Improve certs folder checking and container image load #14

Merged
merged 1 commit into from Jul 16, 2019

Conversation


@jmolmo jmolmo commented Jul 12, 2019

While testing, we saw that if the base certs folder was deleted (by default /etc/ansible-runner-service/certs), there was an error generating the certificates because the target folders were not created.

I have moved and improved the check for the certificate target folders. Now certificates are always generated even if no "etc" folder exists.

It was very uncomfortable to deal with two variables to set the full path of the container image. In fact, for our tests, it was impossible to set it properly using the PROJECT and CONTAINER_IMAGE vars, because the full path is something like:

brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service:ceph-4.0-rhel-8-containers-candidate-23773-20190712110332

I have changed this to use only one variable to support this full path; it replaces the PROJECT var functionality.

Now, in order to start, we should use:

# export REGISTRY_IMAGE_PATH="brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service:ceph-4.0-rhel-8-containers-candidate-23773-20190712110332"
# ./ansible-runner-service.sh -v

Another improvement is about whether or not to pull the image from an external registry.
Now we use the "CONTAINER_IMAGE_NAME" var to check if we have a local image with this name. If this is the case, we use the "image id" to start the container.

TESTS:

Start without certs folders:

[root@fakehost04 ~]# rm -rf /etc/ansible-runner-service/certs
[root@fakehost04 ~]# 
[root@fakehost04 ~]# ./ansible-runner-service.sh -v
Checking environment is ready
	docker is present
	openssl is present
	curl is present
Checking container is active
Checking/creating directories
Checking SSL certificate configuration
Creating directories in </etc/ansible-runner-service> for server certificates
Creating the CA Key and Certificate for signing Client Certs
- Using cert identity - /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerServer/CN=fakehost04
Generating RSA private key, 4096 bit long modulus
..........................................................................................................................................................................................................................................................................................................................................................................++
............++
e is 65537 (0x10001)
Creating the Server Key, CSR, and Certificate
Generating RSA private key, 4096 bit long modulus
.......................++
..................................................................................................................................++
e is 65537 (0x10001)
writing RSA key
Self-signing the certificate with our CA cert
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerServer/CN=fakehost04
Getting CA Private Key
Creating directories in </etc/ansible-runner-service> for client certificates
Creating the Client Key and CSR
- Using client identity - /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerClient/CN=fakehost04
Generating RSA private key, 4096 bit long modulus
...............................++
.......................................++
e is 65537 (0x10001)
writing RSA key
Signing the client certificate with our CA cert
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerClient/CN=fakehost04
Getting CA Private Key
Using the ansible_runner_service container already downloaded
Starting runner-service container
Started runner-service container
Waiting for runner-service container to respond
- probe (1/10)
runner-service container is available and responding to requests

Start without cert folders and without local image:

[root@fakehost04 ~]# ./ansible-runner-service.sh -v
Checking environment is ready
	docker is present
	openssl is present
	curl is present
Checking container is active
Checking/creating directories
Checking SSL certificate configuration
Creating directories in </etc/ansible-runner-service> for server certificates
Creating the CA Key and Certificate for signing Client Certs
- Using cert identity - /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerServer/CN=fakehost04
Generating RSA private key, 4096 bit long modulus
................++
.......................................................................................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Creating the Server Key, CSR, and Certificate
Generating RSA private key, 4096 bit long modulus
...++
...........................................................................................................................................................................................++
e is 65537 (0x10001)
writing RSA key
Self-signing the certificate with our CA cert
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerServer/CN=fakehost04
Getting CA Private Key
Creating directories in </etc/ansible-runner-service> for client certificates
Creating the Client Key and CSR
- Using client identity - /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerClient/CN=fakehost04
Generating RSA private key, 4096 bit long modulus
......++
......++
e is 65537 (0x10001)
writing RSA key
Signing the client certificate with our CA cert
Signature ok
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=RunnerClient/CN=fakehost04
Getting CA Private Key
Fetching ansible runner service container. Please wait...
Trying to pull repository brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service ... 
ceph-4.0-rhel-8-containers-candidate-23773-20190712110332: Pulling from brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service
5edbc1d7ef1c: Pull complete 
b2073162c17b: Pull complete 
fc46ce19a39a: Pull complete 
Digest: sha256:308fe8bcc8a68046eb530512ef47fe5385e51fcd8abebcd9449bd19f9dc0fa50
Status: Downloaded newer image for brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service:ceph-4.0-rhel-8-containers-candidate-23773-20190712110332
Starting runner-service container
Started runner-service container
Waiting for runner-service container to respond
- probe (1/10)
runner-service container is available and responding to requests
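The two checks the PR description introduces (recreate the certificate directories whenever they are missing, and reuse a local image before pulling from the registry) as an added shell example. This is illustrative code written for this page, not the project's ansible-runner-service.sh; the certs/server and certs/client layout, the $DOCKER indirection (so the Docker CLI can be stubbed) and the "local <id>" / "pull <reference>" output format are assumptions of this example, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumptions (mine, not from the PR):
# certificates live under <base>/certs/server and <base>/certs/client, and the
# Docker CLI is invoked through $DOCKER so a test can substitute a stub function.

# Recreate the certificate tree, including the base folder, if any part of it
# is missing. mkdir -p succeeds on existing directories, so this is safe to run
# on every start. Private keys are written here, so the directories are created
# with no group/other access (umask 077 -> mode 0700, intermediates included).
ensure_cert_dirs() {
    base="$1"
    for sub in server client; do
        (umask 077 && mkdir -p "$base/certs/$sub") || return 1
    done
    return 0
}

# Derive the bare image name from a full reference such as
#   registry.example:8888/ansible-runner-service:some-tag
# The registry host may carry a :port, so the tag is stripped only after the
# last path component is isolated. A trailing @sha256:<digest> is also handled.
image_name_from_path() {
    path="$1"
    name="${path##*/}"   # keep only "repo:tag" or "repo@sha256:..."
    name="${name%%@*}"   # drop a digest suffix
    name="${name%%:*}"   # drop a tag suffix
    printf '%s\n' "$name"
}

# Decide how to start the container: if an image matching the full reference
# is already in the local store, reuse it by image ID; otherwise report that a
# pull of the reference is required. Matching on the full reference rather than
# the bare name avoids picking up an unrelated local image with the same short name.
DOCKER="${DOCKER:-docker}"
resolve_image() {
    ref="$1"
    id="$("$DOCKER" images -q "$ref" 2>/dev/null | head -n 1)"
    if [ -n "$id" ]; then
        printf 'local %s\n' "$id"
    else
        printf 'pull %s\n' "$ref"
    fi
}

# Run with an argument to see both checks against the reference from the PR:
#   sh ./example.sh demo   (uses the real docker CLI unless DOCKER is overridden)
if [ "${1:-}" = "demo" ]; then
    ref="brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/ansible-runner-service:ceph-4.0-rhel-8-containers-candidate-23773-20190712110332"
    ensure_cert_dirs "${ARS_BASE:-/tmp/ansible-runner-service-example}"
    echo "image name: $(image_name_from_path "$ref")"
    echo "decision:   $(resolve_image "$ref")"
fi
```

When a local match is reused, the image is only as trustworthy as the local store it came from; comparing its repo digest (for example `docker inspect --format '{{index .RepoDigests 0}}' <id>`) with the digest printed at pull time, before starting the container, closes that gap.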


@pcuzner pcuzner left a comment


LGTM will merge

@pcuzner pcuzner merged commit 85f2f1a into red-hat-storage:master Jul 16, 2019