Merge branch 'mathias-CRP-1539-add-socket-for-crypto-vault-metrics' i…
…nto 'master' feat(crypto): CRP-1539: Add socket for retrieving metrics from crypto csp vault Add a new Unix domain socket to allow the replica to retrieve metrics from the crypto CSP vault process. This follows a similar approach to the one taken for the Bitcoin adapters and the canister HTTP adapter. Adding the Unix domain socket is the first step in enabling metrics to be retrieved from the crypto CSP vault process - the rest of the functionality will be added in follow-up MRs. This MR also adds a system test verifying that a socket has been created, and checks that the permissions of the metrics socket, as well as the existing socket, are correct. See merge request dfinity-lab/public/ic!14634
Showing
7 changed files
with
189 additions
and
6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
#[rustfmt::skip] | ||
|
||
use anyhow::Result; | ||
use ic_tests::crypto::ic_crypto_csp_socket_test::ic_crypto_csp_socket_test; | ||
use ic_tests::crypto::ic_crypto_csp_socket_test::setup_with_single_node; | ||
use ic_tests::driver::group::SystemTestGroup; | ||
use ic_tests::systest; | ||
|
||
fn main() -> Result<()> { | ||
SystemTestGroup::new() | ||
.with_setup(setup_with_single_node) | ||
.add_test(systest!(ic_crypto_csp_socket_test)) | ||
.execute_from_args()?; | ||
Ok(()) | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
/* tag::catalog[] | ||
Title:: ic-crypto-csp socket test | ||
Goal:: Ensure that the Unix domain sockets for the crypto csp are created and have the correct | ||
permissions. In particular, ensure that `socket` and `metrics` sockets in the | ||
`/run/ic-node/crypto-csp/` directory have read and write permissions for the `ic-csp-vault` user | ||
(the owner) and the `ic-csp-vault-socket` group, and no permissions for others, and has the | ||
`ic-csp-vault` owner and `ic-csp-vault-socket` group (which contains the `ic-replica` user). | ||
Runbook:: | ||
. Set up a subnet with a single node | ||
. Wait for the node to start up correctly and be healthy | ||
. Retrieve the file metadata (permissions, timestamp, inode number) of the sockets | ||
. Verify that the permissions, owner, and group of the sockets are correct | ||
Success:: Both sockets for the crypto csp exist, and that they have the correct permissions, owner, | ||
and group. | ||
Coverage:: | ||
. The sockets for the crypto csp are created | ||
. The permissions, owner, and group, of the sockets are set correctly for the `ic-crypto-csp` process | ||
end::catalog[] */ | ||
|
||
use crate::driver::ic::InternetComputer; | ||
use crate::driver::test_env::TestEnv; | ||
use crate::driver::test_env_api::{ | ||
GetFirstHealthyNodeSnapshot, HasTopologySnapshot, IcNodeContainer, IcNodeSnapshot, SshSession, | ||
}; | ||
use ic_registry_subnet_type::SubnetType; | ||
use slog::{info, Logger}; | ||
|
||
pub fn setup_with_single_node(env: TestEnv) { | ||
InternetComputer::new() | ||
.add_fast_single_node_subnet(SubnetType::System) | ||
.setup_and_start(&env) | ||
.expect("failed to setup IC under test"); | ||
|
||
env.topology_snapshot() | ||
.subnets() | ||
.for_each(|subnet| subnet.await_all_nodes_healthy().unwrap()); | ||
} | ||
|
||
const SOCKET_DIR: &str = "/run/ic-node/crypto-csp"; | ||
const SOCKET_NAMES: [&str; 2] = ["socket", "metrics"]; | ||
|
||
pub fn ic_crypto_csp_socket_test(env: TestEnv) { | ||
let logger = env.logger(); | ||
let node = env.get_first_healthy_node_snapshot(); | ||
|
||
for socket_name in &SOCKET_NAMES { | ||
let socket_metadata = SocketMetadata::retrieve(socket_name, SOCKET_DIR, &node, &logger); | ||
info!( | ||
logger, | ||
"{}/{} socket metadata: {:?}", SOCKET_DIR, socket_name, socket_metadata | ||
); | ||
|
||
// The socket shall have permissions '660'. | ||
// This corresponds to '-rw-rw----', i.e., read & write for the owner and the group, but | ||
// no permissions for others. | ||
assert!(socket_metadata.has_permissions(660)); | ||
assert!(socket_metadata.has_owner("ic-csp-vault")); | ||
assert!(socket_metadata.has_group("ic-csp-vault-socket")); | ||
assert!(socket_metadata.has_type("socket")); | ||
} | ||
} | ||
|
||
#[derive(Debug)] | ||
struct SocketMetadata { | ||
permissions: u16, | ||
owner: String, | ||
group: String, | ||
file_type: String, | ||
} | ||
|
||
impl From<String> for SocketMetadata { | ||
fn from(value: String) -> Self { | ||
// Example output from "stat -c '%a %U %G %F' /var/lib/ic/crypto/sks_data.pb". | ||
// Columns are: | ||
// - file permissions in octal | ||
// - owner | ||
// - group | ||
// - file type | ||
// 660 ic-csp-vault ic-csp-vault-socket socket | ||
let mut field_iter = value.split_whitespace(); | ||
let permissions = field_iter.next().expect("no permissions field"); | ||
let owner = field_iter.next().expect("no owner field"); | ||
let group = field_iter.next().expect("no group field"); | ||
let file_type = field_iter.next().expect("no file type field"); | ||
let no_more_fields = field_iter.next(); | ||
assert!( | ||
no_more_fields.is_none(), | ||
"unexpected field: {:?}", | ||
no_more_fields | ||
); | ||
|
||
SocketMetadata { | ||
permissions: permissions.parse().expect("error parsing permissions"), | ||
owner: String::from(owner), | ||
group: String::from(group), | ||
file_type: String::from(file_type), | ||
} | ||
} | ||
} | ||
|
||
impl SocketMetadata { | ||
fn retrieve(socket: &str, path: &str, node: &IcNodeSnapshot, logger: &Logger) -> Self { | ||
let stat_cmd = format!("sudo stat -c '%a %U %G %F' {}/{}", path, socket); | ||
info!( | ||
logger, | ||
"retrieving socket metadata using command: {}", stat_cmd | ||
); | ||
let stat_output = node | ||
.block_on_bash_script(stat_cmd.as_str()) | ||
.expect("unable to get socket metadata using SSH") | ||
.trim() | ||
.to_string(); | ||
SocketMetadata::from(stat_output) | ||
} | ||
|
||
fn has_permissions(&self, permissions: u16) -> bool { | ||
self.permissions == permissions | ||
} | ||
|
||
fn has_group(&self, group: &str) -> bool { | ||
self.group == group | ||
} | ||
|
||
fn has_owner(&self, owner: &str) -> bool { | ||
self.owner == owner | ||
} | ||
|
||
fn has_type(&self, file_type: &str) -> bool { | ||
self.file_type == file_type | ||
} | ||
} |
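Review bot: `permissions.parse()` in `From<String> for SocketMetadata` reads the octal `%a` field from `stat` as a base-10 `u16`, so `has_permissions(660)` only passes because the expected value is written with the same decimal digits; anyone who later writes the mode as `0o660` gets a false failure. Parsing with `u16::from_str_radix(permissions, 8).expect("error parsing permissions")` and asserting `has_permissions(0o660)` keeps the field a real file mode. The test also inspects only the two socket inodes, while access to a Unix domain socket additionally depends on the containing directory, so a `stat` of `SOCKET_DIR` asserting its owner and that it is not writable by others would close a gap the socket mode alone does not cover (the expected directory owner and mode are not visible on this page). The example comment names `/var/lib/ic/crypto/sks_data.pb` although the sample line describes a socket; it should name a path under `/run/ic-node/crypto-csp`.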