From Yaniv Bronhaim <ybronhei(a)redhat.com>:
Yaniv Bronhaim has uploaded a new change for review.
Change subject: Configure sasl2 libvirt to use scram-sha-1
......................................................................
Configure sasl2 libvirt to use scram-sha-1
The default of mech_list was changed to gssapi in libvirt 3.2. This
patch adds a check to isconfigured for the new default value. If it is
present, configure replaces the file content with mech_list: scram-sha-1
Change-Id: I589e7de6df46ebb2f971701cf99a313b3c4a2f8e
Bug-Url:
https://bugzilla.redhat.com/show_bug.cgi?id=1444426
Signed-off-by: Yaniv Bronhaim <ybronhei(a)redhat.com>
---
M lib/vdsm/tool/configurators/passwd.py
M vdsm.spec.in
2 files changed, 38 insertions(+), 6 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/34/77534/1
diff --git a/lib/vdsm/tool/configurators/passwd.py
b/lib/vdsm/tool/configurators/passwd.py
index b75228e..1584d39 100644
--- a/lib/vdsm/tool/configurators/passwd.py
+++ b/lib/vdsm/tool/configurators/passwd.py
@@ -23,13 +23,14 @@
from vdsm import utils
-from . import YES, NO
+from . import YES, NO, MAYBE
_SASLDBLISTUSERS2 = utils.CommandPath("sasldblistusers2",
"/usr/sbin/sasldblistusers2",
)
_LIBVIRT_SASLDB = "/etc/libvirt/passwd.db"
+_SASL2_CONF = "/etc/sasl2/libvirt.conf"
_SASLPASSWD2 = utils.CommandPath("saslpasswd2",
"/usr/sbin/saslpasswd2",
)
@@ -38,6 +39,22 @@
def isconfigured():
+ ret = passwd_isconfigured()
+ if ret == NO:
+ return ret
+ return libvirt_sasl_isconfigured()
+
+
+def libvirt_sasl_isconfigured():
+ with open(_SASL2_CONF, 'r') as f:
+ lines = f.readlines()
+ # check for new default configuration - since libvirt 3.2
+ if 'mech_list: gssapi\n' in lines:
+ return NO
+ return MAYBE
+
+
+def passwd_isconfigured():
script = (str(_SASLDBLISTUSERS2), '-f', _LIBVIRT_SASLDB)
_, out, _ = commands.execCmd(script)
for user in out:
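Review bot: `libvirt_sasl_isconfigured` opens `_SASL2_CONF` with no handling for a missing or unreadable file, so `isconfigured()` raises instead of returning `NO` on a host where that file is absent. The test `'mech_list: gssapi\n' in lines` is an exact-line match, so different spacing, a list of several mechanisms, or a final line without a newline goes undetected. Any other mechanism value, or no `mech_list` line at all, yields `MAYBE`, so the function never confirms that scram-sha-1 is the active mechanism. Parsing each uncommented line would be stricter: `key, _, val = line.partition(':')` followed by `if key.strip() == 'mech_list' and val.strip() != 'scram-sha-1': return NO`. `passwd_isconfigured` continues outside the hunk.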
@@ -47,14 +64,12 @@
def configure():
- script = (str(_SASLPASSWD2), '-p', '-a', 'libvirt',
SASL_USERNAME)
- rc, _, err = commands.execCmd(script, data=libvirt_password())
- if rc != 0:
- raise RuntimeError("Set password failed: %s" % (err,))
+ configure_libvirt_sasl()
+ configure_passwd()
def removeConf():
- if isconfigured() == YES:
+ if passwd_isconfigured() == YES:
rc, out, err = commands.execCmd(
(
str(_SASLPASSWD2),
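Review bot: `removeConf` still removes only the SASL user, while `configure` now also rewrites `_SASL2_CONF`, and nothing in the visible hunks restores or removes that file. The `## start vdsm` / `## end vdsm` markers written by `configure_libvirt_sasl` suggest the section was meant to be removable; if leaving it is intentional, a comment such as `# NOTE: leaves _SASL2_CONF as written by configure_libvirt_sasl()` would record that. In `configure`, the config file is rewritten before the password is set, so a `RuntimeError` from `configure_passwd` appears to leave the host with the new mechanism but possibly no usable credential; the intended order and recovery path deserve a docstring. `removeConf` continues outside the hunk.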
@@ -67,6 +82,22 @@
raise RuntimeError("Remove password failed: %s" % (err,))
+def configure_libvirt_sasl():
+ with open(_SASL2_CONF, 'w') as f:
+ f.writelines(['## start vdsm-4.20.0 configuration\n',
+ 'mech_list: scram-sha-1\n',
+ 'sasldb_path: %s\n' % (_LIBVIRT_SASLDB),
+ '## end vdsm configuration']
+ )
+
+
+def configure_passwd():
+ script = (str(_SASLPASSWD2), '-p', '-a', 'libvirt',
SASL_USERNAME)
+ rc, _, err = commands.execCmd(script, data=libvirt_password())
+ if rc != 0:
+ raise RuntimeError("Set password failed: %s" % (err,))
+
+
@utils.memoized
def libvirt_password():
with open(LIBVIRT_PASSWORD_PATH) as passwd_file:
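Review bot: `configure_libvirt_sasl` opens `_SASL2_CONF` with mode `'w'`, which truncates the file in place, so any other settings an administrator kept there are lost without a backup, and an interrupted write leaves libvirt with a partial SASL configuration. Writing to a temporary file in the same directory and renaming it over the target would make the replacement atomic and allow the old file to be kept. The start marker hard-codes `vdsm-4.20.0` although the change targets branch ovirt-4.1, which presumably ships a different version. The final line also lacks a trailing newline, which `'## end vdsm configuration\n'` would fix. `libvirt_password` continues outside the hunk.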
diff --git a/vdsm.spec.in b/vdsm.spec.in
index 173216d..120a70e 100644
--- a/vdsm.spec.in
+++ b/vdsm.spec.in
@@ -89,6 +89,7 @@
%endif
Requires: chrony
+Requires: cyrus-sasl-scram
Requires: dbus-python
Requires: ethtool
Requires: which
--
To view, visit
https://gerrit.ovirt.org/77534
Gerrit-MessageType: newchange
Gerrit-Change-Id: I589e7de6df46ebb2f971701cf99a313b3c4a2f8e
Gerrit-PatchSet: 1
Gerrit-Project: vdsm
Gerrit-Branch: ovirt-4.1
Gerrit-Owner: Yaniv Bronhaim <ybronhei(a)redhat.com>