Thomas Vachuska
Committed by Gerrit Code Review

Introducing optional ability to secure the ONOS karaf shell and to use raw ssh client.

Change-Id: I48cfc922eaf980d1cb8b9182b26999ce3c26b667
...@@ -47,7 +47,8 @@ touch $ONOS_STAGE/apps/org.onosproject.drivers/active ...@@ -47,7 +47,8 @@ touch $ONOS_STAGE/apps/org.onosproject.drivers/active
47 sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ 47 sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \
48 $ONOS_ROOT/tools/package/bin/onos-service > bin/onos-service 48 $ONOS_ROOT/tools/package/bin/onos-service > bin/onos-service
49 sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \ 49 sed "s/\$KARAF_VERSION/$KARAF_VERSION/g" \
50 - $ONOS_ROOT/tools/package/bin/onos > bin/onos 50 + $ONOS_ROOT/tools/package/bin/onos-client > bin/onos
51 +chmod a+x bin/onos-service bin/onos
51 52
52 # Stage the ONOS bundles, but only those that match the version 53 # Stage the ONOS bundles, but only those that match the version
53 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/onosproject 54 mkdir -p $ONOS_STAGE/$KARAF_DIST/system/org/onosproject
......
1 #!/bin/bash 1 #!/bin/bash
2 # ----------------------------------------------------------------------------- 2 # -----------------------------------------------------------------------------
3 -# ONOS command-line client 3 +# ONOS command-line client that uses the built-in Apache Karaf client.
4 # ----------------------------------------------------------------------------- 4 # -----------------------------------------------------------------------------
5 5
6 if [ -z "${JAVA_HOME}" ]; then 6 if [ -z "${JAVA_HOME}" ]; then
......
1 +#!/bin/bash
2 +# -----------------------------------------------------------------------------
3 +# Enables secure access to ONOS console by removing default users & keys.
4 +# -----------------------------------------------------------------------------
5 +
6 +rm -f $(dirname $0)/onos
7 +
8 +set -e
9 +
10 +cd $(dirname $0)/../apache-karaf-*/etc
11 +USERS=users.properties
12 +KEYS=keys.properties
13 +
14 +# Remove the built-in users and keys to secure the access implicitly.
15 +egrep -v "^(karaf|onos)[ ]*=" $USERS > $USERS.new && mv $USERS.new $USERS
16 +egrep -v "^(#karaf|onos)[ ]*=" $KEYS > $KEYS.new && mv $KEYS.new $KEYS
17 +
18 +# Remove any previous known keys for the local host.
19 +ssh-keygen -f "$HOME/.ssh/known_hosts" -R [localhost]:8101
20 +
21 +# Swap the onos client to use the SSH variant
22 +ln -s $(dirname $0)/onos-ssh $(dirname $0)/onos
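Review bot: The keys.properties filter on line 16 only removes a commented-out `#karaf` entry, so if the karaf key line was ever uncommented (it is the distribution's well-known, publicly shipped keypair) it survives this "secure" step and still grants admin access on port 8101; `egrep -v "^#?(karaf|onos)[ ]*=" $KEYS` covers both forms. Separately, `$(dirname $0)` on line 22 is evaluated after the `cd` on line 10, so a relative invocation such as `bin/onos-secure-ssh` resolves the symlink source and target relative to the etc directory; capture `bin=$(cd "$(dirname "$0")" && pwd)` before the cd and use `$bin` on lines 6 and 22. Note also that `egrep -v` exits 1 when no line remains, in which case the `&& mv` is skipped and the original file is silently left intact, because a failure inside an `&&` list does not trigger `set -e`.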
1 +#!/bin/bash
2 +# -----------------------------------------------------------------------------
3 +# ONOS command-line client that uses raw ssh.
4 +# -----------------------------------------------------------------------------
5 +
6 +ssh -p 8101 localhost "$@"
...\ No newline at end of file ...\ No newline at end of file
1 +#!/bin/bash
2 +# -----------------------------------------------------------------------------
3 +# Adds or removes a user key for managing passwordless loging to ONOS console.
4 +# -----------------------------------------------------------------------------
5 +
6 +[ $# -lt 2 ] && echo "usage: $(basename $0) user {key|remove}" && exit 1
7 +
8 +set -e
9 +
10 +user=$1
11 +[ -f $2 ] && key=$(cut -d\ -f2 $2) || key=$2
12 +
13 +cd $(dirname $0)/../apache-karaf-*/etc
14 +KEYS=keys.properties
15 +
16 +# Remove the user key first, in case one was already present
17 +egrep -v "^$user[ ]*=" $KEYS > $KEYS.new && mv $KEYS.new $KEYS
18 +if [ $key != "remove" ]; then
19 + echo "$user=$key,_g_:admingroup" >> $KEYS
20 +fi
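Review bot: `$user` is interpolated unescaped into the egrep pattern on line 17, so a name containing regex metacharacters (a single `.` is enough) can strip other users' entries from keys.properties; a field comparison avoids the pattern entirely, e.g. `awk -F'[ ]*=' -v u="$user" '$1 != u' $KEYS > $KEYS.new && mv $KEYS.new $KEYS`. The key itself is never validated: a mistyped path fails the `-f` test on line 11 and the literal path string is written as the key, and pointing `$2` at a private key yields `RSA` from the first line; a check such as `[[ $key =~ ^[A-Za-z0-9+/=]+$ ]] || { echo "not a public key blob: $key" >&2; exit 1; }` before line 16 catches both. The unquoted `[ $key != "remove" ]` on line 18 also errors out if `cut` produced an empty value, so quote `"$key"`.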
...@@ -10,5 +10,12 @@ ...@@ -10,5 +10,12 @@
10 [ "$1" = "-w" ] && shift && onos-wait-for-start $1 10 [ "$1" = "-w" ] && shift && onos-wait-for-start $1
11 11
12 [ -n "$1" ] && OCI=$(find_node $1) && shift 12 [ -n "$1" ] && OCI=$(find_node $1) && shift
13 -unset KARAF_HOME 13 +
14 -client -h $OCI -u karaf "$@" 2>/dev/null 14 +if which -s client && [ -z "$ONOS_USE_SSH" ]; then
15 + # Use Karaf client only if we can and are allowed to
16 + unset KARAF_HOME
17 + client -h $OCI -u karaf "$@" 2>/dev/null
18 +else
19 + # Otherwise use raw ssh; strict checking is off for dev environments only
20 + ssh -p 8101 -o StrictHostKeyChecking=no $OCI "$@"
21 +fi
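Review bot: `-o StrictHostKeyChecking=no` on line 20 accepts whatever host key the node presents on first contact, so the raw-ssh path has no protection against a man-in-the-middle on port 8101; the comment limits it to dev environments, but nothing in the script enforces that, so consider making the option overridable (e.g. `${ONOS_SSH_OPTS:--o StrictHostKeyChecking=no}`) so that anyone setting ONOS_USE_SSH outside a bench can keep checking on. Also, `which -s` on line 14 is a BSD/macOS option that the GNU/Debian `which` does not appear to accept, which would push every Linux user to the ssh branch even when the Karaf client is installed; `command -v client >/dev/null` is the portable test. The `2>/dev/null` on line 17 is inherited from the old line and keeps hiding client connection errors from the user.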
......
...@@ -6,7 +6,8 @@ ...@@ -6,7 +6,8 @@
6 [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 6 [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
7 . $ONOS_ROOT/tools/build/envDefaults 7 . $ONOS_ROOT/tools/build/envDefaults
8 8
9 -remote=$ONOS_USER@${1:-$OCI} 9 +node=${1:-$OCI}
10 +remote=$ONOS_USER@$node
10 11
11 # ONOS boot features 12 # ONOS boot features
12 export ONOS_BOOT_FEATURES="${ONOS_BOOT_FEATURES:-webconsole,onos-api,onos-core,onos-incubator,onos-cli,onos-rest,onos-gui}" 13 export ONOS_BOOT_FEATURES="${ONOS_BOOT_FEATURES:-webconsole,onos-api,onos-core,onos-incubator,onos-cli,onos-rest,onos-gui}"
......
1 +#!/bin/bash
2 +# -----------------------------------------------------------------------------
3 +# Secures the ONOS console for all instances in the cell ONOS cluster.
4 +# -----------------------------------------------------------------------------
5 +
6 +[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
7 +. $ONOS_ROOT/tools/build/envDefaults
8 +
9 +nodes=$(env | sort | egrep "OC[0-9]+" | cut -d= -f2)
10 +
11 +for node in $nodes; do
12 + # Setup passwordless login for the remote user on the local bench host
13 + onos-user-key $node
14 +
15 + # Prune the node entry from the known hosts file since server key changes
16 + ssh-keygen -f "$HOME/.ssh/known_hosts" -R [$node]:8101
17 +
18 + # Setup passwordless login for the local user on the remote node
19 + ssh $ONOS_USER@$node "
20 + [ ! -f ~/.ssh/id_rsa.pub ] && ssh-keygen -t rsa -f ~/.ssh/id_rsa -P '' -q
21 + $ONOS_INSTALL_DIR/bin/onos-user-key \$(id -un) \$(cut -d\\ -f2 ~/.ssh/id_rsa.pub)
22 + $ONOS_INSTALL_DIR/bin/onos-secure-ssh
23 +
24 + # Implicitly accept the new server key in dev/test environments
25 + while ! ssh -p 8101 -o StrictHostKeyChecking=no localhost list 2>/dev/null; do
26 + echo Waiting for connection...
27 + sleep 1
28 + done
29 + "
30 +done
31 +
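Review bot: The node discovery on line 9, `egrep "OC[0-9]+"`, is unanchored and matches any environment variable whose name or value contains that substring (e.g. `DOC1=...`), so an unrelated variable would be treated as a cluster node and have its console "secured"; anchor it as `egrep "^OC[0-9]+="`. The remote command on lines 19–29 has no `set -e`, so if the inner `onos-user-key` on line 21 fails (for instance if `~/.ssh` does not exist and `ssh-keygen` on line 20 cannot write the key) line 22 still strips the default users, leaving that node reachable only through the bench user's key pushed on line 13; start the remote command with `set -e`. The `-P ''` on line 20 deliberately creates an unprotected private key on every node, which is acceptable for the test bench this targets but worth stating in the header comment, e.g. `# Generates an unencrypted per-node ssh key; intended for test cells only.`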
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
5 5
6 [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1 6 [ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
7 . $ONOS_ROOT/tools/build/envDefaults 7 . $ONOS_ROOT/tools/build/envDefaults
8 +. $ONOS_ROOT/tools/test/bin/find-node.sh
8 9
9 -[ -n "$1" ] && OCI=$1 && shift 10 +[ -n "$1" ] && OCI=$(find_node $1) && shift
10 ssh -Y $ONOS_USER@$OCI "$@" 11 ssh -Y $ONOS_USER@$OCI "$@"
......
...@@ -15,6 +15,7 @@ ssh $remote " ...@@ -15,6 +15,7 @@ ssh $remote "
15 tar zxf /tmp/$ONOS_BITS.tar.gz 15 tar zxf /tmp/$ONOS_BITS.tar.gz
16 16
17 cd /tmp/$ONOS_BITS 17 cd /tmp/$ONOS_BITS
18 + export ONOS_NIC=$ONOS_NIC
18 bin/onos-service server 1>/tmp/onos.out 2>/tmp/onos.err & 19 bin/onos-service server 1>/tmp/onos.out 2>/tmp/onos.err &
19 20
20 # Setup a few symlinks to allow other tools to work 21 # Setup a few symlinks to allow other tools to work
......
1 +#!/bin/bash
2 +# -----------------------------------------------------------------------------
3 +# Adds or removes a user key for managing passwordless loging to ONOS console.
4 +# -----------------------------------------------------------------------------
5 +
6 +[ ! -d "$ONOS_ROOT" ] && echo "ONOS_ROOT is not defined" >&2 && exit 1
7 +. $ONOS_ROOT/tools/build/envDefaults
8 +
9 +node=${1:-$OCI}
10 +user=${2:-$(id -un)}
11 +key=${3:-$(cut -d\ -f2 ~/.ssh/id_rsa.pub)}
12 +
13 +ssh $ONOS_USER@$node $ONOS_INSTALL_DIR/bin/onos-user-key $user $key
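Review bot: Line 11 reads `~/.ssh/id_rsa.pub` unconditionally, so when that file is missing `cut` fails, `key` is empty and the remote `onos-user-key` on line 13 is invoked with a single argument and dies with its usage message instead of a clear diagnosis; guard it with `: "${key:?no key given and ~/.ssh/id_rsa.pub not found}"` before line 13. The header comment on line 3 is copied from the package script, including the `loging` typo, and does not say that this variant acts on a remote node; suggest `# Adds or removes a user key on a remote ONOS node (default $OCI) for passwordless login to its console.`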
...@@ -9,14 +9,15 @@ ...@@ -9,14 +9,15 @@
9 remote=$ONOS_USER@${1:-$OCI} 9 remote=$ONOS_USER@${1:-$OCI}
10 10
11 ssh -t $remote " 11 ssh -t $remote "
12 + set -x
12 # Wait until we reach the run-level 100 13 # Wait until we reach the run-level 100
13 - for i in \$(seq 1 20); do 14 + for i in \$(seq 1 45); do
14 $ONOS_INSTALL_DIR/bin/onos bundle:list 2>/dev/null | \ 15 $ONOS_INSTALL_DIR/bin/onos bundle:list 2>/dev/null | \
15 grep -q 'START LEVEL 100' && break || sleep 2 16 grep -q 'START LEVEL 100' && break || sleep 2
16 done 17 done
17 18
18 # Wait until ApplicationManager is available 19 # Wait until ApplicationManager is available
19 - for i in \$(seq 1 5); do 20 + for i in \$(seq 1 10); do
20 grep -q \" ApplicationManager .* Started\" \ 21 grep -q \" ApplicationManager .* Started\" \
21 $ONOS_INSTALL_DIR/log/karaf.log && break || sleep 1 22 $ONOS_INSTALL_DIR/log/karaf.log && break || sleep 1
22 done 23 done
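Review bot: `set -x` on line 12 traces every command of the remote wait loops to the caller's terminal on each invocation, which reads as leftover debugging rather than intended output; drop it, or gate it on a verbosity variable such as `[ -n "\$ONOS_DEBUG" ] && set -x`. If it is meant to stay, a comment saying so would stop the next reader from removing it.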
......
...@@ -16,21 +16,27 @@ ...@@ -16,21 +16,27 @@
16 <scenario name="setup" description="ONOS cluster setup"> 16 <scenario name="setup" description="ONOS cluster setup">
17 <group name="Setup"> 17 <group name="Setup">
18 <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> 18 <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/>
19 + <step name="Secure-SSH" exec="onos-secure-ssh" if="${ONOS_USE_SSH}"/>
19 20
20 <parallel var="${OC#}"> 21 <parallel var="${OC#}">
21 - <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/> 22 + <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}"
23 + unless="${OCT}"/>
22 <step name="Uninstall-${#}" exec="onos-uninstall ${OC#}"/> 24 <step name="Uninstall-${#}" exec="onos-uninstall ${OC#}"/>
23 - <step name="Kill-${#}" env="~" exec="onos-kill ${OC#}" requires="Uninstall-${#}"/> 25 + <step name="Kill-${#}" env="~" exec="onos-kill ${OC#}"
26 + requires="Uninstall-${#}"/>
24 27
25 <step name="Install-${#}" exec="onos-install ${OC#}" 28 <step name="Install-${#}" exec="onos-install ${OC#}"
26 requires="Kill-${#},Push-Bits-${#},Push-Bits"/> 29 requires="Kill-${#},Push-Bits-${#},Push-Bits"/>
27 30
31 + <dependency name="Secure-SSH" requires="Install-${#}"/>
32 +
28 <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" 33 <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}"
29 - requires="Install-${#}"/> 34 + requires="Install-${#},~Secure-SSH"/>
30 35
31 <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" 36 <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}"
32 requires="~Wait-for-Start-${#}"/> 37 requires="~Wait-for-Start-${#}"/>
33 - <step name="Check-Components-${#}" exec="onos-check-components ${OC#}" 38 + <step name="Check-Components-${#}"
39 + exec="onos-check-components ${OC#}"
34 requires="~Wait-for-Start-${#},"/> 40 requires="~Wait-for-Start-${#},"/>
35 <step name="Check-Apps-${#}" exec="onos-check-apps ${OC#}" 41 <step name="Check-Apps-${#}" exec="onos-check-apps ${OC#}"
36 requires="~Wait-for-Start-${#}"/> 42 requires="~Wait-for-Start-${#}"/>
......
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
16 <scenario name="tar-setup" description="ONOS cluster setup via onos.tar.gz"> 16 <scenario name="tar-setup" description="ONOS cluster setup via onos.tar.gz">
17 <group name="Setup-Instances"> 17 <group name="Setup-Instances">
18 <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/> 18 <step name="Push-Bits" exec="onos-push-bits-through-proxy" if="${OCT}"/>
19 + <step name="Secure-SSH" exec="onos-secure-ssh" if="${ONOS_USE_SSH}"/>
19 20
20 <parallel var="${OC#}"> 21 <parallel var="${OC#}">
21 <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/> 22 <step name="Push-Bits-${#}" exec="onos-push-bits ${OC#}" unless="${OCT}"/>
...@@ -25,8 +26,10 @@ ...@@ -25,8 +26,10 @@
25 <step name="Untar-And-Run-${#}" exec="onos-untar-and-run ${OC#}" 26 <step name="Untar-And-Run-${#}" exec="onos-untar-and-run ${OC#}"
26 requires="Kill-${#},Push-Bits-${#},Push-Bits"/> 27 requires="Kill-${#},Push-Bits-${#},Push-Bits"/>
27 28
29 + <dependency name="Secure-SSH" requires="Untar-And-Run-${#}"/>
30 +
28 <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}" 31 <step name="Wait-for-Start-${#}" exec="onos-wait-for-start ${OC#}"
29 - requires="Untar-And-Run-${#}"/> 32 + requires="Untar-And-Run-${#},~Secure-SSH"/>
30 33
31 <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}" 34 <step name="Check-Logs-${#}" exec="onos-check-logs ${OC#}"
32 requires="~Wait-for-Start-${#}"/> 35 requires="~Wait-for-Start-${#}"/>
......