[docker-restapi]: Fix authentication in restapi (#4383)

- enabling http/https endpoint and mounting the certificates directory - updating the sonic-restapi submodule
sonic-net · Apr 15, 2020 · 12400a4 · 12400a4
1 parent a02255e
commit 12400a4
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 6 deletions.
diff --git a/dockers/docker-sonic-restapi/Dockerfile.j2 b/dockers/docker-sonic-restapi/Dockerfile.j2
@@ -20,6 +20,9 @@ RUN apt-get update
 ## Clean up
 RUN apt-get clean -y; apt-get autoclean -y; apt-get autoremove -y
 
+COPY ["start.sh", "restapi.sh", "/usr/bin/"]
 COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
+COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
+COPY ["critical_processes", "/etc/supervisor"]
 
 ENTRYPOINT ["/usr/bin/supervisord"]
diff --git a/dockers/docker-sonic-restapi/base_image_files/monit_restapi b/dockers/docker-sonic-restapi/base_image_files/monit_restapi
@@ -0,0 +1,7 @@
+###############################################################################
+## Monit configuration for restapi container
+## process list:
+##  restapi
+###############################################################################
+check process restapi matching "/usr/sbin/go-server-server"
+    if does not exist for 5 times within 5 cycles then alert
diff --git a/dockers/docker-sonic-restapi/critical_processes b/dockers/docker-sonic-restapi/critical_processes
@@ -0,0 +1 @@
+restapi
diff --git a/dockers/docker-sonic-restapi/restapi.sh b/dockers/docker-sonic-restapi/restapi.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+RESTAPI_ARGS=""
+while true
+do
+    client_auth=`sonic-cfggen -d -v "RESTAPI['config']['client_auth']"`
+    if [[ $client_auth == 'true' ]]; then
+        certs=`sonic-cfggen -d -v "RESTAPI['certs']"`
+        allow_insecure=`sonic-cfggen -d -v "RESTAPI['config']['allow_insecure']"`
+        if [[ $allow_insecure == 'true' ]]; then
+            RESTAPI_ARGS=" -enablehttp=true"
+        else
+            RESTAPI_ARGS=" -enablehttp=false"
+        fi
+        if [[ -n "$certs" ]]; then
+                SERVER_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['server_crt']"`
+                SERVER_KEY=`sonic-cfggen -d -v "RESTAPI['certs']['server_key']"`
+                CLIENT_CA_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['client_ca_crt']"`
+                CLIENT_CRT_CNAME=`sonic-cfggen -d -v "RESTAPI['certs']['client_crt_cname']"`
+                if [[ -f $SERVER_CRT && -f $SERVER_KEY && -f $CLIENT_CA_CRT ]]; then
+                    RESTAPI_ARGS+=" -enablehttps=true -servercert=$SERVER_CRT -serverkey=$SERVER_KEY -clientcert=$CLIENT_CA_CRT -clientcertcommonname=$CLIENT_CRT_CNAME"
+                    break
+                fi
+        fi
+    fi
+    logger "Waiting for certificates..."
+    sleep 60
+done
+
+LOG_LEVEL=`sonic-cfggen -d -v "RESTAPI['config']['log_level']"`
+if [ ! -z $LOG_LEVEL ]; then
+    RESTAPI_ARGS+=" -loglevel=$LOG_LEVEL"
+else
+    RESTAPI_ARGS+=" -loglevel=trace"
+fi 
+
+logger "RESTAPI_ARGS: $RESTAPI_ARGS"
+exec /usr/sbin/go-server-server ${RESTAPI_ARGS}
diff --git a/dockers/docker-sonic-restapi/start.sh b/dockers/docker-sonic-restapi/start.sh
@@ -6,5 +6,4 @@ echo "# Config files managed by sonic-config-engine" > /var/sonic/config_status
 rm -f /var/run/rsyslogd.pid
 
 supervisorctl start rsyslogd
-
 supervisorctl start restapi
diff --git a/dockers/docker-sonic-restapi/supervisord.conf b/dockers/docker-sonic-restapi/supervisord.conf
@@ -3,10 +3,32 @@ logfile_maxbytes=1MB
 logfile_backups=2
 nodaemon=true
 
-[program:restapi]
-command=/usr/sbin/go-server-server -loglevel trace
+[eventlistener:supervisor-proc-exit-listener]
+command=/usr/bin/supervisor-proc-exit-listener --container-name restapi
+events=PROCESS_STATE_EXITED
+autostart=true
+autorestart=false
+
+[program:start.sh]
+command=/usr/bin/start.sh
 priority=1
 autostart=true
 autorestart=false
-stdout_logfile=/tmp/rest-api.out.log
-stderr_logfile=/tmp/rest-api.err.log
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:restapi]
+command=/usr/bin/restapi.sh
+priority=1
+autostart=false
+autorestart=true
+stdout_logfile=syslog
+stderr_logfile=syslog
+
+[program:rsyslogd]
+command=/usr/sbin/rsyslogd -n
+priority=2
+autostart=false
+autorestart=true
+stdout_logfile=syslog
+stderr_logfile=syslog
diff --git a/rules/docker-restapi.mk b/rules/docker-restapi.mk
@@ -18,5 +18,11 @@ endif
 
 $(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
 $(DOCKER_RESTAPI)_RUN_OPT += --cap-add NET_ADMIN --privileged -t
+$(DOCKER_RESTAPI)_RUN_OPT += --network="host"
 $(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
+$(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/certificates:/etc/sonic/certificates:ro
+$(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp
 $(DOCKER_RESTAPI)_RUN_OPT += -p=8090:8090/tcp
+
+$(DOCKER_RESTAPI)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
+$(DOCKER_RESTAPI)_BASE_IMAGE_FILES += monit_restapi:/etc/monit/conf.d
diff --git a/src/sonic-restapi b/src/sonic-restapi