#include <strings.h>
#include <sys/stat.h>
#include <sys/socket.h>
+#include <sys/types.h>
#include <unistd.h>
#include "bitmap.h"
#include "cfg.h"
static char *private_key_file;
static char *certificate_file;
static char *cacert_file;
+ struct stat s;
if (config_string_change("ssl.private-key", &private_key_file)) {
vconn_ssl_set_private_key_file(private_key_file);
vconn_ssl_set_certificate_file(certificate_file);
}
- if (config_string_change("ssl.ca-cert", &cacert_file)) {
+ /* We assume that even if the filename hasn't changed, if the CA cert
+ * file has been removed, that we want to move back into
+ * boot-strapping mode. This opens a small security hole, because
+ * the old certificate will still be trusted until vSwitch is
+ * restarted. We may want to address this in vconn's SSL library. */
+ if (config_string_change("ssl.ca-cert", &cacert_file)
+ || (stat(cacert_file, &s) && errno == ENOENT)) {
vconn_ssl_set_ca_cert_file(cacert_file,
cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
}
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/types.h>
#include "bridge.h"
#include "cfg.h"
static char *private_key_file;
static char *certificate_file;
static char *cacert_file;
+ struct stat s;
/* XXX SSL should be configurable separate from the bridges.
* XXX should be possible to de-configure SSL. */
vconn_ssl_set_certificate_file(certificate_file);
}
- if (config_string_change("ssl.ca-cert", &cacert_file)) {
+ /* We assume that even if the filename hasn't changed, if the CA cert
+ * file has been removed, that we want to move back into
+ * boot-strapping mode. This opens a small security hole, because
+ * the old certificate will still be trusted until vSwitch is
+ * restarted. We may want to address this in vconn's SSL library. */
+ if (config_string_change("ssl.ca-cert", &cacert_file)
+ || (stat(cacert_file, &s) && errno == ENOENT)) {
vconn_ssl_set_ca_cert_file(cacert_file,
cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
}
import XenAPIPlugin
import XenAPI
+import os
import subprocess
cfg_mod="/root/vswitch/bin/ovs-cfg-mod"
vswitchd_cfg_filename="/etc/ovs-vswitchd.conf"
+cacert_filename="/etc/ovs-vswitchd.cacert"
+
+# Delete the CA certificate, so that we go back to boot-strapping mode
+def delete_cacert():
+ try:
+ os.remove(cacert_filename)
+ except OSError:
+ # Ignore error if file doesn't exist
+ pass
def update(session, args):
pools = session.xenapi.pool.get_all()
currentController = vswitchCurrentController()
if controller == "" and currentController != "":
log.debug("Removing controller configuration.")
+ delete_cacert()
removeControllerCfg()
return "Successfully removed controller config"
elif controller != currentController:
log.debug("Setting controller to: %s" % (controller))
else:
log.debug("Changing controller from %s to %s" % (currentController, controller))
+ delete_cacert()
setControllerCfg(controller)
return "Successfully set controller to " + controller
else:
git://git.onelab.eu / sliver-openvswitch.git / commitdiff