Sync varstore certificates in XAPI with those on disks #4659
Conversation
ocaml/idl/datamodel_pool.ml
Outdated
| ~params: | ||
| [ | ||
| (Ref _pool, "self", "The pool") | ||
| ; (String, "value", "The certificates to apply to the pool anbd its hosts") |
There was a problem hiding this comment.
Typo in and. Is the string the certificate (encoded?) or a reference to it, like a path? It would be good to make this clear.
There was a problem hiding this comment.
Like for Host.set_uefi_certificates it's the tarball.
ocaml/xapi/xapi_host.ml
Outdated
| let extract_certificate_file name = | ||
| if String.contains name '/' then | ||
| (* Internal error: tarfile not created correctly *) | ||
| failwith ("Invalid path in certificate tarball: " ^ name) ; |
There was a problem hiding this comment.
The error could be read as referring to a path in a tar file but it refers to the path of the tar file itself.
There was a problem hiding this comment.
No it references the path inside the tarball to an .auth file.
There was a problem hiding this comment.
You could make this more specific: Path in certificate tarball %s contains /
ocaml/xapi/xapi_host.ml
Outdated
| List.iter | ||
| (fun name -> | ||
| let path = Filename.concat !Xapi_globs.varstore_dir name in | ||
| debug "*** BRS: Remove UEFI cert %s" path ; |
There was a problem hiding this comment.
This are temporary logs for my tests :)
Should I let them once I'm done? (without the *** BRS: of course)
ocaml/xapi/xapi_host.ml
Outdated
| debug "*** BRS: Remove UEFI cert %s" path ; | ||
| try Sys.remove path | ||
| with | ||
| | Sys_error e |
There was a problem hiding this comment.
Matching the string seems to me like a poor way to detect this problem. Use a different function to remove a file that uses a better interface for errors.
There was a problem hiding this comment.
I'm not aware of another lib to remove a file.
| () | ||
| ) | ||
| ["PK.auth"; "KEK.auth"; "db.auth"; "dbx.auth"] ; | ||
| if contents <> "" then ( |
There was a problem hiding this comment.
Why is the empty string special? Might want to log this.
There was a problem hiding this comment.
If the string is empty it means there's no certificates in XAPI to extract on the host disk.
ocaml/xapi/xapi_host.mli
Outdated
| @@ -479,6 +479,9 @@ val nvidia_vf_setup : | |||
| val allocate_resources_for_vm : | |||
| __context:Context.t -> self:API.ref_host -> vm:API.ref_VM -> live:bool -> unit | |||
|
|
|||
| val save_uefi_certificates_to_dir : | |||
There was a problem hiding this comment.
Is the name confusing? It has dir in its name but not in the parameter list.
|
I was wondering: how would you feel to remove the It seems this API and field are useless (unless there is a usecase where a host needs to have different certificates than the others in the pool but I can't think of one). What do you think? |
ocaml/xapi/xapi_host.ml
Outdated
| path | ||
|
|
||
| let with_temp_file_contents ~contents f = | ||
| let filename, out = Filename.open_temp_file "xapi_uefi_certificates" "tar" in |
There was a problem hiding this comment.
It's more common to use a dash (-) in file names than the underscore.
There was a problem hiding this comment.
