manageiq-appliance_console 1.0.0

data/bin/appliance_console_cli

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'bundler'
+Bundler.setup
+
+require 'manageiq-appliance_console'
+ManageIQ::ApplianceConsole::Cli.parse(ARGV)

data/lib/manageiq-appliance_console.rb

@@ -0,0 +1,51 @@
+module ManageIQ
+  module ApplianceConsole
+    require 'pathname'
+    require 'tempfile'
+    RAILS_ROOT = File.exist?("/var/www/miq/vmdb") ? Pathname.new("/var/www/miq/vmdb") : Pathname.new(Dir.mktmpdir)
+
+    class << self
+      attr_writer :logger
+    end
+
+    def self.logger
+      @logger ||= ManageIQ::ApplianceConsole::Logger.instance
+    end
+
+    def self.logger=(logger)
+      @logger = logger
+    end
+  end
+end
+
+require 'manageiq/appliance_console/version'
+require 'manageiq/appliance_console/errors'
+require 'manageiq/appliance_console/logger'
+require 'manageiq/appliance_console/logging'
+
+require 'manageiq-gems-pending'
+
+require 'manageiq/appliance_console/certificate'
+require 'manageiq/appliance_console/certificate_authority'
+require 'manageiq/appliance_console/cli'
+require 'manageiq/appliance_console/database_configuration'
+require 'manageiq/appliance_console/database_maintenance'
+require 'manageiq/appliance_console/database_maintenance_hourly'
+require 'manageiq/appliance_console/database_maintenance_periodic'
+require 'manageiq/appliance_console/database_replication'
+require 'manageiq/appliance_console/database_replication_primary'
+require 'manageiq/appliance_console/database_replication_standby'
+require 'manageiq/appliance_console/date_time_configuration'
+require 'manageiq/appliance_console/external_auth_options'
+require 'manageiq/appliance_console/external_database_configuration'
+require 'manageiq/appliance_console/external_httpd_authentication'
+require 'manageiq/appliance_console/internal_database_configuration'
+require 'manageiq/appliance_console/key_configuration'
+require 'manageiq/appliance_console/logfile_configuration'
+require 'manageiq/appliance_console/logical_volume_management'
+require 'manageiq/appliance_console/principal'
+require 'manageiq/appliance_console/prompts'
+require 'manageiq/appliance_console/scap'
+require 'manageiq/appliance_console/temp_storage_configuration'
+require 'manageiq/appliance_console/timezone_configuration'
+require 'manageiq/appliance_console/utilities'

data/lib/manageiq/appliance_console/certificate.rb

@@ -0,0 +1,146 @@
+require "awesome_spawn"
+
+module ManageIQ
+module ApplianceConsole
+  class Certificate
+    STATUS_COMPLETE = :complete
+
+    # map `getcert status` return codes to something more descriptive
+    # 0 => :complete -- keys/certs generated
+    # 1 => :no_key   -- either certmonger is down, or we havent asked for the key yet. (assuming the latter)
+    # 2 => :rejected -- request failed. we need to resubmit once we fix stuff
+    # 3 => :waiting  -- couldn't contact CA, will try again
+    # 4 => :error    -- certmonger is not configured properly
+    # 5 => :waiting  -- waiting for CA to send back the certificate
+    STATUS_RETURN_CODES = [:complete, :no_key, :rejected, :waiting, :error, :waiting]
+
+    # key filename defaults to certificate name w/ different extension
+    attr_writer   :key_filename
+    attr_accessor :cert_filename
+    # root certificate filename
+    attr_accessor :root_filename
+    attr_accessor :service
+    # 509 v3 extesions for stuff to signify purpose of this certificate (e.g.: client)
+    attr_accessor :extensions
+    attr_accessor :owner
+
+    # hostname of current machine
+    attr_accessor :hostname
+    # ipa realm
+    attr_accessor :realm
+    # name of certificate authority
+    attr_accessor :ca_name
+
+    def initialize(options = {})
+      options.each { |n, v| public_send("#{n}=", v) }
+      @ca_name ||= "ipa"
+      @extensions ||= %w(server client)
+      @realm ||= hostname.split(".")[1..-1].join(".").upcase if hostname
+    end
+
+    def request
+      if should_request_key?
