[Ovirt-devel] [PATCH server] Batten Down the Hatch!

Ian Main imain at redhat.com
Fri Feb 6 04:18:11 UTC 2009


This patch switches to upstream ruby-qpid package instead of the
rubygem-qpid patch that dlutter and I created.  Upstream now supports
GSSAPI, so every connection to qpidd can be required to be both
authenticated and encrypted.

Signed-off-by: Ian Main <imain at redhat.com>
---
 installer/modules/ovirt/files/qpidd.conf       |    7 +------
 installer/modules/ovirt/files/sasl2_qpidd.conf |    5 ++---
 ovirt-server.spec.in                           |    2 +-
 src/db-omatic/db_omatic.rb                     |    4 +++-
 src/dutils/dutils.rb                           |    6 +++---
 src/qmf-libvirt-example.rb                     |    7 ++++++-
 src/task-omatic/taskomatic.rb                  |    5 +++--
 7 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/installer/modules/ovirt/files/qpidd.conf b/installer/modules/ovirt/files/qpidd.conf
index bf80918..4480460 100644
--- a/installer/modules/ovirt/files/qpidd.conf
+++ b/installer/modules/ovirt/files/qpidd.conf
@@ -2,10 +2,5 @@
 #  name = value
 # Using default settings: "qpidd --help" or "man qpidd" for more details.
 
-
-# This is where we want to be, but we can't actually do that yet because
-# we have unencrypted db-omatic and taskomatic running over localhost.
-# This will change shortly once we have gssapi support for ruby.
-#
-#require-encryption
+require-encryption
 
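Review bot: `require-encryption` only holds if every permitted SASL mechanism actually negotiates a security layer with a non-zero SSF; the Ruby clients in this series pass just `:mechanism => 'GSSAPI'`, and whether ruby-qpid asks for a GSSAPI confidentiality layer is not visible here, so a daemon connection should be verified to survive this flag before it ships. Authentication itself is still left to the daemon's default (`auth` is not set in this file); stating `auth=yes` explicitly next to `require-encryption` makes the intent independent of that default. A comment such as `# All clients authenticate via GSSAPI (see sasl2_qpidd.conf) and must negotiate a SASL security layer` would also replace the explanation the removed lines carried.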
diff --git a/installer/modules/ovirt/files/sasl2_qpidd.conf b/installer/modules/ovirt/files/sasl2_qpidd.conf
index c61131f..e5c4143 100644
--- a/installer/modules/ovirt/files/sasl2_qpidd.conf
+++ b/installer/modules/ovirt/files/sasl2_qpidd.conf
@@ -40,8 +40,7 @@ pwcheck_method: auxprop
 auxprop_plugin: sasldb
 sasldb_path: /var/lib/qpidd/qpidd.sasldb
 
-# For now we allow plain auth too because the local daemons do not yet
-# support kerberos.
-mech_list: gssapi plain
+# Only allow GSSAPI
+mech_list: gssapi
 keytab: /usr/share/ovirt-server/ovirt.keytab
 
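Review bot: With `mech_list: gssapi` the `pwcheck_method: auxprop`, `auxprop_plugin: sasldb` and `sasldb_path` lines above are dead configuration, yet they keep a password store wired up, so re-adding `plain` to this list later silently re-enables it with a one-word change. Either remove those three lines in the same change or keep them behind a comment that says why they stay. The new comment could carry the reason rather than restating the setting, e.g. `# GSSAPI only: clients authenticate with Kerberos service tickets, no shared passwords`.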
diff --git a/ovirt-server.spec.in b/ovirt-server.spec.in
index a35ff6f..b2ffdd6 100644
--- a/ovirt-server.spec.in
+++ b/ovirt-server.spec.in
@@ -35,7 +35,7 @@ Requires: iscsi-initiator-utils
 Requires: cyrus-sasl-gssapi
 Requires: ovirt-docs
 Requires: qpidd
-Requires: rubygem-qpid
+Requires: ruby-qpid
 Requires: qpidc
 Requires: qmf
 Requires: ruby-qpid
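Review bot: The added `Requires: ruby-qpid` duplicates the existing `Requires: ruby-qpid` three lines below, so the hunk leaves the dependency listed twice. Since the package is already required, replacing the removed `rubygem-qpid` line with nothing is enough; drop one of the two.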
diff --git a/src/db-omatic/db_omatic.rb b/src/db-omatic/db_omatic.rb
index 2ba9456..06adc19 100755
--- a/src/db-omatic/db_omatic.rb
+++ b/src/db-omatic/db_omatic.rb
@@ -324,9 +324,11 @@ def main()
         puts "#{Time.now}: db_omatic started."
     end
 
+    get_credentials('qpidd')
+
     dbsync = DbOmatic.new()
     s = Qpid::Qmf::Session.new(:console => dbsync, :rcv_events => false)
-    b = s.add_broker("amqp://guest:guest@localhost:5672")
+    b = s.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
 
     dbsync.db_init_cleanup()
 
diff --git a/src/dutils/dutils.rb b/src/dutils/dutils.rb
index fd47a8f..6df2f06 100644
--- a/src/dutils/dutils.rb
+++ b/src/dutils/dutils.rb
@@ -22,10 +22,10 @@ include Krb5Auth
 
 ENV['KRB5CCNAME'] = '/usr/share/ovirt-server/ovirt-cc'
 
-def get_credentials
+def get_credentials(service = 'libvirt')
   krb5 = Krb5.new
   default_realm = krb5.get_default_realm
-  princ = 'libvirt/' + Socket::gethostname + '@' + default_realm
+  princ = service + '/' + Socket::gethostname + '@' + default_realm
 
   now = Time.now
   renew = true
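Review bot: The new `service` parameter is undocumented and the function's contract has grown: it now obtains initial credentials for `service/<hostname>@<realm>` from the shared keytab into the single cache named by `KRB5CCNAME`. Add a header such as `# Obtain (or renew) Kerberos credentials for service/<hostname>@<default realm> from ovirt.keytab; service is 'libvirt' or 'qpidd'`, and note that a credential cache holds one client principal, so successive calls with different services replace each other's credentials if the cache write further down is destructive (the renewal check between these lines is elided here). Callers that need both principals at the same time would need separate caches. The function continues past the hunk.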
@@ -45,7 +45,7 @@ def get_credentials
 
   if renew
     begin
-      krb5.get_init_creds_keytab('libvirt/' + Socket::gethostname + '@' + default_realm, '/usr/share/ovirt-server/ovirt.keytab')
+      krb5.get_init_creds_keytab(service + '/' + Socket::gethostname + '@' + default_realm, '/usr/share/ovirt-server/ovirt.keytab')
       krb5.cache(ENV['KRB5CCNAME'])
     rescue
       # well, if we run into an error here, there's not much we can do.  Just
diff --git a/src/qmf-libvirt-example.rb b/src/qmf-libvirt-example.rb
index 8fac3c9..f8d6aca 100644
--- a/src/qmf-libvirt-example.rb
+++ b/src/qmf-libvirt-example.rb
@@ -1,10 +1,15 @@
 #!/usr/bin/ruby
 
+$: << File.join(File.dirname(__FILE__), "./dutils")
+
 require "rubygems"
 require "qpid"
+require "dutils"
+
+get_credentials('qpidd')
 
 s = Qpid::Qmf::Session.new()
-b = s.add_broker("amqp://guest:guest@localhost:5672")
+b = s.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
 
 while true:
     nodes = s.objects(:class => "node")
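Review bot: `File.join(File.dirname(__FILE__), "./dutils")` produces a `…/./dutils` load-path entry; `File.join(File.dirname(__FILE__), 'dutils')` is the same directory without the stray `./`. Because `get_credentials` reads `/usr/share/ovirt-server/ovirt.keytab`, this example now only works when run as a user that can read the keytab, and since dutils appears to swallow keytab errors in its `rescue` (the body is not in this patch), a failure surfaces as an opaque `add_broker` rejection; a comment such as `# Needs read access to ovirt.keytab: run as the ovirt service user` above the call would save the next person a debugging session.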
diff --git a/src/task-omatic/taskomatic.rb b/src/task-omatic/taskomatic.rb
index 9382f2b..79e2082 100755
--- a/src/task-omatic/taskomatic.rb
+++ b/src/task-omatic/taskomatic.rb
@@ -48,7 +48,7 @@ class TaskOmatic
 
     @session = Qpid::Qmf::Session.new()
     # FIXME: Should come from some kind of config or DNS SRV or what have you.
-    @broker = @session.add_broker("amqp://guest:guest@localhost:5672")
+    @broker = @session.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
 
     do_daemon = true
 
@@ -754,7 +754,8 @@ class TaskOmatic
 
       tasks.each do |task|
         # make sure we get our credentials up-front
-        get_credentials
+        get_credentials('libvirt')
+        get_credentials('qpidd')
 
         task.time_started = Time.now
 
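Review bot: `get_credentials('libvirt')` followed immediately by `get_credentials('qpidd')` writes both principals through the same `KRB5CCNAME` path set in dutils; a credential cache holds one client principal, so if the cache write in dutils replaces the cache contents, the libvirt credentials from the first line are gone before the task body runs. Confirm whether the task code below (outside the hunk) still needs the libvirt principal: if it does, the two services need distinct caches, and if it does not, drop the first call and say why. A comment such as `# qpidd credentials must be fresh for the GSSAPI broker session before each task` would document the intent either way.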
-- 
1.6.0.4