It comes from already existing code, but I can change that 👍
|
Latest commit is an implementation of what is proposed in my previous comment, and @stormi 's one in the issue. Deprecate Host.uefi_certificates in favor of Pool API:
I think it's the right way to go since having different certs on pool's hosts seems really dangerous to me. |
benjamreis
force-pushed
the
synch-varstored-between-hosts
branch
8 times, most recently
from
28722de
to
8dc49ff
Compare
ocaml/idl/datamodel_host.ml
Outdated
| let write_uefi_certificates_to_disk = | ||
| call ~name:"write_uefi_certificates_to_disk" | ||
| ~lifecycle:[(Published, rel_next, "")] | ||
| ~doc:"Writes the UEFI certificates on a host disk" |
ocaml/idl/datamodel_pool.ml
Outdated
| let set_uefi_certificates = | ||
| call ~name:"set_uefi_certificates" | ||
| ~lifecycle:[(Published, rel_next, "")] | ||
| ~doc:"Sets the UEFI certificates on a pool and all its hosts" |
ocaml/xapi/xapi_host.ml
Outdated
| let extract_certificate_file name = | ||
| if String.contains name '/' then | ||
| (* Internal error: tarfile not created correctly *) | ||
| failwith ("Invalid path in certificate tarball: " ^ name) ; |
There was a problem hiding this comment.
You could make this more specific: Path in certificate tarball %s contains /
benjamreis
force-pushed
the
synch-varstored-between-hosts
branch
from
8dc49ff
to
4140850
Compare
benjamreis
changed the title
|
I'll rebase and rework the commit message once the code stop changing before the merge. :) |
See: xapi-project/xen-api#4659 `Host` API is deprecated in favor of `Pool` API Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
See: xapi-project/xen-api#4659 `Host` API is deprecated in favor of `Pool` API Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
- `Pool.set_uefi_certificates` is implemented and writes the certificates on all its hosts' disks - `Host.set_uefi_certificates` is now deprecated and transmit the call to the pool method - `Host.uefi_certificates` is deprecated as well as it's getter, the value is not updated. - On XAPI startup certificates stored in XAPI's `Pool.uefi_certificates` are written on disks - When a host joins the pool's certificates are written on its disk. This means: - At every XAPI startup the certificates in host disks are synced with XAPI's `Pool.uefi_certificates` - When `Pool.set_uefi_certificates` is called all hosts are synced on their disks with XAPI's `Pool.uefi_certificates`. Also: `Host.set_uefi_certificates` calls should be replaced by `Pool.set_uefi_certificates`, this requires changes in external libs (varstored, uefistored, etc) to set the pool's certificates: call `Pool.set_uefi_certificates`. See: xapi-project#4647 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
benjamreis
force-pushed
the
synch-varstored-between-hosts
branch
from
e73b8df
to
53d656b
Compare
|
Hi! I rebased the code into one commit with a (hopefully) clear commit message. |
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
See: xapi-project/xen-api#4659 `Host` API is deprecated in favor of `Pool` API Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
See: xapi-project/xen-api#4659 `Host` API is deprecated in favor of `Pool` API Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Starting from next release, the host disk certificate will be updated by the pool ones at XAPI startup instead of when a VM starts. See: xapi-project/xen-api#4659 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Starting from next release, the host disk certificate will be updated by the pool ones at XAPI startup instead of when a VM starts. See: xapi-project/xen-api#4659 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Starting from next release, the host disk certificate will be updated by the pool ones at XAPI startup instead of when a VM starts. See: xapi-project/xen-api#4659 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Starting from next release, the host disk certificate will be updated by the pool ones at XAPI startup instead of when a VM starts. See: xapi-project/xen-api#4659 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
Pool.set_uefi_certificatesis implemented and callsHost.set_uefi_certificateson all hostsHost.set_uefi_certificateswrites certificates on disksHost.uefi_certificatesare written on disksHost.set_uefi_certificatesis called with the certificates stored in XAPI'sPool.uefi_certificatesThis means:
Host.uefi_certificatesPool.set_uefi_certificatesis called all hosts are synced in XAPi and disks with XAPI'sPool.uefi_certificatesHost.set_uefi_certificatesis called the host certificates on disk are synced with XAPI'sHost.uefi_certificatesAlso:
Host.set_uefi_certificatesno longer callsPool.set_uefi_certificates, this requires changesin external libs (varstored, uefistored, etc) to set the pool's certificates: call
Pool.set_uefi_certificates.See: #4647
Signed-off-by: BenjiReis benjamin.reis@vates.fr