[ER-459] Add crypto2 to the Erlang load path in FIPS mode #1065
Conversation
omnibus/Gemfile.lock
Outdated
| specs: | ||
| license_scout (0.1.2) | ||
| ffi-yajl (~> 2.2) | ||
| mixlib-shellout (~> 2.2) | ||
|
|
||
| GIT | ||
| remote: git://github.com/chef/omnibus-software.git | ||
| revision: 9f7c4536e484ab68fcbae96e527a3fbaf961bb15 | ||
| revision: d55178fb6d2afbafee17b7e95ed0d1bad4736e22 |
There was a problem hiding this comment.
I think these changes will go away if you rebase on master.
|
|
||
| # TODO get Jay to convert this to Apache 2 | ||
| license "Reserved" | ||
| license_file "LICENSE" |
There was a problem hiding this comment.
The LICENSE file looks like a 3-clause BSD license, so I think we are fine here, just need to change "Reserved" to BSD-3
| license_file "LICENSE" | ||
|
|
||
| dependency "erlang" | ||
| dependency "rebar" |
There was a problem hiding this comment.
This will be rebar 2. Does this compile with rebar3? If so, it might be good to make a rebar3 software definition (we can pull their prebuilt binary and copy it into embedded/bin) so we don't have to deal with both rebar 2 and rebar 3 when figuring out build issues in the future.
There was a problem hiding this comment.
It compiled successfully with rebar 2 in my tests. So I figured I would try that instead of trying to bring in rebar 3.
I thought that chef-server was using rebar 2? Thats the default version of the rebar definition (and there is no rebar3 binary)
There was a problem hiding this comment.
@tyler-ball Chef Server uses rebar3 everywhere. We moved to rebar3 during the beta so we vendored rebar3 into each app at the time of conversion. We have a long-standing TODO to get to a single version now that it is stable. (You'll see src/oc_erchef/rebar3, src/bookshelf/rebar3, etc).
| build do | ||
| env = with_standard_compiler_flags(with_embedded_path) | ||
|
|
||
| env['USE_SYSTEM_GECODE'] = "1" |
There was a problem hiding this comment.
Are these environment variables necessary for erlang-crypto2? I don't seem them referenced in Jay's repo.
There was a problem hiding this comment.
I have no idea - I can try removing them and seeing if it still compiles. I just copied the erchef definition and left in whatever was there
| @@ -59,6 +59,12 @@ | |||
| notifies :restart, 'runit_service[opscode-erchef]' unless backend_secondary? | |||
| end | |||
|
|
|||
| template "/opt/opscode/embedded/service/opscode-erchef/vm.args" do | |||
| source "oc_erchef.vm.args.erb" | |||
There was a problem hiding this comment.
I believe we'll eventually want to do this for the other erlang apps as well so we'll likely want this to be a more generic template that we can pass the app name into.
There was a problem hiding this comment.
But the other vm.args I looked at was pretty different. I'll see if I can make some common template parts I will. If they are all different, I'll leave them as separate templates.
| @@ -59,6 +59,12 @@ | |||
| notifies :restart, 'runit_service[opscode-erchef]' unless backend_secondary? | |||
| end | |||
|
|
|||
| template "/opt/opscode/embedded/service/opscode-erchef/vm.args" do | |||
There was a problem hiding this comment.
For sys.config we write the template into /var/opt/opscode/opscode-erchef and then symlink that into /opt/opscode/embedded/service/opscode-erchef/. Perhaps we should do the same here for symmetry?
There was a problem hiding this comment.
I saw that. I didn't know the reasoning behind symlinking instead of just writing the file. If you think thats the right thing to do, then I'll do that!
There was a problem hiding this comment.
@tyler-ball I am honestly unsure on the original intent of these symlinks. I think we've been carting them around for a while. @marcparadise Do you know?
tyler-ball
force-pushed
the
er-454/crypto2
branch
from
395e595 to
f7c2aba
Compare
tyler-ball
changed the title
tyler-ball
force-pushed
the
er-454/crypto2
branch
from
a19a302 to
f0d437f
Compare
|
I need to test this some more and see if there are any tests I can add/update, but I would love to start getting eyes on this. /cc @chef/chef-server-maintainers |
tyler-ball
force-pushed
the
er-454/crypto2
branch
from
8e429e7 to
23d4dcd
Compare
There was a problem hiding this comment.
Nice! Thanks for fighting through this one. I like the approach y'all landed on.