+        principal.register
+        request_certificate
+        # NOTE: status probably changed
+        set_owner_of_key unless rejected?
+      end
+
+      if complete?
+        make_certs_world_readable
+        yield if block_given?
+      end
+      self
+    end
+
+    def principal
+      @principal ||= Principal.new(:hostname => hostname, :realm => realm, :service => service, :ca_name => ca_name)
+    end
+
+    def request_certificate
+      if rejected?
+        request_again
+      else
+        request_first
+      end
+      clear_status
+    end
+
+    # workaround
+    # currently, the -C is not run after the root certificate is written
+    def make_certs_world_readable
+      FileUtils.chmod(0644, [root_filename, cert_filename].compact)
+    end
+
+    def set_owner_of_key
+      FileUtils.chown(owner.split(".").first, owner.split(".")[1], key_filename) if owner && (owner != "root")
+      self
+    end
+
+    # statuses
+
+    def should_request_key?
+      no_key? || rejected?
+    end
+
+    def no_key?
+      status == :no_key
+    end
+
+    def rejected?
+      status == :rejected
+    end
+
+    def complete?
+      status == :complete
+    end
+
+    def clear_status
+      @status = nil
+    end
+
+    def status
+      @status ||= key_status
+    end
+
+    private
+
+    def request_first
+      params = {
+        nil  => "request",
+        "-c" => ca_name,
+        "-v" => nil, # verbose
+        "-w" => nil, # wait til completion if possible
+        "-k" => key_filename,
+        "-f" => cert_filename,
+        "-N" => principal.subject_name,
+        "-K" => principal.name,
+        "-C" => "chmod 644 #{cert_filename} #{root_filename}",
+        "-U" => key_ext_usage
+      }
+      params["-F"] = root_filename if root_filename
+
+      AwesomeSpawn.run!("/usr/bin/getcert", :params => params)
+      self
+    end
+
+    def request_again
+      AwesomeSpawn.run!("/usr/bin/getcert", :params => ["resubmit", "-w", "-f", cert_filename])
+      self
+    end
+
+    def key_filename
+      @key_filename || "#{cert_filename.chomp(File.extname(cert_filename))}.key"
+    end
+
+    def key_status
+      ret = AwesomeSpawn.run("/usr/bin/getcert", :params => ["status", "-f", cert_filename])
+      STATUS_RETURN_CODES[ret.exit_status]
+    end
+
+    def key_ext_usage
+      extensions.collect { |n| "id-kp-#{n}Auth" }.join(",")
+    end
+  end
+end
+end

data/lib/manageiq/appliance_console/certificate_authority.rb

@@ -0,0 +1,140 @@
+require 'fileutils'
+require 'tempfile'
+require 'util/postgres_admin'
+
+module ManageIQ
+module ApplianceConsole
+  # configure ssl certificates for postgres communication
+  # and appliance to appliance communications
+  class CertificateAuthority
+    CFME_DIR        = "/var/www/miq/vmdb/certs"
+    PSQL_CLIENT_DIR = "/root/.postgresql"
+
+    # hostname of current machine
+    attr_accessor :hostname
+    attr_accessor :realm
+    # name of certificate authority
+    attr_accessor :ca_name
+    # true if we should configure postgres client
+    attr_accessor :pgclient
+    # true if we should configure postgres server
+    attr_accessor :pgserver
+    # true if we should configure http endpoint
+    attr_accessor :http
+    attr_accessor :verbose
+
+    def initialize(options = {})
+      options.each { |n, v| public_send("#{n}=", v) }
+      @ca_name ||= "ipa"
+    end
+
+    def ask_questions
+      if ipa?
+        self.principal = just_ask("IPA Server Principal", @principal)
+        self.password  = ask_for_password("IPA Server Principal Password", @password)
+      end
+      self.pgclient = ask_yn("Configure certificate for postgres client", "Y")
+      self.pgserver = ask_yn("Configure certificate for postgres server", "Y")
+      self.http = ask_yn("Configure certificate for http server", "Y")
+      true
+    end
+
+    def activate
+      valid_environment?
+
+      configure_pgclient if pgclient
+      configure_pgserver if pgserver
+      configure_http if http
+
+      status_string
+    end
+
+    def valid_environment?
+      if ipa? && !ExternalHttpdAuthentication.ipa_client_configured?
+        raise ArgumentError, "ipa client not configured"
+      end
+
+      raise ArgumentError, "hostname needs to be defined" unless hostname
+    end
+
+    def configure_pgclient
+      unless File.exist?(PSQL_CLIENT_DIR)
+        FileUtils.mkdir_p(PSQL_CLIENT_DIR, :mode => 0700)
+        AwesomeSpawn.run!("/sbin/restorecon -R #{PSQL_CLIENT_DIR}")
+      end
+
+      self.pgclient = Certificate.new(
+        :cert_filename => "#{PSQL_CLIENT_DIR}/postgresql.crt",
+        :root_filename => "#{PSQL_CLIENT_DIR}/root.crt",
+        :service       => "manageiq",
+        :extensions    => %w(client),
+        :ca_name       => ca_name,
+        :hostname      => hostname,
+        :realm         => realm,
+      ).request.status
+    end
+
+    def configure_pgserver
+      cert = Certificate.new(
+        :cert_filename => "#{CFME_DIR}/postgres.crt",
+        :root_filename => "#{CFME_DIR}/root.crt",
+        :service       => "postgresql",
+        :extensions    => %w(server),
+        :ca_name       => ca_name,
+        :hostname      => hostname,
+        :realm         => realm,
+        :owner         => "postgres.postgres"
+      ).request
+
+      if cert.complete?
+        say "configuring postgres to use certs"
+        # only telling postgres to rewrite server configuration files
+        # no need for username/password since not writing database.yml
+        InternalDatabaseConfiguration.new(:ssl => true).configure_postgres
+        LinuxAdmin::Service.new(PostgresAdmin.service_name).restart
+      end
+      self.pgserver = cert.status
+    end
+
+    def configure_http
+      cert = Certificate.new(
+        :key_filename  => "#{CFME_DIR}/server.cer.key",
+        :cert_filename => "#{CFME_DIR}/server.cer",
+        :root_filename => "#{CFME_DIR}/root.crt",
+        :service       => "HTTP",
+        :extensions    => %w(server),
+        :ca_name       => ca_name,
+        :hostname      => hostname,
+        :owner         => "apache.apache",
+      ).request
+      if cert.complete?
+        say "configuring apache to use new certs"
+        LinuxAdmin::Service.new("httpd").restart
+      end
+      self.http = cert.status
+    end
+
+    def status
+      {"pgclient" => pgclient, "pgserver" => pgserver, "http" => http}.delete_if { |_n, v| !v }
+    end
+
+    def status_string
+      status.collect { |n, v| "#{n}: #{v}" }.join " "
+    end
+
+    def complete?
+      !status.values.detect { |v| v != ManageIQ::ApplianceConsole::Certificate::STATUS_COMPLETE }
+    end
+
+    def ipa?
+      ca_name == "ipa"
+    end
+
+    private
+
+    def log
+      say yield if verbose && block_given?
