Enable SSL support#6

Open
dannyvernals wants to merge 15 commits intovcheny:masterfrom
dannyvernals:master

Conversation

@dannyvernals

I've been testing ist.py on SSL-enabled hosts, so I needed to add passing the certs and key file to requests.

Please let me know what you think

@dannyvernals
Author

One thing I notice is that the CLI command is very long with this functionality added; maybe SSL certs should be passed as environment vars or added to the script as global constants? e.g.

python ssl.py --ca_file /etc/contrail/ssl/certs/ca-cert.pem --cert_file /etc/contrail/ssl/certs/server.pem --key_file /etc/contrail/ssl/private/server-privkey.pem vr intf

@pinggit
Collaborator

pinggit commented Aug 12, 2020

hi @dannyvernals

  1. can you give a full example of using ssl in contrail setup so I will test it out?
    e.g. how to generate these set_ssl_envs values and how to use them.

  2. I'm seeing the PR changes the script's behavior by enforcing these new values to be given either by env or CLI options. Ideally these should be optional only. Correct me if I'm wrong.

@dannyvernals
Author

Hi @pinggit

I'll answer point (2) first. These env or CLI options are completely optional. If they are not specified, the script will run as you initially designed it. See below; this is a non-SSL backend:

danny@newtop:~/vm-shared-disk/script_clones/contrail-introspect-cli$ python ist.py --host 172.16.0.134 vr status
Introspect Host: 172.16.0.134
module_id: contrail-vrouter-agent
state: Functional
description
+-----------+---------------------------+---------------------+--------+-------------+
| type      | name                      | server_addrs        | status | description |
+-----------+---------------------------+---------------------+--------+-------------+
| XMPP      | control-node:172.16.0.102 |   172.16.0.102:5269 | Up     | OpenSent    |
| XMPP      | dns-server:172.16.0.102   |   172.16.0.102:53   | Up     | OpenSent    |
| Collector | n/a                       |   172.16.0.104:8086 | Up     | Established |
+-----------+---------------------------+---------------------+--------+-------------+

@dannyvernals
Author

dannyvernals commented Aug 13, 2020

Now point (1):
If you have an SSL-enabled backend and run as normal, you get errors:

root@b14:/home/ubuntu/contrail-introspect-cli# python ./ist.py vr status
Failed to reach destination
URL: http://127.0.0.1:8085/Snh_SandeshUVECacheReq?tname=NodeStatus
Reason:  ('Connection aborted.', BadStatusLine('No status line received - the server has closed the connection',))
root@b14:/home/ubuntu/contrail-introspect-cli#

So you enable SSL support in one of two ways:

  1. env vars:
root@b14:/home/ubuntu/contrail-introspect-cli# cat set_ssl_envs
export SSL_KEY_FILE="/etc/contrail/ssl/private/server-privkey.pem"
export SSL_CA_FILE="/etc/contrail/ssl/certs/ca-cert.pem"
export SSL_CERT_FILE="/etc/contrail/ssl/certs/server.pem"
root@b14:/home/ubuntu/contrail-introspect-cli# source set_ssl_envs
root@b14:/home/ubuntu/contrail-introspect-cli# python ./ist.py vr status
module_id: contrail-vrouter-agent
state: Functional
description
+-----------+--------------------------+---------------------+--------+-------------+
| type      | name                     | server_addrs        | status | description |
+-----------+--------------------------+---------------------+--------+-------------+
| XMPP      | control-node:172.16.4.11 |   172.16.4.11:5269  | Up     | OpenConfirm |
| XMPP      | control-node:172.16.4.12 |   172.16.4.12:5269  | Up     | OpenConfirm |
| XMPP      | dns-server:172.16.4.11   |   172.16.4.11:53    | Up     | OpenConfirm |
| XMPP      | dns-server:172.16.4.12   |   172.16.4.12:53    | Up     | OpenConfirm |
| Collector | n/a                      |   10.4.195.169:8086 | Up     | Established |
+-----------+--------------------------+---------------------+--------+-------------+
root@b14:/home/ubuntu/contrail-introspect-cli#
  2. CLI arguments
root@b14:/home/ubuntu/contrail-introspect-cli# env | grep SSL
root@b14:/home/ubuntu/contrail-introspect-cli# python ./ist.py  --key_file /etc/contrail/ssl/private/server-privkey.pem  --ca_file /etc/contrail/ssl/certs/ca-cert.pem --cert_file /etc/contrail/ssl/certs/server.pem vr status
module_id: contrail-vrouter-agent
state: Functional
description
+-----------+--------------------------+---------------------+--------+-------------+
| type      | name                     | server_addrs        | status | description |
+-----------+--------------------------+---------------------+--------+-------------+
| XMPP      | control-node:172.16.4.11 |   172.16.4.11:5269  | Up     | OpenConfirm |
| XMPP      | control-node:172.16.4.12 |   172.16.4.12:5269  | Up     | OpenConfirm |
| XMPP      | dns-server:172.16.4.11   |   172.16.4.11:53    | Up     | OpenConfirm |
| XMPP      | dns-server:172.16.4.12   |   172.16.4.12:53    | Up     | OpenConfirm |
| Collector | n/a                      |   10.4.195.169:8086 | Up     | Established |
+-----------+--------------------------+---------------------+--------+-------------+
root@b14:/home/ubuntu/contrail-introspect-cli#

The location of the certs Contrail uses is configured in /etc/contrail, so if you are running the script on the server itself you can get them from:

root@b14:~# cat /etc/contrail/common_vrouter.env | grep SERVER_
SERVER_CERTFILE=/etc/contrail/ssl/certs/server.pem
SERVER_KEYFILE=/etc/contrail/ssl/private/server-privkey.pem
SERVER_CA_CERTFILE=/etc/contrail/ssl/certs/ca-cert.pem
root@b14:~#

However, if you are running from a remote host, you would need to have a cert/key pair that is signed by the same CA as the certs installed on the Contrail servers.
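
Added example (editor's code, not part of this PR or of ist.py): one way to resolve the optional cert/key/CA settings described in the comment above, taking the --ca_file/--cert_file/--key_file options first and the SSL_CA_FILE/SSL_CERT_FILE/SSL_KEY_FILE variables second, and turning them into the verify= and cert= keyword arguments that the requests library accepts for server verification and client authentication. The option layout, the function names, the all-or-none rule for the three files and the default port 8085 (taken from the URL in the error output above) are assumptions made for illustration; the PR's own implementation may differ. The example does not import requests, so it runs offline.

```python
import argparse
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Environment variable names from the thread's set_ssl_envs file, keyed by
# the CLI option they mirror.
ENV_NAMES = {
    "ca_file": "SSL_CA_FILE",
    "cert_file": "SSL_CERT_FILE",
    "key_file": "SSL_KEY_FILE",
}


@dataclass(frozen=True)
class TlsFiles:
    """The three PEM paths needed for a mutually authenticated introspect query."""
    ca_file: str    # CA that signed the introspect server's certificate
    cert_file: str  # client certificate presented to the server
    key_file: str   # private key belonging to cert_file

    def requests_kwargs(self) -> dict:
        # Keyword arguments you would splat into requests.get(url, **kwargs):
        # verify= pins the CA bundle, cert= is the (cert, key) client pair.
        return {"verify": self.ca_file, "cert": (self.cert_file, self.key_file)}

    def missing_files(self) -> list:
        """Paths that are not regular files; check this before opening a socket
        so a typo fails with a clear message rather than a handshake error."""
        return [p for p in (self.ca_file, self.cert_file, self.key_file)
                if not os.path.isfile(p)]


def parse_cli(argv: Sequence[str]) -> argparse.Namespace:
    """Hypothetical option layout mirroring the PR's flags: global options first,
    then the introspect subcommand words (e.g. 'vr status')."""
    parser = argparse.ArgumentParser(prog="ist.py")
    parser.add_argument("--host", default="127.0.0.1")
    parser.add_argument("--port", type=int, default=8085)  # vrouter agent introspect port
    parser.add_argument("--ca_file")
    parser.add_argument("--cert_file")
    parser.add_argument("--key_file")
    parser.add_argument("command", nargs="*")
    return parser.parse_args(list(argv))


def resolve_tls(cli: Mapping[str, Optional[str]],
                env: Optional[Mapping[str, str]] = None) -> Optional[TlsFiles]:
    """Precedence: CLI option > SSL_* environment variable > plain HTTP.

    Assumed policy (not stated in the PR): either all three files are set or
    none are. A client cert without its key, or without the CA to verify the
    server, cannot produce a working session, so fail early instead.
    """
    if env is None:
        env = os.environ
    picked = {}
    for field, env_name in ENV_NAMES.items():
        value = cli.get(field) or env.get(env_name)
        if value:
            picked[field] = value
    if not picked:
        return None  # no TLS settings at all: behave like the original script
    missing = sorted(set(ENV_NAMES) - set(picked))
    if missing:
        raise ValueError("incomplete TLS settings, missing: " + ", ".join(missing))
    return TlsFiles(**picked)


def tls_config_error(cli, env=None) -> Optional[str]:
    """Like resolve_tls, but returns the problem as a string instead of raising."""
    try:
        resolve_tls(cli, env)
    except ValueError as exc:
        return str(exc)
    return None


def introspect_url(host: str, port: int, path: str, tls: Optional[TlsFiles]) -> str:
    # Plain HTTP sent to an SSL-enabled introspect port is what produced the
    # "BadStatusLine / connection closed" error shown in the thread, so the
    # scheme follows the presence of TLS settings.
    scheme = "https" if tls else "http"
    return f"{scheme}://{host}:{port}/{path}"


def build_request(argv: Sequence[str], env: Optional[Mapping[str, str]] = None):
    """Return (url, kwargs) for the NodeStatus query shown in the thread."""
    ns = parse_cli(argv)
    tls = resolve_tls(vars(ns), env)
    url = introspect_url(ns.host, ns.port, "Snh_SandeshUVECacheReq?tname=NodeStatus", tls)
    return url, (tls.requests_kwargs() if tls else {})


if __name__ == "__main__":
    import sys
    u, kw = build_request(sys.argv[1:])
    print(u, kw)
```

Run it as `python example.py --host 172.16.0.134 vr status` to see the plain-HTTP URL and empty keyword arguments, or with the three file options (or the variables from set_ssl_envs exported) to see the HTTPS URL together with the verify=/cert= arguments. Reporting `missing_files()` before connecting keeps a mistyped path from surfacing as an opaque TLS failure.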

@pinggit
Collaborator

pinggit commented Aug 13, 2020

hi @dannyvernals, thanks!
For (1) I got it now.
For (2), I meant how do I enable SSL in Contrail? I just want to verify it quickly in my setup.
Also, I may request some customer to test it out in their lab before the PR gets merged.

@dannyvernals
Author

Hey @pinggit, sorry I misunderstood.

With a juju deployment this is pretty simple:
https://github.com/tungstenfabric/tf-charms/blob/master/contrail-agent/README.md (see SSL section)
i.e. just use the easyrsa charm.

For other deployments I'm not sure; maybe creating a self-signed cert and CA manually on the compute host and pointing Contrail at them with env vars?

cat /etc/contrail/common_vrouter.env | egrep "SERVER_|SSL_ENABLE"
SSL_ENABLE=True
SERVER_CERTFILE=/etc/contrail/ssl/certs/server.pem
SERVER_KEYFILE=/etc/contrail/ssl/private/server-privkey.pem
SERVER_CA_CERTFILE=/etc/contrail/ssl/certs/ca-cert.pem

@pinggit
Collaborator

pinggit commented Aug 19, 2020

thanks Danny! I tested the script with SSL support in my setup without enabling SSL, and I don't see a problem.
However, I can't test with SSL, and currently I don't see such a request from anyone on this feature.
@vcheny I guess we can create an ssl branch for now, so whenever anyone from the field needs this they can check it out.

@dannyvernals
Author

dannyvernals commented Aug 21, 2020

Hi @pinggit yes that makes sense.
If you ever do want to test this, I have been through the code of the easyrsa charm, so you can use the same process to enable SSL on any Contrail deployment.

The process you would follow is:

  1. Download easy-rsa and install it on the server you want to act as the CA, the server you want to run ist.py from, and the Contrail components you want to enable SSL on: https://github.com/OpenVPN/easy-rsa
    (all the following steps are clearly covered in https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md)

  2. Generate a CA cert on the central server (./easyrsa init-pki && ./easyrsa build-ca)

  3. Generate key/cert pair on all contrail components (./easyrsa init-pki && ./easyrsa gen-req EntityName)

  4. Generate signing requests on all contrail components (./easyrsa import-req /tmp/path/to/import.req EntityName)

  5. Copy signing requests to CA and sign them (./easyrsa sign-req client EntityName)

  6. Copy signed certs & CA to contrail components

  7. Configure contrail to enable SSL and use the certs you have copied over.

FYI, these are the config changes that were made by juju on an agent (vrouter):

2020-08-19 12:51:24 DEBUG juju-log tls-certificates:60: Writing file /etc/contrail/common_vrouter.env root:root 600
2020-08-19 12:51:24 INFO juju-log tls-certificates:60: New lines set:
CONFIG_API_SSL_ENABLE=True
RABBITMQ_USE_SSL=True
CASSANDRA_SSL_ENABLE=True
SSL_ENABLE=True
SERVER_CA_CERTFILE=/etc/contrail/ssl/certs/ca-cert.pem
SERVER_CERTFILE=/etc/contrail/ssl/certs/server.pem
REDIS_SSL_ENABLE=True
SERVER_KEYFILE=/etc/contrail/ssl/private/server-privkey.pem
ANALYTICS_API_SSL_ENABLE=True

2020-08-19 12:51:24 INFO juju-log tls-certificates:60: Old lines set:
ANALYTICS_API_SSL_ENABLE=False
CONFIG_API_SSL_ENABLE=False
RABBITMQ_USE_SSL=False
REDIS_SSL_ENABLE=False
CASSANDRA_SSL_ENABLE=False
SSL_ENABLE=False
