harbor/make/prepare

618 lines
28 KiB
Plaintext
Raw Normal View History

2016-02-01 12:59:10 +01:00
#!/usr/bin/python
2016-04-15 11:23:40 +02:00
# -*- coding: utf-8 -*-
from __future__ import print_function, unicode_literals # We require Python 2.6 or later
2016-02-01 12:59:10 +01:00
from string import Template
import random
2016-04-15 11:23:40 +02:00
import os
2016-04-18 10:01:44 +02:00
import sys
import string
import argparse
import subprocess
2016-10-14 11:13:15 +02:00
import shutil
2016-04-15 11:23:40 +02:00
from io import open
2016-04-18 10:01:44 +02:00
if sys.version_info[:3][0] == 2:
2016-04-15 11:23:40 +02:00
import ConfigParser as ConfigParser
import StringIO as StringIO
2016-04-18 10:01:44 +02:00
if sys.version_info[:3][0] == 3:
2016-04-15 11:23:40 +02:00
import configparser as ConfigParser
import io as StringIO
DATA_VOL = "/data"
2017-02-20 11:40:05 +01:00
def validate(conf, args):
if args.ha_mode:
db_host = rcp.get("configuration", "db_host")
if db_host == "mysql":
raise Exception("Error: In HA mode, db_host in harbor.cfg needs to point to an external DB address.")
registry_storage_provider_name = rcp.get("configuration",
"registry_storage_provider_name").strip()
if registry_storage_provider_name == "filesystem" and not args.yes:
msg = 'Is the Harbor Docker Registry configured to use shared storage (e.g. NFS, Ceph etc.)? [yes/no]:'
if raw_input(msg).lower() != "yes":
raise Exception("Error: In HA mode, shared storage configuration for Docker Registry in harbor.cfg is required. Refer to HA installation guide for details.")
redis_url = rcp.get("configuration", "redis_url")
if redis_url is None or len(redis_url) < 1:
raise Exception("Error: In HA mode, redis_url in harbor.cfg needs to point to a Redis cluster.")
if args.notary_mode:
raise Exception("Error: HA mode doesn't support Notary currently")
if args.clair_mode:
clair_db_host = rcp.get("configuration", "clair_db_host")
if "postgres" == clair_db_host:
raise Exception("Error: In HA mode, clair_db_host in harbor.cfg needs to point to an external Postgres DB address.")
cert_path = rcp.get("configuration", "ssl_cert")
cert_key_path = rcp.get("configuration", "ssl_cert_key")
shared_cert_key = os.path.join(base_dir, "ha", os.path.basename(cert_key_path))
shared_cert_path = os.path.join(base_dir, "ha", os.path.basename(cert_path))
if os.path.isfile(shared_cert_key):
shutil.copy2(shared_cert_key, cert_key_path)
if os.path.isfile(shared_cert_path):
shutil.copy2(shared_cert_path, cert_path)
2016-10-14 11:13:15 +02:00
protocol = rcp.get("configuration", "ui_url_protocol")
2017-02-20 11:40:05 +01:00
if protocol != "https" and args.notary_mode:
raise Exception("Error: the protocol must be https when Harbor is deployed with Notary")
2016-10-14 11:13:15 +02:00
if protocol == "https":
if not rcp.has_option("configuration", "ssl_cert"):
raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
cert_path = rcp.get("configuration", "ssl_cert")
if not os.path.isfile(cert_path):
raise Exception("Error: The path for certificate: %s is invalid" % cert_path)
if not rcp.has_option("configuration", "ssl_cert_key"):
raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
cert_key_path = rcp.get("configuration", "ssl_cert_key")
if not os.path.isfile(cert_key_path):
raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path)
project_creation = rcp.get("configuration", "project_creation_restriction")
if project_creation != "everyone" and project_creation != "adminonly":
