From 63e0dba2133220565ccb3b58e4e309732c230dd1 Mon Sep 17 00:00:00 2001 From: Hans Svensson Date: Wed, 25 Mar 2020 09:07:41 +0100 Subject: [PATCH 1/2] bbmustache does HTML-encode ampersands, don't use --- rel/files/riak-admin | 1 + rel/files/riak-repl | 1 + rel/vars.config | 2 +- rel/vars/dev_vars.config.src | 2 +- rel/vars/perf_vars.config.src | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/rel/files/riak-admin b/rel/files/riak-admin index 1b1b2657e..4dceaf8e5 100755 --- a/rel/files/riak-admin +++ b/rel/files/riak-admin @@ -6,6 +6,7 @@ ORIGINAL_DIR=$(pwd) # Make sure CWD is set to runner run dir +RUNNER_BASE_DIR={{runner_base_dir}} cd $RUNNER_BASE_DIR # Identify the script name diff --git a/rel/files/riak-repl b/rel/files/riak-repl index 487b4acd6..f2122d94a 100755 --- a/rel/files/riak-repl +++ b/rel/files/riak-repl @@ -6,6 +6,7 @@ ORIGINAL_DIR=$(pwd) # Make sure CWD is set to runner run dir +RUNNER_BASE_DIR={{runner_base_dir}} cd $RUNNER_BASE_DIR # Identify the script name diff --git a/rel/vars.config b/rel/vars.config index f4da0b9c1..2bc5cab41 100644 --- a/rel/vars.config +++ b/rel/vars.config @@ -41,7 +41,7 @@ %% %% bin/riak %% -{runner_script_dir, "\`cd \\`dirname $0\\` && /bin/pwd\`"}. +{runner_script_dir, "\`! cd \\`dirname $0\\` || /bin/pwd\`"}. {runner_base_dir, "{{runner_script_dir}}/.."}. {runner_etc_dir, "$RUNNER_BASE_DIR/etc"}. {runner_log_dir, "$RUNNER_BASE_DIR/log"}. diff --git a/rel/vars/dev_vars.config.src b/rel/vars/dev_vars.config.src index d935eabec..f37bf3e00 100644 --- a/rel/vars/dev_vars.config.src +++ b/rel/vars/dev_vars.config.src @@ -43,7 +43,7 @@ %% %% bin/riak %% -{runner_script_dir, "\`cd \\`dirname $0\\` && /bin/pwd\`"}. +{runner_script_dir, "\`! cd \\`dirname $0\\` || /bin/pwd\`"}. {runner_base_dir, "{{runner_script_dir}}/.."}. {runner_etc_dir, "$RUNNER_BASE_DIR/etc"}. {runner_log_dir, "$RUNNER_BASE_DIR/log"}. 
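Review bot: Nothing checks the result of the command substitution that `{{runner_base_dir}}` expands to in rel/files/riak-admin: per rel/vars.config it is the backtick `cd`/`pwd` expression followed by `/..`, so if that `cd` fails the variable becomes `/..` and the following `cd $RUNNER_BASE_DIR` silently moves the script to the filesystem root. The same added line appears in rel/files/riak-repl. Quote the expansion and stop on failure, `cd "$RUNNER_BASE_DIR" || exit 1`, so later relative paths are never resolved from an unintended directory. Both scripts continue outside their hunks.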
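Review bot: The new `runner_script_dir` value depends on `! cd … || /bin/pwd` behaving like `cd … && /bin/pwd`, and nothing beside the line says why it is written that way, so it is likely to be "simplified" back later. Add a comment above it in rel/vars.config, rel/vars/dev_vars.config.src and rel/vars/perf_vars.config.src, for example `%% "! cd X || pwd" is "cd X && pwd" without "&", which bbmustache HTML-encodes`. `dirname $0` is also still unquoted inside the substitution, so an install path containing whitespace would presumably not resolve.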
diff --git a/rel/vars/perf_vars.config.src b/rel/vars/perf_vars.config.src index 51ad2bbda..7c0ce6d09 100644 --- a/rel/vars/perf_vars.config.src +++ b/rel/vars/perf_vars.config.src @@ -49,7 +49,7 @@ %% %% bin/riak %% -{runner_script_dir, "\`cd \\`dirname $0\\` && /bin/pwd\`"}. +{runner_script_dir, "\`! cd \\`dirname $0\\` || /bin/pwd\`"}. {runner_base_dir, "{{runner_script_dir}}/.."}. {runner_etc_dir, "$RUNNER_BASE_DIR/etc"}. {runner_log_dir, "$RUNNER_BASE_DIR/log"}. From c38c66267c792d2537b95051b448dee95e026c27 Mon Sep 17 00:00:00 2001 From: Hans Svensson Date: Wed, 25 Mar 2020 11:45:10 +0100 Subject: [PATCH 2/2] Building a TLS-version of Riak --- priv/riak.schema | 6 +++++ rebar.config | 9 ++++--- rel/files/phoney_cert.pem | 49 +++++++++++++++++++++++++++++++++++++++ rel/files/riak_ssl.conf | 6 +++++ 4 files changed, 67 insertions(+), 3 deletions(-) create mode 100644 rel/files/phoney_cert.pem create mode 100644 rel/files/riak_ssl.conf diff --git a/priv/riak.schema b/priv/riak.schema index bb280b43a..447f5cf26 100644 --- a/priv/riak.schema +++ b/priv/riak.schema @@ -218,6 +218,12 @@ merge ]}. +%% TLS/SSL setting +{mapping, "erlang.proto_dist", "vm_args.-proto_dist", [ + %% {default, "inet_tcp"} + {default, "inet_tls -ssl_dist_optfile etc/riak_ssl.conf"} +]}. + {{#devrel}} %% Because of the 'merge' keyword in the proplist below, the docs and datatype %% are pulled from the leveldb schema. diff --git a/rebar.config b/rebar.config index 81d49c700..75e634235 100644 --- a/rebar.config +++ b/rebar.config @@ -45,14 +45,15 @@ {relx, [{release, {riak, "3.0"}, [kernel, stdlib, - lager, - sasl, + crypto, + asn1, public_key, ssl, + sasl, + lager, exometer_core, riak_sysmon, os_mon, - crypto, runtime_tools, xmerl, mochiweb, 
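Review bot: The added `erlang.proto_dist` mapping in priv/riak.schema packs a second emulator flag into the value of `-proto_dist` (`"inet_tls -ssl_dist_optfile etc/riak_ssl.conf"`), so anyone overriding the setting has to know to repeat the optfile flag, and the relative `etc/riak_ssl.conf` only resolves when the VM starts from the release root. It also makes TLS with the bundled certificate the default for every build, while the plain-TCP value survives only as a comment. Consider keeping `{default, "inet_tcp"}` here and exposing the optfile through its own mapping to `vm_args.-ssl_dist_optfile`, so that TLS distribution is an explicit opt-in with an operator-supplied path. The hunk starts inside the preceding mapping, so only the added block is reviewed.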
@@ -77,6 +78,8 @@ {mkdir, "data/ring"}, {template, "rel/files/advanced.config", "etc/advanced.config"}, + {copy, "rel/files/riak_ssl.conf", "etc/riak_ssl.conf"}, + {copy, "rel/files/phoney_cert.pem", "etc/phoney_cert.pem"}, %% Copy additional bin scripts {template, "rel/files/riak-admin", "bin/riak-admin"}, diff --git a/rel/files/phoney_cert.pem b/rel/files/phoney_cert.pem new file mode 100644 index 000000000..161361093 --- /dev/null +++ b/rel/files/phoney_cert.pem 
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDbjCCAlYCCQCAvNvby7tjaDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJT +RTEMMAoGA1UECAwDTi9BMRMwEQYDVQQHDApHb3RoZW5idXJnMRUwEwYDVQQKDAxF +eGFtcGxlLCBMTEMxETAPBgNVBAMMCFF1dmlxIEFCMR0wGwYJKoZIhvcNAQkBFg5j +ZXJ0QHF1dmlxLmNvbTAeFw0yMDAyMjQxMzIxMjVaFw0yMTAyMjMxMzIxMjVaMHkx +CzAJBgNVBAYTAlNFMQwwCgYDVQQIDANOL0ExEzARBgNVBAcMCkdvdGhlbmJ1cmcx +FTATBgNVBAoMDEV4YW1wbGUsIExMQzERMA8GA1UEAwwIUXV2aXEgQUIxHTAbBgkq +hkiG9w0BCQEWDmNlcnRAcXV2aXEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAm3Gp3Vmr+jQOut67+h9e7G0u4E2tE8GmTNA/g60vwE6aHkBsQxHz +Xz5OuRCLQZdVgK31Ex+fSHbJZ7xf7HotpN/byzT2H2O6JnTA5yWAVyQmqd45r8eN +4+CsNl4YLDBArFwfadFC6thGfjKPcM5VmgjWrzSfrQg8AgSphsb3zXViLPxMdU1R +E/94/TOmRG6MA4en4wkEsjjspHH1GnzpuLYTTD/HvwpF/PWwchjb9NMo71j0v7ja +P3s605FRqcukgJz7gZ7Qv+e05UfOC2YuSCEshxHsoiaRy9hsN971kDtmmcj6w0zy +SVGa8URCXYDmueSfeFvcrdvsSHz2E2o9owIDAQABMA0GCSqGSIb3DQEBCwUAA4IB +AQA4vegr55hJHbecx8ry7xBizlK33nDVaZkkMyDy/RiJoj1mlNtTRjLLvSbVe68x +rtsAvEaBu6yPJTn+8x8HqH73eVsMYrB5XRLMNNzWE1Dn1bMwXYfLFg8GLh1U8JDS +1hzOjlWdvjXPE545N0OU8Fv2YWoRp0B7okvoQEoUahx0Wd0HIdBjZMbv1JiV+qi6 +7PnUak2AQxddyolwOmgZrF+ssXhfOkd0XuYsn8ycrFoTjmJujxnEzjA7twIjllw1 +kPw0qy6kpa7VZnjL3stNSl3g3nupLm/SL1wckZrTQs+3qEPLf5R/GyTMC4v22DMZ +dR70apXT2gF7BbTKAhLGx7IJ +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbcandWav6NA66 +3rv6H17sbS7gTa0TwaZM0D+DrS/ATpoeQGxDEfNfPk65EItBl1WArfUTH59Idsln +vF/sei2k39vLNPYfY7omdMDnJYBXJCap3jmvx43j4Kw2XhgsMECsXB9p0ULq2EZ+ +Mo9wzlWaCNavNJ+tCDwCBKmGxvfNdWIs/Ex1TVET/3j9M6ZEbowDh6fjCQSyOOyk +cfUafOm4thNMP8e/CkX89bByGNv00yjvWPS/uNo/ezrTkVGpy6SAnPuBntC/57Tl +R84LZi5IISyHEeyiJpHL2Gw33vWQO2aZyPrDTPJJUZrxREJdgOa55J94W9yt2+xI +fPYTaj2jAgMBAAECggEAZVZbfB+qm2n2tGLiv3RWKOIhLj/VdszHQsp8rbZpLADS +PqiXK753H/95yPJ9JpynNEW0QOxbph0yvjszefJI8XSzUK3NSrd0Mv/ohoiPO8Ao +qJNknjEFUqs0+hirv5sRfoxsOksfSgUHJ9yEYPFTIyFh/ETdWCvHGzW441GxWTKK +ToakF/wcKacioqTeNGYU9+Rz4LMVMkYppbUpEHq247f/HQNtWk9/olNOL0jRTboB 
+4wpj3nh9wTNsRiAuhebOfX7+my9oBR9h5tYtkeS+EaU4jzmgDcksGWCS/55uYuUL +Xv3Xbs3i+1V94QFmQzbpxaUZj66XlUIZAdwqJT2SiQKBgQDL1kF0ufc5P3B29Qmq +/pHeM0AHQa8xtNqZ2pXysCWuwEPo57XRusRTixS0kQF4gkGA1g/La3s2rfvu8luP +qeFdY2n4us89k0AdKX7mue+6p0OAMuy5g2NhiHxIkO8JjlWzjNxjSr5tScByF7bW +8iFcOFIKArXqT+O7FpaxRtlF7QKBgQDDORg9QlxIIC3wXQXgNNBJI67o3dmztFBt +ydMZ2fzIJBEnOp97O/Ah+RD+Qq4PmdTYWDK3d7K5N/Xp05T2uJlCnMYgiW5BNZYG +SwZDZNadSwgR6UAW2S2gsKuhXXUDDMmslED+6N2BO/AJ4Au+SE7fNYBZehTMso1B +OSePuu8fzwKBgFiNWNxT2dIV/E7BfxS5CTelviAo6epHLlx+eHv5CDXVsurglr1p +TNcaacFT6Xan57sHw87Uf6+uf+87fIl5/LzsbmIvDc8rREQm/clQZ5QIDCwKc4rY +SHlbqNqBlEbrfdHF1QyRsQ6bZq5qHPVeNR3yHbnZmZwUXtOtKYQUSlm1AoGAWuJD +pJE2QOWqPVIxIBW2ObaBASv247A4GURyIIDZK5uO2MJz6H0Y59f5z0Tfn6ev7R/y +THNPIucodrjnioyZ3Ob7Xb5dM8Jsm3Vl7w4M06FQmnYKPhjRIxPccvz9MnRLlypV +r9Zc+IMc1pwVG3qyLTvNCtrIwBsHo6ul/UW7eQUCgYEAmvaVViCdQO1SzY57P88t +SFQ59qcbVf35rsWjGK6VavCtQnzoiViDn8DRo7WHfAc2d9sLUGswDoFtNr5PX9Eg +Y9fsyN2xg4wE2IEvanPRu96CGAg7/PU05TFbCvdeljRNP+0oJ+OIqMH4tmFGhcAt +hh7ODr+2KSCXlCLn5I+mCSo= +-----END PRIVATE KEY----- diff --git a/rel/files/riak_ssl.conf b/rel/files/riak_ssl.conf new file mode 100644 index 000000000..252df0f3a --- /dev/null +++ b/rel/files/riak_ssl.conf @@ -0,0 +1,6 @@ +[{server, + [{certfile, "./etc/phoney_cert.pem"}, + {server_fail_if_no_peer_cert, true}, + {secure_renegotiate, true}]}, + {client, + [{secure_renegotiate, true}]}].
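Review bot: The new rel/files/phoney_cert.pem carries an unencrypted private key next to the certificate, and the rebar.config overlay in this patch copies it to `etc/phoney_cert.pem` in every release, so all installations built from this tree share one key that anyone with access to the repository also holds. Because riak_ssl.conf points the distribution server at this file, inter-node TLS then gives no assurance about which node is on the other end. Keep key material out of the tree and have the release expect an operator-supplied file, e.g. `{certfile, "<operator-provided cert+key path>"}`, or generate a key per install. The encoded validity also appears to cover a single year ending in February 2021, so any peer that does verify the certificate would start rejecting it after that.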
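Review bot: The server options in rel/files/riak_ssl.conf ask for a peer certificate but never enable verification: there is no `{verify, verify_peer}` or `cacertfile` on either side, and the client section has no `certfile` to present. As far as I know the optfile takes the plain ssl option names, so `server_fail_if_no_peer_cert` (the `-ssl_dist_opt` command-line spelling) should be `fail_if_no_peer_cert` here and may otherwise be ignored or rejected. As written the distribution channel would be encrypted but not mutually authenticated. A version with verification on both sides is sketched below; the paths are placeholders.

```erlang
[{server,
  [{certfile, "<operator-provided node cert+key>"},
   {cacertfile, "<operator-provided CA bundle>"},
   {verify, verify_peer},
   {fail_if_no_peer_cert, true},
   {secure_renegotiate, true}]},
 {client,
  [{certfile, "<operator-provided node cert+key>"},
   {cacertfile, "<operator-provided CA bundle>"},
   {verify, verify_peer},
   {secure_renegotiate, true}]}].
```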