Commit 7da7263e authored by Leigh B Stoller's avatar Leigh B Stoller

Remove -c (as clearinghouse) option and use new configure variables

instead.

Remove hardwired references to Utah and use new configure variables
instead.

Get rid of restart apache stuff; new installation page has the admin
shut down the testbed and turn off apache.

Get rid of ClearingHouse calls when we are the ClearingHouse.

Minor bug fixes.
parent caff95eb
...@@ -14,12 +14,12 @@ use Getopt::Std; ...@@ -14,12 +14,12 @@ use Getopt::Std;
# #
sub usage() sub usage()
{ {
print "Usage: initpgenisite [-c]\n"; print "Usage: initpgenisite\n";
exit(1); exit(1);
} }
my $optlist = "c"; my $optlist = "";
my $asch = 0; my $asch = @PROTOGENI_ISCLEARINGHOUSE@;
my $cflag = ""; my $cflag = ($asch ? "-c" : "");
# #
# Configure variables # Configure variables
...@@ -32,6 +32,7 @@ my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@"; ...@@ -32,6 +32,7 @@ my $PGENIDOMAIN = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT = @PROTOGENI_SUPPORT@; my $PGENISUPPORT = @PROTOGENI_SUPPORT@;
my $PROTOGENI_RPCNAME = "@PROTOGENI_RPCNAME@"; my $PROTOGENI_RPCNAME = "@PROTOGENI_RPCNAME@";
my $PROTOGENI_RPCPORT = "@PROTOGENI_RPCPORT@"; my $PROTOGENI_RPCPORT = "@PROTOGENI_RPCPORT@";
my $PROTOGENI_WEBSITE = "@PROTOGENI_WEBSITE@";
my $PROTOGENI_URL = "@PROTOGENI_URL@"; my $PROTOGENI_URL = "@PROTOGENI_URL@";
my $geniuserid = "geniuser"; my $geniuserid = "geniuser";
my $geniprojid = "GeniSlices"; my $geniprojid = "GeniSlices";
...@@ -101,10 +102,6 @@ my %options = (); ...@@ -101,10 +102,6 @@ my %options = ();
if (! getopts($optlist, \%options)) { if (! getopts($optlist, \%options)) {
usage(); usage();
} }
if (defined($options{"c"})) {
$asch = 1;
$cflag = "-c";
}
# #
# People seem to miss this. # People seem to miss this.
...@@ -168,14 +165,15 @@ if( $? == -1 ) { ...@@ -168,14 +165,15 @@ if( $? == -1 ) {
} }
# #
# Have you sent in your certificate to Utah? # Have you sent in your certificate to the ClearingHouse?
# #
if (!$asch && ! -e "$TB/etc/.federated") { if (!$asch && ! -e "$TB/etc/.federated") {
my $done = 0; my $done = 0;
my $federated = 0; my $federated = 0;
while (!$done) { while (!$done) {
print "Have you sent in your root certificate to Utah? [y/n]: "; print
"Have you sent your root certificate to the ClearingHouse? [y/n]: ";
$_ = <STDIN>; $_ = <STDIN>;
if ($_ =~ /^(y|yes)$/i) { if ($_ =~ /^(y|yes)$/i) {
...@@ -191,10 +189,11 @@ if (!$asch && ! -e "$TB/etc/.federated") { ...@@ -191,10 +189,11 @@ if (!$asch && ! -e "$TB/etc/.federated") {
system("/usr/bin/touch $TB/etc/.federated"); system("/usr/bin/touch $TB/etc/.federated");
} }
else { else {
print "Please email $TB/etc/emulab.pem to testbed-ops\@flux.utah.edu"; print "\n";
print "Please email $TB/etc/emulab.pem to @PROTOGENI_EMAIL@";
print "\n"; print "\n";
print "This is a public key, so no harm in sending it in email.\n"; print "This is a public key, so no harm in sending it in email.\n";
print "Once you hear back from Utah, please rerun this script.\n"; print "Once you hear back from the ClearingHouse, rerun this script.\n";
exit(1); exit(1);
} }
} }
...@@ -254,6 +253,14 @@ if (! -e "$TB/www/protogeni") { ...@@ -254,6 +253,14 @@ if (! -e "$TB/www/protogeni") {
mkdir("$TB/www/protogeni", 0775) mkdir("$TB/www/protogeni", 0775)
or fatal("Could not mkdir $TB/www/protogeni"); or fatal("Could not mkdir $TB/www/protogeni");
} }
if (! -e "$TB/www/protogeni/advertisements") {
mkdir("$TB/www/protogeni/advertisements", 0775)
or fatal("Could not mkdir $TB/www/protogeni/advertisements");
}
if (! -e "$TB/www/protogeni/authorities") {
mkdir("$TB/www/protogeni/authorities", 0775)
or fatal("Could not mkdir $TB/www/protogeni/authorities");
}
$crosstext = <<'CROSSEND'; $crosstext = <<'CROSSEND';
<?xml version="1.0"?> <?xml version="1.0"?>
...@@ -279,7 +286,7 @@ if (system("egrep -q -s 'flashpolicy' /etc/services")) { ...@@ -279,7 +286,7 @@ if (system("egrep -q -s 'flashpolicy' /etc/services")) {
$restartinetd++; $restartinetd++;
} }
if (system("egrep -q -s 'flashpolicy' /etc/inetd.conf")) { if (system("egrep -q -s 'flashpolicy' /etc/inetd.conf")) {
print "Please add \n$FLASH_LINE\n to /etc/services\n"; print "Please add \n$FLASH_LINE\n to /etc/inetd.conf\n";
$restartinetd++; $restartinetd++;
} }
if ($restartinetd) { if ($restartinetd) {
...@@ -342,38 +349,28 @@ if (! -e "$TB/ssl/index.txt.attr" || ...@@ -342,38 +349,28 @@ if (! -e "$TB/ssl/index.txt.attr" ||
or fatal("Could not update $TB/ssl/index.txt.attr"); or fatal("Could not update $TB/ssl/index.txt.attr");
} }
my $restartapache = 0;
if (system("egrep -q -s 'PGENI' $APACHE_CONF")) { if (system("egrep -q -s 'PGENI' $APACHE_CONF")) {
print "Please go to the apache subdir of your build tree and do:\n"; print "Please go to the apache subdir of your build tree and do:\n";
print " gmake\n"; print " gmake\n";
print " sudo gmake install\n"; print " sudo gmake install\n";
$restartapache++;
} }
if (system("egrep -q -s 'DPGENI' /etc/rc.conf")) { if (system("egrep -q -s 'DPGENI' /etc/rc.conf")) {
print "Please add '$APACHE_FLAGS=\"-DSSL -DPGENI\"' to /etc/rc.conf\n"; print "Please add '$APACHE_FLAGS=\"-DSSL -DPGENI\"' to /etc/rc.conf\n";
$restartapache++;
}
if ($restartapache) {
print "Then restart apache:\n";
print " sudo $APACHE_START restart\n";
print "Then rerun this script\n";
exit(1);
} }
# #
# On the clients, we have to get the bundle from Utah website and # On the clients, we have to get the bundle from the CH website and
# then break it up for xmlsec (see above). We use a script for this # then break it up for xmlsec (see above). We use a script for this
# since the clients need to do this everytime a new client is added. # since the clients need to do this everytime a new client is added.
# This script restarts apache. # This script restarts apache.
# #
if (!$asch) { if (!$asch) {
system("$GETCACERTS -l -p") == 0 system("$GETCACERTS -l -p") == 0
or fatal("Could not get CA bundle from Utah"); or fatal("Could not get CA bundle from $PROTOGENI_WEBSITE");
# #
# This cron entry will autoupdate the CA/CRL certs by getting them from # This cron entry will autoupdate the CA/CRL certs by getting them from
# Utah. # the CH website.
# #
if (system("egrep -q -s '$GETCACERTS' /etc/crontab")) { if (system("egrep -q -s '$GETCACERTS' /etc/crontab")) {
print "Please add this line to /etc/crontab:\n\n"; print "Please add this line to /etc/crontab:\n\n";
...@@ -447,6 +444,11 @@ if (!defined($sslcert)) { ...@@ -447,6 +444,11 @@ if (!defined($sslcert)) {
if ($?); if ($?);
} }
system("/usr/sbin/chown $geniuserid ".
"$TB/www/protogeni/advertisements $TB/www/protogeni/authorities");
fatal("Could not chown www/protogeni directories")
if ($?);
# #
# Need this fake type for now. # Need this fake type for now.
# #
...@@ -556,16 +558,17 @@ if ($asch) { ...@@ -556,16 +558,17 @@ if ($asch) {
# #
# Add the cert to the DB directly. # Add the cert to the DB directly.
# #
system("$ADDAUTHORITY -c $CHCERT ma") == 0 system("$ADDAUTHORITY -f -c $CHCERT ma") == 0
or fatal("Could not add MA certificate"); or fatal("Could not add MA certificate");
} }
else { else {
# #
# Grab the CH certificate from Utah. Only one for now. # Grab the CH certificate.
# #
print "Fetching clearinghouse certificate from Utah ...\n"; print "Fetching clearinghouse certificate from $PROTOGENI_WEBSITE ...\n";
system("$FETCH -q -o $CHCERT http://boss.emulab.net/genich.pem") == 0 system("$FETCH -q -o $CHCERT http://$PROTOGENI_WEBSITE/genich.pem") == 0
or fatal("Could not fetch clearinghouse certificate from Utah"); or fatal("Could not fetch clearinghouse certificate ".
"from $PROTOGENI_WEBSITE");
} }
# #
...@@ -592,20 +595,13 @@ my $context = Genixmlrpc->Context($certificate); ...@@ -592,20 +595,13 @@ my $context = Genixmlrpc->Context($certificate);
if (!defined($context)) { if (!defined($context)) {
fatal("Could not create context to talk to clearinghouse"); fatal("Could not create context to talk to clearinghouse");
} }
my $cmcert = GeniCertificate->LoadFromFile($CMCERT);
# if (!defined($cmcert)) {
# Note that we had to send the clearinghouse $TB/etc/emulab.pem so they fatal("Could not load certificate from $CMCERT\n");
# know about this new site. That is sent out of band (email).
#
print "Getting credential to talk to clearinghouse ...\n";
my $credential = GeniRegistry::ClearingHouse->GetCredential($context);
if (!defined($credential)) {
fatal("Could not get credential to talk to clearinghouse");
} }
my $clearinghouse = GeniRegistry::ClearingHouse->Create($context, my $sescert = GeniCertificate->LoadFromFile($SESCERT);
$credential); if (!defined($sescert)) {
if (!defined($clearinghouse)) { fatal("Could not load certificate from $SESCERT\n");
fatal("Could not create a clearinghouse client");
} }
# #
...@@ -627,31 +623,47 @@ system("$ADDAUTHORITY -a $CMCERT cm") == 0 ...@@ -627,31 +623,47 @@ system("$ADDAUTHORITY -a $CMCERT cm") == 0
or fatal("Could not add CM certificate to CM DB"); or fatal("Could not add CM certificate to CM DB");
# #
# Register our certs at the clearinghouse. # Register our certs at the clearinghouse or locally.
# #
print "Registering SA cert at the clearinghouse.\n"; if ($asch) {
if ($clearinghouse->Register("SA", $certificate->cert())) { system("$ADDAUTHORITY -c $SACERT sa") == 0
fatal("Could not register SA cert at the clearinghouse"); or fatal("Could not add SA certificate");
} system("$ADDAUTHORITY -c $CMCERT cm") == 0
my $cmcert = GeniCertificate->LoadFromFile($CMCERT); or fatal("Could not add CM certificate");
if (!defined($cmcert)) { system("$ADDAUTHORITY -c $SESCERT ses") == 0
fatal("Could not load certificate from $CMCERT\n"); or fatal("Could not add SES certificate");
}
print "Registering CM cert at the clearinghouse.\n";
if ($clearinghouse->Register("CM", $cmcert->cert())) {
fatal("Could not register CM cert at the clearinghouse");
}
my $sescert = GeniCertificate->LoadFromFile($SESCERT);
if (!defined($sescert)) {
fatal("Could not load certificate from $SESCERT\n");
}
# Don't treat SES registration failure as a fatal error quite yet, until
# we're certain that server-side support exists everywhere.
print "Registering SES cert at the clearinghouse.\n";
if ($clearinghouse->Register("SES", $sescert->cert())) {
print("Warning: could not register SES cert at the clearinghouse\n");
} }
else {
#
# Note that we had to send the clearinghouse $TB/etc/emulab.pem so they
# know about this new site. That is sent out of band (email).
#
print "Getting credential to talk to clearinghouse ...\n";
my $credential = GeniRegistry::ClearingHouse->GetCredential($context);
if (!defined($credential)) {
fatal("Could not get credential to talk to clearinghouse");
}
my $clearinghouse = GeniRegistry::ClearingHouse->Create($context,
$credential);
if (!defined($clearinghouse)) {
fatal("Could not create a clearinghouse client");
}
print "Registering SA cert at the clearinghouse.\n";
if ($clearinghouse->Register("SA", $certificate->cert())) {
fatal("Could not register SA cert at the clearinghouse");
}
print "Registering CM cert at the clearinghouse.\n";
if ($clearinghouse->Register("CM", $cmcert->cert())) {
fatal("Could not register CM cert at the clearinghouse");
}
# Don't treat SES registration failure as a fatal error quite yet, until
# we're certain that server-side support exists everywhere.
print "Registering SES cert at the clearinghouse.\n";
if ($clearinghouse->Register("SES", $sescert->cert())) {
print("Warning: could not register SES cert at the clearinghouse\n");
}
}
# #
# Local SiteVars to hold the UUIDs. # Local SiteVars to hold the UUIDs.
# #
...@@ -659,6 +671,12 @@ TBSetSiteVar('protogeni/sa_uuid', $certificate->uuid()); ...@@ -659,6 +671,12 @@ TBSetSiteVar('protogeni/sa_uuid', $certificate->uuid());
TBSetSiteVar('protogeni/cm_uuid', $cmcert->uuid()); TBSetSiteVar('protogeni/cm_uuid', $cmcert->uuid());
TBSetSiteVar('protogeni/ses_uuid', $sescert->uuid()); TBSetSiteVar('protogeni/ses_uuid', $sescert->uuid());
#
# Do this again.
#
system("$GETCACERTS -l -p") == 0
or fatal("Could not get (again) CA bundle from $PROTOGENI_WEBSITE");
exit(0); exit(0);
sub fatal($) sub fatal($)
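Review bot: The clearinghouse certificate is still fetched over plain HTTP in the `else` branch, `system("$FETCH -q -o $CHCERT http://$PROTOGENI_WEBSITE/genich.pem")`; the commit only parameterizes the host, so the file written to $CHCERT arrives with no origin or integrity check and anything on the network path could substitute it. Where $CHCERT is consumed is outside this hunk, but a trust anchor obtained this way should at least come over TLS if $PROTOGENI_WEBSITE offers it (`http://` → `https://` in that line), and the script could print the fetched certificate's fingerprint and ask the operator to confirm it against a value obtained out of band, the same channel it already relies on for sending emulab.pem to the ClearingHouse. The CA bundle pulled by `$GETCACERTS -l -p` at the two other call sites presumably has the same exposure, but that script is not on this page.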