X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fsfa-start.py;h=f1fc047689372cdbda82204421b0c313f6f61d78;hb=3d51e29695f79b143974f5cf7b2e104d89626ba4;hp=ed77c78a4609b435a1ad17b30c32712c826c8e6f;hpb=ee8a376da1107884bee1ea29248a70e4da8410c9;p=sfa.git diff --git a/sfa/server/sfa-start.py b/sfa/server/sfa-start.py index ed77c78a..f1fc0476 100755 --- a/sfa/server/sfa-start.py +++ b/sfa/server/sfa-start.py @@ -14,7 +14,7 @@ # is up to date and accurate. # # 1) Import the existing planetlab database, creating the -# appropriate SFA records. This is done by running the "sfa-import-plc.py" tool. +# appropriate SFA records. This is done by running the "sfa-import.py" tool. # # 2) Create a "trusted_roots" directory and place the certificate of the root # authority in that directory. Given the defaults in sfa-import-plc.py, this @@ -25,30 +25,25 @@ # TODO: Can all three servers use the same "registry" certificate? ## -# TCP ports for the three servers -#registry_port=12345 -#aggregate_port=12346 -#slicemgr_port=12347 ### xxx todo not in the config yet component_port=12346 import os, os.path import traceback import sys -import sfa.util.xmlrpcprotocol as xmlrpcprotocol from optparse import OptionParser from sfa.util.sfalogging import logger +from sfa.util.xrn import get_authority, hrn_to_urn +from sfa.util.config import Config +from sfa.trust.gid import GID +from sfa.trust.trustedroots import TrustedRoots from sfa.trust.certificate import Keypair, Certificate from sfa.trust.hierarchy import Hierarchy from sfa.trust.gid import GID -from sfa.util.config import Config -from sfa.plc.api import PlcSfaApi +from sfa.server.sfaapi import SfaApi from sfa.server.registry import Registries from sfa.server.aggregate import Aggregates -from sfa.util.xrn import get_authority, hrn_to_urn -from sfa.util.sfalogging import logger - -from sfa.managers.managerwrapper import import_manager +from sfa.client.return_value import ReturnValue # after http://www.erlenstar.demon.co.uk/unix/faq_2.html def daemon(): @@ -60,103 +55,13 @@ def daemon(): devnull = os.open(os.devnull, os.O_RDWR) os.dup2(devnull, 0) # xxx fixme - this is just to make sure that nothing gets stupidly lost - should use devnull - crashlog = os.open('/var/log/httpd/sfa_access_log', os.O_RDWR | os.O_APPEND | os.O_CREAT, 0644) + logdir='/var/log/httpd' + # when installed in standalone we might not have httpd installed + if not os.path.isdir(logdir): os.mkdir('/var/log/httpd') + crashlog = os.open('%s/sfa_access_log'%logdir, os.O_RDWR | os.O_APPEND | os.O_CREAT, 0644) os.dup2(crashlog, 1) os.dup2(crashlog, 2) -def init_server_key(server_key_file, server_cert_file, config, hierarchy): - - hrn = config.SFA_INTERFACE_HRN.lower() - # check if the server's private key exists. If it doesnt, - # get the right one from the authorities directory. If it cant be - # found in the authorities directory, generate a random one - if not os.path.exists(server_key_file): - hrn = config.SFA_INTERFACE_HRN.lower() - hrn_parts = hrn.split(".") - rel_key_path = hrn - pkey_filename = hrn+".pkey" - - # sub authority's have "." in their hrn. This must - # be converted to os.path separator - if len(hrn_parts) > 0: - rel_key_path = hrn.replace(".", os.sep) - pkey_filename= hrn_parts[-1]+".pkey" - - key_file = os.sep.join([hierarchy.basedir, rel_key_path, pkey_filename]) - if not os.path.exists(key_file): - # if it doesnt exist then this is probably a fresh interface - # with no records. Generate a random keypair for now - logger.debug("server's public key not found in %s" % key_file) - - logger.debug("generating a random server key pair") - key = Keypair(create=True) - key.save_to_file(server_key_file) - init_server_cert(hrn, key, server_cert_file, self_signed=True) - - else: - # the pkey was found in the authorites directory. lets - # copy it to where the server key should be and generate - # the cert - key = Keypair(filename=key_file) - key.save_to_file(server_key_file) - init_server_cert(hrn, key, server_cert_file) - - # If private key exists