raise Exception("Error invalid value for project_creation_restriction: %s" % project_creation)
2016-10-14 11:13:15 +02:00
#To meet security requirement
#By default it will change file mode to 0600, and make the owner of the file to 10000:10000
def mark_file(path, mode=0o600, uid=10000, gid=10000):
os.chmod(path, mode)
os.chown(path, uid, gid)
def prepare_ha(conf, args):
#files under ha folder will have high prority
protocol = rcp.get("configuration", "ui_url_protocol")
if protocol == "https":
#copy nginx certificate
cert_path = rcp.get("configuration", "ssl_cert")
cert_key_path = rcp.get("configuration", "ssl_cert_key")
shared_cert_key = os.path.join(base_dir, "ha", os.path.basename(cert_key_path))
shared_cert_path = os.path.join(base_dir, "ha", os.path.basename(cert_path))
if os.path.isfile(shared_cert_key):
shutil.copy2(shared_cert_key, cert_key_path)
else:
if os.path.isfile(cert_key_path):
shutil.copy2(cert_key_path, shared_cert_key)
if os.path.isfile(shared_cert_path):
shutil.copy2(shared_cert_path, cert_path)
else:
if os.path.isfile(cert_path):
shutil.copy2(cert_path, shared_cert_path)
#check if ca exsit
cert_ca_path = os.path.join(DATA_VOL, 'ca_download', 'ca.crt')
shared_ca_path = os.path.join(base_dir, "ha", os.path.basename(cert_ca_path))
if os.path.isfile(shared_ca_path):
shutil.copy2(shared_ca_path, cert_ca_path)
else:
if os.path.isfile(cert_ca_path):
shutil.copy2(cert_ca_path, shared_ca_path)
#check root.crt and priviate_key.pem
private_key_pem = os.path.join(config_dir, "ui", "private_key.pem")
root_crt = os.path.join(config_dir, "registry", "root.crt")
shared_private_key_pem = os.path.join(base_dir, "ha", "private_key.pem")
shared_root_crt = os.path.join(base_dir, "ha", "root.crt")
if os.path.isfile(shared_private_key_pem):
shutil.copy2(shared_private_key_pem, private_key_pem)
else:
if os.path.isfile(private_key_pem):
shutil.copy2(private_key_pem, shared_private_key_pem)
if os.path.isfile(shared_root_crt):
shutil.copy2(shared_root_crt, root_crt)
else:
if os.path.isfile(root_crt):
shutil.copy2(root_crt, shared_root_crt)
#secretkey
shared_secret_key = os.path.join(base_dir, "ha", "secretkey")
secretkey_path = rcp.get("configuration", "secretkey_path")
secret_key = os.path.join(secretkey_path, "secretkey")
if os.path.isfile(shared_secret_key):
shutil.copy2(shared_secret_key, secret_key)
else:
if os.path.isfile(secret_key):
shutil.copy2(secret_key, shared_secret_key)
def get_secret_key(path):
secret_key = _get_secret(path, "secretkey")
if len(secret_key) != 16:
raise Exception("secret key's length has to be 16 chars, current length: %d" % len(secret_key))
return secret_key
def get_alias(path):
alias = _get_secret(path, "defaultalias", length=8)
return alias
def _get_secret(folder, filename, length=16):
key_file = os.path.join(folder, filename)
if os.path.isfile(key_file):
with open(key_file, 'r') as f:
key = f.read()
print("loaded secret from file: %s" % key_file)
mark_file(key_file)
return key
if not os.path.isdir(folder):
os.makedirs(folder)
key = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(length))
with open(key_file, 'w') as f:
f.write(key)
print("Generated and saved secret to file: %s" % key_file)
mark_file(key_file)
return key
2016-10-19 08:32:00 +02:00
def prep_conf_dir(root, *name):
absolute_path = os.path.join(root, *name)
2017-02-20 11:40:05 +01:00
if not os.path.exists(absolute_path):
os.makedirs(absolute_path)
