From e4885d51e6d9e323ab106dfc82d9acb9e4039b00 Mon Sep 17 00:00:00 2001 From: Dave Cornejo Date: Wed, 14 Apr 2021 09:42:37 -1000 Subject: [PATCH 1/3] Add ability to enable core dumps from RESTCONF process Contributed by Rubicon Communications LLC, dbs Netgate --- apps/restconf/restconf_main_native.c | 16 ++ yang/clixon/Makefile.in | 2 +- yang/clixon/clixon-restconf@2021-04-12.yang | 223 ++++++++++++++++++++ 3 files changed, 240 insertions(+), 1 deletion(-) create mode 100644 yang/clixon/clixon-restconf@2021-04-12.yang diff --git a/apps/restconf/restconf_main_native.c b/apps/restconf/restconf_main_native.c index ee2d7822..2e485b4d 100644 --- a/apps/restconf/restconf_main_native.c +++ b/apps/restconf/restconf_main_native.c @@ -138,6 +138,7 @@ #include #include #include +#include #include #include @@ -1448,6 +1449,21 @@ restconf_openssl_init(clicon_handle h, yang_spec_dump(clicon_dbspec_yang(h), dbg); } } + if ((x = xpath_first(xrestconf, nsc, "enable-core-dump")) != NULL) { + /* core dump is enabled on RESTCONF process */ + struct rlimit rlp; + if (strcmp(xml_body(x), "true") == 0) { + rlp.rlim_cur = RLIM_INFINITY; + rlp.rlim_max = RLIM_INFINITY; + clicon_log(LOG_NOTICE, "%s: core dump emanbled", __func__); + } else { + rlp.rlim_cur = 0; + rlp.rlim_max = 0; + clicon_log(LOG_NOTICE, "%s: core dump disnbled", __func__); + } + int status = setrlimit(RLIMIT_CORE, &rlp); + clicon_log(LOG_NOTICE, "%s: setrlimit=%ld", __func__, status); + } if (init_openssl() < 0) goto done; diff --git a/yang/clixon/Makefile.in b/yang/clixon/Makefile.in index 206876c3..61d5050a 100644 --- a/yang/clixon/Makefile.in +++ b/yang/clixon/Makefile.in @@ -45,7 +45,7 @@ YANGSPECS = clixon-config@2021-03-08.yang YANGSPECS += clixon-lib@2021-03-08.yang YANGSPECS += clixon-rfc5277@2008-07-01.yang YANGSPECS += clixon-xml-changelog@2019-03-21.yang -YANGSPECS += clixon-restconf@2021-03-15.yang +YANGSPECS += clixon-restconf@2021-04-12.yang APPNAME = clixon # subdir ehere these files are installed 
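Review bot: Both branches of the new `enable-core-dump` block in restconf_openssl_init rewrite the hard limit as well as the soft one. Requesting `rlp.rlim_max = RLIM_INFINITY` fails with EPERM when the daemon runs unprivileged under a lower inherited hard limit, and `rlp.rlim_max = 0` in the else branch cannot be raised again by the process, so the limit chosen by the administrator or service manager is lost either way. I would read the current values with `getrlimit(RLIMIT_CORE, &rlp)` and change only the soft limit, `rlp.rlim_cur = enable ? rlp.rlim_max : 0;`, where `enable` stands for the result of the strcmp() test. `xml_body(x)` also goes to strcmp() unchecked, which is undefined behaviour if it can return NULL for an empty element, so a NULL test before the comparison is worth adding. The function starts and ends outside the hunk.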
diff --git a/yang/clixon/clixon-restconf@2021-04-12.yang b/yang/clixon/clixon-restconf@2021-04-12.yang
new file mode 100644
index 00000000..065dcf7d
--- /dev/null
+++ b/yang/clixon/clixon-restconf@2021-04-12.yang
@@ -0,0 +1,223 @@
+module clixon-restconf {
+ yang-version 1.1;
+ namespace "http://clicon.org/restconf";
+ prefix "clrc";
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ organization
+ "Clixon";
+
+ contact
+ "Olof Hagsand ";
+
+ description
+ "This YANG module provides a data-model for the Clixon RESTCONF daemon.
+ ***** BEGIN LICENSE BLOCK *****
+ Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
+
+ This file is part of CLIXON
+
+ Licensed under the Apache License, Version 2.0 (the \"License\");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an \"AS IS\" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ Alternatively, the contents of this file may be used under the terms of
+ the GNU General Public License Version 3 or later (the \"GPL\"),
+ in which case the provisions of the GPL are applicable instead
+ of those above. If you wish to allow use of your version of this file only
+ under the terms of the GPL, and not to allow others to
+ use your version of this file under the terms of Apache License version 2,
+ indicate your decision by deleting the provisions above and replace them with
+ the notice and other provisions required by the GPL. If you do not delete
+ the provisions above, a recipient may use your version of this file under
+ the terms of any one of the Apache License version 2 or the GPL.
+
+ ***** END LICENSE BLOCK *****";
+
+ revision 2021-04-12 {
+ description
+ "Added flag to enable core dumps";
+ }
+ revision 2021-03-15 {
+ description
+ "make authentication-type none a feature";
+ }
+ revision 2020-12-30 {
+ description
+ "Added: debug field
+ Added 'none' as default value for auth-type
+ Changed http-auth-type enum from 'password' to 'user'";
+ }
+ revision 2020-10-30 {
+ description
+ "Initial release";
+ }
+
+ feature fcgi {
+ description
+ "This feature indicates that the restconf server supports the fast-cgi reverse
+ proxy solution.
+ That is, a reverse proxy is the HTTP front-end and the restconf daemon listens
+ to a fcgi socket.
+ The alternative is the internal HTTP solution using evhtp.";
+ }
+
+ feature allow-auth-none {
+ description
+ "This feature allows the use of authentication-type none.";
+ }
+
+ typedef http-auth-type {
+ type enumeration {
+ enum none {
+ if-feature "allow-auth-none";
+ description
+ "Incoming message are set to authenticated by default. No ca-auth callback is called,
+ Authenticated user is set to special user 'none'.
+ Typically assumes NACM is not enabled.";
+ }
+ enum client-certificate {
+ description
+ "TLS client certificate validation is made on each incoming message. If it passes
+ the authenticated user is extracted from the SSL_CN parameter
+ The ca-auth callback can be used to revise this behavior.";
+ }
+ enum user {
+ description
+ "User-defined authentication as defined by the ca-auth callback.
+ One example is some form of password authentication, such as basic auth.";
+ }
+ }
+ description
+ "Enumeration of HTTP authorization types.";
+ }
+ grouping clixon-restconf{
+ description
+ "HTTP RESTCONF configuration.";
+ leaf enable {
+ type boolean;
+ default "false";
+ description
+ "Enables RESTCONF functionality.
+ Note that starting/stopping of a restconf daemon is different from it being
+ enabled or not.
+ For example, if the restconf daemon is under systemd management, the restconf
+ daemon will only start if enable=true.";
+ }
+ leaf auth-type {
+ type http-auth-type;
+ description
+ "The authentication type.
+ Note client-certificate applies only if ssl-enable is true and socket has ssl";
+ default user;
+ }
+ leaf debug {
+ description
+ "Set debug level of restconf daemon.
+ 0 is no debug, 1 is debugging, more is detailed debug.
+ Debug logs will be directed to syslog with
+ ident: clixon_restconf and PID
+ facility: LOG_USER
+ level: LOG_DEBUG";
+ type uint32;
+ default 0;
+ }
+ leaf enable-core-dump {
+ description
+ "enable core dumps.
+ this is a no-op on systems that don't support it.";
+ type boolean;
+ default false;
+ }
+ leaf pretty {
+ type boolean;
+ default true;
+ description
+ "Restconf return value pretty print.
+ Restconf clients may add HTTP header:
+ Accept: application/yang-data+json, or
+ Accept: application/yang-data+xml
+ to get return value in XML or JSON.
+ RFC 8040 examples print XML and JSON in pretty-printed form.
+ Setting this value to false makes restconf return not pretty-printed
+ which may be desirable for performance or tests
+ This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang";
+ }
+ /* From this point only specific options
+ * First fcgi-specific options
+ */
+ leaf fcgi-socket {
+ if-feature fcgi; /* Set by default by fcgi clixon_restconf daemon */
+ type string;
+ default "/www-data/fastcgi_restconf.sock";
+ description
+ "Path to FastCGI unix socket. Should be specified in webserver
+ Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
+ Only if with-restconf=fcgi, NOT evhtp
+ This replaces CLICON_RESTCONF_PATH option in clixon-config.yang";
+ }
+ /* Second, evhtp-specific options */
+ leaf server-cert-path {
+ type string;
+ description
+ "Path to server certificate file.
+ Note only applies if socket has ssl enabled"; + } + leaf server-key-path { + type string; + description + "Path to server key file + Note only applies if socket has ssl enabled"; + } + leaf server-ca-cert-path { + type string; + description + "Path to server CA cert file + Note only applies if socket has ssl enabled"; + } + list socket { + description + "List of server sockets that the restconf daemon listens to"; + key "namespace address port"; + leaf namespace { + type string; + description + "Network namespace. + On platforms where namespaces are not suppported, always 'default'"; + } + leaf address { + type inet:ip-address; + description "IP address to bind to"; + } + leaf port { + type inet:port-number; + description "TCP port to bind to"; + } + leaf ssl { + type boolean; + default true; + description "Enable for HTTPS otherwise HTTP protocol"; + } + } + } + container restconf { + description + "This presence is strictly not necessary since the enable flag + in clixon-restconf is the flag bearing the actual semantics. + However, removing the presence leads to default config in all + clixon installations, even those which do not use backend-started restconf. + One could see this as mostly cosmetically annoying. + Alternative would be to make the inclusion of this yang conditional."; + presence "Enables RESTCONF"; + uses clixon-restconf; + } +} From ec0c5118a4abdabf399face9b7a4321abcda7028 Mon Sep 17 00:00:00 2001 From: Dave Cornejo Date: Thu, 15 Apr 2021 07:30:26 -1000 Subject: [PATCH 2/3] Cleanup pull request Remove clixon-restconf 2021-04-12, add changes to 2021-03-15 Remove noisy debug logging --- apps/restconf/restconf_main_native.c | 6 +- yang/clixon/clixon-restconf@2021-03-15.yang | 10 +- yang/clixon/clixon-restconf@2021-04-12.yang | 223 -------------------- 3 files changed, 12 insertions(+), 227 deletions(-) delete mode 100644 yang/clixon/clixon-restconf@2021-04-12.yang 
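Review bot: The description of the new `enable-core-dump` leaf says nothing about what a core file of this daemon can expose. The same grouping carries `server-key-path` and `auth-type`, so the process is likely to hold the TLS private key and request credentials in memory, and a dump would write them to disk. I would extend the description with a sentence such as `A core file can contain TLS key material and request data; keep the dump directory readable by the service account only and leave this off in production.` The leaf text is added again unchanged by the clixon-restconf@2021-03-15.yang hunk of patch 2/3, so the same applies there.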
diff --git a/apps/restconf/restconf_main_native.c b/apps/restconf/restconf_main_native.c index 2e485b4d..04908006 100644 --- a/apps/restconf/restconf_main_native.c +++ b/apps/restconf/restconf_main_native.c @@ -1455,14 +1455,14 @@ restconf_openssl_init(clicon_handle h, if (strcmp(xml_body(x), "true") == 0) { rlp.rlim_cur = RLIM_INFINITY; rlp.rlim_max = RLIM_INFINITY; - clicon_log(LOG_NOTICE, "%s: core dump emanbled", __func__); } else { rlp.rlim_cur = 0; rlp.rlim_max = 0; - clicon_log(LOG_NOTICE, "%s: core dump disnbled", __func__); } int status = setrlimit(RLIMIT_CORE, &rlp); - clicon_log(LOG_NOTICE, "%s: setrlimit=%ld", __func__, status); + if (status != 0) { + clicon_log(LOG_NOTICE, "%s: setrlimit() failed, %s", __func__, strerror(errno)); + } } if (init_openssl() < 0) diff --git a/yang/clixon/clixon-restconf@2021-03-15.yang b/yang/clixon/clixon-restconf@2021-03-15.yang index 25ec9b21..ef0604da 100644 --- a/yang/clixon/clixon-restconf@2021-03-15.yang +++ b/yang/clixon/clixon-restconf@2021-03-15.yang @@ -45,7 +45,8 @@ module clixon-restconf { revision 2021-03-15 { description - "make authentication-type none a feature"; + "make authentication-type none a feature + Added flag to enable core dumps"; } revision 2020-12-30 { description @@ -127,6 +128,13 @@ module clixon-restconf { type uint32; default 0; } + leaf enable-core-dump { + description + "enable core dumps. + this is a no-op on systems that don't support it."; + type boolean; + default false; + } leaf pretty { type boolean; default true; diff --git a/yang/clixon/clixon-restconf@2021-04-12.yang b/yang/clixon/clixon-restconf@2021-04-12.yang deleted file mode 100644 index 065dcf7d..00000000 --- a/yang/clixon/clixon-restconf@2021-04-12.yang +++ /dev/null 
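Review bot: When setrlimit() fails, the new branch in restconf_openssl_init logs at LOG_NOTICE and start-up continues, so a daemon configured with enable-core-dump true can run without core dumps and leave only a notice-level line behind. A warning level that names the limit would make that visible, e.g. `clicon_log(LOG_WARNING, "%s: setrlimit(RLIMIT_CORE) failed: %s", __func__, strerror(errno));`. The call now depends on `strerror` and `errno`, and the one header this series adds has its name stripped on this page, so confirm that `<string.h>` and `<errno.h>` are included in restconf_main_native.c. The function starts and ends outside the hunk.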
@@ -1,223 +0,0 @@
-module clixon-restconf {
- yang-version 1.1;
- namespace "http://clicon.org/restconf";
- prefix "clrc";
-
- import ietf-inet-types {
- prefix inet;
- }
-
- organization
- "Clixon";
-
- contact
- "Olof Hagsand ";
-
- description
- "This YANG module provides a data-model for the Clixon RESTCONF daemon.
- ***** BEGIN LICENSE BLOCK *****
- Copyright (C) 2020 Olof Hagsand and Rubicon Communications, LLC(Netgate)
-
- This file is part of CLIXON
-
- Licensed under the Apache License, Version 2.0 (the \"License\");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an \"AS IS\" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- Alternatively, the contents of this file may be used under the terms of
- the GNU General Public License Version 3 or later (the \"GPL\"),
- in which case the provisions of the GPL are applicable instead
- of those above. If you wish to allow use of your version of this file only
- under the terms of the GPL, and not to allow others to
- use your version of this file under the terms of Apache License version 2,
- indicate your decision by deleting the provisions above and replace them with
- the notice and other provisions required by the GPL. If you do not delete
- the provisions above, a recipient may use your version of this file under
- the terms of any one of the Apache License version 2 or the GPL.
-
- ***** END LICENSE BLOCK *****";
-
- revision 2021-04-12 {
- description
- "Added flag to enable core dumps";
- }
- revision 2021-03-15 {
- description
- "make authentication-type none a feature";
- }
- revision 2020-12-30 {
- description
- "Added: debug field
- Added 'none' as default value for auth-type
- Changed http-auth-type enum from 'password' to 'user'";
- }
- revision 2020-10-30 {
- description
- "Initial release";
- }
-
- feature fcgi {
- description
- "This feature indicates that the restconf server supports the fast-cgi reverse
- proxy solution.
- That is, a reverse proxy is the HTTP front-end and the restconf daemon listens
- to a fcgi socket.
- The alternative is the internal HTTP solution using evhtp.";
- }
-
- feature allow-auth-none {
- description
- "This feature allows the use of authentication-type none.";
- }
-
- typedef http-auth-type {
- type enumeration {
- enum none {
- if-feature "allow-auth-none";
- description
- "Incoming message are set to authenticated by default. No ca-auth callback is called,
- Authenticated user is set to special user 'none'.
- Typically assumes NACM is not enabled.";
- }
- enum client-certificate {
- description
- "TLS client certificate validation is made on each incoming message. If it passes
- the authenticated user is extracted from the SSL_CN parameter
- The ca-auth callback can be used to revise this behavior.";
- }
- enum user {
- description
- "User-defined authentication as defined by the ca-auth callback.
- One example is some form of password authentication, such as basic auth.";
- }
- }
- description
- "Enumeration of HTTP authorization types.";
- }
- grouping clixon-restconf{
- description
- "HTTP RESTCONF configuration.";
- leaf enable {
- type boolean;
- default "false";
- description
- "Enables RESTCONF functionality.
- Note that starting/stopping of a restconf daemon is different from it being
- enabled or not.
- For example, if the restconf daemon is under systemd management, the restconf
- daemon will only start if enable=true.";
- }
- leaf auth-type {
- type http-auth-type;
- description
- "The authentication type.
- Note client-certificate applies only if ssl-enable is true and socket has ssl";
- default user;
- }
- leaf debug {
- description
- "Set debug level of restconf daemon.
- 0 is no debug, 1 is debugging, more is detailed debug.
- Debug logs will be directed to syslog with
- ident: clixon_restconf and PID
- facility: LOG_USER
- level: LOG_DEBUG";
- type uint32;
- default 0;
- }
- leaf enable-core-dump {
- description
- "enable core dumps.
- this is a no-op on systems that don't support it.";
- type boolean;
- default false;
- }
- leaf pretty {
- type boolean;
- default true;
- description
- "Restconf return value pretty print.
- Restconf clients may add HTTP header:
- Accept: application/yang-data+json, or
- Accept: application/yang-data+xml
- to get return value in XML or JSON.
- RFC 8040 examples print XML and JSON in pretty-printed form.
- Setting this value to false makes restconf return not pretty-printed
- which may be desirable for performance or tests
- This replaces the CLICON_RESTCONF_PRETTY option in clixon-config.yang";
- }
- /* From this point only specific options
- * First fcgi-specific options
- */
- leaf fcgi-socket {
- if-feature fcgi; /* Set by default by fcgi clixon_restconf daemon */
- type string;
- default "/www-data/fastcgi_restconf.sock";
- description
- "Path to FastCGI unix socket. Should be specified in webserver
- Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock
- Only if with-restconf=fcgi, NOT evhtp
- This replaces CLICON_RESTCONF_PATH option in clixon-config.yang";
- }
- /* Second, evhtp-specific options */
- leaf server-cert-path {
- type string;
- description
- "Path to server certificate file.
- Note only applies if socket has ssl enabled"; - } - leaf server-key-path { - type string; - description - "Path to server key file - Note only applies if socket has ssl enabled"; - } - leaf server-ca-cert-path { - type string; - description - "Path to server CA cert file - Note only applies if socket has ssl enabled"; - } - list socket { - description - "List of server sockets that the restconf daemon listens to"; - key "namespace address port"; - leaf namespace { - type string; - description - "Network namespace. - On platforms where namespaces are not suppported, always 'default'"; - } - leaf address { - type inet:ip-address; - description "IP address to bind to"; - } - leaf port { - type inet:port-number; - description "TCP port to bind to"; - } - leaf ssl { - type boolean; - default true; - description "Enable for HTTPS otherwise HTTP protocol"; - } - } - } - container restconf { - description - "This presence is strictly not necessary since the enable flag - in clixon-restconf is the flag bearing the actual semantics. - However, removing the presence leads to default config in all - clixon installations, even those which do not use backend-started restconf. - One could see this as mostly cosmetically annoying. - Alternative would be to make the inclusion of this yang conditional."; - presence "Enables RESTCONF"; - uses clixon-restconf; - } -} From bd20553362deb1058cb9581f145af535935b8302 Mon Sep 17 00:00:00 2001 From: Dave Cornejo Date: Thu, 15 Apr 2021 07:36:48 -1000 Subject: [PATCH 3/3] missed a Makefile change --- yang/clixon/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yang/clixon/Makefile.in b/yang/clixon/Makefile.in index 61d5050a..206876c3 100644 --- a/yang/clixon/Makefile.in +++ b/yang/clixon/Makefile.in 
@@ -45,7 +45,7 @@ YANGSPECS = clixon-config@2021-03-08.yang YANGSPECS += clixon-lib@2021-03-08.yang YANGSPECS += clixon-rfc5277@2008-07-01.yang YANGSPECS += clixon-xml-changelog@2019-03-21.yang -YANGSPECS += clixon-restconf@2021-04-12.yang +YANGSPECS += clixon-restconf@2021-03-15.yang APPNAME = clixon # subdir ehere these files are installed