

Moving secure ports to servenv.
That way all of our binaries can have it.
alainjobart committed Mar 6, 2014
1 parent edd9d18 commit 500c34e
Showing 6 changed files with 32 additions and 39 deletions.
7 changes: 1 addition & 6 deletions go/cmd/vtgate/vtgate.go
Expand Up @@ -20,11 +20,6 @@ var (
retryDelay = flag.Duration("retry-delay", 200*time.Millisecond, "retry delay")
retryCount = flag.Int("retry-count", 10, "retry count")
timeout = flag.Duration("timeout", 5*time.Second, "connection and call timeout")

securePort = flag.Int("secure-port", 0, "port for the secure server")
cert = flag.String("cert", "", "cert file")
key = flag.String("key", "", "key file")
caCert = flag.String("ca-cert", "", "ca-cert file")
)

var topoReader *TopoReader
Expand All @@ -45,5 +40,5 @@ func main() {
topo.RegisterTopoReader(topoReader)

vtgate.Init(rts, *cell, *retryDelay, *retryCount, *timeout)
servenv.RunSecure(*port, *securePort, *cert, *key, *caCert)
servenv.Run(*port)
}
9 changes: 2 additions & 7 deletions go/cmd/vttablet/vttablet.go
Expand Up @@ -27,11 +27,6 @@ var (
enableRowcache = flag.Bool("enable-rowcache", false, "enable rowcacche")
overridesFile = flag.String("schema-override", "", "schema overrides file")

securePort = flag.Int("secure-port", 0, "port for the secure server")
cert = flag.String("cert", "", "cert file")
key = flag.String("key", "", "key file")
caCert = flag.String("ca-cert", "", "ca-cert file")

agent *tabletmanager.ActionAgent
)

Expand Down Expand Up @@ -62,7 +57,7 @@ func main() {
binlog.RegisterUpdateStreamService(mycnf)

// Depends on both query and updateStream.
agent, err = vttablet.InitAgent(tabletAlias, dbcfgs, mycnf, *port, *securePort, *overridesFile)
agent, err = vttablet.InitAgent(tabletAlias, dbcfgs, mycnf, *port, *servenv.SecurePort, *overridesFile)
if err != nil {
log.Fatal(err)
}
Expand All @@ -75,5 +70,5 @@ func main() {
topo.CloseServers()
agent.Stop()
})
servenv.RunSecure(*port, *securePort, *cert, *key, *caCert)
servenv.Run(*port)
}
3 changes: 2 additions & 1 deletion go/cmd/zkocc/zkocc.go
Expand Up @@ -18,7 +18,8 @@ import (
var usage = `Cache open zookeeper connections and allow cheap read requests
through a lightweight RPC interface. The optional parameters are cell
names to try to connect to at startup, versus waiting for the first
request to connect.`
request to connect.
`

var (
resolveLocal = flag.Bool("resolve-local", false, "if specified, will try to resolve /zk/local/ paths. If not set, they will fail.")
16 changes: 3 additions & 13 deletions go/vt/servenv/run.go
Expand Up @@ -20,15 +20,8 @@ var (

// Run starts listening for RPC and HTTP requests on the given port,
// and blocks until it the process gets a signal.
// It may also listen on a secure port, or on a unix socket.
func Run(port int) {
onRunHooks.Fire()
RunSecure(port, 0, "", "", "")
}

// RunSecure is like Run, but it additionally listens for RPC and HTTP
// requests using TLS on securePort, using the passed certificate,
// key, and CA certificate.
func RunSecure(port int, securePort int, cert, key, caCert string) {
onRunHooks.Fire()
ServeRPC()

Expand All @@ -51,12 +44,9 @@ func RunSecure(port int, securePort int, cert, key, caCert string) {
}

go http.Serve(l, nil)

if securePort != 0 {
log.Infof("listening on secure port %v", securePort)
SecureServe(fmt.Sprintf(":%d", securePort), cert, key, caCert)
}
serveSecurePort()
serveSocketFile()

proc.Wait()
l.Close()
Close()
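Review bot: The doc comment on Run now says it "may also listen on a secure port, or on a unix socket" but not what turns those on, so a reader has to open secure.go and unix_socket.go to find out; suggest extending it with `// The secure listener is enabled by the SecurePort flag (secure.go) and the unix socket by the socket-file flag (unix_socket.go); both are skipped when unset.` Separately, after proc.Wait() only the plain listener `l` is closed, while serveSecurePort and serveSocketFile return nothing, so their listeners cannot be closed from here — unless Close() takes care of that, which is not visible in this hunk. Note also that RunSecure was an exported function, so any caller outside this repository that used it will no longer compile. The end of Run lies outside the hunk.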
33 changes: 22 additions & 11 deletions go/vt/servenv/secure.go
Expand Up @@ -8,6 +8,7 @@ import (
"crypto/tls"
"crypto/x509"
"flag"
"fmt"
"io/ioutil"
"net/http"

Expand All @@ -16,42 +17,52 @@ import (
)

var (
SecurePort = flag.Int("secure-port", 0, "port for the secure server")
certFile = flag.String("cert", "", "cert file")
keyFile = flag.String("key", "", "key file")
caCertFile = flag.String("ca_cert", "", "ca cert file")
secureThrottle = flag.Int64("secure-accept-rate", 64, "Maximum number of secure connection accepts per second")
secureMaxBuffer = flag.Int("secure-max-buffer", 1500, "Maximum number of secure accepts allowed to accumulate")
)

// SecureListen obtains a listener that accepts
// secure connections
func SecureServe(addr string, certFile, keyFile, caFile string) {
// serverSecurePort obtains a listener that accepts secure connections.
// All of this is based on *SecurePort being non-zero.
func serveSecurePort() {
if *SecurePort == 0 {
log.Info("Not listening on secure port")
return
}

config := tls.Config{}

// load the server cert / key
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
log.Fatalf("%s", err)
log.Fatalf("SecureServe.LoadX509KeyPair(%v, %v) failed: %v", *certFile, *keyFile, err)
}
config.Certificates = []tls.Certificate{cert}

// load the ca if necessary
// FIXME(alainjobart) this doesn't quite work yet, have
// to investigate
if caFile != "" {
if *caCertFile != "" {
config.ClientCAs = x509.NewCertPool()

pemCerts, err := ioutil.ReadFile(caFile)
pemCerts, err := ioutil.ReadFile(*caCertFile)
if err != nil {
log.Fatalf("%s", err)
log.Fatalf("SecureServe: cannot read ca file %v: %v", *caCertFile, err)
}
if !config.ClientCAs.AppendCertsFromPEM(pemCerts) {
log.Fatalf("%s", err)
log.Fatalf("SecureServe: AppendCertsFromPEM failed: %v", err)
}

config.ClientAuth = tls.RequireAndVerifyClientCert
}
l, err := tls.Listen("tcp", addr, &config)
l, err := tls.Listen("tcp", fmt.Sprintf(":%d", *SecurePort), &config)
if err != nil {
log.Fatalf("%s", err)
log.Fatalf("Error listening on secure port %v: %v", *SecurePort, err)
}
log.Infof("Listening on secure port %v", *SecurePort)
throttled := NewThrottledListener(l, *secureThrottle, *secureMaxBuffer)
cl := proc.Published(throttled, "SecureConnections", "SecureAccepts")
go http.Serve(cl, nil)
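Review bot: The fatal after AppendCertsFromPEM logs `err`, but at that point err is the nil result of the ReadFile call that just succeeded, so a CA file with no parseable PEM certificates reports `AppendCertsFromPEM failed: <nil>`; log the path instead: `log.Fatalf("SecureServe: no certificates parsed from ca file %v", *caCertFile)`. The new `ca_cert` flag uses an underscore while its siblings `secure-port`, `secure-accept-rate`, `secure-max-buffer` and the removed `ca-cert` flag use hyphens, so existing command lines that pass `-ca-cert` will now fail at flag parsing; keeping the hyphenated name would avoid that. The comment above the function still reads `serverSecurePort` and the log messages still say `SecureServe`, neither of which matches the new name serveSecurePort. Since the listener is built from a `tls.Config{}` that sets only Certificates (and ClientCAs/ClientAuth when a CA is given), it may be worth a one-line comment that MinVersion and CipherSuites are left to the Go defaults so a later reader knows that is deliberate. The function's body continues past the end of the hunk.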
3 changes: 2 additions & 1 deletion go/vt/servenv/unix_socket.go
Expand Up @@ -18,13 +18,14 @@ var (

func serveSocketFile() {
if *socketFile == "" {
log.Infof("Not listening on socket file")
return
}

log.Infof("Listening on socket file %v", *socketFile)
l, err := net.Listen("unix", *socketFile)
if err != nil {
log.Fatalf("Error listening on socket file %v: %v", *socketFile, err)
}
log.Infof("Listening on socket file %v", *socketFile)
go http.Serve(l, nil)
}