return absolute_path
def render(src, dest, **kw):
t = Template(open(src, 'r').read())
with open(dest, 'w') as f:
f.write(t.substitute(**kw))
print("Generated configuration file: %s" % dest)
2016-10-19 08:32:00 +02:00
base_dir = os.path.dirname(__file__)
config_dir = os.path.join(base_dir, "common/config")
templates_dir = os.path.join(base_dir, "common/templates")
2017-02-20 11:40:05 +01:00
def delfile(src):
if os.path.isfile(src):
try:
os.remove(src)
print("Clearing the configuration file: %s" % src)
except:
pass
elif os.path.isdir(src):
for item in os.listdir(src):
itemsrc=os.path.join(src,item)
delfile(itemsrc)
parser = argparse.ArgumentParser()
2017-02-20 04:16:55 +01:00
parser.add_argument('--conf', dest='cfgfile', default=base_dir+'/harbor.cfg',type=str,help="the path of Harbor configuration file")
2017-02-20 11:40:05 +01:00
parser.add_argument('--with-notary', dest='notary_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with notary")
parser.add_argument('--with-clair', dest='clair_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with clair")
parser.add_argument('--ha', dest='ha_mode', default=False, action='store_true', help="the Harbor instance is to be deployed in HA mode")
parser.add_argument('--yes', dest='yes', default=False, action='store_true', help="Answer yes to all questions")
args = parser.parse_args()
2017-02-20 11:40:05 +01:00
delfile(config_dir)
#Read configurations
conf = StringIO.StringIO()
conf.write("[configuration]\n")
conf.write(open(args.cfgfile).read())
conf.seek(0, os.SEEK_SET)
2016-04-15 11:23:40 +02:00
rcp = ConfigParser.RawConfigParser()
rcp.readfp(conf)
2017-02-20 11:40:05 +01:00
validate(rcp, args)
reload_config = rcp.get("configuration", "reload_config") if rcp.has_option(
"configuration", "reload_config") else "false"
2016-04-15 11:23:40 +02:00
hostname = rcp.get("configuration", "hostname")
2016-10-14 11:13:15 +02:00
protocol = rcp.get("configuration", "ui_url_protocol")
public_url = protocol + "://" + hostname
email_identity = rcp.get("configuration", "email_identity")
2017-01-12 11:29:02 +01:00
email_host = rcp.get("configuration", "email_server")
email_port = rcp.get("configuration", "email_server_port")
email_usr = rcp.get("configuration", "email_username")
email_pwd = rcp.get("configuration", "email_password")
2016-04-15 11:23:40 +02:00
email_from = rcp.get("configuration", "email_from")
email_ssl = rcp.get("configuration", "email_ssl")
email_insecure = rcp.get("configuration", "email_insecure")
2016-04-15 11:23:40 +02:00
harbor_admin_password = rcp.get("configuration", "harbor_admin_password")
auth_mode = rcp.get("configuration", "auth_mode")
ldap_url = rcp.get("configuration", "ldap_url")
2016-08-18 12:31:41 +02:00
# this two options are either both set or unset
if rcp.has_option("configuration", "ldap_searchdn"):
ldap_searchdn = rcp.get("configuration", "ldap_searchdn")
ldap_search_pwd = rcp.get("configuration", "ldap_search_pwd")
else:
ldap_searchdn = ""
ldap_search_pwd = ""
2016-04-15 11:23:40 +02:00
ldap_basedn = rcp.get("configuration", "ldap_basedn")
2016-08-18 12:31:41 +02:00
# ldap_filter is null by default
if rcp.has_option("configuration", "ldap_filter"):
ldap_filter = rcp.get("configuration", "ldap_filter")
else:
ldap_filter = ""
ldap_uid = rcp.get("configuration", "ldap_uid")
ldap_scope = rcp.get("configuration", "ldap_scope")
2017-01-12 11:29:02 +01:00
ldap_timeout = rcp.get("configuration", "ldap_timeout")
