Merge pull request #4568 from danmcp/bug1049044

Merged by openshift-bot

controller/app/models/application.rb

@@ -1656,6 +1656,10 @@ def calculate_gear_create_ops(ginst_id, gear_ids, deploy_gear_id, comp_specs, co
       reserve_uid_op = ReserveGearUidOp.new(gear_id: gear_id, prereq: maybe_notify_app_create_op + [init_gear_op._id.to_s])
 
       create_gear_op = CreateGearOp.new(gear_id: gear_id, prereq: [reserve_uid_op._id.to_s], retry_rollback_op: reserve_uid_op._id.to_s)
+      # this flag is passed to the node to indicate that an sshkey is required to be generated for this gear
+      # currently the sshkey is being generated on the app dns gear if the application is scalable
+      # we are assuming that haproxy will also be added to this gear
+      create_gear_op.sshkey_required = app_dns && self.scalable
 
       track_usage_op = TrackUsageOp.new(user_id: self.domain.owner._id, parent_user_id:
                            self.domain.owner.parent_user_id, app_name: self.name, gear_id: gear_id,

controller/app/models/gear.rb

@@ -108,8 +108,8 @@ def unreserve_uid
     self.uid = nil
   end
 
-  def create_gear
-    result_io = get_proxy.create(self)
+  def create_gear(sshkey_required=false)
+    result_io = get_proxy.create(self, nil, nil, sshkey_required)
     application.process_commands(result_io, nil, self)
     result_io
   end

controller/app/pending_ops_models/create_gear_op.rb

@@ -1,11 +1,12 @@
 class CreateGearOp < PendingAppOp
 
   field :gear_id, type: String
+  field :sshkey_required, type: Boolean, default: false
 
   def execute
     result_io = ResultIO.new
     gear = get_gear()
-    result_io = gear.create_gear unless gear.removed
+    result_io = gear.create_gear(sshkey_required) unless gear.removed
     raise OpenShift::NodeException.new("Unable to create gear", result_io.exitcode, result_io) if result_io.exitcode != 0
     pending_app_op_group.inc(:num_gears_created, 1)
     result_io

node/lib/openshift-origin-node/model/application_container.rb

@@ -179,16 +179,18 @@ def get_ip_addr(host_id)
       #
       # - model/unix_user.rb
       # context: root
-      # @param secret_token value of OPENSHIFT_SECRET_TOKEN for application
-      def create(secret_token = nil)
+      # @param secret_token     [String]      value of OPENSHIFT_SECRET_TOKEN for application
+      # @param generate_app_key [true, false] Should application ssh key be generated?
+      # @return [String] output from operations creating gear
+      def create(secret_token = nil, generate_app_key = false)
         output = ''
         notify_observers(:before_container_create)
         # lock to prevent race condition between create and delete of gear
         PathUtils.flock("/var/lock/oo-create.#{@uuid}") do
-          resource = OpenShift::Runtime::Node.resource_limits
+          resource             = OpenShift::Runtime::Node.resource_limits
           no_overcommit_active = resource.get_bool('no_overcommit_active', false)
           overcommit_lock_file = "/var/lock/oo-create.overcommit"
-          File.open(overcommit_lock_file, File::RDWR|File::CREAT|File::TRUNC, 0600) do | overcommit_lock |
+          File.open(overcommit_lock_file, File::RDWR|File::CREAT|File::TRUNC, 0600) do |overcommit_lock|
             overcommit_lock.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
 
             begin
@@ -209,12 +211,13 @@ def create(secret_token = nil)
           end
 
           add_env_var('SECRET_TOKEN', secret_token, true) if secret_token
-          output = generate_ssh_key
+
+          output = generate_ssh_key if generate_app_key
 
           if @config.get("CREATE_APP_SYMLINKS").to_i == 1
-            unobfuscated = PathUtils.join(File.dirname(@container_dir),"#{@container_name}-#{@namespace}")
+            unobfuscated = PathUtils.join(File.dirname(@container_dir), "#{@container_name}-#{@namespace}")
             if not File.exists? unobfuscated
-              FileUtils.ln_s File.basename(@container_dir), unobfuscated, :force=>true
+              FileUtils.ln_s File.basename(@container_dir), unobfuscated, :force => true
             end
           end
         end

node/lib/openshift-origin-node/model/application_container_ext/cartridge_actions.rb

