From 3ebfdf05e1939e915e50bd88548926711decce8b Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Mon, 31 Jan 2022 16:11:23 +0100
Subject: [PATCH] Support listening on a Unix socket
When using nginx to terminate TLS (like it's done in Bifrost), it's more secure to use a Unix socket for communication, so that local users cannot access plain text communication.
Change-Id: I37b762cca035b5855deb92635c29e8eb97a87c20
---
 ironic_inspector/conf/default.py | 16 +++++++++++++
 ironic_inspector/wsgi_service.py | 24 +++++++++++++++----
 .../notes/unix-socket-2f4281f8db5dd80a.yaml | 5 ++++
 3 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml
diff --git a/ironic_inspector/conf/default.py b/ironic_inspector/conf/default.py
index 01866a89f..f4728ba13 100644
--- a/ironic_inspector/conf/default.py
+++ b/ironic_inspector/conf/default.py
@@ -14,10 +14,20 @@
 import socket
 from oslo_config import cfg
+from oslo_config import types as cfg_types
 from ironic_inspector.common.i18n import _
+class Octal(cfg_types.Integer):
+ def __call__(self, value):
+ if isinstance(value, int):
+ return value
+ else:
+ return int(str(value), 8)
+
+
 _OPTS = [
 cfg.StrOpt('listen_address',
 default='::',
@@ -25,6 +35,12 @@ _OPTS = [
 cfg.PortOpt('listen_port',
 default=5050,
 help=_('Port to listen on.')),
+ cfg.StrOpt('listen_unix_socket',
+ help=_('Unix socket to listen on. Disables listen_address and '
+ 'listen_port.')),
+ cfg.Opt('listen_unix_socket_mode', type=Octal(),
+ help=_('File mode (an octal number) of the unix socket to '
+ 'listen on. Ignored if listen_unix_socket is not set.')),
 cfg.StrOpt('host',
 default=socket.getfqdn(),
 sample_default='localhost',
diff --git a/ironic_inspector/wsgi_service.py b/ironic_inspector/wsgi_service.py
index f8e55942d..0b32fd9e0 100644
--- a/ironic_inspector/wsgi_service.py
+++ b/ironic_inspector/wsgi_service.py
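Review bot: `Octal.__call__` replaces `cfg_types.Integer.__call__` outright, so whatever validation the base type performs (it accepts `min`/`max` bounds, for instance) never runs, and the two input paths disagree: a string from a config file is parsed as octal while an int given in code is returned as a decimal value, so a future `default=644` would silently mean 0o1204. The class also has no docstring. Parsing first and then delegating keeps both paths consistent, e.g. `value = value if isinstance(value, int) else int(str(value), 8)` followed by `return super().__call__(value)`, with a docstring such as `"""Integer option whose string form is read as an octal number (e.g. 0640)."""`. The docstring should also mention that non-octal text raises ValueError from `int(..., 8)`, which is presumably what oslo_config reports as a configuration error.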
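Review bot: `listen_unix_socket_mode` has no default, so a deployment that sets only `listen_unix_socket` gets a socket whose permissions come from the process umask rather than from this option (assuming oslo_service skips the chmod when the mode is None — confirm against the installed version). Since the commit's stated purpose is to keep local users off the plain-text channel, the help text should say so and steer operators to a restrictive value, e.g. append `'When unset, the socket permissions are left to the process umask; a value such as 0660 restricts access to the service user and group.'`. Alternatively give the option a restrictive default, so the secure configuration is the one obtained without reading the documentation.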
@@ -10,6 +10,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import socket
+
+from ironic_lib import utils as il_utils
 from oslo_config import cfg
 from oslo_log import log
 from oslo_service import service
@@ -26,11 +29,20 @@ class WSGIService(service.Service):
 def __init__(self):
 self.app = main.get_app()
- self.server = wsgi.Server(CONF, 'ironic_inspector',
- self.app,
- host=CONF.listen_address,
- port=CONF.listen_port,
- use_ssl=CONF.use_ssl)
+ if CONF.listen_unix_socket:
+ il_utils.unlink_without_raise(CONF.listen_unix_socket)
+ self.server = wsgi.Server(CONF, 'ironic_inspector',
+ self.app,
+ socket_family=socket.AF_UNIX,
+ socket_file=CONF.listen_unix_socket,
+ socket_mode=CONF.listen_unix_socket_mode,
+ use_ssl=CONF.use_ssl)
+ else:
+ self.server = wsgi.Server(CONF, 'ironic_inspector',
+ self.app,
+ host=CONF.listen_address,
+ port=CONF.listen_port,
+ use_ssl=CONF.use_ssl)
 def start(self):
 """Start serving this service using loaded configuration.
@@ -45,6 +57,8 @@ class WSGIService(service.Service):
 :returns: None
 """
 self.server.stop()
+ if CONF.listen_unix_socket:
+ il_utils.unlink_without_raise(CONF.listen_unix_socket)
 def wait(self):
 """Wait for the service to stop serving this API.
diff --git a/releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml b/releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml
new file mode 100644
index 000000000..14fefaf73
--- /dev/null
+++ b/releasenotes/notes/unix-socket-2f4281f8db5dd80a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Supports listening on a Unix socket instead of a normal TCP socket.
+ This is useful with an HTTP server such as nginx in proxy mode.
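Review bot: `il_utils.unlink_without_raise(CONF.listen_unix_socket)` in `__init__` removes whatever sits at the configured path before binding, without checking that it is a leftover socket: a second inspector instance started with the same path silently takes the socket away from the running one, and a path that points at a regular file by mistake deletes that file. Checking the existing path with `stat.S_ISSOCK` and refusing to start when it is anything else limits the unlink to stale sockets (it still cannot tell a stale socket from a live one; a connect probe would be needed for that). The two `wsgi.Server(...)` calls differ only in keyword arguments and can be collapsed into one call. The rewrite below needs `import os` and `import stat` next to the new `import socket`, and `RuntimeError` can be swapped for the project's configuration-error type if one exists; the class continues outside the hunk.
```python
    def __init__(self):
        self.app = main.get_app()
        kwargs = {'use_ssl': CONF.use_ssl}
        if CONF.listen_unix_socket:
            path = CONF.listen_unix_socket
            # Only a stale socket may be removed; anything else at the
            # configured path is almost certainly a misconfiguration.
            try:
                existing = os.stat(path)
            except FileNotFoundError:
                existing = None
            if existing is not None:
                if not stat.S_ISSOCK(existing.st_mode):
                    raise RuntimeError(
                        'listen_unix_socket %s exists and is not a socket'
                        % path)
                il_utils.unlink_without_raise(path)
            kwargs.update(socket_family=socket.AF_UNIX, socket_file=path,
                          socket_mode=CONF.listen_unix_socket_mode)
        else:
            kwargs.update(host=CONF.listen_address, port=CONF.listen_port)
        self.server = wsgi.Server(CONF, 'ironic_inspector', self.app, **kwargs)
```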