+    end
+  end
+end
+end

data/lib/manageiq/appliance_console/cli.rb

@@ -0,0 +1,363 @@
+require 'trollop'
+require 'pathname'
+
+# support for appliance_console methods
+unless defined?(say)
+  def say(arg)
+    puts(arg)
+  end
+end
+
+module ManageIQ
+module ApplianceConsole
+  class Cli
+    attr_accessor :options
+
+    # machine host
+    def host
+      options[:host] || LinuxAdmin::Hosts.new.hostname
+    end
+
+    # database hostname
+    def hostname
+      options[:internal] ? "localhost" : options[:hostname]
+    end
+
+    def local?(name = hostname)
+      name.presence.in?(["localhost", "127.0.0.1", nil])
+    end
+
+    def set_host?
+      options[:host]
+    end
+
+    def key?
+      options[:key] || options[:fetch_key] || (local_database? && !key_configuration.key_exist?)
+    end
+
+    def database?
+      hostname
+    end
+
+    def local_database?
+      database? && local?(hostname)
+    end
+
+    def certs?
+      options[:postgres_client_cert] || options[:postgres_server_cert] || options[:http_cert]
+    end
+
+    def uninstall_ipa?
+      options[:uninstall_ipa]
+    end
+
+    def install_ipa?
+      options[:ipaserver]
+    end
+
+    def tmp_disk?
+      options[:tmpdisk]
+    end
+
+    def log_disk?
+      options[:logdisk]
+    end
+
+    def time_zone?
+      options[:timezone]
+    end
+
+    def extauth_opts?
+      options[:extauth_opts]
+    end
+
+    def set_server_state?
+      options[:server]
+    end
+
+    def db_hourly_maintenance?
+      options[:db_hourly_maintenance]
+    end
+
+    def initialize(options = {})
+      self.options = options
+    end
+
+    def disk_from_string(path)
+      return if path.blank?
+      path == "auto" ? disk : disk_by_path(path)
+    end
+
+    def disk
+      LinuxAdmin::Disk.local.detect { |d| d.partitions.empty? }
+    end
+
+    def disk_by_path(path)
+      LinuxAdmin::Disk.local.detect { |d| d.path == path }
+    end
+
+    def parse(args)
+      args.shift if args.first == "--" # Handle when called through script/runner
+      self.options = Trollop.options(args) do
+        banner "Usage: appliance_console_cli [options]"
+
+        opt :host,     "/etc/hosts name",    :type => :string,  :short => 'H'
+        opt :region,   "Region Number",      :type => :integer, :short => "r"
+        opt :internal, "Internal Database",                     :short => 'i'
+        opt :hostname, "Database Hostname",  :type => :string,  :short => 'h'
+        opt :port,     "Database Port",      :type => :integer,                :default => 5432
+        opt :username, "Database Username",  :type => :string,  :short => 'U', :default => "root"
+        opt :password, "Database Password",  :type => :string,  :short => "p"
+        opt :dbname,   "Database Name",      :type => :string,  :short => "d", :default => "vmdb_production"
+        opt :db_hourly_maintenance, "Configure database hourly maintenance", :type => :bool, :short => :none
+        opt :standalone, "Run this server as a standalone database server", :type => :bool, :short => 'S'
+        opt :key,      "Create encryption key",  :type => :boolean, :short => "k"
+        opt :fetch_key, "SSH host with encryption key", :type => :string, :short => "K"
+        opt :force_key, "Forcefully create encryption key", :type => :boolean, :short => "f"
+        opt :sshlogin,  "SSH login",         :type => :string,                 :default => "root"
+        opt :sshpassword, "SSH password",    :type => :string
+        opt :verbose,  "Verbose",            :type => :boolean, :short => "v"
+        opt :dbdisk,   "Database Disk Path", :type => :string
+        opt :logdisk,  "Log Disk Path",      :type => :string
+        opt :tmpdisk,   "Temp storage Disk Path", :type => :string
+        opt :uninstall_ipa, "Uninstall IPA Client", :type => :boolean,         :default => false
+        opt :ipaserver,  "IPA Server FQDN",  :type => :string
+        opt :ipaprincipal,  "IPA Server principal", :type => :string,          :default => "admin"
+        opt :ipapassword,   "IPA Server password",  :type => :string
+        opt :ipadomain,     "IPA Server domain (optional)", :type => :string
+        opt :iparealm,      "IPA Server realm (optional)", :type => :string
+        opt :ca,                   "CA name used for certmonger",       :type => :string,  :default => "ipa"
+        opt :timezone,             "Time zone",                         :type => :string
+        opt :postgres_client_cert, "install certs for postgres client", :type => :boolean
+        opt :postgres_server_cert, "install certs for postgres server", :type => :boolean
+        opt :http_cert,            "install certs for http server",     :type => :boolean
+        opt :extauth_opts,         "External Authentication Options",   :type => :string
+        opt :server,               "Server status",                     :type => :string
+      end
+      Trollop.die :region, "needed when setting up a local database" if options[:region].nil? && local_database?
