rgw: openssl 3 #10335
rgw: openssl 3 #10335
Conversation
|
please pull this asap! :) |
mdw-at-linuxbox
force-pushed
the
wip-rgw-openssl-3
branch
from
1573596
to
8c573ee
Compare
|
somebody rearranged all the cmake stuff. I've force pushed a fix for that. |
|
@mdw-at-linuxbox the CMake aspect of this looks fine to me. @tchaikov anything look out of place to you? |
| config->get_val("port", 80, &port); | ||
|
|
||
| RGWProcessEnv env = { store, &rest, olog, port }; | ||
| RGWProcessEnv env = { store, &rest, olog, 0 }; |
There was a problem hiding this comment.
@mdw-at-linuxbox you can't remove the port here without addressing its use at RGWMongoose::init_env()
There was a problem hiding this comment.
Ok, that's related to : http://tracker.ceph.com/issues/16548 . I sent mail 20160628 about that where I went through the code that does this. The basic problem is that the current code path that uses that assumes that it can guess the server port based solely on whether the request came in with ssl or not. That means not more than 1 ssl and 1 non-ssl port. Do we really want to enforce that?
There was a problem hiding this comment.
@mdw-at-linuxbox we need to have some solution to that, a 0 port number is not a proper one.
There was a problem hiding this comment.
We could either
- parse port=".." the way civetweb does, ie. allow ip:port combo, r, s params that civetweb allows etc.
- alternatively, we can set override the env.port after initializing port from civetweb and getting the value of ports civetweb parses using the
mg_get_portsapi ?; ie something like this in rgw_civetweb_frontend:
(assume ports = new int [num ports] etc)
size_t len = mg_get_ports(ctx, num_ports, ports, ssl_ports)
if (len){
env.port = ports[0] ;}etc
?
|
@mdw-at-linuxbox Does this PR fix http://tracker.ceph.com/issues/13718 ? If so, could you add immediately above the |
|
Yes, this pull request would address #13718 - excepting that the problem Yehuda raised above makes this more complicated and probably a separate patch. The top level CMakeLists.txt sets "HAVE_OPENSSL". It should instead set USE_OPENSSL. The "extra" blank line is because I had stuck a large glop of SSL obscurity in just before, and I didn't think the "add_subdirectory(rgw)" was obviously intentional without the extra blank lines. Sure "if(LIBSSL_SONAME)" would work too - I take it we prefer this construction? |
yeah. i think it's more concise. @mdw-at-linuxbox ping |
|
this should probably address http://tracker.ceph.com/issues/16581 as well |
mdw-at-linuxbox
force-pushed
the
wip-rgw-openssl-3
branch
from
8c573ee
to
8548d97
Compare
|
I've updated the branch wip-rgw-openssl-3. I've removed "Replace + with , in civetweb port string.". Whatever we do for that should be a separate pull request. I've revised the doc accordingly. I also spelled USE_OPENSSL right and removed DEFINED. Finally I rebased on the latest master. Passed my testing. Hopefully gitbuilder will still like it. |
| if (portno <= 0 || portno > 65535) { | ||
| derr << "ERROR: port out of range " << port << dendl; | ||
| return -1; | ||
| } |
There was a problem hiding this comment.
what happens if we pass an ip:port combo which currently works, albeit setting SERVER_PORT to 0, here don't we end up not starting rgw at all ?
There was a problem hiding this comment.
Well, actually, civetweb doesn't start up if you give it a bad port. It fails in a much more confusing way later on.
However, you are right, it's possible to pass an ip:port in. Or [ipv6]:port. And append one of [sr,]. And it's possible to pass in non-zero bits >65535 in portno and have them ignored. The ssl redir feature isn't useful to us currently, since we don't yet support listening for both ssl|non-ssl. And we'll never pass in a , because the config file parser eats those elsewhere. I don't mind breaking rgw for people who set high order bits in portno.
But being able to specify a specific ipaddr is useful, sigh.
This fixes a regression where USE_IPV6 is no longer defined. Formerly, this was set in a terribly confusing and weird way. The civetweb source was customized with a file "include/civetweb_conf.h" that defined USE_IPV6. This file isn't used or referenced anywhere in the civetweb source (or build). The ceph automake build has its own separate process to make civetweb.o, which doesn't use any part of the build logic in civetweb. Instead, it builds civetweb.o with its own rule passing in the compiler option "--include $(srcdir)/civetweb/include/civetweb_conf.h". This is both silly and confusing, plus it makes it harder to update the civetweb source. Instead of passing in --include X, we can just pass in -DUSE_IPV6. In cmake that gets set using COMPILE_DEFINITIONS. Cmake doesn't support doing that on a per-file basis, but it's perfectly happy doing that for an object library containing one object. This is not coincidentally just exactly how we're already building civetweb.c.o with cmake. Signed-off-by: Marcus Watts <mwatts@redhat.com>
This includes information on file format and configuration file syntax. Signed-off-by: Marcus Watts <mwatts@redhat.com>
mdw-at-linuxbox
force-pushed
the
wip-rgw-openssl-3
branch
from
8548d97
to
261b91c
Compare
If building with radosgw, always look for openssl library (even when building with nss). Then, use objdump to fetch SONAME from the copies of libssl and libcrypto that were found. When building civetweb; pass the library soname values in as the libraries to load with "dlopen". This is a problem that went away for a bit, but came back with some changes for http://tracker.ceph.com/issues/16535 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1341775 Fixes: http://tracker.ceph.com/issues/11239 Signed-off-by: Marcus Watts <mwatts@redhat.com>
To do https: append an 's' to portno. The code that actually passes that to civetweb is elsewhere. But apparently we need to set "port" in the frontend here because logic elsewhere in radosgw needs to know on which port a connection was accepted, and there's no logic in civetweb to indicate that. Signed-off-by: Marcus Watts <mwatts@redhat.com>
mdw-at-linuxbox
force-pushed
the
wip-rgw-openssl-3
branch
from
261b91c
to
9244166
Compare
| static int parse_civetweb_portno(const string &port) { | ||
| char *portend; | ||
| const char *portstart = port.c_str(); | ||
| const char *cp = strrchr(portstart, ':'); |
There was a problem hiding this comment.
@mdw-at-linuxbox could just use port.find_last_of()
| int portno = strtol(cp, &portend, 10); | ||
| if (cp == portend) { | ||
| derr << "ERROR: cannot parse port " << port << dendl; | ||
| return -1; |
There was a problem hiding this comment.
also other occurances in this function
|
port=0s can't work - you already pointed out why. port=0 would result in a random port assignment. How is that useful? |
|
@mdw-at-linuxbox see my comments on the last commit, other than that I think it's ok |
|
this seems to have gotten stuck? |
|
I've created a new PR that has just the soname fix and the documentation fix. That is now PR #11571. |
|
need rebase? |
[ this is an updated copy of PR #8339 ]
Augment configuration so it's easy to support http & https in one civetweb frontend.
Get rid of an incorrect warning when using openssl.
Document the thing so people can use it.
And load shared libraries by soname.