Fix for downloading uwsgi on centos in lib/apache
On CentOS the lib/apache script in devstack downloads and compiles the uwsgi package. It uses pip-download to pull the uwsgi tar file. However, pip-download does not return the full name of the downloaded file, so right now the script looks for a filename that starts with the prefix "uwsgi". This lookup is case sensitive, so after downloading a file named uWSGI-2.0.19.tar.gz the script was unable to locate it. This change downloads the file to an empty directory and expects it to be the only file there, so the lookup no longer depends on the file's name. Change-Id: I57e6219d675c951880808ced4e26c2344ef15cee Closes-Bug: #1883897
parent
f4b063b207
commit
10877d79d6
69
lib/apache
69
lib/apache
|
@ -73,15 +73,55 @@ function enable_apache_mod {
|
|||
fi
|
||||
}
|
||||
|
||||
function download_and_compile_uwsgi {
|
||||
local build_dir
|
||||
build_dir="$(mktemp -d)"
|
||||
pip_install uwsgi
|
||||
|
||||
# We need to download uwsgi from pip. Since we don't know the full name
|
||||
# of its tar file we will download it to an empty dir. After download
|
||||
# there should be single tar file.
|
||||
local uwsgidir="$build_dir/uwsgidir"
|
||||
mkdir -p "$uwsgidir"
|
||||
pip download uwsgi -c $REQUIREMENTS_DIR/upper-constraints.txt -d "$uwsgidir"
|
||||
|
||||
local downloaded_files
|
||||
downloaded_files=( $(find $uwsgidir/* ) )
|
||||
if [[ "${#downloaded_files[@]}" != "1" ]] ; then
|
||||
echo "Expected single uwsgi tar file. Got: '${downloaded_files[@]}'"
|
||||
sudo rm -rf $build_dir
|
||||
exit 1
|
||||
fi
|
||||
local uwsgitar="${downloaded_files[@]}"
|
||||
|
||||
# Now we can unwrap it somewhere else.
|
||||
local uwsgiout="$build_dir/uwsgiout"
|
||||
mkdir -p $uwsgiout
|
||||
tar xf $uwsgitar -C "$uwsgiout"
|
||||
|
||||
# Unwrapped uwsgi can be wrapped with additional directory so
|
||||
# we need to resolve a path to it.
|
||||
local extracted_files
|
||||
extracted_files=( $(ls $uwsgiout ) )
|
||||
if [[ "${#extracted_files[@]}" == "1" ]] ; then
|
||||
local uwsgipath="$uwsgiout/${extracted_files[0]}"
|
||||
else
|
||||
local uwsgipath="$uwsgiout"
|
||||
fi
|
||||
|
||||
if is_fedora; then
|
||||
sudo apxs -i -c $uwsgipath/apache2/mod_proxy_uwsgi.c
|
||||
else
|
||||
sudo apxs2 -i -c $uwsgipath/apache2/mod_proxy_uwsgi.c
|
||||
fi
|
||||
|
||||
sudo rm -rf $build_dir
|
||||
}
|
||||
|
||||
# NOTE(sdague): Install uwsgi including apache module, we need to get
|
||||
# to 2.0.6+ to get a working mod_proxy_uwsgi. We can probably build a
|
||||
# check for that and do it differently for different platforms.
|
||||
function install_apache_uwsgi {
|
||||
local apxs="apxs2"
|
||||
if is_fedora; then
|
||||
apxs="apxs"
|
||||
fi
|
||||
|
||||
# This varies based on packaged/installed. If we've
|
||||
# pip_installed, then the pip setup will only build a "python"
|
||||
# module that will be either python2 or python3 depending on what
|
||||
|
@ -110,22 +150,7 @@ function install_apache_uwsgi {
|
|||
install_package uwsgi \
|
||||
uwsgi-plugin-python3
|
||||
else
|
||||
# Centos actually has the module in epel, but there was a big
|
||||
# push to disable epel by default. As such, compile from source
|
||||
# there.
|
||||
local dir
|
||||
dir=$(mktemp -d)
|
||||
pushd $dir
|
||||
pip_install uwsgi
|
||||
pip download uwsgi -c $REQUIREMENTS_DIR/upper-constraints.txt
|
||||
local uwsgi
|
||||
uwsgi=$(ls uwsgi*)
|
||||
tar xvf $uwsgi
|
||||
cd uwsgi*/apache2
|
||||
sudo $apxs -i -c mod_proxy_uwsgi.c
|
||||
popd
|
||||
# delete the temp directory
|
||||
sudo rm -rf $dir
|
||||
download_and_compile_uwsgi
|
||||
UWSGI_PYTHON_PLUGIN=python
|
||||
fi
|
||||
|
||||
|
@ -215,7 +240,7 @@ function enable_apache_site {
|
|||
sudo a2ensite ${site}
|
||||
elif is_fedora || is_suse; then
|
||||
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
|
||||
# Do nothing if site already enabled or no site config exists
|
||||
# Do nothing if site already enabled or no site config exists.
|
||||
if [[ -f ${enabled_site_file}.disabled ]] && [[ ! -f ${enabled_site_file} ]]; then
|
||||
sudo mv ${enabled_site_file}.disabled ${enabled_site_file}
|
||||
fi
|
||||
|
|
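Review bot: In download_and_compile_uwsgi the single-file check is the only thing deciding which archive is unpacked and then compiled and installed through `sudo apxs -i -c`, and it is looser than it looks. `find $uwsgidir/*` is unquoted and recursive, and `pip download` without `--no-deps` may place more than the uwsgi sdist in the directory, so the count depends on word splitting and on uwsgi never gaining a dependency; `pip download --no-deps uwsgi -c "$REQUIREMENTS_DIR/upper-constraints.txt" -d "$uwsgidir"` keeps the premise true. After the check, take the element explicitly and quote it: `local uwsgitar="${downloaded_files[0]}"` and `tar xf "$uwsgitar" -C "$uwsgiout"`; the same quoting applies to both `sudo rm -rf $build_dir` calls. The archive is pinned here only through the constraints file, so it may be worth confirming whether a hash check happens elsewhere before root builds from it.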