and cert doesnt, recreate cert - if (os.path.exists(server_key_file)) and (not os.path.exists(server_cert_file)): - key = Keypair(filename=server_key_file) - init_server_cert(hrn, key, server_cert_file) - - -def init_server_cert(hrn, key, server_cert_file, self_signed=False): - """ - Setup the certificate for this server. Attempt to use gid before - creating a self signed cert - """ - if self_signed: - init_self_signed_cert(hrn, key, server_cert_file) - else: - try: - # look for gid file - logger.debug("generating server cert from gid: %s"% hrn) - hierarchy = Hierarchy() - auth_info = hierarchy.get_auth_info(hrn) - gid = GID(filename=auth_info.gid_filename) - gid.save_to_file(filename=server_cert_file) - except: - # fall back to self signed cert - logger.debug("gid for %s not found" % hrn) - init_self_signed_cert(hrn, key, server_cert_file) - -def init_self_signed_cert(hrn, key, server_cert_file): - logger.debug("generating self signed cert") - # generate self signed certificate - cert = Certificate(subject=hrn) - cert.set_issuer(key=key, subject=hrn) - cert.set_pubkey(key) - cert.sign() - cert.save_to_file(server_cert_file) - -def init_server(options, config): - """ - Locate the manager based on config.*TYPE - Execute the init_server method (well in fact function, sigh) if defined in that module - In order to migrate to a more generic approach: - * search for <>_manager_.py - * if not found, try <>_manager.py (and issue a warning if !='pl') - """ - if options.registry: - manager=import_manager ("registry", config.SFA_REGISTRY_TYPE) - if manager and hasattr(manager, 'init_server'): manager.init_server() - if options.am: - manager=import_manager ("aggregate", config.SFA_AGGREGATE_TYPE) - if manager and hasattr(manager, 'init_server'): manager.init_server() - if options.sm: - manager=import_manager ("slice", config.SFA_SM_TYPE) - if manager and hasattr(manager, 'init_server'): manager.init_server() - if options.cm: - manager=import_manager ("component", config.SFA_CM_TYPE) - if manager and hasattr(manager, 'init_server'): manager.init_server() - def install_peer_certs(server_key_file, server_cert_file): """ @@ -167,7 +72,8 @@ def install_peer_certs(server_key_file, server_cert_file): # There should be a gid file in /etc/sfa/trusted_roots for every # peer registry found in in the registries.xml config file. If there # are any missing gids, request a new one from the peer registry. - api = PlcSfaApi(key_file = server_key_file, cert_file = server_cert_file) + print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs server_key_file %s server_cert_file %s"%(server_key_file,server_cert_file) + api = SfaApi(key_file = server_key_file, cert_file = server_cert_file) registries = Registries() aggregates = Aggregates() interfaces = dict(registries.items() + aggregates.items()) @@ -179,32 +85,33 @@ def install_peer_certs(server_key_file, server_cert_file): peer_gids = [] if not new_hrns: return - + print>>sys.stderr," \r\n \r\n \t=============================================== install_peer_certs interfaces %s api.config.SFA_INTERFACE_HRN %s new_hrns %s" %( interfaces,api.config.SFA_INTERFACE_HRN,new_hrns) trusted_certs_dir = api.config.get_trustedroots_dir() - for new_hrn in new_hrns: + for new_hrn in new_hrns: if not new_hrn: continue # the gid for this interface should already be installed if new_hrn == api.config.SFA_INTERFACE_HRN: continue try: # get gid from the registry url = interfaces[new_hrn].get_url() - interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30) + interface = interfaces[new_hrn].server_proxy(server_key_file, server_cert_file, timeout=30) # skip non sfa aggregates + print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs IIIinterface %s url %s" %(interface,url) server_version = api.get_cached_server_version(interface) + print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs server_version %s \r\n \r\rn \t\t =============================================== server_version['sfa'] %s, " %(server_version, server_version['sfa']) if 