+      self
+    end
+
+    def run
+      Trollop.educate unless set_host? || key? || database? || tmp_disk? || log_disk? ||
+                             uninstall_ipa? || install_ipa? || certs? || extauth_opts? ||
+                             time_zone? || set_server_state? || db_hourly_maintenance?
+      if set_host?
+        system_hosts = LinuxAdmin::Hosts.new
+        system_hosts.hostname = options[:host]
+        system_hosts.set_loopback_hostname(options[:host])
+        system_hosts.save
+        LinuxAdmin::Service.new("network").restart
+      end
+      create_key if key?
+      set_db if database?
+      set_time_zone if time_zone?
+      config_db_hourly_maintenance if db_hourly_maintenance?
+      config_tmp_disk if tmp_disk?
+      config_log_disk if log_disk?
+      uninstall_ipa if uninstall_ipa?
+      install_ipa if install_ipa?
+      install_certs if certs?
+      extauth_opts if extauth_opts?
+      set_server_state if set_server_state?
+    rescue AwesomeSpawn::CommandResultError => e
+      say e.result.output
+      say e.result.error
+      say ""
+      raise
+    end
+
+    def set_db
+      raise "No encryption key (v2_key) present" unless key_configuration.key_exist?
+      raise "A password is required to configure a database" unless password?
+      if local?
+        set_internal_db
+      else
+        set_external_db
+      end
+    end
+
+    def password?
+      options[:password] && !options[:password].strip.empty?
+    end
+
+    def set_internal_db
+      say "configuring internal database"
+      config = ManageIQ::ApplianceConsole::InternalDatabaseConfiguration.new({
+        :database          => options[:dbname],
+        :region            => options[:region],
+        :username          => options[:username],
+        :password          => options[:password],
+        :interactive       => false,
+        :disk              => disk_from_string(options[:dbdisk]),
+        :run_as_evm_server => !options[:standalone]
+      }.delete_if { |_n, v| v.nil? })
+      config.check_disk_is_mount_point
+
+      # create partition, pv, vg, lv, ext4, update fstab, mount disk
+      # initdb, relabel log directory for selinux, update configs,
+      # start pg, create user, create db update the rails configuration,
+      # verify, set up the database with region. activate does it all!
