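#!/bin/sh
# oci-renew-intermediate-ca: rebuild the OCI PKI (root and intermediate CA)
# and roll the new certificates out to every installed node of the cluster.
# Runs on the OCI host and reaches the nodes over ssh with the installer key.

set -e

echo "===> Fetching cluster infos"
# Fetch the cluster list once; the first row is the cluster we operate on.
# Assigning the ocicli output directly (instead of piping it) lets set -e
# abort the script when ocicli itself fails.
CLUSTER_LIST=$(ocicli -csv cluster-list)
CLUSTER_NAME=$(printf '%s\n' "${CLUSTER_LIST}" | q -H -d, "SELECT name FROM -" | head -n 1)
DOMAIN_NAME=$(printf '%s\n' "${CLUSTER_LIST}" | q -H -d, "SELECT domain FROM -" | head -n 1)
# Everything below is keyed on the cluster name; stop here rather than pass an
# empty argument to cluster-show / cluster-set.
: "${CLUSTER_NAME:?no cluster found in 'ocicli cluster-list' output}"
CLUSTER_INFO=$(ocicli -csv cluster-show "${CLUSTER_NAME}")
SELF_SIGNED_API_CERT=$(printf '%s\n' "${CLUSTER_INFO}" | grep "Self signed API cert:" | cut -d, -f2)
API_HOSTNAME=$(printf '%s\n' "${CLUSTER_INFO}" | grep "VIP Hostname:" | cut -d, -f2)
# A VIP hostname still reading "default ..." means none was configured:
# fall back to the conventional <cluster>-api.<domain> name.
if printf '%s\n' "${API_HOSTNAME}" | grep -q -E "^default " ; then
        API_HOSTNAME=${CLUSTER_NAME}-api.${DOMAIN_NAME}
fi

# Snapshot the machine list once and derive the per-role host lists from it.
# Each list holds one "hostname,ip" token per line; the functions below rely
# on word-splitting to iterate over them.
TMP=$(mktemp)
# Remove the snapshot on any exit path, not only after the happy path.
trap 'rm -f -- "${TMP}"' EXIT
ocicli -csv machine-list -a >"${TMP}"
ALL_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND status='installed'" <"${TMP}")
CTRL_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='controller' AND status='installed'" <"${TMP}")
MSG_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='messaging' AND status='installed'" <"${TMP}")
PRX_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='swiftproxy' AND status='installed'" <"${TMP}")
COMP_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='compute' AND status='installed'" <"${TMP}")
VOL_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='volume' AND status='installed'" <"${TMP}")
NET_HOSTS=$(q -H -d, "SELECT hostname,Cur_ip FROM - WHERE hostname!='-' AND role='network' AND status='installed'" <"${TMP}")
rm -f -- "${TMP}"


# Controllers in reverse order: rabbitmq is stopped in CTRL_HOSTS order and
# started again in this order (see restart_rabbitmq_on_controllers).
CTRL_HOSTS_REV=
for i in $CTRL_HOSTS; do
        CTRL_HOSTS_REV="$i $CTRL_HOSTS_REV"
done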

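update_oci_utils_on_all_hosts () {
        # Re-install the OCI utils/common packages on every installed node so
        # the tooling used during the PKI roll-out is current.
        # Reads: ALL_HOSTS (one "hostname,ip" token per line).
        echo "===> Update oci-utils everywhere"
        # Intentional word-splitting: one token per line.
        for HOST in ${ALL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Re-installing openstack-cluster-installer-utils on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so ssh authenticates only with the
                # installer key, never with an identity from a forwarded agent.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "apt-get update && apt-get install openstack-cluster-installer-utils openstack-cluster-installer-common --reinstall -y"
        done
}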

delete_intermediary_ca_on_oci_host () {
        # Wipe the intermediate "oci-ca" material on the OCI host itself: the
        # published copies under /var/lib/oci/ssl/ca, and the CA directory,
        # CSR, certificate and chain under the installer's pki tree.
        echo "===> Deleting oci-ca"
        PUB_CA_DIR=/var/lib/oci/ssl/ca
        PKI_CA_DIR=/etc/openstack-cluster-installer/pki/ca
        for F in "${PUB_CA_DIR}/oci-pki-oci-ca-chain.pem" \
                 "${PUB_CA_DIR}/oci-pki-oci-ca.pem" \
                 "${PKI_CA_DIR}/oci-ca-chain.pem" \
                 "${PKI_CA_DIR}/oci-ca.crt" \
                 "${PKI_CA_DIR}/oci-ca.csr" ; do
                rm -f -- "${F}"
        done
        rm -rf -- "${PKI_CA_DIR}/oci-ca"
}

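delete_all_server_certs () {
        # Remove the per-node server (and client) key material issued by the
        # old intermediate CA so puppet re-requests certificates from the new one.
        # Reads: SELF_SIGNED_API_CERT, API_HOSTNAME, ALL_HOSTS, DEL_API.
        echo "===> Deleting self-signed API certs"
        if [ "${SELF_SIGNED_API_CERT}" = "yes" ] ; then
                for KEYMATERIAL in .crt .csr .key .pem ; do
                        # ${API_HOSTNAME:?} refuses to run against an empty
                        # hostname, which would otherwise target "slave-nodes//".
                        rm -f -- "/var/lib/oci/ssl/slave-nodes/${API_HOSTNAME:?}/${API_HOSTNAME}${KEYMATERIAL}"
                done
        fi
        echo "===> Deleting all server certs"
        # DEL_API is not assigned anywhere in this script; it only adds hosts
        # when exported by the caller — TODO confirm it is still needed.
        # Intentional word-splitting: one "hostname,ip" token per line.
        for HOST in ${ALL_HOSTS} ${DEL_API} ; do
                HOSTNAME=${HOST%%,*}
                echo "-> $HOSTNAME"
                for KEYMATERIAL in .crt .csr .key .pem _client.crt _client.csr _client.key _client.pem ; do
                        rm -f -- "/var/lib/oci/ssl/slave-nodes/${HOSTNAME:?}/${HOSTNAME}${KEYMATERIAL}"
                done
        done
}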

gen_api_cert () {
        # Regenerate the API VIP's server certificate when any piece of its
        # key material (.crt/.csr/.key/.pem) is missing from the slave-nodes
        # store; a complete set is left untouched.
        # Reads: API_HOSTNAME.
        CERT_DIR=/var/lib/oci/ssl/slave-nodes/${API_HOSTNAME}
        MISSING=no
        for KEYMATERIAL in .crt .csr .key .pem ; do
                [ -e "${CERT_DIR}/${API_HOSTNAME}${KEYMATERIAL}" ] && continue
                MISSING=yes
                break
        done
        if [ "${MISSING}" = "yes" ] ; then
                oci-gen-slave-node-cert "${API_HOSTNAME}"
        fi
}

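run_puppet_on_ctrls () {
        # Re-enable and run puppet on each controller, then restart the
        # OpenStack services and haproxy so they pick up the new certificates.
        # Reads: CTRL_HOSTS (one "hostname,ip" token per line).
        echo "===> Running puppet on all controllers"
        # Intentional word-splitting: one token per line.
        for HOST in ${CTRL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Running puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "/etc/init.d/haproxy restart"
        done
}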

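run_puppet_on_msgs () {
        # Re-enable and run puppet on each messaging node.
        # Reads: MSG_HOSTS (one "hostname,ip" token per line).
        echo "===> Running puppet on all messagings"
        # Intentional word-splitting: one token per line.
        for HOST in ${MSG_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Running puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
        done
}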

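run_puppet_on_swiftproxies () {
        # Re-enable and run puppet on each swift proxy node.
        # Reads: PRX_HOSTS (one "hostname,ip" token per line).
        echo "===> Running puppet on all swift proxies"
        # Intentional word-splitting: one token per line.
        for HOST in ${PRX_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Running puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
        done
}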

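restart_rabbitmq_on_controllers (){
        # Full cluster-wide rabbitmq restart in four passes: stop_app on every
        # controller, stop the service everywhere, then start the service and
        # start_app in reverse order (CTRL_HOSTS_REV) so the last node stopped
        # is the first one back.
        # Reads: CTRL_HOSTS, CTRL_HOSTS_REV (one "hostname,ip" token per line).
        echo "===> Restarting rabbitmq on all controllers"
        # Intentional word-splitting in every loop below: one token per line.
        # SSH_AUTH_SOCK is cleared so only the installer key is used.
        for HOST in ${CTRL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Running rabbitmqctl stop_app on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "rabbitmqctl stop_app"
        done
        for HOST in ${CTRL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Stopping rabbitmq-server service on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "/etc/init.d/rabbitmq-server stop"
        done
        for HOST in ${CTRL_HOSTS_REV} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Starting rabbitmq-server service on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "/etc/init.d/rabbitmq-server start"
        done
        for HOST in ${CTRL_HOSTS_REV} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Running rabbitmqctl start_app on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "rabbitmqctl start_app"
        done
}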

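restart_haproxy_on_all_controllers () {
        # Restart haproxy on every controller so the API front end serves the
        # renewed certificates.
        # Reads: CTRL_HOSTS (one "hostname,ip" token per line).
        echo "===> Restarting haproxy on all controllers"
        # Intentional word-splitting: one token per line.
        for HOST in ${CTRL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Restarting haproxy service on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "/etc/init.d/haproxy restart"
        done
}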

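restart_all_service_on_controllers () {
        # Run oci-restart-all-services on every controller.
        # Reads: CTRL_HOSTS (one "hostname,ip" token per line).
        echo "===> Restarting all openstack services on all controllers"
        # Intentional word-splitting: one token per line.
        for HOST in ${CTRL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Restarting all OpenStack services on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
        done
}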

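restart_all_service_on_messagings () {
        # Run oci-restart-all-services on every messaging node.
        # Reads: MSG_HOSTS (one "hostname,ip" token per line).
        echo "===> Restarting all openstack services on all messagings"
        # Intentional word-splitting: one token per line.
        for HOST in ${MSG_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Restarting all OpenStack services on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
        done
}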

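run_puppet_on_all_computes () {
        # On each compute node: run puppet, restart the OpenStack services and
        # switch libvirtd from its TCP socket to the TLS socket so the
        # hypervisor listens with the renewed certificates.
        # Reads: COMP_HOSTS (one "hostname,ip" token per line).
        echo "===> Run puppet and restart all services on all compute nodes"
        # Intentional word-splitting: one token per line.
        for HOST in ${COMP_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Run puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
                echo "-> Restart all services on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
                echo "-> Start libvirt over TLS on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "systemctl enable libvirtd-tls.socket && systemctl disable libvirtd-tcp.socket && systemctl stop libvirtd.service && systemctl start libvirtd-tls.socket && systemctl start libvirtd.service"
        done
}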

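run_puppet_on_all_network_nodes () {
        # On each network node: run puppet, then restart the OpenStack services.
        # Reads: NET_HOSTS (one "hostname,ip" token per line).
        echo "===> Run puppet and restart all services on all network nodes"
        # Intentional word-splitting: one token per line.
        for HOST in ${NET_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Run puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
                echo "-> Restart all services on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
        done
}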

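run_puppet_on_all_volumes () {
        # On each volume node: run puppet, then restart the OpenStack services.
        # Reads: VOL_HOSTS (one "hostname,ip" token per line).
        echo "===> Run puppet and restart all services on all volume nodes"
        # Intentional word-splitting: one token per line.
        for HOST in ${VOL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> Run puppet on ${HOSTNAME}"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                # "|| true": a non-zero puppet run must not abort the roll-out.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable && oci-puppet || true"
                echo "-> Restart all services on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
        done
}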

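enable_puppet_on_all_hosts () {
        # Re-enable the puppet agent on every node and restart the OpenStack
        # services there.
        # Reads: ALL_HOSTS (one "hostname,ip" token per line).
        echo "===> Enabling puppet on all hosts"
        # Intentional word-splitting: one token per line.
        for HOST in ${ALL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> $HOSTNAME"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "puppet agent --enable"
                echo "-> Restart all services on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "oci-restart-all-services"
        done
}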

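upgrade_oci_host () {
        # Upgrade the OCI host itself: dist-upgrade, sync the OCI database
        # schema, restart the puppet master and flag the cluster as being in
        # initial setup again.
        # Reads: CLUSTER_NAME.
        apt-get update
        apt-get dist-upgrade -y
        # Run the schema sync from the installer directory inside a subshell
        # so the caller's working directory is never changed, even when cd
        # fails under set -e.
        ( cd /usr/share/openstack-cluster-installer && php db_sync.php )
        /etc/init.d/puppet-master restart
        # NOTE(review): --install-designate/--install-octavia are hard-coded
        # here; confirm they match the cluster's intended settings before
        # running this script against it.
        ocicli cluster-set "${CLUSTER_NAME}" --install-designate no --install-octavia yes --initial-cluster-setup yes
}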

switch_to_bullseye_victoria () {
        # Repoint the OpenStack apt source from pub1-repo.infomaniak.ch to
        # bullseye-victoria.debian.net and refresh the package index.
        # No-op when the source list file does not exist.
        REPO_LIST=/etc/apt/sources.list.d/openstack.list
        [ -e "${REPO_LIST}" ] || return 0
        sed -i 's/pub1-repo.infomaniak.ch/bullseye-victoria.debian.net/' "${REPO_LIST}"
        apt-get update
}

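install_old_root_ca_on_all_hosts () {
        # Copy the CURRENT root CA and intermediate CA onto every node under
        # /usr/share/ca-certificates/oci-old, register them in
        # /etc/ca-certificates.conf and rebuild the system bundle. This keeps
        # the old chain trusted while the PKI is rebuilt; it is undone later
        # by remove_old_root_ca_on_all_hosts.
        # Reads: ALL_HOSTS (one "hostname,ip" token per line).
        echo "===> Copying old root CA to /usr/share/ca-certificates/oci-old in all hosts"
        # Intentional word-splitting: one token per line.
        for HOST in ${ALL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> $HOSTNAME"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "mkdir -p /usr/share/ca-certificates/oci-old"
                SSH_AUTH_SOCK= scp -i /etc/openstack-cluster-installer/id_rsa /var/lib/oci/ssl/ca/oci-pki-root-ca.pem "root@${IP}:/usr/share/ca-certificates/oci-old/OCI_old_1_selfsigned-root-ca.crt"
                SSH_AUTH_SOCK= scp -i /etc/openstack-cluster-installer/id_rsa /var/lib/oci/ssl/ca/oci-pki-oci-ca.pem "root@${IP}:/usr/share/ca-certificates/oci-old/OCI_old_2_oci-ca.crt"
                # Append each entry only once so repeated runs stay idempotent.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "if ! grep -q -E ^oci-old/OCI_old_1_selfsigned-root-ca.crt /etc/ca-certificates.conf; then echo oci-old/OCI_old_1_selfsigned-root-ca.crt >> /etc/ca-certificates.conf ; fi"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "if ! grep -q -E ^oci-old/OCI_old_2_oci-ca.crt /etc/ca-certificates.conf; then echo oci-old/OCI_old_2_oci-ca.crt >> /etc/ca-certificates.conf ; fi"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "update-ca-certificates"
        done
}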

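install_new_root_ca_on_all_hosts () {
        # Copy the freshly generated root CA and intermediate CA onto every
        # node under /usr/share/ca-certificates/oci, register them in
        # /etc/ca-certificates.conf and rebuild the system bundle.
        # Reads: ALL_HOSTS (one "hostname,ip" token per line).
        echo "===> Copying new root CA to /usr/share/ca-certificates/oci in all hosts"
        # Intentional word-splitting: one token per line.
        for HOST in ${ALL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> $HOSTNAME"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "mkdir -p /usr/share/ca-certificates/oci"
                SSH_AUTH_SOCK= scp -i /etc/openstack-cluster-installer/id_rsa /var/lib/oci/ssl/ca/oci-pki-root-ca.pem "root@${IP}:/usr/share/ca-certificates/oci/OCI_1_selfsigned-root-ca.crt"
                SSH_AUTH_SOCK= scp -i /etc/openstack-cluster-installer/id_rsa /var/lib/oci/ssl/ca/oci-pki-oci-ca.pem "root@${IP}:/usr/share/ca-certificates/oci/OCI_2_oci-ca.crt"
                # Append each entry only once so repeated runs stay idempotent.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "if ! grep -q -E ^oci/OCI_1_selfsigned-root-ca.crt /etc/ca-certificates.conf; then echo oci/OCI_1_selfsigned-root-ca.crt >> /etc/ca-certificates.conf ; fi"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "if ! grep -q -E ^oci/OCI_2_oci-ca.crt /etc/ca-certificates.conf; then echo oci/OCI_2_oci-ca.crt >> /etc/ca-certificates.conf ; fi"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "update-ca-certificates"
        done
}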

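remove_old_root_ca_on_all_hosts () {
        # Undo install_old_root_ca_on_all_hosts: drop the oci-old directory and
        # its two /etc/ca-certificates.conf entries on every node, then rebuild
        # the system bundle so the retired chain is no longer trusted.
        # Reads: ALL_HOSTS (one "hostname,ip" token per line).
        echo "===> Remove old root CA in /usr/share/ca-certificates/oci-old in all hosts"
        # Intentional word-splitting: one token per line.
        for HOST in ${ALL_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> $HOSTNAME"
                # SSH_AUTH_SOCK is cleared so only the installer key is used.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "rm -rf /usr/share/ca-certificates/oci-old"
                # "set -x" on the remote side echoes the exact sed command for the log.
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "set -x ; sed -i '/^oci-old\\/OCI_old_1_selfsigned-root-ca.crt/d' /etc/ca-certificates.conf"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "set -x ; sed -i '/^oci-old\\/OCI_old_2_oci-ca.crt/d' /etc/ca-certificates.conf"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "update-ca-certificates"
        done
}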

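remove_rabbitmq_ssl_ca_file () {
        # Point neutron's ssl_ca_file at the system CA bundle
        # (/etc/ssl/certs/ca-certificates.crt) instead of the OCI chain file,
        # so TLS validation keeps working while the chain is regenerated.
        # Controllers and computes get their neutron services restarted;
        # network nodes only get the config edit (restart left commented out).
        # NOTE(review): despite the name, this only edits /etc/neutron/neutron.conf.
        # Reads: CTRL_HOSTS, COMP_HOSTS, NET_HOSTS (one "hostname,ip" token per line).
        echo "===> Remove location of CA in /etc/neutron/neutron.conf"
        # Intentional word-splitting: one token per line.
        # SSH_AUTH_SOCK is cleared so only the installer key is used.
        for HOST in ${CTRL_HOSTS} ${COMP_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> CA location remove on ${HOSTNAME}"
                #SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa root@${IP} "sed -i '/^ssl_ca_file=.*/d' /etc/neutron/neutron.conf"

                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "sed -i 's@ssl_ca_file=/etc/ssl/certs/oci-pki-oci-ca-chain.pem@ssl_ca_file=/etc/ssl/certs/ca-certificates.crt@g' /etc/neutron/neutron.conf"
                echo "-> restarting all neutron services on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "systemctl restart 'neutron-*'"
                echo "-> Wait 5 secondes after neutron restart on ${HOSTNAME}"
                # Give the restarted agents a moment before moving to the next node.
                sleep 5
        done


        for HOST in ${NET_HOSTS} ; do
                HOSTNAME=${HOST%%,*}
                IP=${HOST#*,}
                echo "-> CA location remove on ${HOSTNAME}"
                SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa "root@${IP}" "sed -i 's@ssl_ca_file=/etc/ssl/certs/oci-pki-oci-ca-chain.pem@ssl_ca_file=/etc/ssl/certs/ca-certificates.crt@g' /etc/neutron/neutron.conf"

                #echo "-> restarting all neutron services on ${HOSTNAME}"
                #SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa root@${IP} "systemctl restart neutron-dhcp-agent.service; systemctl restart neutron-metadata-agent.service; systemctl restart neutron-openvswitch-agent.service; systemctl restart neutron-l3-agent.service "
                #SSH_AUTH_SOCK= ssh -i /etc/openstack-cluster-installer/id_rsa root@${IP} "systemctl show --property MainPID --value neutron-bgp-dragent.service | xargs kill -SIGHUP"
                #echo "-> Wait 5 secondes after neutron restart on ${HOSTNAME}"         #sleep 5
        done
}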

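# Main sequence. Order matters: puppet is disabled cluster-wide first and
# re-enabled last, so no agent run interferes while the PKI is rebuilt.

# Prepare the upgrade
oci-disable-puppet
update_oci_utils_on_all_hosts

# Switch to bullseye-victoria instead of pub1-repo.
# Note: this is only for the PoC, but shouldn't be a problem
# for production.
switch_to_bullseye_victoria

# Upgrade OCI
upgrade_oci_host

# Install the old root ca
# Keeps the current chain trusted on every node until the new one is in
# place; removed again by remove_old_root_ca_on_all_hosts below.
install_old_root_ca_on_all_hosts

# Remake the PKI
delete_intermediary_ca_on_oci_host
oci-root-ca-destroy
oci-root-ca-gen

install_new_root_ca_on_all_hosts

remove_rabbitmq_ssl_ca_file

# Drop every node's old server cert so puppet re-issues from the new CA,
# then make sure the API VIP cert exists before the controllers run puppet.
delete_all_server_certs
gen_api_cert


# Apply on controllers & messaging
run_puppet_on_ctrls
run_puppet_on_msgs

# Apply on swift proxies
run_puppet_on_swiftproxies

restart_rabbitmq_on_controllers

restart_haproxy_on_all_controllers
restart_all_service_on_controllers
restart_all_service_on_messagings

#
# Apply on all servers
#run_puppet_on_all_network_nodes
run_puppet_on_all_computes
run_puppet_on_all_volumes

# The new chain is live everywhere: stop trusting the retired one.
remove_old_root_ca_on_all_hosts

oci-enable-puppet
ocicli cluster-set "${CLUSTER_NAME}" --initial-cluster-setup no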