4 use Debconf::Client::ConfModule ':all';
7 use Digest::SHA1 'sha1_hex';
11 # XXX should support configuring SWITCH_NETMASK and SWITCH_GATEWAY
12 # when the mode is in-band.
14 my $debconf_owner = 'openflow-switch';
16 my $default = '/etc/default/openflow-switch';
17 my $etc = '/etc/openflow-switch';
18 my $rundir = '/var/run';
19 my $privkey_file = "$etc/of0-privkey.pem";
20 my $req_file = "$etc/of0-req.pem";
21 my $cert_file = "$etc/of0-cert.pem";
22 my $cacert_file = "$etc/cacert.pem";
23 my $ofp_discover_pidfile = "$rundir/ofp-discover.pid";
25 my $ua = LWP::UserAgent->new;
29 system("/etc/init.d/openflow-switch stop 1>&2");
34 title('OpenFlow Switch Setup');
36 my (%netdevs) = find_netdevs();
37 db_subst('netdevs', 'choices',
38 join(', ', map($netdevs{$_}, sort(keys(%netdevs)))));
39 db_set('netdevs', join(', ', grep(!/IP/, values(%netdevs))));
43 %oldconfig = load_config($default);
47 db_set('netdevs', join(', ', map($netdevs{$_},
48 grep(exists $netdevs{$_}, split))))
52 $_ eq 'in-band' || $_ eq 'out-of-band' ? $_ : 'discovery')
54 SWITCH_IP => sub { db_set('switch-ip', $_) },
55 CONTROLLER => sub { db_set('controller-vconn', $_) },
56 PRIVKEY => sub { $privkey_file = $_ },
57 CERT => sub { $cert_file = $_ },
58 CACERT => sub { $cacert_file = $_ },
61 for my $key (keys(%map)) {
62 local $_ = $oldconfig{$key};
63 &{$map{$key}}() if defined && !/^\s*$/;
67 my $cacert_preverified = -e $cacert_file;
68 my ($req, $req_fingerprint);
74 # User backed up from first dialog box.
78 # Prompt for ports to include in switch.
83 # Validate the chosen ports.
84 my (@netdevs) = split(', ', db_get('netdevs'));
86 # No ports chosen. Disable switch.
87 db_input('no-netdevs');
88 return 'prev' if db_go();
90 } elsif (my (@conf_netdevs) = grep(/IP/, @netdevs)) {
91 # Point out that some ports have configured IP addresses.
92 db_subst('configured-netdevs', 'configured-netdevs',
93 join(', ', @conf_netdevs));
94 db_input('configured-netdevs');
102 # Discovery or in-band or out-of-band controller?
107 return 'skip' if db_get('mode') ne 'discovery';
109 # Notify user that we are going to do discovery.
110 db_input('discover');
111 return 'prev' if db_go();
112 print STDERR "Please wait up to 30 seconds for discovery...\n";
114 # Make sure that there's no running discovery process.
119 open(DISCOVER, '-|', 'ofp-discover --timeout=30 --pidfile '
120 . join(' ', netdev_names()));
123 if (my ($name, $value) = /^([^=]+)=(.*)$/) {
124 if ($value =~ /^"(.*)"$/) {
126 $value =~ s/\\([0-7][0-7][0-7])/chr($1)/ge;
128 $value =~ s/^(0x[[:xdigit:]]+)$/hex($1)/e;
129 $value = '' if $value eq 'empty';
130 next if $value eq 'null'; # Shouldn't happen.
