// RunEtcd starts an etcd server and runs it forever
func RunEtcd(etcdServerConfig *configapi.EtcdConfig) {
cfg := &config{
name: defaultName,
dir: etcdServerConfig.StorageDir,
TickMs: 100,
ElectionMs: 1000,
maxSnapFiles: 5,
maxWalFiles: 5,
initialClusterToken: "etcd-cluster",
}
var err error
if configapi.UseTLS(etcdServerConfig.ServingInfo) {
cfg.clientTLSInfo.CAFile = etcdServerConfig.ServingInfo.ClientCA
cfg.clientTLSInfo.CertFile = etcdServerConfig.ServingInfo.ServerCert.CertFile
cfg.clientTLSInfo.KeyFile = etcdServerConfig.ServingInfo.ServerCert.KeyFile
}
if cfg.lcurls, err = urlsFromStrings(etcdServerConfig.ServingInfo.BindAddress, cfg.clientTLSInfo); err != nil {
glog.Fatalf("Unable to build etcd client URLs: %v", err)
}
if configapi.UseTLS(etcdServerConfig.PeerServingInfo) {
cfg.peerTLSInfo.CAFile = etcdServerConfig.PeerServingInfo.ClientCA
cfg.peerTLSInfo.CertFile = etcdServerConfig.PeerServingInfo.ServerCert.CertFile
cfg.peerTLSInfo.KeyFile = etcdServerConfig.PeerServingInfo.ServerCert.KeyFile
}
if cfg.lpurls, err = urlsFromStrings(etcdServerConfig.PeerServingInfo.BindAddress, cfg.peerTLSInfo); err != nil {
glog.Fatalf("Unable to build etcd peer URLs: %v", err)
}
if cfg.acurls, err = urlsFromStrings(etcdServerConfig.Address, cfg.clientTLSInfo); err != nil {
glog.Fatalf("Unable to build etcd announce client URLs: %v", err)
}
if cfg.apurls, err = urlsFromStrings(etcdServerConfig.PeerAddress, cfg.peerTLSInfo); err != nil {
glog.Fatalf("Unable to build etcd announce peer URLs: %v", err)
}
if err := cfg.resolveUrls(); err != nil {
glog.Fatalf("Unable to resolve etcd URLs: %v", err)
}
cfg.initialCluster = fmt.Sprintf("%s=%s", cfg.name, cfg.apurls[0].String())
stopped, err := startEtcd(cfg)
if err != nil {
glog.Fatalf("Unable to start etcd: %v", err)
}
go func() {
glog.Infof("Started etcd at %s", etcdServerConfig.Address)
<-stopped
}()
}
开发者ID:RomainVabre,项目名称:origin,代码行数:54,代码来源:run.go
示例2: Run
// Run starts an http server for the static assets listening on the configured
// bind address
func (c *AssetConfig) Run() {
publicURL, err := url.Parse(c.Options.PublicURL)
if err != nil {
glog.Fatal(err)
}
mux := http.NewServeMux()
err = c.addHandlers(mux)
if err != nil {
glog.Fatal(err)
}
if publicURL.Path != "/" {
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
http.Redirect(w, req, publicURL.Path, http.StatusFound)
})
}
timeout := c.Options.ServingInfo.RequestTimeoutSeconds
if timeout == -1 {
timeout = 0
}
server := &http.Server{
Addr: c.Options.ServingInfo.BindAddress,
Handler: mux,
ReadTimeout: time.Duration(timeout) * time.Second,
WriteTimeout: time.Duration(timeout) * time.Second,
MaxHeaderBytes: 1 << 20,
}
isTLS := configapi.UseTLS(c.Options.ServingInfo.ServingInfo)
go util.Forever(func() {
if isTLS {
extraCerts, err := configapi.GetNamedCertificateMap(c.Options.ServingInfo.NamedCertificates)
if err != nil {
glog.Fatal(err)
}
server.TLSConfig = &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Set SNI certificate func
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}
glog.Infof("Web console listening at https://%s", c.Options.ServingInfo.BindAddress)
glog.Fatal(cmdutil.ListenAndServeTLS(server, c.Options.ServingInfo.BindNetwork, c.Options.ServingInfo.ServerCert.CertFile, c.Options.ServingInfo.ServerCert.KeyFile))
} else {
glog.Infof("Web console listening at http://%s", c.Options.ServingInfo.BindAddress)
glog.Fatal(server.ListenAndServe())
}
}, 0)
// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
cmdutil.WaitForSuccessfulDial(isTLS, c.Options.ServingInfo.BindNetwork, c.Options.ServingInfo.BindAddress, 100*time.Millisecond, 100*time.Millisecond, 100)
glog.Infof("Web console available at %s", c.Options.PublicURL)
}
开发者ID:sztsian,项目名称:origin,代码行数:60,代码来源:asset.go
示例3: newAuthenticator
func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptions.Getter, tokenGetter serviceaccount.ServiceAccountTokenGetter, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {
authenticators := []authenticator.Request{}
// ServiceAccount token
if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
publicKeys := []*rsa.PublicKey{}
for _, keyFile := range config.ServiceAccountConfig.PublicKeyFiles {
publicKey, err := serviceaccount.ReadPublicKey(keyFile)
if err != nil {
return nil, fmt.Errorf("Error reading service account key file %s: %v", keyFile, err)
}
publicKeys = append(publicKeys, publicKey)
}
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(publicKeys, true, tokenGetter)
authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
}
// OAuth token
if config.OAuthConfig != nil {
tokenAuthenticator, err := getEtcdTokenAuthenticator(restOptionsGetter, groupMapper)
if err != nil {
