Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Roque
slapos
Commits
a07fa66b
Commit
a07fa66b
authored
Jul 13, 2023
by
Jérome Perrin
Browse files
Options
Browse Files
Download
Plain Diff
dufs, restic: Use hash-existing-file to restart services after certificate renewal
See merge request
nexedi/slapos!1407
parents
70b7c017
81ce2902
Changes
7
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
108 additions
and
4 deletions
+108
-4
software/dufs/buildout.hash.cfg
software/dufs/buildout.hash.cfg
+1
-1
software/dufs/instance.cfg.in
software/dufs/instance.cfg.in
+15
-0
software/dufs/software.cfg
software/dufs/software.cfg
+0
-1
software/dufs/test/test.py
software/dufs/test/test.py
+38
-0
software/restic-rest-server/buildout.hash.cfg
software/restic-rest-server/buildout.hash.cfg
+1
-1
software/restic-rest-server/instance.cfg.in
software/restic-rest-server/instance.cfg.in
+15
-0
software/restic-rest-server/test/test.py
software/restic-rest-server/test/test.py
+38
-1
No files found.
software/dufs/buildout.hash.cfg
View file @
a07fa66b
...
...
@@ -15,4 +15,4 @@
[instance.cfg.in]
filename = instance.cfg.in
md5sum =
9ed5d03f4f0cdc022f28b39e8ff1323e
md5sum =
6edf5c64bf25dfd2e6e8a4e74c9b9812
software/dufs/instance.cfg.in
View file @
a07fa66b
...
...
@@ -55,7 +55,20 @@ dash_path = {{ dash_bin }}
curl_path = {{ curl_bin }}
# Caucase
[dufs-certificate-init-certificate]
recipe = slapos.recipe.build
init =
# pre-create a file at the path of the certificate,
# so that we can use hash-existing-files options
import pathlib
cert_file = pathlib.Path(self.buildout['dufs-certificate']['cert-file'])
if not cert_file.parent.exists():
cert_file.parent.mkdir()
if not cert_file.exists():
cert_file.touch()
[dufs-certificate]
init = ${dufs-certificate-init-certificate:init}
key-file = ${directory:etc}/${:_buildout_section_name_}.key
cert-file = ${directory:etc}/${:_buildout_section_name_}.crt
common-name = ${:_buildout_section_name_}
...
...
@@ -154,6 +167,8 @@ wrapper-path = ${directory:service}/${:_buildout_section_name_}
port = 19080
ip = ${instance-parameter:ipv6-random}
url = https://[${:ip}]:${:port}
hash-existing-files =
${dufs-certificate:cert-file}
[dufs-listen-promise]
<= check-port-listening-promise
...
...
software/dufs/software.cfg
View file @
a07fa66b
...
...
@@ -10,7 +10,6 @@ parts =
caucase-eggs
instance.cfg.in
[dufs]
recipe = slapos.recipe.cmmi
shared = true
...
...
software/dufs/test/test.py
View file @
a07fa66b
...
...
@@ -25,8 +25,11 @@
#
##############################################################################
import
contextlib
import
io
import
os
import
pathlib
import
subprocess
import
tempfile
import
urllib.parse
...
...
@@ -115,3 +118,38 @@ class TestFileServer(SlapOSInstanceTestCase):
)
self
.
assertEqual
(
resp
.
text
,
'hello'
)
self
.
assertEqual
(
resp
.
status_code
,
requests
.
codes
.
ok
)
def
test_renew_certificate
(
self
):
def
_getpeercert
():
# XXX low level way to get get the server certificate
with
requests
.
Session
()
as
session
:
pool
=
session
.
get
(
self
.
connection_parameters
[
'public-url'
],
verify
=
self
.
ca_cert
,
).
raw
.
_pool
.
pool
with
contextlib
.
closing
(
pool
.
get
())
as
cnx
:
return
cnx
.
sock
.
_sslobj
.
getpeercert
()
cert_before
=
_getpeercert
()
# execute certificate updater two month later, when it's time to renew certificate.
# use a timeout, because this service runs forever
subprocess
.
run
(
(
'timeout'
,
'5'
,
'faketime'
,
'+2 months'
,
os
.
path
.
join
(
self
.
computer_partition_root_path
,
'etc/service/dufs-certificate-updater'
),
),
capture_output
=
not
self
.
