[Pkg-ganeti-devel] [ganeti] 143/165: Redistribute master key on downgrade

Apollon Oikonomopoulos apoikos at moszumanska.debian.org
Tue Aug 11 13:53:22 UTC 2015


This is an automated email from the git hooks/post-receive script.

apoikos pushed a commit to branch master
in repository ganeti.

commit 930cbbddcc5d46e4864388b939609dc60e2ba4fe
Author: Helga Velroyen <helgav at google.com>
Date:   Fri Jul 17 15:03:43 2015 +0200

    Redistribute master key on downgrade
    
    When downgrading from 2.13 to 2.12, the SSH key pair of
    each node needs to be replaced by the master's SSH key
    pair. If that is not done, any node added after the
    downgrade will not be reachable if the master is failed
    over to one of the original non-master nodes.
    
    This patch fixes Issue 1008. However, what is not cleaned
    up is the nodes' authorized_keys file. This will need
    significantly more effort, but this patch at least fixes
    the user-impacting issue.
    
    Signed-off-by: Helga Velroyen <helgav at google.com>
    Reviewed-by: Klaus Aehlig <aehlig at google.com>
---
 lib/client/gnt_cluster.py | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 6165dce..7304aab 100644
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -2181,6 +2181,42 @@ def _VersionSpecificDowngrade():
   """
   ToStdout("Performing version-specific downgrade tasks.")
 
+  # Determine if this cluster is set up with SSH handling
+  # (aka not using --no-ssh-init), check if the public
+  # keyfile exists.
+  update_keys = os.path.exists(pathutils.SSH_PUB_KEYS)
+
+  if not update_keys:
+    return True
+
+  ToStdout("Replace nodes' SSH keys with the master's keys.")
+  (_, root_keyfiles) = \
+    ssh.GetAllUserFiles(constants.SSH_LOGIN_USER, mkdir=False, dircheck=False)
+
+  dsa_root_keyfiles = dict((kind, value) for (kind, value)
+                           in root_keyfiles.items()
+                           if kind == constants.SSHK_DSA)
+  master_private_keyfile, master_public_keyfile = \
+      dsa_root_keyfiles[constants.SSHK_DSA]
+
+  nodes = ssconf.SimpleStore().GetOnlineNodeList()
+  master_node = ssconf.SimpleStore().GetMasterNode()
+  cluster_name = ssconf.SimpleStore().GetClusterName()
+
+  # If master node is in 'nodes', remove it
+  if master_node in nodes:
+    nodes.remove(master_node)
+
+  srun = ssh.SshRunner(cluster_name=cluster_name)
+  for name in nodes:
+    for key_file in [master_private_keyfile, master_public_keyfile]:
+      command = utils.text.ShellQuoteArgs([
+          "scp", key_file, "%s:%s" % (name, key_file)])
+      result = srun.Run(master_node, constants.SSH_LOGIN_USER, command)
+      if result.exit_code != 0:
+        ToStderr("Overiding SSH key '%s' of node '%s' failed. You might"
+                 " want to clean up manually." % (key_file, name))
+
   return True
 
 
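Review bot: The `result.exit_code != 0` branch only prints a warning and the function still falls through to `return True`, so a downgrade in which some nodes never received the master's key pair is reported as successful. That is the exact state the commit message describes as leaving later-added nodes unreachable after a master failover. The inner loop also copies the private and public key files independently, so a failure on the second copy leaves that node with a mismatched pair. Consider collecting the names of nodes where either copy failed, printing them in one summary at the end, and returning False (or otherwise signalling the caller) when the list is not empty. Smaller points: the `dsa_root_keyfiles` dict comprehension filters to a single kind only to index it right away, so `root_keyfiles[constants.SSHK_DSA]` would do the same with less code, and a short comment on why only the DSA pair is redistributed would help; "Overiding" in the error message should read "Overriding".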

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git


