Upgrade: forbid upgrading with a key XAPI will reject #167
Conversation
upgrade.py
Outdated
| if tool.partTableType == constants.PARTITION_DOS: | ||
| raise RuntimeError("Upgrade from a DOS partition type is not supported.") | ||
| if self.key_size < 2048: | ||
| raise RuntimeError("Server certificate is too small, must regenerate on 8.2.1 before upgrade.") |
There was a problem hiding this comment.
I'm nervous about stating a specific version number, perhaps better to have this as e.g. "Current server certificate is too small (%d bits), please regenerate with at least 2048 bits" % (self.key_size,)?
(It may also be a good idea to encode the 2048 as a MIN_KEY_SIZE constant in case this needs to change in the future)
There was a problem hiding this comment.
adjusted in last push
ydirson
force-pushed
the
for-xs/certificate-keysize-protection
branch
3 times, most recently
from
1871e0a to
8ab5b8d
Compare
|
any news on this? |
|
What if the certificate is not using RSA ? Other algorithms require smaller key sizes. |
Currently, XAPI doesn't support anything but RSA for this certificate. |
| import re | ||
| import shutil | ||
|
|
||
| from OpenSSL import crypto |
There was a problem hiding this comment.
Do we need an additional dependency in order to use OpenSSL module?
There was a problem hiding this comment.
This is right. Is it too big? I'm not sure we have many alternatives to choose from.
|
Xapi currently enforces not only the key size, but the algorithm as well. So to be extra safe I recommend adding a check that the key must be an RSA one. (and change the message accordingly) |
ydirson
force-pushed
the
for-xs/certificate-keysize-protection
branch
from
8ab5b8d to
fb9e0a6
Compare
|
Added the check for RSA type, and made a few improvements |
XAPI now rejects the default keysize of 7.x era, which must be regenerated before upgrading to 8.3. Let the installer refuse to initiate a situation where a Rolling Pool Upgrade would be unable to proceed, with not-yet-updated slaves holding the running VMs getting refused connection to the updated part of the pool. To be extra-safe, add a check that the key is indeed a RSA one as that's all current XAPI supports, this will make sure this code gets updated when XAPI starts supporting other key types. Signed-off-by: Yann Dirson <yann.dirson@vates.tech>
ydirson
force-pushed
the
for-xs/certificate-keysize-protection
branch
from
fb9e0a6 to
7542c28
Compare
|
and added back the "before upgrade" that slept away during the message reformulation |
5 participants
XAPI now rejects the default keysize of 7.x era, which must be regenerated before upgrading to 8.3. Let the installer refuse to initiate a situation where a Rolling Pool Upgrade would be unable to proceed, with not-yet-updated slaves holding the running VMs getting refused connection to the updated part of the pool.
This now stops the upgrade with the following screen, but after letting the user give consent for launching the upgrade: