[PATCH] [Wok 0/2] Remove dhparams generation from build

This patch moves dhparams.pem file generation to package post-install, and to server initialization when running in development mode (i.e. running from source). It also fixes an issue with nginx configuration reloading: if nginx was not up and running, the reload command failed, causing tests to break or forcing the user to restart nginx manually. Lucio Correia (2): Generate dhparams in post-install and development mode Make sure nginx is running before reloading its config Makefile.am | 2 -- contrib/DEBIAN/control.in | 1 - contrib/DEBIAN/postinst | 3 +++ contrib/wok.spec.fedora.in | 4 +++- contrib/wok.spec.suse.in | 4 +++- src/Makefile.am | 8 +------- src/wok/proxy.py | 20 ++++++++++++++++---- 7 files changed, 26 insertions(+), 16 deletions(-) -- 2.7.4

The Diffie-Helmann key may be generated in post-install. To make it faster, add a -dsaparam parameter to the command. Also generate it on server initialization for development mode.
Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com>
---
Makefile.am | 2 --
contrib/DEBIAN/control.in | 1 -
contrib/DEBIAN/postinst | 3 +++
contrib/wok.spec.fedora.in | 4 +++-
contrib/wok.spec.suse.in | 4 +++-
src/Makefile.am | 8 +-------
src/wok/proxy.py | 13 +++++++++----
7 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
- mkdir -p $(DESTDIR)/etc/wok/
- $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
mkdir -p $(DESTDIR)/etc/nginx/conf.d
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
texlive-fonts-extra
Build-Depends: xsltproc,
gettext,
- openssl,
python-lxml,
pkg-config
Maintainer: Aline Manera <alinefm@br.ibm.com>
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..73e6935 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
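Review bot: Dropping `mkdir -p $(DESTDIR)/etc/wok/` together with the dhparams install line may leave no step in this rule that creates the /etc/wok directory the post-install scripts now write dhparams.pem, wok-key.pem and wok-cert.pem into. If no other install rule in Makefile.am creates that directory (not visible in this hunk), every `openssl ... >/dev/null 2>&1 || :` in the packaging hunks fails silently on a missing directory. Keep `mkdir -p $(DESTDIR)/etc/wok/` unless another rule already owns the directory. The install-data-local rule continues outside the hunk.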
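Review bot: Removing openssl from Build-Depends is consistent with the build no longer running `openssl dhparam`, but the postinst hunk below now invokes `openssl dhparam` and `openssl req` at package configure time, so openssl has to be a runtime `Depends:` for that to be reliable. The spec files carry `Requires: openssl`; the Debian `Depends:` list here starts with python-cherrypy3 and its remaining entries are outside the hunk, so I cannot tell whether openssl is already listed. If it is not, add `openssl,` to `Depends:`, since the `|| :` in postinst would otherwise hide the missing binary.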
@@ -20,6 +20,9 @@
systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
if test $systemd_exists = "0"; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
/bin/systemctl enable wokd > /dev/null 2>&1
/bin/systemctl daemon-reload > /dev/null 2>&1
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..fa2cd67 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-devel
BuildRequires: libxslt
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
@@ -78,6 +77,9 @@ if [ $1 -eq 1 ] ; then
# Initial installation
/bin/systemctl enable wokd.service >/dev/null 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
fi
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index ea2e708..244d75f 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -24,7 +24,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-tools
BuildRequires: libxslt-tools
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?suse_version} == 1100
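Review bot: `openssl dhparam -dsaparam` replaces the safe-prime group with DSA-style parameters, and OpenSSL's own dhparam documentation cautions that such parameters are only appropriate when a fresh DH key is generated for each use; that is what a server's ephemeral DHE suites are expected to do, but the trade-off is invisible to the next maintainer, so record it next to the command, e.g. `# -dsaparam: DSA-style group, much faster to generate; relies on the server using a fresh DH key per handshake`. The `>/dev/null 2>&1 || :` also swallows a failed generation, after which nginx will presumably refuse a configuration that references a missing dhparams.pem with no hint in the install log — consider `|| echo "wok: dhparams generation failed" >&2` instead of `|| :`. Both points apply equally to the identical blocks added in contrib/wok.spec.fedora.in and contrib/wok.spec.suse.in. The enclosing `if test $systemd_exists` block ends outside the hunk.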
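Review bot: The generation only runs inside `if [ $1 -eq 1 ]`, i.e. on first install, while the previous release shipped /etc/wok/dhparams.pem as a packaged file (the removed `$(INSTALL_DATA) src/dhparams.pem` line in Makefile.am); unless that file was marked `%config(noreplace)` in `%files` (not visible here), rpm removes it when upgrading to a build that no longer owns it, and this `%post` branch never recreates it, leaving nginx pointing at a missing file. Since the `[ ! -e /etc/wok/dhparams.pem ]` test already makes the block idempotent, move it outside the `$1 -eq 1` test so it runs on every `%post`. The same applies to the identical block added in contrib/wok.spec.suse.in.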
@@ -58,6 +57,9 @@ if [ $1 -eq 1 ] ; then
%else
chkconfig wokd on
%endif
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
fi
exit 0
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..5d169e7 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
wok.conf: wok.conf.in Makefile
$(do_substitution) < wok.conf.in > wok.conf
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
- openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..7376f09 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -30,6 +30,9 @@ from wok import sslcert
from wok.config import paths
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
def check_proxy_config():
# When running from a installed system, there is nothing to do
if paths.installed:
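Review bot: `DH_COMMAND` is a `%`-formatted shell string that the next hunk hands to `os.system`, so `paths.sys_conf_dir` is interpolated unquoted into a shell command line; the value is project configuration rather than user input, but the follow-up patch in this series runs its commands as argv lists via `run_command(['service', 'nginx', 'status'])`, and this constant would be both safer and consistent with that as `DH_COMMAND = ['openssl', 'dhparam', '-dsaparam', '-out']`, completed with `[dh_file, '2048']` at the call site. A one-line comment on why `-dsaparam` is used also belongs here, since it is the only place in the Python code where the choice is visible, e.g. `# -dsaparam: DSA-style group, much faster to generate; assumes the server uses a fresh DH key per handshake`. `check_proxy_config` continues outside the hunk.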
@@ -48,16 +51,18 @@ def check_proxy_config():
# Create a symbolic link in system's dir to prevent errors while
# running from source code
symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'),
- 'link': os.path.join(paths.sys_nginx_conf_dir,
- 'wok.conf')},
- {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
- 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}]
+ 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}]
for item in symlinks:
link = item['link']
if os.path.isfile(link) or os.path.islink(link):
os.remove(link)
os.symlink(item['target'], link)
+ # Generate unique Diffie-Hellman group with 2048-bit
+ dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+ if not os.path.exists(dh_file):
+ os.system(DH_COMMAND % dh_file)
+
# Create cert files if they don't exist
cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')
--
2.7.4
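Review bot: The entry removed from `symlinks` above used to create a link at exactly `os.path.join(paths.sys_conf_dir, 'dhparams.pem')`, and `os.path.exists` returns False for a dangling link, so on a development machine where that old link survives and its target under `paths.conf_dir` is gone (the build no longer produces it), `openssl dhparam -out` writes through the stale link into the source tree rather than creating the file in `sys_conf_dir`. The exit status of `os.system(DH_COMMAND % dh_file)` is discarded as well, so a failed generation is only noticed later when nginx rejects its configuration. Remove a dangling link before the existence check and raise when generation fails; `check_proxy_config` starts and ends outside the hunk, and the exception type should match whatever the cert-generation code below uses (OSError is a placeholder).
```python
    # Generate unique Diffie-Hellman group with 2048-bit
    dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
    if os.path.islink(dh_file) and not os.path.exists(dh_file):
        # dangling link left behind by an older source-mode run
        os.remove(dh_file)
    if not os.path.exists(dh_file):
        if os.system(DH_COMMAND % dh_file) != 0:
            raise OSError('failed to generate %s' % dh_file)

    # … unchanged: cert/key generation …
```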

On 01/24/2017 05:36 PM, Lucio Correia wrote:
The Diffie-Hellman key may be generated in post-install. To make it faster, add the -dsaparam parameter to the command. Also generate it on server initialization in development mode.
Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com>
---
Makefile.am | 2 --
contrib/DEBIAN/control.in | 1 -
contrib/DEBIAN/postinst | 3 +++
contrib/wok.spec.fedora.in | 4 +++-
contrib/wok.spec.suse.in | 4 +++-
src/Makefile.am | 8 +-------
src/wok/proxy.py | 13 +++++++++----
7 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 034c6a6..5a5edfc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,8 +152,6 @@ install-data-local:
mkdir -p $(DESTDIR)/$(localstatedir)/log/wok/
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-access.log
touch $(DESTDIR)/$(localstatedir)/log/wok/wok-error.log
- mkdir -p $(DESTDIR)/etc/wok/
- $(INSTALL_DATA) src/dhparams.pem $(DESTDIR)/etc/wok/dhparams.pem
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
mkdir -p $(DESTDIR)/etc/nginx/conf.d
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 16f8afc..ba083b3 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,7 +19,6 @@ Depends: python-cherrypy3 (>= 3.2.0),
texlive-fonts-extra
Build-Depends: xsltproc,
gettext,
- openssl,
python-lxml,
pkg-config
Maintainer: Aline Manera <alinefm@br.ibm.com>
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 473e515..73e6935 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -20,6 +20,9 @@
systemd_exists=$(type /bin/systemctl > /dev/null 2>&1; echo $?)
if test $systemd_exists = "0"; then
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
I don't think the openssl command should depend on systemd existence. We just need to make sure not to override the system config file. So I'd suggest adding the same file-existence check for the wok-{key/cert}.pem files.
/bin/systemctl enable wokd > /dev/null 2>&1
/bin/systemctl daemon-reload > /dev/null 2>&1
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fcada13..fa2cd67 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -23,7 +23,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-devel
BuildRequires: libxslt
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
@@ -78,6 +77,9 @@ if [ $1 -eq 1 ] ; then
# Initial installation
/bin/systemctl enable wokd.service >/dev/null 2>&1 || :
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
Same comment as above regarding the wok-{key/cert}.pem files (I know it was already there, but as you are working on the same piece of code, it would be great to have it fixed as well).
fi
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index ea2e708..244d75f 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -24,7 +24,6 @@ Requires: logrotate
Requires: openssl
BuildRequires: gettext-tools
BuildRequires: libxslt-tools
-BuildRequires: openssl
BuildRequires: python-lxml
%if 0%{?suse_version} == 1100
@@ -58,6 +57,9 @@ if [ $1 -eq 1 ] ; then
%else
chkconfig wokd on
%endif
+ if [ ! -e /etc/wok/dhparams.pem ]; then
+ openssl dhparam -dsaparam -out /etc/wok/dhparams.pem 2048 >/dev/null 2>&1 || :
+ fi
openssl req -x509 -newkey rsa:4096 -keyout /etc/wok/wok-key.pem -out /etc/wok/wok-cert.pem -days 365 -nodes -subj "/C=US/CN=wok/O=kimchi-project.org" >/dev/null 2>&1 || :
Same here.
fi
exit 0
diff --git a/src/Makefile.am b/src/Makefile.am
index abc53ec..5d169e7 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -48,10 +48,4 @@ wokd: wokd.in Makefile
wok.conf: wok.conf.in Makefile
$(do_substitution) < wok.conf.in > wok.conf
-# Generate unique Diffie-Hellman group with 2048-bit
-all-local: dhparams.pem
-
-dhparams.pem:
- openssl dhparam -out dhparams.pem 2048
-
-CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES) dhparams.pem
+CLEANFILES = $(bin_SCRIPTS) $(BUILT_SOURCES)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 8ebb869..7376f09 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -30,6 +30,9 @@ from wok import sslcert
from wok.config import paths
+DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
+
+
def check_proxy_config():
# When running from a installed system, there is nothing to do
if paths.installed:
@@ -48,16 +51,18 @@ def check_proxy_config():
# Create a symbolic link in system's dir to prevent errors while
# running from source code
symlinks = [{'target': os.path.join(paths.nginx_conf_dir, 'wok.conf'),
- 'link': os.path.join(paths.sys_nginx_conf_dir,
- 'wok.conf')},
- {'target': os.path.join(paths.conf_dir, 'dhparams.pem'),
- 'link': os.path.join(paths.sys_conf_dir, 'dhparams.pem')}]
+ 'link': os.path.join(paths.sys_nginx_conf_dir, 'wok.conf')}]
for item in symlinks:
link = item['link']
if os.path.isfile(link) or os.path.islink(link):
os.remove(link)
os.symlink(item['target'], link)
+ # Generate unique Diffie-Hellman group with 2048-bit
+ dh_file = os.path.join(paths.sys_conf_dir, 'dhparams.pem')
+ if not os.path.exists(dh_file):
+ os.system(DH_COMMAND % dh_file)
+
# Create cert files if they don't exist
cert = os.path.join(paths.sys_conf_dir, 'wok-cert.pem')
key = os.path.join(paths.sys_conf_dir, 'wok-key.pem')

Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com>
---
src/wok/proxy.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 7376f09..099224c 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -28,6 +28,7 @@ import os
from wok import sslcert
from wok.config import paths
+from wok.utils import run_command
DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
@@ -75,4 +76,10 @@ def check_proxy_config():
f.write(ssl_gen.key_pem())
# Reload nginx configuration.
+ cmd = ['service', 'nginx', 'status']
+ output, error, rc = run_command(cmd)
+ if rc != 0:
+ cmd = ['service', 'nginx', 'restart']
+ output, error, rc = run_command(cmd)
+
os.system('nginx -s reload')
--
2.7.4
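Review bot: The return code of the `service nginx restart` call is stored in `rc` but never examined, so when the restart fails the code still falls through to `os.system('nginx -s reload')`, whose status is discarded as well, and `check_proxy_config` returns as if the proxy were up — the same silent failure the commit sets out to fix, one step later. A successful (re)start already loads the new configuration, so the reload is only needed on the path where nginx was already running; check `rc` on both paths and fail loudly. `output` and `error` are otherwise unused in the hunk, and `check_proxy_config` starts outside it (the hunk header suggests these are its last lines, so the early return should be safe, but please confirm); the exception type is a placeholder to be aligned with the module's existing errors.
```python
    # Reload nginx configuration.
    output, error, rc = run_command(['service', 'nginx', 'status'])
    if rc != 0:
        # Not running: (re)starting it already picks up the new config.
        output, error, rc = run_command(['service', 'nginx', 'restart'])
        if rc != 0:
            raise OSError('unable to start nginx: %s' % error)
        return

    if os.system('nginx -s reload') != 0:
        raise OSError('nginx reload failed')
```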

On 01/24/2017 05:36 PM, Lucio Correia wrote:
Signed-off-by: Lucio Correia <luciojhc@linux.vnet.ibm.com>
---
src/wok/proxy.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 7376f09..099224c 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -28,6 +28,7 @@ import os
from wok import sslcert
from wok.config import paths
+from wok.utils import run_command
DH_COMMAND = "openssl dhparam -dsaparam -out %s 2048"
@@ -75,4 +76,10 @@ def check_proxy_config():
f.write(ssl_gen.key_pem())
# Reload nginx configuration.
+ cmd = ['service', 'nginx', 'status']
+ output, error, rc = run_command(cmd)
+ if rc != 0:
+ cmd = ['service', 'nginx', 'restart']
restart? Should it be 'start' ?
+ output, error, rc = run_command(cmd)
+
os.system('nginx -s reload')