Committed by
Gerrit Code Review
Introducing optional ability to secure the ONOS karaf shell and to use raw ssh client.
Change-Id: I48cfc922eaf980d1cb8b9182b26999ce3c26b667
Showing
14 changed files
with
126 additions
and
13 deletions
| ... | @@ -47,7 +47,8 @@ touch $ONOS_STAGE/apps/org.onosproject.drivers/active | ... | @@ -47,7 +47,8 @@ touch $ONOS_STAGE/apps/org.onosproject.drivers/active |
| 47 | sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ | 47 | sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ |
| 48 | $ONOS_ROOT/tools/package/bin/onos-service > bin/onos-service | 48 | $ONOS_ROOT/tools/package/bin/onos-service > bin/onos-service |
| 49 | sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ | 49 | sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ |
| 50 | - $ONOS_ROOT/tools/package/bin/onos > bin/onos | 50 | + $ONOS_ROOT/tools/package/bin/onos-client > bin/onos |
| 51 | +chmod a+x bin/onos-service bin/onos | ||
| 51 | 52 | ||
| 52 | # Stage the ONOS bundles, but only those that match the version | 53 | # Stage the ONOS bundles, but only those that match the version |
| 53 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/onosproject | 54 | mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/onosproject | ... | ... |
| 1 | #!/bin/bash | 1 | #!/bin/bash |
| 2 | # ----------------------------------------------------------------------------- | 2 | # ----------------------------------------------------------------------------- |
| 3 | -# ONOS command-line client | 3 | +# ONOS command-line client that uses the built-in Apache Karaf client. |
| 4 | # ----------------------------------------------------------------------------- | 4 | # ----------------------------------------------------------------------------- |
| 5 | 5 | ||
| 6 | if [ -z "${JAVA_HOME}" ]; then | 6 | if [ -z "${JAVA_HOME}" ]; then | ... | ... |
tools/package/bin/onos-secure-ssh
0 → 100755
| 1 | +#!/bin/bash | ||
| 2 | +# ----------------------------------------------------------------------------- | ||
| 3 | +# Enables secure access to ONOS console by removing default users & keys. | ||
| 4 | +# ----------------------------------------------------------------------------- | ||
| 5 | + | ||
| 6 | +rm -f $(dirname $0)/onos | ||
| 7 | + | ||
| 8 | +set -e | ||
| 9 | + | ||
| 10 | +cd $(dirname $0)/../apache-karaf-*/etc | ||
| 11 | +USERS=users.properties | ||
| 12 | +KEYS=keys.properties | ||
| 13 | + | ||
| 14 | +# Remove the built-in users and keys to secure the access implicitly. | ||
| 15 | +egrep -v "^(karaf|onos)[ ]*=" $USERS > $USERS.new && mv $USERS.new $USERS | ||
| 16 | +egrep -v "^(#karaf|onos)[ ]*=" $KEYS > $KEYS.new && mv $KEYS.new $KEYS | ||
| 17 | + | ||
| 18 | +# Remove any previous known keys for the local host. | ||
| 19 | +ssh-keygen -f "$HOME/.ssh/known_hosts" -R [localhost]:8101 | ||
| 20 | + | ||
| 21 | +# Swap the onos client to use the SSH variant | ||
| 22 | +ln -s $(dirname $0)/onos-ssh $(dirname $0)/onos |
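Review bot: `$(dirname $0)` is evaluated again at line 22 after the `cd` at line 10, so when the script is invoked by a relative path the symlink is created relative to the Karaf etc directory (or fails) rather than next to the script, while `bin/onos` has already been deleted at line 6 — leaving the node with no `onos` client at all. Resolving the bin directory once before the `cd`, and quoting the expansions, fixes that; the `[localhost]:8101` argument at line 19 should be quoted as well since brackets form a glob pattern. The `egrep -v ... && mv` lines at 15 and 16 also skip the `mv` without tripping `set -e` when the filter leaves no output lines, so the original users or keys file would silently survive while the script still swaps the client to ssh; checking each step explicitly would make the securing step fail loudly instead.
```shell
bin=$(cd "$(dirname "$0")" && pwd)
rm -f "$bin/onos"

set -e

cd "$bin"/../apache-karaf-*/etc
# … unchanged: USERS/KEYS filtering and known_hosts pruning …
ln -s "$bin/onos-ssh" "$bin/onos"
```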
tools/package/bin/onos-ssh
0 → 100755
| 1 | +#!/bin/bash | ||
| 2 | +# ----------------------------------------------------------------------------- | ||
| 3 | +# ONOS command-line client that uses raw ssh. | ||
| 4 | +# ----------------------------------------------------------------------------- | ||
| 5 | + | ||
| 6 | +ssh -p 8101 localhost "$@" | ||
| ... | \ No newline at end of file | ... | \ No newline at end of file |
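Review bot: The file ends without a trailing newline (line 6), which the page flags and which will show up as noise in every later diff of this file. The wrapper also hard-wires `localhost` and port `8101`, which matches the symlink that onos-secure-ssh installs but means it only works when run on the ONOS node itself; a comment making that explicit, `# Intended to run on the ONOS node itself; connects to the console on localhost:8101`, would save the next reader a trip through onos-secure-ssh.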
tools/package/bin/onos-user-key
0 → 100755
| 1 | +#!/bin/bash | ||
| 2 | +# ----------------------------------------------------------------------------- | ||
| 3 | +# Adds or removes a user key for managing passwordless loging to ONOS console. | ||
| 4 | +# ----------------------------------------------------------------------------- | ||
| 5 | + | ||
| 6 | +[ $# -lt 2 ] && echo "usage: $(basename $0) user {key|remove}" && exit 1 | ||
| 7 | + | ||
| 8 | +set -e | ||
| 9 | + | ||
| 10 | +user=$1 | ||
| 11 | +[ -f $2 ] && key=$(cut -d\ -f2 $2) || key=$2 | ||
| 12 | + | ||
| 13 | +cd $(dirname $0)/../apache-karaf-*/etc | ||
| 14 | +KEYS=keys.properties | ||
| 15 | + | ||
| 16 | +# Remove the user key first, in case one was already present | ||
| 17 | +egrep -v "^$user[ ]*=" $KEYS > $KEYS.new && mv $KEYS.new $KEYS | ||
| 18 | +if [ $key != "remove" ]; then | ||
| 19 | + echo "$user=$key,_g_:admingroup" >> $KEYS | ||
| 20 | +fi |
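Review bot: `$user` is interpolated unescaped into the egrep pattern at line 17, so a name containing regex metacharacters (`.`, `*`, `[`) changes which keys.properties entries get deleted instead of matching literally; validating it up front, `[[ "$user" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid user name: $user" >&2; exit 1; }`, keeps the match literal. At line 18 `$key` is unquoted, so an empty key (for example a key file with a single field at line 11) turns the test into a syntax error rather than a clean failure; use `if [ "$key" != "remove" ]; then`. The `egrep -v ... && mv` form at line 17 also skips the `mv` without tripping `set -e` when the filter leaves no lines, so the old entry would remain and the new one be appended beside it. Line 19 places every key in `admingroup`; a comment stating that this tool only grants console admin would make the trust implication clear.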
| ... | @@ -10,5 +10,12 @@ | ... | @@ -10,5 +10,12 @@ |
| 10 | [ "$1" = "-w" ] && shift && onos-wait-for-start $1 | 10 | [ "$1" = "-w" ] && shift && onos-wait-for-start $1 |
| 11 | 11 | ||
| 12 | [ -n "$1" ] && OCI=$(find_node $1) && shift | 12 | [ -n "$1" ] && OCI=$(find_node $1) && shift |
| 13 | -unset KARAF_HOME | 13 | + |
| 14 | -client -h $OCI -u karaf "$@" 2>/dev/null | 14 | +if which -s client && [ -z "$ONOS_USE_SSH" ]; then |
| 15 | + # Use Karaf client only if we can and are allowed to | ||
| 16 | + unset KARAF_HOME | ||
| 17 | + client -h $OCI -u karaf "$@" 2>/dev/null | ||
| 18 | +else | ||
| 19 | + # Otherwise use raw ssh; strict checking is off for dev environments only | ||
| 20 | + ssh -p 8101 -o StrictHostKeyChecking=no $OCI "$@" | ||
| 21 | +fi | ... | ... |
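Review bot: `which -s` at line 14 is a BSD/macOS flag; Linux `which` implementations that do not accept `-s` return a non-zero status, so on those hosts the Karaf client is never selected and every invocation silently falls through to the raw ssh branch with host-key checking disabled. The portable test is `if command -v client >/dev/null 2>&1 && [ -z "$ONOS_USE_SSH" ]; then`. The comment at line 19 says strict checking is off for dev environments only, but nothing in the script enforces that, so it is worth stating which variable is expected to distinguish the two; `$OCI` at lines 17 and 20 should also be quoted.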
| ... | @@ -6,7 +6,8 @@ | ... | @@ -6,7 +6,8 @@ |
| 6 | [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 | 6 | [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 |
| 7 | . $ONOS_ROOT/tools/build/envDefaults | 7 | . $ONOS_ROOT/tools/build/envDefaults |
| 8 | 8 | ||
| 9 | -remote=$ONOS_USER@${1:-$OCI} | 9 | +node=${1:-$OCI} |
| 10 | +remote=$ONOS_USER@$node | ||
| 10 | 11 | ||
| 11 | # ONOS boot features | 12 | # ONOS boot features |
| 12 | export ONOS_BOOT_FEATURES="${ONOS_BOOT_FEATURES:-webconsole,onos-api,onos-core,onos-incubator,onos-cli,onos-rest,onos-gui}" | 13 | export ONOS_BOOT_FEATURES="${ONOS_BOOT_FEATURES:-webconsole,onos-api,onos-core,onos-incubator,onos-cli,onos-rest,onos-gui}" | ... | ... |
tools/test/bin/onos-secure-ssh
0 → 100755
| 1 | +#!/bin/bash | ||
| 2 | +# ----------------------------------------------------------------------------- | ||
| 3 | +# Secures the ONOS console for all instances in the cell ONOS cluster. | ||
| 4 | +# ----------------------------------------------------------------------------- | ||
| 5 | + | ||
| 6 | +[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 | ||
| 7 | +. $ONOS_ROOT/tools/build/envDefaults | ||
| 8 | + | ||
| 9 | +nodes=$(env | sort | egrep "OC[0-9]+" | cut -d= -f2) | ||
| 10 | + | ||
| 11 | +for node in $nodes; do | ||
| 12 | + # Setup passwordless login for the remote user on the local bench host | ||
| 13 | + onos-user-key $node | ||
| 14 | + | ||
| 15 | + # Prune the node entry from the known hosts file since server key changes | ||
| 16 | + ssh-keygen -f "$HOME/.ssh/known_hosts" -R [$node]:8101 | ||
| 17 | + | ||
| 18 | + # Setup passwordless login for the local user on the remote node | ||
| 19 | + ssh $ONOS_USER@$node " | ||
| 20 | + [ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa -f ~/.ssh/id_rsa -P '' -q | ||
| 21 | + $ONOS_INSTALL_DIR/bin/onos-user-key \$(id -un) \$(cut -d\\ -f2 ~/.ssh/id_rsa.pub) | ||
| 22 | + $ONOS_INSTALL_DIR/bin/onos-secure-ssh | ||
| 23 | + | ||
| 24 | + # Implicitly accept the new server key in dev/test environments | ||
| 25 | + while ! ssh -p 8101 -o StrictHostKeyChecking=no localhost list 2>/dev/null; do | ||
| 26 | + echo Waiting for connection... | ||
| 27 | + sleep 1 | ||
| 28 | + done | ||
| 29 | + " | ||
| 30 | +done | ||
| 31 | + |
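Review bot: The pattern `OC[0-9]+` at line 9 is unanchored, so any environment variable whose name or value contains `OC` followed by a digit is treated as a node address; anchor it on the variable name, `nodes=$(env | sort | egrep "^OC[0-9]+=" | cut -d= -f2)`. The wait loop at lines 25–28 has no upper bound, so a node whose console never comes back after the key swap blocks the whole cell setup indefinitely; bounding it the way onos-wait-for-start does and reporting the node would be safer. The `ssh-keygen` at line 20 is guarded only by the absence of `id_rsa.pub`; if `id_rsa` exists without its public half, ssh-keygen will presumably prompt to overwrite inside a non-interactive session — worth confirming. The generated key is unencrypted (`-P ''`) and, via onos-user-key, gets console admin on the node, which fits the dev/test purpose in the header but deserves a sentence in the comment at line 18.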
| ... | @@ -5,6 +5,7 @@ | ... | @@ -5,6 +5,7 @@ |
| 5 | 5 | ||
| 6 | [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 | 6 | [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 |
| 7 | . $ONOS_ROOT/tools/build/envDefaults | 7 | . $ONOS_ROOT/tools/build/envDefaults |
| 8 | +. $ONOS_ROOT/tools/test/bin/find-node.sh | ||
| 8 | 9 | ||
| 9 | -[ -n "$1" ] && OCI=$1 && shift | 10 | +[ -n "$1" ] && OCI=$(find_node $1) && shift |
| 10 | ssh -Y $ONOS_USER@$OCI "$@" | 11 | ssh -Y $ONOS_USER@$OCI "$@" | ... | ... |
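Review bot: At line 10 the node argument is consumed only when `find_node` succeeds; if it exits non-zero, OCI is assigned an empty string, the argument stays in `"$@"`, and line 11 runs `ssh -Y $ONOS_USER@` with the node name passed along as a remote command. Failing fast is clearer: `OCI=$(find_node "$1") || { echo "unknown node: $1" >&2; exit 1; }`. find-node.sh is outside this diff, so whether find_node signals a failed lookup by exit status is inferred. The same form appears as context at line 12 of the onos hunk above.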
| ... | @@ -15,6 +15,7 @@ ssh $remote " | ... | @@ -15,6 +15,7 @@ ssh $remote " |
| 15 | tar zxf /tmp/$ONOS_BITS.tar.gz | 15 | tar zxf /tmp/$ONOS_BITS.tar.gz |
| 16 | 16 | ||
| 17 | cd /tmp/$ONOS_BITS | 17 | cd /tmp/$ONOS_BITS |
| 18 | + export ONOS_NIC=$ONOS_NIC | ||
| 18 | bin/onos-service server 1>/tmp/onos.out 2>/tmp/onos.err & | 19 | bin/onos-service server 1>/tmp/onos.out 2>/tmp/onos.err & |
| 19 | 20 | ||
| 20 | # Setup a few symlinks to allow other tools to work | 21 | # Setup a few symlinks to allow other tools to work | ... | ... |
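Review bot: `export ONOS_NIC=$ONOS_NIC` at line 18 is expanded on the bench side and then re-parsed unquoted by the remote shell, so a value containing whitespace or shell metacharacters would be split or interpreted there, and an unset variable silently exports an empty string on the node; `export ONOS_NIC=\"$ONOS_NIC\"` keeps the value intact remotely. The enclosing `ssh $remote "` script begins before this hunk.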
tools/test/bin/onos-user-key
0 → 100755
| 1 | +#!/bin/bash | ||
| 2 | +# ----------------------------------------------------------------------------- | ||
| 3 | +# Adds or removes a user key for managing passwordless loging to ONOS console. | ||
| 4 | +# ----------------------------------------------------------------------------- | ||
| 5 | + | ||
| 6 | +[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 | ||
| 7 | +. $ONOS_ROOT/tools/build/envDefaults | ||
| 8 | + | ||
| 9 | +node=${1:-$OCI} | ||
| 10 | +user=${2:-$(id -un)} | ||
| 11 | +key=${3:-$(cut -d\ -f2 ~/.ssh/id_rsa.pub)} | ||
| 12 | + | ||
| 13 | +ssh $ONOS_USER@$node $ONOS_INSTALL_DIR/bin/onos-user-key $user $key |
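Review bot: Line 11 falls back to reading `~/.ssh/id_rsa.pub`, but when that file is missing `cut` only prints an error and `key` ends up empty, so line 13 invokes the remote onos-user-key with a single argument and the usage message comes back from the node instead of a clear local error; add `[ -n "$key" ] || { echo "no key given and ~/.ssh/id_rsa.pub not found" >&2; exit 1; }` before the ssh call. The header comment at line 3 reads "loging"; it should be `# Adds or removes a user key for managing passwordless login to ONOS console.` — the copy of this comment in tools/package/bin/onos-user-key has the same typo. `$user` and `$key` on line 13 should be quoted too, since the node-side script relies on receiving exactly two arguments.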
| ... | @@ -9,14 +9,15 @@ | ... | @@ -9,14 +9,15 @@ |
| 9 | remote=$ONOS_USER@${1:-$OCI} | 9 | remote=$ONOS_USER@${1:-$OCI} |
| 10 | 10 | ||
| 11 | ssh -t $remote " | 11 | ssh -t $remote " |
| 12 | + set -x | ||
| 12 | # Wait until we reach the run-level 100 | 13 | # Wait until we reach the run-level 100 |
| 13 | - for i in \$(seq 1 20); do | 14 | + for i in \$(seq 1 45); do |
| 14 | $ONOS_INSTALL_DIR/bin/onos bundle:list 2>/dev/null | \ | 15 | $ONOS_INSTALL_DIR/bin/onos bundle:list 2>/dev/null | \ |
| 15 | grep -q 'START LEVEL 100' && break || sleep 2 | 16 | grep -q 'START LEVEL 100' && break || sleep 2 |
| 16 | done | 17 | done |
| 17 | 18 | ||
| 18 | # Wait until ApplicationManager is available | 19 | # Wait until ApplicationManager is available |
| 19 | - for i in \$(seq 1 5); do | 20 | + for i in \$(seq 1 10); do |
| 20 | grep -q \" ApplicationManager .* Started\" \ | 21 | grep -q \" ApplicationManager .* Started\" \ |
| 21 | $ONOS_INSTALL_DIR/log/karaf.log && break || sleep 1 | 22 | $ONOS_INSTALL_DIR/log/karaf.log && break || sleep 1 |
| 22 | done | 23 | done | ... | ... |
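Review bot: `set -x` at line 12 inside the remote script looks like a leftover debug trace: every subsequent remote command, including each iteration of the two polling loops, is echoed to stderr on every onos-wait-for-start run, which makes the tool noisy and can bury real errors in the log stream. Either drop it or keep it behind an explicit opt-in debug flag. The enclosing `ssh -t $remote "` script continues past this hunk.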
| ... | @@ -16,21 +16,27 @@ | ... | @@ -16,21 +16,27 @@ |
| 16 | <scenario name="setup" description="ONOS cluster setup"> | 16 | <scenario name="setup" description="ONOS cluster setup"> |
| 17 | <group name="Setup"> | 17 | <group name="Setup"> |
| 18 | <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> | 18 | <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> |
| 19 | + <step name="Secure-SSH" exec="onos-secure-ssh" if="${ONOS_USE_SSH}"/> | ||
| 19 | 20 | ||
| 20 | <parallel var="${OC#}"> | 21 | <parallel var="${OC#}"> |
| 21 | - <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/> | 22 | + <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" |
| 23 | + unless="${OCT}"/> | ||
| 22 | <step name="Uninstall-${#}" exec="onos-uninstall ${OC#}"/> | 24 | <step name="Uninstall-${#}" exec="onos-uninstall ${OC#}"/> |
| 23 | - <step name="Kill-${#}" env="~" exec="onos-kill ${OC#}" requires="Uninstall-${#}"/> | 25 | + <step name="Kill-${#}" env="~" exec="onos-kill ${OC#}" |
| 26 | + requires="Uninstall-${#}"/> | ||
| 24 | 27 | ||
| 25 | <step name="Install-${#}" exec="onos-install ${OC#}" | 28 | <step name="Install-${#}" exec="onos-install ${OC#}" |
| 26 | requires="Kill-${#},Push-Bits-${#},Push-Bits"/> | 29 | requires="Kill-${#},Push-Bits-${#},Push-Bits"/> |
| 27 | 30 | ||
| 31 | + <dependency name="Secure-SSH" requires="Install-${#}"/> | ||
| 32 | + | ||
| 28 | <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" | 33 | <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" |
| 29 | - requires="Install-${#}"/> | 34 | + requires="Install-${#},~Secure-SSH"/> |
| 30 | 35 | ||
| 31 | <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" | 36 | <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" |
| 32 | requires="~Wait-for-Start-${#}"/> | 37 | requires="~Wait-for-Start-${#}"/> |
| 33 | - <step name="Check-Components-${#}" exec="onos-check-components ${OC#}" | 38 | + <step name="Check-Components-${#}" |
| 39 | + exec="onos-check-components ${OC#}" | ||
| 34 | requires="~Wait-for-Start-${#},"/> | 40 | requires="~Wait-for-Start-${#},"/> |
| 35 | <step name="Check-Apps-${#}" exec="onos-check-apps ${OC#}" | 41 | <step name="Check-Apps-${#}" exec="onos-check-apps ${OC#}" |
| 36 | requires="~Wait-for-Start-${#}"/> | 42 | requires="~Wait-for-Start-${#}"/> | ... | ... |
| ... | @@ -16,6 +16,7 @@ | ... | @@ -16,6 +16,7 @@ |
| 16 | <scenario name="tar-setup" description="ONOS cluster setup via onos.tar.gz"> | 16 | <scenario name="tar-setup" description="ONOS cluster setup via onos.tar.gz"> |
| 17 | <group name="Setup-Instances"> | 17 | <group name="Setup-Instances"> |
| 18 | <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> | 18 | <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> |
| 19 | + <step name="Secure-SSH" exec="onos-secure-ssh" if="${ONOS_USE_SSH}"/> | ||
| 19 | 20 | ||
| 20 | <parallel var="${OC#}"> | 21 | <parallel var="${OC#}"> |
| 21 | <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/> | 22 | <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/> |
| ... | @@ -25,8 +26,10 @@ | ... | @@ -25,8 +26,10 @@ |
| 25 | <step name="Untar-And-Run-${#}" exec="onos-untar-and-run ${OC#}" | 26 | <step name="Untar-And-Run-${#}" exec="onos-untar-and-run ${OC#}" |
| 26 | requires="Kill-${#},Push-Bits-${#},Push-Bits"/> | 27 | requires="Kill-${#},Push-Bits-${#},Push-Bits"/> |
| 27 | 28 | ||
| 29 | + <dependency name="Secure-SSH" requires="Untar-And-Run-${#}"/> | ||
| 30 | + | ||
| 28 | <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" | 31 | <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" |
| 29 | - requires="Untar-And-Run-${#}"/> | 32 | + requires="Untar-And-Run-${#},~Secure-SSH"/> |
| 30 | 33 | ||
| 31 | <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" | 34 | <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" |
| 32 | requires="~Wait-for-Start-${#}"/> | 35 | requires="~Wait-for-Start-${#}"/> | ... | ... |