'sfa' not in server_version: logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn) continue - - trusted_gids = interface.get_trusted_certs() + trusted_gids = ReturnValue.get_value(interface.get_trusted_certs()) if trusted_gids: # the gid we want should be the first one in the list, # but lets make sure - for trusted_gid in trusted_gids: # default message message = "interface: %s\t" % (api.interface) message += "unable to install trusted gid for %s" % \ (new_hrn) - gid = GID(string=trusted_gids[0]) + gid = GID(string=trusted_gid) + print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs gid %s " %(gid) peer_gids.append(gid) if gid.get_hrn() == new_hrn: gid_filename = os.path.join(trusted_certs_dir, '%s.gid' % new_hrn) @@ -224,35 +131,35 @@ def update_cert_records(gids): Make sure there is a record in the registry for the specified gids. Removes old records from the db. """ - # import SfaTable here so this module can be loaded by PlcComponentApi - from sfa.util.table import SfaTable - from sfa.util.record import SfaRecord + # import db stuff here here so this module can be loaded by PlcComponentApi + from sfa.storage.alchemy import dbsession + from sfa.storage.model import RegRecord if not gids: return - table = SfaTable() # get records that actually exist in the db gid_urns = [gid.get_urn() for gid in gids] hrns_expected = [gid.get_hrn() for gid in gids] - records_found = table.find({'hrn': hrns_expected, 'pointer': -1}) + records_found = dbsession.query(RegRecord).\ + filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all() # remove old records for record in records_found: - if record['hrn'] not in hrns_expected and \ - record['hrn'] != self.api.config.SFA_INTERFACE_HRN: - table.remove(record) + if record.hrn not in hrns_expected and \ + record.hrn != self.api.config.SFA_INTERFACE_HRN: + dbsession.delete(record) # TODO: store urn in the db so we do this in 1 query for gid in gids: hrn, type = gid.get_hrn(), gid.get_type() - record = table.find({'hrn': hrn, 'type': type, 'pointer': -1}) + record = dbsession.query(RegRecord).filter_by(hrn=hrn, type=type,pointer=-1).first() if not record: - record = { - 'hrn': hrn, 'type': type, 'pointer': -1, - 'authority': get_authority(hrn), - 'gid': gid.save_to_string(save_parents=True), - } - record = SfaRecord(dict=record) - table.insert(record) + record = RegRecord (dict= {'type':type, + 'hrn': hrn, + 'authority': get_authority(hrn), + 'gid': gid.save_to_string(save_parents=True), + }) + dbsession.add(record) + dbsession.commit() def main(): # Generate command line parser @@ -267,21 +174,23 @@ def main(): help="run component server", default=False) parser.add_option("-t", "--trusted-certs", dest="trusted_certs", action="store_true", help="refresh trusted certs", default=False) - parser.add_option("-v", "--verbose", action="count", dest="verbose", default=0, - help="verbose mode - cumulative") parser.add_option("-d", "--daemon", dest="daemon", action="store_true", help="Run as daemon.", default=False) (options, args) = parser.parse_args() config = Config() - if config.SFA_API_DEBUG: pass - hierarchy = Hierarchy() - server_key_file = os.path.join(hierarchy.basedir, "server.key") - server_cert_file = os.path.join(hierarchy.basedir, "server.cert") + logger.setLevelFromOptVerbose(config.SFA_API_LOGLEVEL) + - init_server_key(server_key_file, server_cert_file, config, hierarchy) - init_server(options, config) - + # ge the server's key and cert + hierarchy = Hierarchy() + auth_info = hierarchy.get_interface_auth_info() + server_key_file = auth_info.get_privkey_filename() + server_cert_file = auth_info.get_gid_filename() + print>>sys.stderr, " \r\n \t\t\t\t\t SFA-START MAIN auth_info %s server_key_file %s server_cert_file %s "%(auth_info, server_key_file,server_cert_file) + # ensure interface cert is present in trusted roots dir + trusted_roots = TrustedRoots(config.get_trustedroots_dir()) + trusted_roots.add_gid(GID(filename=server_cert_file)) if (options.daemon): daemon() if options.trusted_certs: