Posted to commits@trafficcontrol.apache.org by da...@apache.org on 2019/04/17 22:01:07 UTC

[trafficcontrol] branch master updated: Ciab.ssl.lock.fix (#3489)

This is an automated email from the ASF dual-hosted git repository.

dangogh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 21e50ee  Ciab.ssl.lock.fix (#3489)
21e50ee is described below

commit 21e50eedf1b824f11869d678fd9439a3d4a73d3c
Author: Jonathan G <jh...@users.noreply.github.com>
AuthorDate: Wed Apr 17 16:01:01 2019 -0600

    Ciab.ssl.lock.fix (#3489)
    
    Fixes #3486
    
    * Replace the SSL-generation `completed` marker file with a second wait, on an `X509_GENERATION_COMPLETE` variable written into the shared env file that each container sources
---
 infrastructure/cdn-in-a-box/edge/run.sh                      |  9 +++++++--
 infrastructure/cdn-in-a-box/enroller/run.sh                  | 11 ++++++++---
 infrastructure/cdn-in-a-box/mid/run.sh                       |  9 +++++++--
 infrastructure/cdn-in-a-box/optional/grafana/run-grafana.sh  |  9 +++++++--
 infrastructure/cdn-in-a-box/optional/vnc/run.sh              |  9 +++++++--
 infrastructure/cdn-in-a-box/origin/run.sh                    |  9 +++++++--
 infrastructure/cdn-in-a-box/traffic_monitor/run.sh           |  9 +++++++--
 infrastructure/cdn-in-a-box/traffic_ops/config.sh            | 12 ++++++++++--
 infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh    |  3 +--
 infrastructure/cdn-in-a-box/traffic_ops/run-go.sh            | 10 +---------
 infrastructure/cdn-in-a-box/traffic_portal/run.sh            |  9 +++++++--
 infrastructure/cdn-in-a-box/traffic_router/run.sh            |  9 +++++++--
 infrastructure/cdn-in-a-box/traffic_stats/run-influxdb.sh    |  9 +++++++--
 infrastructure/cdn-in-a-box/traffic_stats/run.sh             |  9 +++++++--
 .../cdn-in-a-box/traffic_vault/prestart.d/00-config.sh       |  9 +++++++--
 infrastructure/cdn-in-a-box/variables.env                    |  1 -
 16 files changed, 97 insertions(+), 39 deletions(-)

diff --git a/infrastructure/cdn-in-a-box/edge/run.sh b/infrastructure/cdn-in-a-box/edge/run.sh
index 93e5646..7c20b82 100755
--- a/infrastructure/cdn-in-a-box/edge/run.sh
+++ b/infrastructure/cdn-in-a-box/edge/run.sh
@@ -27,14 +27,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ]
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
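Review bot: The new until-loop only proves that `X509_GENERATION_COMPLETE` was read, not that `X509_CA_CERT_FULL_CHAIN_FILE`, which the `cp` right after the loop depends on, is set; in the generate-certs hunks on this page the flag is appended by `x509v3_create_cert` together with the per-cert variables, while the full-chain variable reaches the file only through `x509v3_dump_env`'s later rewrite, so the loop can exit while the variable is still empty. An empty value turns the unquoted `cp $X509_CA_CERT_FULL_CHAIN_FILE ...` into `cp /etc/pki/ca-trust/source/anchors`, which fails instead of installing the CA. I would assert the variable right after the loop and quote the copy: `: "${X509_CA_CERT_FULL_CHAIN_FILE:?not set in $X509_CA_ENV_FILE}"` followed by `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors`. The loop also has no upper bound, so a failed generator leaves this container waiting silently forever; a bounded retry that exits non-zero would surface that.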
diff --git a/infrastructure/cdn-in-a-box/enroller/run.sh b/infrastructure/cdn-in-a-box/enroller/run.sh
index ac28f8a..50bdb7c 100755
--- a/infrastructure/cdn-in-a-box/enroller/run.sh
+++ b/infrastructure/cdn-in-a-box/enroller/run.sh
@@ -29,15 +29,20 @@ export TO_USER=$TO_ADMIN_USER
 export TO_PASSWORD=$TO_ADMIN_PASSWORD
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
      echo "Waiting on Shared SSL certificate generation"
      sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source "$X509_CA_ENV_FILE"
- 
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
+
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
 cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates
 update-ca-certificates
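Review bot: The loop exits as soon as `X509_GENERATION_COMPLETE` appears, but the `cp` below needs `X509_CA_CERT_FULL_CHAIN_FILE`, which the generator hunks on this page write in a separate, later step (`x509v3_dump_env`), so an empty variable can reach `cp "" /usr/local/share/ca-certificates` and `update-ca-certificates` then runs with no new anchor. A one-line guard after the loop, `: "${X509_CA_CERT_FULL_CHAIN_FILE:?missing from $X509_CA_ENV_FILE}"`, makes the failure explicit. Worth a comment on the `source` line as well: this file lives on the shared volume (`X509_CA_DIR=/shared/ssl` in variables.env) and is executed as shell code in a container that holds the admin credentials exported just above, so anything able to write that volume gets code execution here; fine for a demo environment, but `# NOTE: sourcing executes whatever is in the shared env file` tells the next maintainer not to reuse this pattern elsewhere.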
diff --git a/infrastructure/cdn-in-a-box/mid/run.sh b/infrastructure/cdn-in-a-box/mid/run.sh
index 9e5915c..5d1e252 100755
--- a/infrastructure/cdn-in-a-box/mid/run.sh
+++ b/infrastructure/cdn-in-a-box/mid/run.sh
@@ -27,14 +27,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ]
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
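Review bot: `source "$X509_CA_ENV_FILE"` inside the loop runs while the generator may still be rewriting that file (the `x509v3_dump_env` hunk on this page truncates it with `>` before re-populating it), so one iteration can execute a half-written line, and the loop's only exit condition is the flag, not the variable actually consumed on the next line. I would add `: "${X509_CA_CERT_FULL_CHAIN_FILE:?}"` after `done` and quote the copy, `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors`, so an unset value fails loudly instead of copying the anchors directory onto itself. A short comment above the loop explaining why a second wait exists after the file-exists wait (the file is created before it is complete) would also help, since the code is otherwise puzzling.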
diff --git a/infrastructure/cdn-in-a-box/optional/grafana/run-grafana.sh b/infrastructure/cdn-in-a-box/optional/grafana/run-grafana.sh
index 8a69a6d..ff782d1 100755
--- a/infrastructure/cdn-in-a-box/optional/grafana/run-grafana.sh
+++ b/infrastructure/cdn-in-a-box/optional/grafana/run-grafana.sh
@@ -26,14 +26,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ]
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source "$X509_CA_ENV_FILE"
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Copy the CIAB-CA certificate to here so it can be added to the trust store
 cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates
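Review bot: This wait-then-source block is now pasted verbatim into thirteen scripts on this page, and every one of them already does `source /to-access.sh`; putting it in one function there, e.g. `wait_for_x509_env() { until [[ -f "$X509_CA_ENV_FILE" ]]; do sleep 3; done; until [[ -n "$X509_GENERATION_COMPLETE" ]]; do sleep 1; source "$X509_CA_ENV_FILE"; done; }`, would mean the next fix to this race lands once instead of thirteen times. Whatever the location, the loop should also check that the variable this script actually uses is set, since the flag is written by a different generator step than the full-chain path: `: "${X509_CA_CERT_FULL_CHAIN_FILE:?}"` before the `cp`. The loop is unbounded, so a generator failure hangs Grafana startup with no error.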
diff --git a/infrastructure/cdn-in-a-box/optional/vnc/run.sh b/infrastructure/cdn-in-a-box/optional/vnc/run.sh
index 344130c..6717eb0 100755
--- a/infrastructure/cdn-in-a-box/optional/vnc/run.sh
+++ b/infrastructure/cdn-in-a-box/optional/vnc/run.sh
@@ -25,14 +25,19 @@ set +m
 [[ -f "/usr/local/sbin/set-dns.sh" ]] && /usr/local/sbin/set-dns.sh
 [[ -f "/usr/local/sbin/insert-self-into-dns.sh" ]] && /usr/local/sbin/insert-self-into-dns.sh
 
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
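Review bot: The DNS helpers two lines above are guarded with `[[ -f ... ]] &&`, but the new block sources the shared env file unconditionally and then uses `$X509_CA_CERT_FULL_CHAIN_FILE` unquoted and unchecked in the `cp`; if the flag is seen before the full-chain variable is in the file (the generator writes them in separate steps per the generate-certs hunks), the copy fails or, with an empty value, copies the wrong thing. Add `: "${X509_CA_CERT_FULL_CHAIN_FILE:?}"` after the loop and write the copy as `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors`. A brief comment like `# the env file exists before it is complete; wait for the sentinel variable` would explain the two-stage wait to a reader.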
diff --git a/infrastructure/cdn-in-a-box/origin/run.sh b/infrastructure/cdn-in-a-box/origin/run.sh
index 29c45ae..98faa56 100755
--- a/infrastructure/cdn-in-a-box/origin/run.sh
+++ b/infrastructure/cdn-in-a-box/origin/run.sh
@@ -27,14 +27,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
      echo "Waiting on Shared SSL certificate generation"
      sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source "$X509_CA_ENV_FILE"
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
 cp $X509_CA_CERT_FULL_CHAIN_FILE /usr/local/share/ca-certificates
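Review bot: After the loop the script assumes `X509_CA_CERT_FULL_CHAIN_FILE` is populated, but the loop only waited for `X509_GENERATION_COMPLETE`, and the generator side of this patch appends that flag in `x509v3_create_cert` while the CA chain path is only written by `x509v3_dump_env`'s later full rewrite, so the two can be observed out of order. A missing value here means `update-ca-certificates` runs without the CIAB CA and every later HTTPS call from the origin fails with an opaque trust error. I would add `: "${X509_CA_CERT_FULL_CHAIN_FILE:?not set in $X509_CA_ENV_FILE}"` after `done` and quote the copy, `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates`.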
diff --git a/infrastructure/cdn-in-a-box/traffic_monitor/run.sh b/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
index b2ad4dd..b40bfc6 100755
--- a/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_monitor/run.sh
@@ -44,14 +44,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
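Review bot: The second loop never times out and never reports what it is still missing beyond "X509 vars to be defined", so if the generator dies the monitor container logs that line every second forever; a counter with a cap, e.g. `(( ++tries > 600 )) && { echo "timed out waiting for $X509_CA_ENV_FILE" >&2; exit 1; }` inside the loop, turns a silent hang into a diagnosable failure. Separately, the flag is not the same thing as the variable used next: the `cp` needs `X509_CA_CERT_FULL_CHAIN_FILE`, which per the generate-certs hunks is written by a different step than the flag, so guard it with `: "${X509_CA_CERT_FULL_CHAIN_FILE:?}"` and quote it in the `cp`.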
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/config.sh b/infrastructure/cdn-in-a-box/traffic_ops/config.sh
index bbefc7e..22619ad 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/config.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/config.sh
@@ -42,12 +42,20 @@ do
 	if [[ -z $$v ]]; then echo "$v is unset"; exit 1; fi
 done
 
-until [ -f "$X509_CA_DONE_FILE" ] ; do
+until [[ -f "$X509_CA_ENV_FILE" ]]
+do
   echo "Waiting on SSL certificate generation."
   sleep 2
 done
 
-source "$X509_CA_ENV_FILE"
+# these expected to be stored in $X509_CA_ENV_FILE, but a race condition could render the contents
+# blank until it gets sync'd.  Ensure vars defined before writing cdn.conf.
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Add the CA certificate to sysem TLS trust store
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
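Review bot: The new comment correctly names the race, but the fix only waits for `X509_GENERATION_COMPLETE`; the variables this script goes on to use (`X509_CA_CERT_FULL_CHAIN_FILE` here, and whatever cdn.conf needs below this hunk) are written by the generator in a different step, so they can still be empty when the loop exits and the `cp` on the next line runs with an empty first argument. Assert the ones you need right after the loop, `: "${X509_CA_CERT_FULL_CHAIN_FILE:?missing from $X509_CA_ENV_FILE}"`, and quote the `cp`. Note also that the variable check at the top of the hunk, `if [[ -z $$v ]]`, tests the string "<pid>v" rather than the named variable, so it never fires; it presumably meant `if [[ -z "${!v}" ]]`, which matters more now that config.sh is run unconditionally from run-go.sh.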
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh b/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
index 790118c..e879f0e 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/generate-certs.sh
@@ -72,7 +72,6 @@ x509v3_init()
 
   export X509_CA_CERT_FULL_CHAIN_FILE="$X509_CA_DIR/${X509_CA_NAME}-fullchain.crt"
   export X509_CA_ENV_FILE="$X509_CA_DIR/environment"
-  export X509_CA_DONE_FILE="$X509_CA_DIR/completed"
 
   # If no X509_CA directory exists, create it
   if [ -d "$X509_CA_DIR" ] ; then
@@ -405,6 +404,7 @@ x509v3_create_cert()
   echo "X509_${env_name}_CERT_FILE=\"$cert_file\"" >> "$X509_CA_ENV_FILE"
   echo "X509_${env_name}_KEY_FILE=\"$key_file\"" >> "$X509_CA_ENV_FILE"
   echo "X509_${env_name}_REQUEST_FILE=\"$request_file\"" >> "$X509_CA_ENV_FILE"
+  echo "X509_GENERATION_COMPLETE=\"YES\"" >> "$X509_CA_ENV_FILE"
 }
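Review bot: The completion flag is appended at the end of `x509v3_create_cert`, which judging by its name runs once per certificate, so the first certificate marks generation "complete" while later certificates, and the CA variables that `x509v3_dump_env` writes afterwards, are still pending; every consumer on this page exits its wait on this flag. The flag is also written to the file but not set in the generator shell, and the `x509v3_dump_env` hunk regenerates the file from `set | grep '^X509_'`, so unless this script sources its own env file somewhere outside the hunk the flag disappears again when the file is rewritten. I would drop this line and emit the flag once, at the very end of `x509v3_dump_env`, after the final write: `echo 'export X509_GENERATION_COMPLETE="YES"' >> "$X509_CA_ENV_FILE"`. The function's body starts outside the hunk.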
 
 
@@ -417,6 +417,5 @@ x509v3_dump_env()
   set | grep -E '^X509_' >> "$tmp_file"
   sort "$tmp_file" | uniq | sed 's/^/export /' > "$X509_CA_ENV_FILE"
   sync ; sleep 1
-  touch "$X509_CA_DONE_FILE"
   rm -f "$tmp_file"
 }
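Review bot: `sort ... > "$X509_CA_ENV_FILE"` truncates the shared file in place before refilling it, which is exactly the blank-file window the config.sh comment in this patch describes; the `sync ; sleep 1` after the write does nothing for a reader that sourced the file during the write. Write to a sibling temp file and rename, which is atomic on the same filesystem: `sort "$tmp_file" | uniq | sed 's/^/export /' > "$X509_CA_ENV_FILE.tmp"` then `mv -f "$X509_CA_ENV_FILE.tmp" "$X509_CA_ENV_FILE"`. Since every container `source`s this file as shell code, it should also not be world-writable; variables.env on this page sets `X509_CA_UMASK=0000`, and if that umask is in effect here a `chmod 0644 "$X509_CA_ENV_FILE"` before the rename is warranted. The function's start is outside the hunk.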
diff --git a/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh b/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
index 4ba9de1..cbb6434 100755
--- a/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
+++ b/infrastructure/cdn-in-a-box/traffic_ops/run-go.sh
@@ -48,15 +48,8 @@ insert-self-into-dns.sh
 # Source to-access functions and FQDN vars
 source /to-access.sh
 
-until [ -f "$X509_CA_DONE_FILE" ] ; do
-   echo "Waiting on SSL certificate generation."
-   sleep 2
-done
-
 # Write config files
-if [[ -x /config.sh ]]; then
-	/config.sh
-fi
+/config.sh
 
 while ! nc "$TO_PERL_FQDN" $TO_PERL_PORT </dev/null 2>/dev/null; do
         echo "waiting for $TO_PERL_FQDN:$TO_PERL_PORT" 
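Review bot: `/config.sh` is run as a child process, so the `source "$X509_CA_ENV_FILE"` that this patch moves into config.sh populates config.sh's shell, not this one; combined with the removal of the `source` further down in this file, run-go.sh itself no longer has any of the X509_* variables unless they arrive from somewhere outside the hunks. Dropping the `-x` guard is fine, but the exit status is now ignored too, and config.sh does `exit 1` on an unset variable, so a failed config write is followed by a Traffic Ops start against a half-written cdn.conf unless this script runs under `set -e` (not visible here). I would write `/config.sh || { echo "config.sh failed" >&2; exit 1; }`.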
@@ -94,7 +87,6 @@ while true; do
 done
 
 ### Add SSL keys for demo1 delivery service
-source "$X509_CA_ENV_FILE"
 demo1_sslkeys_verified=false
 demo1_version=1
 while [[ "$demo1_sslkeys_verified" = false ]]; do
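Review bot: Removing `source "$X509_CA_ENV_FILE"` here looks like it relies on config.sh having sourced the file, but config.sh is executed, not sourced, earlier in this script, so nothing it reads is visible in this shell; if the demo1 key-loading loop below (its body is outside the hunk) references any `X509_DEMO1_*` or `X509_CA_*` variable, those are now unset. If that is the case, keep a guarded source at this point, e.g. `until [[ -n "$X509_GENERATION_COMPLETE" ]]; do source "$X509_CA_ENV_FILE"; sleep 1; done`, matching the other scripts in this patch. If the block really no longer needs the variables, a one-line comment saying so would stop the next reader from re-adding the source.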
diff --git a/infrastructure/cdn-in-a-box/traffic_portal/run.sh b/infrastructure/cdn-in-a-box/traffic_portal/run.sh
index 4217576..e350594 100755
--- a/infrastructure/cdn-in-a-box/traffic_portal/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_portal/run.sh
@@ -33,14 +33,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
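Review bot: The loop's exit condition (`X509_GENERATION_COMPLETE` non-empty) does not cover `X509_CA_CERT_FULL_CHAIN_FILE`, which the `cp` on the next line uses unquoted; the generate-certs hunks on this page write the flag and the chain path in different steps, so the copy can run with an empty argument and the portal then serves without the CIAB CA in its trust store. Guard and quote: `: "${X509_CA_CERT_FULL_CHAIN_FILE:?not set in $X509_CA_ENV_FILE}"` then `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors`. The `sleep 1; source` loop is also unbounded, so consider a capped retry that exits non-zero.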
diff --git a/infrastructure/cdn-in-a-box/traffic_router/run.sh b/infrastructure/cdn-in-a-box/traffic_router/run.sh
index 77ab502..e7a935a 100755
--- a/infrastructure/cdn-in-a-box/traffic_router/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_router/run.sh
@@ -55,14 +55,19 @@ export TO_PROPERTIES TM_PROPERTIES
 export CATALINA_HOME CATALINA_BASE CATALINA_OPTS CATALINA_OUT CATALINA_PID
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
 cp $X509_CA_ROOT_CERT_FILE $CATALINA_BASE/conf
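Review bot: This script consumes a different variable than the others, `X509_CA_ROOT_CERT_FILE`, yet the wait only checks `X509_GENERATION_COMPLETE`; nothing in the visible generate-certs hunks writes the root-cert path in the same step as the flag, so the `cp` into `$CATALINA_BASE/conf` can run before that variable exists, and both operands are unquoted. Add `: "${X509_CA_ROOT_CERT_FILE:?not set in $X509_CA_ENV_FILE}"` after the loop and write `cp "$X509_CA_ROOT_CERT_FILE" "$CATALINA_BASE/conf"`. A comment naming which variables this script needs from the env file would make the dependency explicit for whoever next changes generate-certs.sh.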
diff --git a/infrastructure/cdn-in-a-box/traffic_stats/run-influxdb.sh b/infrastructure/cdn-in-a-box/traffic_stats/run-influxdb.sh
index c35f776..9ec16a5 100755
--- a/infrastructure/cdn-in-a-box/traffic_stats/run-influxdb.sh
+++ b/infrastructure/cdn-in-a-box/traffic_stats/run-influxdb.sh
@@ -26,14 +26,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ]
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source "$X509_CA_ENV_FILE"
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Copy the CIAB-CA certificate to here so it can be added to the trust store
 cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates
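Review bot: The wait ends on `X509_GENERATION_COMPLETE` alone, but the generator hunks on this page emit that flag per certificate from `x509v3_create_cert` while `X509_CA_CERT_FULL_CHAIN_FILE` only lands in the file via the later `x509v3_dump_env` rewrite, so the quoted `cp` below can still see an empty path. A single line after `done`, `: "${X509_CA_CERT_FULL_CHAIN_FILE:?missing from $X509_CA_ENV_FILE}"`, closes that gap. Given this identical block now appears in a dozen scripts that all source `/to-access.sh`, a shared `wait_for_x509_env` helper there would be the natural home for both the loop and the check.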
diff --git a/infrastructure/cdn-in-a-box/traffic_stats/run.sh b/infrastructure/cdn-in-a-box/traffic_stats/run.sh
index d5cb6dd..cb580f4 100755
--- a/infrastructure/cdn-in-a-box/traffic_stats/run.sh
+++ b/infrastructure/cdn-in-a-box/traffic_stats/run.sh
@@ -43,14 +43,19 @@ insert-self-into-dns.sh
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ]
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
   echo "Waiting on Shared SSL certificate generation"
   sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source $X509_CA_ENV_FILE
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Trust the CIAB-CA at the System level
 cp $X509_CA_CERT_FULL_CHAIN_FILE /etc/pki/ca-trust/source/anchors
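Review bot: The loop sources the shared env file repeatedly but exits only on the sentinel, so the `cp` beneath it can run while `X509_CA_CERT_FULL_CHAIN_FILE` is still unset (the generator writes the sentinel and the chain path in separate steps in the hunks above), and the unquoted expansion then makes `cp` see a single argument. Guard it with `: "${X509_CA_CERT_FULL_CHAIN_FILE:?}"` and quote it: `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /etc/pki/ca-trust/source/anchors`. A `# second wait: the file is created before its contents are complete` comment above the loop would explain the two-stage wait.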
diff --git a/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh b/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
index 94b6a1e..85e72fd 100644
--- a/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
+++ b/infrastructure/cdn-in-a-box/traffic_vault/prestart.d/00-config.sh
@@ -20,14 +20,19 @@
 source /to-access.sh
 
 # Wait on SSL certificate generation
-until [ -f "$X509_CA_DONE_FILE" ] 
+until [[ -f "$X509_CA_ENV_FILE" ]]
 do
      echo "Waiting on Shared SSL certificate generation"
      sleep 3
 done
 
 # Source the CIAB-CA shared SSL environment
-source "$X509_CA_ENV_FILE"
+until [[ -n "$X509_GENERATION_COMPLETE" ]]
+do
+  echo "Waiting on X509 vars to be defined"
+  sleep 1
+  source "$X509_CA_ENV_FILE"
+done
 
 # Copy the CIAB-CA certificate to the traffic_router conf so it can be added to the trust store
 cp $X509_CA_CERT_FULL_CHAIN_FILE /usr/local/share/ca-certificates
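Review bot: Nothing after the loop verifies that `X509_CA_CERT_FULL_CHAIN_FILE` was actually defined by the sourced file; the loop only proves the sentinel was read, and the generator hunks on this page write the sentinel and the chain path at different times, so the `cp` can run with an empty, unquoted first argument and the vault then lacks the CIAB CA. Add `: "${X509_CA_CERT_FULL_CHAIN_FILE:?not set in $X509_CA_ENV_FILE}"` after `done` and write `cp "$X509_CA_CERT_FULL_CHAIN_FILE" /usr/local/share/ca-certificates`. As with the other consumers, the `sleep 1; source` loop has no bound and will spin forever if certificate generation fails.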
diff --git a/infrastructure/cdn-in-a-box/variables.env b/infrastructure/cdn-in-a-box/variables.env
index cca9308..098788f 100644
--- a/infrastructure/cdn-in-a-box/variables.env
+++ b/infrastructure/cdn-in-a-box/variables.env
@@ -35,7 +35,6 @@ X509_CA_UMASK=0000
 X509_CA_DIR=/shared/ssl
 X509_CA_PERSIST_DIR=/ca
 X509_CA_PERSIST_ENV_FILE=/ca/environment
-X509_CA_DONE_FILE=/shared/ssl/completed
 X509_CA_ENV_FILE=/shared/ssl/environment
 DB_NAME=traffic_ops
 DB_PORT=5432