+      unless config.activate
+        say "Failed to configure internal database"
+        return
+      end
+
+      # enable/start related services
+      config.post_activation
+    rescue RuntimeError => e
+      say e.message
+      say "Failed to configure internal database"
+    end
+
+    def set_external_db
+      say "configuring external database"
+      config = ManageIQ::ApplianceConsole::ExternalDatabaseConfiguration.new({
+        :host        => options[:hostname],
+        :port        => options[:port],
+        :database    => options[:dbname],
+        :region      => options[:region],
+        :username    => options[:username],
+        :password    => options[:password],
+        :interactive => false,
+      }.delete_if { |_n, v| v.nil? })
+
+      # call create_or_join_region (depends on region value)
+      unless config.activate
+        say "Failed to configure external database"
+        return
+      end
+
+      # enable/start related services
+      config.post_activation
+    end
+
+    def set_time_zone
+      timezone_config = ManageIQ::ApplianceConsole::TimezoneConfiguration.new(options[:timezone])
+      if timezone_config.activate
+        say("Timezone configured")
+      else
+        say("Timezone not configured")
+      end
+    end
+
+    def key_configuration
+      @key_configuration ||= KeyConfiguration.new(
+        :action   => options[:fetch_key] ? :fetch : :create,
+        :force    => options[:fetch_key] ? true : options[:force_key],
+        :host     => options[:fetch_key],
+        :login    => options[:sshlogin],
+        :password => options[:sshpassword],
+      )
+    end
+
+    def create_key
+      say "#{key_configuration.action} encryption key"
+      unless key_configuration.activate
+        raise "Could not create encryption key (v2_key)"
+      end
+    end
+
+    def install_certs
+      say "creating ssl certificates"
+      config = CertificateAuthority.new(
+        :hostname => host,
+        :realm    => options[:iparealm],
+        :ca_name  => options[:ca],
+        :pgclient => options[:postgres_client_cert],
+        :pgserver => options[:postgres_server_cert],
+        :http     => options[:http_cert],
+        :verbose  => options[:verbose],
+      )
+
+      config.activate
+      say "\ncertificate result: #{config.status_string}"
+      unless config.complete?
+        say "After the certificates are retrieved, rerun to update service configuration files"
+      end
+    end
+
+    def install_ipa
+      raise "please uninstall ipa before reinstalling" if ExternalHttpdAuthentication.ipa_client_configured?
+      config = ExternalHttpdAuthentication.new(
+        host,
+        :ipaserver => options[:ipaserver],
+        :domain    => options[:ipadomain],
+        :realm     => options[:iparealm],
+        :principal => options[:ipaprincipal],
+        :password  => options[:ipapassword],
+      )
+
+      config.post_activation if config.activate
+    end
+
+    def uninstall_ipa
+      say "Uninstalling IPA-client"
+      config = ExternalHttpdAuthentication.new
+      config.deactivate if config.ipa_client_configured?
+    end
+
+    def config_tmp_disk
+      if (tmp_disk = disk_from_string(options[:tmpdisk]))
+        say "creating temp disk"
+        config = ManageIQ::ApplianceConsole::TempStorageConfiguration.new(:disk => tmp_disk)
+        config.activate
+      else
+        report_disk_error(options[:tmpdisk])
+      end
+    end
+
+    def config_log_disk
+      if (log_disk = disk_from_string(options[:logdisk]))
+        say "creating log disk"
+        config = ManageIQ::ApplianceConsole::LogfileConfiguration.new(:disk => log_disk)
+        config.activate
+      else
+        report_disk_error(options[:logdisk])
+      end
+    end
+
+    def report_disk_error(missing_disk)
+      choose_disk = disk.try(:path)
+      if choose_disk
+        say "could not find disk #{missing_disk}"
+        say "if you pass auto, it will choose: #{choose_disk}"
+      else
+        say "no disks with a free partition"
+      end
+    end
+
+    def extauth_opts
+      extauthopts = ExternalAuthOptions.new
+      extauthopts_hash = extauthopts.parse(options[:extauth_opts])
+      raise "Must specify at least one external authentication option to set" unless extauthopts_hash.present?
+      extauthopts.update_configuration(extauthopts_hash)
+    end
+
+    def set_server_state
+      service = LinuxAdmin::Service.new("evmserverd")
+      service_running = service.running?
+      case options[:server]
+      when "start"
+        service.start unless service_running
+      when "stop"
+        service.stop if service_running
+      when "restart"
+        service.restart
+      else
+        raise "Invalid server action"
+      end
+    end
+
+    def config_db_hourly_maintenance
+      hourly = ManageIQ::ApplianceConsole::DatabaseMaintenanceHourly.new
+      hourly.requested_activate = true
+      hourly.activate
+    end
+
+    def self.parse(args)
+      new.parse(args).run
+    end
+  end
+end
+end