Support listening on a Unix socket
When using nginx to terminate TLS (like it's done in Bifrost), it's more secure to use a Unix socket for communication, so that local users cannot access plain text communication. Change-Id: I37b762cca035b5855deb92635c29e8eb97a87c20
This commit is contained in:
parent
567b73138d
commit
3ebfdf05e1
@ -14,10 +14,20 @@
|
||||
import socket
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_config import types as cfg_types
|
||||
|
||||
from ironic_inspector.common.i18n import _
|
||||
|
||||
|
||||
class Octal(cfg_types.Integer):
|
||||
|
||||
def __call__(self, value):
|
||||
if isinstance(value, int):
|
||||
return value
|
||||
else:
|
||||
return int(str(value), 8)
|
||||
|
||||
|
||||
_OPTS = [
|
||||
cfg.StrOpt('listen_address',
|
||||
default='::',
|
||||
@ -25,6 +35,12 @@ _OPTS = [
|
||||
cfg.PortOpt('listen_port',
|
||||
default=5050,
|
||||
help=_('Port to listen on.')),
|
||||
cfg.StrOpt('listen_unix_socket',
|
||||
help=_('Unix socket to listen on. Disables listen_address and '
|
||||
'listen_port.')),
|
||||
cfg.Opt('listen_unix_socket_mode', type=Octal(),
|
||||
help=_('File mode (an octal number) of the unix socket to '
|
||||
'listen on. Ignored if listen_unix_socket is not set.')),
|
||||
cfg.StrOpt('host',
|
||||
default=socket.getfqdn(),
|
||||
sample_default='localhost',
|
||||
|
@ -10,6 +10,9 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import socket
|
||||
|
||||
from ironic_lib import utils as il_utils
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log
|
||||
from oslo_service import service
|
||||
@ -26,11 +29,20 @@ class WSGIService(service.Service):
|
||||
|
||||
def __init__(self):
|
||||
self.app = main.get_app()
|
||||
self.server = wsgi.Server(CONF, 'ironic_inspector',
|
||||
self.app,
|
||||
host=CONF.listen_address,
|
||||
port=CONF.listen_port,
|
||||
use_ssl=CONF.use_ssl)
|
||||
if CONF.listen_unix_socket:
|
||||
il_utils.unlink_without_raise(CONF.listen_unix_socket)
|
||||
self.server = wsgi.Server(CONF, 'ironic_inspector',
|
||||
self.app,
|
||||
socket_family=socket.AF_UNIX,
|
||||
socket_file=CONF.listen_unix_socket,
|
||||
socket_mode=CONF.listen_unix_socket_mode,
|
||||
use_ssl=CONF.use_ssl)
|
||||
else:
|
||||
self.server = wsgi.Server(CONF, 'ironic_inspector',
|
||||
self.app,
|
||||
host=CONF.listen_address,
|
||||
port=CONF.listen_port,
|
||||
use_ssl=CONF.use_ssl)
|
||||
|
||||
def start(self):
|
||||
"""Start serving this service using loaded configuration.
|
||||
@ -45,6 +57,8 @@ class WSGIService(service.Service):
|
||||
:returns: None
|
||||
"""
|
||||
self.server.stop()
|
||||
if CONF.listen_unix_socket:
|
||||
il_utils.unlink_without_raise(CONF.listen_unix_socket)
|
||||
|
||||
def wait(self):
|
||||
"""Wait for the service to stop serving this API.
|
||||
|
5
releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml
Normal file
5
releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Supports listening on a Unix socket instead of a normal TCP socket.
|
||||
This is useful with an HTTP server such as nginx in proxy mode.
|
Loading…
Reference in New Issue
Block a user