Disable mlock when running in containers

It's not possible to use mlock when running vault inside a
container; automatically disable vault mlock when this is
detected.

mlock status is now always reflected in juju status output
for full transparency.

Change-Id: I57cf1d19e2783ec41e2d37cb4300a55828212cc3
James Page 2018-05-14 09:40:21 +01:00
parent 30a3a2fcc6
commit ea1910f9cd
2 changed files with 42 additions and 15 deletions


@ -30,6 +30,7 @@ from charmhelpers.core.host import (
service_restart,
service_running,
write_file,
is_container,
)
from charmhelpers.core.templating import (
@ -144,7 +145,7 @@ def snap_refresh():
def configure_vault(context):
log("Running configure_vault", level=DEBUG)
context['disable_mlock'] = config()['disable-mlock']
context['disable_mlock'] = is_container() or config('disable-mlock')
context['ssl_available'] = is_state('vault.ssl.available')
if is_flag_set('etcd.tls.available'):
@ -596,14 +597,13 @@ def _assess_status():
status_set('blocked', 'Unit is sealed')
return
if config('disable-mlock'):
status_set(
'active',
'WARNING: DISABLE-MLOCK IS SET -- SECRETS MAY BE LEAKED'
)
else:
status_set(
'active',
'Unit is ready '
'(active: {})'.format(str(not health['standby']).lower())
mlock_disabled = is_container() or config('disable-mlock')
status_set(
'active',
'Unit is ready '
'(active: {}, mlock: {})'.format(
str(not health['standby']).lower(),
'disabled' if mlock_disabled else 'enabled'
)
)
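Review bot: The rewritten status message in `_assess_status` drops the explicit warning that was shown whenever mlock was off, so an operator now sees `mlock: disabled` beside an `active` status with no hint that Vault's memory may be paged to swap; I'd keep the consequence visible, e.g. `'disabled (secrets may be swapped to disk)' if mlock_disabled else 'enabled'`. The expression `is_container() or config('disable-mlock')` is now duplicated in `configure_vault` and `_assess_status`; a small module-level helper such as `def _mlock_disabled(): return is_container() or config('disable-mlock')` called from both would keep the rendered vault.hcl and the reported status from drifting apart. Note also that `is_container()` unconditionally wins, so an operator who has given the container the capability mlock needs (where the runtime permits that) has no way to keep mlock enabled — if that is intended it should be stated in the `disable-mlock` option's description. `_assess_status` begins outside this hunk.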


@ -69,8 +69,10 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
'is_flag_set',
'set_flag',
'clear_flag',
'is_container',
]
self.patch_all()
self.is_container.return_value = False
def test_ssl_available(self):
self.assertFalse(handlers.ssl_available({
@ -89,7 +91,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
@patch.object(handlers.vault, 'can_restart')
def test_configure_vault(self, can_restart):
can_restart.return_value = True
self.config.return_value = {'disable-mlock': False}
self.config.return_value = False
self.is_state.return_value = True
db_context = {
'storage_name': 'psql',
@ -117,9 +119,10 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
]
self.open_port.assert_called_once_with(8200)
self.render.assert_has_calls(render_calls)
self.config.assert_called_with('disable-mlock')
# Check flipping disable-mlock makes it to the context
self.config.return_value = {'disable-mlock': True}
self.config.return_value = True
expected_context['disable_mlock'] = True
handlers.configure_vault(db_context)
render_calls = [
@ -136,6 +139,29 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
]
self.render.assert_has_calls(render_calls)
self.service.assert_called_with('enable', 'vault')
self.config.assert_called_with('disable-mlock')
# Ensure is_container will override config option
self.config.return_value = False
self.is_container.return_value = True
expected_context['disable_mlock'] = True
handlers.configure_vault(db_context)
render_calls = [
mock.call(
'vault.hcl.j2',
'/var/snap/vault/common/vault.hcl',
expected_context,
perms=0o600),
mock.call(
'vault.service.j2',
'/etc/systemd/system/vault.service',
{},
perms=0o644)
]
self.render.assert_has_calls(render_calls)
self.service.assert_called_with('enable', 'vault')
self.config.assert_called_with('disable-mlock')
self.is_container.assert_called_with()
@patch.object(handlers, 'configure_vault')
def test_configure_vault_psql(self, configure_vault):
@ -224,7 +250,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
can_restart.return_value = True
get_api_url.return_value = 'http://this-unit:8200'
get_cluster_url.return_value = 'http://this-unit:8201'
self.config.return_value = {'disable-mlock': False}
self.config.return_value = False
etcd_mock = mock.MagicMock()
etcd_mock.connection_string.return_value = 'http://etcd'
self.is_flag_set.return_value = True
@ -260,6 +286,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
ca=expected_context['etcd_tls_ca_file'],
)
self.is_flag_set.assert_called_with('etcd.tls.available')
self.config.assert_called_with('disable-mlock')
@patch.object(handlers, '_assess_interface_groups')
@patch.object(handlers.vault, 'get_vault_health')
@ -274,7 +301,7 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
self.application_version_set.assert_called_with(
self._health_response['version'])
self.status_set.assert_called_with(
'active', 'Unit is ready (active: true)')
'active', 'Unit is ready (active: true, mlock: enabled)')
self.config.assert_called_with('disable-mlock')
_assess_interface_groups.assert_has_calls([
mock.call(handlers.REQUIRED_INTERFACES,
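Review bot: In the container case appended to `test_configure_vault` (`self.is_container.return_value = True`), the `or` in `configure_vault` short-circuits and `config('disable-mlock')` is not called during that invocation, so the closing `self.config.assert_called_with('disable-mlock')` passes only because of the call made by the preceding invocation in the same test and does not verify what it appears to. Either call `self.config.reset_mock()` before the container case and assert `self.config.assert_not_called()` (which pins the override behaviour the comment describes), or drop that assertion. The `_assess_status` test only pins the `mlock: enabled` string; a companion case with `self.is_container.return_value = True` asserting `'Unit is ready (active: true, mlock: disabled)'` would cover the new branch. `test_configure_vault` starts outside this hunk.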