diff --git a/add-FAQ-and-self-signature-certificate-manufacturing.patch b/add-FAQ-and-self-signature-certificate-manufacturing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d527f2e929d44d587b720fd80b995fdde6a6f828
--- /dev/null
+++ b/add-FAQ-and-self-signature-certificate-manufacturing.patch
@@ -0,0 +1,186 @@
+From 4a9bebbc534837cd317a96eaac043b16f0b53835 Mon Sep 17 00:00:00 2001
+From: hanxinke
+Date: Wed, 5 Jan 2022 15:28:32 +0800
+Subject: [PATCH] add FAQ and self-signature certificate manufacturing method
+
+Signed-off-by: hanxinke
+---
+ Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++
+ ...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++
+ 2 files changed, 142 insertions(+)
+
+diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md
+index bffface..78968c3 100644
+--- a/Documentation/UserGuide/A-Tune-User-Guide.md
++++ b/Documentation/UserGuide/A-Tune-User-Guide.md
+@@ -1046,6 +1046,12 @@ Perform tuning.
+ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+ ```
+ 
++**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.**
++
++**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS.
++
++**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2.
++
+ 
+ 
+ # 5 Appendixes
+@@ -1060,3 +1066,67 @@ Perform tuning.
+ | profile | Set of optimization items and optimal parameter configuration. |
+ 
+ 
++
++## 5.2 Self-signature Certificate Manufacturing Method
++
++### 5.2.1 Creating a Certificate Directory
++
++```shell
++CERT_PATH=demo
++mkdir $CERT_PATH
++```
++
++### 5.2.2 Generating the RSA Key Pair for the CA
++
++```shell
++openssl genrsa -out $CERT_PATH/ca.key 2048
++```
++
++### 5.2.3 Generating the CA Root Certificate
++
++```shell
++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
++```
++
++### 5.2.4 Generating the Server Certificate
++
++```shell
++# The IP address can be changed according to the actual situation.
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/server.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
++### 5.2.5 Generating the Client Certificate
++
++```shell
++# The IP address can be changed according to the actual situation.
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/client.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
+diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+index 070aefc..788b0a3 100644
+--- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
++++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md"
+@@ -1052,6 +1052,14 @@ project: "example"
+ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+ ```
+ 
++**问题4:atuned或atune-engine服务无法启动,提示“Startup failed. Please provide the authentication certificate.”。**
++
++**原因:** atuned或atune-engine服务中的REST API默认通信协议为https,通信中缺少证书文件
++
++**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下,其中atuned服务的默认证书目录为/etc/atuned/rest_certs/,atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。
++
++
++
+ # 5 附录
+ 
+ ## 5.1 术语和缩略语
+@@ -1064,3 +1072,67 @@ project: "example"
+ | profile | 优化项集合,最佳的参数配置 |
+ 
+ 
++
++## 5.2 自签名证书制作方法
++
++### 5.2.1 证书目录创建
++
++```shell
++CERT_PATH=demo
++mkdir $CERT_PATH
++```
++
++### 5.2.2 生成CA的RSA密钥对
++
++```shell
++openssl genrsa -out $CERT_PATH/ca.key 2048
++```
++
++### 5.2.3 生成CA根证书
++
++```shell
++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt
++```
++
++### 5.2.4 生成服务器证书
++
++```shell
++# ip地址可以根据实际情况修改
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/server.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
++### 5.2.5 生成客户端证书
++
++```shell
++# ip地址可以根据实际情况修改
++IP_ADDR=localhost
++openssl genrsa -out $CERT_PATH/client.key 2048
++cp /etc/pki/tls/openssl.cnf $CERT_PATH
++if test $IP_ADDR == localhost; then
++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf
++else
++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf
++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf
++fi
++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \
++ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr
++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \
++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt
++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf
++```
++
+-- 
+2.27.0
+
diff --git a/atune.spec b/atune.spec
index 0d37ace9e2eb3a46a42e9a2b4409218cfe1da560..a4b370a0e21aa678d5daae4e4ff4127676df9817 100755
--- a/atune.spec
+++ b/atune.spec
@@ -3,7 +3,7 @@
 Summary: AI auto tuning system
 Name: atune
 Version: 0.3
-Release: 0.8
+Release: 0.9
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/A-Tune
 Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz
@@ -14,6 +14,8 @@ Patch6002: backport-atune-update-test-case.patch
 Patch6003: backport-atune-support-for-Go-1.15.patch
 Patch6004: backport-atune-add-successExitStatus-100-to-atuned.service.patch
 Patch6005: backport-atune-bugfix-atune-adm-check-error-before-atune-adm-profile.patch
+Patch9000: check-whether-the-certificate-file-exists.patch
+Patch9001: add-FAQ-and-self-signature-certificate-manufacturing.patch
 
 BuildRequires: rpm-build golang-bin procps-ng
 BuildRequires: sqlite >= 3.24.0 openssl
@@ -68,9 +70,6 @@ atune engine tool for manage atuned AI tuning system.
 %autosetup -n A-Tune -p1
 
 %build
-sed -i "s/^rest_tls.*/rest_tls = false/" misc/atuned.cnf
-sed -i "s/^engine_tls.*/engine_tls = false/" misc/atuned.cnf
-sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf
 make models
 %make_build
 
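Review bot: In 5.2.4 and 5.2.5 (repeated verbatim in the Chinese section) the `[SAN]` section appended to the copied openssl.cnf is never consulted — neither `openssl req` call passes `-reqexts SAN`, and with bash's builtin `echo` the `\n` is written literally anyway — so the subjectAltName on the issued certificates comes solely from `extfile.cnf`; either drop the `cp /etc/pki/tls/openssl.cnf` and `>> $CERT_PATH/openssl.cnf` lines or pass `-reqexts SAN` so the recipe does what it appears to do. `genrsa` writes `ca.key`, `server.key` and `client.key` with the caller's umask, so the text should add `chmod 600 $CERT_PATH/*.key` and state that only the leaf certificate, its key and `ca.crt` — never `ca.key` — are copied into the 0700 `/etc/atuned/rest_certs/` or `engine_certs/` directories under the file names configured in atuned.cnf/engine.cnf. `test $IP_ADDR == localhost` is a bash-only comparison; `test "$IP_ADDR" = localhost` also runs under /bin/sh. In the Q4 answer "self-service signature certificate" should read "self-signed certificate", and a one-line warning that a 3650-day self-signed CA is acceptable only for the development scope the answer already names would match the rest of the FAQ.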
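Review bot: Dropping the three `sed` lines in `%build` hands the `rest_tls`/`engine_tls` defaults back to upstream `misc/atuned.cnf` and `misc/engine.cnf`, which this diff does not show, so the changelog's "enable certificate authentication by default" now rests on upstream keeping those keys set to true. If the package's intent is TLS-on, pin it the way the removed lines pinned TLS-off — `sed -i "s/^rest_tls.*/rest_tls = true/" misc/atuned.cnf` plus the matching `engine_tls` edits for both files — so a future upstream default change cannot silently reopen plaintext REST. A short comment above `make models` noting that the cert directories are shipped empty on purpose (`%exclude /etc/atuned/engine_certs/*` and `%exclude /etc/atuned/rest_certs/*` in `%files`) and that first start therefore requires operator-supplied certificates would save the next packager a trip to the FAQ.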
@@ -81,61 +80,68 @@ make models
 
 %files
 %license License/LICENSE
-%defattr(0640,root,root,-)
-%attr(0640,root,root) /usr/lib/atuned/modules/daemon_profile_server.so
+%defattr(0640,root,root,0750)
+%attr(0550,root,root) /usr/lib/atuned/modules/daemon_profile_server.so
 %attr(0640,root,root) %{_unitdir}/atuned.service
-%attr(0750,root,root) %{_bindir}/atuned
-%attr(0750,root,root) /usr/libexec/atuned/scripts/*
-%attr(0750,root,root) /usr/libexec/atuned/analysis/*
-%attr(0640,root,root) /usr/lib/atuned/profiles/*
+%attr(0550,root,root) %{_bindir}/atuned
+%attr(0550,root,root) /usr/libexec/atuned/scripts/*
+%attr(0550,root,root) /usr/libexec/atuned/analysis/*
+/usr/lib/atuned/profiles/*
 %exclude /usr/libexec/atuned/analysis/app_engine.py
 %exclude /usr/libexec/atuned/analysis/models/
 %exclude /usr/libexec/atuned/analysis/optimizer/
 %exclude /usr/libexec/atuned/analysis/engine/
+%exclude /usr/libexec/atuned/analysis/dataset/
 %attr(0750,root,root) %dir /usr/lib/atuned
-%attr(0750,root,root) %dir /usr/lib/atuned/modules
+%attr(0550,root,root) %dir /usr/lib/atuned/modules
 %attr(0750,root,root) %dir /usr/lib/atuned/profiles
 %attr(0750,root,root) %dir /usr/libexec/atuned
-%attr(0750,root,root) %dir /usr/libexec/atuned/scripts
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/scripts
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
 %attr(0750,root,root) %dir /usr/share/atuned
 %attr(0750,root,root) %dir /etc/atuned
 %attr(0750,root,root) %dir /etc/atuned/rules
+%attr(0750,root,root) %dir /etc/atuned/tuning
 %attr(0750,root,root) %dir /var/atuned
 %attr(0640,root,root) /etc/atuned/atuned.cnf
+%attr(0700,root,root) %dir /etc/atuned/engine_certs
+%attr(0700,root,root) %dir /etc/atuned/rest_certs
 %exclude /etc/atuned/engine_certs/*
 %exclude /etc/atuned/rest_certs/*
 
 %files client
-%attr(0750,root,root) %{_bindir}/atune-adm
-%attr(0640,root,root) /usr/share/bash-completion/completions/atune-adm
+%attr(0550,root,root) %{_bindir}/atune-adm
+%attr(0550,root,root) /usr/share/bash-completion/completions/atune-adm
 
 %files db
 %attr(0750,root,root) %dir /var/lib/atuned
 %attr(0750,root,root) %dir /var/run/atuned
-%attr(0750,root,root) /var/lib/atuned/atuned.db
+%attr(0640,root,root) /var/lib/atuned/atuned.db
 %attr(0750,root,root) %dir /usr/libexec/atuned
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis/models
-%attr(0750,root,root) /usr/libexec/atuned/analysis/models/*
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis/models
+%attr(0550,root,root) /usr/libexec/atuned/analysis/models/*
 
 %files engine
 %license License/LICENSE
-%defattr(0640,root,root,-)
+%defattr(0640,root,root,0750)
 %attr(0640,root,root) %{_unitdir}/atune-engine.service
-%attr(0750,root,root) /usr/libexec/atuned/analysis/*
-%attr(0750,root,root) /usr/libexec/atuned/resources/*
-%attr(0750,root,root) /etc/atuned/*
-%exclude /usr/libexec/atuned/analysis/app.py
+%attr(0550,root,root) /usr/libexec/atuned/analysis/*
+%attr(0550,root,root) /usr/libexec/atuned/resources/*
+/etc/atuned/*
+%exclude /usr/libexec/atuned/analysis/app_rest.py
 %exclude /usr/libexec/atuned/analysis/plugin/
 %exclude /usr/libexec/atuned/analysis/atuned/
-%attr(0750,root,root) %dir /usr/libexec/atuned/analysis
-%attr(0750,root,root) %dir /usr/libexec/atuned/resources
+%attr(0750,root,root) %dir /usr/libexec/atuned
+%attr(0550,root,root) %dir /usr/libexec/atuned/analysis
+%attr(0550,root,root) %dir /usr/libexec/atuned/resources
 %attr(0750,root,root) %dir /etc/atuned
 %exclude /etc/atuned/atuned.cnf
 %exclude /etc/atuned/rules
+%exclude /etc/atuned/tuning
+%attr(0700,root,root) %dir /etc/atuned/engine_certs
 %exclude /etc/atuned/engine_certs/*
-%exclude /etc/atuned/rest_certs/*
+%exclude /etc/atuned/rest_certs
 
 %post
 %systemd_post atuned.service
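Review bot: `%attr(0550,root,root) /usr/share/bash-completion/completions/atune-adm` in `%files client` puts an execute bit on a file that is only ever sourced and keeps it unreadable to non-root shells, so completion works for root alone; if that is intended because `atune-adm` itself is now 0550 root:root, `%attr(0440,root,root)` says so without the spurious x bit, otherwise 0644 is the conventional mode for completion scripts. The new `%attr(0700,root,root) %dir /etc/atuned/rest_certs` and `/etc/atuned/engine_certs` entries together with the existing `%exclude` of their contents are the right shape — no key material ships in the RPM — but the directory mode does not protect operator-supplied `*.key` files once the directory is relaxed, so this is a case where `%files` cannot enforce the policy and the install guidance has to ask for 0600 keys. `/etc/atuned/engine_certs` is now owned by both the main package and `%files engine`; rpm does not flag differing modes on a shared directory and the package installed last decides the effective mode, so a comment on each `%attr(0700,root,root) %dir /etc/atuned/engine_certs` line pointing at the other would keep them from drifting apart.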
@@ -147,6 +153,9 @@ make models
 %systemd_postun_with_restart atuned.service
 
 %changelog
+* Tue Jan 4 2022 hanxinke - 0.3-0.9
+- enable certificate authentication by default and modify file permissions
+
 * Sat May 29 2021 gaoruoshu - 0.3-0.8
 - fix atune-adm check error
 
diff --git a/check-whether-the-certificate-file-exists.patch b/check-whether-the-certificate-file-exists.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a508561f98fa58c94768024363789e6f58379f3b
--- /dev/null
+++ b/check-whether-the-certificate-file-exists.patch
@@ -0,0 +1,36 @@
+From 8aa9e66cf1d59dadd9700ecb84f9165a4b35dd14 Mon Sep 17 00:00:00 2001
+From: hanxinke
+Date: Tue, 4 Jan 2022 09:49:57 +0800
+Subject: [PATCH] check whether the certificate file exists
+
+Signed-off-by: hanxinke
+---
+ analysis/app.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/analysis/app.py b/analysis/app.py
+index b6cd262..859da76 100644
+--- a/analysis/app.py
++++ b/analysis/app.py
+@@ -22,6 +22,8 @@ from logging.handlers import SysLogHandler
+ from flask import Flask
+ from flask_restful import Api
+ 
++LOGGER = logging.getLogger(__name__)
++
+ 
+ class App:
+ """flask application"""
+@@ -66,6 +68,9 @@ class App:
+ cert_file = config.get("server", cert_tag)
+ key_file = config.get("server", key_tag)
+ ca_file = config.get("server", ca_tag)
++ if not os.path.exists(cert_file) or not os.path.exists(key_file) or not os.path.exists(ca_file):
++ LOGGER.error("Startup failed. Please provide the authentication certificate.")
++ raise FileNotFoundError("Startup failed. Please provide the authentication certificate.")
+ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ context.load_cert_chain(certfile=cert_file, keyfile=key_file)
+ context.load_verify_locations(ca_file)
+-- 
+2.27.0
+
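Review bot: The added existence check makes a missing file fail loudly, but `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)` on the context line right after it leaves `verify_mode` at `CERT_NONE`, so `load_verify_locations(ca_file)` by itself does not make the engine demand a client certificate; unless `context.verify_mode = ssl.CERT_REQUIRED` is set further down the method (it starts and ends outside the hunk, so I cannot see it), the changelog's "certificate authentication by default" covers server authentication only. Within the added lines, `os.path.exists` is satisfied by a directory whereas `load_cert_chain` needs regular files, and the log line never says which of the three paths is absent, so the operator gets no actionable detail; the rewrite below uses `os.path.isfile` and names the missing paths while keeping the raised message unchanged. `LOGGER = logging.getLogger(__name__)` also depends on the `logging` module being bound, which `from logging.handlers import SysLogHandler` on its own does not do, so confirm that `import logging` (and `import os`) already appear above line 22.
```python
        cert_file = config.get("server", cert_tag)
        # … unchanged: key_file / ca_file lookups …
        missing = [p for p in (cert_file, key_file, ca_file) if not os.path.isfile(p)]
        if missing:
            LOGGER.error("Startup failed. Missing certificate file(s): %s", ", ".join(missing))
            raise FileNotFoundError("Startup failed. Please provide the authentication certificate.")
        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        # … unchanged: load_cert_chain / load_verify_locations …
```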