Merge lp:~vds/charms/trusty/neutron-contrail/tls-patch into lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk

Proposed by Vincenzo Di Somma
Status: Rejected
Rejected by: Michał Ajduk
Proposed branch: lp:~vds/charms/trusty/neutron-contrail/tls-patch
Merge into: lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk
Diff against target: 200 lines (+114/-5)
5 files modified
hooks/neutron_contrail_hooks.py (+51/-4)
hooks/neutron_contrail_utils.py (+47/-1)
metadata.yaml (+2/-0)
scripts/vhost-phys.sh (+6/-0)
templates/contrail-vrouter-agent.conf (+8/-0)
To merge this branch: bzr merge lp:~vds/charms/trusty/neutron-contrail/tls-patch
Reviewer Review Type Date Requested Status
Gábor Mészáros (community) Disapprove
Robert Ayres Pending
Review via email: mp+331349@code.launchpad.net

Description of the change

Port of TLS support from DTAG.

Revision history for this message
Gábor Mészáros (gabor.meszaros) wrote :

obsolete, and the patch also contains TLS support which works in an incorrect way. The TLS support is not used anywhere at the moment.

review: Disapprove

Unmerged revisions

73. By Vincenzo Di Somma

Port of TLS patch from DTAG

Preview Diff

=== modified file 'hooks/neutron_contrail_hooks.py'
--- hooks/neutron_contrail_hooks.py 2017-09-20 19:59:00 +0000
+++ hooks/neutron_contrail_hooks.py 2017-09-26 14:06:23 +0000
@@ -21,7 +21,8 @@
21 log,21 log,
22 relation_get,22 relation_get,
23 relation_ids,23 relation_ids,
24 relation_set24 relation_set,
25 local_unit,
25)26)
2627
27from charmhelpers.core.host import (28from charmhelpers.core.host import (
@@ -44,6 +45,7 @@
44 CONTRAIL_VERSION,45 CONTRAIL_VERSION,
45 OPENSTACK_VERSION,46 OPENSTACK_VERSION,
46 configure_vrouter,47 configure_vrouter,
48 control_network_ip,
47 disable_vrouter_vgw,49 disable_vrouter_vgw,
48 dpkg_version,50 dpkg_version,
49 drop_caches,51 drop_caches,
@@ -72,11 +74,13 @@
72 write_nodemgr_config,74 write_nodemgr_config,
73 write_vnc_api_config,75 write_vnc_api_config,
74 write_vrouter_config,76 write_vrouter_config,
75 write_vrouter_vgw_interfaces77 write_vrouter_vgw_interfaces,
78 write_xmpp_tls_files,
76)79)
7780
78PACKAGES = [ "contrail-utils", "python-jinja2", "python-netifaces",81PACKAGES = ["contrail-vrouter-dkms", "contrail-vrouter-agent",
79 "python-netaddr", "contrail-nodemgr" ]82 "contrail-utils", "python-jinja2", "python-netifaces",
83 "python-netaddr", "contrail-nodemgr"]
8084
81PACKAGES_DPDK = [ "contrail-dpdk-kernel-modules-dkms", "contrail-vrouter-dpdk",85PACKAGES_DPDK = [ "contrail-dpdk-kernel-modules-dkms", "contrail-vrouter-dpdk",
82 "contrail-vrouter-dpdk-init", "contrail-vrouter-agent",86 "contrail-vrouter-dpdk-init", "contrail-vrouter-agent",
@@ -435,6 +439,49 @@
435 settings = { "metadata-shared-secret": config["local-metadata-secret"] }439 settings = { "metadata-shared-secret": config["local-metadata-secret"] }
436 relation_set(relation_settings=settings)440 relation_set(relation_settings=settings)
437441
442@hooks.hook('tls-certificates-relation-joined')
443def tls_certificates_relation_joined():
444 # a hostname could also be provided as a SAN
445 # (Subject Alternative Name) but having this one
446 # has certain implications
447 # https://tools.ietf.org/html/rfc2818#section-3.1
448 # "If a subjectAltName extension of type dNSName
449 # is present, that MUST be used as the identity"
450 # Therefore it is not used here as we don't need
451 # a DNS infrastructure dependency
452 ip_san = control_network_ip()
453 settings = {
454 'sans': json.dumps([ip_san, '127.0.0.1']),
455 'common_name': ip_san,
456 'certificate_name': local_unit().replace('/', '_')
457 }
458 relation_set(relation_settings=settings)
459
460
461@hooks.hook('tls-certificates-relation-changed')
462def tls_certificates_relation_changed():
463 # check that the -provides side have set the data we need
464 # and render the affected files
465 unitname = local_unit().replace('/', '_')
466 cert = '{0}.server.cert'.format(unitname)
467 key = '{0}.server.key'.format(unitname)
468 certv = relation_get(cert)
469 keyv = relation_get(key)
470 ca = relation_get('ca')
471
472 if certv and keyv and ca:
473 write_xmpp_tls_files(certv, keyv, ca)
474 config["tls-certificates-ready"] = True
475 else:
476 log('tls-certificates relation data is not fully available')
477 config["tls-certificates-ready"] = False
478
479
480@hooks.hook('tls-certificates-relation-departed')
481def tls_certificates_relation_departed():
482 config["tls-certificates-ready"] = False
483
484
438def main():485def main():
439 try:486 try:
440 hooks.execute(sys.argv)487 hooks.execute(sys.argv)
441488
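Review bot: tls_certificates_relation_changed writes the certificate, key and CA via write_xmpp_tls_files and sets `config["tls-certificates-ready"]`, but nothing in the hook re-renders the agent configuration or restarts the agent, so the TLS settings this proposal adds to contrail-vrouter-agent.conf only take effect when some other hook happens to call write_vrouter_config(); tls_certificates_relation_departed has the same gap, clearing the flag while leaving the key material on disk and the running configuration untouched. Calling `write_vrouter_config()` after the flag is updated in both hooks (plus whatever agent restart the existing hooks use, which is not visible in this hunk) would make the relation state and the rendered config agree. `json.dumps` is used in the joined hook; whether `json` is already imported in this module cannot be seen from the hunk, so that import should be confirmed. main() begins in this hunk and continues outside it.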
=== modified file 'hooks/neutron_contrail_utils.py'
--- hooks/neutron_contrail_utils.py 2017-09-20 19:59:00 +0000
+++ hooks/neutron_contrail_utils.py 2017-09-26 14:06:23 +0000
@@ -27,7 +27,9 @@
27 relation_get,27 relation_get,
28 relation_ids,28 relation_ids,
29 relation_type,29 relation_type,
30 remote_unit30 remote_unit,
31 unit_private_ip,
32 network_get_primary_address,
31)33)
3234
33from charmhelpers.core.host import (35from charmhelpers.core.host import (
@@ -572,6 +574,50 @@
572 render("contrail-vrouter-agent.conf",574 render("contrail-vrouter-agent.conf",
573 "/etc/contrail/contrail-vrouter-agent.conf", ctx, perms=0440)575 "/etc/contrail/contrail-vrouter-agent.conf", ctx, perms=0440)
574576
577
575def write_vrouter_vgw_interfaces():578def write_vrouter_vgw_interfaces():
576 ctx = vrouter_vgw_ctx()579 ctx = vrouter_vgw_ctx()
577 render("vrouter-vgw.cfg", "/etc/network/interfaces.d/vrouter-vgw.cfg", ctx)580 render("vrouter-vgw.cfg", "/etc/network/interfaces.d/vrouter-vgw.cfg", ctx)
581
582
583def control_network_ip():
584 '''
585 With Juju 2.x, uses an endpoint (relation)
586 network space binding if unspecified will use a "unit private address"
587 which is far less explicit if you look at the Juju implementation.
588 If you use Juju 2.x and above - bind the control-node endpoint to a network
589 space to get a proper address in this function.
590
591 If network-get throws an exception (juju 1.x or spaces are not supported)
592 will try to fall back to a private-address as returned by Juju.
593 '''
594 try:
595 address = network_get_primary_address('control-node')
596 except NotImplementedError:
597 log('Network spaces are not implemented - falling back to'
598 ' getting a private address')
599 address = unit_private_ip()
600 return address
601
602
603def write_xmpp_tls_files(serv_cert, priv_key, ca):
604 prefix = '/etc/contrail/ssl'
605 certs = os.path.join(prefix, 'certs')
606 private = os.path.join(prefix, 'private')
607
608 entry = pwd.getpwnam('contrail')
609 for p in [prefix, certs, private]:
610 if not os.path.exists(p):
611 os.makedirs(p, 0o750)
612 os.chown(p, entry.pw_uid, entry.pw_gid)
613
614 fcontent = {
615 os.path.join(certs, 'server.pem'): serv_cert,
616 os.path.join(private, 'server-privkey.pem'): priv_key,
617 os.path.join(certs, 'ca-cert.pem'): ca,
618 }
619
620 for filepath, content in fcontent.iteritems():
621 with open(filepath, 'w+') as f:
622 f.truncate(0)
623 f.write(content)
578624
=== added symlink 'hooks/tls-certificates-relation-changed'
=== target is u'neutron_contrail_hooks.py'
=== added symlink 'hooks/tls-certificates-relation-departed'
=== target is u'neutron_contrail_hooks.py'
=== added symlink 'hooks/tls-certificates-relation-joined'
=== target is u'neutron_contrail_hooks.py'
=== modified file 'metadata.yaml'
--- metadata.yaml 2015-10-13 11:03:57 +0000
+++ metadata.yaml 2017-09-26 14:06:23 +0000
@@ -37,3 +37,5 @@
37 interface: keystone-admin37 interface: keystone-admin
38 neutron-metadata:38 neutron-metadata:
39 interface: neutron-metadata39 interface: neutron-metadata
40 tls-certificates:
41 interface: tls-certificates
4042
=== added file 'scripts/vhost-phys.sh'
--- scripts/vhost-phys.sh 1970-01-01 00:00:00 +0000
+++ scripts/vhost-phys.sh 2017-09-26 14:06:23 +0000
@@ -0,0 +1,6 @@
1#!/bin/sh -e
2#
3# Script used to determine physical interface of vhost0
4
5mac=$(cat /sys/class/net/vhost0/address)
6vif --list | awk -v mac=$mac 'BEGIN { RS="\n\n" }; $3 != "vhost0" && $0 ~ "HWaddr:" mac { print $3; exit 0 }'
07
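Review bot: in vhost-phys.sh `$mac` is passed to awk unquoted; the sysfs address is a single token so it works today, but `awk -v mac="$mac"` is the safer form and costs nothing. When no interface matches, awk prints nothing and the script still exits 0, so a caller cannot distinguish "no physical interface found" from success; if the consumer of this script (not in this diff) depends on non-empty output, it should check for that explicitly.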
=== modified file 'templates/contrail-vrouter-agent.conf'
--- templates/contrail-vrouter-agent.conf 2017-07-17 05:03:53 +0000
+++ templates/contrail-vrouter-agent.conf 2017-09-26 14:06:23 +0000
@@ -3,6 +3,14 @@
3# Configuration file maintained by Juju. Local changes may be overwritten.3# Configuration file maintained by Juju. Local changes may be overwritten.
4###############################################################################4###############################################################################
55
6{% if tls_implemented -%}
7[DEFAULT]
8xmpp_auth_enable=true
9xmpp_server_cert=/etc/contrail/ssl/certs/server.pem
10xmpp_server_key=/etc/contrail/ssl/private/server-privkey.pem
11xmpp_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
12{% endif -%}
13
6{%- if control_nodes %}14{%- if control_nodes %}
715
8[CONTROL-NODE]16[CONTROL-NODE]
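Review bot: the new block is gated on `tls_implemented`, but nothing in this proposal shows where that context key is produced; the hooks only set `config["tls-certificates-ready"]`, so unless the context builder (outside the diff) maps one to the other the TLS settings will never render. If the template already carries a `[DEFAULT]` section further down (outside this hunk), the four xmpp_* keys should be merged into it rather than emitted under a second `[DEFAULT]` header, since duplicate sections are handled inconsistently by INI parsers.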
