kvm-cluster: setup apache http server for sharing files with vms

8d221be7 · Alain Takoudjou · 80b99e40 · 8d221be7 · 8d221be7 · 8d221be7
Commit 8d221be7 authored Jul 22, 2015 by Alain Takoudjou
6 changed files
--- a/software/kvm/common.cfg
+++ b/software/kvm/common.cfg
@@ -87,7 +87,7 @@ command =
 [template]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance.cfg.in
-md5sum = cf67212d3155767d0d0d8a6d75d2d8ad
+md5sum = 3bca2c959d19881270c64f94ad1ebba8
 output = ${buildout:directory}/template.cfg
 mode = 0644

@@ -95,7 +95,7 @@ mode = 0644
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/instance-kvm.cfg.jinja2
 mode = 644
-md5sum = 55eb9cb0d85dedbda0f03986cef261db
+md5sum = ea1e8f4a7c1878beec83267fd40728c2
 download-only = true
 on-update = true

@@ -103,7 +103,7 @@ on-update = true
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/instance-kvm-cluster.cfg.jinja2.in
 mode = 644
-md5sum = 1e4d8eade6d291480e5112ef9f31f031
+md5sum = 5a864099760e3a37fa4604044d708657
 download-only = true
 on-update = true

@@ -173,7 +173,7 @@ recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/template/apache.conf.in
 mode = 644
 filename = apache.conf.in
-md5sum = 91f05377aff35ffbac7f2687e90b5dcc
+md5sum = e9c9fd88d71e9dc7416149af5bcfb951
 download-only = true
 on-update = true

@@ -191,9 +191,10 @@ recipe = slapos.recipe.template:jinja2
 filename = template-httpd.cfg
 template = ${:_profile_base_location_}/instance-kvm-http.cfg.in
 rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/instance-kvm-http.cfg
-md5sum = 84b96dfc78e8d2611bf7210b8b6bb9c5
+md5sum = fc8b3259942d6dedbc01065358a00d71
 context =
    key apache_location apache:location
+    raw openssl_executable_location ${openssl:location}/bin/openssl
    raw template_apache_conf ${template-apache-conf:location}/${template-apache-conf:filename}


--- a/software/kvm/instance-kvm-cluster.cfg.jinja2.in
+++ b/software/kvm/instance-kvm-cluster.cfg.jinja2.in
@@ -66,19 +66,19 @@ config-data-to-vm = {{ dumps(kvm_parameter_dict.get('data-to-vm', '')) }}
 {% endif -%}

 # Enable simple http server on ipv6 so all VMs will access it
-config-document-host = ${http-server:host}
-config-document-port = ${http-server:port}
-config-document-path = ${http-server:path}
+config-document-host = ${apache-conf:ip}
+config-document-port = ${apache-conf:port}
+config-document-path = ${hash-code:passwd}

 return = 
  backend-url
  url
-{% if use_nat.lower() -%}
+{% if str(use_nat).lower() -%}
 {%   for port in nat_rules_list -%}
 {{ '  ' }}nat-rule-url-{{ port }}
 {%   endfor -%}
 {% endif -%}
-{% if kvm_parameter_dict.get('use-tap', 'True').lower() == 'true' -%}
+{% if str(kvm_parameter_dict.get('use-tap', 'True')).lower() == 'true' -%}
 {{ '  ' }}tap-ipv4

 {% do publish_dict.__setitem__('lan-' ~ instance_name, '${' ~ section ~ ':connection-tap-ipv4}') -%}
@@ -135,6 +135,11 @@ sla-instance_guid = {{ slave_frontend_iguid }}
 {% endfor %}

 # Enable simple http server on ipv6 so all VMs will access it
+[hash-code]
+recipe = slapos.cookbook:generate.password
+storage-path = ${directory:etc}/code
+bytes = 24
+
 [directory]
 recipe = slapos.cookbook:mkdirectory
 etc = ${buildout:directory}/etc
@@ -144,34 +149,19 @@ var = ${buildout:directory}/var
 log = ${:var}/log
 scripts = ${:etc}/run
 services = ${:etc}/service
-document = ${:srv}/document
+webroot = ${:srv}/document
 promises = ${:etc}/promise
 ssl = ${:etc}/ssl

-[http-ssl]
-recipe = plone.recipe.command
-command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
-key = ${directory:ssl}/key
-cert = ${directory:ssl}/cert
-update-command = 
-stop-on-error = true
-
-[http-server]
-recipe = slapos.cookbook:simplehttpserver
-host = {{ ipv6 }}
+[directory-doc]
+recipe = slapos.cookbook:mkdirectory
+document = ${directory:webroot}/${hash-code:passwd}
+
+[apache-conf]
+denied-root-access = true
+root = ${directory:webroot}/
+index = ${directory:webroot}/${hash-code:passwd}
 port = 9002
-base-path = ${directory:document}
-wrapper = ${directory:services}/simple-http-server
-log-file = ${directory:log}/http.log
-cert-file = ${http-ssl:cert}
-key-file = ${http-ssl:key}
-use-hash-url = true
-
-[http-promise]
-recipe = slapos.cookbook:check_port_listening
-path = ${directory:promises}/http-server
-hostname = ${http-server:host}
-port = ${http-server:port}

