tls_livemigration

1. ###############################################
2. #                                             #
3. #  Livmigration TLS-Skript                    #
4. #  Autor: Christoph Raible                    #
5. #                                             #
6. ###############################################
7. ###############################################################################
8. #                                                                             #
9. #  Requirements:                                                              #
10. #  Jeder Server sollte per ssh ohne passwortautentifizierung erreichbar sein  #
11. #  Die beiliegenden Konfigurationsdateien müssen angepasst werden             #
12. #                                                                             #
13. ###############################################################################
14.  
15.  
16.  
17. #Variablen
18. LOCATION=/root/TLS_LIVEMIGRATION2
19. DIRECTORY=/etc/pki
20. HOSTNAME=( nebula0 nebula1 nebula2 nebula3 )
21.  
22. # Private Key erstellen
23. cd $LOCATION
24. certtool --generate-privkey > ca-key.pem
25. certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
26.  
27.  
28. #Vorlagen erstellen
29. for host in "${HOSTNAME[@]}"; do sed "s/nebulaX/$host/" worker-server.info.TEMPLATE > $host-server.info  ;done
30.  
31.  
32. # Template aufräumen
33. rm -f worker.info.TEMPLATE  
34.  
35. # Private Key pro Worker
36. for host in "${HOSTNAME[@]}"; do certtool --generate-privkey > $host-serverkey.pem ;done
37. for host in "${HOSTNAME[@]}"; do certtool --generate-certificate --load-privkey $host-serverkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template $host-server.info --outfile $host-servercert.pem ;done
38.  
39.  
40. # Anlegen der $host-client.info via Template
41. for host in "${HOSTNAME[@]}"; do sed "s/nebulaX/$host/" worker-client.info.TEMPLATE > $host-client.info  ;done
42. for host in "${HOSTNAME[@]}"; do certtool --generate-privkey > $host-clientkey.pem ;done
43. for host in "${HOSTNAME[@]}"; do certtool --generate-certificate --load-privkey $host-clientkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template $host-client.info --outfile $host-clientcert.pem; done
44.  
45.  
46. # Erstellen der Ordnerstruktur & Setzen der Rechte
47. for host in "${HOSTNAME[@]}"; do ssh $host "mkdir -p $DIRECTORY/CA/private &&  chmod 755 $DIRECTORY/CA && chmod 755 $DIRECTORY/ && mkdir -p $DIRECTORY/libvirt/private/ && chmod 755 $DIRECTORY/libvirt/private &&  chown root:kvm $DIRECTORY/libvirt/private && chmod 755 $DIRECTORY/libvirt/ &&  chown root:kvm $DIRECTORY/libvirt/"; done
48.  
49.  
50.  
51. #Verteilen der keys auf die entsprechenden Server
52. for host in "${HOSTNAME[@]}"; do scp $host-clientkey.pem $host:$DIRECTORY/libvirt/private/clientkey.pem; done
53. for host in "${HOSTNAME[@]}"; do scp $host-serverkey.pem $host:$DIRECTORY/libvirt/private/serverkey.pem ;done
54. for host in "${HOSTNAME[@]}"; do scp $host-servercert.pem $host:$DIRECTORY/libvirt/servercert.pem ;done
55. for host in "${HOSTNAME[@]}"; do scp $host-clientcert.pem $host:$DIRECTORY/libvirt/clientcert.pem ;done
56.  
57. #Setzen der richtigen Rechte
58. for host in "${HOSTNAME[@]}"; do ssh $host "chmod  744 $DIRECTORY/libvirt/private/*" ;done
59.  
60. #Altes CA-Cert sichern & Neues kopieren"
61. for host in "${HOSTNAME[@]}"; do ssh $host "mv $DIRECTORY/CA/cacert.pem $DIRECTORY/CA/cacert.pem.OLD"; done
62. for host in "${HOSTNAME[@]}"; do scp ca-cert.pem $host:$DIRECTORY/CA/cacert.pem ; done
63. for host in "${HOSTNAME[@]}"; do scp ca-key.pem $host:$DIRECTORY/CA/private/cakey.pem ; done
64. for host in "${HOSTNAME[@]}"; do ssh $host "chmod 744 $DIRECTORY/CA/cacert.pem && chmod 744 $DIRECTORY/CA/private/cakey.pem"; done