
Have osdeploy initialize skip SSH regen

When prompted about regenerating key material that already exists, most people answer 'yes' and cause problems by cycling valid keys without realizing the significance.

Replace prompting with an emphasized warning instead.
This commit is contained in:
Jarrod Johnson 2022-08-29 11:10:45 -04:00
parent 2a3e6cd6f1
commit 570611f22b
2 changed files with 16 additions and 2 deletions


@ -292,11 +292,17 @@ def initialize(cmdset):
if cmdset.s:
didsomething = True
init_confluent_myname()
sshutil.initialize_ca()
try:
sshutil.initialize_ca()
except sshutil.AlreadyExists:
emprint('Skipping generation of SSH CA, already present and would likely be more problematic to regenerate than to reuse (if absolutely sure you want to discard old CA, then delete /etc/confluent/ssh/ca*')
if cmdset.a:
didsomething = True
init_confluent_myname()
sshutil.initialize_root_key(True, True)
try:
sshutil.initialize_root_key(True, True)
except sshutil.AlreadyExists:
emprint('Skipping generation of new automation key, already present and regeneration usually causes more problems. (If absolutely certain, delete /etc/confluent/ssh/automation*)')
if cmdset.p:
install_tftp_content()
if cmdset.l:
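Review bot: The CA warning passed to `emprint` is unbalanced — the parenthetical `(if absolutely sure you want to discard old CA, then delete /etc/confluent/ssh/ca*` never closes, so the operator-facing instruction reads as truncated; ending it with `... then delete /etc/confluent/ssh/ca*)` fixes it. Both skip messages would be more useful if they named the actual consequence of regenerating, which is presumably that host certificates and authorized keys issued under the old CA or automation key stop validating on already-deployed nodes, e.g. `(existing node host certificates would stop validating; if absolutely sure, delete /etc/confluent/ssh/ca*)`. Because the skip is only reported through `emprint` (whose output channel is not visible here) and `didsomething` is still set to `True`, a caller scripting `initialize -s` gets no return value or exit status telling it the CA was left untouched; consider at least emitting the skip on stderr so it survives stdout redirection. `initialize` starts before and continues after this hunk.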


@ -72,8 +72,14 @@ def get_passphrase():
phrase = phrase.decode('utf8')
return phrase
class AlreadyExists(Exception):
pass
def initialize_ca():
ouid = normalize_uid()
# if already there, skip, make warning
if os.path.exists('/etc/confluent/ssh/ca.pub'):
raise AlreadyExists()
try:
os.makedirs('/etc/confluent/ssh', mode=0o700)
except OSError as e:
@ -162,6 +168,8 @@ def initialize_root_key(generate, automation=False):
for currkey in glob.glob('/root/.ssh/*.pub'):
authorized.append(currkey)
if automation and generate:
if os.path.exists('/etc/confluent/ssh/automation'):
raise AlreadyExists()
subprocess.check_call(
['ssh-keygen', '-t', 'ed25519',
'-f','/etc/confluent/ssh/automation', '-N', get_passphrase(),
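Review bot: `initialize_ca` raises `AlreadyExists` only when `/etc/confluent/ssh/ca.pub` exists, while the `initialize_root_key` hunk tests only the private `/etc/confluent/ssh/automation`; a half-present key pair (private key without its `.pub`, or the reverse) passes either guard and generation proceeds against whatever survives, which is exactly the inconsistent key state this commit is trying to prevent (how the later `ssh-keygen` invocation handles an existing private key is outside this hunk). Test both halves in each place, e.g. `if any(os.path.exists(p) for p in ('/etc/confluent/ssh/ca', '/etc/confluent/ssh/ca.pub')):` in `initialize_ca` and the matching `automation`/`automation.pub` pair in `initialize_root_key`, so a partial `rm` cannot quietly trigger a fresh CA next to a still-trusted old private key. A missing `.pub` can normally be recovered from the private key with `ssh-keygen -y -f <key>` rather than minting a new CA, which is worth a comment next to the check. `initialize_ca` continues past this hunk and `initialize_root_key` begins before it.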