Commit 13635c9a authored by Thomas Goirand's avatar Thomas Goirand

Add oci-fernet-keys-rotate script on the first master controller node.

parent 901612ef
#!/bin/sh
set -e
ME=$(hostname)
HOSTLIST=$(cat /etc/hosts | grep controller | awk '{print $2}')
keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keystone-user keystone --keystone-group keystone
for i in ${HOSTLIST} ; do
if ! [ "${i}" = "${ME}" ] ; then
rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' -avz --delete /etc/keystone/fernet-keys/ root@${i}:/etc/keystone/fernet-keys/
fi
done
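Review bot: Host-key verification is switched off on the transfer at `rsync -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' ...`, so the fernet keys — the secrets that sign and validate every Keystone token — are pushed to whatever currently answers for each controller name, and a substituted peer would go unnoticed. The controllers are fixed cluster members, so their host keys can be shipped in a known_hosts file with the image and the two options replaced by `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/keystone/controllers.known_hosts` (path is a placeholder). The host list at `HOSTLIST=$(cat /etc/hosts | grep controller | awk '{print $2}')` also matches any /etc/hosts entry containing the substring "controller" in any column, not just controller hostnames, so an unrelated alias would receive the keys. Under `set -e` one unreachable peer aborts the loop and leaves the remaining controllers with the previous key set; recording the failure and continuing, e.g. `rsync ... || failed="${failed} ${i}"`, then exiting non-zero at the end keeps the rest of the cluster consistent.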
......@@ -96,6 +96,7 @@ if [ -d /oci-in-target ] ; then
cd /oci-in-target
cp -auxf * ${BODI_CHROOT_PATH}
cd ${CWD}
# Make sure we have correct rights for /root/.ssh
mkdir ${BODI_CHROOT_PATH}/root
if [ -e ${BODI_CHROOT_PATH}/root/.ssh ] ; then
chmod 0700 ${BODI_CHROOT_PATH}/root/.ssh
......@@ -105,6 +106,11 @@ if [ -d /oci-in-target ] ; then
if [ -e ${BODI_CHROOT_PATH}/root/.ssh/id_rsa.pub ] ; then
cat ${BODI_CHROOT_PATH}/root/.ssh/id_rsa.pub >> ${BODI_CHROOT_PATH}/root/.ssh/authorized_keys
fi
# Make sure we have correct rights for /etc/cron.daily scripts
chown -R root:root ${BODI_CHROOT_PATH}/etc/cron.daily || true
if [ -e ${BODI_CHROOT_PATH}/etc/cron.daily/oci-fernet-keys-rotate ] ; then
chmod +x ${BODI_CHROOT_PATH}/etc/cron.daily/oci-fernet-keys-rotate
fi
fi
# Customize /root/.screenrc
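Review bot: `chmod +x ${BODI_CHROOT_PATH}/etc/cron.daily/oci-fernet-keys-rotate` only adds the execute bits and keeps whatever group/other write bits the copied file carried in; run-parts executes everything in /etc/cron.daily as root, so set the mode explicitly, `chmod 0755 "${BODI_CHROOT_PATH:?}/etc/cron.daily/oci-fernet-keys-rotate"`. The `|| true` on `chown -R root:root ${BODI_CHROOT_PATH}/etc/cron.daily` hides a failure to take ownership of those same root-run scripts, which is worth at least a warning on stderr rather than silence. Both lines, like the `mkdir ${BODI_CHROOT_PATH}/root` in the earlier hunk, expand the chroot path unquoted; with an empty value they would operate on the build host's own /etc and /root, which `"${BODI_CHROOT_PATH:?}"` prevents. The enclosing `if [ -d /oci-in-target ]` block starts before this hunk.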
......@@ -1012,9 +1012,11 @@ function slave_install_os($con, $conf, $machine_id, $install_cmd){
return $out;
}
$cluster = mysqli_fetch_array($r);
$cluster_name = $cluster["name"];
$cluster_domain = $cluster["domain"];
$cluster_vip_hostname = $cluster["vip_hostname"];
$cluster_name = $cluster["name"];
$cluster_domain = $cluster["domain"];
$cluster_vip_hostname = $cluster["vip_hostname"];
$first_master_machine_id = $cluster["first_master_machine_id"];
if($cluster_vip_hostname == ""){
$api_hostname = $cluster_name . "-api." . $cluster_domain;
}else{
......@@ -1077,16 +1079,23 @@ https://salsa.debian.org/openstack-team/debian/openstack-cluster-installer
copy("$swift_ring_path/object.ring.gz", "$template_path/oci-in-target/etc/swift/object.ring.gz");
}
######################################
### Copy the cluster's ssh keypair ###
######################################
$ssh_key_dir = "/var/lib/oci/clusters/$cluster_name/ssh";
if(file_exists("$ssh_key_dir/id_rsa")){
mkdir("$template_path/root");
mkdir("$template_path/root/.ssh", 0700);
copy("$ssh_key_dir/id_rsa", "$template_path/oci-in-target/root/.ssh/id_rsa");
if(file_exists("$ssh_key_dir/id_rsa.pub")){
copy("$ssh_key_dir/id_rsa.pub", "$template_path/oci-in-target/root/.ssh/id_rsa.pub");
###########################################################
### Copy the cluster's ssh keypair if it's a controller ###
###########################################################
if($machine_role == "controller"){
$ssh_key_dir = "/var/lib/oci/clusters/$cluster_name/ssh";
if(file_exists("$ssh_key_dir/id_rsa")){
mkdir("$template_path/root");
mkdir("$template_path/root/.ssh", 0700);
copy("$ssh_key_dir/id_rsa", "$template_path/oci-in-target/root/.ssh/id_rsa");
if(file_exists("$ssh_key_dir/id_rsa.pub")){
copy("$ssh_key_dir/id_rsa.pub", "$template_path/oci-in-target/root/.ssh/id_rsa.pub");
}
}
# Add fernet rotation script if it's the first master server
if($machine_id == $first_master_machine_id){
mkdir("$template_path/oci-in-target/etc/cron.daily");
copy("/usr/bin/oci-fernet-keys-rotate", "$template_path/oci-in-target/etc/cron.daily/oci-fernet-keys-rotate");
}
}
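Review bot: `mkdir("$template_path/oci-in-target/etc/cron.daily");` creates the directory with PHP's default mode (0777 before umask) and emits a warning if it already exists, while the sibling `mkdir("$template_path/root/.ssh", 0700);` in the same hunk sets its mode explicitly; since this directory lands in the target's /etc and its contents are executed by run-parts as root, write it as `if(!is_dir("$template_path/oci-in-target/etc/cron.daily")) mkdir("$template_path/oci-in-target/etc/cron.daily", 0755);`. The `copy()` return value is ignored, so a missing /usr/bin/oci-fernet-keys-rotate silently produces an image with no rotation job; checking it and logging the failure would surface that. `if($machine_id == $first_master_machine_id)` is a loose comparison between a value read from the cluster row and the function argument — if the column can be NULL for a cluster with no designated first master, a numeric 0 machine id would compare equal to it; comparing both as strings with `===` (and skipping when the column is null) avoids that, though the column's type is not visible here. The enclosing function starts before this hunk.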