
Commit c5689bf4 authored by GARNIER Laurent's avatar GARNIER Laurent

Merge branch 'qualif-fixes' into 'django'

fixes for the qualif deployment

Closes #356, #349, #345, #309, allgo.inria.fr#8, #347, #338, allgo.inria.fr#7, allgo.inria.fr#5, and #44

See merge request !205
parents 57df3228 ccf8ad31
......@@ -41,6 +41,7 @@ import json
import logging
import os
import re
import ssl
import sys
import time
import weakref
......@@ -328,7 +329,7 @@ class AllgoAio:
return self.http_client.request(method, self.django_url+path, *k, **kw)
async def run(self, fork, pidfile):
async def run(self, fork, pidfile, cafile):
"""main task (run the server)"""
assert self._shutdown_requested is None, "run() must not be called multiple times"
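Review bot: The docstring under the new signature still reads `"""main task (run the server)"""` and says nothing about `cafile`, which is now a required positional argument every caller has to pass. Suggest `"""main task (run the server); cafile is the PEM file trusted for outgoing TLS connections"""`, or an Args block naming fork, pidfile and cafile. The body of run() continues outside this hunk.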
......@@ -339,6 +340,20 @@ class AllgoAio:
# create the aiohttp client
self.http_client = aiohttp.ClientSession()
# load the CA certificate
try:
# ugly hack: store the ssl context directy in the connector (the aiohttp client v1.2
# does not support explicit ssl contextes)
assert aiohttp.__version__ == '1.2.0'
self.http_client.connector._ssl_context = ssl.create_default_context(cafile=cafile)
except OSError as e:
k = "unable to load CA file %r (%s)", cafile, e
if isinstance(e, FileNotFoundError) and cafile == "/vol/ro/certs/registry.crt":
log.warning(*k)
else:
log.error(*k)
sys.exit(1)
# create redis client
self.redis_client = await self.create_redis(reconnecting=True)
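Review bot: The `assert aiohttp.__version__ == '1.2.0'` is the only guard on the write to the private `connector._ssl_context`; under `python -O` asserts are stripped, so on another aiohttp release the assignment becomes a no-op on an unknown attribute and the CA file is silently never applied (and an AssertionError is not caught by the `except OSError` either). Make it an explicit check: `if aiohttp.__version__ != '1.2.0': raise RuntimeError("ssl-context hack requires aiohttp 1.2.0, got %s" % aiohttp.__version__)`. A comment is also warranted that `ssl.create_default_context(cafile=...)` loads only that file and not the system store, so the client trusts exactly this CA, and that the FileNotFoundError branch for the default path continues with the stock connector — acceptable only on the assumption that a peer presenting a certificate from the private CA then fails verification rather than being accepted.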
......
......@@ -63,6 +63,8 @@ parser.add_argument("--daemon", action="store_true",
help="daemonise after startup")
parser.add_argument("--pidfile", metavar="PATH", default="/run/aio.pid",
help="daemon pid file (default: /run/aio.pid)")
parser.add_argument("--cafile", metavar="PEMFILE", default="/vol/ro/certs/registry.crt",
help="path to the registry CA certificate (default: /vol/ro/certs/registry.crt)")
args = parser.parse_args()
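Review bot: The default path is repeated as a string literal in the CA loader, where it decides whether a missing file is a warning or a fatal exit; as written, passing `--cafile /vol/ro/certs/registry.crt` explicitly gets the lenient warning path while any other explicit path is fatal, which is surprising. Consider `default=None` and resolving the default inside the loader, or a shared module constant `DEFAULT_CAFILE = "/vol/ro/certs/registry.crt"` used by both, and state in the help text that a missing default file only produces a warning.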
......@@ -83,7 +85,7 @@ try:
loop.add_signal_handler(signal.SIGTERM, app.shutdown)
#loop.add_signal_handler(signal.SIGHUP, app.reload)
loop.run_until_complete(app.run(args.daemon, args.pidfile))
loop.run_until_complete(app.run(args.daemon, args.pidfile, args.cafile))
finally:
loop.remove_signal_handler(signal.SIGINT)
loop.remove_signal_handler(signal.SIGTERM)
......
......@@ -12,10 +12,10 @@ APPS_DIR = os.path.join(ROOT_DIR, 'allgo')
#FIXME: we should rather do these type conversions in config/env.py because
# this is very error prone
def parse_bool(value):
if value.lower() in (1, "true"):
def parse_bool(value: str):
if value.lower() in ("1", "true"):
return True
if value.lower() in (0, "false"):
if value.lower() in ("0", "false", ""):
return False
raise ValueError("invalid value %r (expected 'true' or 'false')" % value)
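Review bot: The error message on the last line still says `expected 'true' or 'false'` while the new code also accepts `"1"`, `"0"` and the empty string; update it to `"invalid value %r (expected 'true'/'1' or 'false'/'0')"`. The empty string now parses as False, so an environment entry left blank silently disables whatever flag it controls; that is the safe direction for something like DEBUG but not for a flag that turns a check on, and a one-line comment stating the intent would help. Values are lowercased but not stripped, so `"true "` from an env file still raises; `value.strip().lower()` is cheap if that is desired. parse_bool's callers are outside this hunk.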
......
......@@ -27,7 +27,6 @@ fi
echo "CREATE DATABASE allgo CHARACTER SET 'utf8';" | mysql_cmd
# generate the missing migrations (in qualif/dev only)
# TODO: remove this when we deploy in production
if [ "$ENV" = dev ] || [ "$ENV" = qualif ] ; then
python3 manage.py makemigrations
fi
......
#!/bin/sh
set -e -x
# wait until the mysql server is ready
wait-mysql
mkdir -p /vol/cache/allgo
# generate the missing migrations (in qualif/dev only)
if [ "$ENV" = dev ] || [ "$ENV" = qualif ] ; then
python3 manage.py makemigrations
fi
# create the tables (apply the migrations)
python3 manage.py migrate
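Review bot: `set -e -x` on the second line traces every command with its arguments to the container log for the whole script; none of the visible commands appears to take a credential as an argument, but any later step that does (a mysql client invocation with a password, for instance) would be logged verbatim. If tracing is only wanted for debugging, `set -e` plus a targeted `set -x` around the migration steps is safer. A header comment such as `# entrypoint helper: wait for MySQL, create the cache dir, then apply Django migrations (generating them first in dev/qualif only)` would also help, since the script has none.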
......@@ -119,6 +119,8 @@ server
proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
proxy_redirect off;
proxy_buffering off;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /vol/ro/certs/registry.crt;
location ~ ^/v2/.*/manifests/[^/]*$ {
proxy_pass http://aio;
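Review bot: `proxy_ssl_verify on` and `proxy_ssl_trusted_certificate` only take effect if `{ALLGO_REGISTRY_PRIVATE_URL}` expands to an https:// URL; with an http:// value both directives are inert and registry traffic stays in clear, so it is worth asserting the scheme where that variable is rendered or noting it in a comment here. nginx's `proxy_ssl_verify_depth` defaults to 1, which is fine when registry.crt directly signs the registry's leaf but may not be if an intermediate sits in between; set it explicitly with a comment describing the expected chain. If the registry is served from a name-based virtual host, `proxy_ssl_server_name on;` is also needed so SNI carries the hostname nginx verifies against.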
......