Unverified Commit 7e88c7ec authored by JohannesGarm's avatar JohannesGarm Committed by GitHub

Merge pull request #23 from safaci2000/feature/docker_fix

Docker Overall Improvement and workflow changes
parents fd69584f 43d3a1e2
Showing with 284 additions and 254 deletions
...@@ -4,3 +4,11 @@ build ...@@ -4,3 +4,11 @@ build
dist dist
.opennsa-test.json .opennsa-test.json
.python-version .python-version
docker/.env
config/opennsa.conf
docker-compose.override.yml
.idea
.devcontainer
twistd.pid
.env
...@@ -4,8 +4,11 @@ ...@@ -4,8 +4,11 @@
clean: clean:
rm -fr _trial_temp rm -fr _trial_temp
find . -name "*.pyc"|xargs rm find . -name "*.pyc" -exec rm -v {} \;
docker-build: down:
docker build -t opennsa docker docker-compose down
docker-build: clean down
docker-compose build --no-cache
...@@ -26,15 +26,15 @@ PORT = 7080 ...@@ -26,15 +26,15 @@ PORT = 7080
def matchState(query_result, expected_state): def matchState(query_result, expected_state):
state = query_result.reservationSummary[0].connectionState state = query_result.reservationSummary[0].connectionState
if state == expected_state: if state == expected_state:
print 'State match (%s)' % expected_state print('State match (%s)' % expected_state)
else: else:
print "State mismatch. Was %s, should have been %s" % (state, expected_state) print("State mismatch. Was %s, should have been %s" % (state, expected_state))
@defer.inlineCallbacks @defer.inlineCallbacks
def doMain(): def doMain():
print 'OpenNSA WS test client' print('OpenNSA WS test client')
wsdl_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'wsdl') wsdl_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'wsdl')
...@@ -70,10 +70,10 @@ def doMain(): ...@@ -70,10 +70,10 @@ def doMain():
global_reservation_id = 'urn:uuid:' + str(uuid.uuid1()) global_reservation_id = 'urn:uuid:' + str(uuid.uuid1())
connection_id = 'urn:uuid:' + str(uuid.uuid1()) connection_id = 'urn:uuid:' + str(uuid.uuid1())
print "Connection id", connection_id print("Connection id", connection_id)
r = yield client.reserve(client_nsa, provider.nsa, None, global_reservation_id, 'Test Connection', connection_id, service_params) r = yield client.reserve(client_nsa, provider.nsa, None, global_reservation_id, 'Test Connection', connection_id, service_params)
print "Reservation created. Connection ID:", connection_id print("Reservation created. Connection ID:", connection_id)
qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] ) qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] )
matchState(qr, 'Reserved') matchState(qr, 'Reserved')
...@@ -84,19 +84,19 @@ def doMain(): ...@@ -84,19 +84,19 @@ def doMain():
matchState(qr, 'Auto-Provision') matchState(qr, 'Auto-Provision')
yield d yield d
print "Connection provisioned" print("Connection provisioned")
qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] ) qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] )
matchState(qr, 'Provisioned') matchState(qr, 'Provisioned')
_ = yield client.release(client_nsa, provider.nsa, None, connection_id) _ = yield client.release(client_nsa, provider.nsa, None, connection_id)
print "Connection released" print("Connection released")
qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] ) qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] )
matchState(qr, 'Scheduled') matchState(qr, 'Scheduled')
_ = yield client.terminate(client_nsa, provider.nsa, None, connection_id) _ = yield client.terminate(client_nsa, provider.nsa, None, connection_id)
print "Reservation terminated" print("Reservation terminated")
qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] ) qr = yield client.query(client_nsa, provider.nsa, None, "Summary", connection_ids = [ connection_id ] )
matchState(qr, 'Terminated') matchState(qr, 'Terminated')
......
...@@ -7,13 +7,12 @@ logfile= ...@@ -7,13 +7,12 @@ logfile=
#peers=example.org@http://example.org:9080/NSI/topology/example.org.xml #peers=example.org@http://example.org:9080/NSI/topology/example.org.xml
# These are set by the create-compose script # These are set by the create-compose script
dbhost=opennsa-db dbhost=${POSTGRES_HOST}
database=${POSTGRES_DB} database=${POSTGRES_DB}
dbuser=${POSTGRES_USER} dbuser=${POSTGRES_USER}
dbpassword=${POSTGRES_PASSWORD} dbpassword=${POSTGRES_PASSWORD}
tls=false tls=${TLS_ENABLED}
[dud:topology] [dud:topology]
nrmmap=opennsa.nrm nrmmap=${NRM_FILE}
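Review bot: The comment `# These are set by the create-compose script` is now stale: `docker/create-compose` is deleted in this same commit, and the `${...}` references are expanded at read time by `EnvInterpolation` in `opennsa/config.py` from the variables that `load_dotenv()` reads out of `.env`. Suggest `# These are expanded from environment variables (see env.template / generate-docker-config)`. Note that `os.path.expandvars` leaves a reference to an unset variable untouched, so a missing `TLS_ENABLED` yields the literal value `${TLS_ENABLED}` for `tls` instead of an error; the `.env` generation should therefore always define every variable this template names, as `env.template` currently does.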
File moved
## rename this file to docker-compose.override.yml any additional settings listed here will be merged with the docker-compose.yml file.
version: "3.7"
services:
opennsa:
image: opennsa:latest
command: Any valid command
## Mount entire project to volume avoids constant rebuilds.
## You may need to load the container as:
## UID=${UID} GID=${GID} docker-compose up linux FS can cause some issues with
## permissioning at times.
#volumes:
# - ./:/home/opennsa/opennsa
# Mount NRM file and leave ENV value the same
#volumes:
# - ./config/myNRMFile.nrm:/home/opennsa/opennsa/config/opennsa.nrm
db:
image: postgres:12
##Expose 5432 locally
ports:
- 5432:5432
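Review bot: The comment `##Expose 5432 locally` does not match `- 5432:5432`, which publishes the database port on every host interface; to keep it on the host only, write `- 127.0.0.1:5432:5432`. Since this placeholder is the example users copy into `docker-compose.override.yml`, the loopback form should be the default and widening it a deliberate edit.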
version: "3.7"
services:
db:
image: postgres:12
expose:
- 5432
volumes:
- ./datafiles/schema.sql:/docker-entrypoint-initdb.d/schema.sql:ro
- opennsa-pgdata:/var/lib/postgresql/data
env_file: .env
opennsa:
image: opennsa:latest
build:
context: .
dockerfile: docker/Dockerfile
env_file: .env
depends_on:
- db
ports:
- 9080:9080
- 9443:9443
volumes:
- ./config/opennsa.conf:/home/opennsa/opennsa/config/opennsa.conf:ro
- ./config/opennsa.nrm:/home/opennsa/opennsa/opennsa.nrm:ro
volumes:
opennsa-pgdata:
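Review bot: The `ports:` entries `9080:9080` and `9443:9443` publish OpenNSA on all host interfaces, whereas the `docker/template.yml` this file replaces bound them to `127.0.0.1:9080:9080` / `127.0.0.1:9443:9443`, so the commit silently widens the exposure of the service ports. Keep the loopback binding by default (`- 127.0.0.1:9080:9080` and `- 127.0.0.1:9443:9443`) and let deployments widen it through `docker-compose.override.yml`, which is exactly what the new override placeholder is for. Both services load the same `env_file: .env`, so the `opennsa` container receives `POSTGRES_PASSWORD` along with everything else; that is required for the `${POSTGRES_PASSWORD}` reference in the config template, but a one-line comment saying so would save the next reader a search.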
...@@ -2,58 +2,48 @@ ...@@ -2,58 +2,48 @@
FROM debian:stable-slim FROM debian:stable-slim
MAINTAINER Henrik Thostrup Jensen <htj@nordu.net> LABEL maintainer="Henrik Thostrup Jensen <htj@nordu.net>"
# -- Environment -- # -- Environment --
ENV GIT_REPO https://github.com/NORDUnet/opennsa
ENV USER opennsa ENV USER opennsa
# -- User setup -- # -- User setup --
RUN adduser --disabled-password --gecos 'OpenNSA user' $USER RUN adduser --disabled-password --gecos 'OpenNSA user' $USER
ADD . /home/$USER/opennsa/
# --- Base image --- # --- Base image ---
# Update and install dependencies # Update and install dependencies
# pip to install twistar service-identity pyasn1 # pip to install twistar service-identity pyasn1
# pyasn1 and crypto is needed for ssh backends # pyasn1 and crypto is needed for ssh backends
RUN apt update \ RUN apt update \
&& apt install -y \ && apt install -y \
git-core \ libpq-dev \
python3 \ python3 \
python3-twisted-bin \ python3-pip \
python3-openssl \ netcat \
python3-psycopg2 \ iputils-ping \
python3-pip \ && pip3 install -r /home/$USER/opennsa/requirements.txt \
python3-crypto \ && chown $USER:$USER -R /home/opennsa/opennsa \
python3-dateutil \ # -- Cleanup --
&& pip3 install \ && apt remove -y python3-pip \
twistar \ && apt autoremove -y \
service-identity \ && rm -rf /var/lib/apt/lists/* \
pyasn1 \ && cp /home/$USER/opennsa/docker/run_opennsa.sh /home/$USER/opennsa \
# -- Instal OpenNSA -- && cp /home/$USER/opennsa/config/opennsa.conf.template /home/$USER/opennsa/config/opennsa.conf
&& echo git clone $GIT_REPO \
&& su - $USER -c "git clone $GIT_REPO" \
# -- Cleanup -- #RUN
&& apt remove -y \
git-core \
python3-pip \
&& apt autoremove -y \
&& rm -rf /var/lib/apt/lists/*
# -- Switch to OpenNSA directory -- # -- Switch to OpenNSA directory --
USER $USER USER $USER
WORKDIR /home/$USER/opennsa WORKDIR /home/$USER/opennsa
ENV PYTHONPATH . ENV PYTHONPATH .
# -- Entrypoint -- # -- Entrypoint --
EXPOSE 9080 EXPOSE 9080
EXPOSE 9443 EXPOSE 9443
ENTRYPOINT rm -f twistd.pid; twistd -ny opennsa.tac # USER root
CMD /home/$USER/opennsa/run_opennsa.sh
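Review bot: `ADD . /home/$USER/opennsa/` copies the entire build context into an image layer, and after this commit the context contains the generated `.env` (holding `POSTGRES_PASSWORD`) and `config/opennsa.conf`; no `.dockerignore` is part of this diff, so unless one already exists those secrets are baked into every image built from this file. Prefer `COPY . /home/$USER/opennsa/` (ADD's archive/URL behaviour is not used here) together with a `.dockerignore` that lists `.env`, `config/opennsa.conf` and `.git`. Smaller points: `chown $USER:$USER -R /home/opennsa/opennsa` hardcodes the user name while the rest of the line uses `$USER`, and `iputils-ping` plus the `#RUN` and `# USER root` leftovers read as debugging residue that can be dropped before merge.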
...@@ -11,20 +11,18 @@ $ make docker-build ( from opennsa directory ) ...@@ -11,20 +11,18 @@ $ make docker-build ( from opennsa directory )
As OpenNSA requires a Postgres database, docker-compose is used to coordinate As OpenNSA requires a Postgres database, docker-compose is used to coordinate
the setup of the two containers. the setup of the two containers.
1. Edit opennsa.conf.template and opennsa.nrm 1. $ ./generate-docker-config
Leave the database config as-is. This will mainly generate a password and create a .env file for you. You may update the settings in .env if you wish to use a different nrm file (Keep in mind you'll need to mount it as a volume if you stray from the defaults or rebuild the image)
2. $ ./create-compose
This will substitute stuff in the templates and create docker-compose.yml and opennsa.conf
3. $ docker-compose up 3. $ docker-compose up
This should bring up a PostgreSQL instance and OpenNSA. This should bring up a PostgreSQL instance and OpenNSA.
## Advanced Features
You may have to edit template.yml to expose OpenNSA ports publically, mount in 1. In order to override any settings copy the docker-compose.override.yml_placeholder to docker-compose.override.yml. You can use to mount additional volumes, expose additional ports etc. Some common patterns are already there and commented out.
certificates, or similar.
2. Configuration options are almost all exposed via ENV variables. If you wish to directly mount your config file, make a copy of config/opennsa.conf.template to config/opennsa.conf. Update any entries as desired and restart all DB container.
TODO: Make OpenNSA able to take database configuration via environment, so we 3. The entry point is left as just bash, so if you wish to override the initial command you may simply set the `command:` line in your override file to anything you like. If you want, you may also invoke the run_opennsa.sh with arguments, it will wait for the database to come up with run the command you issues.
don't have to do replacement in opennsa.conf
For example: run_opennsa.sh sleep 50 ==> will wait for DB to come up then sleep for 50 seconds.
\ No newline at end of file
#!/bin/sh
set -a # load source environment variables into scope
. env.sh
cat template.yml | envsubst > docker-compose.yml
cat opennsa.conf.template | envsubst > opennsa.conf
echo "Start OpenNSA with: docker-compose up"
#!/bin/sh
POSTGRES_DB=opennsa
POSTGRES_USER=opennsa
POSTGRES_PASSWORD=$(openssl rand -base64 18)
SCHEMA_FILE=$PWD/../datafiles/schema.sql
OPENNSA_CONF_FILE=$PWD/opennsa.conf
OPENNSA_NRM_FILE=$PWD/opennsa.nrm
#!/usr/bin/env bash
function check_db()
{
## Wait for DB container to be up
until nc -z -v -w30 $POSTGRES_HOST $POSTGRES_PORT
do
echo "Waiting 5 second until the database is receiving connections..."
# wait for a second before checking again
sleep 5
done
}
function run_app()
{
cd $HOME/opennsa
rm -f twistd.pid; $cmd
}
if [ $# -gt 0 ]; then
cmd=$@
else
cmd='twistd -ny opennsa.tac'
fi
check_db
run_app $cmd
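Review bot: `cmd=$@` flattens the arguments into a single string and `run_app $cmd` re-splits it on whitespace, so any argument containing spaces or glob characters is mangled; `run_app` also ignores its own parameters and reads the global `$cmd`, and `cd $HOME/opennsa` is unchecked, so on failure `rm -f twistd.pid` and the command run in whatever directory the shell is in. Passing the argument vector through as `"$@"` (with `set --` supplying the default) preserves boundaries, and `exec` lets the application replace the shell so that `docker stop` signals reach twistd directly. The rewrite below keeps `check_db` as is.
```shell
function run_app()
{
    cd "$HOME/opennsa" || exit 1
    rm -f twistd.pid
    exec "$@"
}

# … unchanged: check_db …

if [ $# -eq 0 ]; then
    set -- twistd -ny opennsa.tac
fi
check_db
run_app "$@"
```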
version: '3'
services:
opennsa-db:
image: postgres:9.6.5
volumes:
- ${SCHEMA_FILE}:/docker-entrypoint-initdb.d/schema.sql:ro
- opennsa-pgdata:/var/lib/postgresql/data
environment:
- POSTGRES_DB=${POSTGRES_DB}
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
opennsa:
image: opennsa:latest
depends_on:
- opennsa-db
- waitforpg
ports:
- 127.0.0.1:9080:9080
- 127.0.0.1:9443:9443
links:
- opennsa-db
volumes:
- ${OPENNSA_CONF_FILE}:/home/opennsa/opennsa/opennsa.conf:ro
- ${OPENNSA_NRM_FILE}:/home/opennsa/opennsa/opennsa.nrm:ro
waitforpg:
image: dadarek/wait-for-dependencies
depends_on:
- opennsa-db
command: opennsa-db:5432
volumes:
opennsa-pgdata:
File added
POSTGRES_DB=opennsa
POSTGRES_USER=opennsa
POSTGRES_PASSWORD=PASSWD_REPLACE
POSTGRES_HOST=opennsa-db
POSTGRES_PORT=5432
TLS_ENABLED=false
NRM_FILE=config/opennsa.nrm
#!/bin/sh
cp docker/opennsa.conf.template config/opennsa.conf
sed -e "s/PASSWD_REPLACE/$(openssl rand -base64 18)/" env.template > .env
echo "Start OpenNSA with: docker-compose up"
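Review bot: The sed expression on the line above uses `/` as its delimiter, but `openssl rand -base64 18` emits the base64 alphabet, which includes `/`, so a sizeable fraction of generated passwords terminate the `s` command early and sed either errors out or writes a broken `.env`. Generate the secret once with a `/`-free alphabet and use a different delimiter: `PW=$(openssl rand -hex 18)` followed by `sed -e "s|PASSWD_REPLACE|$PW|" env.template > .env`; `-hex` also avoids `+`, `%` and `$`, which the configparser/`expandvars` interpolation in `opennsa/config.py` would otherwise treat specially. The resulting `.env` holds the database password and is created under the default umask, so add `chmod 600 .env` (or `umask 077` at the top of the script). The copy source `docker/opennsa.conf.template` does not appear in this diff while `config/opennsa.conf.template` does; please confirm the path exists.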
# This is a configuration file for running an OpenNSA service directly from the development directory
[service]
# Change network name at will
domain=example.net
# This means we output log to stdout
logfile=
#peers=example.org@http://example.org:9080/NSI/topology/example.org.xml
# You will need to set these
database=opennsa
dbuser=opennsa
dbpassword=opennsa
tls=false
[dud:topology]
nrmmap=opennsa.nrm
...@@ -7,7 +7,10 @@ ...@@ -7,7 +7,10 @@
from opennsa import setup from opennsa import setup
from dotenv import load_dotenv
load_dotenv() ## Loads ENV values from .env file
# you can get debug and/or payload info in the log by setting one of the flags to true # you can get debug and/or payload info in the log by setting one of the flags to true
application = setup.createApplication('opennsa.conf', payload=False, debug=False) application = setup.createApplication('config/opennsa.conf', payload=False, debug=False)
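Review bot: `from dotenv import load_dotenv` adds a third-party runtime dependency (python-dotenv) and `requirements.txt` is not part of this diff, so I cannot confirm it is declared; since the Dockerfile installs from that file, a missing entry only surfaces when the container starts. `load_dotenv()` also copies everything in `.env`, including `POSTGRES_PASSWORD`, into the service's process environment, which is the intended input for `EnvInterpolation` but means any subprocess spawned by a backend inherits it. A short comment would make the data flow explicit: `# .env supplies POSTGRES_* / TLS_ENABLED / NRM_FILE; expanded by EnvInterpolation in opennsa/config.py`. The relative path `'config/opennsa.conf'` further ties startup to the working directory; the Dockerfile sets `WORKDIR`, but running `twistd -ny opennsa.tac` from elsewhere now fails where the old `'opennsa.conf'` had the same limitation one level up.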
...@@ -11,138 +11,138 @@ import configparser ...@@ -11,138 +11,138 @@ import configparser
from opennsa import constants as cnt from opennsa import constants as cnt
# defaults # defaults
DEFAULT_CONFIG_FILE = '/etc/opennsa.conf' DEFAULT_CONFIG_FILE = '/etc/opennsa.conf'
DEFAULT_LOG_FILE = '/var/log/opennsa.log' DEFAULT_LOG_FILE = '/var/log/opennsa.log'
DEFAULT_TLS = 'true' DEFAULT_TLS = 'true'
DEFAULT_TOPOLOGY_FILE = '/usr/local/share/nsi/topology.owl' DEFAULT_TOPOLOGY_FILE = '/usr/local/share/nsi/topology.owl'
DEFAULT_TCP_PORT = 9080 DEFAULT_TCP_PORT = 9080
DEFAULT_TLS_PORT = 9443 DEFAULT_TLS_PORT = 9443
DEFAULT_VERIFY = True DEFAULT_VERIFY = True
DEFAULT_CERTIFICATE_DIR = '/etc/ssl/certs' # This will work on most mordern linux distros # This will work on most mordern linux distros
DEFAULT_CERTIFICATE_DIR = '/etc/ssl/certs'
# config blocks and options # config blocks and options
BLOCK_SERVICE = 'service' BLOCK_SERVICE = 'service'
BLOCK_DUD = 'dud' BLOCK_DUD = 'dud'
BLOCK_JUNIPER_EX = 'juniperex' BLOCK_JUNIPER_EX = 'juniperex'
BLOCK_JUNIPER_VPLS = 'junipervpls' BLOCK_JUNIPER_VPLS = 'junipervpls'
BLOCK_FORCE10 = 'force10' BLOCK_FORCE10 = 'force10'
BLOCK_BROCADE = 'brocade' BLOCK_BROCADE = 'brocade'
BLOCK_NCSVPN = 'ncsvpn' BLOCK_NCSVPN = 'ncsvpn'
BLOCK_PICA8OVS = 'pica8ovs' BLOCK_PICA8OVS = 'pica8ovs'
BLOCK_JUNOSMX = 'junosmx' BLOCK_JUNOSMX = 'junosmx'
BLOCK_JUNOSEX = 'junosex' BLOCK_JUNOSEX = 'junosex'
BLOCK_JUNOSSPACE = 'junosspace' BLOCK_JUNOSSPACE = 'junosspace'
BLOCK_OESS = 'oess' BLOCK_OESS = 'oess'
BLOCK_CUSTOM_BACKEND = 'custombackend' BLOCK_CUSTOM_BACKEND = 'custombackend'
# service block # service block
DOMAIN = 'domain' # mandatory DOMAIN = 'domain' # mandatory
NETWORK_NAME = 'network' # legacy, used to be mandatory NETWORK_NAME = 'network' # legacy, used to be mandatory
LOG_FILE = 'logfile' LOG_FILE = 'logfile'
HOST = 'host' HOST = 'host'
PORT = 'port' PORT = 'port'
TLS = 'tls' TLS = 'tls'
REST = 'rest' REST = 'rest'
NRM_MAP_FILE = 'nrmmap' NRM_MAP_FILE = 'nrmmap'
PEERS = 'peers' PEERS = 'peers'
POLICY = 'policy' POLICY = 'policy'
PLUGIN = 'plugin' PLUGIN = 'plugin'
SERVICE_ID_START = 'serviceid_start' SERVICE_ID_START = 'serviceid_start'
# database # database
DATABASE = 'database' # mandatory DATABASE = 'database' # mandatory
DATABASE_USER = 'dbuser' # mandatory DATABASE_USER = 'dbuser' # mandatory
DATABASE_PASSWORD = 'dbpassword' # can be none (os auth) DATABASE_PASSWORD = 'dbpassword' # can be none (os auth)
DATABASE_HOST = 'dbhost' # can be none (local db) DATABASE_HOST = 'dbhost' # can be none (local db)
# tls # tls
KEY = 'key' # mandatory, if tls is set KEY = 'key' # mandatory, if tls is set
CERTIFICATE = 'certificate' # mandatory, if tls is set CERTIFICATE = 'certificate' # mandatory, if tls is set
CERTIFICATE_DIR = 'certdir' # mandatory (but dir can be empty) CERTIFICATE_DIR = 'certdir' # mandatory (but dir can be empty)
VERIFY_CERT = 'verify' VERIFY_CERT = 'verify'
ALLOWED_HOSTS = 'allowedhosts' # comma seperated list ALLOWED_HOSTS = 'allowedhosts' # comma seperated list
# generic stuff # generic stuff
_SSH_HOST = 'host' _SSH_HOST = 'host'
_SSH_PORT = 'port' _SSH_PORT = 'port'
_SSH_HOST_FINGERPRINT = 'fingerprint' _SSH_HOST_FINGERPRINT = 'fingerprint'
_SSH_USER = 'user' _SSH_USER = 'user'
_SSH_PASSWORD = 'password' _SSH_PASSWORD = 'password'
_SSH_PUBLIC_KEY = 'publickey' _SSH_PUBLIC_KEY = 'publickey'
_SSH_PRIVATE_KEY = 'privatekey' _SSH_PRIVATE_KEY = 'privatekey'
AS_NUMBER = 'asnumber' AS_NUMBER = 'asnumber'
# TODO: Don't do backend specifics for everything, it causes confusion, and doesn't really solve anything # TODO: Don't do backend specifics for everything, it causes confusion, and doesn't really solve anything
# juniper block - same for mx / ex backends # juniper block - same for mx / ex backends
JUNIPER_HOST = _SSH_HOST JUNIPER_HOST = _SSH_HOST
JUNIPER_PORT = _SSH_PORT JUNIPER_PORT = _SSH_PORT
JUNIPER_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT JUNIPER_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT
JUNIPER_USER = _SSH_USER JUNIPER_USER = _SSH_USER
JUNIPER_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY JUNIPER_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY
JUNIPER_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY JUNIPER_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY
# force10 block # force10 block
FORCE10_HOST = _SSH_HOST FORCE10_HOST = _SSH_HOST
FORCE10_PORT = _SSH_PORT FORCE10_PORT = _SSH_PORT
FORCE10_USER = _SSH_USER FORCE10_USER = _SSH_USER
FORCE10_PASSWORD = _SSH_PASSWORD FORCE10_PASSWORD = _SSH_PASSWORD
FORCE10_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT FORCE10_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT
FORCE10_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY FORCE10_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY
FORCE10_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY FORCE10_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY
# Brocade block # Brocade block
BROCADE_HOST = _SSH_HOST BROCADE_HOST = _SSH_HOST
BROCADE_PORT = _SSH_PORT BROCADE_PORT = _SSH_PORT
BROCADE_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT BROCADE_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT
BROCADE_USER = _SSH_USER BROCADE_USER = _SSH_USER
BROCADE_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY BROCADE_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY
BROCADE_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY BROCADE_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY
BROCADE_ENABLE_PASSWORD = 'enablepassword' BROCADE_ENABLE_PASSWORD = 'enablepassword'
# Pica8 OVS # Pica8 OVS
PICA8OVS_HOST = _SSH_HOST PICA8OVS_HOST = _SSH_HOST
PICA8OVS_PORT = _SSH_PORT PICA8OVS_PORT = _SSH_PORT
PICA8OVS_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT PICA8OVS_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT
PICA8OVS_USER = _SSH_USER PICA8OVS_USER = _SSH_USER
PICA8OVS_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY PICA8OVS_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY
PICA8OVS_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY PICA8OVS_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY
PICA8OVS_DB_IP = 'dbip' PICA8OVS_DB_IP = 'dbip'
# NCS VPN Backend # NCS VPN Backend
NCS_SERVICES_URL = 'url' NCS_SERVICES_URL = 'url'
NCS_USER = 'user' NCS_USER = 'user'
NCS_PASSWORD = 'password' NCS_PASSWORD = 'password'
# JUNOS block # JUNOS block
JUNOS_HOST = _SSH_HOST JUNOS_HOST = _SSH_HOST
JUNOS_PORT = _SSH_PORT JUNOS_PORT = _SSH_PORT
JUNOS_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT JUNOS_HOST_FINGERPRINT = _SSH_HOST_FINGERPRINT
JUNOS_USER = _SSH_USER JUNOS_USER = _SSH_USER
JUNOS_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY JUNOS_SSH_PUBLIC_KEY = _SSH_PUBLIC_KEY
JUNOS_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY JUNOS_SSH_PRIVATE_KEY = _SSH_PRIVATE_KEY
JUNOS_ROUTERS = 'routers' JUNOS_ROUTERS = 'routers'
#Junosspace backend # Junosspace backend
SPACE_USER = 'space_user' SPACE_USER = 'space_user'
SPACE_PASSWORD = 'space_password' SPACE_PASSWORD = 'space_password'
SPACE_API_URL = 'space_api_url' SPACE_API_URL = 'space_api_url'
SPACE_ROUTERS = 'routers' SPACE_ROUTERS = 'routers'
SPACE_CONFIGLET_ACTIVATE_LOCAL = 'configlet_activate_local' SPACE_CONFIGLET_ACTIVATE_LOCAL = 'configlet_activate_local'
SPACE_CONFIGLET_ACTIVATE_REMOTE = 'configlet_activate_remote' SPACE_CONFIGLET_ACTIVATE_REMOTE = 'configlet_activate_remote'
SPACE_CONFIGLET_DEACTIVATE_LOCAL = 'configlet_deactivate_local' SPACE_CONFIGLET_DEACTIVATE_LOCAL = 'configlet_deactivate_local'
SPACE_CONFIGLET_DEACTIVATE_REMOTE = 'configlet_deactivate_remote' SPACE_CONFIGLET_DEACTIVATE_REMOTE = 'configlet_deactivate_remote'
# OESS # OESS
OESS_URL = 'url' OESS_URL = 'url'
OESS_USER = 'username' OESS_USER = 'username'
OESS_PASSWORD = 'password' OESS_PASSWORD = 'password'
OESS_WORKGROUP = 'workgroup' OESS_WORKGROUP = 'workgroup'
class ConfigurationError(Exception): class ConfigurationError(Exception):
...@@ -158,18 +158,22 @@ class Peer(object): ...@@ -158,18 +158,22 @@ class Peer(object):
self.cost = cost self.cost = cost
class EnvInterpolation(configparser.BasicInterpolation):
"""Interpolation which expands environment variables in values."""
def readConfig(filename): def before_get(self, parser, section, option, value, defaults):
value = super().before_get(parser, section, option, value, defaults)
return os.path.expandvars(value)
cfg = configparser.SafeConfigParser()
def readConfig(filename):
cfg = configparser.ConfigParser(interpolation=EnvInterpolation())
cfg.add_section(BLOCK_SERVICE) cfg.add_section(BLOCK_SERVICE)
cfg.read( [ filename ] ) cfg.read([filename])
return cfg return cfg
def readVerifyConfig(cfg): def readVerifyConfig(cfg):
""" """
Read a config and verify that things are correct. Will also fill in Read a config and verify that things are correct. Will also fill in
...@@ -188,7 +192,8 @@ def readVerifyConfig(cfg): ...@@ -188,7 +192,8 @@ def readVerifyConfig(cfg):
try: try:
cfg.get(BLOCK_SERVICE, NRM_MAP_FILE) cfg.get(BLOCK_SERVICE, NRM_MAP_FILE)
raise ConfigurationError('NRM Map file should be specified under backend') raise ConfigurationError(
'NRM Map file should be specified under backend')
except configparser.NoOptionError: except configparser.NoOptionError:
pass pass
...@@ -197,11 +202,13 @@ def readVerifyConfig(cfg): ...@@ -197,11 +202,13 @@ def readVerifyConfig(cfg):
try: try:
vc[DOMAIN] = cfg.get(BLOCK_SERVICE, DOMAIN) vc[DOMAIN] = cfg.get(BLOCK_SERVICE, DOMAIN)
except configparser.NoOptionError: except configparser.NoOptionError:
raise ConfigurationError('No domain name specified in configuration file (mandatory, see docs/migration)') raise ConfigurationError(
'No domain name specified in configuration file (mandatory, see docs/migration)')
try: try:
cfg.get(BLOCK_SERVICE, NETWORK_NAME) cfg.get(BLOCK_SERVICE, NETWORK_NAME)
raise ConfigurationError('Network name no longer used, use domain (see docs/migration)') raise ConfigurationError(
'Network name no longer used, use domain (see docs/migration)')
except configparser.NoOptionError: except configparser.NoOptionError:
pass pass
...@@ -213,7 +220,8 @@ def readVerifyConfig(cfg): ...@@ -213,7 +220,8 @@ def readVerifyConfig(cfg):
try: try:
nrm_map_file = cfg.get(BLOCK_SERVICE, NRM_MAP_FILE) nrm_map_file = cfg.get(BLOCK_SERVICE, NRM_MAP_FILE)
if not os.path.exists(nrm_map_file): if not os.path.exists(nrm_map_file):
raise ConfigurationError('Specified NRM mapping file does not exist (%s)' % nrm_map_file) raise ConfigurationError(
'Specified NRM mapping file does not exist (%s)' % nrm_map_file)
vc[NRM_MAP_FILE] = nrm_map_file vc[NRM_MAP_FILE] = nrm_map_file
except configparser.NoOptionError: except configparser.NoOptionError:
vc[NRM_MAP_FILE] = None vc[NRM_MAP_FILE] = None
...@@ -225,7 +233,7 @@ def readVerifyConfig(cfg): ...@@ -225,7 +233,7 @@ def readVerifyConfig(cfg):
try: try:
peers_raw = cfg.get(BLOCK_SERVICE, PEERS) peers_raw = cfg.get(BLOCK_SERVICE, PEERS)
vc[PEERS] = [ Peer(purl.strip(), 1) for purl in peers_raw.split('\n') ] vc[PEERS] = [Peer(purl.strip(), 1) for purl in peers_raw.split('\n')]
except configparser.NoOptionError: except configparser.NoOptionError:
vc[PEERS] = None vc[PEERS] = None
...@@ -262,12 +270,14 @@ def readVerifyConfig(cfg): ...@@ -262,12 +270,14 @@ def readVerifyConfig(cfg):
try: try:
vc[DATABASE] = cfg.get(BLOCK_SERVICE, DATABASE) vc[DATABASE] = cfg.get(BLOCK_SERVICE, DATABASE)
except configparser.NoOptionError: except configparser.NoOptionError:
raise ConfigurationError('No database specified in configuration file (mandatory)') raise ConfigurationError(
'No database specified in configuration file (mandatory)')
try: try:
vc[DATABASE_USER] = cfg.get(BLOCK_SERVICE, DATABASE_USER) vc[DATABASE_USER] = cfg.get(BLOCK_SERVICE, DATABASE_USER)
except configparser.NoOptionError: except configparser.NoOptionError:
raise ConfigurationError('No database user specified in configuration file (mandatory)') raise ConfigurationError(
'No database user specified in configuration file (mandatory)')
try: try:
vc[DATABASE_PASSWORD] = cfg.get(BLOCK_SERVICE, DATABASE_PASSWORD) vc[DATABASE_PASSWORD] = cfg.get(BLOCK_SERVICE, DATABASE_PASSWORD)
...@@ -288,7 +298,8 @@ def readVerifyConfig(cfg): ...@@ -288,7 +298,8 @@ def readVerifyConfig(cfg):
try: try:
certdir = cfg.get(BLOCK_SERVICE, CERTIFICATE_DIR) certdir = cfg.get(BLOCK_SERVICE, CERTIFICATE_DIR)
if not os.path.exists(certdir): if not os.path.exists(certdir):
raise ConfigurationError('Specified certdir does not exist (%s)' % certdir) raise ConfigurationError(
'Specified certdir does not exist (%s)' % certdir)
vc[CERTIFICATE_DIR] = certdir vc[CERTIFICATE_DIR] = certdir
except configparser.NoOptionError: except configparser.NoOptionError:
vc[CERTIFICATE_DIR] = DEFAULT_CERTIFICATE_DIR vc[CERTIFICATE_DIR] = DEFAULT_CERTIFICATE_DIR
...@@ -300,13 +311,15 @@ def readVerifyConfig(cfg): ...@@ -300,13 +311,15 @@ def readVerifyConfig(cfg):
# tls # tls
if vc[TLS]: if vc[TLS]:
try: try:
hostkey = cfg.get(BLOCK_SERVICE, KEY) hostkey = cfg.get(BLOCK_SERVICE, KEY)
hostcert = cfg.get(BLOCK_SERVICE, CERTIFICATE) hostcert = cfg.get(BLOCK_SERVICE, CERTIFICATE)
if not os.path.exists(hostkey): if not os.path.exists(hostkey):
raise ConfigurationError('Specified hostkey does not exist (%s)' % hostkey) raise ConfigurationError(
'Specified hostkey does not exist (%s)' % hostkey)
if not os.path.exists(hostcert): if not os.path.exists(hostcert):
raise ConfigurationError('Specified hostcert does not exist (%s)' % hostcert) raise ConfigurationError(
'Specified hostcert does not exist (%s)' % hostcert)
vc[KEY] = hostkey vc[KEY] = hostkey
vc[CERTIFICATE] = hostcert vc[CERTIFICATE] = hostcert
...@@ -321,7 +334,6 @@ def readVerifyConfig(cfg): ...@@ -321,7 +334,6 @@ def readVerifyConfig(cfg):
# Not enough options for configuring tls context # Not enough options for configuring tls context
raise ConfigurationError('Missing TLS option: %s' % str(e)) raise ConfigurationError('Missing TLS option: %s' % str(e))
# backends # backends
backends = {} backends = {}
...@@ -331,18 +343,19 @@ def readVerifyConfig(cfg): ...@@ -331,18 +343,19 @@ def readVerifyConfig(cfg):
continue continue
if ':' in section: if ':' in section:
backend_type, name = section.split(':',2) backend_type, name = section.split(':', 2)
else: else:
backend_type = section backend_type = section
name = '' name = ''
if name in backends: if name in backends:
raise ConfigurationError('Can only have one backend named "%s"' % name) raise ConfigurationError(
'Can only have one backend named "%s"' % name)
if backend_type in (BLOCK_DUD, BLOCK_JUNIPER_EX, BLOCK_JUNIPER_VPLS, BLOCK_JUNOSMX, BLOCK_FORCE10, BLOCK_BROCADE, if backend_type in (BLOCK_DUD, BLOCK_JUNIPER_EX, BLOCK_JUNIPER_VPLS, BLOCK_JUNOSMX, BLOCK_FORCE10, BLOCK_BROCADE,
BLOCK_NCSVPN, BLOCK_PICA8OVS, BLOCK_OESS, BLOCK_JUNOSSPACE, BLOCK_JUNOSEX, BLOCK_NCSVPN, BLOCK_PICA8OVS, BLOCK_OESS, BLOCK_JUNOSSPACE, BLOCK_JUNOSEX,
BLOCK_CUSTOM_BACKEND, 'asyncfail'): BLOCK_CUSTOM_BACKEND, 'asyncfail'):
backend_conf = dict( cfg.items(section) ) backend_conf = dict(cfg.items(section))
backend_conf['_backend_type'] = backend_type backend_conf['_backend_type'] = backend_type
backends[name] = backend_conf backends[name] = backend_conf
......
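Review bot: `EnvInterpolation.before_get` applies `os.path.expandvars` to every value read from the config, which is a silent behaviour change for existing deployments: any `$` in a value (a database password, an SSH fingerprint) is now rewritten, and a reference to an unset variable is left verbatim as `${NAME}` rather than failing, so `tls=${TLS_ENABLED}` with the variable missing yields that literal string instead of a `ConfigurationError`. Consider rejecting a leftover `${` after expansion (`if '${' in expanded: raise ConfigurationError('Unset environment variable in option %s' % option)`), or at least state both points in the docstring, e.g. `"""Interpolation which expands environment variables in values. Unset variables are left as ${NAME}; a literal $ cannot be escaped."""`. `readConfig` has no docstring; a one-liner such as `"""Parse *filename* with environment-variable expansion and return the ConfigParser."""` would match the style of `readVerifyConfig` just below. The other hunks in this file are line-wrapping only.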
...@@ -44,11 +44,14 @@ class opennsaTlsContext: ...@@ -44,11 +44,14 @@ class opennsaTlsContext:
try: try:
CACertificates.append(ssl.Certificate.loadPEM(CAFileContent)) CACertificates.append(ssl.Certificate.loadPEM(CAFileContent))
except crypto.Error as error: except crypto.Error as error:
log.msg('Cannot load CA certificate from %s: %s' % (CAFilename, error), system = LOG_SYSTEM) log.msg(f'Cannot load CA certificate from {CAFilename}: {error}', system=LOG_SYSTEM)
else: else:
log.msg('Loaded CA certificate %s' % (str(CACertificates[-1].getSubject())), system = LOG_SYSTEM) try:
log.msg(f'Loaded CA certificate {CACertificates[-1].getSubject()}', system=LOG_SYSTEM)
except:
log.msg("Failed to serialize Certificate Subject")
if len(CACertificates) == 0: if len(CACertificates) == 0:
print('No certificiates loaded for CTX verificiation. CA verification will not work.') print('No certificates loaded for CTX verification. CA verification will not work.')
return ssl.trustRootFromCertificates(CACertificates) return ssl.trustRootFromCertificates(CACertificates)
def getTrustRoot(self): def getTrustRoot(self):
......
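Review bot: The bare `except:` around the new subject log line catches everything, including `KeyboardInterrupt` and `SystemExit`, and the fallback message drops both the error detail and the `system=LOG_SYSTEM` tag that every other `log.msg` call in this block carries. Narrow it and keep the logging consistent: `except Exception as error:` / `log.msg(f'Failed to serialize certificate subject: {error}', system=LOG_SYSTEM)`. The certificate is already appended to `CACertificates` before this point, so the failure only affects logging; a short comment saying so (`# subject rendering is informational; the certificate is already loaded`) would prevent a reader from assuming the CA was skipped. The enclosing method starts outside the hunk.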