def get_haproxy_config(listener_id): _check_listener_exists(listener_id) with open(util.config_path(listener_id), 'r') as file: cfg = file.read() resp = flask.Response(cfg, mimetype='text/plain', ) resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest() return resp
def _check_listener_exists(listener_id): # check if we know about that listener if not os.path.exists(util.config_path(listener_id)): raise exceptions.HTTPException( response=flask.make_response(flask.jsonify(dict( message='Listener Not Found', details="No listener with UUID: {0}".format( listener_id))), 404))
def _check_listener_exists(self, listener_id): # check if we know about that listener if not os.path.exists(util.config_path(listener_id)): raise exceptions.HTTPException( response=webob.Response(json=dict( message='Listener Not Found', details="No listener with UUID: {0}".format( listener_id)), status=404))
def upload_haproxy_config(listener_id): stream = Wrapped(flask.request.stream) if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') with open(name, 'w') as file: b = stream.read(BUFFER) while (b): file.write(b) b = stream.read(BUFFER) # use haproxy to check the config cmd = "haproxy -c -f {config_file}".format(config_file=name) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to verify haproxy file: %s", e) os.remove(name) # delete file return flask.make_response(flask.jsonify(dict( message="Invalid request", details=e.output)), 400) # file ok - move it os.rename(name, util.config_path(listener_id)) if not os.path.exists(util.upstart_path(listener_id)): with open(util.upstart_path(listener_id), 'w') as text_file: text = template.render( haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=util.CONF.haproxy_amphora.respawn_interval ) text_file.write(text) res = flask.make_response(flask.jsonify({ 'message': 'OK'}), 202) res.headers['ETag'] = stream.get_md5() return res
def get_haproxy_config(self, listener_id): """Gets the haproxy config :param listener_id: the id of the listener """ self._check_listener_exists(listener_id) with open(util.config_path(listener_id), 'r') as file: cfg = file.read() resp = webob.Response(cfg, content_type='text/plain') resp.headers['ETag'] = hashlib.md5(six.b(cfg)).hexdigest() # nosec return resp
def _check_listener_status(self, listener_id): if os.path.exists(util.pid_path(listener_id)): if os.path.exists( os.path.join('/proc', util.get_haproxy_pid(listener_id))): # Check if the listener is disabled with open(util.config_path(listener_id), 'r') as file: cfg = file.read() m = re.search('frontend {}'.format(listener_id), cfg) if m: return consts.ACTIVE return consts.OFFLINE else: # pid file but no process... return consts.ERROR else: return consts.OFFLINE
def test_get_haproxy(self, mock_exists): CONTENT = "bibble\nbibble" mock_exists.side_effect = [False] rv = self.app.get('/' + api_server.VERSION + '/listeners/123/haproxy') self.assertEqual(404, rv.status_code) mock_exists.side_effect = [True] path = util.config_path('123') self.useFixture(test_utils.OpenFixture(path, CONTENT)) rv = self.app.get('/' + api_server.VERSION + '/listeners/123/haproxy') self.assertEqual(200, rv.status_code) self.assertEqual(six.b(CONTENT), rv.data) self.assertEqual('text/plain; charset=utf-8', rv.headers['Content-Type'])
def test_check_listener_status(self, mock_pid, mock_exists): mock_pid.return_value = '1245' mock_exists.side_effect = [True, True] config_path = agent_util.config_path(LISTENER_ID1) file_contents = 'frontend {}'.format(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(config_path, file_contents)) self.assertEqual( consts.ACTIVE, listener._check_listener_status(LISTENER_ID1)) mock_exists.side_effect = [True, False] self.assertEqual( consts.ERROR, listener._check_listener_status(LISTENER_ID1)) mock_exists.side_effect = [False] self.assertEqual( consts.OFFLINE, listener._check_listener_status(LISTENER_ID1))
def _parse_haproxy_file(self, listener_id): with open(util.config_path(listener_id), 'r') as file: cfg = file.read() m = re.search('mode\s+(http|tcp)', cfg) if not m: raise ParsingError() mode = m.group(1).upper() m = re.search('stats socket\s+(\S+)', cfg) if not m: raise ParsingError() stats_socket = m.group(1) m = re.search('ssl crt\s+(\S+)', cfg) ssl_crt = None if m: ssl_crt = m.group(1) mode = 'TERMINATED_HTTPS' return dict(mode=mode, stats_socket=stats_socket, ssl_crt=ssl_crt)
def _parse_haproxy_file(listener_id): with open(util.config_path(listener_id), 'r') as file: cfg = file.read() m = re.search('mode\s+(http|tcp)', cfg) if not m: raise ParsingError() mode = m.group(1).upper() m = re.search('stats socket\s+(\S+)', cfg) if not m: raise ParsingError() stats_socket = m.group(1) m = re.search('ssl crt\s+(\S+)', cfg) ssl_crt = None if m: ssl_crt = m.group(1) mode = 'TERMINATED_HTTPS' return dict(mode=mode, stats_socket=stats_socket, ssl_crt=ssl_crt)
def test_parse_haproxy_config(self): # template_tls tls_tupe = sample_configs.sample_tls_container_tuple( certificate='imaCert1', private_key='imaPrivateKey1', primary_cn='FakeCN') rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple(proto='TERMINATED_HTTPS', tls=True, sni=True), tls_tupe) path = agent_util.config_path(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TERMINATED_HTTPS', res['mode']) self.assertEqual('/var/lib/octavia/sample_listener_id_1.sock', res['stats_socket']) self.assertEqual( '/var/lib/octavia/certs/sample_listener_id_1/FakeCN.pem', res['ssl_crt']) # render_template_tls_no_sni rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple( proto='TERMINATED_HTTPS', tls=True), tls_cert=sample_configs.sample_tls_container_tuple( certificate='ImAalsdkfjCert', private_key='ImAsdlfksdjPrivateKey', primary_cn="FakeCN")) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TERMINATED_HTTPS', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertEqual( BASE_CRT_PATH + '/sample_listener_id_1/FakeCN.pem', res['ssl_crt']) # render_template_http rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple()) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('HTTP', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertIsNone(res['ssl_crt']) # template_https rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple(proto='HTTPS')) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TCP', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertIsNone(res['ssl_crt']) # Bogus format self.useFixture(test_utils.OpenFixture(path, 'Bogus')) try: res = listener._parse_haproxy_file(LISTENER_ID1) self.fail("No Exception?") except listener.ParsingError: pass
def upload_haproxy_config(self, amphora_id, listener_id): """Upload the haproxy config :param amphora_id: The id of the amphora to update :param listener_id: The id of the listener """ stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC # mode 00600 mode = stat.S_IRUSR | stat.S_IWUSR b = stream.read(BUFFER) s_io = io.StringIO() while b: # Write haproxy configuration to StringIO s_io.write(b.decode('utf8')) b = stream.read(BUFFER) # Since haproxy user_group is now auto-detected by the amphora agent, # remove it from haproxy configuration in case it was provided # by an older Octavia controller. This is needed in order to prevent # a duplicate entry for 'group' in haproxy configuration, which will # result an error when haproxy starts. new_config = re.sub(r"\s+group\s.+", "", s_io.getvalue()) # Handle any haproxy version compatibility issues new_config = haproxy_compatibility.process_cfg_for_version_compat( new_config) with os.fdopen(os.open(name, flags, mode), 'w') as file: file.write(new_config) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file} -f {haproxy_ug}".format( config_file=name, peer=peer_name, haproxy_ug=consts.HAPROXY_USER_GROUP_CFG) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error("Failed to verify haproxy file: %s %s", e, e.output) # Save the last config that failed validation for debugging os.rename(name, ''.join([name, '-failed'])) return webob.Response( json=dict(message="Invalid request", details=e.output), status=400) # file ok - move it os.rename(name, util.config_path(listener_id)) try: init_system = util.get_os_init_system() LOG.debug('Found init system: %s', init_system) init_path = util.init_path(listener_id, init_system) if init_system == consts.INIT_SYSTEMD: template = SYSTEMD_TEMPLATE # Render and install the network namespace systemd service util.install_netns_systemd_service() util.run_systemctl_command( consts.ENABLE, consts.AMP_NETNS_SVC_PREFIX + '.service') elif init_system == consts.INIT_UPSTART: template = UPSTART_TEMPLATE elif init_system == consts.INIT_SYSVINIT: template = SYSVINIT_TEMPLATE init_enable_cmd = "insserv {file}".format(file=init_path) else: raise util.UnknownInitError() except util.UnknownInitError: LOG.error("Unknown init system found.") return webob.Response(json=dict( message="Unknown init system in amphora", details="The amphora image is running an unknown init " "system. We can't create the init configuration " "file for the load balancing process."), status=500) if init_system == consts.INIT_SYSTEMD: # mode 00644 mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) else: # mode 00755 mode = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) hap_major, hap_minor = haproxy_compatibility.get_haproxy_versions() if not os.path.exists(init_path): with os.fdopen(os.open(init_path, flags, mode), 'w') as text_file: text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), haproxy_user_group_cfg=consts.HAPROXY_USER_GROUP_CFG, respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=(util.CONF.haproxy_amphora. respawn_interval), amphora_netns=consts.AMP_NETNS_SVC_PREFIX, amphora_nsname=consts.AMPHORA_NAMESPACE, HasIFUPAll=self._osutils.has_ifup_all(), haproxy_major_version=hap_major, haproxy_minor_version=hap_minor ) text_file.write(text) # Make sure the new service is enabled on boot if init_system == consts.INIT_SYSTEMD: util.run_systemctl_command( consts.ENABLE, "haproxy-{list}".format(list=listener_id)) elif init_system == consts.INIT_SYSVINIT: try: subprocess.check_output(init_enable_cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error("Failed to enable haproxy-%(list)s service: " "%(err)s %(out)s", {'list': listener_id, 'err': e, 'out': e.output}) return webob.Response(json=dict( message="Error enabling haproxy-{0} service".format( listener_id), details=e.output), status=500) res = webob.Response(json={'message': 'OK'}, status=202) res.headers['ETag'] = stream.get_md5() return res
def test_parse_haproxy_config(self): self.CONF.config(group="haproxy_amphora", base_cert_dir='/fake_cert_dir') FAKE_CRT_LIST_FILENAME = os.path.join( CONF.haproxy_amphora.base_cert_dir, 'sample_loadbalancer_id_1/sample_listener_id_1.pem') rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [ sample_configs_combined.sample_listener_tuple( proto='TERMINATED_HTTPS', tls=True, sni=True) ]) path = util.config_path(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] # NOTE: parse_haproxy_file makes mode TERMINATED_HTTPS even though # the haproxy.cfg needs mode HTTP self.assertEqual('TERMINATED_HTTPS', listener_dict['mode']) self.assertEqual('/var/lib/octavia/sample_loadbalancer_id_1.sock', res[0]) self.assertEqual(FAKE_CRT_LIST_FILENAME, listener_dict['ssl_crt']) # render_template_tls_no_sni rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [ sample_configs_combined.sample_listener_tuple( proto='TERMINATED_HTTPS', tls=True) ]) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('TERMINATED_HTTPS', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertEqual(FAKE_CRT_LIST_FILENAME, listener_dict['ssl_crt']) # render_template_http rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [sample_configs_combined.sample_listener_tuple()]) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('HTTP', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertIsNone(listener_dict.get('ssl_crt', None)) # template_https rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [sample_configs_combined.sample_listener_tuple(proto='HTTPS')]) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('TCP', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertIsNone(listener_dict.get('ssl_crt', None)) # Bogus format self.useFixture(test_utils.OpenFixture(path, 'Bogus')) try: res = util.parse_haproxy_file(LISTENER_ID1) self.fail("No Exception?") except util.ParsingError: pass # Bad listener mode fake_cfg = 'stats socket foo\nfrontend {}\nmode\n'.format(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, fake_cfg)) self.assertRaises(util.ParsingError, util.parse_haproxy_file, LISTENER_ID1)
