apache
diff --git a/‎agent/bindir/cloud-setup-agent.in‎
Lines changed: 11 additions & 1 deletion b/‎agent/bindir/cloud-setup-agent.in‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎agent/src/com/cloud/agent/Agent.java‎
Lines changed: 137 additions & 18 deletions b/‎agent/src/com/cloud/agent/Agent.java‎
Lines changed: 137 additions & 18 deletions
diff --git a/‎agent/src/com/cloud/agent/AgentShell.java‎
Lines changed: 4 additions & 3 deletions b/‎agent/src/com/cloud/agent/AgentShell.java‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎agent/src/com/cloud/agent/IAgentShell.java‎
Lines changed: 5 additions & 0 deletions b/‎agent/src/com/cloud/agent/IAgentShell.java‎
Lines changed: 5 additions & 0 deletions
@@ -26,6 +26,7 @@ from cloudutils.configFileOps import  configFileOps
 from cloudutils.globalEnv import globalEnv
 from cloudutils.networkConfig import networkConfig
 from cloudutils.syscfg import sysConfigFactory
+from cloudutils.serviceConfig import configureLibvirtConfig
 
 from optparse import OptionParser
 
@@ -100,6 +101,7 @@ if __name__ == '__main__':
     parser.add_option("-c", "--cluster", dest="cluster", help="cluster id")
     parser.add_option("-t", "--hypervisor", default="kvm", dest="hypervisor", help="hypervisor type")
     parser.add_option("-g", "--guid", dest="guid", help="guid")
+    parser.add_option("-s", action="store_true", default=False, dest="secure", help="Secure and enable TLS for libvirtd")
     parser.add_option("--pubNic", dest="pubNic", help="Public traffic interface")
     parser.add_option("--prvNic", dest="prvNic", help="Private traffic interface")
     parser.add_option("--guestNic", dest="guestNic", help="Guest traffic interface")
@@ -110,6 +112,12 @@ if __name__ == '__main__':
         glbEnv.bridgeType = bridgeType
 
     (options, args) = parser.parse_args()
+
+    if not options.auto and options.secure:
+        configureLibvirtConfig(True)
+        print "Libvirtd with TLS configured"
+        sys.exit(0)
+
     if options.auto is None:
         userInputs = getUserInputs()
         glbEnv.mgtSvr = userInputs[0]
@@ -138,7 +146,9 @@ if __name__ == '__main__':
         glbEnv.nics.append(options.prvNic)
         glbEnv.nics.append(options.pubNic)
         glbEnv.nics.append(options.guestNic)
-        
+
+    glbEnv.secure = options.secure
+
     print "Starting to configure your system:"
     syscfg = sysConfigFactory.getSysConfigFactory(glbEnv)
     try:
 
@@ -42,6 +42,7 @@
 import org.apache.cloudstack.agent.directdownload.SetupDirectDownloadCertificate;
 import org.apache.cloudstack.agent.lb.SetupMSListAnswer;
 import org.apache.cloudstack.agent.lb.SetupMSListCommand;
+import org.apache.cloudstack.ca.PostCertificateRenewalCommand;
 import org.apache.cloudstack.ca.SetupCertificateAnswer;
 import org.apache.cloudstack.ca.SetupCertificateCommand;
 import org.apache.cloudstack.ca.SetupKeyStoreCommand;
@@ -68,6 +69,7 @@
 import com.cloud.agent.transport.Request;
 import com.cloud.agent.transport.Response;
 import com.cloud.exception.AgentControlChannelException;
+import com.cloud.host.Host;
 import com.cloud.resource.ServerResource;
 import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.StringUtils;
@@ -127,6 +129,7 @@ public int value() {
     Long _id;
 
     Timer _timer = new Timer("Agent Timer");
+    Timer certTimer;
     Timer hostLBTimer;
 
     List<WatchTask> _watchList = new ArrayList<WatchTask>();
@@ -140,9 +143,11 @@ public int value() {
     long _startupWait = _startupWaitDefault;
     boolean _reconnectAllowed = true;
     //For time sentitive task, e.g. PingTask
-    private final ThreadPoolExecutor _ugentTaskPool;
+    ThreadPoolExecutor _ugentTaskPool;
     ExecutorService _executor;
 
