Sync varstore certificates in XAPI with those on disks #4659
ocaml/idl/datamodel_pool.ml
Outdated
~params: | ||
[ | ||
(Ref _pool, "self", "The pool") | ||
; (String, "value", "The certificates to apply to the pool anbd its hosts") |
Typo in and. Is the string the certificate (encoded?) or a reference to it, like a path? It would be good to make this clear.
Like for `Host.set_uefi_certificates` it's the tarball.
ocaml/xapi/xapi_host.ml
Outdated
let extract_certificate_file name = | ||
if String.contains name '/' then | ||
(* Internal error: tarfile not created correctly *) | ||
failwith ("Invalid path in certificate tarball: " ^ name) ; |
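Review bot: the `String.contains name '/'` test in `extract_certificate_file` only rejects names containing a slash, so an empty name, `.`, `..` or any unexpected file name still passes. The set of expected files is fixed (`PK.auth`, `KEK.auth`, `db.auth`, `dbx.auth` in the removal list elsewhere in this file), so comparing `name` against that list would be stricter. The comment calls this an internal error, but the tarball arrives as the `value` argument of the API call, so it is worth treating as caller input and reporting the offending entry name in the error.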
The error could be read as referring to a path in a tar file but it refers to the path of the tar file itself.
No it references the path inside the tarball to an `.auth` file.
You could make this more specific: Path in certificate tarball %s contains /
ocaml/xapi/xapi_host.ml
Outdated
List.iter | ||
(fun name -> | ||
let path = Filename.concat !Xapi_globs.varstore_dir name in | ||
debug "*** BRS: Remove UEFI cert %s" path ; |
Remove BRS:
These are temporary logs for my tests :)
Should I leave them once I'm done? (without the `*** BRS:` of course)
ocaml/xapi/xapi_host.ml
Outdated
debug "*** BRS: Remove UEFI cert %s" path ; | ||
try Sys.remove path | ||
with | ||
| Sys_error e |
Matching the string seems to me like a poor way to detect this problem. Use a different function to remove a file that uses a better interface for errors.
I'm not aware of another lib to remove a file.
Unix.unlink
() | ||
) | ||
["PK.auth"; "KEK.auth"; "db.auth"; "dbx.auth"] ; | ||
if contents <> "" then ( |
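Review bot: the `List.iter` over `["PK.auth"; "KEK.auth"; "db.auth"; "dbx.auth"]` deletes the existing files before `contents` is even examined, so if anything inside the `if contents <> "" then (` branch fails, the directory is left with no certificates at all. Writing the new files to a temporary location first and replacing the old ones only once that succeeded would avoid the window, and a debug line for the empty-string case would make the "nothing to write" path visible in the logs.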
Why is the empty string special? Might want to log this.
If the string is empty it means there are no certificates in XAPI to extract on the host disk.
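The error-handling point raised in the thread above (use `Unix.unlink` rather than matching the `Sys_error` message), together with a stricter check on tarball member names, as an added example that is not part of the PR or of xapi's code. The helper names `validate_member`, `remove_if_present` and `clear_auth_files` and the scratch directory are assumptions made for the illustration; it needs the `unix` library.

```ocaml
(* Added example, not xapi code. Build with the unix library. *)

(* The four files named in the removal list discussed above. *)
let auth_files = ["PK.auth"; "KEK.auth"; "db.auth"; "dbx.auth"]

(* Hypothetical helper: accept a tar member name only if it is exactly one
   of the expected files. Unlike a '/' test this also rejects "", "." and
   "..", and any unexpected file name. *)
let validate_member name =
  if List.mem name auth_files then Ok name
  else Error (Printf.sprintf "Unexpected entry in certificate tarball: %S" name)

(* Hypothetical helper: remove a file, treating "already absent" as success.
   The error is matched on the errno constructor, not on message text. *)
let remove_if_present path =
  try Unix.unlink path ; `Removed
  with Unix.Unix_error (Unix.ENOENT, _, _) -> `Absent

(* Remove every stale .auth file from [dir]. Errors other than ENOENT
   (EACCES, EPERM, ...) propagate to the caller instead of being hidden. *)
let clear_auth_files dir =
  List.map
    (fun name -> (name, remove_if_present (Filename.concat dir name)))
    auth_files

let () =
  (* Constructed sample: a private scratch directory with two of the files.
     mkdir fails if the path already exists, so nothing is reused. *)
  let dir =
    Filename.concat
      (Filename.get_temp_dir_name ())
      (Printf.sprintf "varstore-example-%d" (Unix.getpid ()))
  in
  Unix.mkdir dir 0o700 ;
  List.iter
    (fun n -> close_out (open_out (Filename.concat dir n)))
    ["PK.auth"; "db.auth"] ;
  List.iter
    (fun (name, r) ->
      Printf.printf "%s: %s\n" name
        (match r with `Removed -> "removed" | `Absent -> "absent"))
    (clear_auth_files dir) ;
  List.iter
    (fun n ->
      match validate_member n with
      | Ok n -> Printf.printf "accept %s\n" n
      | Error e -> Printf.printf "reject: %s\n" e)
    ["KEK.auth"; "../KEK.auth"; ".."; "extra.auth"] ;
  Unix.rmdir dir
```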
ocaml/xapi/xapi_host.mli
Outdated
@@ -479,6 +479,9 @@ val nvidia_vf_setup : | |||
val allocate_resources_for_vm : | |||
__context:Context.t -> self:API.ref_host -> vm:API.ref_VM -> live:bool -> unit | |||
|
|||
val save_uefi_certificates_to_dir : |
Is the name confusing? It has `dir` in its name but not in the parameter list.
I was wondering: how would you feel to remove the It seems this API and field are useless (unless there is a usecase where a host needs to have different certificates than the others in the pool but I can't think of one). What do you think?
ocaml/xapi/xapi_host.ml
Outdated
path | ||
|
||
let with_temp_file_contents ~contents f = | ||
let filename, out = Filename.open_temp_file "xapi_uefi_certificates" "tar" in |
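Review bot: `Filename.open_temp_file` on the first line of `with_temp_file_contents` returns both a path and an open channel, and nothing in the visible lines guarantees that either is released if `f` raises. Closing `out` and unlinking `filename` from a `finally` handler (for example `Fun.protect ~finally`) would keep failed calls from leaving tarballs behind in the temp directory.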
It's more common to use a dash (`-`) in file names than the underscore.
It comes from already existing code, but I can change that 👍
Latest commit is an implementation of what is proposed in my previous comment, and @stormi's one in the issue. Deprecate `Host.uefi_certificates` in favor of Pool API:
I think it's the right way to go since having different certs on pool's hosts seems really dangerous to me.
28722de to 8dc49ff
ocaml/idl/datamodel_host.ml
Outdated
let write_uefi_certificates_to_disk = | ||
call ~name:"write_uefi_certificates_to_disk" | ||
~lifecycle:[(Published, rel_next, "")] | ||
~doc:"Writes the UEFI certificates on a host disk" |
"writes to"?
ocaml/idl/datamodel_pool.ml
Outdated
let set_uefi_certificates = | ||
call ~name:"set_uefi_certificates" | ||
~lifecycle:[(Published, rel_next, "")] | ||
~doc:"Sets the UEFI certificates on a pool and all its hosts" |
"Sets .. for a pool"?
8dc49ff to 4140850
I'll rebase and rework the commit message once the code stops changing before the merge. :)
See: xapi-project/xen-api#4659 `Host` API is deprecated in favor of `Pool` API Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
For XCP-ng > 8.2.1 there is a new behavior regarding SB certs management See: xapi-project/xen-api#4659 Keep previous behavior for XCP-ng <= 8.2.1 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
- `Pool.set_uefi_certificates` is implemented and writes the certificates on all its hosts' disks
- `Host.set_uefi_certificates` is now deprecated and transmits the call to the pool method
- `Host.uefi_certificates` is deprecated as well as its getter, the value is not updated.
- On XAPI startup certificates stored in XAPI's `Pool.uefi_certificates` are written on disks
- When a host joins, the pool's certificates are written on its disk.

This means:
- At every XAPI startup the certificates in host disks are synced with XAPI's `Pool.uefi_certificates`
- When `Pool.set_uefi_certificates` is called all hosts are synced on their disks with XAPI's `Pool.uefi_certificates`.

Also: `Host.set_uefi_certificates` calls should be replaced by `Pool.set_uefi_certificates`, this requires changes in external libs (varstored, uefistored, etc) to set the pool's certificates: call `Pool.set_uefi_certificates`.

See: xapi-project#4647

Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
e73b8df to 53d656b
Hi! I rebased the code into one commit with a (hopefully) clear commit message.
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
Starting from next release, the host disk certificate will be updated by the pool ones at XAPI startup instead of when a VM starts. See: xapi-project/xen-api#4659 Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
- `Pool.set_uefi_certificates` is implemented and calls `Host.set_uefi_certificates` on all hosts
- `Host.set_uefi_certificates` writes certificates on disks
- `Host.uefi_certificates` are written on disks
- `Host.set_uefi_certificates` is called with the certificates stored in XAPI's `Pool.uefi_certificates`

This means:
- `Host.uefi_certificates`
- `Pool.set_uefi_certificates` is called all hosts are synced in XAPI and disks with XAPI's `Pool.uefi_certificates`
- `Host.set_uefi_certificates` is called the host certificates on disk are synced with XAPI's `Host.uefi_certificates`

Also: `Host.set_uefi_certificates` no longer calls `Pool.set_uefi_certificates`, this requires changes in external libs (varstored, uefistored, etc) to set the pool's certificates: call `Pool.set_uefi_certificates`.

See: #4647

Signed-off-by: BenjiReis <benjamin.reis@vates.fr>