starlingx/integ
Code Issues Proposed changes

CentOS 8: Upgrade haproxy to version 1.8.15

Browse Source 
(1)Release Version Upgrade
(2)Matching code changes with el7 to el8
(3)Delete haproxy-env-var.patch, as el8.src.rpm contains the patch info
the new version 1.8.15 contains the functionality provided by the patch
(as opposed to el8.src.rpm). Looking at the history, haproxy-1.6 added the ability
to use environment variables in the configuration file, which is what was patched back,
about patch haproxy-env-var.patch, so delete it.

Change-Id: I44f5182f233d3a59f750e90b4af15f49c5da3543
Story: 2006729
Task: 37680
Depends-On: https://review.opendev.org/#/c/696481/
Depends-On: https://review.opendev.org/#/c/696050/
Signed-off-by: Long Li <lilong-neu@neusoft.com>
This commit is contained in:
Long Li 2019-11-22 14:59:08 +08:00
parent 9035cd1be8
commit 00b9337a88
6 changed files with 85 additions and 341 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
base/haproxy/centos/build_srpm.data
View File

@ -1,2 +1,2 @@
SRC_DIR="files"
TIS_PATCH_VER=8
TIS_PATCH_VER=1

15
base/haproxy/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
View File

@ -1,26 +1,27 @@
From 55d52d8bc9f649b4871336aaffd87fb7d931eac8 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: [PATCH] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Subject: [PATCH] 0001-Update-package-versioning-for-TIS-format.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Signed-off-by: Long Li <lilong-neu@neusoft.com>
---
SPECS/haproxy.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 39c0c86..b0d5862 100644
index b28896f..a7af312 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -8,7 +8,7 @@
Name: haproxy
Version: 1.5.18
-Release: 8%{?dist}
+Release: 8.el7%{?_tis_dist}.%{tis_patch_ver}
Summary: TCP/HTTP proxy and load balancer for high availability environments
Version: 1.8.15
-Release: 5%{?dist}
+Release: 5.el8%{?_tis_dist}.%{tis_patch_ver}
Summary: HAProxy reverse proxy for high availability environments
Group: System Environment/Daemons
--
1.8.3.1
2.7.4

39
base/haproxy/centos/meta_patches/spec-include-TiS-changes.patch
View File

@ -1,27 +1,27 @@
From 0b326ac9fcee3fbac7e41e3bc269cc7251dcf9dd Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:12:36 -0400
Subject: WRS: spec-include-TiS-changes.patch
Subject: spec-include-TiS-changes.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Signed-off-by: Long Li <lilong-neu@neusoft.com>
---
SPECS/haproxy.spec | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
SPECS/haproxy.spec | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 30dca25..53def97 100644
index 490d006..b28896f 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -26,6 +26,8 @@ Patch0: halog-unused-variables.patch
Patch1: iprange-return-type.patch
Patch2: haproxy-tcp-user-timeout.patch
Patch3: haproxy-systemd-wrapper-exit-code.patch
+Patch4: haproxy-env-var.patch
+Patch5: haproxy-tpm-support.patch
@@ -23,6 +23,7 @@ Source4: %{name}.sysconfig
Source5: halog.1
Patch0: bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+Patch1: haproxy-tpm-support.patch
BuildRequires: lua-devel
BuildRequires: pcre-devel
BuildRequires: zlib-devel
@@ -37,6 +39,8 @@ Requires(post): systemd
@@ -36,6 +37,8 @@ Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@ -30,16 +30,15 @@ index 30dca25..53def97 100644
%description
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
availability environments. Indeed, it can:
@@ -57,6 +61,8 @@ availability environments. Indeed, it can:
%patch1 -p0
%patch2 -p1
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
@@ -53,6 +56,7 @@ availability environments. Indeed, it can:
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
regparm_opts=
@@ -79,7 +85,7 @@ popd
@@ -75,7 +79,7 @@ popd
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
@ -49,5 +48,5 @@ index 30dca25..53def97 100644
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
--
1.8.3.1
2.7.4