+    Thread _shutdownThread = new ShutdownThread(this);
+
     private String _keystoreSetupPath;
     private String _keystoreCertImportPath;
 
@@ -153,7 +158,7 @@ public Agent(final IAgentShell shell) {
 
         _connection = new NioClient("Agent", _shell.getNextHost(), _shell.getPort(), _shell.getWorkers(), this);
 
-        Runtime.getRuntime().addShutdownHook(new ShutdownThread(this));
+        Runtime.getRuntime().addShutdownHook(_shutdownThread);
 
         _ugentTaskPool =
                 new ThreadPoolExecutor(shell.getPingRetries(), 2 * shell.getPingRetries(), 10, TimeUnit.MINUTES, new SynchronousQueue<Runnable>(), new NamedThreadFactory(
@@ -192,7 +197,7 @@ public Agent(final IAgentShell shell, final int localAgentId, final ServerResour
         // ((NioClient)_connection).setBindAddress(_shell.getPrivateIp());
 
         s_logger.debug("Adding shutdown hook");
-        Runtime.getRuntime().addShutdownHook(new ShutdownThread(this));
+        Runtime.getRuntime().addShutdownHook(_shutdownThread);
 
         _ugentTaskPool =
                 new ThreadPoolExecutor(shell.getPingRetries(), 2 * shell.getPingRetries(), 10, TimeUnit.MINUTES, new SynchronousQueue<Runnable>(), new NamedThreadFactory(
@@ -239,20 +244,39 @@ public String getResourceName() {
         return _resource.getClass().getSimpleName();
     }
 
+    /**
+     * In case of a software based agent restart, this method
+     * can help to perform explicit garbage collection of any old
+     * agent instances and its inner objects.
+     */
+    private void scavengeOldAgentObjects() {
+        _executor.submit(new Runnable() {
+            @Override
+            public void run() {
+                try {
+                    Thread.sleep(2000L);
+                } catch (final InterruptedException ignored) {
+                } finally {
+                    System.gc();
+                }
+            }
+        });
+    }
+
     public void start() {
         if (!_resource.start()) {
             s_logger.error("Unable to start the resource: " + _resource.getName());
             throw new CloudRuntimeException("Unable to start the resource: " + _resource.getName());
         }
 
-        _keystoreSetupPath = Script.findScript("scripts/util/", KeyStoreUtils.keyStoreSetupScript);
+        _keystoreSetupPath = Script.findScript("scripts/util/", KeyStoreUtils.KS_SETUP_SCRIPT);
         if (_keystoreSetupPath == null) {
-            throw new CloudRuntimeException(String.format("Unable to find the '%s' script", KeyStoreUtils.keyStoreSetupScript));
+            throw new CloudRuntimeException(String.format("Unable to find the '%s' script", KeyStoreUtils.KS_SETUP_SCRIPT));
         }
 
-        _keystoreCertImportPath = Script.findScript("scripts/util/", KeyStoreUtils.keyStoreImportScript);
+        _keystoreCertImportPath = Script.findScript("scripts/util/", KeyStoreUtils.KS_IMPORT_SCRIPT);
         if (_keystoreCertImportPath == null) {
-            throw new CloudRuntimeException(String.format("Unable to find the '%s' script", KeyStoreUtils.keyStoreImportScript));
+            throw new CloudRuntimeException(String.format("Unable to find the '%s' script", KeyStoreUtils.KS_IMPORT_SCRIPT));
         }
 
         try {
@@ -274,6 +298,7 @@ public void start() {
             }
         }
         _shell.updateConnectedHost();
+        scavengeOldAgentObjects();
     }
 
     public void stop(final String reason, final String detail) {
@@ -298,14 +323,42 @@ public void stop(final String reason, final String detail) {
             }
             _connection.stop();
             _connection = null;
+            _link = null;
         }
 
         if (_resource != null) {
             _resource.stop();
             _resource = null;
         }
 
