[pbs-devel] [PATCH backup 7/7] hot-reload proxy certificate when updating via the API
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue May 11 15:54:00 CEST 2021
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/api2/node/certificates.rs | 26 +++++++++++++-------------
src/config.rs | 17 ++---------------
src/server.rs | 9 +++++++++
3 files changed, 24 insertions(+), 28 deletions(-)
diff --git a/src/api2/node/certificates.rs b/src/api2/node/certificates.rs
index e6ad59b3..79df5d0f 100644
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@@ -175,12 +175,13 @@ pub fn get_info() -> Result<Vec<CertificateInfo>, Error> {
node: { schema: NODE_SCHEMA },
certificates: { description: "PEM encoded certificate (chain)." },
key: { description: "PEM encoded private key." },
+ // FIXME: widget-toolkit should have an option to disable using these 2 parameters...
restart: {
- description: "Restart proxmox-backup-proxy",
+ description: "UI compatibility parameter, ignored",
+ type: Boolean,
optional: true,
default: false,
},
- // FIXME: widget-toolkit should have an option to disable using this parameter...
force: {
description: "Force replacement of existing files.",
type: Boolean,
@@ -200,10 +201,9 @@ pub fn get_info() -> Result<Vec<CertificateInfo>, Error> {
protected: true,
)]
/// Upload a custom certificate.
-pub fn upload_custom_certificate(
+pub async fn upload_custom_certificate(
certificates: String,
key: String,
- restart: bool,
) -> Result<Vec<CertificateInfo>, Error> {
let certificates = X509::stack_from_pem(certificates.as_bytes())
.map_err(|err| format_err!("failed to decode certificate chain: {}", err))?;
@@ -223,7 +223,8 @@ pub fn upload_custom_certificate(
let key = key.private_key_to_pem_pkcs8()?;
- crate::config::set_proxy_certificate(&certificates, &key, restart)?;
+ crate::config::set_proxy_certificate(&certificates, &key)?;
+ crate::server::reload_proxy_certificate().await?;
get_info()
}
@@ -233,7 +234,8 @@ pub fn upload_custom_certificate(
properties: {
node: { schema: NODE_SCHEMA },
restart: {
- description: "Restart proxmox-backup-proxy",
+ description: "UI compatibility parameter, ignored",
+ type: Boolean,
optional: true,
default: false,
},
@@ -245,7 +247,7 @@ pub fn upload_custom_certificate(
protected: true,
)]
/// Delete the current certificate and regenerate a self signed one.
-pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> {
+pub async fn delete_custom_certificate() -> Result<(), Error> {
let cert_path = configdir!("/proxy.pem");
// Here we fail since if this fails nothing else breaks anyway
std::fs::remove_file(&cert_path)
@@ -263,10 +265,7 @@ pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> {
}
crate::config::update_self_signed_cert(true)?;
-
- if restart {
- crate::config::reload_proxy()?;
- }
+ crate::server::reload_proxy_certificate().await?;
Ok(())
}
@@ -535,7 +534,8 @@ fn spawn_certificate_worker(
WorkerTask::spawn(name, None, auth_id, true, move |worker| async move {
if let Some(cert) = order_certificate(worker, &node_config).await? {
- crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem, true)?;
+ crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
+ crate::server::reload_proxy_certificate().await?;
}
Ok(())
})
@@ -572,7 +572,7 @@ pub fn revoke_acme_cert(rpcenv: &mut dyn RpcEnvironment) -> Result<String, Error
worker.log("Revoking old certificate");
acme.revoke_certificate(cert_pem.as_bytes(), None).await?;
worker.log("Deleting certificate and regenerating a self-signed one");
- delete_custom_certificate(true)?;
+ delete_custom_certificate().await?;
Ok(())
},
)
diff --git a/src/config.rs b/src/config.rs
index 22c293c9..b9cd6281 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -187,16 +187,12 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
let x509 = x509.build();
let cert_pem = x509.to_pem()?;
- set_proxy_certificate(&cert_pem, &priv_pem, false)?;
+ set_proxy_certificate(&cert_pem, &priv_pem)?;
Ok(())
}
-pub(crate) fn set_proxy_certificate(
- cert_pem: &[u8],
- key_pem: &[u8],
- reload: bool,
-) -> Result<(), Error> {
+pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(), Error> {
let backup_user = crate::backup::backup_user()?;
let options = CreateOptions::new()
.perm(Mode::from_bits_truncate(0o0640))
@@ -211,14 +207,5 @@ pub(crate) fn set_proxy_certificate(
replace_file(&cert_path, &cert_pem, options)
.map_err(|err| format_err!("error writing certificate file - {}", err))?;
- if reload {
- reload_proxy()?;
- }
-
Ok(())
}
-
-pub(crate) fn reload_proxy() -> Result<(), Error> {
- crate::tools::systemd::reload_unit("proxmox-backup-proxy")
- .map_err(|err| format_err!("error signaling reload to pbs proxy: {}", err))
-}
diff --git a/src/server.rs b/src/server.rs
index b6a37b92..ba25617d 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -7,6 +7,7 @@
use anyhow::{format_err, Error};
use lazy_static::lazy_static;
use nix::unistd::Pid;
+use serde_json::Value;
use proxmox::sys::linux::procfs::PidStat;
@@ -91,3 +92,11 @@ pub use report::*;
pub mod ticket;
pub mod auth;
+
+pub(crate) async fn reload_proxy_certificate() -> Result<(), Error> {
+ let proxy_pid = crate::server::read_pid(buildcfg::PROXMOX_BACKUP_PROXY_PID_FN)?;
+ let sock = crate::server::ctrl_sock_from_pid(proxy_pid);
+ let _: Value = crate::server::send_raw_command(sock, "{\"command\":\"reload-certificate\"}\n")
+ .await?;
+ Ok(())
+}
--
2.20.1
More information about the pbs-devel
mailing list