I've left a few comments but the only ones I think is blocking is to clean up all of the rebar.config's and the re-ordering of the project file.
I think that eventually we could unify those templates but don't want that to block this moving forward.
| @@ -97,6 +97,7 @@ | |||
| dependency "private-chef-upgrades" | |||
| dependency "private-chef-cookbooks" | |||
| dependency "chef-ha-plugin-config" | |||
| dependency "erlang-crypto2" | |||
There was a problem hiding this comment.
Let's move this further up. My guess is this code will not be changing often after we have it stable.
There was a problem hiding this comment.
Done, moved into the global commented block
| @@ -25,7 +25,7 @@ | |||
|
|
|||
| build do | |||
| env = with_standard_compiler_flags(with_embedded_path) | |||
| profile_name = fips_mode? ? "fips" : "default" | |||
| profile_name = "default" | |||
There was a problem hiding this comment.
Not important right now, but we can probably remove the profile_name stuff completely and just assume "default" which is what rebar3 will build by...default.
There was a problem hiding this comment.
I assumed it would do that but wanted to introduce as few changes as possible. I'll go ahead and remove this though since it does default by... default 😁
| @@ -101,11 +101,6 @@ | |||
| ]}, | |||
| {erl_opts, [export_all]} | |||
| ]}, | |||
| {fips, [ | |||
There was a problem hiding this comment.
Can we do similar cleanups in other erlang apps?
| owner OmnibusHelper.new(node).ownership['owner'] | ||
| group OmnibusHelper.new(node).ownership['group'] | ||
| mode "644" | ||
| notifies :restart, 'runit_service[oc_bifrost]' unless backend_secondary? |
There was a problem hiding this comment.
Note to other reviewers: The differences in the restart strategies across the various apps match the already existing differences from the sys.config files for these apps. My guess is that this can be sorted out so they are all the same, but I don't think it should be a blocker for this.
|
@stevendanna Updated per your comments! |
|
Pedant tests passed with a local build |
| # | ||
|
|
||
| name "erlang-crypto2" | ||
| default_version "er-459/update-crypto" |
There was a problem hiding this comment.
Reminder to change this once the branch lands
| skip_transitive_dependency_licensing true | ||
|
|
||
| dependency "erlang" | ||
| dependency "rebar" |
There was a problem hiding this comment.
This will pull in rebar2 which we're trying to eradicate. It's not great, but our current practice is to include the rebar3 binary within the project.
There was a problem hiding this comment.
I'm fine with updating to rebar3. How is that binary included in chef-server right now? I don't see an omnibus software dependency on it. I definitely want to build this using whatever other rebar tools we use.
There was a problem hiding this comment.
I see that it is just copied into the 4 Erlang applications. I'm going to use the .../src/bookshelf/rebar3 instance to build this application.
|
@marcparadise I had to restore the Restoring It looks like the |
tyler-ball
force-pushed
the
er-454/crypto2
branch
from
76c8d8f to
2b1a534
Compare
doc/HOW_THINGS_WORK.md
Outdated
| * Build the erlang-crypto2 app as a separate omnibus definition using the same | ||
| Erlang libraries used to build all other Erlang apps. Copy the `ebin` and `priv` | ||
| folders from the build into a custom location inside the omnibus package. | ||
| * If `fips true` is set and the server reconfigured, we update the `vm.args` |
There was a problem hiding this comment.
s/server reconfigured/server is reconfigured
Signed-off-by: tyler-ball <[email protected]>
…g FIPS module does not support TLS Signed-off-by: tyler-ball <[email protected]>
Signed-off-by: tyler-ball <[email protected]>
Signed-off-by: tyler-ball <[email protected]>
…ave a rebar 2 binary in the final package Signed-off-by: tyler-ball <[email protected]>
…template now Signed-off-by: tyler-ball <[email protected]>
They fail because the missing vm.args file causes the oc_bifrost application to load vm.args and sys.config from the releases folder. These files have default / empty values and the oc_bifrost application then fails to start. Signed-off-by: tyler-ball <[email protected]>
Signed-off-by: tyler-ball <[email protected]>
tyler-ball
force-pushed
the
er-454/crypto2
branch
from
2b1a534 to
950e768
Compare
This templatizes
vm.argsto include the crypot2 module at the front of the load path if FIPS mode is enabled. This means that after addingfips truetochef-server.rband reconfiguring, the Erlang app will be using the crypto2 module to access the OpenSSL FIPS module.We include the
erlang-crypto2module in all omnibus distributions, but users chose to activate it at runtime.