@@ -1404,6 +1404,9 @@ def update_cluster(proxies, cluster, rollback, sync_new_gears)
                 # sync from this gear (load balancer) to all new proxy gears
                 # copy the git repo
                 sync_git_repo(ssh_urls, gear_env)
+
+                # also sync the private key so that new proxy gears can also deploy to other gears when elected
+                sync_private_key(ssh_urls, gear_env)
               end
             end
           end
@@ -1429,6 +1432,22 @@ def sync_git_repo(ssh_urls, gear_env)
           end
         end
 
+        def sync_private_key(ssh_urls, gear_env)
+          ssh_dir        = PathUtils.join(container_dir, '.openshift_ssh')
+          ssh_key        = PathUtils.join(ssh_dir, 'id_rsa')
+          Parallel.map(ssh_urls, :in_threads => MAX_THREADS) do |gear|
+            out, err, rc = run_in_container_context("rsync -aAX --rsh=/usr/bin/oo-ssh #{ssh_key}{,.pub} #{gear}:.openshift_ssh/", 
+                                                    env: gear_env, 
+                                                    chdir: container_dir, 
+                                                    expected_exitstatus: 0)
+            if rc==0
+              # rsync drops the system_u context on the files, reset it
+              command = "/usr/bin/oo-ssh #{gear} chcon -u system_u .openshift_ssh/*"
+              out, err, rc = run_in_container_context(command, env: gear_env, expected_exitstatus: 0)
+            end
+          end
+        end
+
         # Enables/disables the specified gear in the current gear's web proxy
         #
         # @param action a Symbol indicating the desired new status (:enable or :disable)

node/lib/openshift-origin-node/model/application_container_ext/setup.rb

@@ -151,6 +151,11 @@ def initialize_homedir(basedir, homedir)
 
           ::OpenShift::Runtime::FrontendHttpServer.new(self).create
 
+          ssh_dir = PathUtils.join(homedir, '.openshift_ssh')
+          FileUtils.mkdir_p(ssh_dir)
+          FileUtils.chmod(0750, ssh_dir)
+          set_rw_permission(ssh_dir)
+
           # Fix SELinux context for cart dirs
           set_rw_permission(profile)
           reset_permission_R(homedir)
@@ -165,9 +170,6 @@ def generate_ssh_key()
           ssh_key        = PathUtils.join(ssh_dir, 'id_rsa')
           ssh_public_key = ssh_key + '.pub'
 
-          FileUtils.mkdir_p(ssh_dir)
-          set_rw_permission(ssh_dir)
-
           run_in_container_context("/usr/bin/ssh-keygen -N '' -f #{ssh_key}",
                                    chdir:               @container_dir,
                                    timeout:             @hourglass.remaining,
@@ -176,9 +178,6 @@ def generate_ssh_key()
           FileUtils.touch(known_hosts)
           FileUtils.touch(ssh_config)
 
-          set_rw_permission_R(ssh_dir)
-
-          FileUtils.chmod(0750, ssh_dir)
           FileUtils.chmod(0600, [ssh_key, ssh_public_key])
           FileUtils.chmod(0660, [known_hosts, ssh_config])
 

node/misc/bin/oo-devel-node

@@ -141,7 +141,8 @@ command :'app-create' do |c|
   c.syntax      = %Q(#{$name} #{c.name} --with-container-uuid UUID --with-namespace NAMESPACE \\
      --with-app-uuid UUID --with-app-name NAME --with-secret-token TOKEN \\
      [--with-uid UID] [--with-container-name NAME] \\
-     [--with-quota-blocks BLOCKS] [--with-quota-files FILES])
+     [--with-quota-blocks BLOCKS] [--with-quota-files FILES] \\
+     [--with-generate-app-key])
   c.description = 'Create a gear without using the Broker'
 
