Moving secure ports to servenv.
That way all of our binaries can have it.
This commit is contained in:
Родитель
edd9d18786
Коммит
500c34e604
|
@ -20,11 +20,6 @@ var (
|
|||
retryDelay = flag.Duration("retry-delay", 200*time.Millisecond, "retry delay")
|
||||
retryCount = flag.Int("retry-count", 10, "retry count")
|
||||
timeout = flag.Duration("timeout", 5*time.Second, "connection and call timeout")
|
||||
|
||||
securePort = flag.Int("secure-port", 0, "port for the secure server")
|
||||
cert = flag.String("cert", "", "cert file")
|
||||
key = flag.String("key", "", "key file")
|
||||
caCert = flag.String("ca-cert", "", "ca-cert file")
|
||||
)
|
||||
|
||||
var topoReader *TopoReader
|
||||
|
@ -45,5 +40,5 @@ func main() {
|
|||
topo.RegisterTopoReader(topoReader)
|
||||
|
||||
vtgate.Init(rts, *cell, *retryDelay, *retryCount, *timeout)
|
||||
servenv.RunSecure(*port, *securePort, *cert, *key, *caCert)
|
||||
servenv.Run(*port)
|
||||
}
|
||||
|
|
|
@ -27,11 +27,6 @@ var (
|
|||
enableRowcache = flag.Bool("enable-rowcache", false, "enable rowcacche")
|
||||
overridesFile = flag.String("schema-override", "", "schema overrides file")
|
||||
|
||||
securePort = flag.Int("secure-port", 0, "port for the secure server")
|
||||
cert = flag.String("cert", "", "cert file")
|
||||
key = flag.String("key", "", "key file")
|
||||
caCert = flag.String("ca-cert", "", "ca-cert file")
|
||||
|
||||
agent *tabletmanager.ActionAgent
|
||||
)
|
||||
|
||||
|
@ -62,7 +57,7 @@ func main() {
|
|||
binlog.RegisterUpdateStreamService(mycnf)
|
||||
|
||||
// Depends on both query and updateStream.
|
||||
agent, err = vttablet.InitAgent(tabletAlias, dbcfgs, mycnf, *port, *securePort, *overridesFile)
|
||||
agent, err = vttablet.InitAgent(tabletAlias, dbcfgs, mycnf, *port, *servenv.SecurePort, *overridesFile)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
@ -75,5 +70,5 @@ func main() {
|
|||
topo.CloseServers()
|
||||
agent.Stop()
|
||||
})
|
||||
servenv.RunSecure(*port, *securePort, *cert, *key, *caCert)
|
||||
servenv.Run(*port)
|
||||
}
|
||||
|
|
|
@ -18,7 +18,8 @@ import (
|
|||
var usage = `Cache open zookeeper connections and allow cheap read requests
|
||||
through a lightweight RPC interface. The optional parameters are cell
|
||||
names to try to connect to at startup, versus waiting for the first
|
||||
request to connect.`
|
||||
request to connect.
|
||||
`
|
||||
|
||||
var (
|
||||
resolveLocal = flag.Bool("resolve-local", false, "if specified, will try to resolve /zk/local/ paths. If not set, they will fail.")
|
||||
|
|
|
@ -20,15 +20,8 @@ var (
|
|||
|
||||
// Run starts listening for RPC and HTTP requests on the given port,
|
||||
// and blocks until it the process gets a signal.
|
||||
// It may also listen on a secure port, or on a unix socket.
|
||||
func Run(port int) {
|
||||
onRunHooks.Fire()
|
||||
RunSecure(port, 0, "", "", "")
|
||||
}
|
||||
|
||||
// RunSecure is like Run, but it additionally listens for RPC and HTTP
|
||||
// requests using TLS on securePort, using the passed certificate,
|
||||
// key, and CA certificate.
|
||||
func RunSecure(port int, securePort int, cert, key, caCert string) {
|
||||
onRunHooks.Fire()
|
||||
ServeRPC()
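Review bot: Run's doc comment at `// It may also listen on a secure port, or on a unix socket.` no longer tells a caller how those listeners are switched on now that the port, cert, key and CA parameters are gone; suggest `// The secure port and the unix socket are enabled by servenv's own flags (see serveSecurePort and serveSocketFile), not by arguments to Run.` RunSecure was an exported function, so any caller outside the two binaries updated in this commit will stop compiling; worth a grep before merging. Run's body continues past the end of the hunk.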
|
||||
|
||||
|
@ -51,12 +44,9 @@ func RunSecure(port int, securePort int, cert, key, caCert string) {
|
|||
}
|
||||
|
||||
go http.Serve(l, nil)
|
||||
|
||||
if securePort != 0 {
|
||||
log.Infof("listening on secure port %v", securePort)
|
||||
SecureServe(fmt.Sprintf(":%d", securePort), cert, key, caCert)
|
||||
}
|
||||
serveSecurePort()
|
||||
serveSocketFile()
|
||||
|
||||
proc.Wait()
|
||||
l.Close()
|
||||
Close()
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
|
||||
|
@ -16,42 +17,52 @@ import (
|
|||
)
|
||||
|
||||
var (
|
||||
SecurePort = flag.Int("secure-port", 0, "port for the secure server")
|
||||
certFile = flag.String("cert", "", "cert file")
|
||||
keyFile = flag.String("key", "", "key file")
|
||||
caCertFile = flag.String("ca_cert", "", "ca cert file")
|
||||
secureThrottle = flag.Int64("secure-accept-rate", 64, "Maximum number of secure connection accepts per second")
|
||||
secureMaxBuffer = flag.Int("secure-max-buffer", 1500, "Maximum number of secure accepts allowed to accumulate")
|
||||
)
|
||||
|
||||
// SecureListen obtains a listener that accepts
|
||||
// secure connections
|
||||
func SecureServe(addr string, certFile, keyFile, caFile string) {
|
||||
// serverSecurePort obtains a listener that accepts secure connections.
|
||||
// All of this is based on *SecurePort being non-zero.
|
||||
func serveSecurePort() {
|
||||
if *SecurePort == 0 {
|
||||
log.Info("Not listening on secure port")
|
||||
return
|
||||
}
|
||||
|
||||
config := tls.Config{}
|
||||
|
||||
// load the server cert / key
|
||||
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
||||
cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
|
||||
if err != nil {
|
||||
log.Fatalf("%s", err)
|
||||
log.Fatalf("SecureServe.LoadX509KeyPair(%v, %v) failed: %v", *certFile, *keyFile, err)
|
||||
}
|
||||
config.Certificates = []tls.Certificate{cert}
|
||||
|
||||
// load the ca if necessary
|
||||
// FIXME(alainjobart) this doesn't quite work yet, have
|
||||
// to investigate
|
||||
if caFile != "" {
|
||||
if *caCertFile != "" {
|
||||
config.ClientCAs = x509.NewCertPool()
|
||||
|
||||
pemCerts, err := ioutil.ReadFile(caFile)
|
||||
pemCerts, err := ioutil.ReadFile(*caCertFile)
|
||||
if err != nil {
|
||||
log.Fatalf("%s", err)
|
||||
log.Fatalf("SecureServe: cannot read ca file %v: %v", *caCertFile, err)
|
||||
}
|
||||
if !config.ClientCAs.AppendCertsFromPEM(pemCerts) {
|
||||
log.Fatalf("%s", err)
|
||||
log.Fatalf("SecureServe: AppendCertsFromPEM failed: %v", err)
|
||||
}
|
||||
|
||||
config.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
l, err := tls.Listen("tcp", addr, &config)
|
||||
l, err := tls.Listen("tcp", fmt.Sprintf(":%d", *SecurePort), &config)
|
||||
if err != nil {
|
||||
log.Fatalf("%s", err)
|
||||
log.Fatalf("Error listening on secure port %v: %v", *SecurePort, err)
|
||||
}
|
||||
log.Infof("Listening on secure port %v", *SecurePort)
|
||||
throttled := NewThrottledListener(l, *secureThrottle, *secureMaxBuffer)
|
||||
cl := proc.Published(throttled, "SecureConnections", "SecureAccepts")
|
||||
go http.Serve(cl, nil)
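Review bot: The branch `log.Fatalf("SecureServe: AppendCertsFromPEM failed: %v", err)` formats an err that is nil on that path, since the ReadFile error was already handled two lines above and AppendCertsFromPEM only returns a bool, so the log will read "failed: <nil>" and not say which file was rejected; prefer `log.Fatalf("SecureServe: no CA certificates could be parsed from %v", *caCertFile)`. The CA flag is registered here as `ca_cert`, while the per-binary flags this commit deletes from vtgate and vttablet spelled it `ca-cert`, so existing command lines passing `-ca-cert` will now fail flag parsing; keeping the `ca-cert` spelling, or calling the rename out in the description, avoids a silent deployment break. The doc comment says `serverSecurePort` but the function is `serveSecurePort`, and the messages still prefix `SecureServe`, which this hunk removes. The function body runs past the end of the hunk.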
|
||||
|
|
|
@ -18,13 +18,14 @@ var (
|
|||
|
||||
func serveSocketFile() {
|
||||
if *socketFile == "" {
|
||||
log.Infof("Not listening on socket file")
|
||||
return
|
||||
}
|
||||
|
||||
log.Infof("Listening on socket file %v", *socketFile)
|
||||
l, err := net.Listen("unix", *socketFile)
|
||||
if err != nil {
|
||||
log.Fatalf("Error listening on socket file %v: %v", *socketFile, err)
|
||||
}
|
||||
log.Infof("Listening on socket file %v", *socketFile)
|
||||
go http.Serve(l, nil)
|
||||
}
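Review bot: `net.Listen("unix", *socketFile)` fails with "address already in use" when the socket path already exists, and nothing in this function removes the file, so after an unclean exit the next start will hit `log.Fatalf("Error listening on socket file %v: %v", ...)` until someone deletes it by hand; a comment on the Listen line, `// a stale socket file from a previous run makes this fail; it must be removed out of band`, would at least document the operational expectation. Whether the shutdown path elsewhere in servenv unlinks the socket is not visible in this hunk, so this may already be handled.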
|
||||
|
|