo " --deregister-sc <clustername> remove storage controller from EUCALYPTUS"
126 echo " --list-walruses list registered walrus(es)"
127 echo " --list-clusters list registered CCs"
128 echo " --list-nodes list registered NCs"
129 echo " --list-scs list registered SCs"
130 echo " --no-sync used only with --register-* to skip syncing keys"
131 echo " --cc-port <port> set CC port"
132 echo " --nc-port <port> set NC port"
133 echo " --instances <path> set the INSTANCE path"
134# echo " --cloud-port <port1> <port2> set the 2 cloud ports"
135 echo " --hypervisor <kvm|xen> set hypervisor to use"
136 echo " --user <euca_user> set the user to use"
137 echo " --dhcpd <dhcpd> set the dhcpd binary to <name>"
138 echo " --dhcp_user <user> set the username to run dhcpd as"
139 echo " --name <var> returns the value or <name>"
140 echo " --import-conf <file> import variables from <file> into $FILE"
141 echo " --setup perform initial setup"
142 echo " --enable {cloud|walrus|sc} enable service at next start"
143 echo " --disable {cloud|walrus|sc} disable service at next start"
144 echo " --check {nc|cc|cloud|sc|walrus} pre-flight checks"
145# echo " --sync {nc|cc|cloud|sc|walrus} pre-flight checks"
146 echo " --version eucalyptus version"
147 echo
148}
149
150# utility function to make a copy of the conf file
151check_and_backup () {
152 # can we write to the configuration file?
153 if [ ! -w $1 ]; then
154 echo "Cannot write to $1!"
155 exit 1
156 fi
157
158 # let's see if we need a copy
159 if [ "$TO_BACKUP" = "Y" ]; then
160 cp $1 $1.bak
161 TO_BACKUP="N"
162 fi
163}
164
165# 3 paramenter: the file, the variable name, the new value
166change_var_value () {
167 check_and_backup $1
168 sed -i "s<^[[:blank:]#]*\(${2}\).*<\1=\"${3}\"<" $1
169}
170# comment lines matching $2 ($1 is the file)
171comment () {
172 check_and_backup $1
173 sed -i "s<^[[:blank:]]*\(${2}.*\)<#\1<" $1
174}
175# comment lines matching $2 ($1 is the file)
176uncomment () {
177 check_and_backup $1
178 sed -i "s<^[#[:blank:]]*\(${2}.*\)<\1<" $1
179}
180
181check_heartbeat() {
182 local __host="$1"
183 local __service="$2"
184 local ret=""
185
186 # checks
187 if [ -z "$__host" -o -z "$__service" ]; then
188 echo "check_heartbeat: need a host and a service!"
189 return 1
190 fi
191 if [ -z "$WGET" -o ! -x "$WGET" ]; then
192 echo "ERROR: wget is missing, cannot continue."
193 return 1
194 fi
195
196 # let's talk to the host and check if something is running
197 ret="`$WGET -q -T 10 -t 1 -O - http://${__host}:8773/services/Heartbeat`"
198 if [ "$?" != "0" -o -z "$ret" ]; then
199 return 1
200 fi
201
202 # we need both ehabled and local to be true
203 if ! echo $ret |grep "enabled=true" > /dev/null ; then
204 return 1
205 elif ! echo $ret |grep "local=true" > /dev/null ; then
206 return 1
207 fi
208
209 return 0
210}
211
212check_ws() {
213 local URL="$1"
214 local ret=""
215 local soap_error=""
216
217 if [ -z "$URL" ]; then
218 echo "check_ws: need a URL!"
219 return 1
220 fi
221
222 if [ -n "${FAKEREG}" ]; then
223 ret=""
224 elif [ "$2" != "" ]; then
225 if [ "$VERBOSE" = "Y" ]; then
226 echo "$WGET -q -T 10 -t 1 -O - \"$URL\"" "|sed 's/<euca:registered>\\(.*\\)<\\/euca:registered>/\\n\\1\\n/g;s/<euca:name>/\\n>/g;s/<\\/*euca:item>//g;s/<\\/*euca:[^>]*>/ /g'|awk -F\">\" '/>/{print \" \"$2}')"
227 fi
228 E=$($WGET -q -T 10 -t 1 -O - "$URL"|\
229 sed 's/<euca:registered>\(.*\)<\/euca:registered>/\n\1\n/g;s/<euca:name>/\n>/g;s/<\/*euca:item>//g;s/<\/*euca:[^>]*>/ /g'|\
230 awk -F">" '/>/{print " "$2}')
231 eval "$2=\"${E}\""
232 else
233 if [ "$VERBOSE" = "Y" ]; then
234 echo "$WGET -q -T 10 -t 1 -O - \"$URL\" |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'"
235 fi
236 soap_error="`$WGET -q -T 10 -t 1 -O - \"$URL\"`"
237 ret="$?"
238 soap_error="`echo $soap_error |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'`"
239 if test -n "$soap_error" ; then
240 echo $soap_error
241 ret="1"
242 fi
243 fi
244 return $ret
245}
246
247component_sync_keys() {
248 local COMPONENT=""
249 local NAME=""
250
251 if [ "$SYNC" = "N" ]; then
252 return 0
253 fi
254
255 if [ $# -lt 1 ]; then
256 return 1
257 fi
258
259 COMPONENT="$1"
260 shift
261 NAME="$2"
262 shift
263
264 if [ "$COMPONENT" = "walrus" ]; then
265 echo "syncing walrus"
266 elif [ "$COMPONENT" = "cc" ]; then
267 echo "syncing cc($NAME)"
268 elif [ "$COMPONENT" = "sc" ]; then
269 echo "syncing sc($NAME)"
270 elif [ "$COMPONENT" = "nc" ]; then
271 echo "syncing nc"
272 fi
273
274
275}
276
277# copy files over.
278sync_keys() {
279 local DESTDIR=""
280 local REMOTE=""
281 local FILES=""
282 local FILE=""
283
284 if [ "$SYNC" = "N" ]; then
285 return 0
286 fi
287
288 if [ $# -lt 4 ]; then
289 return 1
290 fi
291
292 SOURCEDIRS="$1"
293 shift
294 DESTDIR="$1"
295 shift
296 REMOTE="$1"
297 shift
298 while [ $# -ge 1 ]; do
299 FILE=""
300 for sd in `echo $SOURCEDIRS | sed "s/,/ /g"`
301 do
302 if [ -e "${sd}/${1}" ]; then
303 FILE="${sd}/${1}"
304 fi
305 done
306 if [ "$FILE" = "" ]; then
307 echo "Warning: cannot file file ${1} in ${SOURCEDIRS}"
308 else
309 FILES="$FILES $FILE"
310 fi
311
312 shift
313 done
314
315 # is REMOTE actually localhost?
316 if [ ${LOCALSYNC} = "Y" -o ${REMOTE} = "127.0.0.1" -o ${REMOTE} = localhost -o ${REMOTE} = "`hostname -s`" -o ${REMOTE} = "`hostname -f`" ]; then
317 # machine is localhost, not need for remote syncing
318 for i in $FILES
319 do
320 if [ ! -e $i ]; then
321 echo "ERROR: cannot find cluster credentials."
322 exit 1
323 else
324 if ! $RSYNC -a $i $DESTDIR ; then
325 echo "ERROR: cannot copy file (${i}) to destination (${DESTDIR})"
326 return 1
327 fi
328 fi
329 done
330 return 0
331 fi
332
333 # try rsync first
334 if [ -n "$RSYNC" ]; then
335 echo
336 echo -n "Trying rsync to sync keys with \"${REMOTE}\"..."
337 [ -z "${RSYNC_RSH}" ] && RSYNC_RSH="ssh"
338 if sudo -u ${EUCA_USER} ${RSYNC} --rsh "${RSYNC_RSH}" -az ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR}/ > /dev/null ; then
339 echo "done."
340 return 0
341 else
342 echo "failed."
343 fi
344 fi
345
346 # scp next
347 if [ -n "$SCP" ]; then
348 echo
349 if [ "$EUCA_USER" = "" ]; then
350 if getent passwd eucalyptus > /dev/null ; then
351 echo "Using 'eucalyptus' as EUCA_USER"
352 EUCA_USER="eucalyptus"
353 else
354 echo "EUCA_USER is not defined!"
355 return 1
356 fi
357 fi
358 echo
359 echo "Trying scp to sync keys to: ${EUCA_USER}@${REMOTE}:${DESTDIR}..."
360 if [ "$EUID" = `getent passwd $EUCA_USER | cut -f3 -d:` ]; then
361 $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null
362 else
363 sudo -u ${EUCA_USER} $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null
364 fi
365 if [ "$?" = "0" ]; then
366 echo "done."
367 return 0
368 else
369 echo "failed."
370 fi
371 fi
372
373 return 1
374}
375
376xsearch() {
377 local needle="$1" i="" haystack=" "
378 shift
379 for i in "$@"; do
380 haystack="${haystack}$(printf "%s" "$i" | tr '\n' ' ') "
381 done
382 [ "${haystack#* ${needle} }" != "${haystack}" ]
383}
384
385if [ $# -eq 0 ]; then
386 usage
387 exit 1
388fi
389
390# let's parse the command line
391while [ $# -gt 0 ]; do
392 if [ "$1" = "-h" -o "$1" = "-help" -o "$1" = "?" -o "$1" = "--help" ]; then
393 usage
394 exit 1
395 fi
396
397 if [ "$1" = "-synckeys" -o "$1" = "-synckey" ]; then
398 NODEMODE="SYNC"
399 shift
400 continue
401 fi
402 if [ "$1" = "-norsync" -o "$1" = "--no-rsync" ]; then
403 RSYNC=""
404 shift
405 continue
406 fi
407 if [ "$1" = "--local-sync" ]; then
408 LOCALSYNC="Y"
409 shift
410 continue
411 fi
412 if [ "$1" = "--list-scs" ]; then
413 LIST="$LIST storages"
414 shift
415 continue
416 fi
417 if [ "$1" = "--list-walruses" ]; then
418 LIST="$LIST walruses"
419 shift
420 continue
421 fi
422 if [ "$1" = "--list-clusters" ]; then
423 LIST="$LIST clusters"
424 shift
425 continue
426 fi
427 if [ "$1" = "--list-nodes" ]; then
428 LIST="$LIST nodes"
429 shift
430 continue
431 fi
432 if [ "$1" = "--verbose" ]; then
433 VERBOSE="Y"
434 shift
435 continue
436 fi
437 if [ "$1" = "-noscp" -o "$1" = "--no-scp" ]; then
438 SCP=""
439 shift
440 continue
441 fi
442 if [ "$1" = "--skip-scp-hostcheck" ]; then
443 SCP_OPT="-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null"
444 shift
445 continue
446 fi
447 if [ "$1" = "-version" -o "$1" = "--version" ]; then
448 VERSION="Y"
449 shift
450 continue
451 fi
452 if [ "$1" = "-setup" -o "$1" = "--setup" ]; then
453 SETUP="Y"
454 shift
455 continue
456 fi
457 if [ "$1" = "--no-sync" ]; then
458 SYNC="N"
459 shift
460 continue
461 fi
462 if [ "$1" = "--deregister-walrus" ]; then
463 WALRUS_MODE="DEL"
464 shift
465 continue
466 fi
467 if [ "$1" = "--discover-nodes" ]; then
468 NODEMODE="DISCOVER"
469 RSYNC_RSH="ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null"
470 shift
471 continue
472 fi
473 if [ $# -eq 1 ]; then
474 # we dont have options with no argument, so it has to be
475 # the file
476 FILE="$1"
477 if [ "${FILE:0:1}" = '-' ]; then
478 usage
479 exit 1
480 fi
481 break
482 fi
483
484 # all other parameters requires at least 1 argument
485 if [ $# -lt 2 ]; then
486 usage
487 exit 1
488 fi
489
490 # old command line options not used anylonger
491 if [ "$1" = "-cc" -o "$1" = "-nc" -o "$1" = "-cloud" ]; then
492 echo "-cc, -nc and -cloud are not used anymore"
493 shift; shift;
494 continue
495 fi
496
497 if [ "$1" = "-d" ]; then
498 if [ ! -d "${2}" ]; then
499 echo "Is $2 where Eucalyptus is installed?"
500 exit 1
501 fi
502 EUCALYPTUS="${2}"
503 shift; shift
504 continue
505 fi
506 if [ "$1" = "-name" -o "$1" = "--name" ]; then
507 NAME="$NAME $2"
508 shift; shift
509 continue
510 fi
511 if [ "$1" = "-bridge" ]; then
512 BRIDGE="$2"
513 shift; shift
514 continue
515 fi
516 if [ "$1" = "-upgrade-conf" -o "$1" = "--upgrade-conf" ]; then
517 # hidden options to upgrade from an older version
518 UPGRADE_CONF="$2"
519 if [ ! -e "$UPGRADE_CONF" ]; then
520 echo "Cannot read $UPGRADE_CONF"
521 exit 1
522 fi
523 shift; shift
524 continue
525 fi
526 if [ "$1" = "-import-conf" -o "$1" = "--import-conf" ]; then
527 IMPORTFILE="$2"
528 if [ ! -e "$IMPORTFILE" ]; then
529 echo "Cannot read $IMPORTFILE"
530 exit 1
531 fi
532 shift; shift
533 continue
534 fi
535 if [ "$1" = "-dhcpd" -o "$1" = "--dhcpd" ]; then
536 DHCPD="$2"
537 shift; shift
538 continue
539 fi
540 if [ "$1" = "-dhcp_user" -o "$1" = "--dhcp_user" ]; then
541 DHCPC_USER="$2"
542 shift; shift
543 continue
544 fi
545 if [ "$1" = "-nodes" ]; then
546 NODES="${2}"
547 shift; shift
548 continue
549 fi
550 if [ "$1" = "-ccp" -o "$1" = "--cc-port" ]; then
551 CC_PORT="$2"
552 shift; shift
553 continue
554 fi
555 if [ "$1" = "-ncp" -o "$1" = "--nc-port" ]; then
556 NC_PORT="$2"
557 shift; shift
558 continue
559 fi
560 if [ "$1" = "-instances" -o "$1" = "--instances" ]; then
561 INSTANCE="$2"
562 shift; shift
563 continue
564 fi
565 if [ "$1" = "-user" -o "$1" = "--user" ]; then
566 EUCA_USER="$2"
567 shift; shift
568 continue
569 fi
570 if [ "$1" = "-hypervisor" -o "$1" = "--hypervisor" ]; then
571 if [ "$2" != "xen" -a "$2" != "kvm" ]; then
572 echo "Only kvm or xen are supported at the moment"
573 exit 1
574 fi
575 HYPERVISOR="$2"
576 shift; shift
577 continue
578 fi
579 if [ "$1" = "-cloudp" ]; then
580 if [ $# -lt 3 ]; then
581 echo "We need 2 ports for cloud controller"
582 exit 1
583 fi
584# doesn't work right now
585# CLOUD_PORT="$2"
586# CLOUD_SSL_PORT="$3"
587 shift; shift; shift
588 continue
589 fi
590 if [ "$1" = "--get-credentials" ]; then
591 CREDENTIALZIPFILE="${2}"
592 shift; shift;
593 continue
594 fi
595 if [ "$1" = "-addnode" -o "$1" = "--register-nodes" ]; then
596 NEWNODES="${2}"
597 NODEMODE="ADD"
598 shift; shift
599 continue
600 fi
601 if [ "$1" = "-delnode" -o "$1" = "--deregister-nodes" ]; then
602 NEWNODES="${2}"
603 NODEMODE="REM"
604 shift; shift
605 continue
606 fi
607 if [ "$1" = "--register-walrus" ]; then
608 WALRUS_MODE="ADD"
609 WALRUS="$2"
610 shift; shift
611 continue
612 fi
613 if [ "$1" = "--deregister-sc" ]; then
614 SC_MODE="DEL"
615 SCNAME="$2"
616 shift; shift
617 continue
618 fi
619 if [ "$1" = "--register-sc" ]; then
620 if [ $# -lt 3 ]; then
621 echo "--register-sc requires a CC and a hostname"
622 exit 1
623 fi
624 SC_MODE="ADD"
625 SCNAME="$2"
626 SCHOST="$3"
627 shift; shift; shift
628 continue
629 fi
630 if [ "$1" = "-addcluster" -o "$1" = "--register-cluster" ]; then
631 if [ $# -lt 3 ]; then
632 echo "--register-cluster requires a user assigned name and CC hostname"
633 exit 1
634 fi
635 CLUSNAME="$2"
636 NEWCLUS="$3"
637 CLUSMODE="ADD"
638 shift; shift; shift
639 continue
640 fi
641 if [ "$1" = "--deregister-cluster" ]; then
642 CLUSNAME="$2"
643 CLUSMODE="DEL"
644 shift; shift
645 continue
646 fi
647 if [ "$1" = "-check" -o "$1" = "--check" ]; then
648 if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then
649 echo "-check requires cc, nc, sc, walrus or cloud"
650 exit 1
651 fi
652 CHECK="$2"
653 shift; shift
654 continue
655 fi
656 if [ "$1" = "--enable" ]; then
657 if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then
658 echo "--enable requires cloud, sc or walrus"
659 exit 1
660 fi
661 ENABLED="$ENABLED $2"
662 shift; shift
663 continue
664 fi
665 if [ "$1" = "--disable" ]; then
666 if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then
667 echo "--disable requires cloud, sc or walrus"
668 exit 1
669 fi
670 DISABLED="$DISABLED $2"
671 shift; shift
672 continue
673 fi
674 if [ "$1" = "-sync" -o "$1" = "--sync" ]; then
675 if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then
676 echo "-sync requires cc, nc, sc, walrus or cloud"
677 exit 1
678 fi
679 TOSYNC="$2"
680 shift; shift
681 continue
682 fi
683 usage
684 exit 1
685done
686
687if [ -z "${FILE}" -o ! -f "${FILE}" ]; then
688 echo "$FILE is not a valid eucalyptus configuration file"
689 exit 1
690fi
691
692# if asked to print the version that's all we do
693if [ "$VERSION" = "Y" ]; then
694 . $DEFAULTS_FILE
695 . $FILE
696
697 if [ -e $EUCALYPTUS/etc/eucalyptus/eucalyptus-version ]; then
698 VERSION="$EUCALYPTUS/etc/eucalyptus/eucalyptus-version"
699 elif [ -e @prefix@/etc/eucalyptus/eucalyptus-version ]; then
700 VERSION="@prefix@/etc/eucalyptus/eucalyptus-version"
701 fi
702 if [ -n "$VERSION" ]; then
703 echo -n "Eucalyptus version: "
704 cat $VERSION
705 else
706 echo "Cannot find eucalyptus installation!"
707 exit 1
708 fi
709 exit 0
710fi
711
712# let's change the value
713if [ -n "$EUCALYPTUS" ]; then
714 change_var_value $FILE EUCALYPTUS "${EUCALYPTUS}"
715fi
716if [ -n "$CC_PORT" ]; then
717 change_var_value $FILE CC_PORT "${CC_PORT}"
718fi
719if [ -n "$NC_PORT" ]; then
720 change_var_value $FILE NC_PORT "${NC_PORT}"
721fi
722if [ -n "$CLOUD_PORT" ]; then
723 change_var_value $FILE CLOUD_PORT "${CLOUD_PORT}"
724fi
725if [ -n "$CLOUD_SSL_PORT" ]; then
726 change_var_value $FILE CLOUD_SSL_PORT "${CLOUD_SSL_PORT}"
727fi
728if [ -n "$INSTANCE" ]; then
729 change_var_value $FILE INSTANCE_PATH "${INSTANCE}"
730fi
731if [ -n "$DHCPD" ]; then
732 change_var_value $FILE VNET_DHCPDAEMON "${DHCPD}"
733fi
734if [ -n "$DHCPC_USER" ]; then
735 change_var_value $FILE VNET_DHCPUSER "${DHCPC_USER}"
736 uncomment $FILE VNET_DHCPUSER
737fi
738if [ -n "$NODES" ]; then
739 change_var_value $FILE NODES "${NODES}"
740fi
741if [ -n "$HYPERVISOR" ]; then
742 change_var_value $FILE HYPERVISOR "${HYPERVISOR}"
743 uncomment $FILE HYPERVISOR
744fi
745if [ -n "$BRIDGE" ]; then
746 change_var_value $FILE VNET_BRIDGE "${BRIDGE}"
747 uncomment $FILE VNET_BRIDGE
748fi
749if [ -n "$EUCA_USER" ]; then
750 ID="`which id 2> /dev/null`"
751 if [ -n "$ID" ]; then
752 if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
753 echo "WARNING: $EUCA_USER doesn't exists!"
754 fi
755 fi
756 change_var_value $FILE EUCA_USER "${EUCA_USER}"
757fi
758for x in $NAME ; do
759 VALUE=`cat $FILE |grep $x|cut -f 2 -d =|tr '"' ' '`
760 echo "$x=$VALUE"
761done
762
763# modify the current conf file based on an older configuration, or from import file
764if [ -n "$UPGRADE_CONF" -o -n "$IMPORTFILE" ]; then
765 VARS="EUCA_USER ENABLE_WS_SECURITY DISABLE_EBS HYPERVISOR LOGLEVEL SWAP_SIZE CC_PORT MANUAL_INSTANCES_CLEANUP NC_CACHE_SIZE SCHEDPOLICY NODES NC_SERVICE NC_PORT MAX_MEM MAX_CORES INSTANCE_PATH VNET_BRIDGE VNET_DHCPDAEMON VNET_DHCPUSER VNET_PRIVINTERFACE VNET_PUBINTERFACE VNET_INTERFACE DISABLE_TUNNELING DISABLE_DNS POWER_IDLETHRESH POWER_WAKETHRESH CONCURRENT_DISK_OPS"
766 VNET_VARS="VNET_MODE VNET_SUBNET VNET_NETMASK VNET_DNS VNET_ADDRSPERNET VNET_PUBLICIPS VNET_BROADCAST VNET_ROUTER VNET_MACMAP VNET_CLOUDIP VNET_LOCALIP"
767
768 if [ -n "$UPGRADE_CONF" ]; then
769 # source the old config
770 VARS_TO_DO=$VARS
771 VNET_VARS_TO_DO=$VNET_VARS
772 . $UPGRADE_CONF
773 elif [ -n "$IMPORTFILE" ]; then
774 VARS_TO_DO=""
775 VNET_VARS_TO_DO=""
776 . $IMPORTFILE
777 for i in $VNET_VARS
778 do
779 VAL="$(echo \$${i})"
780 eval VAL=$VAL
781 if [ -n "$VAL" ]; then
782 VNET_VARS_TO_DO="$VNET_VARS_TO_DO $i"
783 fi
784 done
785 fi
786
787 # let's start from no network
788 for x in $VNET_VARS_TO_DO ; do
789 comment $FILE $x
790 done
791
792 # modified the defined variables
793 for x in $VARS_TO_DO ; do
794 y="$(echo \$${x})"
795 eval y="$y"
796 if [ -z "$y" ]; then
797 # we just leave NODES uncommented even if it's empty
798 if [ "$x" != "NODES" ]; then
799 comment $FILE $x
800 fi
801 else
802 uncomment $FILE $x
803 change_var_value $FILE $x "${y}"
804 fi
805 done
806 # and add the network variables
807 echo >> $FILE
808 echo "# network configuration from the input configuration file" >> $FILE
809 for x in $VNET_VARS_TO_DO ; do
810 y="$(echo \$${x})"
811 eval y="$y"
812 if [ -n "$y" ]; then
813 if [ "$x" = "VNET_INTERFACE" ]; then
814 change_var_value $FILE VNET_PRIVINTERFACE "${y}"
815 change_var_value $FILE VNET_PUBINTERFACE "${y}"
816 else
817 echo "$x=\"${y}\"" >> $FILE
818 fi
819 fi
820 done
821fi
822
823# we may need the location of the ssh key for eucalyptus
824EUCA_HOME="`getent passwd eucalyptus|cut -f 6 -d ':'`"
825if [ -f "${EUCA_HOME}/.ssh/id_rsa.pub" ]; then
826 SSHKEY=`cat ${EUCA_HOME}/.ssh/id_rsa.pub`
827else
828 SSHKEY=""
829fi
830
831# we need defaults in eucalyptus.conf
832. $DEFAULTS_FILE
833. $FILE
834# get node from nodes.list if it exists
835if [ -e "$EUCALYPTUS/var/lib/eucalyptus/nodes.list" ]; then
836 NODES=`cat $EUCALYPTUS/var/lib/eucalyptus/nodes.list`
837fi
838
839# first time setup
840if [ -n "$SETUP" ]; then
841 ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap"
842
843 # first of all setup euca_rootwrap
844 if [ ! -x "$ROOTWRAP" ]; then
845 echo "Cannot find $ROOTWRAP (or not readable)!"
846 exit 1
847 fi
848 # get EUCA group
849 if [ -z "$EUCA_USER" ]; then
850 echo "Is EUCA_USER defined?"
851 exit 1
852 fi
853 # if running as root no need to do anything
854 if [ "$EUCA_USER" != "root" ]; then
855 ID="`which id 2> /dev/null`"
856 if [ -z "$ID" ]; then
857 echo "Cannot find command $ID"
858 exit 1
859 fi
860 if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
861 echo "User $EUCA_USER doesn't exists!"
862 exit 1
863 fi
864 EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`"
865 if [ -z "$EUCA_GROUP" ]; then
866 echo "Cannot detect $EUCA_USER group"
867 exit 1
868 fi
869 if ! chown root:$EUCA_GROUP $ROOTWRAP ; then
870 exit 1
871 fi
872 if ! chmod 4750 $ROOTWRAP ; then
873 exit 1
874 fi
875 fi
876
877 # let's create the instance path
878 if [ -n "$INSTANCE_PATH" -a "$INSTANCE_PATH" != "not_configured" -a ! -d "$INSTANCE_PATH" ]; then
879 if ! mkdir -p $INSTANCE_PATH ; then
880 echo "Failed to create instance path!"
881 exit 1
882 fi
883 if ! chown $EUCA_USER:$EUCA_GROUP $INSTANCE_PATH ; then
884 exit 1
885 fi
886 fi
887
888 chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus
889 ret=$?
890 chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/log/eucalyptus
891 let $((ret += $?))
892 chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus
893 let $((ret += $?))
894 chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/etc/eucalyptus/eucalyptus.conf
895 let $((ret += $?))
896
897 # let's create more needed directory with the right permissions
898 mkdir -p $EUCALYPTUS/var/lib/eucalyptus/db
899 let $((ret += $?))
900 chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/db
901 let $((ret += $?))
902 chmod 700 $EUCALYPTUS/var/lib/eucalyptus/db
903 let $((ret += $?))
904 mkdir -p $EUCALYPTUS/var/lib/eucalyptus/keys
905 let $((ret += $?))
906 chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/keys
907 let $((ret += $?))
908 chmod 700 $EUCALYPTUS/var/lib/eucalyptus/keys
909 let $((ret += $?))
910 mkdir -p $EUCALYPTUS/var/lib/eucalyptus/CC
911 let $((ret += $?))
912 chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/CC
913 let $((ret += $?))
914 chmod 700 $EUCALYPTUS/var/lib/eucalyptus/CC
915 let $((ret += $?))
916
917 exit $ret
918fi
919
920if [ -n "$TOSYNC" ]; then
921 echo "not implemented"
922fi
923
924# pre-flight checks
925if [ -n "$CHECK" ]; then
926 ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap"
927
928 # vblade and aoe may be needed
929 if [ "$DISABLE_EBS" != "Y" -a "$DISABLE_EBS" != "y" ]; then
930 if [ "$CHECK" = "sc" ]; then
931 VBLADE="`which vblade 2> /dev/null`"
932 if [ -z "$VBLADE" ]; then
933 echo
934 echo "ERROR: EBS is enabled and vblade was not found"
935 exit 1
936 fi
937 fi
938 fi
939
940 # first of all check euca_rootwrap
941 if [ ! -x $ROOTWRAP ]; then
942 echo "Cannot find euca_rootwrap!"
943 exit 1
944 fi
945 # get EUCA group
946 if [ -z "$EUCA_USER" ]; then
947 echo "Running eucalyptus as root"
948 EUCA_USER="root"
949 EUCA_GROUP="root"
950 fi
951 # if running as root no need to do anything
952 if [ "$EUCA_USER" != "root" ]; then
953 ID="`which id 2> /dev/null`"
954 if [ -z "$ID" ]; then
955 echo "Cannot find command id"
956 exit 1
957 fi
958 if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
959 echo "User $EUCA_USER doesn't exists!"
960 exit 1
961 fi
962 EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`"
963 if [ -z "$EUCA_GROUP" ]; then
964 echo "Cannot detect $EUCA_USER group: using $EUCA_USER"
965 exit 1
966 fi
967 # need to check if euca_rootwrap can run as EUCA_USER
968 TEST_EUID="`sudo -u $EUCA_USER $ROOTWRAP $ID -u`"
969 if [ "$?" != "0" -o "$TEST_EUID" != "0" ]; then
970 echo "Problem running $ROOTWRAP! Did you run euca_conf -setup?"
971 exit 1
972 fi
973 fi
974
975 # let's be sure we have the INSTANCE_PATH
976 if [ "$CHECK" = "nc" ]; then
977 if [ -z "$INSTANCE_PATH" ]; then
978 echo "INSTANCE_PATH is not defined"
979 exit 1
980 fi
981 if [ ! -d "$INSTANCE_PATH" ]; then
982 echo "$INSTANCE_PATH doesn't exist: did you run euca_conf -setup?"
983 exit 1
984 fi
985 fi
986
987 # let's set up directories which could disappears if /var/run is
988 # in memory
989 if [ ! -d $EUCALYPTUS/var/run/eucalyptus ]; then
990 if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus ; then
991 # error should come from mkdir
992 exit 1
993 fi
994 fi
995 if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus ; then
996 # error should come from chown
997 exit 1
998 fi
999
1000
1001 if [ "$CHECK" = "cc" ]; then
1002 if [ ! -d $EUCALYPTUS/var/run/eucalyptus/net ]; then
1003 if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus/net ; then
1004 # error should come from mkdir
1005 exit 1
1006 fi
1007 fi
1008 if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus/net ; then
1009 # error should come from chown
1010 exit 1
1011 fi
1012 fi
1013 # good to go
1014 exit 0
1015fi
1016
1017createCloudURL () {
1018 if ! getSecretKey; then
1019 echo "ERROR: cannot get credentials"
1020 return 1
1021 fi
1022 ARGS="AWSAccessKeyId=$AKEY"
1023 KEY=$1
1024 shift
1025 VAL=$1
1026 shift
1027 while ( test -n "$KEY" -a -n "$VAL")
1028 do
1029 ARGS="${ARGS}&${KEY}=${VAL}"
1030 KEY=$1
1031 shift
1032 VAL=$1
1033 shift
1034 done
1035 if [ -z "$SKEY" ]; then
1036 echo "ERROR: SKEY parameter is not set."
1037 export URL=""
1038 return 1
1039 fi
1040 ARGS="${ARGS}&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=$(date -u '+%Y-%m-%dT%H%%3A%M%%3A%S.000Z')&Version=eucalyptus"
1041 SIGNATURE=$(echo -en "GET\n127.0.0.1\n/services/Configuration\n${ARGS}" | openssl dgst -sha256 -hmac ${SKEY} -binary | openssl base64)
1042 export URL="http://127.0.0.1:8773/services/Configuration?${ARGS}&Signature=${SIGNATURE}"
1043 if [ "$VERBOSE" = "Y" ]; then
1044 echo $URL
1045 fi
1046 return 0
1047}
1048
1049getSecretKey() {
1050 if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then
1051 DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/"
1052 else
1053 echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface."
1054 exit 1
1055 fi
1056
1057 FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Ss][Ee][Cc][Rr][Ee][Tt][Kk][Ee][Yy]/ {print NR}'`
1058 if [ "$FIELD" = "" ]; then
1059 echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface"
1060 export SKEY=""
1061 return 1
1062 fi
1063 SKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g'))
1064
1065 FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Qq][Uu][Ee][Rr][Yy]_[Ii][Dd]/ {print NR}'`
1066 if [ "$FIELD" = "" ]; then
1067 echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface"
1068 export AKEY=""
1069 return 1
1070 fi
1071 AKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g'))
1072
1073 return 0
1074}
1075
1076checkLocalService() {
1077 local SERVICE=""
1078
1079 if [ -z "$WGET" -o ! -x "$WGET" ]; then
1080 echo "ERROR: wget is missing, cannot continue."
1081 return 1
1082 fi
1083
1084 SERVICE="$1"
1085 if [ -z "$SERVICE" ]; then
1086 echo "ERROR: must pass in service name (CLC, CC)"
1087 return 1
1088 elif [ "$SERVICE" = "CLC" ]; then
1089 if [ -n "$FAKEREG" ]; then
1090 local SOURCEDIR="$EUCALYPTUS/var/lib/eucalyptus/keys/"
1091 for i in cloud
1092 do
1093 if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1094 openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1095 fi
1096 done
1097 fi
1098
1099 CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
1100 elif [ "$SERVICE" = "CC" ]; then
1101 CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
1102 fi
1103
1104 if [ -n "${FAKEREG}" ]; then
1105 CMD="echo"
1106 fi
1107 if ! eval $CMD ; then
1108 echo "ERROR: you need to be on the $SERVICE host and the $SERVICE needs to be running."
1109 return 1
1110 fi
1111 return 0
1112}
1113
1114if [ -n "$CREDENTIALZIPFILE" ]; then
1115 if [ -f "$CREDENTIALZIPFILE" ]; then
1116 echo "file '$CREDENTIALZIPFILE' already exists, please remove and try again"
1117 exit 1
1118 fi
1119 if ! checkLocalService "CLC" ; then
1120 exit 1
1121 fi
1122
1123 if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then
1124 DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/"
1125 else
1126 echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface."
1127 exit 1
1128 fi
1129 FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Tt][Oo][Kk][Ee][Nn]/ {print NR}'`
1130 if [ -z "$FIELD" ]; then
1131 echo "cannot find code field in database, please go to the Eucalyptus web UI to obtain credentials."
1132 exit 1
1133 fi
1134 VERCOL=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Vv][Ee][Rr][Ss][Ii][Oo][Nn]/ {print NR}'`
1135 if [ -z "$VERCOL" ]; then
1136 echo "cannot find version field in database, please go to the Eucalyptus web UI to obtain credentials."
1137 exit 1
1138 fi
1139 KEY=$(eval echo $(awk -v field=${FIELD} -v vercol=${VERCOL} -F, 'BEGIN { token=""; max=-1; } /INSERT INTO AUTH_USERS.*admin/ { if ($vercol>max) { max=$vercol; token=$field; } } END { print token; }' ${DBDIR}/* | head -n 1 | sed 's/[()]//g'))
1140 if [ -z "$KEY" ]; then
1141 echo "cannot find code in database, please go to the Eucalyptus web UI to obtain credentials."
1142 exit 1
1143 fi
1144 CMD="$WGET --no-check-certificate \"https://localhost:8443/getX509?user=admin&code=$KEY\" -O $CREDENTIALZIPFILE"
1145 if ! eval $CMD ; then
1146 echo "failed to obtain credentals, please try again or go to the Eucalyptus web UI."
1147 exit 1
1148 fi
1149fi
1150
1151# adding a new cluster
1152if [ -n "$CLUSNAME" ]; then
1153 if ! checkLocalService "CLC" ; then
1154 exit 1
1155 fi
1156
1157 if [ "$CLUSMODE" = "ADD" ]; then
1158 if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1159 SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/${CLUSNAME}/
1160 DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1161 else
1162 echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1163 exit 1
1164 fi
1165
1166 URL=""
1167 if ! createCloudURL "Action" "RegisterCluster" "Host" "${NEWCLUS}" "Name" "${CLUSNAME}" "Port" "${CC_PORT}"; then
1168 exit 1
1169 fi
1170
1171 if ! check_ws "$URL" ; then
1172 echo "ERROR: failed to register new cluster, please log in to the admin interface and check cloud status."
1173 exit 1
1174 fi
1175
1176 if [ -n "${FAKEREG}" ]; then
1177 mkdir -p $SOURCEDIR
1178 if [ -n "${FAKEREG}" ]; then
1179 mkdir -p $SOURCEDIR
1180 for i in cluster node
1181 do
1182 if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1183 openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1184 fi
1185 done
1186 fi
1187 fi
1188
1189 # sync the keys
1190 if ! sync_keys "${DESTDIR},${SOURCEDIR}" ${DESTDIR} ${NEWCLUS} node-cert.pem cluster-cert.pem cluster-pk.pem node-pk.pem vtunpass cloud-cert.pem; then
1191 echo "ERROR: failed to sync keys with ${NEWCLUS}; registration will not be complete until keys can be synced, please try again."
1192 exit 1
1193 fi
1194 echo
1195 echo "SUCCESS: new cluster '${CLUSNAME}' on host '${NEWCLUS}' successfully registered."
1196 elif [ "$CLUSMODE" = "DEL" ]; then
1197 URL=""
1198 # let's see if we have such a cluster
1199 LIST_RES=""
1200 if ! createCloudURL "Action" "DescribeClusters" ; then
1201 exit 1
1202 fi
1203 if ! check_ws "$URL" LIST_RES ; then
1204 echo "ERROR: cannot talk with CLC"
1205 exit 1
1206 fi
1207 FOUND="N"
1208 for x in $LIST_RES ; do
1209 if [ "$x" = "${CLUSNAME}" ]; then
1210 FOUND="Y"
1211 break
1212 fi
1213 done
1214 if [ "$FOUND" = "N" ]; then
1215 echo "No registered cluster $CLUSNAME was found"
1216 exit 1
1217 fi
1218
1219 # now let's deregister
1220 URL=""
1221 if ! createCloudURL "Action" "DeregisterCluster" "Name" "${CLUSNAME}"; then
1222 exit 1
1223 fi
1224
1225 if ! check_ws "$URL" ; then
1226 echo "ERROR: failed to deregister new cluster, please log in to the admin interface and check cloud status."
1227 exit 1
1228 fi
1229 echo
1230 echo "SUCCESS: cluster '${CLUSNAME}' successfully deregistered."
1231 fi
1232fi
1233
1234# walrus
1235if [ -n "$WALRUS" -o -n "$WALRUS_MODE" ]; then
1236 if ! checkLocalService "CLC" ; then
1237 exit 1
1238 fi
1239
1240 if [ "$WALRUS_MODE" = "ADD" ]; then
1241 echo "Adding WALRUS host $WALRUS"
1242 if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1243 SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1244 DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1245 else
1246 echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1247 exit 1
1248 fi
1249
1250 URL=""
1251 if ! createCloudURL "Action" "RegisterWalrus" "Host" "${WALRUS}" "Name" "walrus" "Port" "8773"; then
1252 exit 1
1253 fi
1254
1255 if ! check_ws "$URL" ; then
1256 echo "ERROR: failed to register Walrus, please log in to the admin interface and check cloud status."
1257 exit 1
1258 fi
1259
1260 # check that walrus is at least running on the remote host
1261 sleep 3
1262 if ! check_heartbeat ${WALRUS} walrus ; then
1263 echo "WARNING: Walrus is not up on host ${WALRUS}; registration will not be complete until walrus is running."
1264 fi
1265
1266 # sync the keys
1267 if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${WALRUS} euca.p12 ; then
1268 echo "ERROR: failed to sync keys with ${WALRUS}; registration will not be complete until keys can be synced, please try again."
1269 exit 1
1270 fi
1271 echo
1272 echo "SUCCESS: new walrus on host '${WALRUS}' successfully registered."
1273
1274 elif [ "$WALRUS_MODE" = "DEL" ]; then
1275 URL=""
1276 if ! createCloudURL "Action" "DeregisterWalrus" "Name" "walrus"; then
1277 exit 1
1278 fi
1279 if ! check_ws "$URL" ; then
1280 echo "ERROR: failed to deregister Walrus, please log in to the admin interface and check cloud status."
1281 exit 1
1282 fi
1283 echo
1284 echo "SUCCESS: Walrus successfully deregistered."
1285 fi
1286fi
1287
1288# sc
1289if [ -n "$SCNAME" ]; then
1290 if ! checkLocalService "CLC" ; then
1291 exit 1
1292 fi
1293
1294 if [ "$SC_MODE" = "ADD" ]; then
1295 echo "Adding SC $SCHOST to cluster $SCNAME"
1296 if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1297 SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1298 DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1299 else
1300 echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1301 exit 1
1302 fi
1303
1304 URL=""
1305 if ! createCloudURL "Action" "RegisterStorageController" "Host" "${SCHOST}" "Name" "${SCNAME}" "Port" "8773"; then
1306 exit 1
1307 fi
1308 if ! check_ws "$URL"; then
1309 echo "ERROR: failed to register storage controller, please log in to the admin interface and check cloud status."
1310 exit 1
1311 fi
1312 if [ -n "${FAKEREG}" ]; then
1313 mkdir -p $SOURCEDIR
1314 for i in sc
1315 do
1316 if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1317 openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1318 fi
1319 done
1320 fi
1321
1322 # sync the keys
1323 if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${SCHOST} euca.p12; then
1324 echo "ERROR: failed to sync keys with ${SCHOST}; registration will not be complete until keys can be synced, please try again."
1325 exit 1
1326 fi
1327 echo
1328 echo "SUCCESS: new SC for cluster '${SCNAME}' on host '${SCHOST}' successfully registered."
1329
1330 elif [ "$SC_MODE" = "DEL" ]; then
1331 # let's see if we have such a storage controller
1332 LIST_RES=""
1333 if ! createCloudURL "Action" "DescribeStorageControllers" ; then
1334 exit 1
1335 fi
1336 if ! check_ws "$URL" LIST_RES ; then
1337 echo "ERROR: cannot talk with CLC"
1338 exit 1
1339 fi
1340 FOUND="N"
1341 for x in $LIST_RES ; do
1342 if [ "$x" = "${SCNAME}" ]; then
1343 FOUND="Y"
1344 break
1345 fi
1346 done
1347 if [ "$FOUND" = "N" ]; then
1348 echo "No registered storage controller $SCNAME was found"
1349 exit 1
1350 fi
1351
1352 # now let's deregister
1353 URL=""
1354 if ! createCloudURL "Action" "DeregisterStorageController" "Name" "${SCNAME}"; then
1355 exit 1
1356 fi
1357 if ! check_ws "$URL" ; then
1358 echo "ERROR: failed to deregister StorageController, please log in to the admin interface and check cloud status."
1359 exit 1
1360 fi
1361 echo
1362 echo "SUCCESS: Storage controller for cluster '${SCNAME}' successfully deregistered."
1363 fi
1364fi
1365
1366# operations on the nodes
1367if [ -n "$NODEMODE" ]; then
1368 # for synckey we fake addnodes
1369 if [ "$NODEMODE" = "SYNC" ]; then
1370 if [ -z "$NODES" ]; then
1371 echo "Warning: there are no NODES configured"
1372 else
1373 NEWNODES="${NODES}"
1374 NODEMODE="ADD"
1375 fi
1376 fi
1377 if [ "$NODEMODE" = "DISCOVER" ]; then
1378 if ! which avahi-browse >/dev/null 2>&1; then
1379 echo "ERROR: avahi-browse not installed, so cannot discover nodes"
1380 exit 1
1381 fi
1382 NEWNODES=
1383 for DISCOVERED in $(avahi-browse -prt _eucalyptus._tcp | grep '^=.*"type=node"' | cut -d\; -f8 | sort -u); do
1384 if ! xsearch "$DISCOVERED" "$NODES"; then
1385 read -p "New node found on $DISCOVERED; add it? [Yn] " CONFIRM
1386 CONFIRM="$(printf %s "$CONFIRM" | tr A-Z a-z | cut -c1)"
1387 if [ "x$CONFIRM" = x ] || [ "x$CONFIRM" = xy ]; then
1388 NEWNODES="${NEWNODES:+$NEWNODES }$DISCOVERED"
1389 fi
1390 fi
1391 done
1392 NODEMODE="ADD"
1393 fi
1394
1395 # check we have a valid command
1396 if [ "$NODEMODE" != "ADD" -a "$NODEMODE" != "REM" ]; then
1397 echo "ERROR: unknown mode '$NODEMODE', don't know what to do"
1398 exit 1
1399 fi
1400
1401 if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1402 SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1403 DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1404 else
1405 echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful and that this cluster is already registered!"
1406 exit 1
1407 fi
1408
1409 # CC needs to be running
1410 if ! checkLocalService "CC" ; then
1411 exit 1
1412 fi
1413
1414 # warn the user on where we expect the keys to be
1415 if [ "$NODEMODE" = "ADD" ]; then
1416 echo
1417 echo "INFO: We expect all nodes to have eucalyptus installed in $EUCALYPTUS/var/lib/eucalyptus/keys for key synchronization."
1418 fi
1419
1420 # adding (or removing) nodes
1421 for NEWNODE in ${NEWNODES} ; do
1422 # let's see if the node is already in the node list
1423 its_here="0"
1424 for x in $NODES ; do
1425 if [ "$x" = "${NEWNODE}" ]; then
1426 its_here="1"
1427 break
1428 fi
1429 done
1430
1431 # remove is simpler: just remove the node name
1432 if [ "$NODEMODE" = "REM" ]; then
1433 if [ "$its_here" = "0" ]; then
1434 echo "Node ${NEWNODE} is not known"
1435 continue
1436 fi
1437 NEW_NODES=""
1438 for x in $NODES; do
1439 if [ "$x" = "${NEWNODE}" ]; then
1440 continue
1441 fi
1442 NEW_NODES="$x $NEW_NODES"
1443 done
1444 echo "$NEW_NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list
1445 echo "SUCCESS: removed node '${NEWNODE}' from '$FILE'"
1446 continue
1447 fi
1448
1449 # let's sync keys with the nodes
1450 if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${NEWNODE} node-cert.pem cluster-cert.pem node-pk.pem cloud-cert.pem; then
1451 errors=1
1452 echo
1453 echo "ERROR: could not synchronize keys with $NEWNODE!"
1454 echo "The configuration will not have this node."
1455 if [ "$SSHKEY" = "" ]; then
1456 echo "User $EUCA_USER may have to run ssh-keygen!"
1457 else
1458 echo "Hint: to setup passwordless login to the nodes as user $EUCA_USER, you can"
1459 echo "run the following commands on node $NEWNODE:"
1460 echo "sudo -u $EUCA_USER mkdir -p ~${EUCA_USER}/.ssh"
1461 echo "sudo -u $EUCA_USER tee ~${EUCA_USER}/.ssh/authorized_keys > /dev/null <<EOT"
1462 echo "$SSHKEY"
1463 echo "EOT"
1464 echo ""
1465 echo "Be sure that authorized_keys is not group/world readable or writable"
1466 fi
1467 continue
1468 fi
1469
1470 # if the node is already listed, we are done
1471 if [ "$its_here" = "1" ]; then
1472 continue
1473 fi
1474
1475 # add the node
1476 NODES="${NODES} $NEWNODE"
1477 echo "$NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list
1478
1479 done
1480fi
1481
1482
1483for x in $LIST ; do
1484 LIST_RES=""
1485
1486 if [ "$x" = "walruses" ]; then
1487 if ! createCloudURL "Action" "DescribeWalruses" ; then
1488 exit 1
1489 fi
1490 if ! check_ws "$URL" LIST_RES ; then
1491 exit 1
1492 fi
1493 if [ -n "$LIST_RES" ]; then
1494 echo "registered walruses:"
1495 fi
1496 echo "$LIST_RES"
1497 fi
1498 if [ "$x" = "storages" ]; then
1499 if ! createCloudURL "Action" "DescribeStorageControllers" ; then
1500 exit 1
1501 fi
1502 if ! check_ws "$URL" LIST_RES ; then
1503 exit 1
1504 fi
1505 if [ -n "$LIST_RES" ]; then
1506 echo "registered storage controllers:"
1507 fi
1508 echo "$LIST_RES"
1509 fi
1510 if [ "$x" = "clusters" ]; then
1511 if ! createCloudURL "Action" "DescribeClusters" ; then
1512 exit 1
1513 fi
1514 if ! check_ws "$URL" LIST_RES ; then
1515 exit 1
1516 fi
1517 if [ -n "$LIST_RES" ]; then
1518 echo "registered clusters:"
1519 fi
1520 echo "$LIST_RES"
1521 fi
1522 if [ "$x" = "nodes" ]; then
1523 if ! createCloudURL "Action" "DescribeNodes" ; then
1524 exit 1
1525 fi
1526 if ! check_ws "$URL" LIST_RES ; then
1527 exit 1
1528 fi
1529 if [ -n "$LIST_RES" ]; then
1530 echo "registered nodes:"
1531 fi
1532 echo "$LIST_RES"
1533 fi
1534done
1535
1536
1537# enable/disable services
1538if [ -r $EUCALYPTUS/var/lib/eucalyptus/services ]; then
1539 for x in `cat $EUCALYPTUS/var/lib/eucalyptus/services` ; do
1540 TO_START="$TO_START $x"
1541 done
1542fi
1543if [ -n "$DISABLED" -o -n "$ENABLED" ]; then
1544 for x in $TO_START $ENABLED ; do
1545 to_start="Y"
1546 for y in $DISABLED ; do
1547 if [ "$x" = "$y" ]; then
1548 to_start="N"
1549 fi
1550 done
1551 [ $to_start = "Y" ] && echo $x
1552 done | sort | uniq > $EUCALYPTUS/var/lib/eucalyptus/services
1553fi
1554
1555[ "$errors" = "1" ] && exit 1 || exit 0
01556
=== added directory '.pc/30-clock_drift.patch'
=== added directory '.pc/30-clock_drift.patch/tools'
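--- a/.pc/30-clock_drift.patch/tools/client-policy-template.xml
+++ b/.pc/30-clock_drift.patch/tools/client-policy-template.xml
@@ -0,0 +1,73 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefEmbeddedToken/>
+ </wsp:Policy>
+ </sp:Wss10>
+
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
+ </sp:SignedParts>
+
+ <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ <!--
+ <rampc:User>CLIENT-USERNAME</rampc:User>
+ <rampc:PasswordType>Digest</rampc:PasswordType>
+ <rampc:PasswordCallbackClass>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/libpwcb.so</rampc:PasswordCallbackClass>
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+ -->
+ </rampc:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
+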
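--- a/.pc/30-clock_drift.patch/tools/service-policy-template.xml
+++ b/.pc/30-clock_drift.patch/tools/service-policy-template.xml
@@ -0,0 +1,67 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">a
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <!-- <sp:EncryptSignature/> -->
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefEmbeddedToken/>
+ <sp:MustSupportRefIssuerSerial/>
+ </wsp:Policy>
+ </sp:Wss10>
+
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
+ </sp:SignedParts>
+
+ <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ </rampc:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
+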
=== added directory '.pc/30-clock_drift.patch/util'
=== added file '.pc/30-clock_drift.patch/util/euca_axis.c'
--- .pc/30-clock_drift.patch/util/euca_axis.c 1970-01-01 00:00:00 +0000
+++ .pc/30-clock_drift.patch/util/euca_axis.c 2011-09-21 09:10:44 +0000
@@ -0,0 +1,459 @@
1/*
2Copyright (c) 2009 Eucalyptus Systems, Inc.
3
4This program is free software: you can redistribute it and/or modify
5it under the terms of the GNU General Public License as published by
6the Free Software Foundation, only version 3 of the License.
7
8This file is distributed in the hope that it will be useful, but WITHOUT
9ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
11for more details.
12
13You should have received a copy of the GNU General Public License along
14with this program. If not, see <http://www.gnu.org/licenses/>.
15
16Please contact Eucalyptus Systems, Inc., 130 Castilian
17Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/>
18if you need additional information or have any questions.
19
20This file may incorporate work covered under the following copyright and
21permission notice:
22
23 Software License Agreement (BSD License)
24
25 Copyright (c) 2008, Regents of the University of California
26
27
28 Redistribution and use of this software in source and binary forms, with
29 or without modification, are permitted provided that the following
30 conditions are met:
31
32 Redistributions of source code must retain the above copyright notice,
33 this list of conditions and the following disclaimer.
34
35 Redistributions in binary form must reproduce the above copyright
36 notice, this list of conditions and the following disclaimer in the
37 documentation and/or other materials provided with the distribution.
38
39 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
40 IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
41 TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
42 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
43 OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
44 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
45 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
46 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
47 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
48 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
49 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF
50 THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE
51 LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS
52 SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
53 IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA
54 BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN
55 THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT
56 OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR
57 WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH
58 ANY SUCH LICENSES OR RIGHTS.
59*/
60/* BRIEF EXAMPLE MSG:
61<soapenv:Envelope>.
62 <soapenv:Header>
63 [..snip..]
64 <wsse:Security>
65 [..snip..]
66 <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
67 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
68 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
69 wsu:Id="CertId-469">[..snip..]</wsse:BinarySecurityToken>
70 [..snip..]
71 <ds:Signature>
72 <ds:SignedInfo>
73 <!-- <ref-id> points to a signed element. Body, Timestamp, To, Action, and MessageId element are expected to be signed-->
74 <ds:Reference URI="#<ref-id>>
75 [..snip..]
76 </ds:Reference>
77 </ds:SignedInfo>
78 <ds:KeyInfo Id="KeyId-374652">
79 <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22112351">
80 <!-- this thing points to the wsse:BinarySecurityToken above -->
81 <wsse:Reference URI="#CertId-469" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
82 </wsse:SecurityTokenReference>
83 </ds:KeyInfo>
84 </ds:Signature>
85 </wsse:Security>
86 </soapenv:Header>
87 <soapenv:Body>...</soapenv:Body>
88</soapenv:Envelope>.
89*/
90
91#include "oxs_axiom.h"
92#include "oxs_x509_cert.h"
93#include "oxs_key_mgr.h"
94#include "rampart_handler_util.h"
95#include "rampart_sec_processed_result.h"
96#include "rampart_error.h"
97#include "axis2_op_ctx.h"
98#include "rampart_context.h"
99#include "rampart_constants.h"
100#include "axis2_addr.h"
101#include "axiom_util.h"
102#include "rampart_timestamp_token.h"
103
104#include <neethi_policy.h>
105#include <neethi_util.h>
106#include <axutil_utils.h>
107#include <axis2_client.h>
108#include <axis2_stub.h>
109
110#include "misc.h" /* check_file, logprintf */
111#include "euca_axis.h"
112
113#define NO_U_FAIL(x) do{ \
114AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\
115AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\
116return AXIS2_FAILURE; \
117}while(0)
118
119axis2_status_t __euca_authenticate(const axutil_env_t *env,axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx)
120{
121 //***** First get the message context before doing anything dumb w/ a NULL pointer *****/
122 axis2_msg_ctx_t *msg_ctx = NULL; //<--- incoming msg context, it is NULL, see?
123 msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN);
124
125 //***** Print everything from the security results, just for testing now *****//
126 rampart_context_t *rampart_context = NULL;
127 axutil_property_t *property = NULL;
128
129 property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT);
130 if(property)
131 {
132 rampart_context = (rampart_context_t *)axutil_property_get_value(property, env);
133 // AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ======== PRINTING PROCESSED WSSEC TOKENS ======== ");
134 rampart_print_security_processed_results_set(env,msg_ctx);
135 }
136
137 //***** Extract Security Node from header from enveloper from msg_ctx *****//
138 axiom_soap_envelope_t *soap_envelope = NULL;
139 axiom_soap_header_t *soap_header = NULL;
140 axiom_node_t *sec_node = NULL;
141
142
143 soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
144 if(!soap_envelope) NO_U_FAIL("SOAP envelope cannot be found.");
145 soap_header = axiom_soap_envelope_get_header(soap_envelope, env);
146 if (!soap_header) NO_U_FAIL("SOAP header cannot be found.");
147 sec_node = rampart_get_security_header(env, msg_ctx, soap_header); // <---- here it is!
148 if(!sec_node)NO_U_FAIL("No node wsse:Security -- required: ws-security");
149
150 //***** Find the wsse:Reference to the BinarySecurityToken *****//
151 //** Path is: Security/
152 //** *sec_node must be non-NULL, kkthx **//
153 axiom_node_t *sig_node = NULL;
154 axiom_node_t *key_info_node = NULL;
155 axiom_node_t *sec_token_ref_node = NULL;
156 /** the ds:Signature node **/
157 sig_node = oxs_axiom_get_first_child_node_by_name(env,sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS );
158 if(!sig_node)NO_U_FAIL("No node ds:Signature -- required: signature");
159 /** the ds:KeyInfo **/
160 key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL );
161 if(!key_info_node)NO_U_FAIL("No node ds:KeyInfo -- required: signature key");
162 /** the wsse:SecurityTokenReference **/
163 sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node,OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
164 if(!sec_token_ref_node)NO_U_FAIL("No node wsse:SecurityTokenReference -- required: signing token");
165 //** in theory this is the branching point for supporting all kinds of tokens -- we only do BST Direct Reference **/
166
167 //***** Find the wsse:Reference to the BinarySecurityToken *****//
168 //** *sec_token_ref_node must be non-NULL **/
169 axis2_char_t *ref = NULL;
170 axis2_char_t *ref_id = NULL;
171 axiom_node_t *token_ref_node = NULL;
172 axiom_node_t *bst_node = NULL;
173 /** the wsse:Reference node **/
174 token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node,OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
175 /** pull out the name of the BST node **/
176 ref = oxs_token_get_reference(env, token_ref_node);
177 ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
178 /** get the wsse:BinarySecurityToken used to sign the message **/
179 bst_node = oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS);
180 if(!bst_node){oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);NO_U_FAIL("Cant find the required node");}
181
182
183 //***** Find the wsse:Reference to the BinarySecurityToken *****//
184 //** *bst_node must be non-NULL **/
185 axis2_char_t *data = NULL;
186 oxs_x509_cert_t *_cert = NULL;
187 oxs_x509_cert_t *recv_cert = NULL;
188 axis2_char_t *file_name = NULL;
189 axis2_char_t *recv_x509_buf = NULL;
190 axis2_char_t *msg_x509_buf = NULL;
191
192 /** pull out the data from the BST **/
193 data = oxs_axiom_get_node_content(env, bst_node);
194 /** create an oxs_X509_cert **/
195 _cert = oxs_key_mgr_load_x509_cert_from_string(env, data);
196 if(_cert)
197 {
198 //***** FINALLY -- we have the certificate used to sign the message. authenticate it HERE *****//
199 msg_x509_buf = oxs_x509_cert_get_data(_cert,env);
200 if(!msg_x509_buf)NO_U_FAIL("OMG WHAT NOW?!");
201 /*
202 recv_x509_buf = (axis2_char_t *)rampart_context_get_receiver_certificate(rampart_context, env);
203 if(recv_x509_buf)
204 recv_cert = oxs_key_mgr_load_x509_cert_from_string(env, recv_x509_buf);
205 else
206 {
207 file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
208 if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
209 if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
210 recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
211 }
212 */
213
214 file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
215 if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
216 if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
217 recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
218
219 if (recv_cert) {
220 recv_x509_buf = oxs_x509_cert_get_data(recv_cert,env);
221 } else {
222 NO_U_FAIL("could not populate receiver cert");
223 }
224
225 if( axutil_strcmp(recv_x509_buf,msg_x509_buf)!=0){
226 AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Received x509 certificate value ---------" );
227 AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, msg_x509_buf );
228 AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Local x509 certificate value! ---------" );
229 AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, recv_x509_buf );
230 AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ---------------------------------------------------" );
231 NO_U_FAIL("The certificate specified is invalid!");
232 }
233 if(verify_references(sig_node, env, out_msg_ctx, soap_envelope) == AXIS2_FAILURE) {
234 return AXIS2_FAILURE;
235 }
236
237 }
238 else
239 {
240 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data);
241 NO_U_FAIL("Failed to build certificate from BinarySecurityToken");
242 }
243 oxs_x509_cert_free(_cert, env);
244 oxs_x509_cert_free(recv_cert, env);
245
246 return AXIS2_SUCCESS;
247
248}
249
250/**
251 * Verifes that Body, Timestamp, To, Action, and MessageId elements are signed and located
252 * where expected by the application logic. Timestamp is checked for expiration regardless
253 * of its actual location.
254 */
255axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axiom_soap_envelope_t *envelope) {
256 axiom_node_t *si_node = NULL;
257 axiom_node_t *ref_node = NULL;
258 axis2_status_t status = AXIS2_SUCCESS;
259
260 si_node = oxs_axiom_get_first_child_node_by_name(env,sig_node, OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS);
261
262 if(!si_node) {
263 axis2_char_t *tmp = axiom_node_to_string(sig_node, env);
264 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart]sig = %s", tmp);
265 NO_U_FAIL("Couldn't find SignedInfo!");
266 }
267
268 axutil_qname_t *qname = NULL;
269 axiom_element_t *parent_elem = NULL;
270 axiom_children_qname_iterator_t *qname_iter = NULL;
271
272 parent_elem = axiom_node_get_data_element(si_node, env);
273 if(!parent_elem)
274 {
275 NO_U_FAIL("Could not get Reference elem");
276 }
277
278 axis2_char_t *ref = NULL;
279 axis2_char_t *ref_id = NULL;
280 axiom_node_t *signed_node = NULL;
281 axiom_node_t *envelope_node = NULL;
282
283 short signed_elems[5] = {0,0,0,0,0};
284
285 envelope_node = axiom_soap_envelope_get_base_node(envelope, env);
286
287 qname = axutil_qname_create(env, OXS_NODE_REFERENCE, OXS_DSIG_NS, NULL);
288 qname_iter = axiom_element_get_children_with_qname(parent_elem, env, qname, si_node);
289 while (axiom_children_qname_iterator_has_next(qname_iter , env)) {
290 ref_node = axiom_children_qname_iterator_next(qname_iter, env);
291 axis2_char_t *txt = axiom_node_to_string(ref_node, env);
292
293 /* get reference to a signed element */
294 ref = oxs_token_get_reference(env, ref_node);
295 if(ref == NULL || strlen(ref) == 0 || ref[0] != '#') {
296 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unsupported reference ID in %s", txt);
297 status = AXIS2_FAILURE;
298 break;
299 }
300
301 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] %s, ref = %s", txt, ref);
302
303 /* get rid of '#' */
304 ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
305 signed_node = oxs_axiom_get_node_by_id(env, envelope_node, OXS_ATTR_ID, ref_id, OXS_WSU_XMLNS);
306 if(!signed_node) {
307 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);
308 status = AXIS2_FAILURE;
309 break;
310 }
311 if(verify_node(signed_node, env, msg_ctx, ref, signed_elems)) {
312 status = AXIS2_FAILURE;
313 break;
314 }
315 }
316
317
318 axutil_qname_free(qname, env);
319 qname = NULL;
320
321 if(status == AXIS2_FAILURE) {
322 NO_U_FAIL("Failed to verify location of signed elements!");
323 }
324
325 /* This is needed to make sure that all security-critical elements are signed */
326 for(int i = 0; i < 5; i++) {
327 if(signed_elems[i] == 0) {
328 NO_U_FAIL("Not all required elements are signed");
329 }
330 }
331
332 return status;
333
334}
335
336/**
337 * Verifies XPath location of signed elements.
338 */
339int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref, short *signed_elems) {
340
341 if(!axutil_strcmp(OXS_NODE_BODY, axiom_util_get_localname(signed_node, env))) {
342 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Body", ref);
343 signed_elems[0] = 1;
344
345 axiom_node_t *parent = axiom_node_get_parent(signed_node,env);
346 if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
347 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected parent element for Body with ID = %s", ref);
348 return 1;
349 }
350
351 parent = axiom_node_get_parent(parent,env);
352 if(parent) {
353 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env));
354 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
355 return 1;
356 }
357
358 } else if(!axutil_strcmp(RAMPART_SECURITY_TIMESTAMP, axiom_util_get_localname(signed_node, env))) {
359 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Timestamp", ref);
360 signed_elems[1] = 1;
361
362 /* Regardless of the location of the Timestamp, verify the one that is signed */
363 if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
364 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
365 return 1;
366 }
367
368 } else if(!axutil_strcmp(AXIS2_WSA_ACTION, axiom_util_get_localname(signed_node, env))) {
369 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Action", ref);
370 signed_elems[2] = 1;
371
372 if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
373 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Action with ID = %s", ref);
374 return 1;
375 }
376
377 } else if(!axutil_strcmp(AXIS2_WSA_TO, axiom_util_get_localname(signed_node, env))) {
378 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is To", ref);
379 signed_elems[3] = 1;
380
381 if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
382 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for To with ID = %s", ref);
383 return 1;
384 }
385
386
387 } else if(!axutil_strcmp(AXIS2_WSA_MESSAGE_ID, axiom_util_get_localname(signed_node, env))) {
388 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is MessageId", ref);
389 signed_elems[4] = 1;
390
391 if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
392 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for MessageId with ID = %s", ref);
393 return 1;
394 }
395
396 } else {
397 AXIS2_LOG_WARNING(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is UNKNOWN", ref);
398 }
399
400 return 0;
401}
402
403/**
404 * Verify that an addressing element is located in <Envelope>/<Header>
405 */
406int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref) {
407
408 axiom_node_t *parent = axiom_node_get_parent(signed_node,env);
409
410 if(axutil_strcmp(OXS_NODE_HEADER, axiom_util_get_localname(parent, env))) {
411 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of addressing elem is %s", axiom_node_to_string(parent, env));
412 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
413 return 1;
414
415 }
416 parent = axiom_node_get_parent(parent,env);
417
418 if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
419 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] second parent of addressing elem is %s", axiom_node_to_string(parent, env));
420 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
421 return 1;
422
423 }
424
425 parent = axiom_node_get_parent(parent,env);
426 if(parent) {
427 AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env));
428 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
429 return 1;
430 }
431
432 return 0;
433}
434
435
436int InitWSSEC(axutil_env_t *env, axis2_stub_t *stub, char *policyFile) {
437 axis2_svc_client_t *svc_client = NULL;
438 neethi_policy_t *policy = NULL;
439 axis2_status_t status = AXIS2_FAILURE;
440
441 //return(0);
442
443 svc_client = axis2_stub_get_svc_client(stub, env);
444 if (!svc_client) {
445 logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not get svc_client from stub\n");
446 return(1);
447 }
448 axis2_svc_client_engage_module(svc_client, env, "rampart");
449
450 policy = neethi_util_create_policy_from_file(env, policyFile);
451 if (!policy) {
452 logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not initialize policy file %s\n", policyFile);
453 return(1);
454 }
455 status = axis2_svc_client_set_policy(svc_client, env, policy);
456
457 return(0);
458}
459
0460
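--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -16,3 +16,5 @@
 26-google-collections-1.0-ftbfs.patch
 27-soap-security.patch
 28-fix-startup-crash.patch
+29-euca_conf-sslv3.patch
+30-clock_drift.patch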
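--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+eucalyptus (2.0.1+bzr1256-0ubuntu8) oneiric; urgency=low
+
+  * Fix compatibility issues with SSLv3 (LP: #851611):
+    - d/patches/29-euca_conf-sslv3.patch: Use --secure-protocol=SSLv3
+      with wget when communicating with CLC.
+    - d/eucalyptus-cloud.upstart: Use --secure-protocol=SSLv3 with wget
+      when checking for CLC startup complete.
+  * d/patches/30-clock_drift.patch: Resolve issue with rampart blocking
+    communication between CC and NC when time is fractionally in the
+    future (LP: #854946):
+
+ -- James Page <james.page@ubuntu.com>  Wed, 21 Sep 2011 09:57:58 +0100
+
 eucalyptus (2.0.1+bzr1256-0ubuntu7) oneiric; urgency=low
 
   * d/patches/28-fix-startup-crash.patch: Fix from Graziano Obertelli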
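--- a/debian/eucalyptus-cloud.upstart
+++ b/debian/eucalyptus-cloud.upstart
@@ -12,6 +12,7 @@
 . /etc/eucalyptus/eucalyptus-ipaddr.conf
 # Should this check something on :8773 instead? -mdz
 if wget -q -T10 -t1 -O- --no-check-certificate \
+    --secure-protocol=SSLv3 \
     https://$CLOUD_IP_ADDR:8443/register | \
     grep CloudVersion; then
 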
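Review bot: `--secure-protocol=SSLv3` on the added line pins the CLC startup probe to a single protocol version, so the probe fails as soon as the CLC's SSL stack stops offering SSLv3, and nothing in the file records why the pin is there. The probe already runs with `--no-check-certificate`, so it is an unauthenticated liveness check either way; the pin only changes which handshake is attempted, not what the probe trusts. I would add a comment above the option, `# SSLv3 pinned because TLS negotiation with the CLC currently fails (LP: #851611); drop once the CLC negotiates TLS`. The same applies to the `CMD=` line in `tools/euca_conf.in` and to its copy in `debian/patches/29-euca_conf-sslv3.patch`.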
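--- a/debian/patches/29-euca_conf-sslv3.patch
+++ b/debian/patches/29-euca_conf-sslv3.patch
@@ -0,0 +1,18 @@
+Description: Force wget to use SSLv3 protocol when talking to CLC
+ otherwise SSL comms failures happen.
+Origin: https://build.opensuse.org/package/view_file?file=eucalyptus-force-sslv3.patch&package=eucalyptus&project=Virtualization%3ACloud%3AEucalyptus&srcmd5=603fc985140105bd4ed7a079a4dc7258
+Forwarded: not-needed
+
+Index: eucalyptus/tools/euca_conf.in
+===================================================================
+--- eucalyptus.orig/tools/euca_conf.in	2011-09-20 17:03:52.995305737 +0100
++++ eucalyptus/tools/euca_conf.in	2011-09-20 17:05:46.935553670 +0100
+@@ -1096,7 +1096,7 @@
+         done
+     fi
+ 
+-    CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
++    CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
+ elif [ "$SERVICE" = "CC" ]; then
+     CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
+ fi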
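--- a/debian/patches/30-clock_drift.patch
+++ b/debian/patches/30-clock_drift.patch
@@ -0,0 +1,38 @@
+Author: Graziano Obertelli <graziano@eucalyptus.com>
+Description: Permit fractional time difference between NC and CC
+Bug-Ubuntu: http://pad.lv/854946
+
+--- a/tools/client-policy-template.xml	2011-03-30 16:44:16 +0000
++++ b/tools/client-policy-template.xml	2011-04-07 22:26:08 +0000
+@@ -57,6 +57,7 @@
+     <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+     <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+     <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
++    <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
+     <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+     <!--
+     <rampc:User>CLIENT-USERNAME</rampc:User>
+
+--- a/tools/service-policy-template.xml	2011-03-30 16:44:16 +0000
++++ b/tools/service-policy-template.xml	2011-04-07 22:26:08 +0000
+@@ -60,6 +60,7 @@
+     <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
+     <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
+     <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
++    <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
+   </rampc:RampartConfig>
+  </wsp:All>
+ </wsp:ExactlyOne>
+
+--- a/util/euca_axis.c	2011-03-30 16:44:16 +0000
++++ b/util/euca_axis.c	2011-04-07 22:26:08 +0000
+@@ -360,7 +360,7 @@
+         signed_elems[1] = 1;
+ 
+         /* Regardless of the location of the Timestamp, verify the one that is signed */
+-        if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
++        if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) {
+             oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
+             return 1;
+         }
+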
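Review bot: The `20` passed to `rampart_timestamp_token_validate` in the `util/euca_axis.c` hunk is a bare literal that duplicates the `ClockSkewBuffer` value the same patch adds to both policy templates, so the C check and the policy can silently diverge, and neither the hunk nor the patch header states the unit (the header says "fractional", while the value is presumably seconds — confirm against rampart's definition of the parameter). I would hoist it into a named constant with the unit spelled out, `enum { EUCA_CLOCK_SKEW_BUFFER = 20 }; /* seconds of clock skew tolerated when validating a signed Timestamp; keep in sync with ClockSkewBuffer in tools/*-policy-template.xml */`, and pass `EUCA_CLOCK_SKEW_BUFFER` at the call site. Any widening of this tolerance also widens the interval in which an already-seen signed message still validates, so the value should stay as small as the observed CC/NC drift requires, and the commented-out `TimeToLive` in both templates is worth revisiting together with it. `verify_node` starts and ends outside this hunk. The same point applies to the `tools/client-policy-template.xml`, `tools/service-policy-template.xml` and `util/euca_axis.c` sections below.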
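--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,5 @@
 26-google-collections-1.0-ftbfs.patch
 27-soap-security.patch
 28-fix-startup-crash.patch
+29-euca_conf-sslv3.patch
+30-clock_drift.patch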
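--- a/tools/client-policy-template.xml
+++ b/tools/client-policy-template.xml
@@ -57,6 +57,7 @@
     <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
     <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
     <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+    <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
     <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
     <!--
     <rampc:User>CLIENT-USERNAME</rampc:User>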
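--- a/tools/euca_conf.in
+++ b/tools/euca_conf.in
@@ -1096,7 +1096,7 @@
         done
     fi
 
-    CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
+    CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
 elif [ "$SERVICE" = "CC" ]; then
     CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
 fi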
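--- a/tools/service-policy-template.xml
+++ b/tools/service-policy-template.xml
@@ -60,6 +60,7 @@
     <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
     <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
     <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+    <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
   </rampc:RampartConfig>
  </wsp:All>
 </wsp:ExactlyOne>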
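--- a/util/euca_axis.c
+++ b/util/euca_axis.c
@@ -360,7 +360,7 @@
         signed_elems[1] = 1;
 
         /* Regardless of the location of the Timestamp, verify the one that is signed */
-        if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
+        if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) {
             oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
             return 1;
         }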