132 $options{$name} = $value;
138 my $vconn = $options{'ofp-controller-vconn'};
139 my $pki_uri = $options{'ofp-pki-uri'};
142 && is_valid_vconn($vconn)
143 && (!is_ssl_vconn($vconn) || defined($pki_uri)));
147 db_input('discovery-failure');
152 return 'skip' if db_get('mode') ne 'discovery';
154 my $vconn = $options{'ofp-controller-vconn'};
155 my $pki_uri = $options{'ofp-pki-uri'};
156 db_subst('discovery-success', 'controller-vconn', $vconn);
157 db_subst('discovery-success',
158 'pki-uri', is_ssl_vconn($vconn) ? $pki_uri : "no PKI in use");
159 db_input('discovery-success');
160 return 'prev' if db_go();
161 db_set('controller-vconn', $vconn);
162 db_set('pki-uri', $pki_uri);
166 return 'skip' if db_get('mode') ne 'in-band';
168 db_input('switch-ip');
169 return 'prev' if db_go();
171 my $ip = db_get('switch-ip');
172 return 'next' if $ip =~ /^dhcp|\d+\.\d+.\d+.\d+$/i;
174 db_input('switch-ip-error');
179 return 'skip' if db_get('mode') eq 'discovery';
181 my $old_vconn = db_get('controller-vconn');
182 db_input('controller-vconn');
183 return 'prev' if db_go();
185 my $vconn = db_get('controller-vconn');
186 if (is_valid_vconn($vconn)) {
187 if ($old_vconn ne $vconn || db_get('pki-uri') eq '') {
188 db_set('pki-uri', pki_host_to_uri($2));
193 db_input('controller-vconn-error');
198 return 'skip' if !ssl_enabled();
200 if (! -e $privkey_file) {
201 my $old_umask = umask(077);
202 run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");
203 chmod(0644, $req_file) or die "$req_file: chmod: $!\n";
207 if (! -e $cert_file) {
208 open(REQ, '<', $req_file) or die "$req_file: open: $!\n";
209 $req = join('', <REQ>);
211 $req_fingerprint = sha1_hex($req);
216 return 'skip' if !ssl_enabled();
217 return 'skip' if -e $cacert_file && -e $cert_file;
220 return 'prev' if db_go();
224 return 'skip' if !ssl_enabled();
225 return 'skip' if -e $cacert_file;
227 my $pki_uri = db_get('pki-uri');
228 if ($pki_uri !~ /:/) {
229 $pki_uri = pki_host_to_uri($pki_uri);
231 # Trim trailing slashes.
234 db_set('pki-uri', $pki_uri);
236 my $url = "$pki_uri/controllerca/cacert.pem";
237 my $response = $ua->get($url, ':content_file' => $cacert_file);
238 if ($response->is_success) {
242 db_subst('fetch-cacert-failed', 'url', $url);
243 db_subst('fetch-cacert-failed', 'error', $response->status_line);
244 db_subst('fetch-cacert-failed', 'pki-uri', $pki_uri);
245 db_input('fetch-cacert-failed');
250 return 'skip' if !ssl_enabled();
251 return 'skip' if -e $cert_file;
254 db_set('send-cert-req', 'yes');
255 db_input('send-cert-req');
256 return 'prev' if db_go();
257 return 'next' if db_get('send-cert-req') eq 'no';
259 my $pki_uri = db_get('pki-uri');
260 my ($pki_base_uri) = $pki_uri =~ m%^([^/]+://[^/]+)/%;
261 my $url = "$pki_base_uri/cgi-bin/ofp-pki-cgi";
262 my $response = $ua->post($url, {'type' => 'switch',
264 return 'next' if $response->is_success;
266 db_subst('send-cert-req-failed', 'url', $url);
267 db_subst('send-cert-req-failed', 'error',
268 $response->status_line);
269 db_subst('send-cert-req-failed', 'pki-uri', $pki_uri);
270 db_input('send-cert-req-failed');
275 return 'skip' if !ssl_enabled();
276 return 'skip' if $cacert_preverified;
