From e01693992d7a0304d926b922b43f3b747c35964c Mon Sep 17 00:00:00 2001
From: Stanislaw Bogatkin
Date: Tue, 4 Aug 2015 19:28:25 +0300
Subject: [PATCH] Add ability to use HTTPS port
As long as we have HTTPS enabled by default on master node, it would be nice to use secure channel for nailgun agent. So, this commit switch to HTTPS as default protocol for agent and allow to use plain HTTP as a fallback. We use SSL no_verify for connection cause now certificate for master node nginx generated on container creation and we don't have an ability to easily push it to trusted on bootstrap node.
Change-Id: I570890b19eac74db6f3666af966e86f64327740d
Closes-Bug: #1480866
---
 agent | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/agent b/agent
index 9322601..b7dd7df 100755
--- a/agent
+++ b/agent
@@ -129,7 +129,8 @@ class NodeAgent
 @logger = logger
 @api_default_address = "localhost"
- @api_default_port = "8000"
+ @api_default_port = "8443"
+ @api_legacy_port = "8000"
 @api_url = url
@@ -145,9 +146,19 @@ class NodeAgent
 @logger.info("Can't get API url from /proc/cmdline. Will use localhost.")
 @api_ip = "127.0.0.1"
 end
- @api_url = "http://#{@api_ip}:#{@api_default_port}/api"
+ begin
+ res = htclient.get("https://#{@api_ip}:#{@api_default_port}/")
+ @scheme = "https"
+ @api_port = @api_default_port
+ rescue Errno::ECONNREFUSED
+ @logger.warn("Connection Refused catched when trying connect to HTTPS port. Use plain HTTP")
+ @scheme = "http"
+ @api_port = @api_legacy_port
+ end
+ @api_url = "#{@scheme}://#{@api_ip}:#{@api_port}/api"
 end
+ @logger.info("API URL is #{@api_url}")
 @os = ohai_system_info
 end
@@ -187,6 +198,8 @@ class NodeAgent
 def htclient
 client = HTTPClient.new
+ client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ client.ssl_config.ssl_version = :TLSv1
 client.connect_timeout = 10
 client.send_timeout = 10
 client.receive_timeout = 10 # (mihgen): Nailgun may hang for a while, but 10sec should be enough for him to respond
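Review bot: The `rescue Errno::ECONNREFUSED` branch in the second hunk downgrades to plain HTTP on the legacy port after a single refused connection. A reset or filtered 8443 on the path, or nginx not yet listening, is therefore enough to move this agent's API traffic to cleartext, with only a warn-level log line. As far as the hunk shows, only ECONNREFUSED is handled, so a connect timeout or TLS handshake failure from the probe would propagate instead of being handled. `res` is assigned but never inspected, so any HTTP status counts as "HTTPS works". I would retry HTTPS before falling back, make the downgrade an explicit opt-in, and at minimum mark the site with `# SECURITY: falls back to cleartext HTTP when 8443 refuses; remove once every master serves HTTPS`. The enclosing method begins outside the hunk.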
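Review bot: `client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE` in `htclient` is unconditional, so every request made through this client accepts any certificate. The HTTPS channel is then encrypted but does not authenticate the master node. The commit message gives the reason (the nginx certificate is generated at container creation and is not distributed to bootstrap nodes), but that belongs next to the code, e.g. `# SECURITY: peer certificate not verified; master cert is not yet distributed to nodes`. Verification should also be switchable on once a CA file can be shipped, using `client.ssl_config.add_trust_ca(<CA_PATH>)` with `OpenSSL::SSL::VERIFY_PEER`. Separately, `ssl_version = :TLSv1` pins the client to TLS 1.0, so it will not negotiate a newer version even if the server offers one; confirm what the bundled httpclient supports and prefer negotiating the highest common version. `htclient` continues past the end of the hunk.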