[ FAB-2919 ] Set postgres SSL environment

function setupSSLClientCertificates() in vendored code vendor/github.com/lib/pq/conn.go calls user.Current() if the environmentvariables PGSSLCERT PGSSLKEY are null: sslkey := o.Get("sslkey") sslcert := o.Get("sslcert") if sslkey != "" && sslcert != "" { ... } else { user, err := user.Current() user.Current in turn, invokes system c code in /opt/go/src/os/user/lookup_unix.go via getpwuid_r() This can cause a sporadic and unpredictable panic due to a gcc bug, provided that the executable was built with the -static flag (which is the default). Consequently an easy workaround for this particular instance is to merely set the PGSSLCERT and PGSSLKEY environment variables. (Note that this does not guarantee that other system calls will not potentially be subject to this malaise.) This change allows the postgres tests using TLS to be re-enabled. Change-Id: I3670bb2191ca8591d576ac8bfec2b9d3c4ba6d5e Signed-off-by: Allen Bailey <[email protected]>
hyperledger · Sep 29, 2017 · 618353f · 618353f
1 parent 9ee95a3
commit 618353f
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 11 deletions.
diff --git a/images/fabric-ca-fvt/Dockerfile.in b/images/fabric-ca-fvt/Dockerfile.in
@@ -11,6 +11,8 @@ ENV PATH="/usr/local/go/bin/:${PATH}" \
     PGDATA="/usr/local/pgsql/data/" \
     PGUSER="postgres" \
     PGPASSWORD="postgres" \
+    PGSSLCERT="/etc/hyperledger/fabric-ca/FabricTlsClientEEcert.pem" \
+    PGSSLKEY="/etc/hyperledger/fabric-ca/FabricTlsClientEEkey.pem" \
     PGVER=_PGVER_ \
     HOSTADDR="127.0.0.1" \
     LDAPPORT="389" \

diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
@@ -338,6 +338,7 @@ export CA_CFG_PATH
 #    honor the command-line setting to turn on TLS
 #      else honor the envvar
 #        else (default) turn off tls
+sslmode=disable
 if test -n "$TLS_ON"; then
    TLS_DISABLE='false'; LDAP_PORT=636; LDAP_PROTO="ldaps://";sslmode="require";mysqlTls='&tls=custom'
 else
@@ -356,7 +357,7 @@ test -n "$SRC_KEY" && cp "$SRC_KEY" $DST_KEY
 RUNCONFIG="$DATADIR/runFabricCaFvt.yaml"
 
 case $DRIVER in
-   postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=disable" ;;
+   postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=$sslmode" ;;
    sqlite3)  DATASRC="$DATADIR/$DBNAME" ;;
    mysql)    DATASRC="root:mysql@tcp(localhost:$MYSQL_PORT)/$DBNAME?parseTime=true$mysqlTls" ;;
 esac

diff --git a/scripts/fvt/intermediateca_test.sh b/scripts/fvt/intermediateca_test.sh
@@ -43,7 +43,7 @@ function setupTLScerts() {
                         -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
                         -e 20370101000000Z -s 20160101000000Z -p subTlsCa- >/dev/null 2>&1
    # EE TLS certs
-   i=0;while test $((i++)) -lt $NUMINTCAS; do
+   i=0;while test $((i++)) -lt $((NUMINTCAS+1)); do
    rm -rf $TLSDIR/intFabCaTls${i}*
    $SCRIPTDIR/utils/pki -f newcert -a subTlsCa -t ec -l 256 -d sha512 \
                         -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=intFabCaTls${i}/" -S "IP:127.0.${i}.1" \
@@ -60,12 +60,14 @@ EOF
 
 function createRootCA() {
    # Start RootCA
-   $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
-                              --tls.keyfile $TLSDIR/rootTlsCa-key.pem"
+   $($FABRIC_TLS) && tlsopts="--tls.enabled \
+                              --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
+                              --tls.keyfile $TLSDIR/rootTlsCa-key.pem \
+                              --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+                              --db.tls.client.certfile $PGSSLCERT \
+                              --db.tls.client.keyfile $PGSSLKEY"
    mkdir -p "$TDIR/root"
    $SCRIPTDIR/fabric-ca_setup.sh -I -x "$TDIR/root" -d $driver -m $MAXENROLL
-   sed -i "s@\(^[[:blank:]]*certfile:\).*.pem@\1 $TLSDIR/rootTlsCa-cert.pem@" $TDIR/root/runFabricCaFvt.yaml
-   sed -i "s@\(^[[:blank:]]*keyfile:\).*.pem@\1 $TLSDIR/rootTlsCa-key.pem@" $TDIR/root/runFabricCaFvt.yaml
    FABRIC_CA_SERVER_HOME="$TDIR/root" fabric-ca-server start \
                                       --csr.hosts $ROOT_CA_ADDR --address $ROOT_CA_ADDR \
                                       $tlsopts -c $TDIR/root/runFabricCaFvt.yaml -d 2>&1 |
@@ -80,7 +82,12 @@ function createIntCA() {
       cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${i}/runFabricCaFvt.yaml"
       $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
                                  --tls.keyfile $TLSDIR/intFabCaTls${i}-key.pem \
-                                 --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+                                 --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+                                 --db.tls.client.certfile $PGSSLCERT \
+                                 --db.tls.client.keyfile $PGSSLKEY \
+                                 --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+                                 --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
+                                 --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${i}-key.pem"
       ADDR=127.0.${i}.1
       FABRIC_CA_SERVER_HOME="$TDIR/int${i}" fabric-ca-server start --csr.hosts $ADDR -c $TDIR/int${i}/runFabricCaFvt.yaml \
                                            --address $ADDR $tlsopts -b admin:adminpw \
@@ -99,7 +106,12 @@ function createFailingCA {
    cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${last}/runFabricCaFvt.yaml"
    $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
                               --tls.keyfile $TLSDIR/intFabCaTls${last}-key.pem \
-                              --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+                              --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+                              --db.tls.client.certfile $PGSSLCERT \
+                              --db.tls.client.keyfile $PGSSLKEY \
+                              --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+                              --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
+                              --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${last}-key.pem"
    FABRIC_CA_SERVER_HOME="$TDIR/int${last}" fabric-ca-server init --csr.hosts 127.0.${last}.1 -c "$TDIR/int${last}/runFabricCaFvt.yaml" \
                                            --address 127.0.${last}.1 $tlsopts -b admin:adminpw \
                                            -u ${PROTO}intermediateCa${last}:intermediateCa${last}pw@$ADDR:$CA_DEFAULT_PORT -d 2>&1 | tee $TDIR/int${last}/server.log

diff --git a/scripts/fvt/reenroll_test.sh b/scripts/fvt/reenroll_test.sh
@@ -23,7 +23,7 @@ now=$(date +"%g%m%d%H%M%SZ")
 future=$(date +"$next_year%m%d%H%M%SZ")
 
 NUM_SERVERS=4
-USER_SERVER_RATIO=8 
+USER_SERVER_RATIO=8
 for u in $(eval echo {1..$((NUM_SERVERS*USER_SERVER_RATIO-1))}); do
    USERS[u]="user$u"
 done

diff --git a/scripts/fvt/roundrobin_test.sh b/scripts/fvt/roundrobin_test.sh
@@ -35,10 +35,10 @@ for driver in sqlite3 mysql postgres ; do
    $SCRIPTDIR/registerAndEnroll.sh -u "${USERS[*]}"
    test $? -ne 0 && ErrorMsg "registerAndEnroll failed"
    reenroll admin
-   if ! $(${FABRIC_TLS:-false}); then 
+   if ! $(${FABRIC_TLS:-false}); then
       nums=$((NUM_SERVERS-1))
       for s in $(eval echo {0..$nums}); do
-         curl -s http://$HOST/ | 
+         curl -s http://$HOST/ |
             awk -v s="server${s}\"" '$0~s'|
                html2text |
                   egrep "HTTP|server${s}"