Changeset 3df9b33
- Timestamp:
- Oct 6, 2011 5:56:31 PM (13 years ago)
- Branches:
- compt_changes, info-ops, master
- Children:
- 9bde415
- Parents:
- b6a6206
- Files:
-
- 3 edited
fedd/federation/emulab_access.py
rb6a6206 r3df9b33 925 925 allocation log bound to the state log variable as well. 926 926 """ 927 configs = set(('hosts', 'ssh_pubkey', 'ssh_secretkey')) 927 configs = ('hosts', 'ssh_pubkey', 'ssh_secretkey', 928 'seer_ca_pem', 'seer_node_pem') 928 929 ename = None 929 930 pubkey_base = None -
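Review bot: Rewriting `configs` from `set((...))` to a bare tuple changes its type, not just its contents, and the rest of the function that consumes it is outside this hunk. A tuple is fine if `configs` is only used for `in` tests, but any later set operation (`&`, `|`, `.add`, `.discard`) on it will now raise; if that is the case keep the original shape, `configs = set(('hosts', 'ssh_pubkey', 'ssh_secretkey', 'seer_ca_pem', 'seer_node_pem'))`. Worth a one-line comment either way stating that the two new entries name the SEER CA and node certificate fetched from the experiment controller, so the coupling to the attribute names in experiment_control.py is visible here.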
fedd/federation/experiment_control.py
rb6a6206 r3df9b33 13 13 import signal 14 14 import time 15 16 import os.path 15 17 16 18 import traceback … … 551 553 "Cannot generate nonce ssh keys. %s return code %d" \ 552 554 % (self.ssh_keygen, rv)) 555 556 def generate_seer_certs(self, destdir): 557 ''' 558 Create a SEER ca cert and a node cert in destdir/ca.pem and 559 destdir/node.pem respectively. These will be distributed throughout 560 the federated experiment. This routine reports errors via 561 service_errors. 562 ''' 563 openssl = '/usr/bin/openssl' 564 # All the filenames and parameters we need for openssl calls below 565 ca_serial =os.path.join(destdir, 'ca.serial') 566 ca_key =os.path.join(destdir, 'ca.key') 567 ca_pem = os.path.join(destdir, 'ca.pem') 568 node_key =os.path.join(destdir, 'node.key') 569 node_pem = os.path.join(destdir, 'node.pem') 570 node_req = os.path.join(destdir, 'node.req') 571 node_signed = os.path.join(destdir, 'node.signed') 572 days = '%s' % (3600 * 24 * 365 * 10) 573 574 try: 575 # init a serial number for the openssl calls 576 f = open(ca_serial, 'w') 577 print >>f, '%s' % random.randint(0, 0xffffffff) 578 f.close() 579 580 # Sequence of calls to create a CA key, create a ca cert, create a 581 # node key, node signing request, and finally a signed node 582 # certificate. 583 sequence = ( 584 (openssl, 'genrsa', '-out', ca_key, '1024'), 585 (openssl, 'req', '-new', '-x509', '-key', ca_key, '-out', 586 ca_pem, '-days', days, '-subj', 587 '/C=US/ST=CA/O=DETER/OU=fedd/CN=CA' ), 588 (openssl, 'genrsa', '-out', node_key, '1024'), 589 (openssl, 'req', '-new', '-key', node_key, '-out', 590 node_req, '-days', days, '-subj', 591 '/C=US/ST=CA/O=DETER/OU=fedd/CN=node' ), 592 (openssl, 'x509', '-CA', ca_pem, '-CAkey', ca_key, 593 '-CAserial', ca_serial, '-req', '-in', node_req, 594 '-out', node_signed, '-days', days), 595 ) 596 # Do all that stuff; bail if there's an error, and push all the 597 # output to dev/null. 
598 for cmd in sequence: 599 trace = open("/dev/null", "w") 600 rv = call(cmd, stdout=trace, stderr=trace, close_fds=True) 601 if rv != 0: 602 raise service_error(service_error.internal, 603 "Cannot generate SEER certs. %s return code %d" \ 604 % (' '.join(cmd), rv)) 605 # Concatinate the node key and signed certificate into node.pem 606 f = open(node_pem, 'w') 607 for comp in (node_signed, node_key): 608 g = open(comp, 'r') 609 f.write(g.read)) 610 g.close() 611 f.close() 612 613 # Throw out intermediaries. 614 for fn in (ca_serial, ca_key, node_key, node_req, node_signed): 615 os.unlink(fn) 616 617 except EnvironmentError, e: 618 # Any difficulties with the file system wind up here 619 raise service_error(service_error.internal, 620 "File error on %s while creating SEER certs: %s" % \ 621 (e.filename, e.strerror)) 622 623 553 624 554 625 def gentopo(self, str): … … 1692 1763 testbed to lists of federated_service objects. The first lists all 1693 1764 exporters of services, and the second all exporters of services that 1694 need control portals in tthe experiment.1765 need control portals in the experiment. 1695 1766 """ 1696 1767 masters = { } … … 1733 1804 def generate_keys_and_hosts(self, tmpdir, expid, hosts, tbparams): 1734 1805 """ 1735 Create the ssh keys necessary for interconnecting the po tral nodes and1806 Create the ssh keys necessary for interconnecting the portal nodes and 1736 1807 the global hosts file for letting each segment know about the IP 1737 1808 addresses in play. Save these into the repo. Add attributes to the 1738 1809 autorizer allowing access controllers to download them and return a set 1739 of attributes that inform the segments where to find this stuff. Ma u1810 of attributes that inform the segments where to find this stuff. May 1740 1811 raise service_errors in if there are problems. 
1741 1812 """ 1742 1813 gw_pubkey_base = "fed.%s.pub" % self.ssh_type 1743 1814 gw_secretkey_base = "fed.%s" % self.ssh_type 1744 gw_pubkey = tmpdir + "/keys/" + gw_pubkey_base 1745 gw_secretkey = tmpdir + "/keys/" + gw_secretkey_base 1815 keydir = os.path.join(tmpdir, 'keys') 1816 gw_pubkey = os.path.join(keydir, gw_pubkey_base) 1817 gw_secretkey = os.path.join(keydir, gw_secretkey_base) 1746 1818 1747 1819 try: … … 1751 1823 "Bad key type (%s)" % self.ssh_type) 1752 1824 1825 self.generate_seer_certs(keydir) 1753 1826 1754 1827 # Copy configuration files into the remote file store … … 1770 1843 "Cannot write hosts file: %s" % e) 1771 1844 try: 1772 copy_file("%s" % gw_pubkey, "%s/%s" % \ 1773 (configdir, gw_pubkey_base)) 1774 copy_file("%s" % gw_secretkey, "%s/%s" % \ 1775 (configdir, gw_secretkey_base)) 1845 copy_file(gw_pubkey, os.path.join(configdir, gw_pubkey_base)) 1846 copy_file(gw_secretkey, os.path.join(configdir, gw_secretkey_base)) 1847 copy_file(os.path.join(keydir, 'ca.pem'), 1848 os.path.join(configdir, 'ca.pem')) 1849 copy_file(os.path.join(keydir, 'node.pem'), 1850 os.path.join(configdir, 'node.pem')) 1776 1851 except EnvironmentError, e: 1777 1852 raise service_error(service_error.internal, … … 1784 1859 (tbparams[tb]['allocID']['fedid'], "%s/%s" % (configpath, f)) \ 1785 1860 for tb in tbparams.keys() \ 1786 for f in ("hosts", gw_secretkey_base, gw_pubkey_base)])) 1861 for f in ("hosts", 'ca.pem', 'node.pem', 1862 gw_secretkey_base, gw_pubkey_base)])) 1787 1863 1788 1864 attrs = [ … … 1801 1877 'value': '%s/%s/config/hosts' % \ 1802 1878 (self.repo_url, expid) 1879 }, 1880 { 1881 'attribute': 'seer_ca_pem', 1882 'value': '%s/%s/config/%s' % \ 1883 (self.repo_url, expid, 'ca.pem') 1884 }, 1885 { 1886 'attribute': 'seer_node_pem', 1887 'value': '%s/%s/config/%s' % \ 1888 (self.repo_url, expid, 'node.pem') 1803 1889 }, 1804 1890 ] -
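Review bot: `f.write(g.read))` in the concatenation loop of `generate_seer_certs` is a syntax error, and even with the stray parenthesis dropped it would write the bound method rather than the file, so the new routine cannot have run as committed; it needs `f.write(g.read())`. The `days` value is computed in seconds (`3600 * 24 * 365 * 10`) but openssl `-days` counts days, so the CA and node certificates get a notAfter hundreds of thousands of years out; `'%d' % (365 * 10)` is what was meant. `node.pem` holds the node's private key and is later copied into the shared config directory, yet it is created under the process umask, and the two `genrsa` calls produce 1024-bit keys, which was already below recommended strength in 2011; setting `os.umask(0077)` for the duration of the routine and using 2048 bits fixes both. The `/dev/null` handle is reopened per command and never closed, and the `ca.serial` value comes from `random` rather than `os.urandom` (harmless for a serial, but note the module must actually be imported, which this hunk does not show).
```python
        days = '%d' % (365 * 10)            # openssl -days counts days
        # Private keys land in destdir; keep them owner-readable only.
        old_umask = os.umask(0077)
        try:
            # … unchanged: ca.serial init …
            sequence = (
                (openssl, 'genrsa', '-out', ca_key, '2048'),
                # … unchanged: ca cert request …
                (openssl, 'genrsa', '-out', node_key, '2048'),
                # … unchanged: node req and x509 signing …
            )
            for cmd in sequence:
                trace = open("/dev/null", "w")
                try:
                    rv = call(cmd, stdout=trace, stderr=trace, close_fds=True)
                finally:
                    trace.close()
                if rv != 0:
                    raise service_error(service_error.internal,
                            "Cannot generate SEER certs. %s return code %d" \
                                    % (' '.join(cmd), rv))
            f = open(node_pem, 'w')
            for comp in (node_signed, node_key):
                g = open(comp, 'r')
                f.write(g.read())
                g.close()
            f.close()
            # … unchanged: unlink intermediaries …
        finally:
            os.umask(old_umask)
```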
fedkit/federate.pl
rb6a6206 r3df9b33 21 21 my $tmcc_p = new IO::Pipe() || die "Can't open pipe: $!\n"; 22 22 my $shared_config_dir; 23 my $shared_seer_auth_dir; 23 24 my $local_config_dir = "/usr/local/federation/etc"; 24 25 my %services; … … 63 64 ($proj, $exp) = ($1, $2); 64 65 $shared_config_dir = "/proj/$proj/exp/$exp/tmp"; 66 $shared_seer_auth_dir = "/proj/$proj/exp/$exp/tbdata"; 65 67 last; 66 68 }; … … 70 72 mkdir($local_config_dir); 71 73 72 foreach my $fn ("seer.conf", "client.conf", "userconf", "hosts") { 74 foreach my $fn ("seer.conf", "client.conf", "userconf", "hosts", 75 "ca.pem", "node.pem") { 73 76 copy("$shared_config_dir/$fn", $local_config_dir ) 74 77 if -e "$shared_config_dir/$fn"; 78 } 79 80 # Copy seer authorization files into the location that standard SEER 81 # invocations will look. The above loop puts them where -F invocations 82 # will look. 83 foreach my $fn ("ca.pem", "node.pem") { 84 copy("$shared_config_dir/$fn", $shared_seer_auth_dir ) 85 if -e "$shared_config_dir/$fn" && -d $shared_seer_auth_dir; 75 86 } 76 87 }
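Review bot: The second loop copies `node.pem` into `/proj/$proj/exp/$exp/tbdata`, a directory shared by the whole project, and `File::Copy::copy` creates the destination under the current umask rather than preserving the source mode, so if `node.pem` carries the node's private key (as the fedd side appears to write it) it may end up group- or world-readable there. Neither `copy` call checks its return value, so a failed copy is silent as well. Tighten the mode and surface failures in one statement: `copy("$shared_config_dir/$fn", $shared_seer_auth_dir) && chmod(0600, "$shared_seer_auth_dir/$fn") or warn "Cannot install $fn in $shared_seer_auth_dir: $!\n";`. The enclosing block that both loops sit in starts outside this hunk.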