dewrich closed pull request #2329: TO postinstall - generateCert no longer 
overwrites cdn.conf
URL: https://github.com/apache/incubator-trafficcontrol/pull/2329
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/traffic_ops/install/bin/generateCert 
b/traffic_ops/install/bin/generateCert
index 713288f01..eafce341e 100755
--- a/traffic_ops/install/bin/generateCert
+++ b/traffic_ops/install/bin/generateCert
@@ -21,9 +21,7 @@ use lib qw(/opt/traffic_ops/install/lib 
/opt/traffic_ops/app/local/lib/perl5 /op
 
 use JSON;
 use InstallUtils;
-use File::Temp;
 use Data::Dumper;
-use File::Copy;
 
 my $ca       = "/etc/pki/tls/certs/localhost.ca";
 my $csr      = "/etc/pki/tls/certs/localhost.csr";
@@ -43,62 +41,40 @@ my $msg      = << 'EOF';
 
 EOF
 
-sub writeCdn_conf {
+# Check the cdn.conf for the cert and key file references -- abort if they 
don't match what's defined here
+# This normally wouldn't happen unless the user modified the cdn.conf to 
reference different file names, and in that
+# case, they're probably generating certs outside of this anyway: this check 
is just here for safety..
+sub checkCdnConf {
        my $cdn_conf = shift;
+       my $conf;
+       # load cdn.conf
+       {
+               local $/;  # slurp mode
+               open my $fh, '<', $cdn_conf or die "Cannot load $cdn_conf\n";
+               $conf = decode_json(scalar <$fh>);
+       }
 
+       my $listen = $conf->{hypnotoad}{listen}[0];
+       my $msg;
 
-       # load as perl hash to find string to be replaced
-       my $cdnh = do $cdn_conf;
-
-       # get existing port, if any
-       my $listen = $cdnh->{hypnotoad}{listen}[0];
-       my ($port) = $listen =~ /:(\d+)/;
-       if (!defined($port)) {
-                       $port = 60443;
+       if (!defined $listen) {
+               my $msg = <<"EOF";
+       The "listen" portion of $cdn_conf is missing from $cdn_conf.
+       Please ensure it contains the same structure as the one originally 
installed.
+EOF
        }
-       # listen param to be inserted
-       my $listen_str = 
"https://[::]:${port}?cert=${cert}&key=${key}&ca=${ca}&verify=0x00&ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED";;
 
-       if ( exists $cdnh->{hypnotoad} ) {
-               $cdnh->{hypnotoad}{listen} = [$listen_str];
-       }
-       else {
-
-               # add the whole hypnotoad config without affecting anything 
else in the config
-               $cdnh->{hypnotoad} = {
-                       listen   => [$listen_str],
-                       user     => 'trafops',
-                       group    => 'trafops',
-                       pid_file => '/var/run/traffic_ops.pid',
-                       workers  => 48,
-               };
+       if ($listen !~ m@cert=$cert@ || $listen !~ m@key=$key@) {
+               $msg = << "EOF";
+       The "listen" portion of $cdn_conf is:
+       $listen
+       and does not reference the same "cert=" and "key=" values as are 
created here.
+       Please modify $cdn_conf to add the following as parameters:
+       ?cert=$cert&key=$key
+EOF
        }
 
-       # dump conf data in compact but readable form
-       my $dumper = Data::Dumper->new( [$cdnh] );
-       $dumper->Indent(1)->Terse(1)->Quotekeys(0);
-
-       # write whole config to temp file in pwd (keeps in same filesystem)
-       my $tmpfile = File::Temp->new(DIR => '.');
-       print $tmpfile $dumper->Dump();
-       close $tmpfile;
-
-       # make backup of current file
-       my $backup_num = 0;
-       my $backup_name;
-       do {
-               $backup_num++;
-               $backup_name = "$cdn_conf.backup$backup_num";
-       } while ( -e $backup_name );
-       rename( $cdn_conf, $backup_name ) or die("rename(): $!");
-
-       # rename temp file to cdn.conf and set ownership/permissions same as 
backup
-       my @stats = stat($backup_name);
-       my ( $uid, $gid, $perm ) = @stats[ 4, 5, 2 ];
-       move( "$tmpfile", $cdn_conf ) or die("move(): $!");
-
-       chown $uid, $gid, $cdn_conf;
-       chmod $perm, $cdn_conf;
+       return $msg;
 }
 
 InstallUtils::execCommand( "/usr/bin/tput", "clear" );
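Review bot: The `my $msg = <<"EOF";` inside `if (!defined $listen)` declares a new lexical that is discarded at the block's closing brace, so the outer `$msg` declared just above stays undef and the "listen portion is missing" text is never returned; control then falls through to `if ($listen !~ m@cert=$cert@ || $listen !~ m@key=$key@)` with `$listen` undef, both `!~` tests succeed, and the caller gets the mismatch message with an empty listen value interpolated (plus uninitialized-value warnings if warnings are enabled earlier in the file). Drop the `my` so the assignment reaches the outer variable and leave the sub right after the heredoc, `$msg = <<"EOF";` … `return $msg;`, or make the second test an `elsif`. The two patterns also interpolate file paths unescaped, so every `.` in the path matches any character and a sibling file name can pass the check; `if ($listen !~ m@cert=\Q$cert\E@ || $listen !~ m@key=\Q$key\E@) {` pins the literal paths. `$cert` and `$key` are assigned outside this hunk, so their values are not visible here.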
@@ -195,8 +171,6 @@ if ( $result != 0 ) {
 $result = InstallUtils::execCommand( "/bin/chmod", "664",             "$csr" );
 $result = InstallUtils::execCommand( "/bin/chown", "trafops:trafops", "$csr" );
 
-writeCdn_conf($cdn_conf);
-
 my $msg = << 'EOF';
 
        The self signed certificate has now been installed. 
@@ -210,4 +184,10 @@ EOF
 
 print $msg, "\n";
 
+my $error = checkCdnConf($cdn_conf);
+if ($error) {
+       print $error;
+       exit 1;
+}
+
 exit 0;
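Review bot: The diagnostic at `print $error;` is written to STDOUT, interleaved with the success banner printed two lines above it, so a postinstall caller that captures output cannot separate the failure text from normal output even though the exit status is 1; `print STDERR $error;` (or `warn $error;`) keeps the message on the channel a caller would check for errors. Because `checkCdnConf($cdn_conf)` runs only after the certificate commands and after "The self signed certificate has now been installed." has been printed, a cdn.conf that does not reference the new cert is reported last; if that ordering is intended it is fine, otherwise running the check before the certificate is generated would surface the mismatch first. The certificate-generation commands are in earlier hunks and outside this one.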


 
