From bb7bd1c58ecde7acf5ff8a8798c2975a985276f3 Mon Sep 17 00:00:00 2001 
From: Alexey Odinokov Date: Sun, 12 Apr 2020 07:46:08 +0000 Subject: [PATCH] Substituting redfish-emulator and reverse-proxy with Apache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The current implementation of airship-libvirt-gate is using sushy-emulator binary to emulate redfish. Sushy-emulator works only for http and also can’t authenticate users out-of-box if run by itself. In order to check https and authentication the reverse-proxy was introduced. This approach had several drawbacks: 1) http still doesn’t check auth 2) using apache only for https is too heavy a solution This change converts reverse proxy to apache running sushy-emulator as wsgi backend, which gives the ability to check authentication for both http and https. We’re also getting rid of ad-hoc sushy-emulator service and using out-of-box apache service implementation. The code also introduces gathering of apache resulting configs and logs for quicker debugging if needed. Right now authentication is disabled, since manifests are written in a way so they don’t use them. 
If it’s necessary to enable it, just set username here[1] PS There is ability to use apache for http-server [2], but it’s better to do as a separate PR [1] roles/airship-libvirt-gate/defaults/main.yaml [2] roles/http-fileserver Change-Id: I43b5bca41519c88b01535c156b2db0e9edaa81bb --- playbooks/airship-collect-logs.yaml | 2 +- .../tasks/main.yaml | 32 +++- roles/airship-libvirt-gate/defaults/main.yaml | 23 ++- .../tasks/build-infra.yaml | 30 ++-- roles/airship-libvirt-gate/tests/main.yaml | 12 +- roles/airship-libvirt-gate/tests/vars.yaml | 23 ++- roles/apache-server/defaults/main.yml | 27 ++++ roles/apache-server/handlers/main.yml | 31 ++++ roles/apache-server/tasks/htpasswd.yml | 35 +++++ roles/apache-server/tasks/install.yml | 64 ++++++++ .../tasks/main.yml} | 2 +- .../tasks/restart.yml} | 14 +- roles/apache-server/tasks/ssl.yml | 53 +++++++ .../templates}/ssl-params.conf.j2 | 1 - .../defaults/main.yml | 19 +++ .../tasks/backend.yml | 59 +++++++ .../tasks/frontend.yml | 123 +++++++++++++++ .../tasks/main.yml} | 4 +- .../templates/sushy-emulator.wsgi.j2 | 2 + .../templates/wsgi-sushy-emulator-ssl.conf.j2 | 35 +++++ .../templates/wsgi-sushy-emulator.conf.j2 | 29 ++++ .../tests/main.yaml | 13 +- .../tests/vars.yaml | 0 roles/redfish-emulator/tasks/install.yaml | 48 ------ .../templates/sushy-tools.service.j2 | 15 -- roles/redfish-emulator/tests/local-main.retry | 1 - roles/reverse-proxy/defaults/main.yaml | 9 -- roles/reverse-proxy/tasks/dependencies.yaml | 23 --- roles/reverse-proxy/tasks/install.yaml | 103 ------------ roles/reverse-proxy/tasks/main.yaml | 1 - .../sites-available/000-default.conf.j2 | 3 - .../sites-available/default-ssl.conf.j2 | 148 ------------------ tests/ansible/role-test-runner.yaml | 2 +- 33 files changed, 572 insertions(+), 414 deletions(-) rename roles/{airship-gather-sushy-logs => airship-gather-apache-logs}/tasks/main.yaml (53%) create mode 100644 roles/apache-server/defaults/main.yml create mode 100644 
roles/apache-server/handlers/main.yml create mode 100644 roles/apache-server/tasks/htpasswd.yml create mode 100644 roles/apache-server/tasks/install.yml rename roles/{redfish-emulator/tasks/main.yaml => apache-server/tasks/main.yml} (91%) rename roles/{redfish-emulator/handlers/main.yaml => apache-server/tasks/restart.yml} (74%) create mode 100644 roles/apache-server/tasks/ssl.yml rename roles/{reverse-proxy/templates/etc/apache2/conf-available => apache-server/templates}/ssl-params.conf.j2 (88%) create mode 100644 roles/apache-wsgi-sushy-emulator/defaults/main.yml create mode 100644 roles/apache-wsgi-sushy-emulator/tasks/backend.yml create mode 100644 roles/apache-wsgi-sushy-emulator/tasks/frontend.yml rename roles/{redfish-emulator/defaults/main.yaml => apache-wsgi-sushy-emulator/tasks/main.yml} (85%) create mode 100644 roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2 create mode 100644 roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2 create mode 100644 roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2 rename roles/{redfish-emulator => apache-wsgi-sushy-emulator}/tests/main.yaml (80%) rename roles/{redfish-emulator => apache-wsgi-sushy-emulator}/tests/vars.yaml (100%) delete mode 100644 roles/redfish-emulator/tasks/install.yaml delete mode 100644 roles/redfish-emulator/templates/sushy-tools.service.j2 delete mode 100644 roles/redfish-emulator/tests/local-main.retry delete mode 100644 roles/reverse-proxy/defaults/main.yaml delete mode 100644 roles/reverse-proxy/tasks/dependencies.yaml delete mode 100644 roles/reverse-proxy/tasks/install.yaml delete mode 100644 roles/reverse-proxy/tasks/main.yaml delete mode 100644 roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2 delete mode 100644 roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2 
diff --git a/playbooks/airship-collect-logs.yaml b/playbooks/airship-collect-logs.yaml index 07b8f2d12..7c376bf92 100644 --- a/playbooks/airship-collect-logs.yaml +++ b/playbooks/airship-collect-logs.yaml @@ -17,7 +17,7 @@ logs_dir: "/tmp/logs" roles: - gather-system-logs - - airship-gather-sushy-logs + - airship-gather-apache-logs - airship-gather-libvirt-logs - airship-gather-runtime-logs - airship-airshipctl-gather-configs diff --git a/roles/airship-gather-sushy-logs/tasks/main.yaml b/roles/airship-gather-apache-logs/tasks/main.yaml similarity index 53% rename from roles/airship-gather-sushy-logs/tasks/main.yaml rename to roles/airship-gather-apache-logs/tasks/main.yaml index e9d6e4ddf..41d8b76dc 100644 --- a/roles/airship-gather-sushy-logs/tasks/main.yaml +++ b/roles/airship-gather-apache-logs/tasks/main.yaml 
@@ -10,26 +10,42 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: set redfish log dir +- name: set apache log dir set_fact: - redfish_log_dir: "{{ logs_dir }}/redfish" + apache_log_dir: "{{ logs_dir }}/apache" -- name: ensure directory for redfish logs exists +- name: ensure directory for apache logs exists file: state: directory - path: "{{ redfish_log_dir }}" + path: "{{ apache_log_dir }}" -- name: dump sushy-tool logs to directory +- name: dump apache logs to directory shell: |- - journalctl --unit sushy-tools.service > "{{ redfish_log_dir }}/sushy-tools.log" + journalctl --unit apache2.service > "{{ apache_log_dir }}/apache2-service.log" args: executable: /bin/bash ignore_errors: True become: true +- name: copy configs + command: "cp -r /etc/apache2 {{ apache_log_dir }}/configs" + become: true + +- name: copy logs + command: "cp -r /var/log/apache2 {{ apache_log_dir }}/logs" + become: true + +- name: Change ownership of the logs dir + file: + state: directory + recurse: true + owner: "{{ ansible_user }}" + path: "{{ apache_log_dir }}" + become: true + - name: "Downloads logs to executor" synchronize: - src: "{{ redfish_log_dir }}" + src: "{{ apache_log_dir }}" dest: "{{ zuul.executor.log_root }}/{{ inventory_hostname }}" mode: pull - ignore_errors: True \ No newline at end of file + ignore_errors: True diff --git a/roles/airship-libvirt-gate/defaults/main.yaml b/roles/airship-libvirt-gate/defaults/main.yaml index 22f90e12d..9830914b5 100644 --- a/roles/airship-libvirt-gate/defaults/main.yaml +++ b/roles/airship-libvirt-gate/defaults/main.yaml 
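Review bot: The new `copy configs` task copies all of `/etc/apache2` into `{{ apache_log_dir }}/configs`, and frontend.yml in this same change writes the htpasswd files under `/etc/apache2/sites-available/`, so the password hashes are pulled to the executor log root by the `synchronize` task along with the configs. Either keep the htpasswd files outside the copied tree or remove `*.htpasswd` from `{{ apache_log_dir }}/configs` before the chown and download steps. The two `cp -r` tasks also lack the `ignore_errors: True` that the journalctl dump beside them has, so log collection fails outright on a host where Apache was never installed.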
@@ -30,13 +30,22 @@ airship_gate_ipam: provision_network: bridge_ip: "10.23.24.1" -airship_gate_redfish: - hostname: "redfish-emulator" - username: "username" - password: "password" - secure_port: 443 - port: 8000 - bind_address: "127.0.0.1" +airship_gate_redfish_noauth: + servername: "localhost" + ip: + - "127.0.0.1" + - "::1" + http_port: 8000 + +airship_gate_redfish_auth: + servername: "localhost" + ip: + - "127.0.0.1" + - "::1" + https_port: 8443 + user: + - username: "username" + password: "password" airship_gate_flavors: small: diff --git a/roles/airship-libvirt-gate/tasks/build-infra.yaml b/roles/airship-libvirt-gate/tasks/build-infra.yaml index da58dacaf..42d0d6e71 100644 --- a/roles/airship-libvirt-gate/tasks/build-infra.yaml +++ b/roles/airship-libvirt-gate/tasks/build-infra.yaml 
@@ -106,23 +106,23 @@ - network: "{{ airship_gate_names.nat_network }}" - network: "{{ airship_gate_names.provision_network }}" -- name: install apache2 reverse proxy +- name: Add noauth sushy-emulator to apache include_role: - name: reverse-proxy + name: apache-wsgi-sushy-emulator vars: - reverse_proxy_action: "install" - reverse_proxy_hostname: "{{ airship_gate_redfish.hostname }}" - reverse_proxy_username: "{{ airship_gate_redfish.username }}" - reverse_proxy_password: "{{ airship_gate_redfish.password }}" - reverse_proxy_frontend_ip: "{{ airship_gate_redfish.bind_address }}" - reverse_proxy_frontend_port: "{{ airship_gate_redfish.secure_port }}" - reverse_proxy_backend_ip: "{{ airship_gate_redfish.bind_address }}" - reverse_proxy_backend_port: "{{ airship_gate_redfish.port }}" + sushy_emulator_frontend_name: airship_gate_redfish_noauth + sushy_emulator_frontend_servername: "{{ airship_gate_redfish_noauth.servername }}" + sushy_emulator_frontend_ip: "{{ airship_gate_redfish_noauth.ip }}" + sushy_emulator_frontend_http_port: "{{ airship_gate_redfish_noauth.http_port }}" -- name: install and start redfish emulator +- name: Add auth sushy-emulator to apache include_role: - name: redfish-emulator + name: apache-wsgi-sushy-emulator vars: - redfish_action: "install" - redfish_emulator_bind_ip: "{{ airship_gate_redfish.bind_address }}" - redfish_emulator_bind_port: "{{ airship_gate_redfish.port }}" + sushy_emulator_frontend_name: airship_gate_redfish_auth + sushy_emulator_frontend_servername: "{{ airship_gate_redfish_auth.servername }}" + sushy_emulator_frontend_ip: "{{ airship_gate_redfish_auth.ip }}" + sushy_emulator_frontend_https_port: "{{ airship_gate_redfish_auth.https_port }}" + sushy_emulator_frontend_user: "{{ airship_gate_redfish_auth.user }}" + + diff --git a/roles/airship-libvirt-gate/tests/main.yaml b/roles/airship-libvirt-gate/tests/main.yaml index 28fea6b99..9cfb55d59 100644 --- a/roles/airship-libvirt-gate/tests/main.yaml 
+++ b/roles/airship-libvirt-gate/tests/main.yaml @@ -23,9 +23,9 @@ - name: query redfish to make sure it has running domains using HTTPS uri: - url: "https://{{ airship_gate_redfish.bind_address }}:{{ airship_gate_redfish.secure_port }}/redfish/v1/Systems?format=json" - url_username: "{{ airship_gate_redfish.username }}" - url_password: "{{ airship_gate_redfish.password }}" + url: "https://{{ airship_gate_redfish_auth.servername }}:{{ airship_gate_redfish_auth.https_port }}/redfish/v1/Systems?format=json" + url_username: "{{ airship_gate_redfish_auth.user[0].username }}" + url_password: "{{ airship_gate_redfish_auth.user[0].password}}" validate_certs: false method: GET return_content: yes @@ -37,9 +37,9 @@ - name: save ids to list uri: - url: "https://{{ airship_gate_redfish.bind_address }}:{{ airship_gate_redfish.secure_port }}{{ item.value }}?format=json" - url_username: "{{ airship_gate_redfish.username }}" - url_password: "{{ airship_gate_redfish.password }}" + url: "https://{{ airship_gate_redfish_auth.servername }}:{{ airship_gate_redfish_auth.https_port }}{{ item.value }}?format=json" + url_username: "{{ airship_gate_redfish_auth.user[0].username }}" + url_password: "{{ airship_gate_redfish_auth.user[0].password }}" validate_certs: false method: GET return_content: yes diff --git a/roles/airship-libvirt-gate/tests/vars.yaml b/roles/airship-libvirt-gate/tests/vars.yaml index a5c1041fd..0c49f2c9d 100644 --- a/roles/airship-libvirt-gate/tests/vars.yaml +++ b/roles/airship-libvirt-gate/tests/vars.yaml 
@@ -10,13 +10,22 @@ # See the License for the specific language governing permissions and # limitations under the License. -airship_gate_redfish: - hostname: "redfish-emulator" - username: "username" - password: "password" - secure_port: 443 - port: 8000 - bind_address: "127.0.0.1" +airship_gate_redfish_noauth: + servername: "localhost" + ip: + - "127.0.0.1" + - "::1" + http_port: 8000 + +airship_gate_redfish_auth: + servername: "localhost" + ip: + - "127.0.0.1" + - "::1" + https_port: 8443 + user: + - username: "username" + password: "password" airship_gate_names: provision_network: air_prov diff --git a/roles/apache-server/defaults/main.yml b/roles/apache-server/defaults/main.yml new file mode 100644 index 000000000..c4a047162 --- /dev/null +++ b/roles/apache-server/defaults/main.yml @@ -0,0 +1,27 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# install, htpasswd, ssl +apache_server_action: install + +apache_server_htpasswd_path: /etc/apache2/sites-available/.htpasswd +apache_server_htpasswd_user: + - username: username + password: password + +apache_server_ssl_cn: localhost +apache_server_ssl_alt_name: + - "IP:127.0.0.1" + - "IP:::1" +apache_server_ssl_key_path: /etc/ssl/private/.key +apache_server_ssl_cert_path: /etc/ssl/private/.pem + diff --git a/roles/apache-server/handlers/main.yml b/roles/apache-server/handlers/main.yml new file mode 100644 index 000000000..f8f661094 --- /dev/null +++ b/roles/apache-server/handlers/main.yml 
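Review bot: In roles/apache-server/defaults/main.yml, `apache_server_htpasswd_user` defaults to the pair `username`/`password`, so the `when: apache_server_htpasswd_user is defined` guard in tasks/htpasswd.yml is always true and a caller that forgets to override the variable gets a well-known credential. Leaving the variable undefined and documenting it with a comment such as `# apache_server_htpasswd_user: list of {username, password}; no default` would make the guard meaningful. The defaults `/etc/ssl/private/.key` and `/etc/ssl/private/.pem` look like a name was left out, and the certificate default points into `/etc/ssl/private` while the sushy role overrides it to `/etc/ssl/certs`.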
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# handlers file for ansible-apache2
+- name: restart apache2
+ service:
+ name: "apache2"
+ state: "restarted"
+ become: true
+
+- name: reload apache2
+ service:
+ name: "apache2"
+ state: "reloaded"
+ become: true
+
+- name: "restart httpd"
+ service:
+ name: "httpd"
+ state: "restarted"
+ become: true
diff --git a/roles/apache-server/tasks/htpasswd.yml b/roles/apache-server/tasks/htpasswd.yml
new file mode 100644
index 000000000..47d5f16e3
--- /dev/null
+++ b/roles/apache-server/tasks/htpasswd.yml
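Review bot: None of the tasks added in this change appear to `notify` these three handlers; install.yml and restart.yml call `service` directly, so as far as this page shows the handlers are unused. Either wire the template and `a2ensite`/`a2enmod` tasks to `notify: reload apache2`, or drop the file. The header comment `# handlers file for ansible-apache2` names a different role and could read `# handlers for the apache-server role`.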
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Confguring htpasswd
+ become: true
+ block:
+ - name: Ensure needed packages
+ apt:
+ name:
+ - python3-passlib
+ state: present
+
+ - name: Remove older htpasswd file
+ file:
+ path: "{{ apache_server_htpasswd_path }}"
+ state: absent
+
+ - name: Adding users
+ when: apache_server_htpasswd_user is defined
+ htpasswd:
+ path: "{{ apache_server_htpasswd_path }}"
+ name: "{{ item.username }}"
+ password: "{{ item.password }}"
+ with_items: "{{ apache_server_htpasswd_user }}"
+
diff --git a/roles/apache-server/tasks/install.yml b/roles/apache-server/tasks/install.yml
new file mode 100644
index 000000000..d0804622c
--- /dev/null
+++ b/roles/apache-server/tasks/install.yml
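Review bot: The `Adding users` loop prints each `item`, including `item.password`, in the task output, and the htpasswd file is created with default ownership and mode. Adding `no_log: true` to that task (or `loop_control:` with `label: "{{ item.username }}"`) keeps the cleartext password out of the job log. Setting `owner: root`, `group: www-data`, `mode: "0640"` on the `htpasswd` task restricts the hash file to Apache; the group name is an assumption for Debian/Ubuntu. The `apt` task has no distribution guard, although tasks/install.yml also has a CentOS/RHEL branch.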
@@ -0,0 +1,64 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: redhat | ensuring apache packages are present
+ become: true
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name:
+ - httpd
+ update_cache: yes
+ state: present
+
+- name: ubuntu | ensuring apache packages are present
+ become: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ apt:
+ name:
+ - apache2
+ update_cache: yes
+ state: present
+
+- name: Disable default virtual host
+ become: true
+ command: a2dissite 000-default
+
+- name: Enable ssl module
+ become: true
+ command: a2enmod headers ssl
+
+- name: Add ssl configuration
+ become: true
+ template:
+ src: ssl-params.conf.j2
+ dest: /etc/apache2/conf-available/ssl-params.conf
+
+- name: Enable ssl configuration
+ become: true
+ command: a2enconf ssl-params
+
+- name: redhat | enabling apache on boot and starting
+ become: true
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ service:
+ name: httpd
+ state: started
+ enabled: true
+
+- name: Reload apache2 service
+ become: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ service:
+ name: apache2
+ state: reloaded
+
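Review bot: The `a2dissite`, `a2enmod` and `a2enconf` commands and the template written to `/etc/apache2/conf-available/` have no `when:`, although the file installs `httpd` on CentOS/RHEL, where those tools and paths are not present, so the RedHat branch cannot run to completion. Guard the four tasks with `when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'`, or fail early on other distributions as the apache-wsgi-sushy-emulator role does. The three `command:` tasks also report changed on every run; the `apache2_module` module or a `changed_when:` on the command output would make the role idempotent.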
diff --git a/roles/redfish-emulator/tasks/main.yaml b/roles/apache-server/tasks/main.yml similarity index 91% rename from roles/redfish-emulator/tasks/main.yaml rename to roles/apache-server/tasks/main.yml index a162cbc37..7887da259 100644 --- a/roles/redfish-emulator/tasks/main.yaml +++ b/roles/apache-server/tasks/main.yml @@ -10,4 +10,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: "{{ redfish_action }}.yaml" +- include_tasks: "{{ apache_server_action }}.yml" diff --git a/roles/redfish-emulator/handlers/main.yaml b/roles/apache-server/tasks/restart.yml similarity index 74% rename from roles/redfish-emulator/handlers/main.yaml rename to roles/apache-server/tasks/restart.yml index 13e044e43..afc515ca5 100644 --- a/roles/redfish-emulator/handlers/main.yaml +++ b/roles/apache-server/tasks/restart.yml @@ -10,14 +10,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: reload systemd configuration - become: yes - systemd: - daemon_reload: yes - -- name: restart sushy-emulator - become: yes +- name: Reload apache2 service + become: true service: - name: sushy-tools - state: restarted - enabled: true \ No newline at end of file + name: apache2 + state: reloaded diff --git a/roles/apache-server/tasks/ssl.yml b/roles/apache-server/tasks/ssl.yml new file mode 100644 index 000000000..7ab988d28 --- /dev/null +++ b/roles/apache-server/tasks/ssl.yml 
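Review bot: In tasks/restart.yml the action is named `restart`, and frontend.yml calls it under "Restart Apache to apply all changes", but the task is `Reload apache2 service` with `state: reloaded`. The callers enable new modules and add `Listen` ports beforehand, and a reload may not be enough for those to take effect, so `state: restarted` looks like the intended behaviour. If a graceful reload is what is wanted, rename the file and the action to `reload` so the name matches what runs.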
@@ -0,0 +1,53 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Generating ssl key & certificate
+ become: true
+ block:
+ - name: Ensure needed packages
+ apt:
+ name:
+ - python3-passlib
+ - python3-openssl
+ state: present
+
+ - name: Generate private key
+ openssl_privatekey:
+ path: "{{ apache_server_ssl_key_path }}"
+
+ - name: Create temporary CSR file
+ tempfile:
+ state: file
+ suffix: csr
+ register: csr_tempfile
+
+ - name: Generate CSR
+ openssl_csr:
+ path: "{{ csr_tempfile.path }}"
+ privatekey_path: "{{ apache_server_ssl_key_path }}"
+ common_name: "{{ apache_server_ssl_cn }}"
+ subject_alt_name: "{{ apache_server_ssl_alt_name }}"
+
+ - name: Generate the self signed certificate for sushy-emulator
+ openssl_certificate:
+ path: "{{ apache_server_ssl_cert_path }}"
+ privatekey_path: "{{ apache_server_ssl_key_path }}"
+ csr_path: "{{ csr_tempfile.path }}"
+ provider: selfsigned
+
+ always:
+ - name: Cleanup CSR file
+ file:
+ path: "{{ csr_tempfile.path }}"
+ state: absent
+ when: csr_tempfile.path is defined
+
diff --git a/roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2 b/roles/apache-server/templates/ssl-params.conf.j2
similarity index 88%
rename from roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2
rename to roles/apache-server/templates/ssl-params.conf.j2
index 91867779f..4fcb1d338 100644
--- a/roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2
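Review bot: `python3-passlib` is installed in tasks/ssl.yml, but none of the `openssl_*` tasks in the file use it; it looks carried over from htpasswd.yml and can be dropped from the `apt` list. The `apt` task is also unguarded by distribution. A comment above the block would help readers of the tests that set `validate_certs: false`; it should say that the key and the self-signed certificate are written to `apache_server_ssl_key_path` and `apache_server_ssl_cert_path`, and that clients must either trust that certificate or disable validation.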
+++ b/roles/apache-server/templates/ssl-params.conf.j2 @@ -14,4 +14,3 @@ SSLSessionTickets Off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" -#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/{{ reverse_proxy_hostname }}-dhparam.pem" diff --git a/roles/apache-wsgi-sushy-emulator/defaults/main.yml b/roles/apache-wsgi-sushy-emulator/defaults/main.yml new file mode 100644 index 000000000..200322a48 --- /dev/null +++ b/roles/apache-wsgi-sushy-emulator/defaults/main.yml @@ -0,0 +1,19 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +sushy_emulator_action: frontend +sushy_emulator_frontend_name: wsgi-sushy-emulator +sushy_emulator_frontend_ip: + - "127.0.0.1" + - "::1" +sushy_emulator_frontend_servername: "localhost" +sushy_emulator_frontend_check: true diff --git a/roles/apache-wsgi-sushy-emulator/tasks/backend.yml b/roles/apache-wsgi-sushy-emulator/tasks/backend.yml new file mode 100644 index 000000000..cac35c00e --- /dev/null +++ b/roles/apache-wsgi-sushy-emulator/tasks/backend.yml 
@@ -0,0 +1,59 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ensure OS
+ when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'
+ fail:
+ msg: "Only Debian|Ubuntu are currently supported"
+
+- name: Preparing wsgi module for sushy-emulator
+ become: true
+ block:
+
+ - name: Ensure Apache
+ include_role:
+ name: apache-server
+
+ - name: Install needed packages
+ apt:
+ name:
+ - python3-pip
+ - libapache2-mod-wsgi-py3
+ state: present
+
+ - name: Install sushy-tools
+ pip:
+ name: sushy-tools
+ executable: pip3
+
+ - name: Create a used wsgi will run with
+ user:
+ name: wsgiapp-sushy
+ groups: libvirt
+ state: present
+ system: yes
+
+ - name: Create sushy-emulator wsgi dir
+ file:
+ path: /var/www/sushy-emulator/
+ state: directory
+ owner: wsgiapp-sushy
+ group: wsgiapp-sushy
+ mode: u+rwx,g-w,o-w
+
+ - name: Created sushy-emulator wsgi file
+ template:
+ src: sushy-emulator.wsgi.j2
+ dest: /var/www/sushy-emulator/sushy-emulator.wsgi
+ owner: wsgiapp-sushy
+ group: wsgiapp-sushy
+
diff --git a/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml b/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml
new file mode 100644
index 000000000..2946b94a8
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml
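Review bot: `/var/www/sushy-emulator/` and `sushy-emulator.wsgi` are owned by `wsgiapp-sushy`, the same account the WSGI daemon runs as (`user=wsgiapp-sushy` in the vhost templates), so the service can rewrite its own entry script. Using `owner: root`, `group: wsgiapp-sushy` with `mode: "0750"` on the directory and `mode: "0640"` on the file keeps both read-only to the daemon. `pip: name: sushy-tools` installs whatever is latest on the index as root; adding `version:` would pin it and make the gate reproducible. The task name `Create a used wsgi will run with` presumably means "user".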
@@ -0,0 +1,123 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +- name: ensure OS + when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu' + fail: + msg: "Only Debian|Ubuntu are currently supported" + +- name: Confguring sushy-emulator frontend + become: true + block: + - name: Ensure sushy-emulator backend + include_role: + name: apache-wsgi-sushy-emulator + vars: + sushy_emulator_action: backend + + - name: Create htpasswd file + when: sushy_emulator_frontend_user is defined + include_role: + name: apache-server + vars: + apache_server_action: htpasswd + apache_server_htpasswd_path: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd" + apache_server_htpasswd_user: "{{ sushy_emulator_frontend_user }}" + + - name: Create sushy-emulator HTTP virtual host config + when: sushy_emulator_frontend_http_port is defined + block: + - name: Create sushy-emulator virtual host config for HTTP + template: + src: wsgi-sushy-emulator.conf.j2 + dest: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.conf" + + - name: Enable sushy-emulator virtual host + command: "a2ensite {{ sushy_emulator_frontend_name }}" + + - name: Create sushy-emulator HTTPS virtual host config + when: sushy_emulator_frontend_https_port is defined + block: + - name: Generate certs for casewith alt_names + when: sushy_emulator_frontend_ip is defined + include_role: + name: apache-server + vars: + apache_server_action: ssl + apache_server_ssl_key_path: 
"/etc/ssl/private/{{ sushy_emulator_frontend_name }}.key" + apache_server_ssl_cert_path: "/etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem" + apache_server_ssl_cn: "{{ sushy_emulator_frontend_servername }}" + apache_server_ssl_alt_name: "{{ sushy_emulator_frontend_ip | map('regex_replace', '(.*)', 'IP:\\1') | list }}" + + - name: Generate certs for case without alt_names + when: sushy_emulator_frontend_ip is undefined + include_role: + name: apache-server + vars: + apache_server_action: ssl + apache_server_ssl_key_path: "/etc/ssl/private/{{ sushy_emulator_frontend_name }}.key" + apache_server_ssl_cert_path: "/etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem" + apache_server_ssl_cn: "{{ sushy_emulator_frontend_servername }}" + + - name: Create sushy-emulator virtual host config for HTTPS + template: + src: wsgi-sushy-emulator-ssl.conf.j2 + dest: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}-ssl.conf" + + - name: Enable sushy-emulator virtual host + command: "a2ensite {{ sushy_emulator_frontend_name }}-ssl" + + - name: Restart Apache to apply all changes + include_role: + name: apache-server + vars: + apache_server_action: restart + +- name: Sanity check for HTTP + when: sushy_emulator_frontend_check and sushy_emulator_frontend_http_port is defined + block: + - name: Check without auth + when: sushy_emulator_frontend_user is undefined + uri: + url: http://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_http_port }}/redfish/v1/Systems?format=json + method: GET + return_content: yes + - name: Check with auth + when: sushy_emulator_frontend_user is defined + uri: + url: http://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_http_port }}/redfish/v1/Systems?format=json + url_username: "{{ sushy_emulator_frontend_user[0].username }}" + url_password: "{{ sushy_emulator_frontend_user[0].password }}" + method: GET + return_content: yes + +- name: Sanity check for HTTPS + when: sushy_emulator_frontend_check and 
sushy_emulator_frontend_https_port is defined + block: + - name: Check without auth + when: sushy_emulator_frontend_user is undefined + uri: + url: https://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_https_port }}/redfish/v1/Systems?format=json + method: GET + validate_certs: false + return_content: yes + - name: Check with auth + when: sushy_emulator_frontend_user is defined + uri: + url: https://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_https_port }}/redfish/v1/Systems?format=json + url_username: "{{ sushy_emulator_frontend_user[0].username }}" + url_password: "{{ sushy_emulator_frontend_user[0].password }}" + validate_certs: false + method: GET + return_content: yes + diff --git a/roles/redfish-emulator/defaults/main.yaml b/roles/apache-wsgi-sushy-emulator/tasks/main.yml similarity index 85% rename from roles/redfish-emulator/defaults/main.yaml rename to roles/apache-wsgi-sushy-emulator/tasks/main.yml index c56a21d7b..10c2f2929 100644 --- a/roles/redfish-emulator/defaults/main.yaml +++ b/roles/apache-wsgi-sushy-emulator/tasks/main.yml @@ -10,6 +10,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -redfish_action: install -redfish_emulator_bind_ip: 127.0.0.1 -redfish_emulator_bind_port: 8000 \ No newline at end of file +- include_tasks: "{{ sushy_emulator_action }}.yml" diff --git a/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2 b/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2 new file mode 100644 index 000000000..55820ce50 --- /dev/null +++ b/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2 @@ -0,0 +1,2 @@ +from sushy_tools.emulator.main import app as application + diff --git a/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2 b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2 new file mode 100644 index 000000000..00e234b40 --- /dev/null 
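Review bot: In `Generate certs for casewith alt_names` in tasks/frontend.yml, `map('regex_replace', '(.*)', 'IP:\\1')` relies on `(.*)` matching only once per string. On Python 3.7 and later `re.sub` also replaces the empty match at the end of the string, which would turn `127.0.0.1` into `IP:127.0.0.1IP:` and give `openssl_csr` an invalid subjectAltName. Anchoring the pattern avoids this on every interpreter version: `map('regex_replace', '^(.*)$', 'IP:\\1')`. Separately, both `a2ensite` commands report changed on every run.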
+++ b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2
@@ -0,0 +1,35 @@
+
+{% if sushy_emulator_frontend_https_port != 443 %}
+ Listen {{ sushy_emulator_frontend_https_port }}
+{% endif %}
+
+ # Add machine's IP address (use ifconfig command)
+ ServerName {{ sushy_emulator_frontend_servername }}
+ # Give an alias to to start your website url with
+ WSGIDaemonProcess wsgiapp-{{ sushy_emulator_frontend_name }}-https user=wsgiapp-sushy processes=2 threads=5
+ WSGIScriptAlias / /var/www/sushy-emulator/sushy-emulator.wsgi
+
+ # set permissions as per apache2.conf file
+ WSGIProcessGroup wsgiapp-{{ sushy_emulator_frontend_name }}-https
+ Options FollowSymLinks
+ AllowOverride None
+ Require all granted
+
+{% if sushy_emulator_frontend_user is defined %}
+
+ AuthType Basic
+ AuthName "Authentication Required"
+ AuthUserFile /etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd
+ Require valid-user
+
+{% endif %}
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem
+ SSLCertificateKeyFile /etc/ssl/private/{{ sushy_emulator_frontend_name }}.key
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+
+
diff --git a/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2 b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2
new file mode 100644
index 000000000..015a0b060
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2
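Review bot: `Listen {{ sushy_emulator_frontend_https_port }}` carries no address, so Apache binds the port on every interface, whereas the removed emulator defaults bound to `127.0.0.1`. The same applies to `Listen {{ sushy_emulator_frontend_http_port }}` in wsgi-sushy-emulator.conf.j2, where the vhost is served without authentication when no user is set. The `<VirtualHost>` line is not visible in this rendering; unless it restricts by address, emit one `Listen` per entry of `sushy_emulator_frontend_ip`, with IPv6 entries in brackets (`Listen 127.0.0.1:8443`, `Listen [::1]:8443`). Both templates also log to the shared `error.log` and `access.log`; per-vhost file names would make the gathered logs easier to attribute.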
@@ -0,0 +1,29 @@ +{% if sushy_emulator_frontend_http_port != 80 %} +Listen {{ sushy_emulator_frontend_http_port }} +{% endif %} + + # Add machine's IP address (use ifconfig command) + ServerName {{ sushy_emulator_frontend_servername }} + # Give an alias to to start your website url with + WSGIDaemonProcess wsgiapp-{{ sushy_emulator_frontend_name }} user=wsgiapp-sushy processes=2 threads=5 + WSGIScriptAlias / /var/www/sushy-emulator/sushy-emulator.wsgi + + # set permissions as per apache2.conf file + WSGIProcessGroup wsgiapp-{{ sushy_emulator_frontend_name }} + Options FollowSymLinks + AllowOverride None + Require all granted + +{% if sushy_emulator_frontend_user is defined %} + + AuthType Basic + AuthName "Authentication Required" + AuthUserFile /etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd + Require valid-user + +{% endif %} + ErrorLog ${APACHE_LOG_DIR}/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/access.log combined + + diff --git a/roles/redfish-emulator/tests/main.yaml b/roles/apache-wsgi-sushy-emulator/tests/main.yaml similarity index 80% rename from roles/redfish-emulator/tests/main.yaml rename to roles/apache-wsgi-sushy-emulator/tests/main.yaml index 405eb559e..9dff9a735 100644 --- a/roles/redfish-emulator/tests/main.yaml +++ b/roles/apache-wsgi-sushy-emulator/tests/main.yaml @@ -31,12 +31,19 @@ - name: create libvirt domains include_role: name: libvirt-domain -- name: install sushy-tools +- name: install apache-wsgi-sushy-emulator include_role: - name: redfish-emulator + name: apache-wsgi-sushy-emulator + vars: + sushy_emulator_frontend_http_port: 80 + sushy_emulator_frontend_user: + - username: "user" + password: "password" - name: query redfish to make sure it has runnig domains uri: - url: http://localhost:8000/redfish/v1/Systems?format=json + url: http://localhost:80/redfish/v1/Systems?format=json + url_username: "user" + url_password: "password" method: GET return_content: yes register: sushy_response 
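Review bot: The `AuthType Basic` block in this plain-HTTP virtual host sends the username and password base64-encoded but unencrypted on every request. It also points at the same `{{ sushy_emulator_frontend_name }}.htpasswd` path as the HTTPS template, so anyone who can observe the HTTP traffic learns credentials that are also valid on the TLS port. For a gate that runs on an isolated host this may be acceptable, but the template should say so, for example with `# Basic auth over plain HTTP is unencrypted; enable only on an isolated test network` above `AuthType Basic`. If the HTTP listener can ever be reached from outside the host, a separate htpasswd file for it would keep the HTTPS credentials from being exposed.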
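Review bot: The updated test in roles/apache-wsgi-sushy-emulator/tests/main.yaml only exercises the authenticated path, so it would still pass if the role rendered the virtual host without the auth block and served every client. Since the role is now invoked with `sushy_emulator_frontend_user`, a second `uri` task that sends no credentials and expects a 401 would pin the behaviour this commit adds. The task list continues past `register: sushy_response`, outside this hunk, so the new task belongs after the existing checks on that response.

```yaml
# … unchanged: install apache-wsgi-sushy-emulator, authenticated query …
- name: query redfish without credentials and expect 401
  uri:
    url: http://localhost:80/redfish/v1/Systems?format=json
    method: GET
    status_code: 401
```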
diff --git a/roles/redfish-emulator/tests/vars.yaml b/roles/apache-wsgi-sushy-emulator/tests/vars.yaml similarity index 100% rename from roles/redfish-emulator/tests/vars.yaml rename to roles/apache-wsgi-sushy-emulator/tests/vars.yaml diff --git a/roles/redfish-emulator/tasks/install.yaml b/roles/redfish-emulator/tasks/install.yaml deleted file mode 100644 index 95dd0ad89..000000000 --- a/roles/redfish-emulator/tasks/install.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- block: - - name: Ensuring python3-pip and support packages are present - when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' - fail: - msg: "CentoOS or RHEL is not currently supported" - - - name: Ensuring python3-pip and support packages are present - become: true - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - apt: - name: - - python3-pip - - python3-libvirt - state: present - - - name: Install sushy-tools - pip: - name: sushy-tools - executable: pip3 - become: true - -- name: install systemd sushy service unit - become: true - template: - src: sushy-tools.service.j2 - dest: /etc/systemd/system/sushy-tools.service - notify: - - reload systemd configuration - - restart sushy-emulator - -- name: start sushy-emulator service - become: true - service: - name: sushy-tools - state: started - enabled: true 
diff --git a/roles/redfish-emulator/templates/sushy-tools.service.j2 b/roles/redfish-emulator/templates/sushy-tools.service.j2 deleted file mode 100644 index db132020a..000000000 --- a/roles/redfish-emulator/templates/sushy-tools.service.j2 +++ /dev/null @@ -1,15 +0,0 @@ -# This file is part of sushy-emulator (redfish). -# - -[Unit] -Description=Sushy Libvirt emulator -After=syslog.target - -[Service] -Type=simple -ExecStart=/usr/local/bin/sushy-emulator -i {{ redfish_emulator_bind_ip }} -p {{ redfish_emulator_bind_port }} --libvirt-uri "qemu:///system" -StandardOutput=syslog -StandardError=syslog - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/redfish-emulator/tests/local-main.retry b/roles/redfish-emulator/tests/local-main.retry deleted file mode 100644 index e06aca39a..000000000 --- a/roles/redfish-emulator/tests/local-main.retry +++ /dev/null @@ -1 +0,0 @@ -primary diff --git a/roles/reverse-proxy/defaults/main.yaml b/roles/reverse-proxy/defaults/main.yaml deleted file mode 100644 index 37318bbf2..000000000 --- a/roles/reverse-proxy/defaults/main.yaml +++ /dev/null @@ -1,9 +0,0 @@ -reverse_proxy_action: install - -reverse_proxy_hostname: "redfish-emulator" -reverse_proxy_username: "username" -reverse_proxy_password: "password" -reverse_proxy_frontend_ip: "127.0.0.1" -reverse_proxy_frontend_port: 443 -reverse_proxy_backend_ip: "127.0.0.1" -reverse_proxy_backend_port: 8000 diff --git a/roles/reverse-proxy/tasks/dependencies.yaml b/roles/reverse-proxy/tasks/dependencies.yaml deleted file mode 100644 index a0ebb508c..000000000 --- a/roles/reverse-proxy/tasks/dependencies.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -- block: - - name: Ensuring python3-pip and support packages are present - when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' - fail: - msg: "CentoOS or RHEL is not currently supported" - - - name: Ensuring python3-pip and support packages are present - become: true - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - apt: - name: - - python3-pip - - python3-libvirt - state: present - - - name: Install required pip packages - pip: - name: "{{ item }}" - executable: pip3 - with_items: - - pyOpenSSL - - passlib - become: true diff --git a/roles/reverse-proxy/tasks/install.yaml b/roles/reverse-proxy/tasks/install.yaml deleted file mode 100644 index ba2a3a5bb..000000000 --- a/roles/reverse-proxy/tasks/install.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -- name: Install dependencies - include_tasks: dependencies.yaml - -- name: Install apache2 package - apt: - name: apache2 - state: present - become: true - -- name: Disable default virtualhost - file: - path: /etc/apache2/sites-enabled/000-default.conf - state: absent - become: true - -- name: Enable proxy related modules - apache2_module: - name: "{{ item }}" - state: present - with_items: - - headers - - proxy - - proxy_http - - rewrite - - ssl - become: true - -- name: Generate private key for "{{ reverse_proxy_hostname }}" - openssl_privatekey: - path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem - become: true - -- name: Generate CSR for "{{ reverse_proxy_hostname }}" - openssl_csr: - path: /tmp/{{ reverse_proxy_hostname }}.csr - privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem - common_name: "{{ reverse_proxy_hostname }}" - subject_alt_name: "IP:{{ reverse_proxy_frontend_ip }}" - become: true - -- name: Generate the self signed certificate for "{{ reverse_proxy_hostname }}" - openssl_certificate: - path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-cert.pem - privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem - csr_path: /tmp/{{ reverse_proxy_hostname }}.csr - provider: selfsigned - become: true - -# TODO: Using dhparam can be good to have for HTTPS virtual host -# But it takes too much time to generate for each run. -# It can be enabled if necessary at a later point. 
-#- name: Generate Diffie-Hellman parameters with the default size (4096 bits) -# openssl_dhparam: -# path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-dhparams.pem - -- name: Remove older htpasswd file - file: - path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd - state: absent - become: true - -- name: Create username and password for basic authentication - htpasswd: - path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd - name: "{{ reverse_proxy_username }}" - password: "{{ reverse_proxy_password }}" - become: true - -- name: Add default virtual host - template: - src: etc/apache2/sites-available/000-default.conf.j2 - dest: /etc/apache2/sites-available/000-default.conf - become: true - -- name: Add ssl virtual host - template: - src: etc/apache2/sites-available/default-ssl.conf.j2 - dest: /etc/apache2/sites-available/default-ssl.conf - become: true - -- name: Add ssl configuration - template: - src: etc/apache2/conf-available/ssl-params.conf.j2 - dest: /etc/apache2/conf-available/ssl-params.conf - become: true - -- name: Enable default virtual host - command: a2ensite 000-default - become: true - -- name: Enable ssl virtual host - command: a2ensite default-ssl - become: true - -- name: Enable ssl configuration - command: a2enconf ssl-params - become: true - -- name: Reload apache2 service - service: - name: apache2 - state: reloaded - become: true diff --git a/roles/reverse-proxy/tasks/main.yaml b/roles/reverse-proxy/tasks/main.yaml deleted file mode 100644 index 2f4233beb..000000000 --- a/roles/reverse-proxy/tasks/main.yaml +++ /dev/null @@ -1 +0,0 @@ -- include_tasks: "{{ reverse_proxy_action }}.yaml" diff --git a/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2 b/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2 deleted file mode 100644 index c6840c506..000000000 --- a/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2 +++ /dev/null 
@@ -1,3 +0,0 @@ - - Redirect permanent "/" "https://{{ reverse_proxy_frontend_ip }}:{{ reverse_proxy_frontend_port }}/" - diff --git a/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2 b/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2 deleted file mode 100644 index dbffe7658..000000000 --- a/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2 +++ /dev/null 
@@ -1,148 +0,0 @@ - - - ServerAdmin webmaster@localhost - ServerName {{ reverse_proxy_hostname }} - - DocumentRoot /var/www/html - - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/ssl/certs/{{ reverse_proxy_hostname }}-cert.pem - SSLCertificateKeyFile /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. 
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/ssl/certs/ - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl/ - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. 
- # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - # BrowserMatch "MSIE [2-6]" \ - # nokeepalive ssl-unclean-shutdown \ - # downgrade-1.0 force-response-1.0 - - - Order deny,allow - Allow from all - Authtype Basic - Authname "Password based authentication" - AuthUserFile /etc/apache2/{{ reverse_proxy_hostname }}-passwd - Require valid-user - - - ProxyPreserveHost On - - ProxyPass / http://{{ reverse_proxy_backend_ip }}:{{ reverse_proxy_backend_port }}/ - ProxyPassReverse / http://{{ reverse_proxy_backend_ip }}:{{ reverse_proxy_backend_port }}/ - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/tests/ansible/role-test-runner.yaml b/tests/ansible/role-test-runner.yaml index 622dc978c..17b00f542 100644 --- a/tests/ansible/role-test-runner.yaml +++ b/tests/ansible/role-test-runner.yaml @@ -20,7 +20,7 @@ - libvirt-pool - libvirt-volume - libvirt-domain - - redfish-emulator + - apache-wsgi-sushy-emulator - airship-libvirt-gate - http-fileserver - name: run tests against defined roles