Changeset 3df9b33


Ignore:
Timestamp:
Oct 6, 2011 5:56:31 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
compt_changes, info-ops, master
Children:
9bde415
Parents:
b6a6206
Message:

fedd-generated SEER certs and distribution (initial implementation,
untested) addresses #33

Files:
3 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/emulab_access.py

    rb6a6206 r3df9b33  
    925925        allocation log bound to the state log variable as well.
    926926        """
    927         configs = set(('hosts', 'ssh_pubkey', 'ssh_secretkey'))
     927        configs = ('hosts', 'ssh_pubkey', 'ssh_secretkey',
     928                'seer_ca_pem', 'seer_node_pem')
    928929        ename = None
    929930        pubkey_base = None
  • fedd/federation/experiment_control.py

    rb6a6206 r3df9b33  
    1313import signal
    1414import time
     15
     16import os.path
    1517
    1618import traceback
     
    551553                    "Cannot generate nonce ssh keys.  %s return code %d" \
    552554                            % (self.ssh_keygen, rv))
     555
     556    def generate_seer_certs(self, destdir):
     557        '''
     558        Create a SEER ca cert and a node cert in destdir/ca.pem and
     559        destdir/node.pem respectively.  These will be distributed throughout
     560        the federated experiment.  This routine reports errors via
     561        service_errors.
     562        '''
     563        openssl = '/usr/bin/openssl'
     564        # All the filenames and parameters we need for openssl calls below
     565        ca_serial =os.path.join(destdir, 'ca.serial')
     566        ca_key =os.path.join(destdir, 'ca.key')
     567        ca_pem = os.path.join(destdir, 'ca.pem')
     568        node_key =os.path.join(destdir, 'node.key')
     569        node_pem = os.path.join(destdir, 'node.pem')
     570        node_req = os.path.join(destdir, 'node.req')
     571        node_signed = os.path.join(destdir, 'node.signed')
     572        days = '%s' % (3600 * 24 * 365 * 10)
     573
     574        try:
     575            # init a serial number for the openssl calls
     576            f = open(ca_serial, 'w')
     577            print >>f, '%s' % random.randint(0, 0xffffffff)
     578            f.close()
     579
     580            # Sequence of calls to create a CA key, create a ca cert, create a
     581            # node key, node signing request, and finally a signed node
     582            # certificate.
     583            sequence = (
     584                    (openssl, 'genrsa', '-out', ca_key, '1024'),
     585                    (openssl, 'req', '-new', '-x509', '-key', ca_key, '-out',
     586                        ca_pem, '-days', days, '-subj',
     587                        '/C=US/ST=CA/O=DETER/OU=fedd/CN=CA' ),
     588                    (openssl, 'genrsa', '-out', node_key, '1024'),
     589                    (openssl, 'req', '-new', '-key', node_key, '-out',
     590                        node_req, '-days', days, '-subj',
     591                        '/C=US/ST=CA/O=DETER/OU=fedd/CN=node' ),
     592                    (openssl, 'x509', '-CA', ca_pem, '-CAkey', ca_key,
     593                        '-CAserial', ca_serial, '-req', '-in', node_req,
     594                        '-out', node_signed, '-days', days),
     595                )
     596            # Do all that stuff; bail if there's an error, and push all the
     597            # output to dev/null.
     598            for cmd in sequence:
     599                trace = open("/dev/null", "w")
     600                rv = call(cmd, stdout=trace, stderr=trace, close_fds=True)
     601                if rv != 0:
     602                    raise service_error(service_error.internal,
     603                            "Cannot generate SEER certs.  %s return code %d" \
     604                                    % (' '.join(cmd), rv))
     605            # Concatinate the node key and signed certificate into node.pem
     606            f = open(node_pem, 'w')
     607            for comp in (node_signed, node_key):
     608                g = open(comp, 'r')
     609                f.write(g.read))
     610                g.close()
     611            f.close()
     612
     613            # Throw out intermediaries.
     614            for fn in (ca_serial, ca_key, node_key, node_req, node_signed):
     615                os.unlink(fn)
     616
     617        except EnvironmentError, e:
     618            # Any difficulties with the file system wind up here
     619            raise service_error(service_error.internal,
     620                    "File error on  %s while creating SEER certs: %s" % \
     621                            (e.filename, e.strerror))
     622
     623
    553624
    554625    def gentopo(self, str):
     
    16921763        testbed to lists of federated_service objects.  The first lists all
    16931764        exporters of services, and the second all exporters of services that
    1694         need control portals int the experiment.
     1765        need control portals in the experiment.
    16951766        """
    16961767        masters = { }
     
