From 618353f2f0f77fa881cd06b0feb5efe2f428de90 Mon Sep 17 00:00:00 2001
From: Allen Bailey
Date: Wed, 6 Sep 2017 17:43:03 -0400
Subject: [PATCH] [ FAB-2919 ] Set postgres SSL environment function setupSSLClientCertificates() in vendored code vendor/github.com/lib/pq/conn.go calls user.Current() if the environmentvariables PGSSLCERT PGSSLKEY are null: sslkey := o.Get("sslkey") sslcert := o.Get("sslcert") if sslkey != "" && sslcert != "" { ... } else { user, err := user.Current() user.Current in turn, invokes system c code in /opt/go/src/os/user/lookup_unix.go via getpwuid_r() This can cause a sporadic and unpredictable panic due to a gcc bug, provided that the executable was built with the -static flag (which is the default). Consequently an easy workaround for this particular instance is to merely set the PGSSLCERT and PGSSLKEY environment variables. (Note that this does not guarantee that other system calls will not potentially be subject to this malaise.) This change allows the postgres tests using TLS to be re-enabled.
Change-Id: I3670bb2191ca8591d576ac8bfec2b9d3c4ba6d5e
Signed-off-by: Allen Bailey
---
 images/fabric-ca-fvt/Dockerfile.in | 2 ++
 scripts/fvt/fabric-ca_setup.sh | 3 ++-
 scripts/fvt/intermediateca_test.sh | 26 +++++++++++++++++++-------
 scripts/fvt/reenroll_test.sh | 2 +-
 scripts/fvt/roundrobin_test.sh | 4 ++--
 5 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/images/fabric-ca-fvt/Dockerfile.in b/images/fabric-ca-fvt/Dockerfile.in
index a00132e2f..f52082234 100644
--- a/images/fabric-ca-fvt/Dockerfile.in
+++ b/images/fabric-ca-fvt/Dockerfile.in
@@ -11,6 +11,8 @@ ENV PATH="/usr/local/go/bin/:${PATH}" \
 PGDATA="/usr/local/pgsql/data/" \
 PGUSER="postgres" \
 PGPASSWORD="postgres" \
+ PGSSLCERT="/etc/hyperledger/fabric-ca/FabricTlsClientEEcert.pem" \
+ PGSSLKEY="/etc/hyperledger/fabric-ca/FabricTlsClientEEkey.pem" \
 PGVER=_PGVER_ \
 HOSTADDR="127.0.0.1" \
 LDAPPORT="389" \
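Review bot: The two added PGSSLCERT/PGSSLKEY lines say nothing about why an image that, per the commit message, only needs them non-empty points them at concrete files, and nothing in this hunk creates those files. Once both are set, lib/pq presumably loads them as the client certificate rather than ignoring them, so a matching test-only cert and key must exist at these paths before any TLS postgres connection is attempted; the scripts in this patch also pass `$PGSSLCERT`/`$PGSSLKEY` straight to fabric-ca-server, so the paths must stay in sync with whatever writes the files. A comment above the ENV instruction (its first line precedes this hunk) would record that: `# PGSSLCERT/PGSSLKEY must be non-empty so lib/pq skips user.Current() (FAB-2919); the files are test-only client credentials and must exist before a TLS postgres connection.`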
diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
index 02e2ec5df..6e61d2a2c 100755
--- a/scripts/fvt/fabric-ca_setup.sh
+++ b/scripts/fvt/fabric-ca_setup.sh
@@ -338,6 +338,7 @@ export CA_CFG_PATH
 # honor the command-line setting to turn on TLS
 # else honor the envvar
 # else (default) turn off tls
+sslmode=disable
 if test -n "$TLS_ON"; then
 TLS_DISABLE='false'; LDAP_PORT=636; LDAP_PROTO="ldaps://";sslmode="require";mysqlTls='&tls=custom'
 else
@@ -356,7 +357,7 @@ test -n "$SRC_KEY" && cp "$SRC_KEY" $DST_KEY
 RUNCONFIG="$DATADIR/runFabricCaFvt.yaml"
 case $DRIVER in
- postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=disable" ;;
+ postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=$sslmode" ;;
 sqlite3) DATASRC="$DATADIR/$DBNAME" ;;
 mysql) DATASRC="root:mysql@tcp(localhost:$MYSQL_PORT)/$DBNAME?parseTime=true$mysqlTls" ;;
 esac
diff --git a/scripts/fvt/intermediateca_test.sh b/scripts/fvt/intermediateca_test.sh
index 11b535494..be4890cdb 100755
--- a/scripts/fvt/intermediateca_test.sh
+++ b/scripts/fvt/intermediateca_test.sh
@@ -43,7 +43,7 @@ function setupTLScerts() {
 -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
 -e 20370101000000Z -s 20160101000000Z -p subTlsCa- >/dev/null 2>&1
 # EE TLS certs
- i=0;while test $((i++)) -lt $NUMINTCAS; do
+ i=0;while test $((i++)) -lt $((NUMINTCAS+1)); do
 rm -rf $TLSDIR/intFabCaTls${i}*
 $SCRIPTDIR/utils/pki -f newcert -a subTlsCa -t ec -l 256 -d sha512 \
 -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=intFabCaTls${i}/" -S "IP:127.0.${i}.1" \
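Review bot: With TLS on, the postgres datasource now ends up as `sslmode=require` (the value set on the context line in the `if` branch, carried through the new `sslmode` default into the DATASRC line of the next hunk); as documented for lib/pq, `require` only guarantees encryption and does not verify the server certificate unless a root certificate is also supplied, so the TLS FVT would pass against a server presenting any certificate. If fabric-ca-server derives the root from `--db.tls.certfiles` that may already be covered, but the script should state which guarantee the test exercises, either `sslmode="verify-full"` or a comment such as `# require = encryption only; server identity is checked via --db.tls.certfiles` if that is the intent. The `else` branch of this `if` lies outside the hunk.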
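Review bot: The new loop bound `$((NUMINTCAS+1))` issues one EE certificate beyond the configured number of intermediate CAs without saying why; presumably the extra one is the `intFabCaTls${last}` identity that createFailingCA starts using in a later hunk, but `last` is assigned outside this hunk so the relation is not visible here. A one-line comment would carry it, e.g. `# NUMINTCAS intermediate CAs plus one extra EE cert for createFailingCA (index $last)`. setupTLScerts continues past the end of the hunk.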
@@ -60,12 +60,14 @@ EOF
 function createRootCA() {
 # Start RootCA
- $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
- --tls.keyfile $TLSDIR/rootTlsCa-key.pem"
+ $($FABRIC_TLS) && tlsopts="--tls.enabled \
+ --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
+ --tls.keyfile $TLSDIR/rootTlsCa-key.pem \
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY"
 mkdir -p "$TDIR/root"
 $SCRIPTDIR/fabric-ca_setup.sh -I -x "$TDIR/root" -d $driver -m $MAXENROLL
- sed -i "s@\(^[[:blank:]]*certfile:\).*.pem@\1 $TLSDIR/rootTlsCa-cert.pem@" $TDIR/root/runFabricCaFvt.yaml
- sed -i "s@\(^[[:blank:]]*keyfile:\).*.pem@\1 $TLSDIR/rootTlsCa-key.pem@" $TDIR/root/runFabricCaFvt.yaml
 FABRIC_CA_SERVER_HOME="$TDIR/root" fabric-ca-server start \
 --csr.hosts $ROOT_CA_ADDR --address $ROOT_CA_ADDR \
 $tlsopts -c $TDIR/root/runFabricCaFvt.yaml -d 2>&1 |
@@ -80,7 +82,12 @@ function createIntCA() {
 cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${i}/runFabricCaFvt.yaml"
 $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
 --tls.keyfile $TLSDIR/intFabCaTls${i}-key.pem \
- --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY \
+ --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+ --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
+ --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${i}-key.pem"
 ADDR=127.0.${i}.1
 FABRIC_CA_SERVER_HOME="$TDIR/int${i}" fabric-ca-server start --csr.hosts $ADDR -c $TDIR/int${i}/runFabricCaFvt.yaml \
 --address $ADDR $tlsopts -b admin:adminpw \
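Review bot: The new `--db.tls.client.certfile $PGSSLCERT` and `--db.tls.client.keyfile $PGSSLKEY` arguments are expanded unquoted inside `tlsopts`, so if either variable is unset when the script runs outside the FVT image (where Dockerfile.in now defines them) the option is emitted with no value and a typical flag parser will swallow the following `--db.tls.client.keyfile` token as its argument, giving a confusing failure instead of a clear one. A guard before the assignment fails fast with the cause: `: "${PGSSLCERT:?PGSSLCERT must point to the postgres client cert}"` and `: "${PGSSLKEY:?PGSSLKEY must point to the postgres client key}"`. The same pattern appears in the createIntCA hunk below and the createFailingCA hunk on the next line; note also that the `--db.tls.*` options are passed for every `$driver`, not only postgres. createRootCA's body continues past the end of the hunk.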
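Review bot: The intermediate CA now authenticates to its parent with `--intermediate.tls.client.certfile $TLSDIR/intFabCaTls${i}-cert.pem`, the same key pair it listens with under `--tls.certfile`; this works because setupTLScerts issues the EE certs with both serverAuth and clientAuth EKUs, but a reader of this function cannot see that and may carry the pattern into a deployment where a CA's listener key and its outbound client identity should be distinct. A comment above the assignment documents the shortcut: `# FVT only: the EE keypair is reused as listener cert and as client identity toward the parent CA (its EKU covers both)`. The createFailingCA hunk on the next line reuses the same arrangement.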
@@ -99,7 +106,12 @@ function createFailingCA {
 cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${last}/runFabricCaFvt.yaml"
 $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
 --tls.keyfile $TLSDIR/intFabCaTls${last}-key.pem \
- --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY \
+ --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+ --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
+ --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${last}-key.pem"
 FABRIC_CA_SERVER_HOME="$TDIR/int${last}" fabric-ca-server init --csr.hosts 127.0.${last}.1 -c "$TDIR/int${last}/runFabricCaFvt.yaml" \
 --address 127.0.${last}.1 $tlsopts -b admin:adminpw \
 -u ${PROTO}intermediateCa${last}:intermediateCa${last}pw@$ADDR:$CA_DEFAULT_PORT -d 2>&1 | tee $TDIR/int${last}/server.log
diff --git a/scripts/fvt/reenroll_test.sh b/scripts/fvt/reenroll_test.sh
index 25e0d27f8..325267a00 100755
--- a/scripts/fvt/reenroll_test.sh
+++ b/scripts/fvt/reenroll_test.sh
@@ -23,7 +23,7 @@ now=$(date +"%g%m%d%H%M%SZ")
 future=$(date +"$next_year%m%d%H%M%SZ")
 NUM_SERVERS=4
-USER_SERVER_RATIO=8
+USER_SERVER_RATIO=8
 for u in $(eval echo {1..$((NUM_SERVERS*USER_SERVER_RATIO-1))}); do
 USERS[u]="user$u"
 done
diff --git a/scripts/fvt/roundrobin_test.sh b/scripts/fvt/roundrobin_test.sh
index c62b74b9f..8161f4833 100755
--- a/scripts/fvt/roundrobin_test.sh
+++ b/scripts/fvt/roundrobin_test.sh
@@ -35,10 +35,10 @@ for driver in sqlite3 mysql postgres ; do
 $SCRIPTDIR/registerAndEnroll.sh -u "${USERS[*]}"
 test $? -ne 0 && ErrorMsg "registerAndEnroll failed"
 reenroll admin
- if ! $(${FABRIC_TLS:-false}); then
+ if ! $(${FABRIC_TLS:-false}); then
 nums=$((NUM_SERVERS-1))
 for s in $(eval echo {0..$nums}); do
- curl -s http://$HOST/ |
+ curl -s http://$HOST/ |
 awk -v s="server${s}\"" '$0~s'|
 html2text |
 egrep "HTTP|server${s}"