def test_parse_haproxy_config(self): # template_tls tls_tupe = sample_configs.sample_tls_container_tuple( id='tls_container_id', certificate='imaCert1', private_key='imaPrivateKey1', primary_cn='FakeCN') rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple(proto='TERMINATED_HTTPS', tls=True, sni=True), tls_tupe) path = agent_util.config_path(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = self.test_listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TERMINATED_HTTPS', res['mode']) self.assertEqual('/var/lib/octavia/sample_listener_id_1.sock', res['stats_socket']) self.assertEqual( '/var/lib/octavia/certs/sample_listener_id_1/tls_container_id.pem', res['ssl_crt']) # render_template_tls_no_sni rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple(proto='TERMINATED_HTTPS', tls=True), tls_cert=sample_configs.sample_tls_container_tuple( id='tls_container_id', certificate='ImAalsdkfjCert', private_key='ImAsdlfksdjPrivateKey', primary_cn="FakeCN")) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = self.test_listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TERMINATED_HTTPS', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertEqual( BASE_CRT_PATH + '/sample_listener_id_1/tls_container_id.pem', res['ssl_crt']) # render_template_http rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple()) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = self.test_listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('HTTP', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertIsNone(res['ssl_crt']) # template_https rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs.sample_amphora_tuple(), sample_configs.sample_listener_tuple(proto='HTTPS')) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = self.test_listener._parse_haproxy_file(LISTENER_ID1) self.assertEqual('TCP', res['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_listener_id_1.sock', res['stats_socket']) self.assertIsNone(res['ssl_crt']) # Bogus format self.useFixture(test_utils.OpenFixture(path, 'Bogus')) try: res = self.test_listener._parse_haproxy_file(LISTENER_ID1) self.fail("No Exception?") except listener.ParsingError: pass
def upload_haproxy_config(amphora_id, listener_id): stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC # mode 00600 mode = stat.S_IRUSR | stat.S_IWUSR with os.fdopen(os.open(name, flags, mode), 'w') as file: b = stream.read(BUFFER) while (b): file.write(b) b = stream.read(BUFFER) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file}".format(config_file=name, peer=peer_name) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to verify haproxy file: %s", e) os.remove(name) # delete file return flask.make_response( flask.jsonify(dict(message="Invalid request", details=e.output)), 400) # file ok - move it os.rename(name, util.config_path(listener_id)) use_upstart = util.CONF.haproxy_amphora.use_upstart file = util.init_path(listener_id) # mode 00755 mode = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) if not os.path.exists(file): with os.fdopen(os.open(file, flags, mode), 'w') as text_file: template = UPSTART_TEMPLATE if use_upstart else SYSVINIT_TEMPLATE text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=util.CONF.haproxy_amphora.respawn_interval, amphora_nsname=consts.AMPHORA_NAMESPACE) text_file.write(text) if not use_upstart: insrvcmd = ("insserv {file}".format(file=file)) try: subprocess.check_output(insrvcmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to make %(file)s executable: %(err)s", { 'file': file, 'err': e }) return flask.make_response( flask.jsonify( dict(message="Error making file {0} executable".format( file), details=e.output)), 500) res = flask.make_response(flask.jsonify({'message': 'OK'}), 202) res.headers['ETag'] = stream.get_md5() return res
