[Ovirt-devel] [PATCH node] Set up libvirt-qpid to use kerberos/gssapi authentication.
Ian Main
imain at redhat.com
Thu Jan 29 13:36:47 UTC 2009
This patch makes libvirt-qpid connect to qpidd using gssapi/kerberos
authentication and encryption. A principal for qpidd is added to the
libvirt keytab and kinit is used in cron to keep the ticket from
expiring.
Signed-off-by: Ian Main <imain at redhat.com>
---
Makefile.am | 1 +
kinit/ovirt-kinit | 10 ++++++++++
ovirt-node.spec.in | 3 +++
scripts/ovirt | 3 ++-
4 files changed, 16 insertions(+), 1 deletions(-)
create mode 100644 kinit/ovirt-kinit
diff --git a/Makefile.am b/Makefile.am
index 0cdf430..733fef1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -46,6 +46,7 @@ EXTRA_DIST = \
scripts/ovirt-post \
scripts/ovirt-process-config \
scripts/ovirt-uninstall-node-stateful \
+ kinit/ovirt-kinit \
logrotate/ovirt-logrotate \
logrotate/ovirt-logrotate.conf
diff --git a/kinit/ovirt-kinit b/kinit/ovirt-kinit
new file mode 100644
index 0000000..143b356
--- /dev/null
+++ b/kinit/ovirt-kinit
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+/usr/kerberos/bin/kinit -k -t /etc/libvirt/krb5.tab qpidd/`hostname`@PRIV.OVIRT.ORG
+
+EXITVALUE=$?
+if [ $EXITVALUE != 0 ]; then
+ /usr/bin/logger -t kinit "ALERT kinit failed abnormally with [$EXITVALUE]"
+fi
+exit $EXITVALUE
+
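Review bot: The principal on the kinit line is built from an unquoted backticked `hostname` plus a hard-coded realm, so the hourly renewal only works if `hostname` returns exactly the name stored in /etc/libvirt/krb5.tab. If the node reports a short name while the keytab entry uses the FQDN (not visible here), every run fails and the only trace is a logger line at default priority. I would quote the expansion, e.g. `"qpidd/$(hostname)@PRIV.OVIRT.ORG"`, add a comment stating which hostname form the keytab entry uses, and give the alert an explicit priority with `logger -p`. The same principal string is repeated in the scripts/ovirt hunk, so the two copies can drift apart. The script also assumes cron's default credential cache is the one libvirt-qpid reads; naming it with `kinit -c` or `KRB5CCNAME` would make that dependency explicit.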
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index da5e5a1..287a29f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -162,6 +162,8 @@ cd -
%{__install} -p -m0644 scripts/collectd %{buildroot}%{_sysconfdir}/chkconfig.d
%{__install} -p -m0644 scripts/collectd.conf.in %{buildroot}%{_sysconfdir}
+%{__install} -p -m0755 kinit/ovirt-kinit %{buildroot}%{_sysconfdir}/cron.hourly
+
%{__install} -p -m0755 logrotate/ovirt-logrotate %{buildroot}%{_sysconfdir}/cron.hourly
%{__install} -p -m0644 logrotate/ovirt-logrotate.conf %{buildroot}%{_sysconfdir}/logrotate.d
@@ -278,6 +280,7 @@ fi
%{_initrddir}/ovirt-firstboot
%{_initrddir}/ovirt
%{_initrddir}/ovirt-post
+%config %{_sysconfdir}/cron.hourly/ovirt-kinit
%config %{_sysconfdir}/logrotate.d/ovirt-logrotate.conf
%config %{_sysconfdir}/cron.hourly/ovirt-logrotate
%{_sysconfdir}/ovirt-config-setup.d
diff --git a/scripts/ovirt b/scripts/ovirt
index 8694db9..83fe2d7 100755
--- a/scripts/ovirt
+++ b/scripts/ovirt
@@ -63,7 +63,8 @@ start() {
if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then
libvirt_qpid_conf=/etc/sysconfig/libvirt-qpid
if [ -f $libvirt_qpid_conf ]; then
- echo "LIBVIRT_QPID_ARGS=\"--broker $SRV_HOST --port $SRV_PORT\"" >> $libvirt_qpid_conf
+ echo "LIBVIRT_QPID_ARGS=\"--broker $SRV_HOST --port $SRV_PORT --gssapi\"" >> $libvirt_qpid_conf
+ echo "/usr/kerberos/bin/kinit -k -t /etc/libvirt/krb5.tab qpidd/`hostname`@PRIV.OVIRT.ORG" >> $libvirt_qpid_conf
fi
else
log "skipping libvirt-qpid configuration, could not find $libvirt_qpid_conf"
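Review bot: The added kinit echo in start() appends with `>>` on every start, so /etc/sysconfig/libvirt-qpid gains another copy of the command each time. The backticked `hostname` inside the double quotes is also expanded when the line is written, not when the file is read. If that file is sourced by the libvirt-qpid init script (not visible here), reading configuration now performs a keytab login as a side effect, which is easy to miss when auditing what touches /etc/libvirt/krb5.tab. I would append only when the setting is absent, e.g. `grep -q -- '--gssapi' "$libvirt_qpid_conf" || echo ... >> "$libvirt_qpid_conf"`, and invoke the installed cron.hourly/ovirt-kinit script rather than repeating the command. start() begins and ends outside this hunk.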
--
1.6.0.4