[ARVADOS] updated: 1.3.0-61-g3259e9de3

Git user git at public.curoverse.com
Fri Jan 4 11:30:35 EST 2019


Summary of changes:
 tools/arvbox/lib/arvbox/docker/api-setup.sh        |  4 +-
 tools/arvbox/lib/arvbox/docker/common.sh           |  3 +-
 .../service/{api => certificate}/log/main/.gitstub |  0
 .../docker/service/{api => certificate}/log/run    |  0
 .../service/{sso/run-service => certificate/run}   | 85 ++--------------------
 .../lib/arvbox/docker/service/gitolite/run-service |  2 +-
 .../lib/arvbox/docker/service/nginx/run-service    | 17 +++++
 .../lib/arvbox/docker/service/sso/run-service      | 64 +---------------
 .../arvbox/docker/service/websockets/run-service   |  2 +-
 .../arvbox/docker/service/workbench/run-service    |  6 +-
 10 files changed, 32 insertions(+), 151 deletions(-)
 copy tools/arvbox/lib/arvbox/docker/service/{api => certificate}/log/main/.gitstub (100%)
 copy tools/arvbox/lib/arvbox/docker/service/{api => certificate}/log/run (100%)
 copy tools/arvbox/lib/arvbox/docker/service/{sso/run-service => certificate/run} (56%)

       via  3259e9de3d048f7a0b27e67098811640e9da8230 (commit)
      from  2a6cb99cf7a21a273efe8dc793929b74149871f6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 3259e9de3d048f7a0b27e67098811640e9da8230
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date:   Fri Jan 4 11:28:12 2019 -0500

    14660: Proxy keep-web for https.  Install root cert inside the container.
    
    Now services inside the container can talk to each other without the
    "insecure" flag.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>

diff --git a/tools/arvbox/lib/arvbox/docker/api-setup.sh b/tools/arvbox/lib/arvbox/docker/api-setup.sh
index ca706ea81..0f283830f 100755
--- a/tools/arvbox/lib/arvbox/docker/api-setup.sh
+++ b/tools/arvbox/lib/arvbox/docker/api-setup.sh
@@ -55,7 +55,7 @@ $RAILS_ENV:
   sso_app_secret: $sso_app_secret
   sso_app_id: arvados-server
   sso_provider_url: "https://$localip:${services[sso]}"
-  sso_insecure: true
+  sso_insecure: false
   workbench_address: "https://$localip/"
   websocket_address: "wss://$localip:${services[websockets-ssl]}/websocket"
   git_repo_ssh_base: "git@$localip:"
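Review bot: `sso_insecure: false` makes the API server's TLS verification of the SSO endpoint depend on the arvbox root cert already being in the container's trust store, which is only done by the new certificate service's `update-ca-certificates`; nothing in this hunk waits for that, and the same applies to the sibling flips `arvados_api_host_insecure: false` (gitolite), `Insecure: false` (websockets) and `arvados_insecure_https: false` (workbench). If runit starts these services in parallel with `certificate`, the first connections would presumably fail with a certificate error until the one-shot has finished, so a readiness check such as `test -s /usr/local/share/ca-certificates/arvados-testing-cert.crt` before the heredoc, or a comment naming the dependency, would make the ordering explicit. The `cat >... <<EOF` heredoc these lines belong to begins outside the hunk.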
@@ -67,7 +67,7 @@ $RAILS_ENV:
   auto_setup_new_users_with_repository: true
   default_collection_replication: 1
   docker_image_formats: ["v2"]
-  keep_web_service_url: http://$localip:${services[keep-web]}/
+  keep_web_service_url: https://$localip:${services[keep-web-ssl]}/
   ManagementToken: $management_token
 EOF
 
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index d14e45d0b..56d0fa013 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -28,7 +28,8 @@ services=(
   [sso]=8900
   [composer]=4200
   [arv-git-httpd]=9001
-  [keep-web]=9002
+  [keep-web]=9003
+  [keep-web-ssl]=9002
   [keepproxy]=25100
   [keepstore0]=25107
   [keepstore1]=25108
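Review bot: Moving the plain-HTTP keep-web listener to `[keep-web]=9003` keeps it bound alongside the new TLS front on 9002, so the https proxy only adds protection if 9003 is not reachable from outside the container; whether keep-web binds to localhost is not visible here. A comment on the two entries, e.g. `# 9003 is the plain backend proxied by nginx on 9002 (keep-web-ssl); keep it bound to localhost`, would record that assumption for whoever next touches the port map.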
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/certificate/log/main/.gitstub
new file mode 100644
index 000000000..e69de29bb
diff --git a/tools/arvbox/lib/arvbox/docker/service/certificate/log/run b/tools/arvbox/lib/arvbox/docker/service/certificate/log/run
new file mode 120000
index 000000000..d6aef4a77
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/certificate/log/run
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/certificate/run
similarity index 56%
copy from tools/arvbox/lib/arvbox/docker/service/sso/run-service
copy to tools/arvbox/lib/arvbox/docker/service/certificate/run
index 278d94e82..2b802f2ab 100755
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/certificate/run
@@ -8,33 +8,6 @@ set -ex -o pipefail
 
 . /usr/local/lib/arvbox/common.sh
 
-cd /usr/src/sso
-if test -s /var/lib/arvados/sso_rails_env ; then
-  export RAILS_ENV=$(cat /var/lib/arvados/sso_rails_env)
-else
-  export RAILS_ENV=development
-fi
-
-run_bundler --without=development
-bundle exec passenger-config build-native-support
-bundle exec passenger-config install-standalone-runtime
-
-if test "$1" = "--only-deps" ; then
-    exit
-fi
-
-set -u
-
-if ! test -s /var/lib/arvados/sso_uuid_prefix ; then
-  ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"' > /var/lib/arvados/sso_uuid_prefix
-fi
-uuid_prefix=$(cat /var/lib/arvados/sso_uuid_prefix)
-
-if ! test -s /var/lib/arvados/sso_secret_token ; then
-  ruby -e 'puts rand(2**400).to_s(36)' > /var/lib/arvados/sso_secret_token
-fi
-secret_token=$(cat /var/lib/arvados/sso_secret_token)
-
 if test ! -s /var/lib/arvados/root-cert.pem ; then
     # req           signing request sub-command
     # -new          new certificate request
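Review bot: Deleting the `uuid_prefix=$(cat /var/lib/arvados/sso_uuid_prefix)` block, together with `set -u`, leaves `${uuid_prefix}` in the root-CA subject (`CN=arvbox testing root CA for ${uuid_prefix}`, unchanged lines just past this hunk) expanding silently to an empty string unless `common.sh` defines it, which this diff does not show. Either keep `set -u` so the script fails loudly, or define the value in the certificate service (`uuid_prefix=$(cat /var/lib/arvados/sso_uuid_prefix)` guarded by the same `test -s`), or drop the placeholder from the subject. The `if test ! -s /var/lib/arvados/root-cert.pem` block continues outside the hunk.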
@@ -60,6 +33,7 @@ if test ! -s /var/lib/arvados/root-cert.pem ; then
             -out /var/lib/arvados/root-cert.pem \
             -keyout /var/lib/arvados/root-cert.key \
             -days 365
+    chown arvbox:arvbox /var/lib/arvados/root-cert.*
 fi
 
 if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
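Review bot: `chown arvbox:arvbox /var/lib/arvados/root-cert.*` changes ownership of the CA private key without setting a mode, so its permissions are whatever `openssl req -keyout` produced under the service's umask; the same applies to `server-cert-${localip}.*` in the last hunk of this file. Because the later hunk installs `root-cert.pem` into the system trust store, anyone in the container who can read `root-cert.key` can issue certificates every service will accept, so pair the chown with `chmod 600 /var/lib/arvados/root-cert.key` (and the server key) and a comment stating why the key must stay unreadable to others.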
@@ -97,60 +71,11 @@ if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
 	    -extfile <(cat /etc/ssl/openssl.cnf \
 			  <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
 	    -extensions x509_ext
-fi
-
-cat >config/application.yml <<EOF
-$RAILS_ENV:
-  uuid_prefix: $uuid_prefix
-  secret_token: $secret_token
-  default_link_url: "http://$localip"
-  allow_account_registration: true
-EOF
 
-(cd config && /usr/local/lib/arvbox/yml_override.py application.yml)
-
-if ! test -f /var/lib/arvados/sso_database_pw ; then
-    ruby -e 'puts rand(2**128).to_s(36)' > /var/lib/arvados/sso_database_pw
-fi
-database_pw=$(cat /var/lib/arvados/sso_database_pw)
-
-if ! (psql postgres -c "\du" | grep "^ arvados_sso ") >/dev/null ; then
-    psql postgres -c "create user arvados_sso with password '$database_pw'"
-    psql postgres -c "ALTER USER arvados_sso CREATEDB;"
-fi
-
-sed "s/password:.*/password: $database_pw/" <config/database.yml.example >config/database.yml
-
-if ! test -f /var/lib/arvados/sso_database_setup ; then
-   bundle exec rake db:setup
-
-   if ! test -s /var/lib/arvados/sso_app_secret ; then
-       ruby -e 'puts rand(2**400).to_s(36)' > /var/lib/arvados/sso_app_secret
-   fi
-   app_secret=$(cat /var/lib/arvados/sso_app_secret)
-
-   bundle exec rails console <<EOF
-c = Client.new
-c.name = "joshid"
-c.app_id = "arvados-server"
-c.app_secret = "$app_secret"
-c.save!
-EOF
-
-   touch /var/lib/arvados/sso_database_setup
+    chown arvbox:arvbox /var/lib/arvados/server-cert-${localip}.*
 fi
 
-rm -rf tmp
-mkdir -p tmp/cache
-
-bundle exec rake assets:precompile
-bundle exec rake db:migrate
-
-set +u
-if test "$1" = "--only-setup" ; then
-    exit
-fi
+cp /var/lib/arvados/root-cert.pem /usr/local/share/ca-certificates/arvados-testing-cert.crt
+update-ca-certificates
 
-exec bundle exec passenger start --port=${services[sso]} \
-     --ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
-     --ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key
+sv stop certificate
\ No newline at end of file
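Review bot: The script now behaves as a runit one-shot that ends with `sv stop certificate`, but nothing in the file documents that other services (the sso `run-service` only does `test -s` on the server cert) depend on both the certificate files and the `update-ca-certificates` step having completed. A header comment at the top of the file along the lines of `# One-shot: generates the arvbox root CA and server cert, installs the CA into the system trust store, then stops itself; other services must not assume TLS works until this has run` would make the contract visible. The file also ends without a trailing newline after `sv stop certificate`.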
diff --git a/tools/arvbox/lib/arvbox/docker/service/gitolite/run-service b/tools/arvbox/lib/arvbox/docker/service/gitolite/run-service
index eea0e120b..6055efc47 100755
--- a/tools/arvbox/lib/arvbox/docker/service/gitolite/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/gitolite/run-service
@@ -114,7 +114,7 @@ $RAILS_ENV:
   gitolite_tmp: /var/lib/arvados/git
   arvados_api_host: $localip:${services[controller-ssl]}
   arvados_api_token: "$ARVADOS_API_TOKEN"
-  arvados_api_host_insecure: true
+  arvados_api_host_insecure: false
   gitolite_arvados_git_user_key: "$git_user_key"
 EOF
 
diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
index f2b0a89d2..089306970 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
@@ -88,6 +88,23 @@ server {
     }
   }
 
+  upstream keep-web {
+    server localhost:${services[keep-web]};
+  }
+  server {
+    listen *:${services[keep-web-ssl]} ssl default_server;
+    server_name keep-web;
+    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    location  / {
+      proxy_pass http://keep-web;
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
+    }
+  }
+
 }
 
 EOF
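Review bot: The new `server` block for keep-web sets no `client_max_body_size`, so unless the enclosing `http` context (outside this hunk) overrides it, nginx's default 1m limit will reject larger WebDAV uploads that previously went straight to keep-web over plain HTTP, returning 413 from the https port only. Adding `client_max_body_size 0;` and `proxy_request_buffering off;` inside the `location / {` block would keep upload behavior equivalent to the direct backend; it may also be worth confirming that the `ssl_protocols`/`ssl_ciphers` settings used by the other server blocks apply here, as none are visible in the hunk. The generated config is emitted through a heredoc whose start is outside the hunk, so the `\$` escapes are expected.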
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
index 278d94e82..af49d4b3c 100755
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
@@ -35,69 +35,7 @@ if ! test -s /var/lib/arvados/sso_secret_token ; then
 fi
 secret_token=$(cat /var/lib/arvados/sso_secret_token)
 
-if test ! -s /var/lib/arvados/root-cert.pem ; then
-    # req           signing request sub-command
-    # -new          new certificate request
-    # -nodes        "no des" don't encrypt key
-    # -sha256       include sha256 fingerprint
-    # -x509         generate self-signed certificate
-    # -subj         certificate subject
-    # -reqexts      certificate request extension for subjectAltName
-    # -extensions   certificate request extension for subjectAltName
-    # -config       certificate generation configuration plus subjectAltName
-    # -out          certificate output
-    # -keyout       private key output
-    # -days         certificate lifetime
-    openssl req \
-	    -new \
-	    -nodes \
-	    -sha256 \
-	    -x509 \
-	    -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
-	    -extensions x509_ext \
-	    -config <(cat /etc/ssl/openssl.cnf \
-			  <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
-            -out /var/lib/arvados/root-cert.pem \
-            -keyout /var/lib/arvados/root-cert.key \
-            -days 365
-fi
-
-if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
-    # req           signing request sub-command
-    # -new          new certificate request
-    # -nodes        "no des" don't encrypt key
-    # -sha256       include sha256 fingerprint
-    # -subj         certificate subject
-    # -reqexts      certificate request extension for subjectAltName
-    # -extensions   certificate request extension for subjectAltName
-    # -config       certificate generation configuration plus subjectAltName
-    # -out          certificate output
-    # -keyout       private key output
-    # -days         certificate lifetime
-    openssl req \
-	    -new \
-	    -nodes \
-	    -sha256 \
-	    -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
-	    -reqexts x509_ext \
-	    -extensions x509_ext \
-	    -config <(cat /etc/ssl/openssl.cnf \
-			  <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
-            -out /var/lib/arvados/server-cert-${localip}.csr \
-            -keyout /var/lib/arvados/server-cert-${localip}.key \
-            -days 365
-
-    openssl x509 \
-	    -req \
-	    -in /var/lib/arvados/server-cert-${localip}.csr \
-	    -CA /var/lib/arvados/root-cert.pem \
-	    -CAkey /var/lib/arvados/root-cert.key \
-	    -out /var/lib/arvados/server-cert-${localip}.pem \
-	    -set_serial $RANDOM$RANDOM \
-	    -extfile <(cat /etc/ssl/openssl.cnf \
-			  <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
-	    -extensions x509_ext
-fi
+test -s /var/lib/arvados/server-cert-${localip}.pem
 
 cat >config/application.yml <<EOF
 $RAILS_ENV:
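Review bot: The bare `test -s /var/lib/arvados/server-cert-${localip}.pem` relies on the `set -e` from the top of the file to abort when the certificate service has not run yet, and then gives no indication of why the sso service exited; since runit will keep restarting it, an explicit message is cheap, e.g. `test -s /var/lib/arvados/server-cert-${localip}.pem || { echo "waiting for certificate service to create server cert" >&2; exit 1; }`. The check also does not cover `server-cert-${localip}.key`, which `passenger start --ssl-certificate-key` (outside this hunk) needs as well, and the cert is `chown`ed only after it exists, so a service running as arvbox could presumably see the file before it can read the key. The script's earlier setup and the `cat >config/application.yml` heredoc continue outside the hunk.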
diff --git a/tools/arvbox/lib/arvbox/docker/service/websockets/run-service b/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
index 417130852..cc3303247 100755
--- a/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
@@ -28,7 +28,7 @@ database_pw=$(cat /var/lib/arvados/api_database_pw)
 cat >/var/lib/arvados/arvados-ws.yml <<EOF
 Client:
   APIHost: $localip:${services[controller-ssl]}
-  Insecure: true
+  Insecure: false
 Postgres:
   dbname: arvados_$RAILS_ENV
   user: arvados
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench/run-service b/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
index 5d3757755..68c87233f 100755
--- a/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
@@ -38,9 +38,9 @@ $RAILS_ENV:
   secret_token: $secret_token
   arvados_login_base: https://$localip:${services[controller-ssl]}/login
   arvados_v1_base: https://$localip:${services[controller-ssl]}/arvados/v1
-  arvados_insecure_https: true
-  keep_web_download_url: http://$localip:${services[keep-web]}/c=%{uuid_or_pdh}
-  keep_web_url: http://$localip:${services[keep-web]}/c=%{uuid_or_pdh}
+  arvados_insecure_https: false
+  keep_web_download_url: https://$localip:${services[keep-web-ssl]}/c=%{uuid_or_pdh}
+  keep_web_url: https://$localip:${services[keep-web-ssl]}/c=%{uuid_or_pdh}
   arvados_docsite: http://$localip:${services[doc]}/
   force_ssl: false
   composer_url: http://$localip:${services[composer]}

-----------------------------------------------------------------------

