mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-25 19:10:10 +00:00
Have osdeploy initialize skip SSH regen
When generating new key materials, most people say 'yes' and cause problems where they cycle valid keys without realizing the significance. Replace prompting with an emphasized warning instead.
parent
2a3e6cd6f1
commit
570611f22b
@ -292,11 +292,17 @@ def initialize(cmdset):
|
||||
if cmdset.s:
|
||||
didsomething = True
|
||||
init_confluent_myname()
|
||||
sshutil.initialize_ca()
|
||||
try:
|
||||
sshutil.initialize_ca()
|
||||
except sshutil.AlreadyExists:
|
||||
emprint('Skipping generation of SSH CA, already present and would likely be more problematic to regenerate than to reuse (if absolutely sure you want to discard old CA, then delete /etc/confluent/ssh/ca*')
|
||||
if cmdset.a:
|
||||
didsomething = True
|
||||
init_confluent_myname()
|
||||
sshutil.initialize_root_key(True, True)
|
||||
try:
|
||||
sshutil.initialize_root_key(True, True)
|
||||
except sshutil.AlreadyExists:
|
||||
emprint('Skipping generation of new automation key, already present and regeneration usually causes more problems. (If absolutely certain, delete /etc/confluent/ssh/automation*)')
|
||||
if cmdset.p:
|
||||
install_tftp_content()
|
||||
if cmdset.l:
|
||||
|
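Review bot: Both `except sshutil.AlreadyExists` branches treat the exception as "nothing left to do", yet in the sshutil hunks of this commit it is raised from the middle of `initialize_ca()` and `initialize_root_key()`. Whatever those functions do after key generation is therefore skipped on every re-run as well; those later steps are outside the visible lines, so this needs confirming. If skipping them is intended, say so next to each handler, e.g. `# AlreadyExists: existing key kept; the rest of the sshutil call is skipped too`. The first message also never closes its parenthesis and should end `delete /etc/confluent/ssh/ca*)`. The body of `initialize(cmdset)` starts and ends outside the hunk.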
@ -72,8 +72,14 @@ def get_passphrase():
|
||||
phrase = phrase.decode('utf8')
|
||||
return phrase
|
||||
|
||||
class AlreadyExists(Exception):
|
||||
pass
|
||||
|
||||
def initialize_ca():
|
||||
ouid = normalize_uid()
|
||||
# if already there, skip, make warning
|
||||
if os.path.exists('/etc/confluent/ssh/ca.pub'):
|
||||
raise AlreadyExists()
|
||||
try:
|
||||
os.makedirs('/etc/confluent/ssh', mode=0o700)
|
||||
except OSError as e:
|
||||
@ -162,6 +168,8 @@ def initialize_root_key(generate, automation=False):
|
||||
for currkey in glob.glob('/root/.ssh/*.pub'):
|
||||
authorized.append(currkey)
|
||||
if automation and generate:
|
||||
if os.path.exists('/etc/confluent/ssh/automation'):
|
||||
raise AlreadyExists()
|
||||
subprocess.check_call(
|
||||
['ssh-keygen', '-t', 'ed25519',
|
||||
'-f','/etc/confluent/ssh/automation', '-N', get_passphrase(),
|
||||
|
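Review bot: In `initialize_ca()` the new `raise AlreadyExists()` sits after `ouid = normalize_uid()` but before the `try:` that follows, so the exception leaves the function without passing through any cleanup attached to that `try`. If `normalize_uid()` changes the effective uid, as the saved `ouid` suggests (its body is not shown), the caller catches the exception and carries on with later initialize steps under the switched uid. Restoring the saved uid before the `raise`, or moving the existence test inside the `try` so the existing cleanup still runs, would close that gap. The two guards also test different halves of a key pair: `ca.pub` for the CA but the private file `/etc/confluent/ssh/automation` for the automation key, so a half-present pair can pass a guard and still reach key generation. Checking both files in each guard would make the skip consistent with the `ca*` and `automation*` globs named in the warnings. Both function bodies continue outside the hunks.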