From 18dd78fbf0b9c601a2e1dad73edf7cc9552c9d2f Mon Sep 17 00:00:00 2001 From: zhoupengcheng Date: Wed, 31 Jan 2024 15:25:10 +0800 Subject: [PATCH] - adding the configuration and usage of the security certificate - atune-engine check whether the certificate file exists --- Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++ ...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++ analysis/app.py | 5 ++ 3 files changed, 147 insertions(+) diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md index 0862d449..9a2aa14c 100644 --- a/Documentation/UserGuide/A-Tune-User-Guide.md +++ b/Documentation/UserGuide/A-Tune-User-Guide.md @@ -1516,6 +1516,12 @@ Perform tuning. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ``` +**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.** + +**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS. + +**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2. + # 5 Appendixes @@ -1529,3 +1535,67 @@ Perform tuning. | profile | Set of optimization items and optimal parameter configuration. | +## 5.2 Self-signature Certificate Manufacturing Method + +### 5.2.1 Creating a Certificate Directory + +```shell +CERT_PATH=demo +mkdir $CERT_PATH +``` + +### 5.2.2 Generating the RSA Key Pair for the CA + +```shell +openssl genrsa -out $CERT_PATH/ca.key 2048 +``` + +### 5.2.3 Generating the CA Root Certificate + +```shell +openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt +``` + +### 5.2.4 Generating the Server Certificate + +```shell +# The IP address can be changed according to the actual situation. +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/server.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/server.key -out $CERT_PATH/server.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + +### 5.2.5 Generating the Client Certificate + +```shell +# The IP address can be changed according to the actual situation. +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/client.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/client.key -out $CERT_PATH/client.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + + diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" index 8376b163..db97cd68 100644 --- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" +++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" @@ -1501,6 +1501,15 @@ evaluations : 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ``` +**问题4:atuned或atune-engine服务无法启动,提示“Startup failed. Please provide the authentication certificate.”。** + +**原因:** atuned或atune-engine服务中的REST API默认通信协议为https,通信中缺少证书文件 + +**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下,其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/,atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可 +以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发 +调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。 + + # 5 附录 ## 5.1 术语和缩略语 @@ -1512,3 +1521,66 @@ evaluations : | profile | 优化项集合,最佳的参数配置 | +## 5.2 自签名证书制作方法 + +### 5.2.1 证书目录创建 + +```shell +CERT_PATH=demo +mkdir $CERT_PATH +``` + +### 5.2.2 生成CA的RSA密钥对 + +```shell +openssl genrsa -out $CERT_PATH/ca.key 2048 +``` + +### 5.2.3 生成CA根证书 + +```shell +openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt +``` + +### 5.2.4 生成服务器证书 + +```shell +# ip地址可以根据实际情况修改 +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/server.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/server.key -out $CERT_PATH/server.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + +### 5.2.5 生成客户端证书 + +```shell +# ip地址可以根据实际情况修改 +IP_ADDR=localhost +openssl genrsa -out $CERT_PATH/client.key 2048 +cp /etc/pki/tls/openssl.cnf $CERT_PATH +if test $IP_ADDR == localhost; then + echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf +else + echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf + echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf +fi +openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ + -key $CERT_PATH/client.key -out $CERT_PATH/client.csr +openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ + -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt +rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf +``` + diff --git a/analysis/app.py b/analysis/app.py index a51a9ec2..1a4ebf6b 100644 --- a/analysis/app.py +++ b/analysis/app.py @@ -20,6 +20,8 @@ from logging.handlers import SysLogHandler from flask import Flask from flask_restful import Api +LOGGER = logging.getLogger(__name__) + class App: """flask application""" @@ -55,6 +57,9 @@ class App: self.add_resource() context = None if tls: + if not os.path.exists(cert_file) or not os.path.exists(key_file) or not os.path.exists(ca_file): + LOGGER.error("Startup failed. Please provide the authentication certificate.") + raise FileNotFoundError("Startup failed. Please provide the authentication certificate.") context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) context.load_cert_chain(certfile=cert_file, keyfile=key_file) context.load_verify_locations(ca_file) -- Gitee