return nil, fmt.Errorf("Error building OAuth token authenticator: %v", err)
}
tokenRequestAuthenticators := []authenticator.Request{
bearertoken.New(tokenAuthenticator, true),
// Allow token as access_token param for WebSockets
paramtoken.New("access_token", tokenAuthenticator, true),
}
authenticators = append(authenticators,
// if you have a bearer token, you're a human (usually)
// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
group.NewGroupAdder(unionrequest.NewUnionAuthentication(tokenRequestAuthenticators...), []string{bootstrappolicy.AuthenticatedOAuthGroup}))
}
if configapi.UseTLS(config.ServingInfo.ServingInfo) {
// build cert authenticator
// TODO: add "system:" prefix in authenticator, limit cert to username
// TODO: add "system:" prefix to groups in authenticator, limit cert to group name
opts := x509request.DefaultVerifyOptions()
opts.Roots = apiClientCAs
certauth := x509request.New(opts, x509request.SubjectToUserConversion)
authenticators = append(authenticators, certauth)
}
ret := &unionrequest.Authenticator{
FailOnError: true,
Handlers: []authenticator.Request{
// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
anonymous.NewAuthenticator(),
},
}
return ret, nil
}
// ValidateEtcdConnectionInfo validates the connection info. If a server EtcdConfig is provided,
// it ensures the connection info includes a URL for it, and has a client cert/key if the server requires
// client certificate authentication
func ValidateEtcdConnectionInfo(config api.EtcdConnectionInfo, server *api.EtcdConfig, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
if len(config.URLs) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("urls"), ""))
}
for i, u := range config.URLs {
_, urlErrs := ValidateURL(u, fldPath.Child("urls").Index(i))
if len(urlErrs) > 0 {
allErrs = append(allErrs, urlErrs...)
}
}
if len(config.CA) > 0 {
allErrs = append(allErrs, ValidateFile(config.CA, fldPath.Child("ca"))...)
}
allErrs = append(allErrs, ValidateCertInfo(config.ClientCert, false, fldPath)...)
// If we have server config info, make sure the client connection info will work with it
if server != nil {
var builtInAddress string
if api.UseTLS(server.ServingInfo) {
builtInAddress = fmt.Sprintf("https://%s", server.Address)
} else {
builtInAddress = fmt.Sprintf("http://%s", server.Address)
}
// Require a client cert to connect to an etcd that requires client certs
if len(server.ServingInfo.ClientCA) > 0 {
if len(config.ClientCert.CertFile) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("certFile"), "A client certificate must be provided for this etcd server"))
}
}
// Require the etcdClientInfo to include the address of the internal etcd
clientURLs := sets.NewString(config.URLs...)
if !clientURLs.Has(builtInAddress) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("urls"), strings.Join(clientURLs.List(), ","), fmt.Sprintf("must include the etcd address %s", builtInAddress)))
}
}
return allErrs
}
func StartConfiguredNode(nodeConfig *configapi.NodeConfig) error {
kubernetes.SetFakeCadvisorInterfaceForIntegrationTest()
_, nodePort, err := net.SplitHostPort(nodeConfig.ServingInfo.BindAddress)
if err != nil {
return err
}
nodeTLS := configapi.UseTLS(nodeConfig.ServingInfo)
if err := start.StartNode(*nodeConfig); err != nil {
return err
}
// wait for the server to come up for 30 seconds (average time on desktop is 2 seconds, but Jenkins timed out at 10 seconds)
if err := cmdutil.WaitForSuccessfulDial(nodeTLS, "tcp", net.JoinHostPort(nodeConfig.NodeName, nodePort), 100*time.Millisecond, 1*time.Second, 30); err != nil {
return err
}
return nil
}
//.........这里部分代码省略.........
cfg.DockerExecHandler = dockerExecHandler
// Setup auth
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(originClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubeletserver.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubeletserver.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
// RequestClientCert lets us request certs, but allow requests without client certs
// Verification is done by the authn layer
ClientAuth: tls.RequestClientCert,
ClientCAs: clientCAs,
// Set SNI certificate func
// Do not use NameToCertificate, since that requires certificates be included in the server's tlsConfig.Certificates list,
// which we do not control when running with http.Server#ListenAndServeTLS
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}),
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
// Prepare cloud provider
cloud, err := cloudprovider.InitCloudProvider(server.CloudProvider, server.CloudConfigFile)
if err != nil {
return nil, err
}
if cloud != nil {
glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", server.CloudProvider, server.CloudConfigFile)
}
cfg.Cloud = cloud
请发表评论