ldap_verify_cert = rcp.get("configuration", "ldap_verify_cert")
2018-03-14 12:07:06 +01:00
ldap_group_basedn = rcp.get("configuration", "ldap_group_basedn")
ldap_group_filter = rcp.get("configuration", "ldap_group_filter")
ldap_group_gid = rcp.get("configuration", "ldap_group_gid")
ldap_group_scope = rcp.get("configuration", "ldap_group_scope")
2016-04-15 11:23:40 +02:00
db_password = rcp.get("configuration", "db_password")
2017-09-22 04:46:02 +02:00
db_host = rcp.get("configuration", "db_host")
db_user = rcp.get("configuration", "db_user")
db_port = rcp.get("configuration", "db_port")
2016-04-15 11:23:40 +02:00
self_registration = rcp.get("configuration", "self_registration")
2016-10-14 11:13:15 +02:00
if protocol == "https":
cert_path = rcp.get("configuration", "ssl_cert")
cert_key_path = rcp.get("configuration", "ssl_cert_key")
customize_crt = rcp.get("configuration", "customize_crt")
max_job_workers = rcp.get("configuration", "max_job_workers")
2016-08-08 05:21:48 +02:00
token_expiration = rcp.get("configuration", "token_expiration")
proj_cre_restriction = rcp.get("configuration", "project_creation_restriction")
2016-12-12 05:39:11 +01:00
secretkey_path = rcp.get("configuration", "secretkey_path")
2017-03-16 09:09:05 +01:00
if rcp.has_option("configuration", "admiral_url"):
admiral_url = rcp.get("configuration", "admiral_url")
else:
admiral_url = ""
clair_db_password = rcp.get("configuration", "clair_db_password")
clair_db_host = rcp.get("configuration", "clair_db_host")
clair_db_port = rcp.get("configuration", "clair_db_port")
clair_db_username = rcp.get("configuration", "clair_db_username")
clair_db = rcp.get("configuration", "clair_db")
uaa_endpoint = rcp.get("configuration", "uaa_endpoint")
uaa_clientid = rcp.get("configuration", "uaa_clientid")
uaa_clientsecret = rcp.get("configuration", "uaa_clientsecret")
uaa_verify_cert = rcp.get("configuration", "uaa_verify_cert")
uaa_ca_cert = rcp.get("configuration", "uaa_ca_cert")
2016-12-12 05:39:11 +01:00
secret_key = get_secret_key(secretkey_path)
2017-11-08 06:07:27 +01:00
log_rotate_count = rcp.get("configuration", "log_rotate_count")
log_rotate_size = rcp.get("configuration", "log_rotate_size")
if rcp.has_option("configuration", "redis_url"):
redis_url = rcp.get("configuration", "redis_url")
else:
redis_url = ""
if rcp.has_option("configuration", "skip_reload_env_pattern"):
skip_reload_env_pattern = rcp.get("configuration", "skip_reload_env_pattern")
else:
skip_reload_env_pattern = "$^"
storage_provider_name = rcp.get("configuration", "registry_storage_provider_name").strip()
storage_provider_config = rcp.get("configuration", "registry_storage_provider_config").strip()
# yaml requires 1 or more spaces between the key and value
storage_provider_config = storage_provider_config.replace(":", ": ", 1)
ui_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))
jobservice_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))
2017-01-12 11:29:02 +01:00
adminserver_config_dir = os.path.join(config_dir,"adminserver")
if not os.path.exists(adminserver_config_dir):
os.makedirs(os.path.join(config_dir, "adminserver"))
2017-02-20 11:40:05 +01:00
ui_config_dir = prep_conf_dir(config_dir,"ui")
ui_certificates_dir = prep_conf_dir(ui_config_dir,"certificates")
2017-02-20 11:40:05 +01:00
db_config_dir = prep_conf_dir(config_dir, "db")
job_config_dir = prep_conf_dir(config_dir, "jobservice")
registry_config_dir = prep_conf_dir(config_dir, "registry")
