[Linux-cluster] Problem with automating ricci & ccs

Fri Jan 18 18:44:16 UTC 2013

On 01/16/2013 02:14 PM, Jan Pokorný wrote:

> The point here is that once the public certificate of ccs is recognized by
> ricci as authorized by supplying the password within the initial session,
> any other other session will be passwordless, based only on the "proved"
> client's certificate.
> 
> Your intention seems to be to skip the initial phase involving password,
> is it the case?  This should be doable by forcing ccs to generate its
> certificate by doing some NO-OP, then copying (scp?) the public part
> to the predefined destination at the machine with ricci installed,
> e.g.:
> 
>   [root at client1]# ccs -h localhost -p IGNOREME --getconf &>/dev/null
>   [root at client1]# PUBLIC_CERT=~/.ccs/cacert/pem
>   [root at client1]# RICCI_CLIENTS=/var/lib/ricci/certs/clients
>   [root at client1]# UNIQUE_SUFFIX=$(hostname | sha1sum | cut -b1-6)
>   [root at client1]# RICCI_CERT=${RICCI_CLIENTS}/client_cert_${UNIQUE_SUFFIX}
>   [root at client1]# scp $PUBLIC_CERT riccihost:$RICCI_CERT

Thank you for your explanation. I've figured that out later myself :)

So, instead of using the sha1sum to avoide collisions, I use nodename.
So my client_cert names look like this:

client_cert_mynode1
client_cert_mynode2
...

Is this ok? Or should I obfuscate name for some reason...

> Surely, the first step can be substituted by either using pregenerated
> certificate + key on the locations expected by ccs (~/.ccs) or
> generating them explicitly (e.g., by "openssl req") as part
> of the process.  The point is that css-local and ricci-tracked
> certificate (one of presumably many) matches.

I've done this by pre-generating the certificates on my puppet master.

>> I'm building puppet module which will autoconfigure whole cluster from bare
>> metal to working state. So far my only problem is updating cluster.conf, for
>> which I need fully working ricci CA and user certificates in /root/.ccs of
>> every node...
> 
> By any chance, are you willing to share the module or its skeleton
> to the community?

Offcourse, as soon as I'm happy with the code and the level of
functionality. We have around dozen clusters, I'm developing this module
on a new one that's supposed to go into production soon. Other clusters
use older module which really doesn't solve any of this, so as soon as
my code is stable we'll push other clusters to new puppet module. After
that, I will publish it. So expect it in another week or two.

> Hope the above helps.

Yeah, it really did help. But, for some strange reason it seems that
ccs_sync doesn't use certificates, but instead it asks for password...

My idea was to use ccs_sync to propagate new cluster.conf. So, puppet
puts cluster.conf in /etc/cluster.conf, and after that runs ccs_sync -f
/etc/cluster.conf

But unfortunately, ccs_sync doesn't seem to recognize the certificates
as ccs does :( Any idea on this one?

pgsql01-xc # ccs -h pgsql01-xc --getversion
2

pgsql01-xc # ccs_sync -f /etc/cluster.conf
You have not authenticated to the ricci daemon on pgsql01-xc
Password:

I'm digging into source code to try to get some sense of it :-/