RHEL: Add mod_ssl for services running over httpd

This Apache module is necessary for when one wants to use TLS for the
services running over httpd.

This only addresses RHEL-based systems at the moment, since there is no
such package available for Ubuntu. This requires apache2.2-common which
will carry a lot more dependencies, so I think this should be handled
and decided in a separate patch.

When installing mod_ssl in RHEL-based distributions, an ssl.conf file is
installed in the /etc/httpd/conf.d directory. This file tells httpd to
listen on port 443; however, we don't want to do this by default, since
this should be explicitly enabled by the container's configuration. This
line is thus removed from the configuration.

A release note was added, which specifies this. And the last sentence
can be removed if this is addressed for debian/ubuntu as well.

Related-Bug: #1675490
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: Id6215d31547247309d43c031e163fa9e4c4ec5dc
This commit is contained in:
Juan Antonio Osorio Robles 2017-03-17 11:24:04 +02:00
parent cc2f0462e7
commit 9df58642c6
14 changed files with 81 additions and 31 deletions


@ -209,6 +209,7 @@ as part of a binary install type build:
* ``openstack-dashboard``
* ``httpd``
* ``mod_wsgi``
* ``mod_ssl``
* ``gettext``
To add a package to this list, say, ``iproute``, first create a file, e.g.


@ -14,13 +14,15 @@ MAINTAINER {{ maintainer }}
'openstack-aodh-common',
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
{{ macros.install_packages(aodh_base_packages | customizable("packages")) }}
RUN mkdir -p /var/www/cgi-bin/aodh \
&& cp -a /usr/lib/python2.7/site-packages/aodh/api/app.wsgi /var/www/cgi-bin/aodh/ \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set aodh_base_packages = [
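Review bot: the new sed on /etc/httpd/conf.d/ssl.conf exits 0 whether or not it matched anything, so if the packaged file ever spells the directive differently (leading whitespace, an address prefix) the image is built with the 443 listener still active and nothing flags it. Consider ending the RUN chain with a check that fails the build, for example: && ! grep -qE '^[[:space:]]*Listen' /etc/httpd/conf.d/ssl.conf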
@ -42,12 +44,14 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
{% set aodh_base_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
{{ macros.install_packages(aodh_base_packages | customizable("packages")) }}
RUN mkdir -p /var/www/cgi-bin/aodh \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set aodh_base_packages = [


@ -10,10 +10,12 @@ MAINTAINER {{ maintainer }}
{% set ceilometer_api_packages = [
'openstack-ceilometer-api',
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(ceilometer_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set ceilometer_api_packages = [
'ceilometer-api',
@ -32,13 +34,15 @@ RUN echo > /etc/apache2/ports.conf
{% set ceilometer_api_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'gettext'
] %}
{{ macros.install_packages(ceilometer_api_packages | customizable("packages")) }}
{% block ceilometer_api_redhat_source_setup %}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% endblock %}
{% elif base_distro in ['ubuntu', 'debian'] %}
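Review bot: in this source branch the Listen edits sit inside {% block ceilometer_api_redhat_source_setup %}, so anyone overriding that block drops the ssl.conf change along with the httpd.conf one and gets the packaged Listen 443 back. Either move the two sed commands into a RUN outside the overridable block, or add a comment inside the block saying an override must repeat them.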


@ -10,10 +10,12 @@ MAINTAINER {{ maintainer }}
{% set cinder_api_packages = [
'python-keystone',
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(cinder_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set cinder_api_packages = [
'cinder-api',
@ -28,10 +30,12 @@ RUN echo > /etc/apache2/ports.conf
{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
{% set cinder_api_packages = [
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(cinder_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set cinder_api_packages = [
'apache2',
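Review bot: the two-command RUN (Listen 80 in httpd.conf, Listen 443 in ssl.conf) is now copied verbatim into every RHEL branch, here twice in one file. A shared macro next to macros.install_packages would keep the listener policy in one place and give the Debian/Ubuntu follow-up mentioned in the commit message a single spot to extend.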


@ -15,12 +15,14 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
{% set freezer_api_packages = [
'mod_wsgi',
'mod_ssl',
'httpd'
] %}
{{ macros.install_packages(freezer_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set freezer_api_packages = [
'libapache2-mod-wsgi',


@ -14,12 +14,14 @@ MAINTAINER {{ maintainer }}
'openstack-gnocchi-common',
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool',
'python-rados'
] %}
{{ macros.install_packages(gnocchi_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set gnocchi_base_packages = [
@ -40,12 +42,14 @@ RUN truncate -s 0 /etc/apache2/ports.conf
{% set gnocchi_base_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool',
'python-rados'
] %}
{{ macros.install_packages(gnocchi_base_packages | customizable("packages")) }}
RUN mkdir -p /var/www/cgi-bin/gnocchi \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set gnocchi_base_packages = [


@ -13,10 +13,12 @@ MAINTAINER {{ maintainer }}
{% set heat_base_packages = [
'openstack-heat-common',
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(heat_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set heat_base_packages = [
'heat-common',
@ -33,11 +35,12 @@ RUN echo > /etc/apache2/ports.conf
{% set heat_base_packages = [
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(heat_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}


@ -14,6 +14,7 @@ MAINTAINER {{ maintainer }}
'openstack-dashboard',
'httpd',
'mod_wsgi',
'mod_ssl',
'gettext',
'openstack-cloudkitty-ui',
'openstack-ironic-ui',
@ -30,6 +31,7 @@ MAINTAINER {{ maintainer }}
{% block horizon_redhat_binary_setup %}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf \
&& ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
&& ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
&& chown -R horizon: /etc/openstack-dashboard /usr/share/openstack-dashboard \
@ -81,13 +83,15 @@ RUN echo > /etc/apache2/ports.conf \
{% set horizon_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'gettext'
] %}
{{ macros.install_packages(horizon_packages | customizable("packages")) }}
{% block horizon_redhat_source_setup %}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% endblock %}
{% elif base_distro in ['ubuntu', 'debian'] %}


@ -11,10 +11,12 @@ MAINTAINER {{ maintainer }}
'syslinux-tftpboot',
'httpd',
'ipxe-bootimgs',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set ironic_pxe_packages = [
'tftpd-hpa',


@ -14,6 +14,7 @@ MAINTAINER {{ maintainer }}
'python-keystoneclient',
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
@ -21,7 +22,8 @@ MAINTAINER {{ maintainer }}
RUN mkdir -p /var/www/cgi-bin/keystone \
&& cp -a /usr/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
&& cp -a /usr/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set keystone_base_packages = [
@ -44,10 +46,12 @@ RUN mkdir -p /var/www/cgi-bin/keystone \
{% set keystone_base_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
{{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_base_packages = [
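Review bot: the pattern ^(Listen 443) has no boundary after the port number, so it would also comment out a line such as Listen 4430; the same holds for the existing ^(Listen 80). Bounding the port, e.g. ^(Listen 443)( |$) with the replacement changed to #\1\2, makes the match exact.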


@ -11,10 +11,12 @@ MAINTAINER {{ maintainer }}
{% set nova_api_packages = [
'openstack-nova-api',
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(nova_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
@ -35,10 +37,12 @@ RUN echo > /etc/apache2/ports.conf
{% set nova_api_packages = [
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(nova_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}


@ -11,11 +11,13 @@ MAINTAINER {{ maintainer }}
{% set nova_placement_api_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'openstack-nova-placement-api'
] %}
{{ macros.install_packages(nova_placement_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
@ -34,11 +36,13 @@ RUN truncate -s 0 /etc/apache2/ports.conf
{% set nova_placement_api_packages = [
'httpd',
'mod_wsgi'
'mod_wsgi',
'mod_ssl'
] %}
{{ macros.install_packages(nova_placement_api_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu'] %}
{% set nova_placement_api_packages = [


@ -14,11 +14,13 @@ MAINTAINER {{ maintainer }}
'openstack-panko-common',
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
{{ macros.install_packages(panko_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@ -31,10 +33,12 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
{% set panko_base_packages = [
'httpd',
'mod_wsgi',
'mod_ssl',
'python-ldappool'
] %}
{{ macros.install_packages(panko_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_distro in ['ubuntu', 'debian'] %}


@ -0,0 +1,6 @@
---
features:
- Images that contain services that run over httpd now ship mod_ssl as well.
This is useful when deployers want to configure these services to serve TLS
in the internal network instead of just relying on HAProxy for the TLS
termination. Note that currently this only applies to RHEL-based images.
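Review bot: the release note does not say that the packaged Listen 443 in /etc/httpd/conf.d/ssl.conf is commented out, which the commit message describes as intentional. Deployers who enable TLS need to know that they must supply their own Listen directive through the container's configuration; add a sentence to that effect.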