Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added topic SSL

This commit is contained in:
Frank Celler 2017-02-12 18:19:24 +01:00
parent 1e78acad49
commit 9f63ca6d21
5 changed files with 78 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
arangod/RestServer/FileDescriptorsFeature.cpp
View File

@ -35,8 +35,7 @@ using namespace arangodb::options;
FileDescriptorsFeature::FileDescriptorsFeature(
application_features::ApplicationServer* server)
: ApplicationFeature(server, "FileDescriptors"),
_descriptorsMinimum(1024) {
: ApplicationFeature(server, "FileDescriptors"), _descriptorsMinimum(1024) {
setOptional(false);
requiresElevatedPrivileges(false);
startsAfter("Logger");
@ -53,9 +52,7 @@ void FileDescriptorsFeature::collectOptions(
#endif
}
void FileDescriptorsFeature::prepare() {
adjustFileDescriptors();
}
void FileDescriptorsFeature::prepare() { adjustFileDescriptors(); }
#ifdef TRI_HAVE_GETRLIMIT
template <typename T>
@ -74,9 +71,10 @@ void FileDescriptorsFeature::start() {
int res = getrlimit(RLIMIT_NOFILE, &rlim);
if (res == 0) {
LOG_TOPIC(INFO, arangodb::Logger::FIXME) << "file-descriptors (nofiles) hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
LOG_TOPIC(INFO, arangodb::Logger::SYSCALL)
<< "file-descriptors (nofiles) hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
}
#endif
}
@ -88,19 +86,21 @@ void FileDescriptorsFeature::adjustFileDescriptors() {
int res = getrlimit(RLIMIT_NOFILE, &rlim);
if (res != 0) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "cannot get the file descriptor limit: " << strerror(errno);
LOG_TOPIC(FATAL, arangodb::Logger::FIXME)
<< "cannot get the file descriptor limit: " << strerror(errno);
FATAL_ERROR_EXIT();
}
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME) << "file-descriptors (nofiles) hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME)
<< "file-descriptors (nofiles) hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
bool changed = false;
if (rlim.rlim_max < _descriptorsMinimum) {
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME) << "hard limit " << rlim.rlim_max
<< " is too small, trying to raise";
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME)
<< "hard limit " << rlim.rlim_max << " is too small, trying to raise";
rlim.rlim_max = _descriptorsMinimum;
rlim.rlim_cur = _descriptorsMinimum;
@ -108,23 +108,25 @@ void FileDescriptorsFeature::adjustFileDescriptors() {
res = setrlimit(RLIMIT_NOFILE, &rlim);
if (res < 0) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "cannot raise the file descriptor limit to "
<< _descriptorsMinimum << ": " << strerror(errno);
LOG_TOPIC(FATAL, arangodb::Logger::FIXME)
<< "cannot raise the file descriptor limit to "
<< _descriptorsMinimum << ": " << strerror(errno);
FATAL_ERROR_EXIT();
}
changed = true;
} else if (rlim.rlim_cur < _descriptorsMinimum) {
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME) << "soft limit " << rlim.rlim_cur
<< " is too small, trying to raise";
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME)
<< "soft limit " << rlim.rlim_cur << " is too small, trying to raise";
rlim.rlim_cur = _descriptorsMinimum;
res = setrlimit(RLIMIT_NOFILE, &rlim);
if (res < 0) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "cannot raise the file descriptor limit to "
<< _descriptorsMinimum << ": " << strerror(errno);
LOG_TOPIC(FATAL, arangodb::Logger::FIXME)
<< "cannot raise the file descriptor limit to "
<< _descriptorsMinimum << ": " << strerror(errno);
FATAL_ERROR_EXIT();
}
@ -135,14 +137,15 @@ void FileDescriptorsFeature::adjustFileDescriptors() {
res = getrlimit(RLIMIT_NOFILE, &rlim);
if (res != 0) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "cannot get the file descriptor limit: "
<< strerror(errno);
LOG_TOPIC(FATAL, arangodb::Logger::SYSCALL)
<< "cannot get the file descriptor limit: " << strerror(errno);
FATAL_ERROR_EXIT();
}
LOG_TOPIC(INFO, arangodb::Logger::FIXME) << "file-descriptors (nofiles) new hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", new soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
LOG_TOPIC(INFO, arangodb::Logger::SYSCALL)
<< "file-descriptors (nofiles) new hard limit is "
<< StringifyLimitValue(rlim.rlim_max) << ", new soft limit is "
<< StringifyLimitValue(rlim.rlim_cur);
}
}
#endif

1
lib/Logger/LogTopic.cpp
View File

@ -57,6 +57,7 @@ LogTopic Logger::PERFORMANCE("performance", LogLevel::FATAL); // suppress
LogTopic Logger::QUERIES("queries", LogLevel::INFO);
LogTopic Logger::REPLICATION("replication", LogLevel::INFO);
LogTopic Logger::REQUESTS("requests", LogLevel::FATAL); // suppress
LogTopic Logger::SSL("ssl", LogLevel::WARN);
LogTopic Logger::STARTUP("startup", LogLevel::INFO);
LogTopic Logger::SUPERVISION("supervision", LogLevel::INFO);
LogTopic Logger::SYSCALL("syscall", LogLevel::WARN);

8
lib/Logger/LogTopic.h
View File

@ -46,11 +46,15 @@ class LogTopic {
LogTopic(std::string const& name, LogLevel level);
LogTopic(LogTopic const& that) : _id(that._id), _name(that._name), _displayName(that._displayName) {
LogTopic(LogTopic const& that)
: _id(that._id), _name(that._name), _displayName(that._displayName) {
_level.store(that._level, std::memory_order_relaxed);
}
LogTopic(LogTopic&& that) noexcept : _id(that._id), _name(std::move(that._name)), _displayName(std::move(that._displayName)) {
LogTopic(LogTopic&& that) noexcept
: _id(that._id),
_name(std::move(that._name)),
_displayName(std::move(that._displayName)) {
_level.store(that._level, std::memory_order_relaxed);
}

1
lib/Logger/Logger.h
View File

@ -143,6 +143,7 @@ class Logger {
static LogTopic QUERIES;
static LogTopic REPLICATION;
static LogTopic REQUESTS;
static LogTopic SSL;
static LogTopic STARTUP;
static LogTopic SUPERVISION;
static LogTopic SYSCALL;

68
lib/Ssl/SslServerFeature.cpp
View File

@ -91,10 +91,12 @@ void SslServerFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
}
void SslServerFeature::prepare() {
LOG_TOPIC(INFO, arangodb::Logger::FIXME) << "using SSL options: " << stringifySslOptions(_sslOptions);
LOG_TOPIC(INFO, arangodb::Logger::SSL) << "using SSL options: "
<< stringifySslOptions(_sslOptions);
if (!_cipherList.empty()) {
LOG_TOPIC(INFO, arangodb::Logger::FIXME) << "using SSL cipher-list '" << _cipherList << "'";
LOG_TOPIC(INFO, arangodb::Logger::SSL) << "using SSL cipher-list '"
<< _cipherList << "'";
}
UniformCharacter r(
@ -105,35 +107,40 @@ void SslServerFeature::prepare() {
}
void SslServerFeature::unprepare() {
LOG_TOPIC(TRACE, arangodb::Logger::FIXME) << "unpreparing ssl: " << stringifySslOptions(_sslOptions);
LOG_TOPIC(TRACE, arangodb::Logger::SSL) << "unpreparing ssl: "
<< stringifySslOptions(_sslOptions);
}
void SslServerFeature::verifySslOptions() {
// check keyfile
if (_keyfile.empty()) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "keyfile empty'" << _keyfile << "'";
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "keyfile empty'" << _keyfile
<< "'";
FATAL_ERROR_EXIT();
}
// validate protocol
if (_sslProtocol <= SSL_UNKNOWN || _sslProtocol >= SSL_LAST) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "invalid SSL protocol version specified. Please use a valid "
"value for '--ssl.protocol'.";
LOG_TOPIC(FATAL, arangodb::Logger::SSL)
<< "invalid SSL protocol version specified. Please use a valid "
"value for '--ssl.protocol'.";
FATAL_ERROR_EXIT();
}
LOG_TOPIC(DEBUG, arangodb::Logger::FIXME) << "using SSL protocol version '"
<< protocolName((protocol_e)_sslProtocol) << "'";
LOG_TOPIC(DEBUG, arangodb::Logger::SSL)
<< "using SSL protocol version '"
<< protocolName((protocol_e)_sslProtocol) << "'";
if (!FileUtils::exists(_keyfile)) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "unable to find SSL keyfile '" << _keyfile << "'";
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "unable to find SSL keyfile '"
<< _keyfile << "'";
FATAL_ERROR_EXIT();
}
try {
createSslContext();
} catch (...) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) << "cannot create SSL context";
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "cannot create SSL context";
FATAL_ERROR_EXIT();
}
}
@ -155,7 +162,8 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
auto sslContextOpt = ::sslContext(protocol_e(_sslProtocol), _keyfile);
if (!sslContextOpt) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "failed to create SSL context, cannot create HTTPS server";
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "failed to create SSL context, cannot create HTTPS server";
throw std::runtime_error("cannot create SSL context");
}
@ -175,7 +183,7 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
: SSL_SESS_CACHE_OFF);
if (_sessionCache) {
LOG_TOPIC(TRACE, arangodb::Logger::FIXME) << "using SSL session caching";
LOG_TOPIC(TRACE, arangodb::Logger::SSL) << "using SSL session caching";
}
// set options
@ -183,8 +191,9 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
if (!_cipherList.empty()) {
if (SSL_CTX_set_cipher_list(nativeContext, _cipherList.c_str()) != 1) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "cannot set SSL cipher list '" << _cipherList
<< "': " << lastSSLError();
LOG_TOPIC(ERR, arangodb::Logger::SSL) << "cannot set SSL cipher list '"
<< _cipherList
<< "': " << lastSSLError();
throw std::runtime_error("cannot create SSL context");
}
}
@ -195,16 +204,18 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
sslEcdhNid = OBJ_sn2nid(_ecdhCurve.c_str());
if (sslEcdhNid == 0) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "SSL error: " << lastSSLError()
<< " Unknown curve name: " << _ecdhCurve;
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "SSL error: " << lastSSLError()
<< " Unknown curve name: " << _ecdhCurve;
throw std::runtime_error("cannot create SSL context");
}
// https://www.openssl.org/docs/manmaster/apps/ecparam.html
ecdhKey = EC_KEY_new_by_curve_name(sslEcdhNid);
if (ecdhKey == nullptr) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "SSL error: " << lastSSLError()
<< " Unable to create curve by name: " << _ecdhCurve;
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "SSL error: " << lastSSLError()
<< " Unable to create curve by name: " << _ecdhCurve;
throw std::runtime_error("cannot create SSL context");
}
@ -218,20 +229,23 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
nativeContext, (unsigned char const*)_rctx.c_str(), (int)_rctx.size());
if (res != 1) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "cannot set SSL session id context '" << _rctx
<< "': " << lastSSLError();
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "cannot set SSL session id context '" << _rctx
<< "': " << lastSSLError();
throw std::runtime_error("cannot create SSL context");
}
// check CA
if (!_cafile.empty()) {
LOG_TOPIC(TRACE, arangodb::Logger::FIXME) << "trying to load CA certificates from '" << _cafile << "'";
LOG_TOPIC(TRACE, arangodb::Logger::SSL)
<< "trying to load CA certificates from '" << _cafile << "'";
int res = SSL_CTX_load_verify_locations(nativeContext, _cafile.c_str(), 0);
if (res == 0) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "cannot load CA certificates from '" << _cafile
<< "': " << lastSSLError();
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "cannot load CA certificates from '" << _cafile
<< "': " << lastSSLError();
throw std::runtime_error("cannot create SSL context");
}
@ -240,8 +254,9 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
certNames = SSL_load_client_CA_file(_cafile.c_str());
if (certNames == nullptr) {
LOG_TOPIC(ERR, arangodb::Logger::FIXME) << "cannot load CA certificates from '" << _cafile
<< "': " << lastSSLError();
LOG_TOPIC(ERR, arangodb::Logger::SSL)
<< "cannot load CA certificates from '" << _cafile
<< "': " << lastSSLError();
throw std::runtime_error("cannot create SSL context");
}
@ -260,7 +275,8 @@ boost::asio::ssl::context SslServerFeature::createSslContext() const {
char* r;
long len = BIO_get_mem_data(bout._bio, &r);
LOG_TOPIC(TRACE, arangodb::Logger::FIXME) << "name: " << std::string(r, len);
LOG_TOPIC(TRACE, arangodb::Logger::SSL) << "name: "
<< std::string(r, len);
}
}
}