    17331804    def generate_keys_and_hosts(self, tmpdir, expid, hosts, tbparams):
    17341805        """
    1735         Create the ssh keys necessary for interconnecting the potral nodes and
     1806        Create the ssh keys necessary for interconnecting the portal nodes and
    17361807        the global hosts file for letting each segment know about the IP
    17371808        addresses in play.  Save these into the repo.  Add attributes to the
    17381809        autorizer allowing access controllers to download them and return a set
    1739         of attributes that inform the segments where to find this stuff.  Mau
     1810        of attributes that inform the segments where to find this stuff.  May
    17401811        raise service_errors in if there are problems.
    17411812        """
    17421813        gw_pubkey_base = "fed.%s.pub" % self.ssh_type
    17431814        gw_secretkey_base = "fed.%s" % self.ssh_type
    1744         gw_pubkey = tmpdir + "/keys/" + gw_pubkey_base
    1745         gw_secretkey = tmpdir + "/keys/" + gw_secretkey_base
     1815        keydir = os.path.join(tmpdir, 'keys')
     1816        gw_pubkey = os.path.join(keydir, gw_pubkey_base)
     1817        gw_secretkey = os.path.join(keydir, gw_secretkey_base)
    17461818
    17471819        try:
     
    17511823                    "Bad key type (%s)" % self.ssh_type)
    17521824
     1825        self.generate_seer_certs(keydir)
    17531826
    17541827        # Copy configuration files into the remote file store
     
    17701843                    "Cannot write hosts file: %s" % e)
    17711844        try:
    1772             copy_file("%s" % gw_pubkey, "%s/%s" % \
    1773                     (configdir, gw_pubkey_base))
    1774             copy_file("%s" % gw_secretkey, "%s/%s" % \
    1775                     (configdir, gw_secretkey_base))
     1845            copy_file(gw_pubkey, os.path.join(configdir, gw_pubkey_base))
     1846            copy_file(gw_secretkey, os.path.join(configdir, gw_secretkey_base))
     1847            copy_file(os.path.join(keydir, 'ca.pem'),
     1848                    os.path.join(configdir, 'ca.pem'))
     1849            copy_file(os.path.join(keydir, 'node.pem'),
     1850                    os.path.join(configdir, 'node.pem'))
    17761851        except EnvironmentError, e:
    17771852            raise service_error(service_error.internal,
     
    17841859            (tbparams[tb]['allocID']['fedid'], "%s/%s" % (configpath, f)) \
    17851860                    for tb in tbparams.keys() \
    1786                         for f in ("hosts", gw_secretkey_base, gw_pubkey_base)]))
     1861                        for f in ("hosts", 'ca.pem', 'node.pem',
     1862                            gw_secretkey_base, gw_pubkey_base)]))
    17871863
    17881864        attrs = [
     
    18011877                    'value': '%s/%s/config/hosts' % \
    18021878                            (self.repo_url, expid)
     1879                },
     1880                {
     1881                    'attribute': 'seer_ca_pem',
     1882                    'value': '%s/%s/config/%s' % \
     1883                            (self.repo_url, expid, 'ca.pem')
     1884                },
     1885                {
     1886                    'attribute': 'seer_node_pem',
     1887                    'value': '%s/%s/config/%s' % \
     1888                            (self.repo_url, expid, 'node.pem')
    18031889                },
    18041890            ]
  • fedkit/federate.pl

    rb6a6206 r3df9b33  
    2121my $tmcc_p = new IO::Pipe() || die "Can't open pipe: $!\n";
    2222my $shared_config_dir;
     23my $shared_seer_auth_dir;
    2324my $local_config_dir = "/usr/local/federation/etc";
    2425my %services;
     
    6364            ($proj, $exp) = ($1, $2);
    6465            $shared_config_dir = "/proj/$proj/exp/$exp/tmp";
     66            $shared_seer_auth_dir = "/proj/$proj/exp/$exp/tbdata";
    6567            last;
    6668        };
     
    7072    mkdir($local_config_dir);
    7173
    72     foreach my $fn ("seer.conf", "client.conf", "userconf", "hosts") {
     74    foreach my $fn ("seer.conf", "client.conf", "userconf", "hosts",
     75            "ca.pem", "node.pem") {
    7376        copy("$shared_config_dir/$fn", $local_config_dir )
    7477            if -e "$shared_config_dir/$fn";
     78    }
     79
     80    # Copy seer authorization files into the location that standard SEER
     81    # invocations will look.  The above loop puts them where -F invocations
     82    # will look.
     83    foreach my $fn ("ca.pem", "node.pem") {
     84        copy("$shared_config_dir/$fn", $shared_seer_auth_dir )
     85            if -e "$shared_config_dir/$fn" && -d $shared_seer_auth_dir;
    7586    }
    7687}
Note: See TracChangeset for help on using the changeset viewer.