[ovs-dev] [PATCH 1/2] ovs-monitor-ipsec: Various minor cleanups
Justin Pettit
jpettit at nicira.com
Wed Dec 29 00:07:29 UTC 2010
A few minor cleanups:
- Clean out stale peer certs from previous runs
- Weakly attempt to verify that a certificate is valid, since Racoon
will refuse to start if it's not.
- Restart racoon if it can't be reloaded, since it's temperamental
If these changes look good, I'll roll them into the commit that adds
support for certificates, since it hasn't been pushed yet.
---
debian/ovs-monitor-ipsec | 51 +++++++++++++++++++++++++++++++++++++--------
1 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 2f0ca2c..360053d 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -20,9 +20,13 @@
# xxx To-do:
# - Doesn't actually check that Interface is connected to bridge
+# - If a certificate is badly formed, Racoon will refuse to start. We
+# should do a better job of verifying certificates are valid before
+# adding an interface to racoon.conf.
import getopt
+import glob
import logging, logging.handlers
import os
import subprocess
@@ -112,13 +116,24 @@ path certificate "%s";
self.psk_hosts = {}
self.cert_hosts = {}
+ # Clean out stale peer certs from previous runs
+ for ovs_cert in glob.glob("%s/ovs-*.pem" % self.cert_dir):
+ os.remove(ovs_cert)
+
# Replace racoon's conf file with our template
self.commit()
def reload(self):
exitcode = subprocess.call(["/etc/init.d/racoon", "reload"])
if exitcode != 0:
- s_log.warning("couldn't reload racoon")
+ # Racoon is finicky about it's configuration file and will
+ # refuse to start if it sees something it doesn't like
+ # (e.g., a certificate file doesn't exist). Try restarting
+ # the process before giving up.
+ s_log.warning("attempting to restart racoon")
+ exitcode = subprocess.call(["/etc/init.d/racoon", "restart"])
+ if exitcode != 0:
+ s_log.warning("couldn't reload racoon")
def commit(self):
# Rewrite the Racoon configuration file
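Review bot: The final fallback message in reload() still says `s_log.warning("couldn't reload racoon")`, so a log reader cannot tell that a restart was attempted and also failed; it should read `s_log.warning("couldn't restart racoon")`. The stale-cert cleanup loop above it calls os.remove() on every glob match with no OSError handling, so a single file that cannot be removed (permissions, or removed concurrently) aborts initialisation instead of being logged and skipped; a per-file `except OSError` with a warning would match the best-effort tone of the rest of this code. The pattern `"%s/ovs-*.pem" % self.cert_dir` is more conventionally built with os.path.join(self.cert_dir, "ovs-*.pem"). The method containing the cleanup loop starts outside the hunk.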
@@ -155,6 +170,31 @@ path certificate "%s";
self.psk_hosts[host] = psk
self.commit()
+ def _verify_certs(self, vals):
+ # Racoon will refuse to start if the certificate files don't
+ # exist, so verify that they're there.
+ if not os.path.isfile(vals["certificate"]):
+ raise error.Error("'certificate' file does not exist: %s"
+ % vals["certificate"])
+ elif not os.path.isfile(vals["private_key"]):
+ raise error.Error("'private_key' file does not exist: %s"
+ % vals["private_key"])
+
+ # Racoon won't start if a given certificate or private key isn't
+ # valid. This is a weak test, but will detect the most flagrant
+ # errors.
+ if vals["peer_cert"].find("-----BEGIN CERTIFICATE-----") == -1:
+ raise error.Error("'peer_cert' is not in valid PEM format")
+
+ cert = open(vals["certificate"]).read()
+ if cert.find("-----BEGIN CERTIFICATE-----") == -1:
+ raise error.Error("'certificate' is not in valid PEM format")
+
+ cert = open(vals["private_key"]).read()
+ if cert.find("-----BEGIN RSA PRIVATE KEY-----") == -1:
+ raise error.Error("'private_key' is not in valid PEM format")
+
+
def _add_cert(self, host, vals):
if host in self.psk_hosts:
raise error.Error("host %s already defined for psk" % host)
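Review bot: _verify_certs() reads both files with `open(...).read()` and never closes the handles, so the descriptors are released only when the garbage collector gets to them; a `with` block releases them deterministically. The local name `cert` is reused for the private-key contents on the second read, which misleads the reader. Only the `-----BEGIN RSA PRIVATE KEY-----` header is accepted, so a PKCS#8 key (`-----BEGIN PRIVATE KEY-----`) fails the check even if it is a valid PEM file — whether Racoon accepts that form is not visible here and should be confirmed before widening the check. The two blank lines after the method body are one more than PEP 8 expects between methods.
```python
    with open(vals["certificate"]) as cert_file:
        if cert_file.read().find("-----BEGIN CERTIFICATE-----") == -1:
            raise error.Error("'certificate' is not in valid PEM format")

    with open(vals["private_key"]) as key_file:
        if key_file.read().find("-----BEGIN RSA PRIVATE KEY-----") == -1:
            raise error.Error("'private_key' is not in valid PEM format")
```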
@@ -170,14 +210,7 @@ path certificate "%s";
vals = vals.copy()
vals["private_key"] = vals["certificate"]
- # Racoon will refuse to start if the certificate files don't
- # exist, so verify that they're there.
- if not os.path.isfile(vals["certificate"]):
- raise error.Error("'certificate' file does not exist: %s"
- % vals["certificate"])
- elif not os.path.isfile(vals["private_key"]):
- raise error.Error("'private_key' file does not exist: %s"
- % vals["private_key"])
+ self._verify_certs(vals)
# The peer's certificate comes to us in PEM format as a string.
# Write that string to a file for Racoon to use.
--
1.7.1