From d8be601606da444de2e7c09b9a045b749831baae Mon Sep 17 00:00:00 2001 From: Olof hagsand Date: Tue, 6 Apr 2021 08:48:45 +0200 Subject: [PATCH] * To configure native mode use: `configure --with-restconf=native`, changed from: `configure --with-restconf=evhtp` --- CHANGELOG.md | 5 +++-- apps/cli/Makefile.in | 2 +- apps/restconf/Makefile.in | 6 ++--- apps/restconf/README.md | 10 ++++----- ...conf_api_evhtp.c => restconf_api_native.c} | 0 ...nf_main_evhtp.c => restconf_main_native.c} | 0 configure | 16 +++++++------- configure.ac | 16 +++++++------- .../{Dockerfile.evhtp => Dockerfile.internal} | 0 test/certs.sh | 4 ++-- test/cicd/cicd.sh | 2 +- test/cicd/clixon-config.sh | 2 +- test/config.sh.in | 10 ++++----- test/lib.sh | 2 +- test/site.sh | 5 +++++ test/test_restconf.sh | 22 +++++++++---------- test/test_restconf_basic_auth.sh | 8 +++---- test/test_restconf_netns.sh | 6 ++--- test/test_restconf_ssl_certs.sh | 4 ++-- test/vagrant/Makefile.in | 4 ++-- test/vagrant/vagrant.sh | 20 ++++++++--------- yang/clixon/clixon-config@2021-03-08.yang | 2 +- 22 files changed, 76 insertions(+), 70 deletions(-) rename apps/restconf/{restconf_api_evhtp.c => restconf_api_native.c} (100%) rename apps/restconf/{restconf_main_evhtp.c => restconf_main_native.c} (100%) rename docker/main/{Dockerfile.evhtp => Dockerfile.internal} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd3d027e..c43207c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -33,11 +33,12 @@ Expected: April ### New features - ### API changes on existing protocol/config features -* Restconf "evhtp" mode MUST use libevhtp from https://github.com/clixon/clixon-libevhtp.git instead from criticalstack +* Native RESTCONF mode + * Restconf "evhtp" mode MUST use libevhtp from https://github.com/clixon/clixon-libevhtp.git instead from criticalstack + * To configure native mode use: `configure --with-restconf=native`, changed from: `configure --with-restconf=evhtp` * NETCONF Hello message semantics has been made stricter according to RFC 6241 Sec 8.1, for example: * A client MUST send a element. * Each peer MUST send at least the base NETCONF capability, "urn:ietf:params:netconf:base:1.1" (or 1.0 for RFC 4741) diff --git a/apps/cli/Makefile.in b/apps/cli/Makefile.in index ddf69489..bb2439c2 100644 --- a/apps/cli/Makefile.in +++ b/apps/cli/Makefile.in @@ -78,7 +78,7 @@ endif # even though it may exist in $(libdir). But the new version may not have been installed yet. LIBDEPS = $(top_srcdir)/lib/src/$(CLIXON_LIB) -LIBS = -L$(top_srcdir)/lib/src $(top_srcdir)/lib/src/$(CLIXON_LIB) @LIBS@ #-lpthread +LIBS = -L$(top_srcdir)/lib/src $(top_srcdir)/lib/src/$(CLIXON_LIB) @LIBS@ INCLUDES = -I. -I$(top_srcdir)/lib -I$(top_srcdir)/include -I$(top_srcdir) @INCLUDES@ diff --git a/apps/restconf/Makefile.in b/apps/restconf/Makefile.in index 6358e3a7..2bb71892 100644 --- a/apps/restconf/Makefile.in +++ b/apps/restconf/Makefile.in @@ -59,7 +59,7 @@ HOST_VENDOR = @host_vendor@ # XXX why is not wwwdir under prefix? wwwdir = @wwwdir@ wwwuser = @wwwuser@ -# one of fcgi or evhtp: +# one of fcgi or native: with_restconf = @with_restconf@ SH_SUFFIX = @SH_SUFFIX@ 
@@ -89,10 +89,10 @@ INCLUDES = -I. -I$(top_srcdir)/lib/src -I$(top_srcdir)/lib -I$(top_srcdir)/inclu # Application APPL = clixon_restconf -# Common source - not accessible from plugin - independent of restconf package (fcgi|evhtp) +# Common source - not accessible from plugin - independent of restconf package (fcgi|native) APPSRC = APPSRC += restconf_api.c # maybe empty -APPSRC += restconf_api_$(with_restconf).c # cant be .so since libevhtp is a. +APPSRC += restconf_api_$(with_restconf).c APPSRC += restconf_err.c APPSRC += restconf_methods.c APPSRC += restconf_methods_post.c diff --git a/apps/restconf/README.md b/apps/restconf/README.md index 260704a4..308b20a0 100644 --- a/apps/restconf/README.md +++ b/apps/restconf/README.md @@ -1,6 +1,6 @@ # Clixon Restconf - * [Evhtp](#evhtp) + * [Native](#native) * [Nginx](#nginx) * [Streams](#streams) * [Nchan Streams](#nchan) @@ -8,9 +8,9 @@ There are two installation instructions: for libevhtp and nginx. -## Evhtp +## Native -Download, build and install libevhtp from source. Prereqs: libevent and cmake. +Download, build and install libevhtp from source. Prereqs: libevent and ssl ``` sudo git clone https://github.com/clicon/clixon-libevhtp.git cd clixon-libevhtp @@ -19,9 +19,9 @@ Download, build and install libevhtp from source. Prereqs: libevent and cmake. sudo make install ``` -Configure clixon with evhtp: +Configure clixon with native restconf: ``` - ./configure --with-restconf=evhtp + ./configure --with-restconf=native ``` Ensure www-data is member of the CLICON_SOCK_GROUP (default clicon). If not, add it: diff --git a/apps/restconf/restconf_api_evhtp.c b/apps/restconf/restconf_api_native.c similarity index 100% rename from apps/restconf/restconf_api_evhtp.c rename to apps/restconf/restconf_api_native.c diff --git a/apps/restconf/restconf_main_evhtp.c b/apps/restconf/restconf_main_native.c similarity index 100% rename from apps/restconf/restconf_main_evhtp.c rename to apps/restconf/restconf_main_native.c 
diff --git a/configure b/configure index cead653a..28479cda 100755 --- a/configure +++ b/configure @@ -1374,7 +1374,7 @@ Optional Packages: --with-cligen=dir Use CLIGEN installation in this dir --with-restconf=fcgi FCGI interface for stand-alone web rev-proxy eg nginx (default) - --with-restconf=evhtp Integrate restconf with libevhtp server + --with-restconf=native Integrate restconf with embedded http server --without-restconf Disable restconf altogether --with-wwwuser= Set www user different from www-data --with-configfile=FILE Set default path to config file @@ -3352,7 +3352,7 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - # Set to evhtp or fcgi -> compile apps/restconf + # Set to native or fcgi -> compile apps/restconf # Web user default (ie what RESTCONF daemon runs as). @@ -4980,10 +4980,10 @@ else fi -# This is for restconf. There are three options: -# --without-restconf No restconf support -# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx -# --with-restconf=evhtp Integration with embedded web server libevhtp +# This is for restconf. There are three options: +# --without-restconf No restconf support +# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx +# --with-restconf=native Integration with embedded web server # Check whether --with-restconf was given. if test "${with_restconf+set}" = set; then : @@ -5042,7 +5042,7 @@ else as_fn_error $? "libfcgi-dev missing" "$LINENO" 5 fi -elif test "x${with_restconf}" == xevhtp; then +elif test "x${with_restconf}" == xnative; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL_init_ssl in -lssl" >&5 $as_echo_n "checking for OPENSSL_init_ssl in -lssl... " >&6; } if ${ac_cv_lib_ssl_OPENSSL_init_ssl_+:} false; then : 
@@ -5208,7 +5208,7 @@ if ${ac_cv_lib_evhtp_evhtp_new+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-levhtp -lpthread -levent -levent_openssl -lssl -lcrypto $LIBS" +LIBS="-levhtp -levent -lssl -lcrypto $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ diff --git a/configure.ac b/configure.ac index 0a453c6c..4ec7245f 100644 --- a/configure.ac +++ b/configure.ac @@ -95,7 +95,7 @@ AC_SUBST(CLIXON_DEFAULT_CONFIG) AC_SUBST(LIBS) AC_SUBST(SH_SUFFIX) AC_SUBST(LINKAGE) -AC_SUBST(with_restconf) # Set to evhtp or fcgi -> compile apps/restconf +AC_SUBST(with_restconf) # Set to native or fcgi -> compile apps/restconf AC_SUBST(with_libxml2) AC_SUBST(enable_optyangs) # Web user default (ie what RESTCONF daemon runs as). @@ -197,10 +197,10 @@ AC_CHECK_HEADERS(cligen/cligen.h,, AC_MSG_ERROR([CLIgen missing. Try: git clone AC_CHECK_LIB(cligen, cligen_init,, AC_MSG_ERROR([CLIgen missing. Try: git clone https://github.com/clicon/cligen.git])) -# This is for restconf. There are three options: -# --without-restconf No restconf support -# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx -# --with-restconf=evhtp Integration with embedded web server libevhtp +# This is for restconf. There are three options: +# --without-restconf No restconf support +# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx +# --with-restconf=native Integration with embedded web server AC_ARG_WITH([restconf], AS_HELP_STRING([--with-restconf=fcgi],[FCGI interface for stand-alone web rev-proxy eg nginx (default)]), , 
@@ -209,7 +209,7 @@ AC_ARG_WITH([restconf], if test "x${with_restconf}" == xfcgi; then # Lives in libfcgi-dev AC_CHECK_LIB(fcgi, FCGX_Init,, AC_MSG_ERROR([libfcgi-dev missing])) -elif test "x${with_restconf}" == xevhtp; then +elif test "x${with_restconf}" == xnative; then AC_CHECK_LIB(ssl, OPENSSL_init_ssl ,, AC_MSG_ERROR([libssl missing])) AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, , AC_MSG_ERROR([libcrypto missing])) AC_CHECK_LIB(event, event_init,, AC_MSG_ERROR([libevent missing])) @@ -220,7 +220,7 @@ elif test "x${with_restconf}" == xevhtp; then #define EVHTP_DISABLE_REGEX #define EVHTP_DISABLE_EVTHR ]]) - AC_CHECK_LIB(evhtp, evhtp_new,, AC_MSG_ERROR([libevhtp missing]),[-lpthread -levent -levent_openssl -lssl -lcrypto]) + AC_CHECK_LIB(evhtp, evhtp_new,, AC_MSG_ERROR([libevhtp missing]),[-levent -lssl -lcrypto]) elif test "x${with_restconf}" == xno; then # Cant get around "no" as an answer for --without-restconf that is reset here to undefined with_restconf= @@ -237,7 +237,7 @@ fi AC_ARG_WITH([restconf], AS_HELP_STRING([--with-restconf=fcgi],[FCGI interface for stand-alone web rev-proxy eg nginx (default)])) AC_ARG_WITH([restconf], - AS_HELP_STRING([--with-restconf=evhtp],[Integrate restconf with libevhtp server])) + AS_HELP_STRING([--with-restconf=native],[Integrate restconf with embedded http server])) AC_ARG_WITH([restconf], AS_HELP_STRING([--without-restconf],[Disable restconf altogether])) diff --git a/docker/main/Dockerfile.evhtp b/docker/main/Dockerfile.internal similarity index 100% rename from docker/main/Dockerfile.evhtp rename to docker/main/Dockerfile.internal diff --git a/test/certs.sh b/test/certs.sh index 492f742d..ddfe3f0e 100644 --- a/test/certs.sh +++ b/test/certs.sh @@ -19,7 +19,7 @@ default_crl_days = 9999 default_md = md5 [ req ] -default_bits = 1024 +default_bits = ${CERTKEYLEN} days = 1 distinguished_name = req_distinguished_name attributes = req_attributes 
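Review bot: After `xevhtp` is renamed to `xnative` in this `if`/`elif` chain, the previously documented `--with-restconf=evhtp` matches no arm visible in the hunk. The rest of the chain lies outside the hunk, so it is unclear whether the old value now fails loudly. If there is no catch-all, add one so that stale build scripts stop at configure time: `else AC_MSG_ERROR([unknown --with-restconf value, use fcgi or native])`. The hunk also drops `-lpthread -levent_openssl` from the `evhtp_new` link check, so it is worth confirming that the clixon-libevhtp build no longer needs `-levent_openssl` for its TLS path.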
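Review bot: The key length becomes configurable here, but the `default_md = md5` context line just above the changed `default_bits` still selects MD5 as the default digest in this generated OpenSSL config. A crypto policy strict enough to reject 1024-bit RSA will likely reject MD5-signed certificates too, so `default_md = sha256` belongs in the same change. `${CERTKEYLEN}` is also used without a fallback, both here and in the `openssl genrsa` call of the `@@ -58` hunk, and the only assignment visible in this patch is in test/site.sh. If that file is absent or replaced locally, the value expands to nothing. A guard such as `: ${CERTKEYLEN:=2048}` before the first use would keep both places well defined.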
@@ -58,7 +58,7 @@ subjectAltName = DNS:clicon.org EOF # Generate server key -openssl genrsa -out $srvkey 1024 +openssl genrsa -out $srvkey ${CERTKEYLEN} # Generate CSR (signing request) openssl req -new -config $dir/srv.cnf -key $srvkey -out $certdir/srv_csr.pem diff --git a/test/cicd/cicd.sh b/test/cicd/cicd.sh index f8d4587f..0c750b21 100755 --- a/test/cicd/cicd.sh +++ b/test/cicd/cicd.sh @@ -23,7 +23,7 @@ set -eux # x if [ $# -ne 2 ]; then echo "usage: $0 " - echo " where is fcgi or evhtp" + echo " where is fcgi or native" exit -1 fi diff --git a/test/cicd/clixon-config.sh b/test/cicd/clixon-config.sh index ec90ea06..15c9aa4e 100644 --- a/test/cicd/clixon-config.sh +++ b/test/cicd/clixon-config.sh @@ -4,7 +4,7 @@ set -eux if [ $# -ne 1 ]; then echo "usage: $0 " - echo " where is fcgi or evhtp" + echo " where is fcgi or native" exit -1 fi restconf=$1 diff --git a/test/config.sh.in b/test/config.sh.in index f7db74de..8459cd1a 100755 --- a/test/config.sh.in +++ b/test/config.sh.in @@ -33,11 +33,11 @@ # Generated from autotools, ie from the ./configure run, # See configure.ac for source -# This is for RESTCONF. There are three options: -# --without-restconf No restconf support -# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx -# --with-restconf=evhtp Integration with embedded web server libevhtp -WITH_RESTCONF=@with_restconf@ # evhtp, fcgi or "" +# This is for RESTCONF. There are three options: +# --without-restconf No restconf support +# --with-restconf=fcgi FCGI interface for separate web reverse proxy like nginx +# --with-restconf=native Integration with embedded web server libevhtp +WITH_RESTCONF=@with_restconf@ # native, fcgi or "" # This is for libxml2 XSD regex engine # Note this only enables the compiling of the code. In order to actually diff --git a/test/lib.sh b/test/lib.sh index 6bc10e80..f14cc4ec 100755 --- a/test/lib.sh +++ b/test/lib.sh 
@@ -339,7 +339,7 @@ function stop_restconf(){ # Wait for restconf to stop sending 502 Bad Gateway # @see start_restconf -# Reasons for not working: if you run evhtp is nginx running? +# Reasons for not working: if you run native is nginx running? # @note assumes port=80 if RCPROTO=http and port=443 if RCPROTO=https function wait_restconf(){ # echo "curl $CURLOPTS $* $RCPROTO://localhost/restconf" diff --git a/test/site.sh b/test/site.sh index 66ed9658..7b5d9aec 100644 --- a/test/site.sh +++ b/test/site.sh @@ -28,3 +28,8 @@ IPv6=true # This check is optional because some installs, such as vagrant make a non-systemd/direct # start NGINXCHECK=true + +# Lenght of TSL RSA key +# Problem with small key such as 1024 not allowed in centos8 for example (why is this) +# Problem with long keys are they take time to generate, eg on ARM +CERTKEYLEN=2048 diff --git a/test/test_restconf.sh b/test/test_restconf.sh index 97b96184..de21710d 100755 --- a/test/test_restconf.sh +++ b/test/test_restconf.sh 
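Review bot: The comment block added with `CERTKEYLEN=2048` in test/site.sh has two typos and leaves its own question open. `# Lenght of TSL RSA key` should read `# Length of TLS RSA key`. The "(why is this)" can be answered in place; presumably the distribution's default crypto policy enforces a 2048-bit RSA minimum, e.g. `# Keys below 2048 bits are rejected by the default crypto policy on e.g. centos8`. Because this value appears to size the keys generated by test/certs.sh, the comment could also say that it should not be lowered below 2048.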
@@ -1,18 +1,18 @@ #!/usr/bin/env bash # Restconf basic functionality also uri encoding using eth/0/0 -# Note there are many variants: (1)fcgi/evhtp, (2) http/https, (3) IPv4/IPv6, (4)local or backend-config -# (1) fcgi/evhtp -# This is compile-time --with-restconf=fcgi or evhtp, so either or +# Note there are many variants: (1)fcgi/native, (2) http/https, (3) IPv4/IPv6, (4)local or backend-config +# (1) fcgi/native +# This is compile-time --with-restconf=fcgi or native, so either or # - fcgi: Assume http server setup, such as nginx described in apps/restconf/README.md -# - evhtp: test both local config and get config from backend +# - native: test both local config and get config from backend # (2) http/https # - fcgi: relies on nginx has https setup -# - evhtp: generate self-signed server certs +# - native: generate self-signed server certs # (3) IPv4/IPv6 (only loopback 127.0.0.1 / ::1) # - The tests runs through both # - IPv6 by default disabled since docker does not support it out-of-the box -# (4) local/backend config. Evhtp only -# - The tests runs through both (if compiled with evhtp) +# (4) local/backend config. Native only +# - The tests runs through both (if compiled with native) # See also test_restconf2.sh # See test_restconf_rpc.sh for cases when CLICON_BACKEND_RESTCONF_PROCESS is set @@ -40,7 +40,7 @@ else cp /usr/local/share/clixon/$y $dir/ fi -if [ "${WITH_RESTCONF}" = "evhtp" ]; then +if [ "${WITH_RESTCONF}" = "native" ]; then # Create server certs certdir=$dir/certs srvkey=$certdir/srv_key.pem 
@@ -402,12 +402,12 @@ function testrun() # Go thru all combinations of IPv4/IPv6, http/https, local/backend config protos="http" -if [ "${WITH_RESTCONF}" = "evhtp" ]; then - # http only relevant for evhtp (for fcgi: need nginx config) +if [ "${WITH_RESTCONF}" = "native" ]; then + # http only relevant for internal (for fcgi: need nginx config) protos="$protos https" fi for proto in $protos; do - addrs="127.0.0.1" +# addrs="127.0.0.1" if $IPv6 ; then addrs="$addrs \[::1\]" fi diff --git a/test/test_restconf_basic_auth.sh b/test/test_restconf_basic_auth.sh index 735ef07b..ce610879 100755 --- a/test/test_restconf_basic_auth.sh +++ b/test/test_restconf_basic_auth.sh @@ -3,7 +3,7 @@ # Note this is not supported by core clixon: you need ca-auth callback implemented a la the example # For auth-type=none and auth-type=user, # For auth-type=ssl-certs, See test_restconf.sh test_restconf_ssl_certs.sh -# evhtp? and http only +# native? and http only # Use the following user settings: # 1. none (eg no -u to curl) # 2. anonymous - the registered anonymous user @@ -29,7 +29,7 @@ fyang=$dir/myexample.yang # No ssl RCPROTO=http -# Start with common config, then append fcgi/evhtp specific config +# Start with common config, then append fcgi/native specific config cat < $cfg $cfg @@ -52,7 +52,7 @@ cat < $cfg EOF -# Start with common config, then append fcgi/evhtp specific config +# Start with common config, then append fcgi/native specific config cat < $cfg $cfg @@ -195,7 +195,7 @@ function testrun() # Change restconf configuration before start restconf daemon restconf_config $auth false - # Start with common config, then append fcgi/evhtp specific config + # Start with common config, then append fcgi/native specific config cat < $cfg $cfg diff --git a/test/test_restconf_netns.sh b/test/test_restconf_netns.sh index 04712b52..89f433ab 100755 --- a/test/test_restconf_netns.sh +++ b/test/test_restconf_netns.sh 
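Review bot: The line `addrs="127.0.0.1"` is commented out in the `@@ -402` hunk of test/test_restconf.sh, which looks like a debugging leftover unrelated to the evhtp-to-native rename. Without it, `addrs` is never reset per protocol, so the IPv4 loopback case is no longer run. When `$IPv6` is false the list may be empty and the inner loop, whose body is outside this hunk, would run nothing while the test still reports success. When `$IPv6` is true, `\[::1\]` is appended again on each `proto` iteration. Restore the assignment as `    addrs="127.0.0.1"`. The new comment in the same hunk also says "internal" where the rest of the patch uses "native".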
@@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Restconf evhtp using socket network namespace (netns) support +# Restconf native using socket network namespace (netns) support # Listen to a default and a separate netns # Init running with a=42 # Get the config from default and netns namespace with/without SSL @@ -8,8 +8,8 @@ # Magic line must be first in script (see README.md) s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi -# Skip if other than evhtp -if [ "${WITH_RESTCONF}" != "evhtp" ]; then +# Skip if other than native +if [ "${WITH_RESTCONF}" != "native" ]; then if [ "$s" = $0 ]; then exit 0; else return 0; fi # skip fi diff --git a/test/test_restconf_ssl_certs.sh b/test/test_restconf_ssl_certs.sh index f9888b3b..6365671a 100755 --- a/test/test_restconf_ssl_certs.sh +++ b/test/test_restconf_ssl_certs.sh @@ -7,8 +7,8 @@ # Magic line must be first in script (see README.md) s="$_" ; . ./lib.sh || if [ "$s" = $0 ]; then exit 0; else return 0; fi -# Only works with evhtp and https -if [ "${WITH_RESTCONF}" != "evhtp" ]; then +# Only works with native and https +if [ "${WITH_RESTCONF}" != "native" ]; then if [ "$s" = $0 ]; then exit 0; else return 0; fi # skip fi diff --git a/test/vagrant/Makefile.in b/test/vagrant/Makefile.in index 97e59562..fb0fa68e 100644 --- a/test/vagrant/Makefile.in +++ b/test/vagrant/Makefile.in @@ -47,8 +47,8 @@ SHELL = /bin/sh # VAGRANTS += freebsd/FreeBSD-12.1-STABLE VAGRANTS = -# evhtp or fcgi -RESTCONF=evhtp +# internal or fcgi +RESTCONF=internal -include site.mk diff --git a/test/vagrant/vagrant.sh b/test/vagrant/vagrant.sh index 4a43b576..c96721e8 100755 --- a/test/vagrant/vagrant.sh +++ b/test/vagrant/vagrant.sh @@ -5,7 +5,7 @@ # 3. Compile and install clixon # 4. Run tests # Example run: ./vagrant.sh generic/centos8 2>&1 | tee cilog -# Default runs evhtp (not fcgi) +# Default runs native (not fcgi) set -eux # 
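Review bot: test/vagrant/Makefile.in now sets `RESTCONF=internal`, whereas configure, the tests and the `case ${with_restconf}` arms in test/vagrant/vagrant.sh all use `native`. If this variable is passed to vagrant.sh as `with_restconf` (the recipe is outside the hunk), `internal` would match no arm. The libevent/openssl packages and the libevhtp build would then be skipped silently. Use `RESTCONF=native` and `# native or fcgi` here. The rename to `docker/main/Dockerfile.internal` has the same naming mismatch.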
@@ -17,7 +17,7 @@ fi box=$1 # As defined in https://vagrantcloud.com/search #with_restconf=fcgi -: ${with_restconf:=evhtp} +: ${with_restconf:=native} echo "with-restconf:${with_restconf}" VCPUS=1 @@ -111,7 +111,7 @@ case $release in fcgi) $sshcmd sudo pkg install -y fcgi-devkit nginx ;; - evhtp) + native) ;; esac ;; @@ -128,7 +128,7 @@ case $release in fcgi) $sshcmd sudo pkg install -y fcgi-devkit nginx ;; - evhtp) + native) $sshcmd sudo pkg install -y libevent ;; esac @@ -154,7 +154,7 @@ case $release in # $sshcmd sudo yum update $sshcmd sudo yum install -y nginx ;; - evhtp) + native) $sshcmd sudo yum install -y libevent openssl $sshcmd sudo yum install -y libevent-devel openssl-devel ;; @@ -177,7 +177,7 @@ case $release in $sshcmd sudo zypper install -y nginx buildfcgi=true # build fcgi from source ;; - evhtp) + native) ;; esac ;; @@ -199,7 +199,7 @@ case $release in buildfcgi=true # some ubuntu dont have fcgi-dev $sshcmd sudo apt install -y nginx ;; - evhtp) + native) # $sshcmd sudo apt install -y libevent-2.1 $sshcmd sudo apt install -y libevent-dev libssl-dev ;; @@ -215,7 +215,7 @@ case $release in fcgi) $sshcmd sudo apk add --update nginx fcgi-dev ;; - evhtp) + native) ;; esac ;; @@ -230,7 +230,7 @@ case $release in fcgi) $sshcmd sudo pacman -Syu --noconfirm nginx fcgi ;; - evhtp) + native) $sshcmd sudo pacman -Syu --noconfirm libevent ;; esac @@ -253,7 +253,7 @@ case ${with_restconf} in # Hide all complex nginx config in sub-script . ./nginx.sh $dir $idfile $port $wwwuser ;; - evhtp) + native) $sshcmd << EOF test -d src || mkdir src cd src diff --git a/yang/clixon/clixon-config@2021-03-08.yang b/yang/clixon/clixon-config@2021-03-08.yang index bbdbb844..1dbf3ba7 100644 --- a/yang/clixon/clixon-config@2021-03-08.yang +++ b/yang/clixon/clixon-config@2021-03-08.yang 
@@ -465,7 +465,7 @@ module clixon-config { description "FastCGI unix socket. Should be specified in webserver Eg in nginx: fastcgi_pass unix:/www-data/clicon_restconf.sock - Only if with-restconf=fcgi, NOT evhtp + Only if with-restconf=fcgi, NOT native Note: Obsolete, use fcgi-socket in clixon-restconf.yang instead"; status obsolete; }