nginx_config_dir = prep_conf_dir (config_dir, "nginx")
nginx_conf_d = prep_conf_dir(nginx_config_dir, "conf.d")
2017-10-13 10:06:25 +02:00
log_config_dir = prep_conf_dir (config_dir, "log")
2016-02-01 12:59:10 +01:00
2017-01-12 11:29:02 +01:00
adminserver_conf_env = os.path.join(config_dir, "adminserver", "env")
2016-02-01 12:59:10 +01:00
ui_conf_env = os.path.join(config_dir, "ui", "env")
2016-04-15 11:23:40 +02:00
ui_conf = os.path.join(config_dir, "ui", "app.conf")
ui_cert_dir = os.path.join(config_dir, "ui", "certificates")
jobservice_conf = os.path.join(config_dir, "jobservice", "config.yml")
2016-02-01 12:59:10 +01:00
registry_conf = os.path.join(config_dir, "registry", "config.yml")
db_conf_env = os.path.join(config_dir, "db", "env")
job_conf_env = os.path.join(config_dir, "jobservice", "env")
2016-10-14 11:13:15 +02:00
nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
2017-10-13 10:06:25 +02:00
cert_dir = os.path.join(config_dir, "nginx", "cert")
2017-11-08 06:07:27 +01:00
log_rotate_config = os.path.join(config_dir, "log", "logrotate.conf")
adminserver_url = "http://adminserver:8080"
registry_url = "http://registry:5000"
ui_url = "http://ui:8080"
token_service_url = "http://ui:8080/service/token"
jobservice_url = "http://jobservice:8080"
clair_url = "http://clair:6060"
notary_url = "http://notary-server:4443"
2016-02-01 12:59:10 +01:00
if len(admiral_url) != 0 and admiral_url != "NA":
#VIC overwrites the data volume path, which by default should be same as the value of secretkey_path
DATA_VOL = secretkey_path
JOB_LOG_DIR = os.path.join(DATA_VOL, "job_logs")
if not os.path.exists(JOB_LOG_DIR):
os.makedirs(JOB_LOG_DIR)
mark_file(JOB_LOG_DIR, mode=0o755)
2016-10-14 11:13:15 +02:00
if protocol == "https":
target_cert_path = os.path.join(cert_dir, os.path.basename(cert_path))
2016-11-17 09:14:22 +01:00
if not os.path.exists(cert_dir):
os.makedirs(cert_dir)
2016-10-14 11:13:15 +02:00
shutil.copy2(cert_path,target_cert_path)
target_cert_key_path = os.path.join(cert_dir, os.path.basename(cert_key_path))
shutil.copy2(cert_key_path,target_cert_key_path)
render(os.path.join(templates_dir, "nginx", "nginx.https.conf"),
nginx_conf,
ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
else:
render(os.path.join(templates_dir, "nginx", "nginx.http.conf"),
nginx_conf)
#Use reload_key to avoid reload config after restart harbor
reload_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6)) if reload_config == "true" else ""
2017-01-12 11:29:02 +01:00
render(os.path.join(templates_dir, "adminserver", "env"),
2017-03-09 13:12:33 +01:00
adminserver_conf_env,
reload_config=reload_config,
public_url=public_url,
2017-03-09 13:12:33 +01:00
ui_url=ui_url,
auth_mode=auth_mode,
self_registration=self_registration,
2016-02-01 12:59:10 +01:00
ldap_url=ldap_url,
2016-08-18 12:31:41 +02:00
ldap_searchdn =ldap_searchdn,
ldap_search_pwd =ldap_search_pwd,
ldap_basedn=ldap_basedn,
2016-08-18 12:31:41 +02:00
ldap_filter=ldap_filter,
ldap_uid=ldap_uid,
ldap_scope=ldap_scope,
ldap_verify_cert=ldap_verify_cert,
2017-01-12 11:29:02 +01:00
ldap_timeout=ldap_timeout,
2018-03-14 12:07:06 +01:00
ldap_group_basedn=ldap_group_basedn,
ldap_group_filter=ldap_group_filter,
ldap_group_gid=ldap_group_gid,
ldap_group_scope=ldap_group_scope,
2017-01-12 11:29:02 +01:00
db_password=db_password,
2017-09-22 04:46:02 +02:00
db_host=db_host,
db_user=db_user,
db_port=db_port,
2017-03-09 13:12:33 +01:00
email_host=email_host,
email_port=email_port,
email_usr=email_usr,
email_pwd=email_pwd,
email_ssl=email_ssl,
email_insecure=email_insecure,
2017-03-09 13:12:33 +01:00
email_from=email_from,
email_identity=email_identity,
2017-01-12 11:29:02 +01:00
harbor_admin_password=harbor_admin_password,
2017-03-09 13:12:33 +01:00
project_creation_restriction=proj_cre_restriction,
max_job_workers=max_job_workers,
ui_secret=ui_secret,
jobservice_secret=jobservice_secret,
token_expiration=token_expiration,
admiral_url=admiral_url,
with_notary=args.notary_mode,
with_clair=args.clair_mode,
clair_db_password=clair_db_password,
clair_db_host=clair_db_host,
clair_db_port=clair_db_port,
clair_db_username=clair_db_username,
clair_db=clair_db,
uaa_endpoint=uaa_endpoint,
uaa_clientid=uaa_clientid,
uaa_clientsecret=uaa_clientsecret,
uaa_verify_cert=uaa_verify_cert,
storage_provider_name=storage_provider_name,
registry_url=registry_url,
token_service_url=token_service_url,
jobservice_url=jobservice_url,
clair_url=clair_url,
notary_url=notary_url,
reload_key=reload_key,
skip_reload_env_pattern=skip_reload_env_pattern
2017-01-12 11:29:02 +01:00
)
2016-02-01 12:59:10 +01:00
2017-01-12 11:29:02 +01:00
render(os.path.join(templates_dir, "ui", "env"),
2017-03-09 13:12:33 +01:00
ui_conf_env,
ui_secret=ui_secret,
jobservice_secret=jobservice_secret,
redis_url = redis_url,
adminserver_url = adminserver_url
)
registry_config_file = "config_ha.yml" if args.ha_mode else "config.yml"
if storage_provider_name == "filesystem":
if not storage_provider_config:
storage_provider_config = "rootdirectory: /storage"
elif "rootdirectory:" not in storage_provider_config:
storage_provider_config = "rootdirectory: /storage" + "," + storage_provider_config
# generate storage configuration section in yaml format
storage_provider_conf_list = [storage_provider_name + ':']
for c in storage_provider_config.split(","):
storage_provider_conf_list.append(c.strip())
storage_provider_info = ('\n' + ' ' * 4).join(storage_provider_conf_list)
render(os.path.join(templates_dir, "registry", registry_config_file),
registry_conf,
storage_provider_info=storage_provider_info,
public_url=public_url,
ui_url=ui_url,
redis_url=redis_url)
2016-02-01 12:59:10 +01:00
render(os.path.join(templates_dir, "db", "env"),
db_conf_env,
db_password=db_password)
render(os.path.join(templates_dir, "jobservice", "env"),
job_conf_env,
ui_secret=ui_secret,
jobservice_secret=jobservice_secret,
adminserver_url=adminserver_url)
render(os.path.join(templates_dir, "jobservice", "config.yml"),
jobservice_conf,
max_job_workers=max_job_workers,
redis_url=redis_url)
2017-10-13 10:06:25 +02:00
2017-11-08 06:07:27 +01:00
render(os.path.join(templates_dir, "log", "logrotate.conf"),
log_rotate_config,
log_rotate_count=log_rotate_count,
log_rotate_size=log_rotate_size)
2017-03-09 13:12:33 +01:00
2017-01-12 11:29:02 +01:00
shutil.copyfile(os.path.join(templates_dir, "ui", "app.conf"), ui_conf)
print("Generated configuration file: %s" % ui_conf)
2017-01-12 11:29:02 +01:00
if auth_mode == "uaa_auth":
if os.path.isfile(uaa_ca_cert):
if not os.path.isdir(ui_cert_dir):
os.makedirs(ui_cert_dir)
ui_uaa_ca = os.path.join(ui_cert_dir, "uaa_ca.pem")
print("Copying UAA CA cert to %s" % ui_uaa_ca)
shutil.copyfile(uaa_ca_cert, ui_uaa_ca)
else:
print("Can not find UAA CA cert: %s, skip" % uaa_ca_cert)
2017-01-12 11:29:02 +01:00
2016-04-25 10:08:16 +02:00
def validate_crt_subj(dirty_subj):
subj_list = [item for item in dirty_subj.strip().split("/") \
if len(item.split("=")) == 2 and len(item.split("=")[1]) > 0]
return "/" + "/".join(subj_list)
FNULL = open(os.devnull, 'w')
from functools import wraps
def stat_decorator(func):
2016-05-09 12:50:04 +02:00
@wraps(func)
def check_wrapper(*args, **kw):
stat = func(*args, **kw)
message = "Generated certificate, key file: %s, cert file: %s" % (kw['key_path'], kw['cert_path']) \
if stat == 0 else "Fail to generate key file: %s, cert file: %s" % (kw['key_path'], kw['cert_path'])
2016-04-25 10:08:16 +02:00
print(message)
if stat != 0:
sys.exit(1)
return check_wrapper
@stat_decorator
def create_root_cert(subj, key_path="./k.key", cert_path="./cert.crt"):
rc = subprocess.call(["openssl", "genrsa", "-out", key_path, "4096"], stdout=FNULL, stderr=subprocess.STDOUT)
if rc != 0:
return rc
return subprocess.call(["openssl", "req", "-new", "-x509", "-key", key_path,\
"-out", cert_path, "-days", "3650", "-subj", subj], stdout=FNULL, stderr=subprocess.STDOUT)
2016-04-25 10:08:16 +02:00
@stat_decorator
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt"):
cert_dir = os.path.dirname(cert_path)
csr_path = os.path.join(cert_dir, "tmp.csr")
rc = subprocess.call(["openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\
"-out", csr_path, "-subj", subj], stdout=FNULL, stderr=subprocess.STDOUT)
if rc != 0:
return rc
return subprocess.call(["openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \
ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-out", cert_path], stdout=FNULL, stderr=subprocess.STDOUT)
2016-04-25 10:08:16 +02:00
def openssl_installed():
shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT)
if shell_stat != 0:
2016-04-25 10:08:16 +02:00
print("Cannot find openssl installed in this computer\nUse default SSL certificate file")
return False
return True
2016-04-25 10:08:16 +02:00
if customize_crt == 'on' and openssl_installed():
2016-04-25 10:08:16 +02:00
shell_stat = subprocess.check_call(["which", "openssl"], stdout=FNULL, stderr=subprocess.STDOUT)
empty_subj = "/C=/ST=/L=/O=/CN=/"
private_key_pem = os.path.join(config_dir, "ui", "private_key.pem")
root_crt = os.path.join(config_dir, "registry", "root.crt")
create_root_cert(empty_subj, key_path=private_key_pem, cert_path=root_crt)
mark_file(private_key_pem)
mark_file(root_crt)
else:
print("Copied configuration file: %s" % ui_config_dir + "private_key.pem")
shutil.copyfile(os.path.join(templates_dir, "ui", "private_key.pem"), os.path.join(ui_config_dir, "private_key.pem"))
print("Copied configuration file: %s" % registry_config_dir + "root.crt")
shutil.copyfile(os.path.join(templates_dir, "registry", "root.crt"), os.path.join(registry_config_dir, "root.crt"))
2017-02-20 11:40:05 +01:00
if args.notary_mode:
notary_config_dir = prep_conf_dir(config_dir, "notary")
notary_temp_dir = os.path.join(templates_dir, "notary")
print("Copying sql file for notary DB")
# if os.path.exists(os.path.join(notary_config_dir, "postgresql-initdb.d")):
# shutil.rmtree(os.path.join(notary_config_dir, "postgresql-initdb.d"))
# shutil.copytree(os.path.join(notary_temp_dir, "postgresql-initdb.d"), os.path.join(notary_config_dir, "postgresql-initdb.d"))
if customize_crt == 'on' and openssl_installed():
try:
temp_cert_dir = os.path.join(base_dir, "cert_tmp")
if not os.path.exists(temp_cert_dir):
os.makedirs(temp_cert_dir)
ca_subj = "/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=Self-signed by VMware, Inc."