245
base/haproxy/centos/patches/haproxy-env-var.patch
View File

@ -1,245 +0,0 @@
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 39abf6b..6a7f80c 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -5821,12 +5821,19 @@ out:
*/
int readcfgfile(const char *file)
{
- char thisline[LINESIZE];
+ char *thisline;
+ int linesize = LINESIZE;
FILE *f;
int linenum = 0;
int err_code = 0;
struct cfg_section *cs = NULL;
struct cfg_section *ics;
+ int readbytes = 0;
+
+ if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) {
+ Alert("parsing [%s] : out of memory.\n", file);
+ return -1;
+ }
/* Register internal sections */
if (!cfg_register_section("listen", cfg_parse_listen) ||
@@ -5842,11 +5849,14 @@ int readcfgfile(const char *file)
if ((f=fopen(file,"r")) == NULL)
return -1;
- while (fgets(thisline, sizeof(thisline), f) != NULL) {
+next_line:
+ while (fgets(thisline + readbytes, linesize - readbytes, f) != NULL) {
int arg, kwm = KWM_STD;
char *end;
char *args[MAX_LINE_ARGS + 1];
char *line = thisline;
+ int dquote = 0; /* double quote */
+ int squote = 0; /* simple quote */
linenum++;
@@ -5856,11 +5866,25 @@ int readcfgfile(const char *file)
/* Check if we reached the limit and the last char is not \n.
* Watch out for the last line without the terminating '\n'!
*/
- Alert("parsing [%s:%d]: line too long, limit: %d.\n",
- file, linenum, (int)sizeof(thisline)-1);
- err_code |= ERR_ALERT | ERR_FATAL;
+ char *newline;
+ int newlinesize = linesize * 2;
+
+ newline = realloc(thisline, sizeof(*thisline) * newlinesize);
+ if (newline == NULL) {
+ Alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
+ file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ continue;
+ }
+
+ readbytes = linesize - 1;
+ linesize = newlinesize;
+ thisline = newline;
+ continue;
}
+ readbytes = 0;
+
/* skip leading spaces */
while (isspace((unsigned char)*line))
line++;
@@ -5869,10 +5893,26 @@ int readcfgfile(const char *file)
args[arg] = line;
while (*line && arg < MAX_LINE_ARGS) {
- /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
- * C equivalent value. Other combinations left unchanged (eg: \1).
- */
- if (*line == '\\') {
+ if (*line == '"' && !squote) { /* double quote outside single quotes */
+ if (dquote)
+ dquote = 0;
+ else
+ dquote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\'' && !dquote) { /* single quote outside double quotes */
+ if (squote)
+ squote = 0;
+ else
+ squote = 1;
+ memmove(line, line + 1, end - line);
+ end--;
+ }
+ else if (*line == '\\' && !squote) {
+ /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
+ * C equivalent value. Other combinations left unchanged (eg: \1).
+ */
int skip = 0;
if (line[1] == ' ' || line[1] == '\\' || line[1] == '#') {
*line = line[1];
@@ -5904,6 +5944,15 @@ int readcfgfile(const char *file)
Alert("parsing [%s:%d] : invalid or incomplete '\\x' sequence in '%s'.\n", file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
}
+ } else if (line[1] == '"') {
+ *line = '"';
+ skip = 1;
+ } else if (line[1] == '\'') {
+ *line = '\'';
+ skip = 1;
+ } else if (line[1] == '$' && dquote) { /* escaping of $ only inside double quotes */
+ *line = '$';
+ skip = 1;
}
if (skip) {
memmove(line + 1, line + 1 + skip, end - (line + skip));
@@ -5911,23 +5960,117 @@ int readcfgfile(const char *file)
}
line++;
}
- else if (*line == '#' || *line == '\n' || *line == '\r') {
+ else if ((!squote && !dquote && *line == '#') || *line == '\n' || *line == '\r') {
/* end of string, end of loop */
*line = 0;
break;
}
- else if (isspace((unsigned char)*line)) {
+ else if (!squote && !dquote && isspace((unsigned char)*line)) {
/* a non-escaped space is an argument separator */
*line++ = '\0';
while (isspace((unsigned char)*line))
line++;
args[++arg] = line;
}
+ else if (dquote && *line == '$') {
+ /* environment variables are evaluated inside double quotes */
+ char *var_beg;
+ char *var_end;
+ char save_char;
+ char *value;
+ int val_len;
+ int newlinesize;
+ int braces = 0;
+
+ var_beg = line + 1;
+ var_end = var_beg;
+
+ if (*var_beg == '{') {
+ var_beg++;
+ var_end++;
+ braces = 1;
+ }
+
+ if (!isalpha((int)(unsigned char)*var_beg) && *var_beg != '_') {
+ Alert("parsing [%s:%d] : Variable expansion: Unrecognized character '%c' in variable name.\n", file, linenum, *var_beg);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+
+ while (isalnum((int)(unsigned char)*var_end) || *var_end == '_')
+ var_end++;
+
+ save_char = *var_end;
+ *var_end = '\0';
+ value = getenv(var_beg);
+ *var_end = save_char;
+ val_len = value ? strlen(value) : 0;
+
+ if (braces) {
+ if (*var_end == '}') {
+ var_end++;
+ braces = 0;
+ } else {
+ Alert("parsing [%s:%d] : Variable expansion: Mismatched braces.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* skip current line */
+ }
+ }
+
+ newlinesize = (end - thisline) - (var_end - line) + val_len + 1;
+
+ /* if not enough space in thisline */
+ if (newlinesize > linesize) {
+ char *newline;
+
+ newline = realloc(thisline, newlinesize * sizeof(*thisline));
+ if (newline == NULL) {
+ Alert("parsing [%s:%d] : Variable expansion: Not enough memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto next_line; /* slip current line */
+ }
+ /* recompute pointers if realloc returns a new pointer */
+ if (newline != thisline) {
+ int i;
+ int diff;
+
+ for (i = 0; i <= arg; i++) {
+ diff = args[i] - thisline;
+ args[i] = newline + diff;
+ }
+
+ diff = var_end - thisline;
+ var_end = newline + diff;
+ diff = end - thisline;
+ end = newline + diff;
+ diff = line - thisline;
+ line = newline + diff;
+ thisline = newline;
+ }
+ linesize = newlinesize;
+ }
+
+ /* insert value inside the line */
+ memmove(line + val_len, var_end, end - var_end + 1);
+ memcpy(line, value, val_len);
+ end += val_len - (var_end - line);
+ line += val_len;
+ }
else {
line++;
}
}
+ if (dquote) {
+ Alert("parsing [%s:%d] : Mismatched double quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
+ if (squote) {
+ Alert("parsing [%s:%d] : Mismatched simple quotes.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+
/* empty line */
if (!**args)
continue;
@@ -5998,6 +6141,7 @@ int readcfgfile(const char *file)
break;
}
cursection = NULL;
+ free(thisline);
fclose(f);
return err_code;
}

