From e7c0472db66798d4dce03e0c47d2d1d6ec5ea597 Mon Sep 17 00:00:00 2001
From: Orsiris de Jong
Date: Tue, 15 Apr 2025 14:12:40 +0200
Subject: [PATCH 1/2] Add logs to keystore-setup and fix password regex
---
 scripts/util/keystore-setup | 57 ++++++++++++++++++++++++++-----------
 1 file changed, 40 insertions(+), 17 deletions(-)
diff --git a/scripts/util/keystore-setup b/scripts/util/keystore-setup
index 25bf28af0086..cc575fa567a6 100755
--- a/scripts/util/keystore-setup
+++ b/scripts/util/keystore-setup
@@ -22,48 +22,71 @@ KS_PASS="$3"
 KS_VALIDITY="$4"
 CSR_FILE="$5"
+LOG_FILE="/var/log/cloudstack/agent/keystore-setup.log"
+
 ALIAS="cloud"
 LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"
+log() {
+ __log_line="${1}"
+ __log_level="${2:-INFO}"
+
+ __log_line="${__log_level}: ${__log_line}"
+ echo "${__log_line}" >> "${LOG_FILE}"
+ echo "${__log_line}"
+}
+
+log "$(date) - starting keystore-setup" >> "${LOG_FILE}"
+
 # Re-use existing password or use the one provided
 if [ -f "$PROPS_FILE" ]; then
- OLD_PASS=$(sed -n '/keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/keystore.passphrase=//g' 2>/dev/null)
+ log "Previous props file exists, trying to extract password"
+ OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" 2>> "${LOG_FILE}" | sed 's/^keystore.passphrase=//g' 2>> "${LOG_FILE}")
 if [ ! -z "${OLD_PASS// }" ]; then
 KS_PASS="$OLD_PASS"
+ log "Password extraction successful"
 else
- sed -i "/keystore.passphrase.*/d" $PROPS_FILE 2> /dev/null || true
+ sed -i "/^keystore.passphrase.*/d" $PROPS_FILE 2>> "${LOG_FILE}" || true
 echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE
+ if [ $? != 0 ]; then
+ log "Could not add new password to agent.properties" "ERROR"
+ else
+ log "New keystore password set"
+ fi
 fi
 fi
 if [ -f "$KS_FILE" ]; then
- keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
+ log "keystore file exists. 
Deleting current entries"
+ keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" >> "${LOG_FILE}" || log "Failed to delete current entries" "ERROR"
 fi
+log "Generating new key"
 CN=$(hostname --fqdn)
-keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" > /dev/null 2>&1
+keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" >> "${LOG_FILE}" 2>&1
 # Generate CSR
-rm -f "$CSR_FILE"
+log "Generating CSR"
+[ -f "$CSR_FILE" ] && rm -f "$CSR_FILE"
 addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',')
-keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" > /dev/null 2>&1
-
+log "Found following SAN addresses to add to CSR: ${addresses}"
+keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >> "${LOG_FILE}" 2>&1
 if [ $? 
-ne 0 ];then
- echo "Failed to generate CSR file, retrying after removing existing settings"
+ log "Failed to generate CSR file, retrying after removing existing settings" "ERROR"
 if [ -f "$LIBVIRTD_FILE" ]; then
- echo "Reverting libvirtd to not listen on TLS"
+ log "Reverting libvirtd to not listen on TLS"
 sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
 systemctl restart libvirtd
 fi
- echo "Removing cloud.* files in /etc/cloudstack/agent"
- rm -f /etc/cloudstack/agent/cloud.*
+ log "Removing cloud.* files in /etc/cloudstack/agent"
+ rm -f /etc/cloudstack/agent/cloud.* || log "Could not remove /etc/cloudstack/agent/cloud.*" "ERROR"
- echo "Retrying to generate CSR file"
- keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >/dev/null 2>&1
+ log "Retrying to generate CSR file"
+ keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >> "${LOG_FILE}" 2>&1
 if [ $? -ne 0 ];then
- echo "Failed to generate CSR file while retrying"
+ log "Failed to generate CSR file while retrying" "ERROR"
 exit 1
 fi
 fi
@@ -71,6 +94,6 @@ fi
 cat "$CSR_FILE"
 # Fix file permissions
-chmod 600 $KS_FILE
-chmod 600 $PROPS_FILE
-chmod 600 $CSR_FILE
+chmod 600 $KS_FILE || log "Cannot chmod $KS_FILE" "ERROR"
+chmod 600 $PROPS_FILE || log "Cannot chmod $PROPS_FILE" "ERROR"
+chmod 600 $CSR_FILE || log "Cannot chmod $CSR_FILE" "ERROR"
From d9a633eab9bb40667b2b97de5463a766c04a1e60 Mon Sep 17 00:00:00 2001
From: Orsiris de Jong
Date: Thu, 17 Apr 2025 10:24:08 +0200
Subject: [PATCH 2/2] Move logging to logger & fix shellcheck issues
---
 scripts/util/keystore-setup | 77 ++++++++++++++++++++-----------------
 1 file changed, 42 insertions(+), 35 deletions(-)
diff --git a/scripts/util/keystore-setup b/scripts/util/keystore-setup
index cc575fa567a6..1e1237cde04c 100755
--- a/scripts/util/keystore-setup
+++ b/scripts/util/keystore-setup
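Review bot: A logging failure now changes the password-handling control flow: on the `OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" 2>> "${LOG_FILE}" | ...)` line, if the `/var/log/cloudstack/agent/` directory is missing or not writable, bash refuses to run the redirected `sed`, `OLD_PASS` comes back empty, and the `else` branch appends a new `keystore.passphrase=` line to the props file although a valid one was present, so the later keytool calls presumably run against the existing keystore with a password that no longer matches and the retry path removes `/etc/cloudstack/agent/cloud.*`. Keep the extraction independent of the log file, e.g. `OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" 2>/dev/null | sed 's/^keystore.passphrase=//g' 2>/dev/null)`, and let `log` fall back to stderr when `LOG_FILE` cannot be opened instead of every `>> "${LOG_FILE}"` redirect failing on its own; the `sed -i "/^keystore.passphrase.*/d" $PROPS_FILE 2>> "${LOG_FILE}"` line in the same branch has the same exposure. Separately, `log "$(date) - starting keystore-setup" >> "${LOG_FILE}"` writes that line to the log twice, because `log` already appends to the file before echoing.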
@@ -22,71 +22,78 @@ KS_PASS="$3"
 KS_VALIDITY="$4"
 CSR_FILE="$5"
-LOG_FILE="/var/log/cloudstack/agent/keystore-setup.log"
-
 ALIAS="cloud"
 LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf"
-log() {
- __log_line="${1}"
- __log_level="${2:-INFO}"
+if type -p logger > /dev/null; then
+ LOGGER_CMD="$(type -p logger) -t cloudstack-keystore-setup"
+else
+ LOG_FILE="/var/log/cloudstack/agent/cloudstack-keystore-setup.log"
+ log() {
+ if [ "${1}" != "" ]; then
+ __log_line="${1}"
+ else
+ read -r __log_line
+ fi
- __log_line="${__log_level}: ${__log_line}"
- echo "${__log_line}" >> "${LOG_FILE}"
- echo "${__log_line}"
-}
+ echo "${__log_line}" >> "${LOG_FILE}"
+ echo "${__log_line}"
+ }
+ LOGGER_CMD=log
+fi
-log "$(date) - starting keystore-setup" >> "${LOG_FILE}"
+$LOGGER_CMD "$(date) - starting keystore-setup"
 # Re-use existing password or use the one provided
 if [ -f "$PROPS_FILE" ]; then
- log "Previous props file exists, trying to extract password"
- OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" 2>> "${LOG_FILE}" | sed 's/^keystore.passphrase=//g' 2>> "${LOG_FILE}")
- if [ ! -z "${OLD_PASS// }" ]; then
+ $LOGGER_CMD "Previous props file exists, trying to extract password"
+ OLD_PASS=$(sed -n '/^keystore.passphrase/p' "$PROPS_FILE" | sed 's/^keystore.passphrase=//g')
+ if [ -n "${OLD_PASS// }" ]; then
 KS_PASS="$OLD_PASS"
- log "Password extraction successful"
+ $LOGGER_CMD "Password extraction successful"
 else
- sed -i "/^keystore.passphrase.*/d" $PROPS_FILE 2>> "${LOG_FILE}" || true
- echo "keystore.passphrase=$KS_PASS" >> $PROPS_FILE
+ sed -i "/^keystore.passphrase.*/d" "$PROPS_FILE" 2>&1 | $LOGGER_CMD || true
+ echo "keystore.passphrase=$KS_PASS" >> "$PROPS_FILE"
 if [ $? != 0 ]; then
- log "Could not add new password to agent.properties" "ERROR"
+ $LOGGER_CMD "Could not add new password to agent.properties"
 else
- log "New keystore password set"
+ $LOGGER_CMD "New keystore password set"
 fi
 fi
 fi
 if [ -f "$KS_FILE" ]; then
- log "keystore file exists. 
Deleting current entries"
- keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" >> "${LOG_FILE}" || log "Failed to delete current entries" "ERROR"
+ $LOGGER_CMD "keystore file exists. Deleting current entries"
+ keytool -delete -noprompt -alias "$ALIAS" -keystore "$KS_FILE" -storepass "$KS_PASS" 2>&1 | $LOGGER_CMD
+ [ $? -ne 0 ] && $LOGGER_CMD "Failed to delete current entries"
 fi
-log "Generating new key"
+$LOGGER_CMD "Generating new key"
 CN=$(hostname --fqdn)
-keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" >> "${LOG_FILE}" 2>&1
+keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyalg RSA -validity "$KS_VALIDITY" -dname cn="$CN",ou="cloudstack",o="cloudstack",c="cloudstack" -keystore "$KS_FILE" 2>&1 | $LOGGER_CMD
 # Generate CSR
-log "Generating CSR"
+$LOGGER_CMD "Generating CSR"
 [ -f "$CSR_FILE" ] && rm -f "$CSR_FILE"
 addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',')
-log "Found following SAN addresses to add to CSR: ${addresses}"
-keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >> "${LOG_FILE}" 2>&1
+$LOGGER_CMD "Found following SAN addresses to add to CSR: ${addresses}"
+keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
 if [ $? 
-ne 0 ];then
- log "Failed to generate CSR file, retrying after removing existing settings" "ERROR"
+ $LOGGER_CMD "Failed to generate CSR file, retrying after removing existing settings"
 if [ -f "$LIBVIRTD_FILE" ]; then
- log "Reverting libvirtd to not listen on TLS"
+ $LOGGER_CMD "Reverting libvirtd to not listen on TLS"
 sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
 systemctl restart libvirtd
 fi
- log "Removing cloud.* files in /etc/cloudstack/agent"
- rm -f /etc/cloudstack/agent/cloud.* || log "Could not remove /etc/cloudstack/agent/cloud.*" "ERROR"
+ $LOGGER_CMD "Removing cloud.* files in /etc/cloudstack/agent"
+ rm -f /etc/cloudstack/agent/cloud.* || $LOGGER_CMD "Could not remove /etc/cloudstack/agent/cloud.*"
- log "Retrying to generate CSR file"
- keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >> "${LOG_FILE}" 2>&1
+ $LOGGER_CMD "Retrying to generate CSR file"
+ keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file "$CSR_FILE" -keystore "$KS_FILE" -ext san="$addresses" 2>&1 | $LOGGER_CMD
 if [ $? -ne 0 ];then
- log "Failed to generate CSR file while retrying" "ERROR"
+ $LOGGER_CMD "Failed to generate CSR file while retrying"
 exit 1
 fi
 fi
@@ -94,6 +101,6 @@ fi
 cat "$CSR_FILE"
 # Fix file permissions
-chmod 600 $KS_FILE || log "Cannot chmod $KS_FILE" "ERROR"
-chmod 600 $PROPS_FILE || log "Cannot chmod $PROPS_FILE" "ERROR"
-chmod 600 $CSR_FILE || log "Cannot chmod $CSR_FILE" "ERROR"
+chmod 600 "$KS_FILE" || $LOGGER_CMD "Cannot chmod $KS_FILE"
+chmod 600 "$PROPS_FILE" || $LOGGER_CMD "Cannot chmod $PROPS_FILE"
+chmod 600 "$CSR_FILE" || $LOGGER_CMD "Cannot chmod $CSR_FILE"
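Review bot: Every status check that follows a `... 2>&1 | $LOGGER_CMD` pipeline now reads the exit status of the logger, not of keytool: `[ $? -ne 0 ] && $LOGGER_CMD "Failed to delete current entries"`, the `if [ $? -ne 0 ];then` after the first `keytool -certreq`, and the same test after the retry, so a failed CSR generation is no longer detected, the libvirtd/cleanup fallback never runs and the script no longer reaches `exit 1` (the `keytool -genkey` pipeline has no check at all). Test the first pipeline stage instead, e.g. `if [ "${PIPESTATUS[0]}" -ne 0 ];then` and `[ "${PIPESTATUS[0]}" -ne 0 ] && $LOGGER_CMD "Failed to delete current entries"`, or add `set -o pipefail` at the top of the script, which the `${OLD_PASS// }` expansion already ties to bash. Separately, the fallback `log()` performs a single `read -r __log_line`, so only the first line of piped keytool output reaches the log file and the rest is discarded; a `while IFS= read -r` loop over stdin would keep it. `LOGGER_CMD` is also a word-split string rather than an array, which ShellCheck will flag on each unquoted `$LOGGER_CMD` call.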