[Linux-cluster] Problem with automating ricci & ccs

Jan Pokorný jpokorny at redhat.com
Wed Jan 16 13:14:56 UTC 2013


Hello Jakov,

On 14/01/13 02:47 +0100, Jakov Sosic wrote:
> Hi.
> 
> I'm using CentOS 6, and have a problem with ccs & ricci.
> 
> At first use, ccs asks for password for each node. After that, ~/.ccs is
> generated with cert in it.
> 
> 1. I've found how to generate private key in ~/.ccs from the code in ccs
> python executable (/usr/sbin/ccs).
> 
> 2. I've also found how to generate CA in /var/lib/ricci/certs => code for
> that can be found in init script of ricci (/etc/init.d/ricci).
> 
> But what I am missing is how to use the user key/certificate from step 1 and
> sign it into CA in step 2?

The point here is that once the public certificate of ccs is recognized by
ricci as authorized by supplying the password within the initial session,
any other session will be passwordless, based only on the "proved"
client's certificate.

Your intention seems to be to skip the initial phase involving password,
is it the case?  This should be doable by forcing ccs to generate its
certificate by doing some NO-OP, then copying (scp?) the public part
to the predefined destination at the machine with ricci installed,
e.g.:

  [root at client1]# ccs -h localhost -p IGNOREME --getconf &>/dev/null
  [root at client1]# PUBLIC_CERT=~/.ccs/cacert.pem
  [root at client1]# RICCI_CLIENTS=/var/lib/ricci/certs/clients
  [root at client1]# UNIQUE_SUFFIX=$(hostname | sha1sum | cut -b1-6)
  [root at client1]# RICCI_CERT=${RICCI_CLIENTS}/client_cert_${UNIQUE_SUFFIX}
  [root at client1]# scp $PUBLIC_CERT riccihost:$RICCI_CERT

Please note that 'sha1sum' command in the above example is only used
to minimize possible collision at certificate filenames coming from
other machines (under highly improbable circumstances, collision can
still happen) that will possibly run the same sequence, and otherwise
does not guarantee any anonymity of the certificate within the ricci's
certs/clients directory.

Surely, the first step can be substituted by either using pregenerated
certificate + key on the locations expected by ccs (~/.ccs) or
generating them explicitly (e.g., by "openssl req") as part
of the process.  The point is that ccs-local and ricci-tracked
certificate (one of presumably many) matches.

> I'm building puppet module which will autoconfigure whole cluster from bare
> metal to working state. So far my only problem is updating cluster.conf, for
> which I need fully working ricci CA and user certificates in /root/.ccs of
> every node...

By any chance, are you willing to share the module or its skeleton
to the community?

> So, any ideas are welcome.

Hope the above helps.

-- 
Jan
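Added example, not from the thread: a POSIX shell helper for the ricci-side half of the procedure above. It names the installed client certificate after its own SHA-1 digest rather than the hostname's, so rerunning it (e.g. from Puppet) is idempotent and two distinct certificates cannot end up with the same filename. The clients directory path is the one from the thread; the function name and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): install a ccs client certificate into
# ricci's certs/clients directory under a name derived from the certificate's
# own SHA-1 digest. Same cert -> same file (safe to rerun); different certs ->
# different files, unlike a hostname-derived suffix. Paths follow the thread;
# the function name and exit codes are this example's own.
set -u

# install_client_cert CERT_PEM [CLIENTS_DIR]
# Prints the installed path on success. Exit codes:
#   0  installed, or already present with identical content
#   2  CERT_PEM is not a PEM certificate (or contains a private key)
#   3  a different file already occupies the target name
install_client_cert() {
    cert="$1"
    dir="${2:-/var/lib/ricci/certs/clients}"

    # Accept only a PEM certificate. ccs keeps its private key in a separate
    # file, and a private key must never be copied into ricci's clients dir.
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert" || return 2
    if grep -q 'PRIVATE KEY' "$cert"; then return 2; fi

    # Suffix from the certificate content, not from the hostname.
    suffix=$(sha1sum < "$cert" | cut -c1-12)
    target="$dir/client_cert_$suffix"

    mkdir -p "$dir"
    if [ -e "$target" ]; then
        # Identical content: nothing to do. Different content: refuse to clobber.
        cmp -s "$cert" "$target" && { printf '%s\n' "$target"; return 0; }
        return 3
    fi
    cp "$cert" "$target" && chmod 644 "$target" || return 1
    printf '%s\n' "$target"
}
```

Run it on the ricci host after copying ~/.ccs/cacert.pem over; the printed path is what ricci will find in certs/clients.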