mirror of https://github.com/Icinga/icinga2.git
Cli: 'node setup' on the master uses 'api setup' if api feature is disabled
refs #9471
This commit is contained in:
Michael Friedrich
parent
5249e4af11
commit
ec3f1c6320
|
|
@ -21,6 +21,7 @@
|
||||||
#include "cli/nodeutility.hpp"
|
#include "cli/nodeutility.hpp"
|
||||||
#include "cli/featureutility.hpp"
|
#include "cli/featureutility.hpp"
|
||||||
#include "cli/pkiutility.hpp"
|
#include "cli/pkiutility.hpp"
|
||||||
|
#include "cli/apisetuputility.hpp"
|
||||||
#include "base/logger.hpp"
|
#include "base/logger.hpp"
|
||||||
#include "base/console.hpp"
|
#include "base/console.hpp"
|
||||||
#include "base/application.hpp"
|
#include "base/application.hpp"
|
||||||
|
|
@ -122,94 +123,16 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
|
||||||
if (vm.count("accept-commands"))
|
if (vm.count("accept-commands"))
|
||||||
Log(LogWarning, "cli", "Master for Node setup: Ignoring --accept-commands");
|
Log(LogWarning, "cli", "Master for Node setup: Ignoring --accept-commands");
|
||||||
|
|
||||||
/* Generate a new CA, if not already existing */
|
String cn = Utility::GetFQDN();
|
||||||
|
|
||||||
Log(LogInformation, "cli", "Generating new CA.");
|
if (vm.count("cn"))
|
||||||
|
cn = vm["cn"].as<std::string>();
|
||||||
|
|
||||||
if (PkiUtility::NewCa() > 0) {
|
if (FeatureUtility::CheckFeatureDisabled("api")) {
|
||||||
Log(LogWarning, "cli", "Found CA, skipping and using the existing one.");
|
Log(LogInformation, "cli", "'api' feature not enabled, running 'api setup' now.\n");
|
||||||
}
|
ApiSetupUtility::SetupMaster(cn);
|
||||||
|
} else
|
||||||
/* Generate a self signed certificate */
|
Log(LogInformation, "cli", "'api' feature already enabled.\n");
|
||||||
|
|
||||||
Log(LogInformation, "cli", "Generating new self-signed certificate.");
|
|
||||||
|
|
||||||
String pki_path = PkiUtility::GetPkiPath();
|
|
||||||
|
|
||||||
if (!Utility::MkDirP(pki_path, 0700)) {
|
|
||||||
Log(LogCritical, "cli")
|
|
||||||
<< "Could not create local pki directory '" << pki_path << "'.";
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
String user = ScriptGlobal::Get("RunAsUser");
|
|
||||||
String group = ScriptGlobal::Get("RunAsGroup");
|
|
||||||
|
|
||||||
if (!Utility::SetFileOwnership(pki_path, user, group)) {
|
|
||||||
Log(LogWarning, "cli")
|
|
||||||
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << pki_path << "'. Verify it yourself!";
|
|
||||||
}
|
|
||||||
|
|
||||||
String cn = Utility::GetFQDN();
|
|
||||||
|
|
||||||
if (vm.count("cn"))
|
|
||||||
cn = vm["cn"].as<std::string>();
|
|
||||||
|
|
||||||
String key = pki_path + "/" + cn + ".key";
|
|
||||||
String csr = pki_path + "/" + cn + ".csr";
|
|
||||||
|
|
||||||
if (Utility::PathExists(key))
|
|
||||||
NodeUtility::CreateBackupFile(key, true);
|
|
||||||
if (Utility::PathExists(csr))
|
|
||||||
NodeUtility::CreateBackupFile(csr);
|
|
||||||
|
|
||||||
if (PkiUtility::NewCert(cn, key, csr, "") > 0) {
|
|
||||||
Log(LogCritical, "cli", "Failed to create self-signed certificate");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Sign the CSR with the CA key */
|
|
||||||
|
|
||||||
String cert = pki_path + "/" + cn + ".crt";
|
|
||||||
|
|
||||||
if (Utility::PathExists(cert))
|
|
||||||
NodeUtility::CreateBackupFile(cert);
|
|
||||||
|
|
||||||
if (PkiUtility::SignCsr(csr, cert) != 0) {
|
|
||||||
Log(LogCritical, "cli", "Could not sign CSR.");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Copy CA certificate to /etc/icinga2/pki */
|
|
||||||
String ca_path = PkiUtility::GetLocalCaPath();
|
|
||||||
String ca = ca_path + "/ca.crt";
|
|
||||||
String ca_key = ca_path + "/ca.key";
|
|
||||||
String serial = ca_path + "/serial.txt";
|
|
||||||
String target_ca = pki_path + "/ca.crt";
|
|
||||||
|
|
||||||
Log(LogInformation, "cli")
|
|
||||||
<< "Copying CA certificate to '" << target_ca << "'.";
|
|
||||||
|
|
||||||
/* does not overwrite existing files! */
|
|
||||||
Utility::CopyFile(ca, target_ca);
|
|
||||||
|
|
||||||
/* fix permissions: root -> icinga daemon user */
|
|
||||||
std::vector<String> files;
|
|
||||||
files.push_back(ca_path);
|
|
||||||
files.push_back(ca);
|
|
||||||
files.push_back(ca_key);
|
|
||||||
files.push_back(serial);
|
|
||||||
files.push_back(target_ca);
|
|
||||||
files.push_back(key);
|
|
||||||
files.push_back(csr);
|
|
||||||
files.push_back(cert);
|
|
||||||
|
|
||||||
BOOST_FOREACH(const String& file, files) {
|
|
||||||
if (!Utility::SetFileOwnership(file, user, group)) {
|
|
||||||
Log(LogWarning, "cli")
|
|
||||||
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << file << "'. Verify it yourself!";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* read zones.conf and update with zone + endpoint information */
|
/* read zones.conf and update with zone + endpoint information */
|
||||||
|
|
||||||
|
|
@ -217,14 +140,10 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
|
||||||
|
|
||||||
NodeUtility::GenerateNodeMasterIcingaConfig(cn);
|
NodeUtility::GenerateNodeMasterIcingaConfig(cn);
|
||||||
|
|
||||||
/* enable the ApiListener config */
|
/* update the ApiListener config - SetupMaster() will always enable it */
|
||||||
|
|
||||||
Log(LogInformation, "cli", "Updating the APIListener feature.");
|
Log(LogInformation, "cli", "Updating the APIListener feature.");
|
||||||
|
|
||||||
std::vector<std::string> enable;
|
|
||||||
enable.push_back("api");
|
|
||||||
FeatureUtility::EnableFeatures(enable);
|
|
||||||
|
|
||||||
String apipath = FeatureUtility::GetFeaturesAvailablePath() + "/api.conf";
|
String apipath = FeatureUtility::GetFeaturesAvailablePath() + "/api.conf";
|
||||||
NodeUtility::CreateBackupFile(apipath);
|
NodeUtility::CreateBackupFile(apipath);
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue