diff --git a/confluent_server/bin/osdeploy b/confluent_server/bin/osdeploy
index a9bb2d2d..9d343110 100644
--- a/confluent_server/bin/osdeploy
+++ b/confluent_server/bin/osdeploy
@@ -292,11 +292,17 @@ def initialize(cmdset):
     if cmdset.s:
         didsomething = True
         init_confluent_myname()
-        sshutil.initialize_ca()
+        try:
+            sshutil.initialize_ca()
+        except sshutil.AlreadyExists:
+            emprint('Skipping generation of SSH CA, already present and would likely be more problematic to regenerate than to reuse (if absolutely sure you want to discard old CA, then delete /etc/confluent/ssh/ca*')
     if cmdset.a:
         didsomething = True
         init_confluent_myname()
-        sshutil.initialize_root_key(True, True)
+        try:
+            sshutil.initialize_root_key(True, True)
+        except sshutil.AlreadyExists:
+            emprint('Skipping generation of new automation key, already present and regeneration usually causes more problems. (If absolutely certain, delete /etc/confluent/ssh/automation*)')
     if cmdset.p:
         install_tftp_content()
     if cmdset.l:
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index da6a60f6..41b300e6 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -72,8 +72,14 @@ def get_passphrase():
     phrase = phrase.decode('utf8')
     return phrase
 
+class AlreadyExists(Exception):
+    pass
+
 def initialize_ca():
     ouid = normalize_uid()
+    # if already there, skip, make warning
+    if os.path.exists('/etc/confluent/ssh/ca.pub'):
+        raise AlreadyExists()
     try:
         os.makedirs('/etc/confluent/ssh', mode=0o700)
     except OSError as e:
@@ -162,6 +168,8 @@ def initialize_root_key(generate, automation=False):
     for currkey in glob.glob('/root/.ssh/*.pub'):
         authorized.append(currkey)
     if automation and generate:
+        if os.path.exists('/etc/confluent/ssh/automation'):
+            raise AlreadyExists()
         subprocess.check_call(
             ['ssh-keygen', '-t', 'ed25519', '-f','/etc/confluent/ssh/automation', '-N', get_passphrase(),
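Review bot: The emprint message in the `cmdset.s` branch opens a parenthesis at "(if absolutely sure" and never closes it, so the operator sees a dangling hint; end it as `... then delete /etc/confluent/ssh/ca*)'` to match the style of the automation-key message below it. Both branches also set `didsomething = True` before the call that may now be skipped, which is presumably intended (a skip is still a successful run) but worth a one-line comment such as `# an existing CA/key is kept on purpose; see sshutil.AlreadyExists` so the next reader does not treat it as an oversight. The body of `initialize` continues outside the hunk.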
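Review bot: In `initialize_ca` the new existence check is placed after `ouid = normalize_uid()` but raises before whatever later code restores `ouid`; if normalize_uid changes the effective uid (its body is not visible here), an AlreadyExists exit leaves the process running with that changed identity, so the check is safer above the `ouid = normalize_uid()` line. The check also tests only `ca.pub`, while the operator message in osdeploy tells them to delete `ca*`; a leftover private `ca` with no `ca.pub` would fall through to key generation over the existing file, so consider `if any(os.path.exists(p) for p in ('/etc/confluent/ssh/ca', '/etc/confluent/ssh/ca.pub')):`. The same after-`normalize_uid` placement question applies to the check added in `initialize_root_key`, whose hunk is cut off at the end of this view. The remainder of `initialize_ca` is outside the hunk.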