278 my ($cacert_fingerprint) = x509_fingerprint($cacert_file);
279 db_subst('verify-controller-ca', 'fingerprint', $cacert_fingerprint);
280 db_input('verify-controller-ca');
281 return 'prev' if db_go();
282 return 'next' if db_get('verify-controller-ca') eq 'yes';
283 unlink($cacert_file);
287 return 'skip' if !ssl_enabled();
288 return 'skip' if -e $cert_file;
291 db_set('fetch-switch-cert', 'yes');
292 db_input('fetch-switch-cert');
293 return 'prev' if db_go();
294 exit(1) if db_get('fetch-switch-cert') eq 'no';
296 my $pki_uri = db_get('pki-uri');
297 my $url = "$pki_uri/switchca/certs/$req_fingerprint-cert.pem";
298 my $response = $ua->get($url, ':content_file' => $cert_file);
299 if ($response->is_success) {
303 db_subst('fetch-switch-cert-failed', 'url', $url);
304 db_subst('fetch-switch-cert-failed', 'error',
305 $response->status_line);
306 db_subst('fetch-switch-cert-failed', 'pki-uri', $pki_uri);
307 db_input('fetch-switch-cert-failed');
312 db_input('complete');
324 my $ret = &{$states[$state]}();
325 $ret = db_go() ? 'prev' : 'next' if !defined $ret;
326 if ($ret eq 'next') {
328 } elsif ($ret eq 'prev') {
330 } elsif ($ret eq 'skip') {
332 } elsif ($ret eq 'done') {
335 die "unknown ret $ret";
337 $state += $direction;
340 my %config = %oldconfig;
341 $config{NETDEVS} = join(' ', netdev_names());
342 $config{MODE} = db_get('mode');
343 if (db_get('mode') eq 'in-band') {
344 $config{SWITCH_IP} = db_get('switch-ip');
346 if (db_get('mode') ne 'discovery') {
347 $config{CONTROLLER} = db_get('controller-vconn');
349 $config{PRIVKEY} = $privkey_file;
350 $config{CERT} = $cert_file;
351 $config{CACERT} = $cacert_file;
352 save_config($default, %config);
354 dup2(2, 1); # Get stdout back.
356 system("/etc/init.d/openflow-switch start");
359 return is_ssl_vconn(db_get('controller-vconn'));
363 my ($question, $key, $value) = @_;
364 $question = "$debconf_owner/$question";
365 my ($ret, $seen) = subst($question, $key, $value);
366 if ($ret && $ret != 30) {
367 die "Error substituting $value for $key in debconf question "
368 . "$question: $seen";
373 my ($question, $value) = @_;
374 $question = "$debconf_owner/$question";
375 my ($ret, $seen) = set($question, $value);
376 if ($ret && $ret != 30) {
377 die "Error setting debconf question $question to $value: $seen";
383 $question = "$debconf_owner/$question";
384 my ($ret, $seen) = get($question);
386 die "Error getting debconf question $question answer: $seen";
392 my ($question, $flag, $value) = @_;
393 $question = "$debconf_owner/$question";
394 my ($ret, $seen) = fset($question, $flag, $value);
395 if ($ret && $ret != 30) {
396 die "Error setting debconf question $question flag $flag to $value: "
402 my ($question, $flag) = @_;
403 $question = "$debconf_owner/$question";
404 my ($ret, $seen) = fget($question, $flag);
406 die "Error getting debconf question $question flag $flag: $seen";
413 db_fset($question, "seen", "false");
415 $question = "$debconf_owner/$question";
416 my ($ret, $seen) = input('high', $question);
417 if ($ret && $ret != 30) {
418 die "Error requesting debconf question $question: $seen";
424 my ($ret, $seen) = go();
425 if (!defined($ret)) {
426 exit(1); # Cancel button was pushed.