_debug
,
)
# reprocess instance to get the new certificate, after removing the timestamp
# to force execution
(
pathlib
.
Path
(
self
.
computer_partition_root_path
)
/
'.timestamp'
).
unlink
()
self
.
waitForInstance
()
cert_after
=
_getpeercert
()
self
.
assertNotEqual
(
cert_before
[
'notAfter'
],
cert_after
[
'notAfter'
])
software/restic-rest-server/buildout.hash.cfg
View file @
a07fa66b
...
...
@@ -15,4 +15,4 @@
[instance.cfg.in]
filename = instance.cfg.in
md5sum =
573e23c88fea6a11ab5c79b1eb106601
md5sum =
69237df07b8819e2eb683702b8cd199a
software/restic-rest-server/instance.cfg.in
View file @
a07fa66b
...
...
@@ -54,7 +54,20 @@ dash_path = {{ dash_bin }}
curl_path = {{ curl_bin }}
# Caucase
[rest-server-certificate-init-certificate]
recipe = slapos.recipe.build
init =
# pre-create a file at the path of the certificate,
# so that we can use hash-existing-files options
import pathlib
cert_file = pathlib.Path(self.buildout['rest-server-certificate']['cert-file'])
if not cert_file.parent.exists():
cert_file.parent.mkdir()
if not cert_file.exists():
cert_file.touch()
[rest-server-certificate]
init = ${rest-server-certificate-init-certificate:init}
key-file = ${directory:etc}/${:_buildout_section_name_}.key
cert-file = ${directory:etc}/${:_buildout_section_name_}.crt
common-name = ${:_buildout_section_name_}
...
...
@@ -165,6 +178,8 @@ ip = ${instance-parameter:ipv6-random}
url = https://[${:ip}]:${:port}
depends =
${rest-server-htpassword:recipe}
hash-existing-files =
${rest-server-certificate:cert-file}
[rest-server-listen-promise]
<= check-port-listening-promise
...
...
software/restic-rest-server/test/test.py
View file @
a07fa66b
...
...
@@ -25,8 +25,9 @@
#
##############################################################################
import
glo
b
import
contextli
b
import
os
import
pathlib
import
subprocess
import
tempfile
import
urllib.parse
...
...
@@ -35,6 +36,7 @@ import requests
from
slapos.testing.testcase
import
makeModuleSetUpAndTestCaseClass
setUpModule
,
SlapOSInstanceTestCase
=
makeModuleSetUpAndTestCaseClass
(
os
.
path
.
abspath
(
os
.
path
.
join
(
os
.
path
.
dirname
(
__file__
),
'..'
,
'software.cfg'
)))
...
...
@@ -143,3 +145,38 @@ class TestResticRestServer(SlapOSInstanceTestCase):
self
.
assertIn
(
'restoring <Snapshot'
,
out
)
with
open
(
os
.
path
.
join
(
restore_directory
,
backup_path
,
'data'
))
as
f
:
self
.
assertEqual
(
f
.
read
(),
'data to backup'
)
def
test_renew_certificate
(
self
):
def
_getpeercert
():
# XXX low level way to get get the server certificate
with
requests
.
Session
()
as
session
:
pool
=
session
.
get
(
self
.
connection_parameters
[
'url'
],
verify
=
self
.
ca_cert
,
).
raw
.
_pool
.
pool
with
contextlib
.
closing
(
pool
.
get
())
as
cnx
:
return
cnx
.
sock
.
_sslobj
.
getpeercert
()
cert_before
=
_getpeercert
()
# execute certificate updater two month later, when it's time to renew certificate.
# use a timeout, because this service runs forever
subprocess
.
run
(
(
'timeout'
,
'5'
,
'faketime'
,
'+2 months'
,
os
.
path
.
join
(
self
.
computer_partition_root_path
,
'etc/service/rest-server-certificate-updater'
),
),
capture_output
=
not
self
.
_debug
,
)
# reprocess instance to get the new certificate, after removing the timestamp
# to force execution
(
pathlib
.
Path
(
self
.
computer_partition_root_path
)
/
'.timestamp'
).
unlink
()
self
.
waitForInstance
()
cert_after
=
_getpeercert
()
self
.
assertNotEqual
(
cert_before
[
'notAfter'
],
cert_after
[
'notAfter'
])
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment