Merge "Use apache for tls-proxy ssl termination"

This commit is contained in:
Jenkins 2016-09-21 18:19:40 +00:00 committed by Gerrit Code Review
commit a2d1848419
12 changed files with 102 additions and 38 deletions

View File

@ -1 +1 @@
stud
apache2

View File

@ -2304,6 +2304,16 @@ function stop_service {
fi
}
# Service wrapper to stop services
# reload_service service-name
function reload_service {
if [ -x /bin/systemctl ]; then
sudo /bin/systemctl reload $1
else
sudo service $1 reload
fi
}
# Test with a finite retry loop.
#
function test_with_retry {

View File

@ -42,24 +42,40 @@ fi
# Functions
# ---------
# Enable apache mod and restart apache if it isn't already enabled.
function enable_apache_mod {
local mod=$1
# Apache installation, because we mark it NOPRIME
if is_ubuntu || is_suse ; then
if ! a2query -m $mod ; then
sudo a2enmod $mod
restart_apache_server
fi
elif is_fedora; then
# pass
true
else
exit_distro_not_supported "apache enable mod"
fi
}
# install_apache_wsgi() - Install Apache server and wsgi module
function install_apache_wsgi {
# Apache installation, because we mark it NOPRIME
if is_ubuntu; then
# Install apache2, which is NOPRIME'd
install_package apache2 libapache2-mod-wsgi
# WSGI isn't enabled by default, enable it
sudo a2enmod wsgi
elif is_fedora; then
sudo rm -f /etc/httpd/conf.d/000-*
install_package httpd mod_wsgi
elif is_suse; then
install_package apache2 apache2-mod_wsgi
# WSGI isn't enabled by default, enable it
sudo a2enmod wsgi
else
exit_distro_not_supported "apache installation"
exit_distro_not_supported "apache wsgi installation"
fi
# WSGI isn't enabled by default, enable it
enable_apache_mod wsgi
# ensure mod_version enabled for <IfVersion ...>. This is
# built-in statically on anything recent, but precise (2.2)
@ -192,6 +208,11 @@ function restart_apache_server {
time_stop "restart_apache_server"
}
# reload_apache_server
function reload_apache_server {
reload_service $APACHE_NAME
}
# Restore xtrace
$_XTRACE_LIB_APACHE

View File

@ -305,8 +305,8 @@ function configure_cinder {
if is_service_enabled tls-proxy; then
# Set the service port for a proxy to take the original
iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
fi
if [ "$SYSLOG" != "False" ]; then
@ -534,7 +534,7 @@ function start_cinder {
# Start proxies if enabled
if is_service_enabled c-api && is_service_enabled tls-proxy; then
start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT &
start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT
fi
}

View File

@ -383,8 +383,8 @@ function install_glance {
function start_glance {
local service_protocol=$GLANCE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT &
start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT &
start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT
start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT
fi
run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"

View File

@ -611,8 +611,8 @@ function start_keystone {
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.

View File

@ -412,7 +412,7 @@ function start_neutron_api {
# Start proxy if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT &
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
fi
}

View File

@ -462,7 +462,7 @@ function start_neutron_service_and_check {
# Start proxy if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT &
start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
fi
}

View File

@ -808,7 +808,7 @@ function start_nova_api {
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT
fi
export PATH=$old_path

View File

@ -806,7 +806,7 @@ function start_swift {
done
if is_service_enabled tls-proxy; then
local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT &
start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
fi
run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
if [[ ${SWIFT_REPLICAS} == 1 ]]; then

76
lib/tls
View File

@ -16,7 +16,6 @@
#
# - configure_CA
# - init_CA
# - cleanup_CA
# - configure_proxy
# - start_tls_proxy
@ -221,19 +220,6 @@ function init_CA {
fi
}
# Clean up the CA files
# cleanup_CA
function cleanup_CA {
if is_fedora; then
sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
sudo update-ca-trust
elif is_ubuntu; then
sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
sudo update-ca-certificates
fi
}
# Create an initial server cert
# init_cert
function init_cert {
@ -455,26 +441,72 @@ function enable_mod_ssl {
# Starts the TLS proxy for the given IP/ports
# start_tls_proxy front-host front-port back-host back-port
function start_tls_proxy {
local f_host=$1
local f_port=$2
local b_host=$3
local b_port=$4
local b_service="$1-tls-proxy"
local f_host=$2
local f_port=$3
local b_host=$4
local b_port=$5
stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
local config_file
config_file=$(apache_site_config_for $b_service)
local listen_string
# Default apache configs on ubuntu and centos listen on 80 and 443
# newer apache seems fine with duplicate listen directive but older
# apache does not so special case 80 and 443.
if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
listen_string=""
elif [[ "$f_host" == '*' ]] ; then
listen_string="Listen $f_port"
else
listen_string="Listen $f_host:$f_port"
fi
sudo bash -c "cat >$config_file" << EOF
$listen_string
<VirtualHost $f_host:$f_port>
SSLEngine On
SSLCertificateFile $DEVSTACK_CERT
<Location />
ProxyPass http://$b_host:$b_port/ retry=5 nocanon
ProxyPassReverse http://$b_host:$b_port/
</Location>
</VirtualHost>
EOF
for mod in ssl proxy proxy_http; do
enable_apache_mod $mod
done
enable_apache_site $b_service
# Only a reload is required to pull in new vhosts
# Note that a restart reliably fails on centos7 and trusty
# because apache can't open port 80 because the old apache
# still has it open. Using reload fixes trusty but centos7
# still doesn't work.
reload_apache_server
}
# Cleanup Functions
# =================
# Stops all stud processes. This should be done only after all services
# Stops the apache service. This should be done only after all services
# using tls configuration are down.
function stop_tls_proxy {
killall stud
stop_apache_server
}
# Remove CA along with configuration, as well as the local server certificate
# Clean up the CA files
# cleanup_CA
function cleanup_CA {
if is_fedora; then
sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
sudo update-ca-trust
elif is_ubuntu; then
sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
sudo update-ca-certificates
fi
rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
}

View File

@ -1052,6 +1052,7 @@ EOF
if is_service_enabled tls-proxy; then
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi
source $TOP_DIR/userrc_early