-        _ugentTaskPool.shutdownNow();
+        if (_startup != null) {
+            _startup = null;
+        }
+
+        if (_ugentTaskPool != null) {
+            _ugentTaskPool.shutdownNow();
+            _ugentTaskPool = null;
+        }
+
+        if (_executor != null) {
+            _executor.shutdown();
+            _executor = null;
+        }
+
+        if (_timer != null) {
+            _timer.cancel();
+            _timer = null;
+        }
+
+        if (hostLBTimer != null) {
+            hostLBTimer.cancel();
+            hostLBTimer = null;
+        }
+
+        if (certTimer != null) {
+            certTimer.cancel();
+            certTimer = null;
+        }
     }
 
     public Long getId() {
@@ -318,6 +371,15 @@ public void setId(final Long id) {
         _shell.setPersistentProperty(getResourceName(), "id", Long.toString(id));
     }
 
+    private synchronized void scheduleServicesRestartTask() {
+        if (certTimer != null) {
+            certTimer.cancel();
+            certTimer.purge();
+        }
+        certTimer = new Timer("Certificate Renewal Timer");
+        certTimer.schedule(new PostCertificateRenewalTask(this), 5000L);
+    }
+
     private synchronized void scheduleHostLBCheckerTask(final long checkInterval) {
         if (hostLBTimer != null) {
             hostLBTimer.cancel();
@@ -578,6 +640,9 @@ protected void processRequest(final Request request, final Link link) {
                         answer = setupAgentKeystore((SetupKeyStoreCommand) cmd);
                     } else if (cmd instanceof SetupCertificateCommand && ((SetupCertificateCommand) cmd).isHandleByAgent()) {
                         answer = setupAgentCertificate((SetupCertificateCommand) cmd);
+                        if (Host.Type.Routing.equals(_resource.getType())) {
+                            scheduleServicesRestartTask();
+                        }
                     } else if (cmd instanceof SetupDirectDownloadCertificate) {
                         answer = setupDirectDownloadCertificate((SetupDirectDownloadCertificate) cmd);
                     } else if (cmd instanceof SetupMSListCommand) {
@@ -641,7 +706,7 @@ private Answer setupDirectDownloadCertificate(SetupDirectDownloadCertificate cmd
             return new Answer(cmd, false, "Failed to find agent.properties file");
         }
 
-        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultKeystoreFile;
+        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
 
         String cerFile = agentFile.getParent() + "/" + certificateName + ".cer";
         Script.runSimpleBashScript(String.format("echo '%s' > %s", certificate, cerFile));
@@ -666,13 +731,13 @@ public Answer setupAgentKeystore(final SetupKeyStoreCommand cmd) {
         if (agentFile == null) {
             return new Answer(cmd, false, "Failed to find agent.properties file");
         }
-        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultKeystoreFile;
-        final String csrFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultCsrFile;
+        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
+        final String csrFile = agentFile.getParent() + "/" + KeyStoreUtils.CSR_FILENAME;
 
-        String storedPassword = _shell.getPersistentProperty(null, KeyStoreUtils.passphrasePropertyName);
+        String storedPassword = _shell.getPersistentProperty(null, KeyStoreUtils.KS_PASSPHRASE_PROPERTY);
         if (Strings.isNullOrEmpty(storedPassword)) {
             storedPassword = keyStorePassword;
-            _shell.setPersistentProperty(null, KeyStoreUtils.passphrasePropertyName, storedPassword);
+            _shell.setPersistentProperty(null, KeyStoreUtils.KS_PASSPHRASE_PROPERTY, storedPassword);
         }
 
         Script script = new Script(true, _keystoreSetupPath, 60000, s_logger);
@@ -706,10 +771,10 @@ private Answer setupAgentCertificate(final SetupCertificateCommand cmd) {
         if (agentFile == null) {
             return new Answer(cmd, false, "Failed to find agent.properties file");
         }
-        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultKeystoreFile;
-        final String certFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultCertFile;
-        final String privateKeyFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultPrivateKeyFile;
-        final String caCertFile = agentFile.getParent() + "/" + KeyStoreUtils.defaultCaCertFile;
+        final String keyStoreFile = agentFile.getParent() + "/" + KeyStoreUtils.KS_FILENAME;
+        final String certFile = agentFile.getParent() + "/" + KeyStoreUtils.CERT_FILENAME;
+        final String privateKeyFile = agentFile.getParent() + "/" + KeyStoreUtils.PKEY_FILENAME;
+        final String caCertFile = agentFile.getParent() + "/" + KeyStoreUtils.CACERT_FILENAME;
 
