From 353b67826a62e4671a3a82245b6d92dab2ccca76 Mon Sep 17 00:00:00 2001
From: Ryan Uber
Date: Sat, 13 Sep 2014 11:24:17 -0700
Subject: [PATCH] command: use separate key files for LAN/WAN

---
 command/agent/agent.go | 19 ++++++++++++++-----
 command/agent/command.go | 5 ++---
 command/agent/config.go | 18 ++++++++++++++----
 command/keyring.go | 17 +++++++++++++----
 4 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/command/agent/agent.go b/command/agent/agent.go
index d0f62fc3e6..b19645f167 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -20,7 +20,8 @@ import (
 )
 
 const (
- SerfKeyring = "serf/keyring"
+ SerfLANKeyring = "serf/local.keyring"
+ SerfWANKeyring = "serf/remote.keyring"
 )
 
 /*
@@ -174,10 +175,6 @@ func (a *Agent) consulConfig() *consul.Config {
 base.SerfLANConfig.MemberlistConfig.SecretKey = key
 base.SerfWANConfig.MemberlistConfig.SecretKey = key
 }
- if a.config.Server && a.config.keyringFilesExist() {
- path := filepath.Join(base.DataDir, SerfKeyring)
- base.SerfLANConfig.KeyringFile = path
- }
 if a.config.NodeName != "" {
 base.NodeName = a.config.NodeName
 }
@@ -276,6 +273,14 @@ func (a *Agent) setupServer() error {
 config := a.consulConfig()
 
 // Load a keyring file, if present
+ keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
+ if _, err := os.Stat(keyfileLAN); err == nil {
+ config.SerfLANConfig.KeyringFile = keyfileLAN
+ }
+ keyfileWAN := filepath.Join(config.DataDir, SerfWANKeyring)
+ if _, err := os.Stat(keyfileWAN); err == nil {
+ config.SerfWANConfig.KeyringFile = keyfileWAN
+ }
 if err := loadKeyringFile(config.SerfLANConfig); err != nil {
 return err
 }
@@ -296,6 +301,10 @@ func (a *Agent) setupClient() error {
 config := a.consulConfig()
 
 // Load a keyring file, if present
+ keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
+ if _, err := os.Stat(keyfileLAN); err == nil {
+ config.SerfLANConfig.KeyringFile = keyfileLAN
+ }
 if err := loadKeyringFile(config.SerfLANConfig); err != nil {
 return err
 }
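Review bot: In setupServer the new `if _, err := os.Stat(keyfileLAN); err == nil` treats every stat failure as "no keyring present", so a permission or I/O error on an existing keyring file makes the agent silently skip the persisted keys instead of failing, and the same pattern is repeated for keyfileWAN, for keyfileLAN in setupClient, and in keyringFileExists in command/agent/config.go. Only a missing file should be ignored: `if _, err := os.Stat(keyfileLAN); err == nil { config.SerfLANConfig.KeyringFile = keyfileLAN } else if !os.IsNotExist(err) { return err }`, and likewise at the other sites (keyringFileExists returns a bool, so there the error would have to be surfaced another way, for example by logging it). The LAN block is also duplicated verbatim between setupServer and setupClient; a small helper taking the data dir and the Serf config would keep the two in step. Both setupServer and setupClient continue past the hunk.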
diff --git a/command/agent/command.go b/command/agent/command.go
index bacc099d53..c02b8135c6 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -218,7 +218,7 @@ func (c *Command) readConfig() *Config {
 }
 
 // Error if an encryption key is passed while a keyring already exists
- if config.EncryptKey != "" && config.keyringFilesExist() {
+ if config.EncryptKey != "" && config.keyringFileExists() {
 c.Ui.Error(fmt.Sprintf("Error: -encrypt specified but keyring files exist"))
 return nil
 }
@@ -592,7 +592,7 @@ func (c *Command) Run(args []string) int {
 
 // Determine if gossip is encrypted
 gossipEncrypted := false
- if config.EncryptKey != "" || config.keyringFilesExist() {
+ if config.EncryptKey != "" || config.keyringFileExists() {
 gossipEncrypted = true
 }
 
@@ -819,7 +819,6 @@ Options:
 -log-level=info Log level of the agent.
 -node=hostname Name of this node. Must be unique in the cluster
 -protocol=N Sets the protocol version. Defaults to latest.
- -persist-keyring Enable encryption keyring persistence.
 -rejoin Ignores a previous leave and attempts to rejoin the cluster.
 -server Switches agent to server mode.
 -syslog Enables logging to syslog
diff --git a/command/agent/config.go b/command/agent/config.go
index 60bd730321..69097984d9 100644
--- a/command/agent/config.go
+++ b/command/agent/config.go
@@ -411,12 +411,22 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
 return addr.String(), nil
 }
 
-// keyringFilesExist checks for existence of the keyring files for Serf
-func (c *Config) keyringFilesExist() bool {
- if _, err := os.Stat(filepath.Join(c.DataDir, SerfKeyring)); err != nil {
+// keyringFileExists determines if there are encryption key files present
+// in the data directory.
+func (c *Config) keyringFileExists() bool {
+ fileLAN := filepath.Join(c.DataDir, SerfLANKeyring)
+ fileWAN := filepath.Join(c.DataDir, SerfWANKeyring)
+
+ if _, err := os.Stat(fileLAN); err == nil {
+ return true
+ }
+ if !c.Server {
 return false
 }
- return true
+ if _, err := os.Stat(fileWAN); err == nil {
+ return true
+ }
+ return false
 }
 
 // DecodeConfig reads the configuration from the given reader in JSON
diff --git a/command/keyring.go b/command/keyring.go
index 17d1c5c4c4..aed55c0397 100644
--- a/command/keyring.go
+++ b/command/keyring.go
@@ -67,8 +67,14 @@ func (c *KeyringCommand) Run(args []string) int {
 c.Ui.Error("Must provide -data-dir")
 return 1
 }
- path := filepath.Join(dataDir, agent.SerfKeyring)
- if err := initializeKeyring(path, init); err != nil {
+
+ fileLAN := filepath.Join(dataDir, agent.SerfLANKeyring)
+ if err := initializeKeyring(fileLAN, init); err != nil {
+ c.Ui.Error(fmt.Sprintf("Error: %s", err))
+ return 1
+ }
+ fileWAN := filepath.Join(dataDir, agent.SerfWANKeyring)
+ if err := initializeKeyring(fileWAN, init); err != nil {
 c.Ui.Error(fmt.Sprintf("Error: %s", err))
 return 1
 }
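Review bot: In KeyringCommand.Run the two initializeKeyring calls are not atomic: if writing fileWAN fails after fileLAN succeeded, the LAN keyring file is left behind, and whether a re-run then succeeds depends on how initializeKeyring treats an existing file, which is outside the hunk. Consider checking that neither path exists before writing either, or removing fileLAN when the WAN write fails, e.g. `if err := initializeKeyring(fileWAN, init); err != nil { os.Remove(fileLAN); c.Ui.Error(...); return 1 }` (assuming the os package is imported in this file). Both files are also seeded with the same `init` key, so this commit separates the files but not the keys of the two gossip pools; a comment above fileLAN such as `// Both pools start from the same key; rotate them independently afterwards` would stop readers assuming the LAN and WAN rings are distinct trust domains from the start. Run continues beyond the hunk.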
@@ -84,7 +90,10 @@ func (c *KeyringCommand) Run(args []string) int {
 }
 defer client.Close()
 
- // For all key-related operations, we must be querying a server node.
+ // For all key-related operations, we must be querying a server node. It is
+ // probably better to enforce this even for LAN pool changes, because other-
+ // wise, the same exact command syntax will have different results depending
+ // on where it was run.
 s, err := client.Stats()
 if err != nil {
 c.Ui.Error(fmt.Sprintf("Error: %s", err))
@@ -263,7 +272,7 @@ Options:
 operation may only be performed on keys which are not currently the primary key.
 -list List all keys currently in use within the cluster.
- -init= Create an initial keyring file for Consul to use
+ -init= Create the initial keyring files for Consul to use
 containing the provided key. The -data-dir argument is required with this option.
 -rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.