Merge lp:~vds/charms/trusty/neutron-contrail/tls-patch into lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk

Proposed by Vincenzo Di Somma on 2017-09-26
Status: Rejected
Rejected by: Michał Ajduk on 2018-11-05
Proposed branch: lp:~vds/charms/trusty/neutron-contrail/tls-patch
Merge into: lp:~sdn-charmers/charms/trusty/neutron-contrail/trunk
Diff against target: 200 lines (+114/-5)
5 files modified
hooks/neutron_contrail_hooks.py (+51/-4)
hooks/neutron_contrail_utils.py (+47/-1)
metadata.yaml (+2/-0)
scripts/vhost-phys.sh (+6/-0)
templates/contrail-vrouter-agent.conf (+8/-0)
To merge this branch: bzr merge lp:~vds/charms/trusty/neutron-contrail/tls-patch
Reviewer Review Type Date Requested Status
Gábor Mészáros (community) Disapprove on 2018-10-31
Robert Ayres 2017-09-26 Pending
Review via email: mp+331349@code.launchpad.net

Description of the change

Port of TLS support from DTAG.

Gábor Mészáros (gabor.meszaros) wrote :

Obsolete; the patch also contains TLS support which works in an incorrect way. The TLS support is not used anywhere at the moment.

review: Disapprove

Unmerged revisions

73. By Vincenzo Di Somma on 2017-09-26

Port of TLS patch from DTAG

Preview Diff

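--- a/hooks/neutron_contrail_hooks.py
+++ b/hooks/neutron_contrail_hooks.py
@@ -21,7 +21,8 @@
 log,
 relation_get,
 relation_ids,
- relation_set
+ relation_set,
+ local_unit,
 )
 
 from charmhelpers.core.host import (
@@ -44,6 +45,7 @@
 CONTRAIL_VERSION,
 OPENSTACK_VERSION,
 configure_vrouter,
+ control_network_ip,
 disable_vrouter_vgw,
 dpkg_version,
 drop_caches,
@@ -72,11 +74,13 @@
 write_nodemgr_config,
 write_vnc_api_config,
 write_vrouter_config,
- write_vrouter_vgw_interfaces
+ write_vrouter_vgw_interfaces,
+ write_xmpp_tls_files,
 )
 
-PACKAGES = [ "contrail-utils", "python-jinja2", "python-netifaces",
- "python-netaddr", "contrail-nodemgr" ]
+PACKAGES = ["contrail-vrouter-dkms", "contrail-vrouter-agent",
+ "contrail-utils", "python-jinja2", "python-netifaces",
+ "python-netaddr", "contrail-nodemgr"]
 
 PACKAGES_DPDK = [ "contrail-dpdk-kernel-modules-dkms", "contrail-vrouter-dpdk",
 "contrail-vrouter-dpdk-init", "contrail-vrouter-agent",
@@ -435,6 +439,49 @@
 settings = { "metadata-shared-secret": config["local-metadata-secret"] }
 relation_set(relation_settings=settings)
 
+@hooks.hook('tls-certificates-relation-joined')
+def tls_certificates_relation_joined():
+ # a hostname could also be provided as a SAN
+ # (Subject Alternative Name) but having this one
+ # has certain implications
+ # https://tools.ietf.org/html/rfc2818#section-3.1
+ # "If a subjectAltName extension of type dNSName
+ # is present, that MUST be used as the identity"
+ # Therefore it is not used here as we don't need
+ # a DNS infrastructure dependency
+ ip_san = control_network_ip()
+ settings = {
+ 'sans': json.dumps([ip_san, '127.0.0.1']),
+ 'common_name': ip_san,
+ 'certificate_name': local_unit().replace('/', '_')
+ }
+ relation_set(relation_settings=settings)
+
+
+@hooks.hook('tls-certificates-relation-changed')
+def tls_certificates_relation_changed():
+ # check that the -provides side have set the data we need
+ # and render the affected files
+ unitname = local_unit().replace('/', '_')
+ cert = '{0}.server.cert'.format(unitname)
+ key = '{0}.server.key'.format(unitname)
+ certv = relation_get(cert)
+ keyv = relation_get(key)
+ ca = relation_get('ca')
+
+ if certv and keyv and ca:
+ write_xmpp_tls_files(certv, keyv, ca)
+ config["tls-certificates-ready"] = True
+ else:
+ log('tls-certificates relation data is not fully available')
+ config["tls-certificates-ready"] = False
+
+
+@hooks.hook('tls-certificates-relation-departed')
+def tls_certificates_relation_departed():
+ config["tls-certificates-ready"] = False
+
+
 def main():
 try:
 hooks.execute(sys.argv)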
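Review bot: `tls_certificates_relation_changed` writes the certificate files and sets `config["tls-certificates-ready"]`, but nothing in this hunk re-renders contrail-vrouter-agent.conf or restarts the agent, so the xmpp TLS settings only reach the running agent if some other hook outside this diff calls `write_vrouter_config` afterwards; calling it from the `if` branch (and from the departed hook) would close that gap. `tls_certificates_relation_joined` calls `json.dumps`, yet the import hunk above adds only `local_unit`; confirm `json` is already imported in this module, otherwise the joined hook fails with a NameError. `tls_certificates_relation_departed` flips the flag but leaves the key and certificates under /etc/contrail/ssl; if the relation is removed that stale key material should be cleaned up as well, or the departed hook should at least say why it is kept.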
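--- a/hooks/neutron_contrail_utils.py
+++ b/hooks/neutron_contrail_utils.py
@@ -27,7 +27,9 @@
 relation_get,
 relation_ids,
 relation_type,
- remote_unit
+ remote_unit,
+ unit_private_ip,
+ network_get_primary_address,
 )
 
 from charmhelpers.core.host import (
@@ -572,6 +574,50 @@
 render("contrail-vrouter-agent.conf",
 "/etc/contrail/contrail-vrouter-agent.conf", ctx, perms=0440)
 
+
 def write_vrouter_vgw_interfaces():
 ctx = vrouter_vgw_ctx()
 render("vrouter-vgw.cfg", "/etc/network/interfaces.d/vrouter-vgw.cfg", ctx)
+
+
+def control_network_ip():
+ '''
+ With Juju 2.x, uses an endpoint (relation)
+ network space binding if unspecified will use a "unit private address"
+ which is far less explicit if you look at the Juju implementation.
+ If you use Juju 2.x and above - bind the control-node endpoint to a network
+ space to get a proper address in this function.
+
+ If network-get throws an exception (juju 1.x or spaces are not supported)
+ will try to fall back to a private-address as returned by Juju.
+ '''
+ try:
+ address = network_get_primary_address('control-node')
+ except NotImplementedError:
+ log('Network spaces are not implemented - falling back to'
+ ' getting a private address')
+ address = unit_private_ip()
+ return address
+
+
+def write_xmpp_tls_files(serv_cert, priv_key, ca):
+ prefix = '/etc/contrail/ssl'
+ certs = os.path.join(prefix, 'certs')
+ private = os.path.join(prefix, 'private')
+
+ entry = pwd.getpwnam('contrail')
+ for p in [prefix, certs, private]:
+ if not os.path.exists(p):
+ os.makedirs(p, 0o750)
+ os.chown(p, entry.pw_uid, entry.pw_gid)
+
+ fcontent = {
+ os.path.join(certs, 'server.pem'): serv_cert,
+ os.path.join(private, 'server-privkey.pem'): priv_key,
+ os.path.join(certs, 'ca-cert.pem'): ca,
+ }
+
+ for filepath, content in fcontent.iteritems():
+ with open(filepath, 'w+') as f:
+ f.truncate(0)
+ f.write(content)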
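Review bot: In `write_xmpp_tls_files` the private key at `server-privkey.pem` is created with `open(filepath, 'w+')`, so its mode comes from the hook's umask (typically 0644) and it stays owned by the user running the hook, while only the directories are chowned to contrail; the 0750 `private` directory keeps other users out only when this function created it, because the chown sits inside the `if not os.path.exists(p)` branch and a pre-existing directory is left as found. Create the key with an explicit 0600 mode, chmod it unconditionally so an already-present file is tightened too, and chown each written file to contrail so the agent can read it without the file being world-readable. The `f.truncate(0)` is redundant with mode `'w+'`. The hunk adds no `import pwd` alongside the new `pwd.getpwnam` call; confirm the module already imports it.
```python
    # … unchanged: prefix/certs/private directory creation and chown …
    fcontent = {
        os.path.join(certs, 'server.pem'): (serv_cert, 0o644),
        os.path.join(private, 'server-privkey.pem'): (priv_key, 0o600),
        os.path.join(certs, 'ca-cert.pem'): (ca, 0o644),
    }

    for filepath, (content, mode) in fcontent.iteritems():
        # O_CREAT mode is masked by umask and ignored for an existing file,
        # so chmod afterwards to make the mode authoritative either way.
        fd = os.open(filepath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, 'w') as f:
            f.write(content)
        os.chmod(filepath, mode)
        os.chown(filepath, entry.pw_uid, entry.pw_gid)
```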
156=== added symlink 'hooks/tls-certificates-relation-changed'
157=== target is u'neutron_contrail_hooks.py'
158=== added symlink 'hooks/tls-certificates-relation-departed'
159=== target is u'neutron_contrail_hooks.py'
160=== added symlink 'hooks/tls-certificates-relation-joined'
161=== target is u'neutron_contrail_hooks.py'
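--- a/metadata.yaml
+++ b/metadata.yaml
@@ -37,3 +37,5 @@
 interface: keystone-admin
 neutron-metadata:
 interface: neutron-metadata
+ tls-certificates:
+ interface: tls-certificates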
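--- a/scripts/vhost-phys.sh
+++ b/scripts/vhost-phys.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+#
+# Script used to determine physical interface of vhost0
+
+mac=$(cat /sys/class/net/vhost0/address)
+vif --list | awk -v mac=$mac 'BEGIN { RS="\n\n" }; $3 != "vhost0" && $0 ~ "HWaddr:" mac { print $3; exit 0 }'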
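Review bot: `$mac` is expanded unquoted in `awk -v mac=$mac`; if /sys/class/net/vhost0/address is empty or holds anything unexpected, the word splits and awk is given an empty or broken assignment, so write `awk -v mac="$mac"`. The `-e` in the shebang applies only when the script is executed directly; invoking it as `sh scripts/vhost-phys.sh` drops it, so a `set -e` line of its own is more robust. Since `mac` is used as a regex operand in `$0 ~ "HWaddr:" mac`, a comment noting that a MAC contains no regex metacharacters would explain why no escaping is done.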
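--- a/templates/contrail-vrouter-agent.conf
+++ b/templates/contrail-vrouter-agent.conf
@@ -3,6 +3,14 @@
 # Configuration file maintained by Juju. Local changes may be overwritten.
 ###############################################################################
 
+{% if tls_implemented -%}
+[DEFAULT]
+xmpp_auth_enable=true
+xmpp_server_cert=/etc/contrail/ssl/certs/server.pem
+xmpp_server_key=/etc/contrail/ssl/private/server-privkey.pem
+xmpp_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
+{% endif -%}
+
 {%- if control_nodes %}
 
 [CONTROL-NODE]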
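Review bot: The new block is guarded by `tls_implemented`, but the only flag this diff sets is `config["tls-certificates-ready"]` in the hooks file, and no change to the template context is included; unless `vrouter_ctx` (outside this diff) already maps that config key to `tls_implemented`, the block never renders and the agent silently stays on plain XMPP. Either rename the guard to the context key that is actually provided or add the mapping in the context function, and name that dependency in a comment next to the `{% if %}`. Opening a `[DEFAULT]` section at the top of the file may also duplicate a `[DEFAULT]` section that appears further down in the template; the rest of the file is outside the hunk and worth checking.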
