command: use separate key files for LAN/WAN

pull/336/head
Ryan Uber 2014-09-13 11:24:17 -07:00
parent 67d78628a3
commit 353b67826a
4 changed files with 43 additions and 16 deletions


@ -20,7 +20,8 @@ import (
) )
const ( const (
SerfKeyring = "serf/keyring" SerfLANKeyring = "serf/local.keyring"
SerfWANKeyring = "serf/remote.keyring"
) )
/* /*
@ -174,10 +175,6 @@ func (a *Agent) consulConfig() *consul.Config {
base.SerfLANConfig.MemberlistConfig.SecretKey = key base.SerfLANConfig.MemberlistConfig.SecretKey = key
base.SerfWANConfig.MemberlistConfig.SecretKey = key base.SerfWANConfig.MemberlistConfig.SecretKey = key
} }
if a.config.Server && a.config.keyringFilesExist() {
path := filepath.Join(base.DataDir, SerfKeyring)
base.SerfLANConfig.KeyringFile = path
}
if a.config.NodeName != "" { if a.config.NodeName != "" {
base.NodeName = a.config.NodeName base.NodeName = a.config.NodeName
} }
@ -276,6 +273,14 @@ func (a *Agent) setupServer() error {
config := a.consulConfig() config := a.consulConfig()
// Load a keyring file, if present // Load a keyring file, if present
keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
if _, err := os.Stat(keyfileLAN); err == nil {
config.SerfLANConfig.KeyringFile = keyfileLAN
}
keyfileWAN := filepath.Join(config.DataDir, SerfWANKeyring)
if _, err := os.Stat(keyfileWAN); err == nil {
config.SerfWANConfig.KeyringFile = keyfileWAN
}
if err := loadKeyringFile(config.SerfLANConfig); err != nil { if err := loadKeyringFile(config.SerfLANConfig); err != nil {
return err return err
} }
@ -296,6 +301,10 @@ func (a *Agent) setupClient() error {
config := a.consulConfig() config := a.consulConfig()
// Load a keyring file, if present // Load a keyring file, if present
keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
if _, err := os.Stat(keyfileLAN); err == nil {
config.SerfLANConfig.KeyringFile = keyfileLAN
}
if err := loadKeyringFile(config.SerfLANConfig); err != nil { if err := loadKeyringFile(config.SerfLANConfig); err != nil {
return err return err
} }
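Review bot: In setupServer the `os.Stat` checks on keyfileLAN and keyfileWAN treat every error as "file absent", so a keyring file that exists but cannot be stat'ed (for example a permission problem) is silently skipped and startup presumably continues without that keyring instead of failing; only a not-exist result should be swallowed, e.g. `if _, err := os.Stat(keyfileLAN); err == nil { config.SerfLANConfig.KeyringFile = keyfileLAN } else if !os.IsNotExist(err) { return err }`. The same pattern appears in setupClient in this file and in keyringFileExists in config.go. The identical LAN block in setupServer and setupClient could also be one shared helper. Both setupServer and setupClient continue outside the hunk.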


@ -218,7 +218,7 @@ func (c *Command) readConfig() *Config {
} }
// Error if an encryption key is passed while a keyring already exists // Error if an encryption key is passed while a keyring already exists
if config.EncryptKey != "" && config.keyringFilesExist() { if config.EncryptKey != "" && config.keyringFileExists() {
c.Ui.Error(fmt.Sprintf("Error: -encrypt specified but keyring files exist")) c.Ui.Error(fmt.Sprintf("Error: -encrypt specified but keyring files exist"))
return nil return nil
} }
@ -592,7 +592,7 @@ func (c *Command) Run(args []string) int {
// Determine if gossip is encrypted // Determine if gossip is encrypted
gossipEncrypted := false gossipEncrypted := false
if config.EncryptKey != "" || config.keyringFilesExist() { if config.EncryptKey != "" || config.keyringFileExists() {
gossipEncrypted = true gossipEncrypted = true
} }
@ -819,7 +819,6 @@ Options:
-log-level=info Log level of the agent. -log-level=info Log level of the agent.
-node=hostname Name of this node. Must be unique in the cluster -node=hostname Name of this node. Must be unique in the cluster
-protocol=N Sets the protocol version. Defaults to latest. -protocol=N Sets the protocol version. Defaults to latest.
-persist-keyring Enable encryption keyring persistence.
-rejoin Ignores a previous leave and attempts to rejoin the cluster. -rejoin Ignores a previous leave and attempts to rejoin the cluster.
-server Switches agent to server mode. -server Switches agent to server mode.
-syslog Enables logging to syslog -syslog Enables logging to syslog


@ -411,12 +411,22 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
return addr.String(), nil return addr.String(), nil
} }
// keyringFilesExist checks for existence of the keyring files for Serf // keyringFileExists determines if there are encryption key files present
func (c *Config) keyringFilesExist() bool { // in the data directory.
if _, err := os.Stat(filepath.Join(c.DataDir, SerfKeyring)); err != nil { func (c *Config) keyringFileExists() bool {
fileLAN := filepath.Join(c.DataDir, SerfLANKeyring)
fileWAN := filepath.Join(c.DataDir, SerfWANKeyring)
if _, err := os.Stat(fileLAN); err == nil {
return true
}
if !c.Server {
return false return false
} }
return true if _, err := os.Stat(fileWAN); err == nil {
return true
}
return false
} }
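Review bot: The new doc comment on keyringFileExists says it checks for key files in the data directory but not that the WAN file is only consulted in server mode, which is what the `if !c.Server` guard does; a client agent with only the WAN keyring present gets false. Suggest extending the comment with `// On client agents only the LAN keyring is considered; the WAN keyring is checked only when the agent is a server.`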
// DecodeConfig reads the configuration from the given reader in JSON // DecodeConfig reads the configuration from the given reader in JSON


@ -67,8 +67,14 @@ func (c *KeyringCommand) Run(args []string) int {
c.Ui.Error("Must provide -data-dir") c.Ui.Error("Must provide -data-dir")
return 1 return 1
} }
path := filepath.Join(dataDir, agent.SerfKeyring)
if err := initializeKeyring(path, init); err != nil { fileLAN := filepath.Join(dataDir, agent.SerfLANKeyring)
if err := initializeKeyring(fileLAN, init); err != nil {
c.Ui.Error(fmt.Sprintf("Error: %s", err))
return 1
}
fileWAN := filepath.Join(dataDir, agent.SerfWANKeyring)
if err := initializeKeyring(fileWAN, init); err != nil {
c.Ui.Error(fmt.Sprintf("Error: %s", err)) c.Ui.Error(fmt.Sprintf("Error: %s", err))
return 1 return 1
} }
@ -84,7 +90,10 @@ func (c *KeyringCommand) Run(args []string) int {
} }
defer client.Close() defer client.Close()
// For all key-related operations, we must be querying a server node. // For all key-related operations, we must be querying a server node. It is
// probably better to enforce this even for LAN pool changes, because other-
// wise, the same exact command syntax will have different results depending
// on where it was run.
s, err := client.Stats() s, err := client.Stats()
if err != nil { if err != nil {
c.Ui.Error(fmt.Sprintf("Error: %s", err)) c.Ui.Error(fmt.Sprintf("Error: %s", err))
@ -263,7 +272,7 @@ Options:
operation may only be performed on keys which are operation may only be performed on keys which are
not currently the primary key. not currently the primary key.
-list List all keys currently in use within the cluster. -list List all keys currently in use within the cluster.
-init=<key> Create an initial keyring file for Consul to use -init=<key> Create the initial keyring files for Consul to use
containing the provided key. The -data-dir argument containing the provided key. The -data-dir argument
is required with this option. is required with this option.
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent. -rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
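Review bot: The two initializeKeyring calls in KeyringCommand.Run report a failure with the same `Error: %s` message, so the operator cannot tell whether the LAN or the WAN keyring file failed, and the error block is a verbatim copy. Iterating over both paths with the path included in the message removes the duplication and makes the failure attributable. Whether a LAN file left behind by a subsequent WAN failure is handled cleanly on the next run depends on initializeKeyring, which is not in the hunk; Run itself begins and ends outside the hunk.
```go
for _, keyfile := range []string{
	filepath.Join(dataDir, agent.SerfLANKeyring),
	filepath.Join(dataDir, agent.SerfWANKeyring),
} {
	if err := initializeKeyring(keyfile, init); err != nil {
		c.Ui.Error(fmt.Sprintf("Error initializing %s: %s", keyfile, err))
		return 1
	}
}
// … unchanged: client setup and Stats query …
```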