[Kimchi-devel] [PATCH] [Wok 1/2] Generate dhparams in post-install and development mode

Aline Manera alinefm at linux.vnet.ibm.com
Wed Jan 25 16:01:59 UTC 2017



On 01/24/2017 05:36 PM, Lucio Correia wrote:
> The Diffie-Helmann key may be generated in post-install. To
> make it faster, add a -dsaparam parameter to the command.
> Also generate it on server initialization for development
> mode.
>
> Signed-off-by: Lucio Correia <luciojhc at linux.vnet.ibm.com>
> ---
>   Makefile.am                |  2 --
>   contrib/DEBIAN/control.in  |  1 -
>   contrib/DEBIAN/postinst    |  3 +++
>   contrib/wok.spec.fedora.in |  4 +++-
>   contrib/wok.spec.suse.in   |  4 +++-
>   src/Makefile.am            |  8 +-------
>   src/wok/proxy.py           | 13 +++++++++----
>   7 files changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/Makefile.am b/Makefile.am
> index 034c6a6..5a5edfc 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -152,8 +152,6 @@ install-data-local:
>   	mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
>   	touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
>   	touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
> -	mkdir -p $(DESTDIR)/etc/wok/
> -	$(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
>   	mkdir -p $(DESTDIR)/etc/logrotate.d/
>   	$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
>   	mkdir -p $(DESTDIR)/etc/nginx/conf.d
> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
> index 16f8afc..ba083b3 100644
> --- a/contrib/DEBIAN/control.in
> +++ b/contrib/DEBIAN/control.in
> @@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
>            texlive-fonts-extra
>   Build-Depends: xsltproc,
>                  gettext,
> -               openssl,
>                  python-lxml,
>                  pkg-config
>   Maintainer: Aline Manera <alinefm at br.ibm.com>
> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
> index 473e515..73e6935 100755
> --- a/contrib/DEBIAN/postinst
> +++ b/contrib/DEBIAN/postinst
> @@ -20,6 +20,9 @@
>
>   systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
>   if test $systemd_exists = "0"; then

> +    if [ ! -e /etc/wok/dhparams.pem ]; then
> +        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
> +    fi
>       openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :

I don't think the openssl command should depend on the existence of systemd.

We just need to make sure not to override the system config file. So 
I'd suggest adding the same file-existence check for the wok-{key/cert}.pem 
files.

>       /bin/systemctl enable wokd > /dev/null 2>&1
>       /bin/systemctl daemon-reload > /dev/null 2>&1
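Review bot: `-dsaparam` on the new openssl dhparam line produces DSA-style parameters rather than a safe prime, and the OpenSSL dhparam manual warns that a fresh DH private key must be generated for every exchange with such parameters to avoid small-subgroup attacks, so this silently turns the TLS terminator's single-use-DH behaviour into a security requirement that should be recorded next to the command, e.g. `# -dsaparam: fast, but not a safe prime; the TLS server must use a fresh DH key per handshake (see dhparam(1))`. The same flag is added in contrib/wok.spec.fedora.in, contrib/wok.spec.suse.in and src/wok/proxy.py. Separately, `>/dev/null 2>&1 || :` hides any failure while the `! -e` guard above it means an empty or partial dhparams.pem left by an interrupted run would never be regenerated; writing to a temporary name and renaming only on success avoids that: `openssl dhparam -dsaparam -out /etc/wok/dhparams.pem.tmp 2048 >/dev/null 2>&1 && mv /etc/wok/dhparams.pem.tmp /etc/wok/dhparams.pem || :`. The enclosing `if test $systemd_exists` block closes outside the hunk.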
> diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
> index fcada13..fa2cd67 100644
> --- a/contrib/wok.spec.fedora.in
> +++ b/contrib/wok.spec.fedora.in
> @@ -23,7 +23,6 @@ Requires:	logrotate
>   Requires:	openssl
>   BuildRequires:	gettext-devel
>   BuildRequires:	libxslt
> -BuildRequires:	openssl
>   BuildRequires:	python-lxml
>
>   %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
> @@ -78,6 +77,9 @@ if [ $1 -eq 1 ] ; then
>       # Initial installation
>       /bin/systemctl enable wokd.service >/dev/null 2>&1 || :
>       /bin/systemctl daemon-reload >/dev/null 2>&1 || :

> +    if [ ! -e /etc/wok/dhparams.pem ]; then
> +        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
> +    fi
>       openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :

Same as I commented above regarding the wok-{key/cert}.pem files (I know it was 
already there, but as you are working on the same piece of code, it 
would be great to have it fixed as well).

>   fi
>
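Review bot: The dhparams generation is placed inside `if [ $1 -eq 1 ]`, so it runs only on initial installation, while the companion Makefile.am change stops shipping /etc/wok/dhparams.pem in the package; on upgrade of an existing install, rpm would remove the previously packaged dhparams.pem at the end of the transaction (unless it is marked %config, which this hunk does not show) and nothing in %post would recreate it, leaving nginx without DH parameters. Moving the `if [ ! -e /etc/wok/dhparams.pem ]; then ... fi` block outside the `$1 -eq 1` condition, so it also runs on upgrades, covers that case; the same applies to the contrib/wok.spec.suse.in hunk. The %post scriptlet begins outside the hunk.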
> diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
> index ea2e708..244d75f 100644
> --- a/contrib/wok.spec.suse.in
> +++ b/contrib/wok.spec.suse.in
> @@ -24,7 +24,6 @@ Requires:	logrotate
>   Requires:	openssl
>   BuildRequires:	gettext-tools
>   BuildRequires:	libxslt-tools
> -BuildRequires:	openssl
>   BuildRequires:	python-lxml
>
>   %if 0%{?suse_version} == 1100
> @@ -58,6 +57,9 @@ if [ $1 -eq 1 ] ; then
>       %else
>           chkconfig wokd on
>       %endif
> +    if [ ! -e /etc/wok/dhparams.pem ]; then
> +        openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
> +    fi
>       openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :

Same here.

>   fi
>   exit 0
> diff --git a/src/Makefile.am b/src/Makefile.am
> index abc53ec..5d169e7 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -48,10 +48,4 @@ wokd: wokd.in Makefile
>   wok.conf: wok.conf.in Makefile
>   	$(do_substitution) < wok.conf.in > wok.conf
>
> -# Generate unique Diffie-Hellman group with 2048-bit
> -all-local: dhparams.pem
> -
> -dhparams.pem:
> -	openssl dhparam -out dhparams.pem 2048
> -
> -CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
> +CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
> diff --git a/src/wok/proxy.py b/src/wok/proxy.py
> index 8ebb869..7376f09 100644
> --- a/src/wok/proxy.py
> +++ b/src/wok/proxy.py
> @@ -30,6 +30,9 @@ from wok import sslcert
>   from wok.config import paths
>
>
> +DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
> +
> +
>   def check_proxy_config():
>       # When running from a installed system, there is nothing to do
>       if paths.installed:
> @@ -48,16 +51,18 @@ def check_proxy_config():
>       # Create a symbolic link in system's dir to prevent errors while
>       # running from source code
>       symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'),
> -                 'link': os.path.join(paths.sys_nginx_conf_dir,
> -                                      'wok.conf')},
> -                {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
> -                 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}]
> +                 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}]
>       for item in symlinks:
>           link = item['link']
>           if os.path.isfile(link) or os.path.islink(link):
>               os.remove(link)
>           os.symlink(item['target'], link)
>
> +    # Generate unique Diffie-Hellman group with 2048-bit
> +    dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
> +    if not os.path.exists(dh_file):
> +        os.system(DH_COMMAND % dh_file)
> +
>       # Create cert files if they don't exist
>       cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
>       key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')
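Review bot: `os.system(DH_COMMAND % dh_file)` builds a shell command by string interpolation and discards its exit status, so a missing or failing openssl leaves dh_file absent or partially written with no error, and the `os.path.exists` guard above it would then skip regeneration on the next start if a partial file remains. Prefer an argument list and check the result, e.g. `ret = subprocess.call(['openssl', 'dhparam', '-dsaparam', '-out', dh_file, '2048'])` followed by a logged warning or raised exception when `ret != 0`; whether subprocess is already imported in this module is outside the hunk, and the `DH_COMMAND` constant added in the previous hunk would then be unnecessary. The new comment should also record the `-dsaparam` trade-off, e.g. `# -dsaparam is fast but does not yield a safe prime; requires a fresh DH key per handshake`. check_proxy_config continues outside the hunk.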