         try {
             FileUtils.writeStringToFile(new File(certFile), certificate, Charset.defaultCharset());
@@ -722,7 +787,7 @@ private Answer setupAgentCertificate(final SetupCertificateCommand cmd) {
         Script script = new Script(true, _keystoreCertImportPath, 60000, s_logger);
         script.add(agentFile.getAbsolutePath());
         script.add(keyStoreFile);
-        script.add(KeyStoreUtils.agentMode);
+        script.add(KeyStoreUtils.AGENT_MODE);
         script.add(certFile);
         script.add("");
         script.add(caCertFile);
@@ -1072,6 +1137,60 @@ public void doTask(final Task task) throws TaskExecutionException {
         }
     }
 
+    /**
+     * Task stops the current agent and launches a new agent
+     * when there are no outstanding jobs in the agent's task queue
+     */
+    public class PostCertificateRenewalTask extends ManagedContextTimerTask {
+
+        private Agent agent;
+
+        public PostCertificateRenewalTask(final Agent agent) {
+            this.agent = agent;
+        }
+
+        @Override
+        protected void runInContext() {
+            while (true) {
+                try {
+                    if (_inProgress.get() == 0) {
+                        s_logger.debug("Running post certificate renewal task to restart services.");
+
+                        // Let the resource perform any post certificate renewal cleanups
+                        _resource.executeRequest(new PostCertificateRenewalCommand());
+
+                        IAgentShell shell = agent._shell;
+                        ServerResource resource = agent._resource.getClass().newInstance();
+
+                        // Stop current agent
+                        agent.cancelTasks();
+                        agent._reconnectAllowed = false;
+                        Runtime.getRuntime().removeShutdownHook(agent._shutdownThread);
+                        agent.stop(ShutdownCommand.Requested, "Restarting due to new X509 certificates");
+
+                        // Nullify references for GC
+                        agent._shell = null;
+                        agent._watchList = null;
+                        agent._shutdownThread = null;
+                        agent._controlListeners = null;
+                        agent = null;
+
+                        // Start a new agent instance
+                        shell.launchNewAgent(resource);
+                        return;
+                    }
+                    if (s_logger.isTraceEnabled()) {
+                        s_logger.debug("Other tasks are in progress, will retry post certificate renewal command after few seconds");
+                    }
+                    Thread.sleep(5000);
+                } catch (final Exception e) {
+                    s_logger.warn("Failed to execute post certificate renewal command:", e);
+                    break;
+                }
+            }
+        }
+    }
+
     public class PreferredHostCheckerTask extends ManagedContextTimerTask {
 
         @Override
 
@@ -419,7 +419,7 @@ private void launchAgentFromClassInfo(String resourceClassNames) throws Configur
                 final Constructor<?> constructor = impl.getDeclaredConstructor();
                 constructor.setAccessible(true);
                 ServerResource resource = (ServerResource)constructor.newInstance();
-                launchAgent(getNextAgentId(), resource);
+                launchNewAgent(resource);
             } catch (final ClassNotFoundException e) {
                 throw new ConfigurationException("Resource class not found: " + name + " due to: " + e.toString());
             } catch (final SecurityException e) {
@@ -447,9 +447,10 @@ private void launchAgentFromTypeInfo() throws ConfigurationException {
         s_logger.trace("Launching agent based on type=" + typeInfo);
     }
 
-    private void launchAgent(int localAgentId, ServerResource resource) throws ConfigurationException {
+    public void launchNewAgent(ServerResource resource) throws ConfigurationException {
         // we don't track agent after it is launched for now
-        Agent agent = new Agent(this, localAgentId, resource);
+        _agents.clear();
+        Agent agent = new Agent(this, getNextAgentId(), resource);
         _agents.add(agent);
         agent.start();
     }
 
@@ -19,6 +19,9 @@
 import java.util.Map;
 import java.util.Properties;
 
+import javax.naming.ConfigurationException;
+
+import com.cloud.resource.ServerResource;
 import com.cloud.utils.backoff.BackoffAlgorithm;
 
 public interface IAgentShell {
@@ -66,4 +69,6 @@ public interface IAgentShell {
     void updateConnectedHost();
 
     String getConnectedHost();
+
+    void launchNewAgent(ServerResource resource) throws ConfigurationException;
 }