Add setup scripts for the agent.

Refs #4865
2014-04-12 11:35:18 +02:00 · 2014-04-12 11:35:18 +02:00 · f0e58db266
parent 750603c49d
commit f0e58db266
6 changed files with 360 additions and 3 deletions
--- a/debian/icinga2-common.install
+++ b/debian/icinga2-common.install
@ -1,5 +1,7 @@
 debian/tmp/etc/icinga2
 usr/bin/icinga2-build*
+usr/bin/icinga2-sign-key
 usr/bin/icinga2-migrate-config
 usr/sbin/icinga2-*-feature
+usr/sbin/icinga2-setup-agent
 usr/share/icinga2
--- a/pki/CMakeLists.txt
+++ b/pki/CMakeLists.txt
@ -18,15 +18,24 @@
 if(UNIX OR CYGWIN)
  configure_file(icinga2-build-ca.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca @ONLY)
  configure_file(icinga2-build-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key @ONLY)
+  configure_file(icinga2-sign-key.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key @ONLY)
+  configure_file(icinga2-setup-agent.cmake ${CMAKE_CURRENT_BINARY_DIR}/icinga2-setup-agent @ONLY)

  install(
    FILES ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-ca ${CMAKE_CURRENT_BINARY_DIR}/icinga2-build-key
+          ${CMAKE_CURRENT_BINARY_DIR}/icinga2-sign-key
    DESTINATION ${CMAKE_INSTALL_BINDIR}
    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
  )