def upload_haproxy_config(self, amphora_id, listener_id): """Upload the haproxy config :param amphora_id: The id of the amphora to update :param listener_id: The id of the listener """ stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC # mode 00600 mode = stat.S_IRUSR | stat.S_IWUSR with os.fdopen(os.open(name, flags, mode), 'wb') as file: b = stream.read(BUFFER) while (b): file.write(b) b = stream.read(BUFFER) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file}".format(config_file=name, peer=peer_name) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error(_LE("Failed to verify haproxy file: %s"), e) os.remove(name) # delete file return flask.make_response( flask.jsonify(dict(message="Invalid request", details=e.output)), 400) # file ok - move it os.rename(name, util.config_path(listener_id)) try: init_system = util.get_os_init_system() LOG.debug('Found init system: {0}'.format(init_system)) init_path = util.init_path(listener_id, init_system) if init_system == consts.INIT_SYSTEMD: template = SYSTEMD_TEMPLATE init_enable_cmd = "systemctl enable haproxy-{list}".format( list=listener_id) elif init_system == consts.INIT_UPSTART: template = UPSTART_TEMPLATE elif init_system == consts.INIT_SYSVINIT: template = SYSVINIT_TEMPLATE init_enable_cmd = "insserv {file}".format(file=init_path) else: raise util.UnknownInitError() except util.UnknownInitError: LOG.error(_LE("Unknown init system found.")) return flask.make_response( flask.jsonify( dict( message="Unknown init system in amphora", details="The amphora image is running an unknown init " "system. We can't create the init configuration " "file for the load balancing process.")), 500) if init_system == consts.INIT_SYSTEMD: # mode 00644 mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) else: # mode 00755 mode = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) if not os.path.exists(init_path): with os.fdopen(os.open(init_path, flags, mode), 'w') as text_file: text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=( util.CONF.haproxy_amphora.respawn_interval), amphora_nsname=consts.AMPHORA_NAMESPACE, HasIFUPAll=self._osutils.has_ifup_all()) text_file.write(text) # Make sure the new service is enabled on boot if init_system != consts.INIT_UPSTART: try: subprocess.check_output(init_enable_cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error( _LE("Failed to enable haproxy-%(list)s " "service: %(err)s"), { 'list': listener_id, 'err': e }) return flask.make_response( flask.jsonify( dict(message="Error enabling haproxy-{0} service". format(listener_id), details=e.output)), 500) res = flask.make_response(flask.jsonify({'message': 'OK'}), 202) res.headers['ETag'] = stream.get_md5() return res
def upload_haproxy_config(amphora_id, listener_id): stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') with open(name, 'w') as file: b = stream.read(BUFFER) while (b): file.write(b) b = stream.read(BUFFER) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file}".format(config_file=name, peer=peer_name) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to verify haproxy file: %s", e) os.remove(name) # delete file return flask.make_response(flask.jsonify(dict( message="Invalid request", details=e.output)), 400) # file ok - move it os.rename(name, util.config_path(listener_id)) use_upstart = util.CONF.haproxy_amphora.use_upstart if not os.path.exists(util.init_path(listener_id)): with open(util.init_path(listener_id), 'w') as text_file: template = UPSTART_TEMPLATE if use_upstart else SYSVINIT_TEMPLATE text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=util.CONF.haproxy_amphora.respawn_interval ) text_file.write(text) if not use_upstart: # make init.d script executable file = util.init_path(listener_id) permcmd = ("chmod 755 {file}".format(file=file)) insrvcmd = ("insserv {file}".format(file=file)) try: subprocess.check_output(permcmd.split(), stderr=subprocess.STDOUT) subprocess.check_output(insrvcmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to make %(file)s executable: %(err)s", {'file': file, 'err': e}) return flask.make_response(flask.jsonify(dict( message="Error making file {0} executable".format(file), details=e.output)), 500) res = flask.make_response(flask.jsonify({ 'message': 'OK'}), 202) res.headers['ETag'] = stream.get_md5() return res
