From 1b22ff168472098e86065f3db7b8932a9838b8cf Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Fri, 15 Mar 2024 14:14:18 +0100 Subject: [PATCH 1/4] Remove support for API/conductor split Signed-off-by: Dmitry Tantsur --- ironic-config/httpd-ironic-api.conf.j2 | 24 ------------------------ ironic-config/ironic.conf.j2 | 4 ++-- scripts/auth-common.sh | 18 ++++++++++-------- scripts/configure-ironic.sh | 2 -- scripts/runironic-api | 13 ------------- scripts/runironic-conductor | 20 -------------------- 6 files changed, 12 insertions(+), 69 deletions(-) delete mode 100755 scripts/runironic-api delete mode 100755 scripts/runironic-conductor diff --git a/ironic-config/httpd-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2 index bda581669..4b29c1262 100644 --- a/ironic-config/httpd-ironic-api.conf.j2 +++ b/ironic-config/httpd-ironic-api.conf.j2 @@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} {% endif %} - {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %} - {% if env.IRONIC_PRIVATE_PORT == "unix" %} ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/" ProxyPassReverse "/" "unix:/shared/ironic.sock|http://127.0.0.1/" @@ -29,11 +27,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/" {% endif %} - {% else %} - WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP} - WSGIScriptAlias / /usr/bin/ironic-api-wsgi - {% endif %} - SetEnv APACHE_RUN_USER ironic SetEnv APACHE_RUN_GROUP ironic WSGIProcessGroup ironic @@ -49,7 +42,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }} {% endif %} - {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %} {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %} AuthType Basic 
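Review bot: The `IRONIC_REVERSE_PROXY_SETUP` guard is removed from this template here and in the hunks at old lines 29, 49 and 58, yet `scripts/auth-common.sh` in this same patch still exports `IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}`, so the variable now advertises a default that no longer matches what the config does — the ProxyPass path is always active. Unless another script still reads it, drop that export or replace it with a comment such as `# IRONIC_REVERSE_PROXY_SETUP is obsolete: the API is always served through the httpd reverse proxy`. The enclosing configuration block (the hunk header's `Listen` context) starts before this hunk.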
@@ -58,22 +50,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} Require valid-user {% endif %} - {% else %} - - WSGIProcessGroup ironic - WSGIApplicationGroup %{GLOBAL} - AllowOverride None - - {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %} - AuthType Basic - AuthName "Restricted WSGI area" - AuthUserFile "/etc/ironic/htpasswd" - Require valid-user - {% else %} - Require all granted - {% endif %} - - {% endif %} Require all granted diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2 index 517ae01d2..ad724b00a 100644 --- a/ironic-config/ironic.conf.j2 +++ b/ironic-config/ironic.conf.j2 @@ -25,7 +25,7 @@ use_stderr = true # NOTE(dtantsur): the default md5 is not compatible with FIPS mode hash_ring_algorithm = sha256 my_ip = {{ env.IRONIC_IP }} -{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %} +{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %} # if access is unauthenticated, we bind only to localhost - use that as the # host name also, so that the client can find the server # If we run both API and conductor in the same pod, use localhost @@ -191,7 +191,7 @@ cipher_suite_versions = 3,17 # containers are in host networking. auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }} http_basic_auth_user_file = /etc/ironic/htpasswd-rpc -{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %} +{% if env.JSON_RPC_AUTH_STRATEGY == "noauth" %} # if access is unauthenticated, we bind only to localhost - use that as the # host name also, so that the client can find the server host_ip = localhost diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh index b63c9e403..17e69310f 100644 --- a/scripts/auth-common.sh +++ b/scripts/auth-common.sh 
@@ -4,10 +4,16 @@ set -euxo pipefail export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}} export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}} -export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}" export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false} export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false} +# Backward compatibility +if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then + export IRONIC_EXPOSE_JSON_RPC=true +else + export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}" +fi + IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd @@ -25,13 +31,9 @@ configure_client_basic_auth() configure_json_rpc_auth() { export JSON_RPC_AUTH_STRATEGY="noauth" - if [[ -n "${IRONIC_HTPASSWD}" ]]; then - if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then - export JSON_RPC_AUTH_STRATEGY="http_basic" - printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc" - else - printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}" - fi + if [[ -n "${IRONIC_HTPASSWD}" && "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then + export JSON_RPC_AUTH_STRATEGY="http_basic" + printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc" fi } diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh index 07ae200e0..29c81d8b2 100755 --- a/scripts/configure-ironic.sh +++ b/scripts/configure-ironic.sh @@ -2,7 +2,6 @@ set -euxo pipefail -IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}" IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}" # Define the VLAN interfaces to be included in introspection report, e.g. @@ -38,7 +37,6 @@ fi export NUMWORKERS=${NUMWORKERS:-$NUMPROC} export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true} -export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true} # Whether to enable fast_track provisioning or not export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true} 
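Review bot: The compatibility block compares `IRONIC_DEPLOYMENT` and, later in configure_json_rpc_auth, `IRONIC_EXPOSE_JSON_RPC` as exact strings, while the ironic.conf.j2 hunk in this patch evaluates the same variable through `| lower`, so `IRONIC_EXPOSE_JSON_RPC=True` is treated as enabled by the template but not by the shell (the same mismatch applies to the patch 2 hunk of configure_json_rpc_auth). Normalize once after the `fi`, e.g. `export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC,,}"` (bash 4+; the file already relies on `[[ ]]`). The bare `# Backward compatibility` comment would be more useful as `# Backward compatibility: IRONIC_DEPLOYMENT=Conductor (set by the removed runironic-conductor) implies exposing JSON RPC`.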
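Review bot: The rewritten condition in configure_json_rpc_auth drops the `else` branch that wrote `${IRONIC_HTPASSWD}` to `${IRONIC_HTPASSWD_FILE}` (`/etc/ironic/htpasswd`), so after this hunk the function only ever writes the `-rpc` file. The httpd template changed in this same patch still points `AuthUserFile` at `/etc/ironic/htpasswd` whenever `IRONIC_HTPASSWD` is set, and no other writer of that file is visible in this diff; if none exists elsewhere in auth-common.sh, API basic auth will reference a missing user file and reject every request. Either keep an unconditional `printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"` before the `if`, or state in a comment which function owns the API htpasswd file.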
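Review bot: Removing `export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}` from configure-ironic.sh flips the effective default from `true` to the `false` that auth-common.sh now supplies, for any entry point that sources configure-ironic.sh without setting the variable (runironic kept its own `false` override until patch 3, so it is unaffected), and the commit message only mentions removing the split. A one-line comment near the remaining exports, `# IRONIC_EXPOSE_JSON_RPC (default false) is now set in auth-common.sh`, would make the move discoverable. With `set -euxo pipefail` active in this file, any reference to `${IRONIC_EXPOSE_JSON_RPC}` before auth-common.sh is sourced would now abort on the unset variable — not visible in this diff, but worth a grep.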
diff --git a/scripts/runironic-api b/scripts/runironic-api deleted file mode 100755 index 986a8e357..000000000 --- a/scripts/runironic-api +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/bash - -export IRONIC_DEPLOYMENT="API" - -# shellcheck disable=SC1091 -. /bin/configure-ironic.sh - -export IRONIC_REVERSE_PROXY_SETUP=false - -python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf - -# shellcheck disable=SC1091 -. /bin/runhttpd diff --git a/scripts/runironic-conductor b/scripts/runironic-conductor deleted file mode 100755 index e48e980c3..000000000 --- a/scripts/runironic-conductor +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/bash - -export IRONIC_DEPLOYMENT="Conductor" - -# shellcheck disable=SC1091 -. /bin/configure-ironic.sh - -# Ramdisk logs -mkdir -p /shared/log/ironic/deploy - -run_ironic_dbsync - -if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then - # shellcheck disable=SC2034 - inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do - kill $(pgrep ironic) - done & -fi - -exec /usr/bin/ironic-conductor From 62c83396a0fc88a454c877bff54cf4360dc1d425 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Fri, 15 Mar 2024 14:17:32 +0100 Subject: [PATCH 2/4] Require authentication for JSON RPC Signed-off-by: Dmitry Tantsur --- ironic-config/ironic.conf.j2 | 15 +-------------- scripts/auth-common.sh | 8 +++++--- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2 index ad724b00a..c3f89bcb4 100644 --- a/ironic-config/ironic.conf.j2 +++ b/ironic-config/ironic.conf.j2 
@@ -25,14 +25,7 @@ use_stderr = true # NOTE(dtantsur): the default md5 is not compatible with FIPS mode hash_ring_algorithm = sha256 my_ip = {{ env.IRONIC_IP }} -{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %} -# if access is unauthenticated, we bind only to localhost - use that as the -# host name also, so that the client can find the server -# If we run both API and conductor in the same pod, use localhost -host = localhost -{% else %} host = {{ env.IRONIC_CONDUCTOR_HOST }} -{% endif %} # If a path to a certificate is defined, use that first for webserver {% if env.WEBSERVER_CACERT_FILE %} @@ -189,15 +182,9 @@ cipher_suite_versions = 3,17 # authentication over localhost, using the same credentials as API, to prevent # unauthenticated connections from other processes in the same host since the # containers are in host networking. -auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }} +auth_strategy = http_basic http_basic_auth_user_file = /etc/ironic/htpasswd-rpc -{% if env.JSON_RPC_AUTH_STRATEGY == "noauth" %} -# if access is unauthenticated, we bind only to localhost - use that as the -# host name also, so that the client can find the server -host_ip = localhost -{% else %} host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %} -{% endif %} {% if env.IRONIC_TLS_SETUP == "true" %} use_ssl = true cafile = {{ env.IRONIC_CACERT_FILE }} diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh index 17e69310f..989eef73f 100644 --- a/scripts/auth-common.sh +++ b/scripts/auth-common.sh 
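Review bot: The context comment directly above `auth_strategy = http_basic` still describes the behaviour this hunk removes ("authentication over localhost ... to prevent unauthenticated connections from other processes in the same host"); with `host_ip` now always `::` or `IRONIC_IP`, the rationale should be rewritten, e.g. `# JSON RPC is only ever served with HTTP basic authentication (enforced by configure_json_rpc_auth in auth-common.sh), using the same credentials as the API.` Note also that `http_basic_auth_user_file = /etc/ironic/htpasswd-rpc` is only written by configure_json_rpc_auth when `IRONIC_EXPOSE_JSON_RPC` is true. If the conductor still starts a JSON RPC listener when that variable is false (not visible in this diff), the section would now point at a non-existent credential file, so a short comment stating that `[json_rpc]` is only consulted when RPC is exposed would help the next reader.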
@@ -30,9 +30,11 @@ configure_client_basic_auth() configure_json_rpc_auth() { - export JSON_RPC_AUTH_STRATEGY="noauth" - if [[ -n "${IRONIC_HTPASSWD}" && "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then - export JSON_RPC_AUTH_STRATEGY="http_basic" + if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then + if [[ -z "${IRONIC_HTPASSWD}" ]]; then + echo "FATAL: enabling JSON RPC requires authentication" + exit 1 + fi printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc" fi } From fb592448aadb056eec68d14935cc524b9ee79db2 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Fri, 15 Mar 2024 14:21:52 +0100 Subject: [PATCH 3/4] runironic: do not override IRONIC_EXPOSE_JSON_RPC Signed-off-by: Dmitry Tantsur --- scripts/runironic | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scripts/runironic b/scripts/runironic index f9391b161..6b3450f45 100755 --- a/scripts/runironic +++ b/scripts/runironic @@ -1,9 +1,7 @@ #!/usr/bin/bash -# These settings must go before configure-ironic since it has different -# defaults. +# This setting must go before configure-ironic since it has different defaults. export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false} -export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false} # shellcheck disable=SC1091 . /bin/configure-ironic.sh From 06a225ec36744b6bb23de15cbe8f7b2ac7f1f8e5 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Fri, 15 Mar 2024 14:24:10 +0100 Subject: [PATCH 4/4] Remove dependency on mod_wsgi Signed-off-by: Dmitry Tantsur --- ironic-config/httpd-ironic-api.conf.j2 | 1 - ironic-config/httpd-modules.conf | 1 - main-packages-list.txt | 1 - scripts/auth-common.sh | 3 +-- 4 files changed, 1 insertion(+), 5 deletions(-) diff --git a/ironic-config/httpd-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2 index 4b29c1262..adebe3bef 100644 --- a/ironic-config/httpd-ironic-api.conf.j2 +++ b/ironic-config/httpd-ironic-api.conf.j2 
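Review bot: The new fatal diagnostic is written to stdout via `echo`; as a startup failure in a sourced library it belongs on stderr and should name the variables that resolve it, e.g. `echo "FATAL: IRONIC_EXPOSE_JSON_RPC=true requires IRONIC_HTPASSWD (or HTTP_BASIC_HTPASSWD) to be set" >&2`. Because auth-common.sh runs under `set -euxo pipefail`, the `printf` of `${IRONIC_HTPASSWD}` that follows is also echoed by xtrace to stderr; the value is an htpasswd line (a password hash, not plaintext), but where container logs are shipped centrally it is worth bracketing the write with `set +x` / `set -x`.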
@@ -29,7 +29,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} SetEnv APACHE_RUN_USER ironic SetEnv APACHE_RUN_GROUP ironic - WSGIProcessGroup ironic ErrorLog /dev/stderr LogLevel debug diff --git a/ironic-config/httpd-modules.conf b/ironic-config/httpd-modules.conf index e2d9e4d40..72b0267b5 100644 --- a/ironic-config/httpd-modules.conf +++ b/ironic-config/httpd-modules.conf @@ -5,7 +5,6 @@ LoadModule dir_module modules/mod_dir.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule unixd_module modules/mod_unixd.so LoadModule mpm_event_module modules/mod_mpm_event.so -LoadModule wsgi_module modules/mod_wsgi_python3.so LoadModule ssl_module modules/mod_ssl.so LoadModule env_module modules/mod_env.so LoadModule proxy_module modules/mod_proxy.so diff --git a/main-packages-list.txt b/main-packages-list.txt index 599393a72..eb233a57a 100644 --- a/main-packages-list.txt +++ b/main-packages-list.txt @@ -8,7 +8,6 @@ iproute mod_ssl procps python3-jinja2 -python3-mod_wsgi qemu-img sqlite syslinux-nonlinux diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh index 989eef73f..09fcbfe6e 100644 --- a/scripts/auth-common.sh +++ b/scripts/auth-common.sh @@ -22,8 +22,7 @@ configure_client_basic_auth() local auth_config_file="/auth/$1/auth-config" local dest="${2:-/etc/ironic/ironic.conf}" if [[ -f "${auth_config_file}" ]]; then - # Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file - # when running the api as a WSGI app. + # Merge configurations in the "auth" directory into the default ironic configuration file crudini --merge "${dest}" < "${auth_config_file}" fi }