428 if ($ret && $ret != 30) {
429 die "Error asking debconf questions: $seen";
436 return if system($cmd) == 0;
439 die "$cmd: failed to execute: $!\n";
441 die sprintf("$cmd: child died with signal %d, %s coredump\n",
442 ($? & 127), ($? & 128) ? 'with' : 'without');
444 die sprintf("$cmd: child exited with value %d\n", $? >> 8);
448 sub x509_fingerprint {
450 my $cmd = "openssl x509 -noout -in $file -fingerprint";
451 open(OPENSSL, '-|', $cmd) or die "$cmd: failed to execute: $!\n";
452 my $line = <OPENSSL>;
454 my ($fingerprint) = $line =~ /SHA1 Fingerprint=(.*)/;
455 return $line if !defined $fingerprint;
456 $fingerprint =~ s/://g;
461 my ($netdev, %netdevs);
462 open(IFCONFIG, "/sbin/ifconfig -a|") or die "ifconfig failed: $!";
464 if (my ($nd) = /^([^\s]+)/) {
466 $netdevs{$netdev} = "$netdev";
467 if (my ($hwaddr) = /HWaddr (\S+)/) {
468 $netdevs{$netdev} .= " (MAC: $hwaddr)";
470 } elsif (my ($ip4) = /^\s*inet addr:(\S+)/) {
471 $netdevs{$netdev} .= " (IP: $ip4)";
472 } elsif (my ($ip6) = /^\s*inet6 addr:(\S+)/) {
473 $netdevs{$netdev} .= " (IPv6: $ip6)";
476 foreach my $nd (keys(%netdevs)) {
477 delete $netdevs{$nd} if $nd eq 'lo' || $nd =~ /^wmaster/;
486 # Get the list of the variables that the shell sets automatically.
487 my (%auto_vars) = read_vars("set -a && env");
489 # Get the variables from $default.
490 my (%config) = read_vars("set -a && . '$default' && env");
493 delete @config{keys %auto_vars};
501 if (!open(VARS, '-|', $cmd)) {
502 print STDERR "$cmd: failed to execute: $!\n";
507 my ($var, $value) = /^([^=]+)=(.*)$/ or next;
508 $config{$var} = $value;
518 } elsif (m&^[-a-zA-Z0-9:./%^_+,]*$&) {
527 my ($var, $value) = @_;
528 return $var . '=' . shell_escape($value);
532 my ($file, %config) = @_;
534 if (open(FILE, '<', $file)) {
540 # Replace all existing variable assignments.
541 for (my ($i) = 0; $i <= $#lines; $i++) {
542 local $_ = $lines[$i];
543 my ($var, $value) = /^\s*([^=#]+)=(.*)$/ or next;
544 if (exists($config{$var})) {
545 $lines[$i] = shell_assign($var, $config{$var});
546 delete $config{$var};
548 $lines[$i] = "#$lines[$i]";
552 # Find a place to put any remaining variable assignments.
554 for my $var (keys(%config)) {
555 my $assign = shell_assign($var, $config{$var});
557 # Replace the last commented-out variable assignment to $var, if any.
558 for (my ($i) = $#lines; $i >= 0; $i--) {
559 local $_ = $lines[$i];
560 if (/^\s*#\s*$var=/) {
561 $lines[$i] = $assign;
566 # Find a place to add the var: after the final commented line
567 # just after a line that contains "$var:".
568 for (my ($i) = 0; $i <= $#lines; $i++) {
569 if ($lines[$i] =~ /^\s*#\s*$var:/) {
570 for (my ($j) = $i + 1; $j <= $#lines; $j++) {
571 if ($lines[$j] !~ /^\s*#/) {
572 splice(@lines, $j, 0, $assign);
580 push(@lines, $assign);
583 open(NEWFILE, '>', "$file.tmp") or die "$file.tmp: create: $!\n";
584 print NEWFILE join('', map("$_\n", @lines));
586 rename("$file.tmp", $file) or die "$file.tmp: rename to $file: $!\n";
589 sub pki_host_to_uri {
591 return "http://$pki_host/openflow/pki";
594 sub kill_ofp_discover {
595 # Delegate this to a subprocess because there is no portable way
596 # to invoke fcntl(F_GETLK) from Perl.
597 system("ofp-kill --force $ofp_discover_pidfile");
601 return map(/^(\S+)/, split(', ', db_get('netdevs')));
606 return scalar($vconn =~ /^(tcp|ssl):([^:]+)(:.*)?/);
611 return scalar($vconn =~ /^ssl:/);