Certificate install script waits endless for SDN-R
Issue-ID: SDNC-1149
Signed-off-by: herbert <herbert.eiselt@highstreet-technologies.com>
Change-Id: Id6b7ef32a2b73d3370ec7a21be2133d8c24979d7
Signed-off-by: herbert <herbert.eiselt@highstreet-technologies.com>
Former-commit-id: 1dee0abcffb0c13bd566bb88460d5453d35c23dc
diff --git a/installation/sdnc/src/main/scripts/installCerts.oom.py b/installation/sdnc/src/main/scripts/installCerts.oom.py
new file mode 100644
index 0000000..ea76c67
--- /dev/null
+++ b/installation/sdnc/src/main/scripts/installCerts.oom.py
@@ -0,0 +1,317 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 Nordix Foundation.
+# ================================================================================
+# extended by highstreet technologies GmbH (c) 2020
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+
+
+# coding=utf-8
+import os
+import httplib
+import base64
+import time
+import zipfile
+import shutil
+import subprocess
+import logging
+
+odl_home = os.environ['ODL_HOME']
+log_directory = odl_home + '/data/log/'
+log_file = log_directory + 'installCerts.log'
+log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+if not os.path.exists(log_directory):
+ os.makedirs(log_directory)
+logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format)
+print 'Start cert provisioning. Log file: ' + log_file;
+
+Path = os.environ['ODL_CERT_DIR']
+
+zipFileList = []
+
+username = os.environ['ODL_ADMIN_USERNAME']
+password = os.environ['ODL_ADMIN_PASSWORD']
+TIMEOUT=1000
+INTERVAL=30
+timePassed=0
+
+postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry"
+postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key"
+postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate"
+
+envOdlFeaturesBoot='ODL_FEATURES_BOOT'
+# Strategy sli-api is default
+certreadyCmd="POST"
+certreadyUrl="/restconf/operations/SLI-API:healthcheck"
+odlFeaturesBoot=os.environ.get(envOdlFeaturesBoot)
+if odlFeaturesBoot is not None:
+ odlFeaturesBoot=odlFeaturesBoot.lower()
+ if 'odl-netconf-topology' in odlFeaturesBoot or 'odl-netconf-clustered-topology' in odlFeaturesBoot:
+ certreadyCmd="GET"
+ certreadyUrl="/restconf/operational/network-topology:network-topology"
+logging.info('ODL ready strategy with command %s and url %s', certreadyCmd, certreadyUrl)
+
+cadi_file = '.pass'
+odl_port = 8181
+headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password),
+ 'X-FromAppId': 'csit-sdnc',
+ 'X-TransactionId': 'csit-sdnc',
+ 'Accept':"application/json",
+ 'Content-type':"application/json"}
+
+def readFile(folder, file):
+ key = open(Path + "/" + folder + "/" + file, "r")
+ fileRead = key.read()
+ key.close()
+ fileRead = "\n".join(fileRead.splitlines()[1:-1])
+ return fileRead
+
+def readTrustedCertificate(folder, file):
+ listCert = list()
+ caPem = ""
+ startCa = False
+ key = open(folder + "/" + file, "r")
+ lines = key.readlines()
+ for line in lines:
+ if not "BEGIN CERTIFICATE" in line and not "END CERTIFICATE" in line and startCa:
+ caPem += line
+ elif "BEGIN CERTIFICATE" in line:
+ startCa = True
+ elif "END CERTIFICATE" in line:
+ startCa = False
+ listCert.append(caPem)
+ caPem = ""
+ return listCert
+
+def makeKeystoreKey(clientKey, count):
+ odl_private_key="ODL_private_key_%d" %count
+
+ json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \
+ '\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format(
+ odl_private_key=odl_private_key,
+ clientKey=clientKey)
+
+ return json_keystore_key
+
+
+
+def makePrivateKey(clientKey, clientCrt, certList, count):
+ caPem = ""
+ if certList:
+ for cert in certList:
+ caPem += '\"%s\",' % cert
+ caPem = caPem.rsplit(',', 1)[0]
+ odl_private_key="ODL_private_key_%d" %count
+
+ json_private_key='{{\"input\": {{ \"private-key\":{{\"name\": \"{odl_private_key}\", \"data\" : ' \
+ '\"{clientKey}\",\"certificate-chain\":[\"{clientCrt}\",{caPem}]}}}}}}'.format(
+ odl_private_key=odl_private_key,
+ clientKey=clientKey,
+ clientCrt=clientCrt,
+ caPem=caPem)
+
+ return json_private_key
+
+def makeTrustedCertificate(certList, count):
+ number = 0
+ json_cert_format = ""
+ for cert in certList:
+ cert_name = "xNF_CA_certificate_%d_%d" %(count, number)
+ json_cert_format += '{{\"name\": \"{trusted_name}\",\"certificate\":\"{cert}\"}},\n'.format(
+ trusted_name=cert_name,
+ cert=cert.strip())
+ number += 1
+
+ json_cert_format = json_cert_format.rsplit(',', 1)[0]
+ json_trusted_cert='{{\"input\": {{ \"trusted-certificate\": [{certificates}]}}}}'.format(
+ certificates=json_cert_format)
+ return json_trusted_cert
+
+
+def makeRestconfPost(conn, json_file, apiCall):
+ req = conn.request("POST", apiCall, json_file, headers=headers)
+ res = conn.getresponse()
+ res.read()
+ if res.status != 200:
+ logging.error("Error here, response back wasnt 200: Response was : %d , %s" % (res.status, res.reason))
+ else:
+ logging.debug("Response :%s Reason :%s ",res.status, res.reason)
+
+def extractZipFiles(zipFileList, count):
+ for zipFolder in zipFileList:
+ with zipfile.ZipFile(Path + "/" + zipFolder.strip(),"r") as zip_ref:
+ zip_ref.extractall(Path)
+ folder = zipFolder.rsplit(".")[0]
+ processFiles(folder, count)
+
+def processFiles(folder, count):
+ logging.info('Process folder: %d %s', count, folder)
+ for file in os.listdir(Path + "/" + folder):
+ if os.path.isfile(Path + "/" + folder + "/" + file.strip()):
+ if ".key" in file:
+ clientKey = readFile(folder, file.strip())
+ elif "trustedCertificate" in file:
+ certList = readTrustedCertificate(Path + "/" + folder, file.strip())
+ elif ".crt" in file:
+ clientCrt = readFile(folder, file.strip())
+ else:
+ logging.error("Could not find file %s" % file.strip())
+ shutil.rmtree(Path + "/" + folder)
+ post_content(clientKey, clientCrt, certList, count)
+
+def post_content(clientKey, clientCrt, certList, count):
+ logging.info('Post content: %d', count)
+ conn = httplib.HTTPConnection("localhost",odl_port)
+ if clientKey:
+ json_keystore_key = makeKeystoreKey(clientKey, count)
+ logging.debug("Posting private key in to ODL keystore")
+ makeRestconfPost(conn, json_keystore_key, postKeystore)
+
+ if certList:
+ json_trusted_cert = makeTrustedCertificate(certList, count)
+ logging.debug("Posting trusted cert list in to ODL")
+ makeRestconfPost(conn, json_trusted_cert, postTrustedCertificate)
+
+ if clientKey and clientCrt and certList:
+ json_private_key = makePrivateKey(clientKey, clientCrt, certList, count)
+ logging.debug("Posting the cert in to ODL")
+ makeRestconfPost(conn, json_private_key, postPrivateKey)
+
+
+def makeHealthcheckCall(headers, timePassed):
+ connected = False
+ # WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200
+ while timePassed < TIMEOUT:
+ try:
+ conn = httplib.HTTPConnection("localhost",odl_port)
+ req = conn.request(certreadyCmd, certreadyUrl,headers=headers)
+ res = conn.getresponse()
+ res.read()
+ httpStatus = res.status
+ if httpStatus == 200:
+ logging.debug("Healthcheck Passed in %d seconds." %timePassed)
+ connected = True
+ break
+ else:
+ logging.debug("Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds. Problem code was: %d" %(INTERVAL, timePassed, TIMEOUT, httpStatus))
+ except:
+ logging.error("Cannot execute REST call. Sleep: %d seconds before testing if Healthcheck worked. Total wait time up now is: %d seconds. Timeout is: %d seconds." %(INTERVAL, timePassed, TIMEOUT))
+ timePassed = timeIncrement(timePassed)
+
+ if timePassed > TIMEOUT:
+ logging.error("TIME OUT: Healthcheck not passed in %d seconds... Could cause problems for testing activities..." %TIMEOUT)
+
+ return connected
+
+
+def timeIncrement(timePassed):
+ time.sleep(INTERVAL)
+ timePassed = timePassed + INTERVAL
+ return timePassed
+
+def get_cadi_password():
+ try:
+ with open(Path + '/' + cadi_file , 'r') as file_obj:
+ cadi_pass = file_obj.read().split('=', 1)[1].strip()
+ return cadi_pass
+ except Exception as e:
+ logging.error("Error occurred while fetching password : %s", e)
+ exit()
+
+def cleanup():
+ for file in os.listdir(Path):
+ if os.path.isfile(Path + '/' + file):
+ logging.debug("Cleaning up the file %s", Path + '/'+ file)
+ os.remove(Path + '/'+ file)
+
+def extract_content(file, password, count):
+ try:
+ certList = []
+ key = None
+ cert = None
+ if (file.endswith('.jks')):
+ p12_file = file.replace('.jks', '.p12')
+ jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
+ logging.debug("Converting %s into p12 format", file)
+ os.system(jks_cmd)
+ file = p12_file
+
+ clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
+ clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
+ trust_file = file.split('/')[2] + '.trust'
+ trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password)
+
+ result_key = subprocess.check_output(clkey_cmd , shell=True)
+ if result_key:
+ key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0]
+
+ os.system(trustCerts_cmd)
+ if os.path.exists(Path + '/' + trust_file):
+ certList = readTrustedCertificate(Path, trust_file)
+
+ result_crt = subprocess.check_output(clcrt_cmd , shell=True)
+ if result_crt:
+ cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0]
+ """
+ To-do: Posting the key, cert, certList might need modification
+ based on how AAF distributes the files.
+
+ """
+ post_content(key, cert, certList, count)
+ except Exception as e:
+ logging.error("Error occurred while processing the file %s : %s", file,e)
+
+def lookforfiles():
+ count = 0
+ for file in os.listdir(Path):
+ if (file.endswith(('.p12', '.jks'))):
+ if os.path.exists(Path + '/' + cadi_file):
+ cert_password = get_cadi_password()
+ logging.debug("Extracting contents from the file %s", file)
+ extract_content(Path + '/' + file, cert_password, count)
+ count += 1
+ else:
+ logging.error("Cadi password file %s not present under cert directory", cadi_file)
+ exit()
+ if count > 0:
+ cleanup()
+ else:
+ logging.debug("No jks/p12 files found under cert directory %s", Path)
+
+
+def readCertProperties():
+ connected = makeHealthcheckCall(headers, timePassed)
+ logging.info('Connected status: %s', connected)
+ if connected:
+ count = 0
+ if os.path.isfile(Path + "/certs.properties"):
+ with open(Path + "/certs.properties", "r") as f:
+ for line in f:
+ if not "*****" in line:
+ zipFileList.append(line)
+ else:
+ extractZipFiles(zipFileList, count)
+ count += 1
+ del zipFileList[:]
+ else:
+ logging.debug("No zipfiles present under cert directory")
+
+ logging.info("Looking for jks/p12 files under cert directory")
+ lookforfiles()
+
+readCertProperties()
+logging.info('Cert installation ending')
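Review bot: In extract_content the keystore password is interpolated into shell command strings (jks_cmd, clcrt_cmd, clkey_cmd, trustCerts_cmd) that run through os.system and subprocess.check_output(shell=True), so the secret is exposed in the process list, a shell metacharacter in the password or file name changes the command, and a CalledProcessError caught by the except at the end is logged with its full command text, which writes the password into installCerts.log. Build argument lists with shell=False and hand the secret over through the child's environment (`-passin env:CERT_PASS` for openssl; keytool documents an equivalent `:env` form of its password options), as sketched below; the exit status of the keytool conversion should also be checked instead of being discarded by os.system. Separately, processFiles never initialises clientKey, clientCrt or certList, so a folder without a .key, .crt or trustedCertificate file makes the post_content call raise NameError; add `clientKey = clientCrt = None` and `certList = []` before the loop. The bare `except:` in makeHealthcheckCall also swallows SystemExit and KeyboardInterrupt; `except Exception:` is sufficient there.
```python
def extract_content(file, password, count):
    try:
        certList = []
        key = None
        cert = None
        # The secret travels via the child's environment, never via argv or a shell string.
        child_env = dict(os.environ, CERT_PASS=password)
        if file.endswith('.jks'):
            p12_file = file.replace('.jks', '.p12')
            logging.debug("Converting %s into p12 format", file)
            subprocess.check_call(['keytool', '-importkeystore',
                                   '-srckeystore', file, '-destkeystore', p12_file,
                                   '-srcstoretype', 'JKS', '-deststoretype', 'PKCS12',
                                   '-srcstorepass:env', 'CERT_PASS',
                                   '-deststorepass:env', 'CERT_PASS'],
                                  env=child_env)
            file = p12_file

        trust_file = file.split('/')[2] + '.trust'
        result_key = subprocess.check_output(
            ['openssl', 'pkcs12', '-in', file, '-nocerts', '-nodes',
             '-passin', 'env:CERT_PASS'], env=child_env)
        # … unchanged: private key extraction from result_key …
        subprocess.check_call(
            ['openssl', 'pkcs12', '-in', file, '-out', Path + '/' + trust_file,
             '-cacerts', '-nokeys', '-passin', 'env:CERT_PASS'], env=child_env)
        # … unchanged: certList read, client cert extraction via the same list form, post_content …
    except Exception as e:
        logging.error("Error occurred while processing the file %s : %s", file, e)
```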
diff --git a/installation/sdnc/src/main/scripts/startODL.oom.sh b/installation/sdnc/src/main/scripts/startODL.oom.sh
index e5e0d8c..f158c7d 100755
--- a/installation/sdnc/src/main/scripts/startODL.oom.sh
+++ b/installation/sdnc/src/main/scripts/startODL.oom.sh
@@ -27,8 +27,20 @@
# List of used constants, that are provided during container initialization
ODL_HOME=${ODL_HOME:-/opt/opendaylight/current}
+ODL_FEATURES_BOOT_FILE=$ODL_HOME/etc/org.apache.karaf.features.cfg
+#
+ODL_REMOVEIDMDB=${ODL_REMOVEIDMDB:-false}
+
+#ODL_CERT_DIR
ODL_ADMIN_USERNAME=${ODL_ADMIN_USERNAME:-admin}
-ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+if $ODL_REMOVEIDMDB ; then
+ echo "Remove odl idmdb"
+ rm $ODL_HOME/data/idmlight.db.mv.db
+ ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-admin}
+else
+ ODL_ADMIN_PASSWORD=${ODL_ADMIN_PASSWORD:-Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U}
+fi
+
export ODL_ADMIN_PASSWORD ODL_ADMIN_USERNAME
SDNC_HOME=${SDNC_HOME:-/opt/onap/sdnc}
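Review bot: The new ODL_REMOVEIDMDB branch falls back to the well-known default `admin` for ODL_ADMIN_PASSWORD when the variable is unset, so wiping the IDM database can leave the admin account on a guessable credential that is also exported to every child process; refuse to start instead, e.g. `: "${ODL_ADMIN_PASSWORD:?must be set when ODL_REMOVEIDMDB=true}"` in place of the default. The `rm` on the idmlight.db.mv.db path is unquoted and has no `-f`, so a missing file prints an error and a space in ODL_HOME splits the path: `rm -f "$ODL_HOME/data/idmlight.db.mv.db"`.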
@@ -52,9 +64,16 @@
SDNRWT=${SDNRWT:-false}
SDNRWT_BOOTFEATURES=${SDNRWT_BOOTFEATURES:-sdnr-wt-feature-aggregator}
SDNRDM=${SDNRDM:-false}
-SDNRDM_BOOTFEATURES=${SDNRDM_BOOTFEATURES:-sdnr-wt-feature-aggregator-devicemanager}
-
+# Add devicemanager base and specific repositories
+SDNRDM_BASE_REPO=${SDNRDM_BASE_REPO:-mvn:org.onap.ccsdk.features.sdnr.wt/sdnr-wt-feature-aggregator-devicemanager-base/$CCSDKFEATUREVERSION/xml/features}
+SDNRDM_ONF_REPO=${SDNRDM_ONF_REPO:-mvn:org.onap.ccsdk.features.sdnr.wt/sdnr-wt-devicemanager-onf-feature/$CCSDKFEATUREVERSION/xml/features}
+SDNRDM_ORAN_REPO=${SDNRDM_ORAN_REPO:-mvn:org.onap.ccsdk.features.sdnr.wt/sdnr-wt-devicemanager-oran-feature/$CCSDKFEATUREVERSION/xml/features}
+SDNRDM_GRAN_REPO=${SDNRDM_GRAN_REPO:-mvn:org.onap.ccsdk.features.sdnr.wt/sdnr-wt-devicemanager-gran-feature/$CCSDKFEATUREVERSION/xml/features}
+# Add devicemanager features
+SDNRDM_SDM_LIST=${SDNRDM_SDM_LIST:-sdnr-wt-devicemanager-onf-feature, sdnr-wt-devicemanager-oran-feature, sdnr-wt-devicemanager-gran-feature}
+SDNRDM_BOOTFEATURES=${SDNRDM_BOOTFEATURES:-sdnr-wt-feature-aggregator-devicemanager-base, ${SDNRDM_SDM_LIST}}
SDNRINIT=${SDNRINIT:-false}
+SDNRONLY=${SDNRONLY:-false}
SDNRDBURL=${SDNRDBURL:-http://sdnrdb:9200}
#SDNRDBUSERNAME
#SDNRDBPASSWORD
@@ -66,45 +85,84 @@
# Functions
+# Test if repository exists, like this mvn:org.onap.ccsdk.features.sdnr.wt/sdnr-wt-devicemanager-oran-feature/0.7.2/xml/features
+# $1 repository
+function isRepoExisting() {
+ REPO=$(echo $1 | sed -E "s#mvn:(.*)/xml/features\$#\1#")
+ OIFS="$IFS"
+ IFS='/' parts=($REPO)
+ IFS="$OIFS"
+ path="$ODL_HOME/system/"${parts[0]//./\/}"/"${parts[1]}"/"${parts[2]}
+ [ -d "$path" ]
+}
+
+# Add features repository to karaf featuresRepositories configuration
+# $1 repositories to be added
+function addRepository() {
+ CFG=$ODL_FEATURES_BOOT_FILE
+ ORIG=$CFG.orig
+ if isRepoExisting "$1" ; then
+ echo "Add repository: $1"
+ sed -i "\|featuresRepositories|s|$|, $1|" $CFG
+ else
+ echo "Repo does not exist: $1"
+ fi
+}
+
# Append features to karaf boot feature configuration
# $1 additional feature to be added
# $2 repositories to be added (optional)
function addToFeatureBoot() {
- CFG=$ODL_HOME/etc/org.apache.karaf.features.cfg
+ CFG=$ODL_FEATURES_BOOT_FILE
ORIG=$CFG.orig
if [ -n "$2" ] ; then
- echo "Add repository: $2"
- mv $CFG $ORIG
- cat $ORIG | sed -e "\|featuresRepositories|s|$|,$2|" > $CFG
+ addRepository $2
fi
echo "Add boot feature: $1"
- mv $CFG $ORIG
- cat $ORIG | sed -e "\|featuresBoot *=|s|$|,$1|" > $CFG
+ sed -i "\|featuresBoot *=|s|$|,$1|" $CFG
}
# Append features to karaf boot feature configuration
# $1 search pattern
# $2 replacement
function replaceFeatureBoot() {
- CFG=$ODL_HOME/etc/org.apache.karaf.features.cfg
- ORIG=$CFG.orig
+ CFG=$ODL_FEATURES_BOOT_FILE
echo "Replace boot feature $1 with: $2"
sed -i "/featuresBoot/ s/$1/$2/g" $CFG
}
+# Remove all sdnc specific features
+function cleanupFeatureBoot() {
+ echo "Remove northbound bootfeatures "
+ sed -i "/featuresBoot/ s/,ccsdk-sli-core-all.*$//g" $ODL_FEATURES_BOOT_FILE
+}
+
function initialize_sdnr() {
echo "SDN-R Database Initialization"
INITCMD="$JAVA_HOME/bin/java -jar "
INITCMD+="$ODL_HOME/system/org/onap/ccsdk/features/sdnr/wt/sdnr-wt-data-provider-setup/$CCSDKFEATUREVERSION/sdnr-dmt.jar "
INITCMD+="$SDNRDBCOMMAND"
echo "Execute: $INITCMD"
- $INITCMD
+ n=0
+ until [ $n -ge 5 ] ; do
+ $INITCMD && break
+ n=$[$n+1]
+ sleep 15
+ done
return $?
}
function install_sdnrwt_features() {
# Repository setup provided via sdnc dockerfile
if $SDNRWT; then
+ addRepository $SDNRDM_BASE_REPO
+ addRepository $SDNRDM_ONF_REPO
+ addRepository $SDNRDM_ORAN_REPO
+ addRepository $SDNRDM_GRAN_REPO
+
+ if $SDNRONLY; then
+ cleanupFeatureBoot
+ fi
if $SDNRDM; then
addToFeatureBoot "$SDNRDM_BOOTFEATURES"
else
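Review bot: initialize_sdnr still returns `$?` after the new retry loop, but that is the status of the last command run inside `until … done` (`break` on success, `sleep 15` after the fifth failure), so the function reports 0 even when all five attempts failed and the caller's init_result check can never fire. Capture the status of $INITCMD in its own variable and return that, as below; `$[ … ]` is also the deprecated arithmetic form, `$((n+1))` is the portable one. In addRepository and addToFeatureBoot the `ORIG=$CFG.orig` assignment is now dead since the `mv`/`cat` backup was replaced by `sed -i`; either drop it or use `sed -i.orig` if the backup is still wanted.
```bash
function initialize_sdnr() {
  # … unchanged: INITCMD assembly and echo …
  n=0
  rc=1
  until [ $n -ge 5 ] ; do
    $INITCMD
    rc=$?
    [ $rc -eq 0 ] && break
    n=$((n+1))
    sleep 15
  done
  return $rc
}
```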
@@ -113,6 +171,7 @@
fi
}
+
function install_sdnr_northbound_features() {
# Repository setup provided via sdnc dockerfile
addToFeatureBoot "$SDNR_NORTHBOUND_BOOTFEATURES"
@@ -181,12 +240,20 @@
# -----------------------
# Main script starts here
+echo "Image path=${IMAGEPATH}"
+echo "Image names=${IMAGENAMES}"
echo "Settings:"
-echo " ENABLE_ODL_CLUSTER=$ENABLE_ODL_CLUSTER"
-echo " SDNC_REPLICAS=$SDNC_REPLICAS"
+echo " USER=$(whoami)"
+echo " SDNC_BIN=$SDNC_BIN"
+echo " SDNC_HOME=$SDNC_HOME"
+echo " ODL_CERT_DIR=$ODL_CERT_DIR"
echo " CCSDKFEATUREVERSION=$CCSDKFEATUREVERSION"
+echo " ENABLE_ODL_CLUSTER=$ENABLE_ODL_CLUSTER"
+echo " ODL_REMOVEIDMDB=$ODL_REMOVEIDMDB"
+echo " SDNC_REPLICAS=$SDNC_REPLICAS"
echo " SDNRWT=$SDNRWT"
echo " SDNRDM=$SDNRDM"
+echo " SDNRONLY=$SDNRONLY"
echo " SDNRINIT=$SDNRINIT"
echo " SDNRDBURL=$SDNRDBURL"
echo " SDNRDBUSERNAME=$SDNRDBUSERNAME"
@@ -197,7 +264,6 @@
echo " PEER_ODL_CLUSTER=$PEER_ODL_CLUSTER"
echo " AAF_ENABLED=$SDNC_AAF_ENABLED"
-
if $SDNC_AAF_ENABLED; then
export SDNC_STORE_DIR=/opt/app/osaaf/local
export SDNC_CONFIG_DIR=/opt/app/osaaf/local
@@ -219,7 +285,11 @@
initialize_sdnr
init_result=$?
echo "Result of init script: $init_result"
- exit $init_result
+ if $SDNRWT ; then
+ echo "Proceed to initialize sdnr"
+ else
+ exit $init_result
+ fi
fi
if [ ! -f ${SDNC_HOME}/.installed ]
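Review bot: With SDNRWT set the script now proceeds regardless of init_result, so a failed SDN-R database initialisation (all retries exhausted) is only visible as an echo line and startup continues; if that is intended it should be stated in a comment, otherwise gate it: `if $SDNRWT && [ "$init_result" -eq 0 ] ; then`. The enclosing `if` block this hunk modifies starts outside the hunk.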
@@ -236,9 +306,17 @@
echo "Installed at `date`" > ${SDNC_HOME}/.installed
fi
-if [ -d /opt/opendaylight/current/certs ] ; then
- cp /opt/opendaylight/current/certs/* /tmp
-fi
-nohup python ${SDNC_BIN}/installCerts.py &
+# Odl configuration done
+ODL_FEATURES_BOOT=$(sed -n "/featuresBoot =/p" $ODL_FEATURES_BOOT_FILE)
+export ODL_FEATURES_BOOT
+if [ -z "$ODL_CERT_DIR" ] ; then
+ echo "No certs provided. Skip installation."
+else
+ echo "Start background cert installer"
+ nohup python ${SDNC_BIN}/installCerts.oom.py &
+fi
+
+echo "Startup opendaylight"
+echo $ODL_FEATURES_BOOT
exec ${ODL_HOME}/bin/karaf server
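Review bot: The `sed -n "/featuresBoot =/p"` that builds ODL_FEATURES_BOOT requires exactly one space before `=`, whereas addToFeatureBoot matches `featuresBoot *=`; if the karaf cfg is written as `featuresBoot=` the exported variable is empty and installCerts.oom.py falls back to the SLI-API healthcheck strategy, with only its startup log line revealing that. Use the same pattern, `ODL_FEATURES_BOOT=$(sed -n "/featuresBoot *=/p" $ODL_FEATURES_BOOT_FILE)`. The `-z "$ODL_CERT_DIR"` guard also only checks that the variable is set; the background installer calls os.listdir on it, so `if [ -z "$ODL_CERT_DIR" ] || [ ! -d "$ODL_CERT_DIR" ] ; then` would skip the installer with a clear message instead of leaving a traceback in the background process's output.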