From 05cf26126b9705e7602958f80e16a62e67524264 Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Thu, 26 Jan 2017 15:17:29 -0600 Subject: [PATCH 1/9] [ER-459] Add crypto2 to the Erlang load path in FIPS mode Signed-off-by: tyler-ball --- omnibus/config/projects/chef-server.rb | 1 + omnibus/config/software/bookshelf.rb | 2 +- omnibus/config/software/erlang-crypto2.rb | 39 +++++++++++++++++ omnibus/config/software/oc_bifrost.rb | 2 +- omnibus/config/software/oc_erchef.rb | 2 +- omnibus/config/software/opscode-chef-mover.rb | 2 +- .../private-chef/recipes/bookshelf.rb | 14 +++++++ .../private-chef/recipes/oc_bifrost.rb | 14 +++++++ .../recipes/opscode-chef-mover.rb | 13 ++++++ .../private-chef/recipes/opscode-erchef.rb | 14 +++++++ .../templates/default/bookshelf.vm.args.erb | 42 +++++++++++++++++++ .../templates/default/oc_bifrost.vm.args.erb | 31 ++++++++++++++ .../templates/default/oc_erchef.config.erb | 5 +++ .../templates/default/oc_erchef.vm.args.erb | 38 +++++++++++++++++ .../default/opscode-chef-mover.vm.args.erb | 29 +++++++++++++ omnibus/omnibus.rb | 5 ++- src/oc_erchef/rebar.config | 5 --- 17 files changed, 247 insertions(+), 11 deletions(-) create mode 100644 omnibus/config/software/erlang-crypto2.rb create mode 100644 omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb create mode 100644 omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb create mode 100644 omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb create mode 100644 omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb diff --git a/omnibus/config/projects/chef-server.rb b/omnibus/config/projects/chef-server.rb index c508492619..bb2f5dc050 100644 --- a/omnibus/config/projects/chef-server.rb +++ b/omnibus/config/projects/chef-server.rb 
@@ -97,6 +97,7 @@ dependency "private-chef-upgrades" dependency "private-chef-cookbooks" dependency "chef-ha-plugin-config" +dependency "erlang-crypto2" dependency "chef" # for embedded chef-client -z runs (built from master - build last) dependency "cleanup" # MUST BE LAST DO NOT MOVE diff --git a/omnibus/config/software/bookshelf.rb b/omnibus/config/software/bookshelf.rb index ec6595adcc..a8e7ab68f6 100644 --- a/omnibus/config/software/bookshelf.rb +++ b/omnibus/config/software/bookshelf.rb @@ -24,7 +24,7 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = fips_mode? ? "fips" : "default" + profile_name = "default" env['REL_VERSION'] = "#{project.build_version}" env['REBAR_PROFILE'] = profile_name diff --git a/omnibus/config/software/erlang-crypto2.rb b/omnibus/config/software/erlang-crypto2.rb new file mode 100644 index 0000000000..208360efe0 --- /dev/null +++ b/omnibus/config/software/erlang-crypto2.rb 
@@ -0,0 +1,39 @@ +# +# Copyright 2012-2017 Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name "erlang-crypto2" +default_version "er-459/update-crypto" + +source git: "https://github.com/chef/erlang-crypto2.git" + +license "BSD-3-Clause" +license_file "LICENSE" +# https://github.com/chef/license_scout/issues/61 +skip_transitive_dependency_licensing true + +dependency "erlang" +dependency "rebar" + +build do + env = with_standard_compiler_flags(with_embedded_path) + + command "rebar compile", env: env + + crypto2_dir = "#{install_dir}/embedded/lib/erlang-crypto2" + mkdir crypto2_dir + copy "#{project_dir}/ebin", "#{crypto2_dir}/ebin" + copy "#{project_dir}/priv", "#{crypto2_dir}/priv" +end diff --git a/omnibus/config/software/oc_bifrost.rb b/omnibus/config/software/oc_bifrost.rb index ee3cd080a0..dcc2612344 100644 --- a/omnibus/config/software/oc_bifrost.rb +++ b/omnibus/config/software/oc_bifrost.rb @@ -25,7 +25,7 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = fips_mode? ? "fips" : "default" + profile_name = "default" env['REL_VERSION'] = "#{project.build_version}" env['REBAR_PROFILE'] = profile_name diff --git a/omnibus/config/software/oc_erchef.rb b/omnibus/config/software/oc_erchef.rb index e874c0f07f..4617572f25 100644 --- a/omnibus/config/software/oc_erchef.rb +++ b/omnibus/config/software/oc_erchef.rb 
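Review bot: `default_version "er-459/update-crypto"` pins the FIPS crypto replacement to a branch, so every build fetches whatever that branch head happens to be and the provenance of the shipped `crypto` module cannot be reconstructed from the package. Because this code is placed ahead of OTP's own `crypto` on the load path, a tag or full commit SHA is the safer `default_version`, ideally with a comment naming what it was validated against; PATCH 4 (L14) moves it to `master`, which is still a moving ref. A short header comment would also orient the reader, e.g. `# Builds the erlang-crypto2 app that shadows OTP's crypto module at runtime when FIPS mode is enabled (see the *.vm.args.erb templates)`.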
@@ -32,7 +32,7 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = fips_mode? ? "fips" : "default" + profile_name = "default" env['USE_SYSTEM_GECODE'] = "1" env['REL_VERSION'] = "#{project.build_version}" diff --git a/omnibus/config/software/opscode-chef-mover.rb b/omnibus/config/software/opscode-chef-mover.rb index 0e05dce486..4a9fe1effb 100644 --- a/omnibus/config/software/opscode-chef-mover.rb +++ b/omnibus/config/software/opscode-chef-mover.rb @@ -21,7 +21,7 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = fips_mode? ? "fips" : "default" + profile_name = "default" env['USE_SYSTEM_GECODE'] = "1" env['REL_VERSION'] = "#{project.build_version}" diff --git a/omnibus/files/private-chef-cookbooks/private-chef/recipes/bookshelf.rb b/omnibus/files/private-chef-cookbooks/private-chef/recipes/bookshelf.rb index 625ea469a8..cf9b923d5c 100644 --- a/omnibus/files/private-chef-cookbooks/private-chef/recipes/bookshelf.rb +++ b/omnibus/files/private-chef-cookbooks/private-chef/recipes/bookshelf.rb @@ -64,4 +64,18 @@ to bookshelf_config end +vmargs_config = File.join(bookshelf_dir, "vm.args") + +template vmargs_config do + source "bookshelf.vm.args.erb" + owner OmnibusHelper.new(node).ownership['owner'] + group OmnibusHelper.new(node).ownership['group'] + mode "644" + notifies :restart, 'runit_service[bookshelf]' if is_data_master? +end + +link "/opt/opscode/embedded/service/bookshelf/vm.args" do + to vmargs_config +end + component_runit_service "bookshelf" diff --git a/omnibus/files/private-chef-cookbooks/private-chef/recipes/oc_bifrost.rb b/omnibus/files/private-chef-cookbooks/private-chef/recipes/oc_bifrost.rb index 22b308487e..ff6a3eb179 100644 --- a/omnibus/files/private-chef-cookbooks/private-chef/recipes/oc_bifrost.rb +++ b/omnibus/files/private-chef-cookbooks/private-chef/recipes/oc_bifrost.rb 
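Review bot: `link "/opt/opscode/embedded/service/bookshelf/vm.args"` hard-codes the install prefix, which PATCH 9 (L22) later removes from the templates but not from this recipe or from the matching `link` resources in the oc_bifrost and opscode-chef-mover (L5) and opscode-erchef (L6) recipes. Assuming `node['private_chef']['install_path']` is available to recipes as it is to the templates, `link File.join(node['private_chef']['install_path'], "embedded/service/bookshelf/vm.args") do` keeps the four in step. The rendered file also carries the node's `-setcookie` value, so `mode "644"` leaves it readable by every local user; if the cookie is treated as a credential, `mode "640"` with the service owner and group is the tighter default. The `notifies ... if is_data_master?` guard differs from the `unless backend_secondary?` used in the other recipes; it presumably mirrors the `bookshelf_config` template just above this hunk, but a one-line comment saying so would save the next reader the comparison.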
@@ -60,4 +60,18 @@ to oc_bifrost_config end +vmargs_config = File.join(oc_bifrost_dir, "vm.args") + +template vmargs_config do + source "oc_bifrost.vm.args.erb" + owner OmnibusHelper.new(node).ownership['owner'] + group OmnibusHelper.new(node).ownership['group'] + mode "644" + notifies :restart, 'runit_service[oc_bifrost]' unless backend_secondary? +end + +link "/opt/opscode/embedded/service/oc_bifrost/vm.args" do + to vmargs_config +end + component_runit_service "oc_bifrost" diff --git a/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-chef-mover.rb b/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-chef-mover.rb index f3e2337849..96949cffc0 100644 --- a/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-chef-mover.rb +++ b/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-chef-mover.rb @@ -42,6 +42,19 @@ to mover_config end +vmargs_config = File.join(opscode_chef_mover_dir, "vm.args") + +template vmargs_config do + source "opscode-chef-mover.vm.args.erb" + owner OmnibusHelper.new(node).ownership['owner'] + group OmnibusHelper.new(node).ownership['group'] + mode "644" +end + +link "/opt/opscode/embedded/service/opscode-chef-mover/vm.args" do + to vmargs_config +end + # We want the service defined, but dead component_runit_service "opscode-chef-mover" do action :down diff --git a/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-erchef.rb b/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-erchef.rb index 9482e26a33..ff67e7a28a 100644 --- a/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-erchef.rb +++ b/omnibus/files/private-chef-cookbooks/private-chef/recipes/opscode-erchef.rb 
@@ -80,4 +80,18 @@ to erchef_config end +vmargs_config = File.join(opscode_erchef_dir, "vm.args") + +template vmargs_config do + source "oc_erchef.vm.args.erb" + owner OmnibusHelper.new(node).ownership['owner'] + group OmnibusHelper.new(node).ownership['group'] + mode "644" + notifies :restart, 'runit_service[opscode-erchef]' unless backend_secondary? +end + +link "/opt/opscode/embedded/service/opscode-erchef/vm.args" do + to vmargs_config +end + component_runit_service "opscode-erchef" diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb new file mode 100644 index 0000000000..78915f4b89 --- /dev/null +++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb 
@@ -0,0 +1,42 @@
+## Name of the node
+-name bookshelf@127.0.0.1
+
+## Cookie for distributed erlang
+-setcookie bookshelf
+
+## Add a directory to the code path where hot patches can be
+## placed and easily accessed.
+-pa lib/patches
+
+## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive
+## (Disabled by default..use with caution!)
+##-heart
+
+## Enable kernel poll
++K true
+
+## Increase maximum IO ports from default (65536) to 196608
+## This change helps bookshelf cope with bursty
+## concurrent load
+## Once we are on R16, we should use: +Q 196608
+-env ERL_MAX_PORTS 196608
+
+## Increase maximum concurrent Erlang process from
+## default (262144) to 524288
+## NOTE: This value MUST be a power of 2
+## N band (N - 1) == 0
++P 524288
+
+## Increase async worker thread pool size from
+## R15 default of 0 to R16 default of 10.
+## Async workers prevents IO from blocking the
+## schedulers and increases performance of IO-heavy
+## apps, like bookshelf.
++A 10
+
+<%- if node['private_chef']['fips_enabled'] -%>
+## Runtime switches to enable loading custom crypto module
+## that supports OpenSSL-FIPS
+-env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
+-pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+<%- end -%>
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb
new file mode 100644
index 0000000000..2c4d84e18e
--- /dev/null
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb
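Review bot: The template renders a fixed distributed-Erlang cookie, `-setcookie bookshelf`, into a file the recipe writes world-readable, and the oc_bifrost (L8), oc_erchef (L9) and opscode-chef-mover (L10) templates do the same with their own constant values. That was already true of the deleted `config/vm.args`, but now that the file is generated per node this is the natural place to render a per-install value rather than a constant. `-name bookshelf@127.0.0.1` names the node but does not by itself restrict where the distribution listener binds; whether `inet_dist_use_interface` or host firewalling covers that is not visible here and deserves a comment, e.g. `## Cookie is static; distribution must remain reachable from localhost only`. The FIPS block prepends the erlang-crypto2 `ebin` to the code path so that it shadows OTP's `crypto`, which the comment only hints at; `## erlang-crypto2 shadows OTP's crypto module; ERLANG_CRYPTO2_PATH tells its on_load hook where the NIFs live` states the intent.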
@@ -0,0 +1,31 @@ +## Name of the node +-name oc_bifrost@127.0.0.1 + +## Cookie for distributed erlang +-setcookie oc_bifrost + +## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive +## (Disabled by default..use with caution!) +##-heart + +## Enable kernel poll and a few async threads ++K true ++A 10 + ++P 262144 + +## Increase number of concurrent ports/sockets +-env ERL_MAX_PORTS 65536 + +## Tweak GC to run more often +-env ERL_FULLSWEEP_AFTER 10 + +## Increase logfile size to 10M +-env RUN_ERL_LOG_MAXSIZE 10000000 + +<%- if node['private_chef']['fips_enabled'] -%> +## Runtime switches to enable loading custom crypto module +## that supports OpenSSL-FIPS +-env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv +-pa /opt/opscode/embedded/lib/erlang-crypto2/ebin +<%- end -%> diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.config.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.config.erb index c251ec9404..873e4df7e2 100755 --- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.config.erb +++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.config.erb @@ -130,7 +130,12 @@ {password, <<"<%= @node['private_chef']['rabbitmq']['management_password'] %>">>}, % rabbitmq management http connection pool {rabbitmq_management_service, [ + <% if node['private_chef']['fips_enabled'] -%> + %% See note about Bookshelf + {root_url, "http://<%= @actions_vip %>:<%= @node['private_chef']['rabbitmq']['management_port'] %>/api"}, + <% else -%> {root_url, "https://<%= @actions_vip %>:<%= @node['private_chef']['rabbitmq']['management_port'] %>/api"}, + <% end %> {timeout, <%= @node['private_chef']['rabbitmq']['rabbit_mgmt_timeout'] %>}, {init_count, <%= @node['private_chef']['rabbitmq']['rabbit_mgmt_http_init_count'] %>}, {max_count, <%= @node['private_chef']['rabbitmq']['rabbit_mgmt_http_max_count'] %>}, 
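Review bot: `%% See note about Bookshelf` refers to a note that is not in this file, while the line it explains switches the rabbitmq management `root_url` from `https://` to `http://` in FIPS mode, so the management `password` configured a few lines above is sent in cleartext to `@actions_vip`. The reason is only recorded in PATCH 2's subject (L11): the erlang-crypto2 module does not support TLS. That belongs in the template itself, e.g. `%% FIPS mode: erlang-crypto2 provides no TLS, so the management API is reached over plain HTTP; actions_vip must stay on a trusted/local network`. The trim markers are also inconsistent: `<% if ... -%>` and `<% else -%>` trim, but `<% end %>` does not and leaves a blank line in the rendered config.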
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb
new file mode 100644
index 0000000000..a655218c24
--- /dev/null
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb
@@ -0,0 +1,38 @@
+## Name of the node
+-name erchef@127.0.0.1
+
+## Cookie for distributed erlang
+-setcookie erchef
+
+## Enable SMP even on single-core machines
+## The Erchef keygen cache feature uses
+## enif_send, which does not work on single-
+## core machines unless SMP is enabled.
+-smp enable
+
+## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive
+## (Disabled by default..use with caution!)
+##-heart
+
+## Enable kernel poll and a few async threads
++K true
++A 5
+
+## Increase number of concurrent ports/sockets
+-env ERL_MAX_PORTS 4096
+
+## Add directory for hot patches to the front of the code path
+-pa lib/patches
+
+## Tweak GC to run more often
+-env ERL_FULLSWEEP_AFTER 10
+
+## Increase logfile size to 10M
+-env RUN_ERL_LOG_MAXSIZE 10000000
+
+<%- if node['private_chef']['fips_enabled'] -%>
+## Runtime switches to enable loading custom crypto module
+## that supports OpenSSL-FIPS
+-env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
+-pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+<%- end -%>
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb
new file mode 100644
index 0000000000..bc1c9c2300
--- /dev/null
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb
@@ -0,0 +1,29 @@ +## Name of the node +-name mover@127.0.0.1 + +## Cookie for distributed erlang +-setcookie mover + +## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive +## (Disabled by default..use with caution!) +##-heart + +## Enable kernel poll and a few async threads ++K true ++A 5 + +## Increase number of concurrent ports/sockets +-env ERL_MAX_PORTS 4096 + +## Tweak GC to run more often +-env ERL_FULLSWEEP_AFTER 10 + +## Increase logfile size to 10M +-env RUN_ERL_LOG_MAXSIZE 10000000 + +<%- if node['private_chef']['fips_enabled'] -%> +## Runtime switches to enable loading custom crypto module +## that supports OpenSSL-FIPS +-env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv +-pa /opt/opscode/embedded/lib/erlang-crypto2/ebin +<%- end -%> diff --git a/omnibus/omnibus.rb b/omnibus/omnibus.rb index 472100cdbb..41a1337d17 100644 --- a/omnibus/omnibus.rb +++ b/omnibus/omnibus.rb @@ -21,5 +21,6 @@ fatal_transitive_dependency_licensing_warnings true -# PROJECT_NAME should be set by jenkins during the build -fips_mode ((ENV["PROJECT_NAME"] || "").downcase == "chef-server-fips") +# Build in FIPS compatability mode +# ------------------------------ +fips_mode (ENV['OMNIBUS_FIPS_MODE'] || '').downcase == "true" diff --git a/src/oc_erchef/rebar.config b/src/oc_erchef/rebar.config index 41d0558490..7dbeb7e18e 100644 --- a/src/oc_erchef/rebar.config +++ b/src/oc_erchef/rebar.config @@ -101,11 +101,6 @@ ]}, {erl_opts, [export_all]} ]}, - {fips, [ - {deps, [ - {crypto, {git,"git://github.com/jaym/erlang-crypto2", {branch, "master"}}} - ]} - ]}, {dev, [ {relx, [{dev_mode, true}, {include_src, true} From a54b78074804beebd8fc166f87bb868388963764 Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Wed, 1 Feb 2017 12:38:02 -0600 Subject: [PATCH 2/9] Disable rabbitmq SSL mode when running fips_enabled because our Erlang FIPS module does not support TLS 
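Review bot: `fips_mode (ENV['OMNIBUS_FIPS_MODE'] || '').downcase == "true"` in the omnibus.rb hunk relies on Ruby treating the space-separated `(...)` as the start of a grouped argument expression, which parses as intended but triggers the `(...) interpreted as grouped expression` warning under `-w`. `fips_mode((ENV['OMNIBUS_FIPS_MODE'] || '').downcase == "true")` or `fips_mode ENV.fetch('OMNIBUS_FIPS_MODE', '').downcase == 'true'` says the same thing without the ambiguity, and `compatability` in the new comment should read `compatibility`. The removed line told the reader who was expected to set the variable; the replacement comment should keep that, e.g. `# Set OMNIBUS_FIPS_MODE=true in the build environment (CI) to produce a FIPS build`.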
Signed-off-by: tyler-ball --- .../private-chef/templates/default/rabbitmq.config.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/rabbitmq.config.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/rabbitmq.config.erb index 7f90cab907..2339d4e8ac 100644 --- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/rabbitmq.config.erb +++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/rabbitmq.config.erb @@ -11,9 +11,8 @@ [{listener, [ {ip, "<%= node['private_chef']['rabbitmq']['node_ip_address'] %>"}, {port, <%= node['private_chef']['rabbitmq']['management_port'] %> }, - {ssl, true} + {ssl, <%= node['private_chef']['fips_enabled'] ? false : true %> } % The Rabbit Management Plugin will use the global Rabbit SSL Config ]} ]} ]. - From 011273f484b7d7bc9220950e1bcad910b6866d1d Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Wed, 1 Feb 2017 14:14:53 -0600 Subject: [PATCH 3/9] Removing missed instances of the fips relx profile Signed-off-by: tyler-ball --- omnibus/config/projects/chef-server.rb | 2 +- omnibus/config/software/bookshelf.rb | 4 +--- omnibus/config/software/oc_bifrost.rb | 4 +--- omnibus/config/software/oc_erchef.rb | 4 +--- omnibus/config/software/opscode-chef-mover.rb | 4 +--- src/bookshelf/rebar.config | 5 ----- src/chef-mover/rebar.config | 5 ----- src/oc_bifrost/rebar.config | 5 ----- 8 files changed, 5 insertions(+), 28 deletions(-) diff --git a/omnibus/config/projects/chef-server.rb b/omnibus/config/projects/chef-server.rb index bb2f5dc050..471b0afb2b 100644 --- a/omnibus/config/projects/chef-server.rb +++ b/omnibus/config/projects/chef-server.rb @@ -50,6 +50,7 @@ dependency "runit" dependency "chef_backup-gem" # chef-server-ctl backup dependency "veil-gem" # chef-server-ctl rotate-credentials +dependency "erlang-crypto2" # the backend dependency "postgresql92" 
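Review bot: `{ssl, <%= node['private_chef']['fips_enabled'] ? false : true %> }` is a ternary that maps a boolean onto a boolean; `{ssl, <%= !node['private_chef']['fips_enabled'] %>}` reads directly. More importantly the line turns the management listener bound to `node_ip_address` into a plaintext endpoint whenever FIPS mode is on, and the only explanation is the commit subject, while the context comment on the next line still says the listener uses the global Rabbit SSL config. Suggest changing that comment to `% FIPS mode: erlang-crypto2 lacks TLS, so the management listener is plain HTTP and erchef's root_url switches to http:// to match (oc_erchef.config.erb); otherwise the global Rabbit SSL config applies`.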
@@ -97,7 +98,6 @@ dependency "private-chef-upgrades" dependency "private-chef-cookbooks" dependency "chef-ha-plugin-config" -dependency "erlang-crypto2" dependency "chef" # for embedded chef-client -z runs (built from master - build last) dependency "cleanup" # MUST BE LAST DO NOT MOVE diff --git a/omnibus/config/software/bookshelf.rb b/omnibus/config/software/bookshelf.rb index a8e7ab68f6..e2d2b03a4b 100644 --- a/omnibus/config/software/bookshelf.rb +++ b/omnibus/config/software/bookshelf.rb @@ -24,13 +24,11 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = "default" env['REL_VERSION'] = "#{project.build_version}" - env['REBAR_PROFILE'] = profile_name make "omnibus", env: env - sync "#{project_dir}/_build/#{profile_name}/rel/bookshelf/", "#{install_dir}/embedded/service/bookshelf/" + sync "#{project_dir}/_build/default/rel/bookshelf/", "#{install_dir}/embedded/service/bookshelf/" delete "#{install_dir}/embedded/service/bookshelf/log" end diff --git a/omnibus/config/software/oc_bifrost.rb b/omnibus/config/software/oc_bifrost.rb index dcc2612344..0e15726a69 100644 --- a/omnibus/config/software/oc_bifrost.rb +++ b/omnibus/config/software/oc_bifrost.rb @@ -25,14 +25,12 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = "default" env['REL_VERSION'] = "#{project.build_version}" - env['REBAR_PROFILE'] = profile_name make "omnibus", env: env - sync "#{project_dir}/_build/#{profile_name}/rel/oc_bifrost/", "#{install_dir}/embedded/service/oc_bifrost/" + sync "#{project_dir}/_build/default/rel/oc_bifrost/", "#{install_dir}/embedded/service/oc_bifrost/" sync "#{project_dir}/schema", "#{install_dir}/embedded/service/oc_bifrost/db/" delete "#{install_dir}/embedded/service/oc_bifrost/log" end diff --git a/omnibus/config/software/oc_erchef.rb b/omnibus/config/software/oc_erchef.rb index 4617572f25..87f2c89f41 100644 --- a/omnibus/config/software/oc_erchef.rb +++ b/omnibus/config/software/oc_erchef.rb 
@@ -32,14 +32,12 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = "default" env['USE_SYSTEM_GECODE'] = "1" env['REL_VERSION'] = "#{project.build_version}" - env['REBAR_PROFILE'] = profile_name make "omnibus", env: env - sync "#{project_dir}/_build/#{profile_name}/rel/oc_erchef/", "#{install_dir}/embedded/service/opscode-erchef/", exclude: ['**/.git', '**/.gitignore'] + sync "#{project_dir}/_build/default/rel/oc_erchef/", "#{install_dir}/embedded/service/opscode-erchef/", exclude: ['**/.git', '**/.gitignore'] delete "#{install_dir}/embedded/service/opscode-erchef/log" end diff --git a/omnibus/config/software/opscode-chef-mover.rb b/omnibus/config/software/opscode-chef-mover.rb index 4a9fe1effb..c0dd242be5 100644 --- a/omnibus/config/software/opscode-chef-mover.rb +++ b/omnibus/config/software/opscode-chef-mover.rb @@ -21,15 +21,13 @@ build do env = with_standard_compiler_flags(with_embedded_path) - profile_name = "default" env['USE_SYSTEM_GECODE'] = "1" env['REL_VERSION'] = "#{project.build_version}" - env['REBAR_PROFILE'] = profile_name make "omnibus", env: env - sync "#{project_dir}/_build/#{profile_name}/rel/mover/", "#{install_dir}/embedded/service/opscode-chef-mover/" + sync "#{project_dir}/_build/default/rel/mover/", "#{install_dir}/embedded/service/opscode-chef-mover/" delete "#{install_dir}/embedded/service/opscode-chef-mover/log" mkdir "#{install_dir}/embedded/service/opscode-chef-mover/scripts" diff --git a/src/bookshelf/rebar.config b/src/bookshelf/rebar.config index f767513254..5493262d1d 100644 --- a/src/bookshelf/rebar.config +++ b/src/bookshelf/rebar.config @@ -102,11 +102,6 @@ {include_src, true} ]} ]}, - {fips, [ - {deps, [ - {crypto, {git,"git://github.com/jaym/erlang-crypto2", {branch, "master"}}} - ]} - ]}, {test, [ {deps, [ {cth_readable, diff --git a/src/chef-mover/rebar.config b/src/chef-mover/rebar.config index d20e60a510..6d3fe2f182 100644 --- a/src/chef-mover/rebar.config +++ b/src/chef-mover/rebar.config 
@@ -49,11 +49,6 @@ {git, "https://github.com/ferd/cth_readable.git", {branch, "master"}}} ]} ]}, - {fips, [ - {deps, [ - {crypto, {git,"git://github.com/jaym/erlang-crypto2", {branch, "master"}}} - ]} - ]}, {dev, [ {relx, [{dev_mode, true}, {include_src, true} diff --git a/src/oc_bifrost/rebar.config b/src/oc_bifrost/rebar.config index 7f273485b7..35fefb8c76 100644 --- a/src/oc_bifrost/rebar.config +++ b/src/oc_bifrost/rebar.config @@ -47,11 +47,6 @@ {include_src, true} ]} ]}, - {fips, [ - {deps, [ - {crypto, {git,"git://github.com/jaym/erlang-crypto2", {branch, "master"}}} - ]} - ]}, {test, [ {deps, [ {cth_readable, From 3014e321f4ea82ce28b11bfb32ab6c576d6d567d Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Thu, 2 Feb 2017 09:41:43 -0600 Subject: [PATCH 4/9] Using crypto2 repo from the chef org since we moved it Signed-off-by: tyler-ball --- omnibus/config/software/erlang-crypto2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omnibus/config/software/erlang-crypto2.rb b/omnibus/config/software/erlang-crypto2.rb index 208360efe0..ae28e669c7 100644 --- a/omnibus/config/software/erlang-crypto2.rb +++ b/omnibus/config/software/erlang-crypto2.rb @@ -15,7 +15,7 @@ # name "erlang-crypto2" -default_version "er-459/update-crypto" +default_version "master" source git: "https://github.com/chef/erlang-crypto2.git" From 1ab7b3cafca7b539df2517b72602da36667d9e7b Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Thu, 2 Feb 2017 11:23:01 -0600 Subject: [PATCH 5/9] Using existing rebar3 binary to compile erlang-crypto2 so we don't leave a rebar 2 binary in the final package Signed-off-by: tyler-ball --- omnibus/config/software/erlang-crypto2.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/omnibus/config/software/erlang-crypto2.rb b/omnibus/config/software/erlang-crypto2.rb index ae28e669c7..6851938457 100644 --- a/omnibus/config/software/erlang-crypto2.rb +++ b/omnibus/config/software/erlang-crypto2.rb 
@@ -25,15 +25,19 @@ skip_transitive_dependency_licensing true dependency "erlang" -dependency "rebar" build do env = with_standard_compiler_flags(with_embedded_path) - command "rebar compile", env: env + # All of the apps include a rebar3 executable. Just use one of them to build + # this application. We do not want to include rebar in the final package + # so don't use a software dependency + rebar3_path = "#{project.files_path}/../../src/bookshelf/rebar3" + + command "#{rebar3_path} compile", env: env crypto2_dir = "#{install_dir}/embedded/lib/erlang-crypto2" mkdir crypto2_dir - copy "#{project_dir}/ebin", "#{crypto2_dir}/ebin" + copy "#{project_dir}/_build/default/lib/fips_crypto/ebin", "#{crypto2_dir}/ebin" copy "#{project_dir}/priv", "#{crypto2_dir}/priv" end From d6f6bc50fb06af9555807044eb1e8ab71b67bf06 Mon Sep 17 00:00:00 2001 From: tyler-ball Date: Thu, 2 Feb 2017 11:23:30 -0600 Subject: [PATCH 6/9] Removing default vm.args files because we are generating them from a template now Signed-off-by: tyler-ball --- src/bookshelf/config/vm.args | 35 ----------------------------------- src/bookshelf/rebar.config | 3 +-- src/chef-mover/config/vm.args | 23 ----------------------- src/chef-mover/rebar.config | 1 - src/oc_bifrost/config/vm.args | 24 ------------------------ src/oc_bifrost/rebar.config | 3 +-- src/oc_erchef/config/vm.args | 32 -------------------------------- src/oc_erchef/rebar.config | 1 - 8 files changed, 2 insertions(+), 120 deletions(-) delete mode 100644 src/bookshelf/config/vm.args delete mode 100644 src/chef-mover/config/vm.args delete mode 100644 src/oc_bifrost/config/vm.args delete mode 100644 src/oc_erchef/config/vm.args diff --git a/src/bookshelf/config/vm.args b/src/bookshelf/config/vm.args deleted file mode 100644 index c1b82dcda2..0000000000 --- a/src/bookshelf/config/vm.args +++ /dev/null 
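Review bot: `rebar3_path = "#{project.files_path}/../../src/bookshelf/rebar3"` makes the build of the FIPS crypto module depend on an executable checked into a sibling application's source tree, reached by climbing out of `files_path`; the comment explains why rebar is not a software dependency but not why bookshelf's copy in particular, nor what keeps the per-app `rebar3` copies it mentions at the same version. Since this is the toolchain that compiles a module shadowing OTP's `crypto`, it is worth resolving the binary from one agreed location or recording the expected rebar3 release next to it, e.g. `# bookshelf's rebar3 is used arbitrarily; every src/*/rebar3 is expected to be the same release`. The `ebin` now comes from `_build/default/lib/fips_crypto/ebin` while `priv` is still copied from `project_dir`, which presumes the compiled NIF lands in the source `priv` directory — a comment confirming that, e.g. `# the NIF .so is built into the source priv/, so copy it from there`, would help the next person who touches the build.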
@@ -1,35 +0,0 @@ -## Name of the node --name bookshelf@127.0.0.1 - -## Cookie for distributed erlang --setcookie bookshelf - -## Add a directory to the code path where hot patches can be -## placed and easily accessed. --pa lib/patches - -## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive -## (Disabled by default..use with caution!) -##-heart - -## Enable kernel poll -+K true - -## Increase maximum IO ports from default (65536) to 196608 -## This change helps bookshelf cope with bursty -## concurrent load -## Once we are on R16, we should use: +Q 196608 --env ERL_MAX_PORTS 196608 - -## Increase maximum concurrent Erlang process from -## default (262144) to 524288 -## NOTE: This value MUST be a power of 2 -## N band (N - 1) == 0 -+P 524288 - -## Increase async worker thread pool size from -## R15 default of 0 to R16 default of 10. -## Async workers prevents IO from blocking the -## schedulers and increases performance of IO-heavy -## apps, like bookshelf. -+A 10 \ No newline at end of file diff --git a/src/bookshelf/rebar.config b/src/bookshelf/rebar.config index 5493262d1d..bfa414ced9 100644 --- a/src/bookshelf/rebar.config +++ b/src/bookshelf/rebar.config @@ -130,8 +130,7 @@ {include_src, false}, {extended_start_script,true}, - {overlay,[{template,"config/vm.args","vm.args"}, - {template,"config/app.config","sys.config"}, + {overlay,[{template,"config/app.config","sys.config"}, {copy,"schema","."} ]} ]}. diff --git a/src/chef-mover/config/vm.args b/src/chef-mover/config/vm.args deleted file mode 100644 index ad8275abd6..0000000000 --- a/src/chef-mover/config/vm.args +++ /dev/null 
@@ -1,23 +0,0 @@ -## Name of the node --name mover@127.0.0.1 - -## Cookie for distributed erlang --setcookie mover - -## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive -## (Disabled by default..use with caution!) -##-heart - -## Enable kernel poll and a few async threads -+K true -+A 5 - -## Increase number of concurrent ports/sockets --env ERL_MAX_PORTS 4096 - -## Tweak GC to run more often --env ERL_FULLSWEEP_AFTER 10 - -## Increase logfile size to 10M --env RUN_ERL_LOG_MAXSIZE 10000000 - diff --git a/src/chef-mover/rebar.config b/src/chef-mover/rebar.config index 6d3fe2f182..8e3afc37b8 100644 --- a/src/chef-mover/rebar.config +++ b/src/chef-mover/rebar.config @@ -137,7 +137,6 @@ {mkdir,"log/sasl"}, {mkdir,"etc/keys"}, {copy,"scripts", "scripts"}, - {template,"config/vm.args","vm.args"}, {template,"config/sys.config","sys.config"} ]} ]}. diff --git a/src/oc_bifrost/config/vm.args b/src/oc_bifrost/config/vm.args deleted file mode 100644 index 24bb75ab0c..0000000000 --- a/src/oc_bifrost/config/vm.args +++ /dev/null @@ -1,24 +0,0 @@ -## Name of the node --name oc_bifrost@127.0.0.1 - -## Cookie for distributed erlang --setcookie oc_bifrost - -## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive -## (Disabled by default..use with caution!) -##-heart - -## Enable kernel poll and a few async threads -+K true -+A 10 - -+P 262144 - -## Increase number of concurrent ports/sockets --env ERL_MAX_PORTS 65536 - -## Tweak GC to run more often --env ERL_FULLSWEEP_AFTER 10 - -## Increase logfile size to 10M --env RUN_ERL_LOG_MAXSIZE 10000000 diff --git a/src/oc_bifrost/rebar.config b/src/oc_bifrost/rebar.config index 35fefb8c76..d3dc0182c6 100644 --- a/src/oc_bifrost/rebar.config +++ b/src/oc_bifrost/rebar.config 
@@ -91,6 +91,5 @@ {include_src, false}, {extended_start_script,true}, - {overlay,[{template,"config/vm.args","vm.args"}, - {template,"config/sys.config","sys.config"}]} + {overlay,[{template,"config/sys.config","sys.config"}]} ]}. diff --git a/src/oc_erchef/config/vm.args b/src/oc_erchef/config/vm.args deleted file mode 100644 index 71d44e3147..0000000000 --- a/src/oc_erchef/config/vm.args +++ /dev/null @@ -1,32 +0,0 @@ -## Name of the node --name erchef@127.0.0.1 - -## Cookie for distributed erlang --setcookie erchef - -## Enable SMP even on single-core machines -## The Erchef keygen cache feature uses -## enif_send, which does not work on single- -## core machines unless SMP is enabled. --smp enable - -## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive -## (Disabled by default..use with caution!) -##-heart - -## Enable kernel poll and a few async threads -+K true -+A 5 - -## Increase number of concurrent ports/sockets --env ERL_MAX_PORTS 4096 - -## Add directory for hot patches to the front of the code path --pa lib/patches - -## Tweak GC to run more often --env ERL_FULLSWEEP_AFTER 10 - -## Increase logfile size to 10M --env RUN_ERL_LOG_MAXSIZE 10000000 - diff --git a/src/oc_erchef/rebar.config b/src/oc_erchef/rebar.config index 7dbeb7e18e..935162ac1d 100644 --- a/src/oc_erchef/rebar.config +++ b/src/oc_erchef/rebar.config @@ -146,6 +146,5 @@ {copy,"schema","."}, {copy,"priv/reindex-opc-organization", "bin/reindex-opc-organization"}, - {template,"config/vm.args","vm.args"}, {template,"config/app.config","sys.config"}]} ]}. From 5bc6c832035fe8f7a0c83e2f753093130ec34c39 Mon Sep 17 00:00:00 2001 
From: tyler-ball Date: Thu, 2 Feb 2017 13:53:29 -0600 Subject: [PATCH 7/9] Adding back oc_bifrost vm.args because pedant tests fail without it They fail because the missing vm.args file causes the oc_bifrost application to load vm.args and sys.config from the releases folder. These files have default / empty values and the oc_bifrost application then fails to start. Signed-off-by: tyler-ball --- src/oc_bifrost/config/vm.args | 24 ++++++++++++++++++++++++ src/oc_bifrost/rebar.config | 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 src/oc_bifrost/config/vm.args diff --git a/src/oc_bifrost/config/vm.args b/src/oc_bifrost/config/vm.args new file mode 100644 index 0000000000..24bb75ab0c --- /dev/null +++ b/src/oc_bifrost/config/vm.args @@ -0,0 +1,24 @@ +## Name of the node +-name oc_bifrost@127.0.0.1 + +## Cookie for distributed erlang +-setcookie oc_bifrost + +## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive +## (Disabled by default..use with caution!) +##-heart + +## Enable kernel poll and a few async threads ++K true ++A 10 + ++P 262144 + +## Increase number of concurrent ports/sockets +-env ERL_MAX_PORTS 65536 + +## Tweak GC to run more often +-env ERL_FULLSWEEP_AFTER 10 + +## Increase logfile size to 10M +-env RUN_ERL_LOG_MAXSIZE 10000000 diff --git a/src/oc_bifrost/rebar.config b/src/oc_bifrost/rebar.config index d3dc0182c6..35fefb8c76 100644 --- a/src/oc_bifrost/rebar.config +++ b/src/oc_bifrost/rebar.config @@ -91,5 +91,6 @@ {include_src, false}, {extended_start_script,true}, - {overlay,[{template,"config/sys.config","sys.config"}]} + {overlay,[{template,"config/vm.args","vm.args"}, + {template,"config/sys.config","sys.config"}]} ]}. From 4160a18946b07b9559786abfb32a1976f52008ca Mon Sep 17 00:00:00 2001 
From: tyler-ball Date: Thu, 2 Feb 2017 14:49:25 -0600 Subject: [PATCH 8/9] Updating HOW_THINGS_WORK.md with an explanation of FIPS mode --- doc/HOW_THINGS_WORK.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/doc/HOW_THINGS_WORK.md b/doc/HOW_THINGS_WORK.md index a79e4ff4a7..a5edbf8b6d 100644 --- a/doc/HOW_THINGS_WORK.md +++ b/doc/HOW_THINGS_WORK.md 
@@ -226,3 +226,36 @@ object types and organizations. 5. Erchef responds to the API request either (in the case of a normal search) with the full document or (in the case of a partial search via a POST) with a reduced version of the document.
+
+## FIPS Integration
+
+This assumes you understand what the FIPS 140-2 validation is. Putting the
+Chef Server into *FIPS mode* means:
+
+1. It sets `OPENSSL_FIPS=1` in the environment, so shelling out to `openssl`
+will activate the FIPS module.
+2. Using the erlang-crypto2 app it activates the FIPS module for any native
+calls.
+3. Also using the erlang-crypto2 app it overwrites certain crypto calls that are
+unsupported (IE, MD5) in the OpenSSL FIPS module with direct Erlang code.
+
+The server can be switched into and out of FIPS mode at runtime. Edit the
+`chef-server.rb` config by adding `fips true` or `fips false` to force FIPS
+mode as necessary. On systems where FIPS is enabled at the kernel level this
+config is defaulted to true. On all other systems it is defaulted to false. FIPS
+mode is currently only supported on RHEL systems.
+
+### FIPS Implementation Details
+
+The erlang-crypto2 app provides `crypto` module implementation. To support
+switching to this crypto module at runtime we perform the following:
+
+* Build the erlang-crypto2 app as a separate omnibus definition using the same
+Erlang libraries used to build all other Erlang apps. Copy the `ebin` and `priv`
+folders from the build into a custom location inside the omnibus package.
+* If `fips true` is set and the server is reconfigured, we update the `vm.args`
+to put the erlang-crypto2 `ebin` folder at the front of the load path.
+* We also export the path to the `priv` folder as an environment variable. When
+the erlang-crypto2 app is loaded it uses an `on_load` function to load the
+crypto NIFs. We could not figure out how to specify the correct `priv` folder
+except by hardcoding it into this environment variable.
From 950e768baaf808c72a8308c089b720424814735b Mon Sep 17 00:00:00 2001
From: tyler-ball
Date: Thu, 2 Feb 2017 14:54:17 -0600
Subject: [PATCH 9/9] Hardcoding /opt/opscode is bad, mkay
Signed-off-by: tyler-ball
---
 .../private-chef/templates/default/bookshelf.vm.args.erb | 4 ++--
 .../private-chef/templates/default/oc_bifrost.vm.args.erb | 4 ++--
 .../private-chef/templates/default/oc_erchef.vm.args.erb | 4 ++--
 .../templates/default/opscode-chef-mover.vm.args.erb | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb
index 78915f4b89..0878886967 100644
--- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/bookshelf.vm.args.erb
@@ -37,6 +37,6 @@
 <%- if node['private_chef']['fips_enabled'] -%>
 ## Runtime switches to enable loading custom crypto module
 ## that supports OpenSSL-FIPS
--env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
--pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+-env ERLANG_CRYPTO2_PATH <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/priv") =%>
+-pa <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/ebin") =%>
 <%- end -%>
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb
index 2c4d84e18e..ad975e8509 100644
--- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_bifrost.vm.args.erb
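Review bot: The `=%>` tail on both new `<%= … =%>` tags is not the standard ERB close; under Erubis, which Chef's template resource used at this time, an `=` tail on an expression tag suppresses the newline that follows it, so the rendered `-env ERLANG_CRYPTO2_PATH …` and `-pa …` values would likely run together onto a single vm.args line — worth checking against a rendered file before relying on it. Closing with a plain `%>` keeps each argument on its own line: `-env ERLANG_CRYPTO2_PATH <%= File.join(node['private_chef']['install_path'], "embedded/lib/erlang-crypto2/priv") %>` and `-pa <%= File.join(node['private_chef']['install_path'], "embedded/lib/erlang-crypto2/ebin") %>` (the leading slash in the second `File.join` argument is harmless, since `File.join` collapses the duplicate separator, but unnecessary). The oc_bifrost, oc_erchef and opscode-chef-mover hunks contain the identical construct. Since `-pa` prepends the rendered directory to the code path, the `crypto` modules found there take precedence over OTP's own, so that directory needs the same ownership and write protection as the rest of `embedded/lib`.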
@@ -26,6 +26,6 @@
 <%- if node['private_chef']['fips_enabled'] -%>
 ## Runtime switches to enable loading custom crypto module
 ## that supports OpenSSL-FIPS
--env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
--pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+-env ERLANG_CRYPTO2_PATH <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/priv") =%>
+-pa <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/ebin") =%>
 <%- end -%>
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb
index a655218c24..ea0aab675b 100644
--- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/oc_erchef.vm.args.erb
@@ -33,6 +33,6 @@
 <%- if node['private_chef']['fips_enabled'] -%>
 ## Runtime switches to enable loading custom crypto module
 ## that supports OpenSSL-FIPS
--env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
--pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+-env ERLANG_CRYPTO2_PATH <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/priv") =%>
+-pa <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/ebin") =%>
 <%- end -%>
diff --git a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb
index bc1c9c2300..ef87bb5eeb 100644
--- a/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb
+++ b/omnibus/files/private-chef-cookbooks/private-chef/templates/default/opscode-chef-mover.vm.args.erb
@@ -24,6 +24,6 @@
 <%- if node['private_chef']['fips_enabled'] -%>
 ## Runtime switches to enable loading custom crypto module
 ## that supports OpenSSL-FIPS
--env ERLANG_CRYPTO2_PATH /opt/opscode/embedded/lib/erlang-crypto2/priv
--pa /opt/opscode/embedded/lib/erlang-crypto2/ebin
+-env ERLANG_CRYPTO2_PATH <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/priv") =%>
+-pa <%= File.join(node['private_chef']['install_path'], "/embedded/lib/erlang-crypto2/ebin") =%>
 <%- end -%>