| #!/bin/bash |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| |
| PROPS_FILE="$1" |
| KS_FILE="$2" |
| MODE="$3" |
| CERT_FILE="$4" |
| CERT=$(echo "$5" | tr '^' '\n' | tr '~' ' ') |
| CACERT_FILE="$6" |
| CACERT=$(echo "$7" | tr '^' '\n' | tr '~' ' ') |
| PRIVKEY_FILE="$8" |
| PRIVKEY=$(echo "$9" | tr '^' '\n' | tr '~' ' ') |
| |
| ALIAS="cloud" |
| SYSTEM_FILE="/var/cache/cloud/cmdline" |
| LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf" |
| |
| # Find keystore password |
| KS_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null) |
| |
| if [ -z "${KS_PASS// }" ]; then |
| echo "Failed to find keystore passphrase from file: $PROPS_FILE, quiting!" |
| exit 1 |
| fi |
| |
| # Import certificate |
| if [ ! -z "${CERT// }" ]; then |
| echo "$CERT" > "$CERT_FILE" |
| fi |
| |
| # Import ca certs |
| if [ ! -z "${CACERT// }" ]; then |
| echo "$CACERT" > "$CACERT_FILE" |
| fi |
| |
| # Import cacerts into the keystore |
| awk '/-----BEGIN CERTIFICATE-----?/{n++}{print > "cloudca." n }' "$CACERT_FILE" |
| for caChain in $(ls cloudca.*); do |
| keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true |
| keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1 |
| done |
| rm -f cloudca.* |
| |
| # Stop cloud service in systemvm |
| if [ "$MODE" == "ssh" ] && [ -f $SYSTEM_FILE ]; then |
| systemctl stop cloud > /dev/null 2>&1 |
| fi |
| |
| # Import private key if available |
| if [ ! -z "${PRIVKEY// }" ]; then |
| echo "$PRIVKEY" > "$PRIVKEY_FILE" |
| # Re-initialize keystore when private key is provided |
| keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null || true |
| openssl pkcs12 -export -name "$ALIAS" -in "$CERT_FILE" -inkey "$PRIVKEY_FILE" -out "$KS_FILE.p12" -password pass:"$KS_PASS" > /dev/null 2>&1 |
| keytool -importkeystore -srckeystore "$KS_FILE.p12" -destkeystore "$KS_FILE" -srcstoretype PKCS12 -alias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1 |
| else |
| # Import certificate into the keystore |
| keytool -import -storepass "$KS_PASS" -alias "$ALIAS" -file "$CERT_FILE" -keystore "$KS_FILE" > /dev/null 2>&1 || true |
| # Export private key from keystore |
| rm -f "$PRIVKEY_FILE" |
| keytool -importkeystore -srckeystore "$KS_FILE" -destkeystore "$KS_FILE.p12" -deststoretype PKCS12 -srcalias "$ALIAS" -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" -srcstorepass "$KS_PASS" -srckeypass "$KS_PASS" > /dev/null 2>&1 |
| openssl pkcs12 -in "$KS_FILE.p12" -nodes -nocerts -nomac -password pass:"$KS_PASS" 2>/dev/null | openssl rsa -out "$PRIVKEY_FILE" > /dev/null 2>&1 |
| fi |
| |
| rm -f "$KS_FILE.p12" |
| |
| # Secure libvirtd on cert import |
| if [ -f "$LIBVIRTD_FILE" ]; then |
| mkdir -p /etc/pki/CA |
| mkdir -p /etc/pki/libvirt/private |
| ln -sf /etc/cloudstack/agent/cloud.ca.crt /etc/pki/CA/cacert.pem |
| ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/clientcert.pem |
| ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem |
| ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem |
| ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem |
| cloudstack-setup-agent -s > /dev/null |
| fi |
| |
| # Update ca-certs if we're in systemvm |
| if [ -f "$SYSTEM_FILE" ]; then |
| mkdir -p /usr/local/share/ca-certificates/cloudstack |
| cp "$CACERT_FILE" /usr/local/share/ca-certificates/cloudstack/ca.crt |
| chmod 755 /usr/local/share/ca-certificates/cloudstack |
| chmod 644 /usr/local/share/ca-certificates/cloudstack/ca.crt |
| update-ca-certificates > /dev/null 2>&1 || true |
| |
| # Ensure cloud service is running in systemvm |
| if [ "$MODE" == "ssh" ]; then |
| systemctl start cloud > /dev/null 2>&1 |
| fi |
| fi |
| |
| # Fix file permission |
| chmod 600 $CACERT_FILE |
| chmod 600 $CERT_FILE |
| chmod 600 $PRIVKEY_FILE |