  install(
-    FILES openssl.cnf pkifuncs vars
+    FILES ${CMAKE_CURRENT_BINARY_DIR}/icinga2-setup-agent
+    DESTINATION ${CMAKE_INSTALL_SBINDIR}
+    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+  )
+
+  install(
+    FILES openssl.cnf openssl-quiet.cnf pkifuncs vars
    DESTINATION ${CMAKE_INSTALL_DATADIR}/icinga2/pki
  )
-endif()
+endif()
--- a/pki/icinga2-build-key.cmake
+++ b/pki/icinga2-build-key.cmake
@ -29,5 +29,5 @@ fi
 REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA_CA" openssl req -config $ICINGA2PKIDIR/openssl.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA_CA/$name.key -outform PEM -out $ICINGA_CA/$name.csr -nodes && \
 	openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$name.csr -outform PEM -out $ICINGA_CA/$name.tmp -CAserial $ICINGA_CA/serial && \
 	chmod 600 $ICINGA_CA/$name.key && \
-	openssl x509 -in $ICINGA_CA/$name.tmp -text >  $ICINGA_CA/$name.crt && \
+	openssl x509 -in $ICINGA_CA/$name.tmp -text > $ICINGA_CA/$name.crt && \
 	rm -f $ICINGA_CA/$name.csr $ICINGA_CA/$name.tmp
--- a/pki/icinga2-setup-agent.cmake
+++ b/pki/icinga2-setup-agent.cmake
@ -0,0 +1,70 @@
+#!/bin/bash
+ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
+ICINGA2CONFIG=@CMAKE_INSTALL_FULL_SYSCONFDIR@/icinga2
+
+if [ -n "$1" ]; then
+	if [ ! -e $ICINGA2CONFIG/pki/agent/agent.key ]; then
+		echo "You haven't generated a private key for this Icinga 2 instance"
+		echo "yet. Please run this script without any parameters to generate a key."
+		exit 1
+	fi
+
+	if [ ! -e "$1" ]; then
+		echo "The specified key bundle does not exist."
+		exit 1
+	fi
+
+	tar -C /etc/icinga2/pki/agent/agent.crt xf "$1"
+
+	cat >$ICINGACONFIG/features-available/agent.conf <<AGENT
+/**
+ * The agent listener accepts checks from agents.
+ */
+
+library "agent"
+
+object AgentListener "agent" {
+  cert_path = SysconfDir + "/icinga2/pki/agent.crt"
+  key_path = SysconfDir + "/icinga2/pki/agent.key"
+  ca_path = SysconfDir + "/icinga2/pki/ca.crt"
+
+  bind_port = 7000
+}
+AGENT
+
+	$CMAKE_INSTALL_FULL_SBINDIR@/icinga2-enable-feature agent
+
+	echo "The key bundle was installed successfully and the agent component"
+	echo "was enabled. Please make sure to restart Icinga 2 for these changes"
+	echo "to take effect."
+	exit 0
+fi
+
+name=$(hostname --fqdn)
+
+echo "Host name: $name"
+
+mkdir -p $ICINGA2CONFIG/pki/agent
+chmod 700 $ICINGA2CONFIG/pki
+chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki || exit 1
+chmod 700 $ICINGA2CONFIG/pki/agent
+chown @ICINGA2_USER@:@ICINGA2_GROUP@ $ICINGA2CONFIG/pki/agent || exit 1
+
+if [ -e $ICINGA2CONFIG/pki/agent/agent.key ]; then
+	echo "You already have agent certificates in $ICINGA2CONFIG/pki/agent/"
+	exit 1
+fi
+
+REQ_COMMON_NAME="$name" KEY_DIR="$ICINGA2CONFIG/pki/agent" openssl req -config $ICINGA2PKIDIR/openssl-quiet.cnf -new -newkey rsa:4096 -keyform PEM -keyout $ICINGA2CONFIG/pki/agent/agent.key -outform PEM -out $ICINGA2CONFIG/pki/agent/agent.csr -nodes && \
+	chmod 600 $ICINGA2CONFIG/pki/agent/agent.key
+
+echo "Please sign the following X509 CSR using the Agent CA:"
+echo ""
+
+cat $ICINGA2CONFIG/pki/agent/agent.csr
+
+echo ""
+
+echo "You can use the icinga2-sign-key command to sign the CSR. Once signed the"
+echo "key bundle can be installed using $0 <bundle>."
+exit 0
--- a/pki/icinga2-sign-key.cmake
+++ b/pki/icinga2-sign-key.cmake
@ -0,0 +1,38 @@
+#!/bin/bash
+ICINGA2PKIDIR=@CMAKE_INSTALL_FULL_DATADIR@/icinga2/pki
+
+source $ICINGA2PKIDIR/pkifuncs
+
+if [ -z "$1" ]; then
+	echo "Syntax: $0 <csr-file>" >&2
+	exit 1
+fi
+
+csrfile=$1
+
+if [ ! -e "$csrfile" ]; then
+	echo "The specified CSR file does not exist."
+	exit 1
+fi
+
+pubkfile=$(basename -- ${csrfile%.*})
+
+check_pki_dir
+
+if [ ! -f $ICINGA_CA/ca.crt -o ! -f $ICINGA_CA/ca.key ]; then
+	echo "Please build a CA certificate first." >&2
+	exit 1
+fi
+
+[ -f $ICINGA_CA/vars ] && source $ICINGA_CA/vars
+
+openssl x509 -days "$REQ_DAYS" -CA $ICINGA_CA/ca.crt -CAkey $ICINGA_CA/ca.key -req -in $ICINGA_CA/$csrfile -outform PEM -out $ICINGA_CA/$csrfile.tmp -CAserial $ICINGA_CA/serial && \
+	openssl x509 -in $ICINGA_CA/$csrfile.tmp -text > $ICINGA_CA/$pubkfile.crt && \
+	rm -f $ICINGA_CA/$csrfile.tmp
+
+# Make an agent bundle file
+mkdir -p $ICINGA_CA/agent
+cp $ICINGA_CA/$pubkfile.crt $ICINGA_CA/agent/agent.crt
+cp $ICINGA_CA/ca.crt $ICINGA_CA/agent/ca.crt
+tar cf $ICINGA_CA/$pubkfile.bundle -C $ICINGA_CA/agent/ ca.crt agent.crt
+rm -rf $ICINGA_CA/agent
--- a/pki/openssl-quiet.cnf
+++ b/pki/openssl-quiet.cnf
@ -0,0 +1,238 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::KEY_DIR		# Where everything is kept
+certs		= $dir			# Where the issued certs are kept
+crl_dir		= $dir			# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/ca.crt 		# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/ca.key		# The private key
+RANDFILE	= $dir/.rand		# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_anything
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+prompt                  = no
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+CN                              = $ENV::REQ_COMMON_NAME
+
+# SET-ex3			= SET extension number 3
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=clientAuth,serverAuth
+keyUsage=digitalSignature
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always