 {% if len(kvm_hostname_list) -%}
 {%   do part_list.append('write-vm-hostname') -%}
@@ -179,7 +169,7 @@ port = ${http-server:port}
 recipe = slapos.recipe.template:jinja2
 template = {{ template_content }}
 filename = hosts
-rendered = ${http-server:root-dir}/${:filename}
+rendered = ${directory:webroot}/${hash-code:passwd}/${:filename}
 context =
    raw content_list {{ kvm_hostname_list | join('#') }}
    raw sep #
@@ -207,10 +197,14 @@ recipe = slapos.cookbook:publish
 {{   name }} = {{ value }}
 {% endfor %}
 [buildout]
+extends = 
+  {{ template_httpd_cfg }}
+
 parts = 
-  http-server
-  http-promise
+  httpd
+  httpd-promise
  publish
+  directory-doc
 # Complete parts with sections
  {{ part_list | join('\n  ') }}
 

--- a/software/kvm/instance-kvm-http.cfg.in
+++ b/software/kvm/instance-kvm-http.cfg.in
@@ -14,33 +14,48 @@ log = ${:var}/log
 services = ${:etc}/service
 promises = ${:etc}/promise
 run = ${:var}/run
+document = ${:srv}/document
+ssl = ${:etc}/ssl

 [apache-conf]
 recipe = slapos.recipe.template:jinja2
 template = {{ template_apache_conf }}
 rendered = ${directory:etc}/apache.conf
-#ipv6 = ${slap-network-information:global-ipv6}
-ipv4 = ${slap-network-information:local-ipv4}
+ip = ${slap-network-information:global-ipv6}
+#ipv4 = ${slap-network-information:local-ipv4}
 port = ${slap-parameter:httpd-port}
 error-log = ${directory:log}/apache-error.log
 access-log = ${directory:log}/apache-access.log
 pid-file = ${directory:run}/apache.pid
 index = ${directory:public}
+root = {:index}
+denied-root-access = false
 context = 
  key port :port
-  key ip :ipv4
+  key ip :ip
  key access_log :access-log
  key error_log :error-log
  key pid_file :pid-file
  key index_folder :index
+  key cert httpd-ssl:cert
+  key key httpd-ssl:key
+  key document_root :root

 [httpd]
 recipe = slapos.cookbook:wrapper
 wrapper-path = ${directory:services}/httpd
 command-line = "{{ apache_location }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND

+[httpd-ssl]
+recipe = plone.recipe.command
+command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${directory:ssl}/key
+cert = ${directory:ssl}/cert
+update-command = 
+stop-on-error = true
+
 [httpd-promise]
 recipe = slapos.cookbook:check_port_listening
 path = ${directory:promises}/apache-httpd
-hostname = ${apache-conf:ipv4}
+hostname = ${apache-conf:ip}
 port = ${apache-conf:port}
\ No newline at end of file
--- a/software/kvm/instance-kvm.cfg.jinja2
+++ b/software/kvm/instance-kvm.cfg.jinja2
@@ -135,7 +135,7 @@ external-disk-number = ${slap-parameter:external-disk-number}
 external-disk-size = ${slap-parameter:external-disk-size}
 external-disk-format = ${slap-parameter:external-disk-format}

-{% if enable_http == 'tue' or ( use_tap == 'true' and tap_network_dict.has_key('ipv4') ) -%}
+{% if enable_http == 'true' or ( use_tap == 'true' and tap_network_dict.has_key('ipv4') ) -%}
 httpd-port = ${slap-parameter:httpd-port}
 {% else -%}
 httpd-port = 0

--- a/software/kvm/instance.cfg.in
+++ b/software/kvm/instance.cfg.in
@@ -67,6 +67,7 @@ filename = template-kvm-cluster.cfg
 extra-context =
  section parameter_dict dynamic-template-kvm-cluster-parameters
  raw template_content ${template-content:location}/${template-content:filename}
+  raw template_httpd_cfg ${template-httpd:rendered}

 [dynamic-template-kvm]
 recipe = slapos.recipe.template:jinja2

--- a/software/kvm/template/apache.conf.in
+++ b/software/kvm/template/apache.conf.in
@@ -27,6 +27,17 @@ ServerTokens Prod
 ServerSignature Off
 TraceEnable Off

+SSLEngine on  
+
+SSLCertificateFile {{ cert }}
+SSLCertificateKeyFile {{ key }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLProtocol All -SSLv2
+SSLProxyEngine On
+
+DocumentRoot {{ document_root }}
+
 ErrorLog "{{ error_log }}"
 # Default apache log format with request time in microsecond at the end
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
@@ -40,10 +51,11 @@ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    Require all denied
 </Directory>

-DocumentRoot {{ index_folder }}
 <Directory {{ index_folder }}>
  Options Indexes FollowSymLinks
-  Require ip {{ ip }}
+  # Require ip {{ ip }}
  # Require env forwarded '{{ ip }}'
-  Require all denied
+  # Require all denied
+  AllowOverride None
+  Require all granted
 </Directory>
\ No newline at end of file