def test_parse_haproxy_config(self): # template_tls tls_tupe = { 'cont_id_1': sample_configs_combined.sample_tls_container_tuple( id='tls_container_id', certificate='imaCert1', private_key='imaPrivateKey1', primary_cn='FakeCN') } rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [ sample_configs_combined.sample_listener_tuple( proto='TERMINATED_HTTPS', tls=True, sni=True) ], tls_tupe) path = util.config_path(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('TERMINATED_HTTPS', listener_dict['mode']) self.assertEqual('/var/lib/octavia/sample_loadbalancer_id_1.sock', res[0]) self.assertEqual( '/var/lib/octavia/certs/sample_loadbalancer_id_1/' 'tls_container_id.pem crt /var/lib/octavia/certs/' 'sample_loadbalancer_id_1', listener_dict['ssl_crt']) # render_template_tls_no_sni rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [ sample_configs_combined.sample_listener_tuple( proto='TERMINATED_HTTPS', tls=True) ], tls_certs={ 'cont_id_1': sample_configs_combined.sample_tls_container_tuple( id='tls_container_id', certificate='ImAalsdkfjCert', private_key='ImAsdlfksdjPrivateKey', primary_cn="FakeCN") }) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('TERMINATED_HTTPS', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertEqual( BASE_CRT_PATH + '/sample_loadbalancer_id_1/tls_container_id.pem', listener_dict['ssl_crt']) # render_template_http rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [sample_configs_combined.sample_listener_tuple()]) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('HTTP', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertIsNone(listener_dict.get('ssl_crt', None)) # template_https rendered_obj = self.jinja_cfg.render_loadbalancer_obj( sample_configs_combined.sample_amphora_tuple(), [sample_configs_combined.sample_listener_tuple(proto='HTTPS')]) self.useFixture(test_utils.OpenFixture(path, rendered_obj)) res = util.parse_haproxy_file(LISTENER_ID1) listener_dict = res[1]['sample_listener_id_1'] self.assertEqual('TCP', listener_dict['mode']) self.assertEqual(BASE_AMP_PATH + '/sample_loadbalancer_id_1.sock', res[0]) self.assertIsNone(listener_dict.get('ssl_crt', None)) # Bogus format self.useFixture(test_utils.OpenFixture(path, 'Bogus')) try: res = util.parse_haproxy_file(LISTENER_ID1) self.fail("No Exception?") except util.ParsingError: pass # Bad listener mode fake_cfg = 'stats socket foo\nfrontend {}\nmode\n'.format(LISTENER_ID1) self.useFixture(test_utils.OpenFixture(path, fake_cfg)) self.assertRaises(util.ParsingError, util.parse_haproxy_file, LISTENER_ID1)
def upload_haproxy_config(self, amphora_id, listener_id): """Upload the haproxy config :param amphora_id: The id of the amphora to update :param listener_id: The id of the listener """ stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC # mode 00600 mode = stat.S_IRUSR | stat.S_IWUSR b = stream.read(BUFFER) s_io = io.StringIO() while b: # Write haproxy configuration to StringIO s_io.write(b.decode('utf8')) b = stream.read(BUFFER) # Since haproxy user_group is now auto-detected by the amphora agent, # remove it from haproxy configuration in case it was provided # by an older Octavia controller. This is needed in order to prevent # a duplicate entry for 'group' in haproxy configuration, which will # result an error when haproxy starts. new_config = re.sub(r"\s+group\s.+", "", s_io.getvalue()) # Handle any haproxy version compatibility issues new_config = haproxy_compatibility.process_cfg_for_version_compat( new_config) with os.fdopen(os.open(name, flags, mode), 'w') as file: file.write(new_config) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file} -f {haproxy_ug}".format( config_file=name, peer=peer_name, haproxy_ug=consts.HAPROXY_USER_GROUP_CFG) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error("Failed to verify haproxy file: %s %s", e, e.output) # Save the last config that failed validation for debugging os.rename(name, ''.join([name, '-failed'])) return webob.Response(json=dict(message="Invalid request", details=e.output), status=400) # file ok - move it os.rename(name, util.config_path(listener_id)) try: init_system = util.get_os_init_system() LOG.debug('Found init system: %s', init_system) init_path = util.init_path(listener_id, init_system) if init_system == consts.INIT_SYSTEMD: template = SYSTEMD_TEMPLATE # Render and install the network namespace systemd service util.install_netns_systemd_service() util.run_systemctl_command( consts.ENABLE, consts.AMP_NETNS_SVC_PREFIX + '.service') elif init_system == consts.INIT_UPSTART: template = UPSTART_TEMPLATE elif init_system == consts.INIT_SYSVINIT: template = SYSVINIT_TEMPLATE init_enable_cmd = "insserv {file}".format(file=init_path) else: raise util.UnknownInitError() except util.UnknownInitError: LOG.error("Unknown init system found.") return webob.Response(json=dict( message="Unknown init system in amphora", details="The amphora image is running an unknown init " "system. We can't create the init configuration " "file for the load balancing process."), status=500) if init_system == consts.INIT_SYSTEMD: # mode 00644 mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) else: # mode 00755 mode = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) hap_major, hap_minor = haproxy_compatibility.get_haproxy_versions() if not os.path.exists(init_path): with os.fdopen(os.open(init_path, flags, mode), 'w') as text_file: text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), haproxy_user_group_cfg=consts.HAPROXY_USER_GROUP_CFG, respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=( util.CONF.haproxy_amphora.respawn_interval), amphora_netns=consts.AMP_NETNS_SVC_PREFIX, amphora_nsname=consts.AMPHORA_NAMESPACE, HasIFUPAll=self._osutils.has_ifup_all(), haproxy_major_version=hap_major, haproxy_minor_version=hap_minor) text_file.write(text) # Make sure the new service is enabled on boot if init_system == consts.INIT_SYSTEMD: util.run_systemctl_command( consts.ENABLE, "haproxy-{list}".format(list=listener_id)) elif init_system == consts.INIT_SYSVINIT: try: subprocess.check_output(init_enable_cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.error( "Failed to enable haproxy-%(list)s service: " "%(err)s %(out)s", { 'list': listener_id, 'err': e, 'out': e.output }) return webob.Response(json=dict( message="Error enabling haproxy-{0} service".format( listener_id), details=e.output), status=500) res = webob.Response(json={'message': 'OK'}, status=202) res.headers['ETag'] = stream.get_md5() return res
def upload_haproxy_config(self, amphora_id, listener_id): """Upload the haproxy config :param amphora_id: The id of the amphora to update :param listener_id: The id of the listener """ stream = Wrapped(flask.request.stream) # We have to hash here because HAProxy has a string length limitation # in the configuration file "peer <peername>" lines peer_name = octavia_utils.base64_sha1_string(amphora_id).rstrip('=') if not os.path.exists(util.haproxy_dir(listener_id)): os.makedirs(util.haproxy_dir(listener_id)) name = os.path.join(util.haproxy_dir(listener_id), 'haproxy.cfg.new') flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC # mode 00600 mode = stat.S_IRUSR | stat.S_IWUSR with os.fdopen(os.open(name, flags, mode), 'w') as file: b = stream.read(BUFFER) while (b): file.write(b) b = stream.read(BUFFER) # use haproxy to check the config cmd = "haproxy -c -L {peer} -f {config_file}".format(config_file=name, peer=peer_name) try: subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to verify haproxy file: %s", e) os.remove(name) # delete file return flask.make_response(flask.jsonify(dict( message="Invalid request", details=e.output)), 400) # file ok - move it os.rename(name, util.config_path(listener_id)) use_upstart = util.CONF.haproxy_amphora.use_upstart file = util.init_path(listener_id) # mode 00755 mode = (stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) if not os.path.exists(file): with os.fdopen(os.open(file, flags, mode), 'w') as text_file: template = (UPSTART_TEMPLATE if use_upstart else SYSVINIT_TEMPLATE) text = template.render( peer_name=peer_name, haproxy_pid=util.pid_path(listener_id), haproxy_cmd=util.CONF.haproxy_amphora.haproxy_cmd, haproxy_cfg=util.config_path(listener_id), respawn_count=util.CONF.haproxy_amphora.respawn_count, respawn_interval=(util.CONF.haproxy_amphora. respawn_interval), amphora_nsname=consts.AMPHORA_NAMESPACE ) text_file.write(text) if not use_upstart: insrvcmd = ("insserv {file}".format(file=file)) try: subprocess.check_output(insrvcmd.split(), stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: LOG.debug("Failed to make %(file)s executable: %(err)s", {'file': file, 'err': e}) return flask.make_response(flask.jsonify(dict( message="Error making file {0} executable".format(file), details=e.output)), 500) res = flask.make_response(flask.jsonify({ 'message': 'OK'}), 202) res.headers['ETag'] = stream.get_md5() return res