cert_subj = "/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=notarysigner"
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
print("Copying certs for notary signer")
shutil.copy2(signer_cert_path, notary_config_dir)
shutil.copy2(signer_key_path, notary_config_dir)
shutil.copy2(signer_ca_cert, notary_config_dir)
finally:
srl_tmp = os.path.join(os.getcwd(), ".srl")
if os.path.isfile(srl_tmp):
os.remove(srl_tmp)
if os.path.isdir(temp_cert_dir):
shutil.rmtree(temp_cert_dir, True)
else:
print("Copying certs for notary signer")
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.crt"), notary_config_dir)
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer.key"), notary_config_dir)
shutil.copy2(os.path.join(notary_temp_dir, "notary-signer-ca.crt"), notary_config_dir)
2017-02-20 11:40:05 +01:00
shutil.copy2(os.path.join(registry_config_dir, "root.crt"), notary_config_dir)
mark_file(os.path.join(notary_config_dir, "notary-signer.crt"))
mark_file(os.path.join(notary_config_dir, "notary-signer.key"))
mark_file(os.path.join(notary_config_dir, "notary-signer-ca.crt"))
mark_file(os.path.join(notary_config_dir, "root.crt"))
2017-03-16 09:09:05 +01:00
print("Copying notary signer configuration file")
#Call render instead of copy so the umask will take effect to mark the file as 0644
render(os.path.join(notary_temp_dir, "signer-config.postgres.json"),
os.path.join(notary_config_dir, "signer-config.postgres.json"))
render(os.path.join(notary_temp_dir, "server-config.postgres.json"),
os.path.join(notary_config_dir, "server-config.postgres.json"),
token_endpoint=public_url)
2017-03-16 09:09:05 +01:00
print("Copying nginx configuration file for notary")
shutil.copy2(os.path.join(templates_dir, "nginx", "notary.upstream.conf"), nginx_conf_d)
2017-03-28 04:11:13 +02:00
render(os.path.join(templates_dir, "nginx", "notary.server.conf"),
os.path.join(nginx_conf_d, "notary.server.conf"),
ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
default_alias = get_alias(secretkey_path)
2017-02-20 11:40:05 +01:00
render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)
shutil.copy2(os.path.join(notary_temp_dir, "server_env"), notary_config_dir)
2017-02-20 11:40:05 +01:00
if args.clair_mode:
clair_temp_dir = os.path.join(templates_dir, "clair")
clair_config_dir = prep_conf_dir(config_dir, "clair")
if os.path.exists(os.path.join(clair_config_dir, "postgresql-init.d")):
print("Copying offline data file for clair DB")
shutil.rmtree(os.path.join(clair_config_dir, "postgresql-init.d"))
shutil.copytree(os.path.join(clair_temp_dir, "postgresql-init.d"), os.path.join(clair_config_dir, "postgresql-init.d"))
postgres_env = os.path.join(clair_config_dir, "postgres_env")
render(os.path.join(clair_temp_dir, "postgres_env"), postgres_env, password = clair_db_password)
clair_conf = os.path.join(clair_config_dir, "config.yaml")
render(os.path.join(clair_temp_dir, "config.yaml"),
clair_conf,
password = clair_db_password,
username = clair_db_username,
host = clair_db_host,
port = clair_db_port,
dbname = clair_db)
# config http proxy for Clair
http_proxy = rcp.get("configuration", "http_proxy").strip()
https_proxy = rcp.get("configuration", "https_proxy").strip()
no_proxy = rcp.get("configuration", "no_proxy").strip()
clair_env = os.path.join(clair_config_dir, "clair_env")
render(os.path.join(clair_temp_dir, "clair_env"), clair_env,
http_proxy = http_proxy,
https_proxy = https_proxy,
no_proxy = no_proxy)
if args.ha_mode:
prepare_ha(rcp, args)
FNULL.close()
print("The configuration files are ready, please use docker-compose to start the service.")