   c.option '-S', '--with-secret-token token', 'Value of OPENSHIFT_SECRET_TOKEN for gear'
@@ -152,6 +153,7 @@ command :'app-create' do |c|
   c.option '-i', '--with-uid UID', Integer, 'User ID to use in /etc/passwd'
   c.option '-b', '--with-quota-blocks BLOCKS', Integer, 'Number of blocks to allow'
   c.option '-f', '--with-quota-files FILES', Integer, 'Number of files to allow'
+  c.option '--with-generate-app-key', 'Should application ssh key be generated'
   c.action do |args, options|
     options.default with_container_name: options.with_app_name,
                     with_secret_token: Digest::SHA1.base64digest(SecureRandom.random_bytes(256)).to_s
@@ -171,7 +173,7 @@ command :'app-create' do |c|
         options.with_quota_blocks,
         options.with_quota_files
     )
-    execute { container.create(options.with_secret_token) }
+    execute { container.create(options.with_secret_token, options.with_generate_app_key) }
   end
 end
 

node/test/unit/application_container_test.rb

@@ -440,6 +440,11 @@ def test_update_cluster_add_gears
     gear_registry = mock()
     @container.expects(:gear_registry).returns(gear_registry).at_least_once
 
+    @container.expects(:run_in_container_context).with("rsync -aAX --rsh=/usr/bin/oo-ssh /var/lib/openshift/#{@gear_uuid}/.openshift_ssh/id_rsa{,.pub} #{@gear_uuid.to_i + 2}@node1.example.com:.openshift_ssh/",
+                                                            env: gear_env,
+                                                            chdir: @container.container_dir,
+                                                            expected_exitstatus: 0)
+
     uuid1 = @container.uuid
     gear1 = {
       uuid: uuid1,

plugins/msg-broker/mcollective/lib/openshift/mcollective_application_container_proxy.rb

@@ -329,7 +329,7 @@ def unreserve_uid(uid, district_uuid=nil)
         end
       end
 
-      def build_base_gear_args(gear, quota_blocks=nil, quota_files=nil)
+      def build_base_gear_args(gear, quota_blocks=nil, quota_files=nil, sshkey_required=false)
         app = gear.application
         args = Hash.new
         args['--with-app-uuid'] = app.uuid
@@ -338,6 +338,7 @@ def build_base_gear_args(gear, quota_blocks=nil, quota_files=nil)
         args['--with-container-name'] = gear.name
         args['--with-quota-blocks'] = quota_blocks if quota_blocks
         args['--with-quota-files'] = quota_files if quota_files
+        args['--with-generate-app-key'] = sshkey_required if sshkey_required
         args['--with-namespace'] = app.domain_namespace
         args['--with-uid'] = gear.uid if gear.uid
         args['--with-request-id'] = Thread.current[:user_action_log_uuid]
@@ -380,11 +381,11 @@ def build_base_component_args(component, existing_args={})
       # Constructs a shell command line to be executed by the MCollective agent
       # on the node.
       #
-      def create(gear, quota_blocks=nil, quota_files=nil)
+      def create(gear, quota_blocks=nil, quota_files=nil, sshkey_required=false)
         app = gear.application
         result = nil
         (1..10).each do |i|
-          args = build_base_gear_args(gear, quota_blocks, quota_files)
+          args = build_base_gear_args(gear, quota_blocks, quota_files, sshkey_required)
 
           # set the secret token for new gear creations
           # log an error if the application does not have its secret_token set

plugins/msg-node/mcollective/src/openshift.rb

@@ -336,9 +336,10 @@ def oo_app_create(args)
         output = ''
         begin
           token = args.key?('--with-secret-token') ? args['--with-secret-token'].to_s : nil
+          generate_app_key = args.key?('--with-generate-app-key') ? args['--with-generate-app-key'] : false
 
           container = get_app_container_from_args(args)
-          output = container.create(token)
+          output = container.create(token, generate_app_key)
         rescue OpenShift::Runtime::UserCreationException => e
           report_exception e
           Log.instance.info e.message