From Yaniv Bronhaim <ybronhei(a)redhat.com&gt;: Yaniv Bronhaim has uploaded a new change for review. Change subject: Configure sasl2 libvirt to use scram-sha-1 ...................................................................... Configure sasl2 libvirt to use scram-sha-1 The default of mech_list was changed in libvirt 3.2 to gssapi. This patch adds to isconfigured a check if the new value exists. If so, configure will replace the content to mech_list: scram-sha-1 Change-Id: I589e7de6df46ebb2f971701cf99a313b3c4a2f8e Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1444426 Signed-off-by: Yaniv Bronhaim <ybronhei(a)redhat.com&gt; --- M lib/vdsm/tool/configurators/passwd.py M vdsm.spec.in 2 files changed, 38 insertions(+), 6 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/34/77534/1 diff --git a/lib/vdsm/tool/configurators/passwd.py b/lib/vdsm/tool/configurators/passwd.py index b75228e..1584d39 100644 --- a/lib/vdsm/tool/configurators/passwd.py +++ b/lib/vdsm/tool/configurators/passwd.py @@ -23,13 +23,14 @@ from vdsm import utils -from . import YES, NO +from . import YES, NO, MAYBE _SASLDBLISTUSERS2 = utils.CommandPath("sasldblistusers2", "/usr/sbin/sasldblistusers2", ) _LIBVIRT_SASLDB = "/etc/libvirt/passwd.db" +_SASL2_CONF = "/etc/sasl2/libvirt.conf" _SASLPASSWD2 = utils.CommandPath("saslpasswd2", "/usr/sbin/saslpasswd2", ) @@ -38,6 +39,22 @@ def isconfigured(): + ret = passwd_isconfigured() + if ret == NO: + return ret + return libvirt_sasl_isconfigured() + + +def libvirt_sasl_isconfigured(): + with open(_SASL2_CONF, 'r') as f: + lines = f.readlines() + # check for new default configuration - since libvirt 3.2 + if 'mech_list: gssapi\n' in lines: + return NO + return MAYBE + + +def passwd_isconfigured(): script = (str(_SASLDBLISTUSERS2), '-f', _LIBVIRT_SASLDB) _, out, _ = commands.execCmd(script) for user in out: @@ -47,14 +64,12 @@ def configure(): - script = (str(_SASLPASSWD2), '-p', '-a', 'libvirt', SASL_USERNAME) - rc, _, err = commands.execCmd(script, data=libvirt_password()) - if rc != 0: - raise RuntimeError("Set password failed: %s" % (err,)) + configure_libvirt_sasl() + configure_passwd() def removeConf(): - if isconfigured() == YES: + if passwd_isconfigured() == YES: rc, out, err = commands.execCmd( ( str(_SASLPASSWD2), @@ -67,6 +82,22 @@ raise RuntimeError("Remove password failed: %s" % (err,)) +def configure_libvirt_sasl(): + with open(_SASL2_CONF, 'w') as f: + f.writelines(['## start vdsm-4.20.0 configuration\n', + 'mech_list: scram-sha-1\n', + 'sasldb_path: %s\n' % (_LIBVIRT_SASLDB), + '## end vdsm configuration'] + ) + + +def configure_passwd(): + script = (str(_SASLPASSWD2), '-p', '-a', 'libvirt', SASL_USERNAME) + rc, _, err = commands.execCmd(script, data=libvirt_password()) + if rc != 0: + raise RuntimeError("Set password failed: %s" % (err,)) + + @utils.memoized def libvirt_password(): with open(LIBVIRT_PASSWORD_PATH) as passwd_file: diff --git a/vdsm.spec.in b/vdsm.spec.in index 173216d..120a70e 100644 --- a/vdsm.spec.in +++ b/vdsm.spec.in @@ -89,6 +89,7 @@ %endif Requires: chrony +Requires: cyrus-sasl-scram Requires: dbus-python Requires: ethtool Requires: which -- To view, visit https://gerrit.ovirt.org/77534 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I589e7de6df46ebb2f971701cf99a313b3c4a2f8e Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: ovirt-4.1 Gerrit-Owner: Yaniv Bronhaim <ybronhei(a)redhat.com&gt;