|
|
|
|
@ -19,6 +19,11 @@ import (
|
|
|
|
|
"github.com/hashicorp/serf/serf" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
const ( |
|
|
|
|
serfLANKeyring = "serf/local.keyring" |
|
|
|
|
serfWANKeyring = "serf/remote.keyring" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
The agent is the long running process that is run on every machine. |
|
|
|
|
It exposes an RPC interface that is used by the CLI to control the |
|
|
|
|
@ -116,37 +121,14 @@ func Create(config *Config, logOutput io.Writer) (*Agent, error) {
|
|
|
|
|
|
|
|
|
|
// Setup encryption keyring files
|
|
|
|
|
if config.PersistKeyring && config.EncryptKey != "" { |
|
|
|
|
serfDir := filepath.Join(config.DataDir, "serf") |
|
|
|
|
if err := os.MkdirAll(serfDir, 0700); err != nil { |
|
|
|
|
return nil, err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
keys := []string{config.EncryptKey} |
|
|
|
|
keyringBytes, err := json.MarshalIndent(keys, "", " ") |
|
|
|
|
if err != nil { |
|
|
|
|
return nil, err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
paths := []string{ |
|
|
|
|
filepath.Join(serfDir, "keyring_lan"), |
|
|
|
|
filepath.Join(serfDir, "keyring_wan"), |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
for _, path := range paths { |
|
|
|
|
if _, err := os.Stat(path); err == nil { |
|
|
|
|
continue |
|
|
|
|
} |
|
|
|
|
fh, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600) |
|
|
|
|
if err != nil { |
|
|
|
|
return nil, err |
|
|
|
|
} |
|
|
|
|
defer fh.Close() |
|
|
|
|
|
|
|
|
|
if _, err := fh.Write(keyringBytes); err != nil { |
|
|
|
|
os.Remove(path) |
|
|
|
|
if config.Server { |
|
|
|
|
if err := agent.initKeyringFile(serfWANKeyring); err != nil { |
|
|
|
|
return nil, err |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
if err := agent.initKeyringFile(serfLANKeyring); err != nil { |
|
|
|
|
return nil, err |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Setup either the client or the server
|
|
|
|
|
@ -206,9 +188,8 @@ func (a *Agent) consulConfig() *consul.Config {
|
|
|
|
|
base.SerfWANConfig.MemberlistConfig.SecretKey = key |
|
|
|
|
} |
|
|
|
|
if a.config.PersistKeyring { |
|
|
|
|
lanKeyring := filepath.Join(base.DataDir, "serf", "keyring_lan") |
|
|
|
|
wanKeyring := filepath.Join(base.DataDir, "serf", "keyring_wan") |
|
|
|
|
|
|
|
|
|
lanKeyring := filepath.Join(base.DataDir, serfLANKeyring) |
|
|
|
|
wanKeyring := filepath.Join(base.DataDir, serfWANKeyring) |
|
|
|
|
base.SerfLANConfig.KeyringFile = lanKeyring |
|
|
|
|
base.SerfWANConfig.KeyringFile = wanKeyring |
|
|
|
|
} |
|
|
|
|
@ -825,3 +806,39 @@ func (a *Agent) RemoveKeyLAN(key string) (*serf.KeyResponse, error) {
|
|
|
|
|
km := a.client.KeyManagerLAN() |
|
|
|
|
return km.RemoveKey(key) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// initKeyringFile is used to create and initialize a persistent keyring file
|
|
|
|
|
// for gossip encryption keys. It is used at agent startup to dump the initial
|
|
|
|
|
// encryption key into a keyfile if persistence is enabled.
|
|
|
|
|
func (a *Agent) initKeyringFile(path string) error { |
|
|
|
|
serfDir := filepath.Join(a.config.DataDir, "serf") |
|
|
|
|
if err := os.MkdirAll(serfDir, 0700); err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
keys := []string{a.config.EncryptKey} |
|
|
|
|
keyringBytes, err := json.MarshalIndent(keys, "", " ") |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
keyringFile := filepath.Join(a.config.DataDir, path) |
|
|
|
|
|
|
|
|
|
// If the keyring file already exists, don't re-initialize
|
|
|
|
|
if _, err := os.Stat(keyringFile); err == nil { |
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
fh, err := os.OpenFile(keyringFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
defer fh.Close() |
|
|
|
|
|
|
|
|
|
if _, err := fh.Write(keyringBytes); err != nil { |
|
|
|
|
os.Remove(keyringFile) |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return nil |
|
|
|
|
} |
|
|
|
|
|
Ryan Uber
10 years ago