Reload Ironic to get the new certificate

metal3-io · May 7, 2021 · e1e3864 · e1e3864
1 parent 3d71300
commit e1e3864
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 1 deletion.
diff --git a/prepare-image.sh b/prepare-image.sh
@@ -5,12 +5,14 @@ set -euxo pipefail
 dnf install -y python3 python3-requests
 curl https://raw.githubusercontent.com/openstack/tripleo-repos/master/tripleo_repos/main.py | python3 - -b master current-tripleo --no-stream
 dnf upgrade -y
+
 xargs -rtd'\n' dnf --setopt=install_weak_deps=False install -y < /tmp/${PKGS_LIST}
 if [[ ! -z ${EXTRA_PKGS_LIST:-} ]]; then
     if [[ -s /tmp/${EXTRA_PKGS_LIST} ]]; then
         xargs -rtd'\n' dnf --setopt=install_weak_deps=False install -y < /tmp/${EXTRA_PKGS_LIST}
     fi
 fi
+dnf install -y https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/i/inotify-tools-3.14-19.el8.x86_64.rpm
 
 dnf clean all
 rm -rf /var/cache/{yum,dnf}/*

diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
@@ -8,6 +8,7 @@ export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
 export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
 export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
+export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 
 # Define the VLAN interfaces to be included in introspection report, e.g.
 #   all - all VLANs on all interfaces using LLDP information

diff --git a/scripts/runhttpd b/scripts/runhttpd
@@ -10,6 +10,7 @@ INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
 export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
 export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"false"}
+export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 
 # Whether to enable fast_track provisioning or not
 IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
@@ -74,4 +75,10 @@ sed -i -e 's|\(^[[:space:]]*\)\(DocumentRoot\)\(.*\)|\1\2 "/shared/html"|' \
 sed -i -e 's%^ \+CustomLog.*%    CustomLog /dev/stderr combined%g' /etc/httpd/conf/httpd.conf
 sed -i -e 's%^ErrorLog.*%ErrorLog /dev/stderr%g' /etc/httpd/conf/httpd.conf
 
+if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true"  && "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read file event; do
+      kill -WINCH $(pgrep httpd)
+    done &
+fi
+
 exec /usr/sbin/httpd -DFOREGROUND
diff --git a/scripts/runironic-api b/scripts/runironic-api
@@ -19,5 +19,12 @@ done
 
 python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /etc/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
 sed -i "/Listen 80/c\#Listen 80" /etc/httpd/conf/httpd.conf
+
+if [[ "$IRONIC_TLS_SETUP" == "true"  && "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read file event; do
+      kill -WINCH $(pgrep httpd)
+    done &
+fi
+
 exec /usr/sbin/httpd -DFOREGROUND
 
diff --git a/scripts/runironic-conductor b/scripts/runironic-conductor
@@ -13,4 +13,11 @@ until ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade; do
   echo "WARNING: ironic-dbsync failed, retrying"
   sleep 1
 done
+
+if [[ "$IRONIC_TLS_SETUP" == "true"  && "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read file event; do
+     kill $(pgrep ironic)
+    done &
+fi
+
 exec /usr/bin/ironic-conductor
diff --git a/scripts/runmariadb b/scripts/runmariadb
@@ -5,6 +5,7 @@ MARIADB_PASSWORD=${MARIADB_PASSWORD:-"change_me"}
 MARIADB_CONF_FILE="/etc/my.cnf.d/mariadb-server.cnf"
 MARIADB_CERT_FILE=/certs/mariadb/tls.crt
 MARIADB_KEY_FILE=/certs/mariadb/tls.key
+RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"true"}
 
 mkdir -p $(dirname ${MARIADB_CERT_FILE})
 if [ -f "$MARIADB_CERT_FILE" ] && [ ! -f "$MARIADB_KEY_FILE" ] ; then
@@ -19,6 +20,13 @@ fi
 ln -sf /proc/self/fd/1 /var/log/mariadb/mariadb.log
 rm -f /usr/bin/mysqld_safe_helper # Avoid this script being used which results in a permission denied error.
 
+# Restart mysqld when the certificate is updated
+if [[ -f "$MARIADB_CERT_FILE" && "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    inotifywait -m -e delete_self "${MARIADB_CERT_FILE}" | while read file event; do
+       kill $(pgrep -f mysqld)
+    done &
+fi
+
 if [ ! -d "${DATADIR}/mysql" ]; then
     crudini --set "$MARIADB_CONF_FILE" mysqld max_connections 64
     crudini --set "$MARIADB_CONF_FILE" mysqld max_heap_table_size 1M
@@ -45,7 +53,6 @@ DROP DATABASE IF EXISTS test ;
 CREATE DATABASE IF NOT EXISTS  ironic ;
 FLUSH PRIVILEGES ;
 EOSQL
-
     # mysqld_safe closes stdout/stderr if no bash options are set ($- == '')
     # turn on tracing to prevent this
     exec bash -x /usr/bin/mysqld_safe --init-file /tmp/configure-mysql.sql