[PATCH V2] [Wok 0/2] Remove dhparams generation from build

This patch moves dhparams.pem file generation to package post-install and to server initialization when running in development mode (i.e. running from source). It also fixes an issue with nginx configuration reloading: if nginx was not up and running, the reload command failed, causing tests to break or forcing the user to restart nginx manually. V2: - Review comments - Updated copyright Lucio Correia (2): Generate dhparams in post-install and development mode Make sure nginx is running before reloading its config Makefile.am | 2 -- contrib/DEBIAN/control.in | 1 - contrib/DEBIAN/postinst | 16 ++++++++++++++-- contrib/wok.spec.fedora.in | 8 ++++++-- contrib/wok.spec.suse.in | 8 ++++++-- src/Makefile.am | 10 ++-------- src/wok/proxy.py | 23 +++++++++++++++++------ 7 files changed, 45 insertions(+), 23 deletions(-) -- 2.7.4

The Diffie-Helmann key may be generated in post-install. To make it faster, add a -dsaparam parameter to the command. Also generate it on server initialization for development mode. Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com> --- Makefile.am | 2 -- contrib/DEBIAN/control.in | 1 - contrib/DEBIAN/postinst | 16 ++++++++++++++-- contrib/wok.spec.fedora.in | 8 ++++++-- contrib/wok.spec.suse.in | 8 ++++++-- src/Makefile.am | 10 ++-------- src/wok/proxy.py | 15 ++++++++++----- 7 files changed, 38 insertions(+), 22 deletions(-) diff --git a/Makefile.am b/Makefile.am index 034c6a6..5a5edfc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -152,8 +152,6 @@ install-data-local: mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/ touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log - mkdir -p $(DESTDIR)/etc/wok/ - $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd mkdir -p $(DESTDIR)/etc/nginx/conf.d diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 16f8afc..ba083b3 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0), texlive-fonts-extra Build-Depends: xsltproc, gettext, - openssl, python-lxml, pkg-config Maintainer: Aline Manera <alinefm@br.ibm.com> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index 473e515..9bfed32 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -2,7 +2,7 @@ # # Project Wok # -# Copyright IBM Corp, 2013-2016 +# Copyright IBM Corp, 2013-2017 # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public 
@@ -18,9 +18,21 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +DHPARAMS_PEM=/etc/wok/dhparams.pem +WOKCERT_PEM=/etc/wok/wok-cert.pem +WOKKEY_PEM=/etc/wok/wok-key.pem + +if [ ! -e "$DHPARAMS_PEM" ]; then + openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048 >/dev/null 2>&1 || : +fi +if [ ! -e "$WOKCERT_PEM" ] || [ ! -e "$WOKKEY_PEM" ]; then + openssl req -x509 -newkey rsa:4096 -keyout "$WOKKEY_PEM" \ + -out "$WOKCERT_PEM" -days 365 -nodes \ + -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : +fi + systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?) if test $systemd_exists = "0"; then - openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : /bin/systemctl enable wokd > /dev/null 2>&1 /bin/systemctl daemon-reload > /dev/null 2>&1 /bin/systemctl start wokd > /dev/null 2>&1 diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in index fcada13..6af8222 100644 --- a/contrib/wok.spec.fedora.in +++ b/contrib/wok.spec.fedora.in @@ -23,7 +23,6 @@ Requires: logrotate Requires: openssl BuildRequires: gettext-devel BuildRequires: libxslt -BuildRequires: openssl BuildRequires: python-lxml %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 
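Review bot: Every generation step in the new postinst block ends in `>/dev/null 2>&1 || :`, so a failed or missing `openssl dhparam` leaves no /etc/wok/dhparams.pem and no message, and the problem only surfaces later when nginx is started with a config that references the file; the same pattern is added to the %post sections of contrib/wok.spec.fedora.in and contrib/wok.spec.suse.in. Keeping the install non-fatal is reasonable, but a failure should at least be reported, e.g. `openssl dhparam -dsaparam -out "$DHPARAMS_PEM" 2048 >/dev/null 2>&1 || echo "wok: could not generate $DHPARAMS_PEM" >&2`. The `-dsaparam` choice that makes generation fast deserves a comment where it is introduced (here, in both spec files, and on DH_COMMAND in src/wok/proxy.py): per the openssl dhparam documentation it produces DSA-style parameters that are not safe primes and should only be used with a fresh DH key per handshake, which current OpenSSL does by default — `# -dsaparam: fast DSA-style group, not a safe prime; relies on OpenSSL using a fresh DH key per handshake`. If the key-generation line is reworked anyway, consider restricting the mode of "$WOKKEY_PEM" explicitly (e.g. `chmod 600 "$WOKKEY_PEM"`) rather than relying on whatever mode the installed openssl gives the private key file.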
@@ -75,10 +74,15 @@ install -Dm 0755 contrib/wokd.sysvinit %{buildroot}%{_initrddir}/wokd %post if [ $1 -eq 1 ] ; then + if [ ! -e /etc/wok/dhparams.pem ]; then + openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || : + fi + if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then + openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : + fi # Initial installation /bin/systemctl enable wokd.service >/dev/null 2>&1 || : /bin/systemctl daemon-reload >/dev/null 2>&1 || : - openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : fi %preun diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in index ea2e708..db31616 100644 --- a/contrib/wok.spec.suse.in +++ b/contrib/wok.spec.suse.in @@ -24,7 +24,6 @@ Requires: logrotate Requires: openssl BuildRequires: gettext-tools BuildRequires: libxslt-tools -BuildRequires: openssl BuildRequires: python-lxml %if 0%{?suse_version} == 1100 @@ -52,13 +51,18 @@ make DESTDIR=%{buildroot} install %post if [ $1 -eq 1 ] ; then + if [ ! -e /etc/wok/dhparams.pem ]; then + openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || : + fi + if [ ! -e /etc/wok/wok-key.pem ] || [ ! -e /etc/wok/wok-cert.pem ]; then + openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : + fi %if 0%{?with_systemd} /bin/systemctl enable wokd.service >/dev/null 2>&1 || : /bin/systemctl daemon-reload >/dev/null 2>&1 || : %else chkconfig wokd on %endif - openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || : fi exit 0 
diff --git a/src/Makefile.am b/src/Makefile.am index abc53ec..531c20b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,7 +1,7 @@ # # Project Wok # -# Copyright IBM Corp, 2013-2016 +# Copyright IBM Corp, 2013-2017 # # Code derived from Project Kimchi # @@ -48,10 +48,4 @@ wokd: wokd.in Makefile wok.conf: wok.conf.in Makefile $(do_substitution) < wok.conf.in > wok.conf -# Generate unique Diffie-Hellman group with 2048-bit -all-local: dhparams.pem - -dhparams.pem: - openssl dhparam -out dhparams.pem 2048 - -CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem +CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) diff --git a/src/wok/proxy.py b/src/wok/proxy.py index 8ebb869..c26925d 100644 --- a/src/wok/proxy.py +++ b/src/wok/proxy.py @@ -2,7 +2,7 @@ # # Project Wok # -# Copyright IBM Corp, 2015-2016 +# Copyright IBM Corp, 2015-2017 # # Code derived from Project Kimchi # @@ -30,6 +30,9 @@ from wok import sslcert from wok.config import paths +DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048" + + def check_proxy_config(): # When running from a installed system, there is nothing to do if paths.installed: 
@@ -48,16 +51,18 @@ def check_proxy_config(): # Create a symbolic link in system's dir to prevent errors while # running from source code symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'), - 'link': os.path.join(paths.sys_nginx_conf_dir, - 'wok.conf')}, - {'target': os.path.join(paths.conf_dir, 'dhparams.pem'), - 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}] + 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}] for item in symlinks: link = item['link'] if os.path.isfile(link) or os.path.islink(link): os.remove(link) os.symlink(item['target'], link) + # Generate unique Diffie-Hellman group with 2048-bit + dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem') + if not os.path.exists(dh_file): + os.system(DH_COMMAND % dh_file) + # Create cert files if they don't exist cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem') key = os.path.join(paths.sys_conf_dir, 'wok-key.pem') -- 2.7.4
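Review bot: The new dhparams generation in check_proxy_config runs `os.system(DH_COMMAND % dh_file)` and discards the exit status, so when openssl is missing or fails the function carries on and nginx later fails to load its config with a much less obvious error. The next patch in this series imports `run_command` from wok.utils, which takes an argument list and returns the rc, so the command can be run without building a shell string and checked: `_, err, rc = run_command(['openssl', 'dhparam', '-dsaparam', '-out', dh_file, '2048'])` followed by `if rc != 0: raise RuntimeError('dhparams generation failed: %s' % err)` (or whatever error convention this module uses). dh_file is derived from paths.sys_conf_dir rather than from user input, so the formatted shell string is not an injection risk as written, but the list form removes the dependence on that assumption and makes DH_COMMAND unnecessary. check_proxy_config starts before this hunk and continues past it.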

Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com> --- src/wok/proxy.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/wok/proxy.py b/src/wok/proxy.py index c26925d..2d4653e 100644 --- a/src/wok/proxy.py +++ b/src/wok/proxy.py @@ -28,6 +28,7 @@ import os from wok import sslcert from wok.config import paths +from wok.utils import run_command DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048" @@ -75,4 +76,9 @@ def check_proxy_config(): f.write(ssl_gen.key_pem()) # Reload nginx configuration. - os.system('nginx -s reload') + cmd = ['service', 'nginx', 'status'] + output, error, rc = run_command(cmd) + if rc != 0: + os.system('service nginx start') + else: + os.system('nginx -s reload') -- 2.7.4
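Review bot: In the new reload block, `output` and `error` from the status check are unused, and the `service nginx start` / `nginx -s reload` calls still go through `os.system` with their exit status dropped, so a failed start or reload stays silent even though `run_command` was just imported for exactly this kind of call. Using run_command for all three keeps the style consistent and yields an rc to act on: `_, _, rc = run_command(['service', 'nginx', 'status'])`, then `action = ['service', 'nginx', 'start'] if rc != 0 else ['nginx', '-s', 'reload']`, then `_, err, rc = run_command(action)` with a non-zero rc reported rather than ignored. Whether `service nginx status` exits non-zero when nginx is down on every init system the project supports is not visible here, so a short comment stating that assumption above the check would help: `# 'service nginx status' is expected to exit non-zero when nginx is not running`. This block is the tail of check_proxy_config, which starts before the hunk.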