123
base/haproxy/centos/patches/haproxy-tpm-support.patch
View File

@ -1,22 +1,22 @@
From a2a25214f6f4913b774bdd6c0b80d3ea424d3a1b Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Wed, 22 Mar 2017 12:07:24 -0400
Subject: [PATCH] haproxy tpm support
From 9ec23c9ac2ba1a0379bf96359e0741c07b4d190e Mon Sep 17 00:00:00 2001
From: Long Li <lilong-neu@neusoft.com>
Date: Tue, 5 Nov 2019 10:29:32 +0800
Subject: [PATCH] haproxy-tpm-support
---
include/types/global.h | 13 +++++
include/types/global.h | 12 ++++
src/cfgparse.c | 28 ++++++++++
src/haproxy.c | 26 ++++++++-
src/haproxy.c | 24 ++++++++
src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------
4 files changed, 197 insertions(+), 17 deletions(-)
4 files changed, 194 insertions(+), 17 deletions(-)
diff --git a/include/types/global.h b/include/types/global.h
index f1525ae..2e9c077 100644
index bd7761c..ff750ea 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -30,6 +30,10 @@
#include <types/proxy.h>
@@ -34,6 +34,10 @@
#include <types/task.h>
#include <types/vars.h>
+#ifdef USE_OPENSSL
+#include <openssl/engine.h>
@ -25,11 +25,10 @@ index f1525ae..2e9c077 100644
#ifndef UNIX_MAX_PATH
#define UNIX_MAX_PATH 108
#endif
@@ -71,6 +75,14 @@ enum {
@@ -83,6 +87,13 @@ enum {
SSL_SERVER_VERIFY_REQUIRED = 1,
};
+// WRS: Define a new TPM configuration structure
+struct tpm_conf {
+ char *tpm_object;
+ char *tpm_engine;
@ -39,22 +38,22 @@ index f1525ae..2e9c077 100644
+
/* FIXME : this will have to be redefined correctly */
struct global {
#ifdef USE_OPENSSL
@@ -87,6 +99,7 @@ struct global {
char *connect_default_ciphers;
int listen_default_ssloptions;
int connect_default_ssloptions;
+ struct tpm_conf tpm; // tpm configuration
#endif
int uid;
@@ -98,6 +109,7 @@ struct global {
int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
int ssl_used_backend; /* non-zero if SSL is used in a backend */
int ssl_used_async_engines; /* number of used async engines */
+ struct tpm_conf tpm; /* tpm configuration*/
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
struct freq_ctr sess_per_sec;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6a7f80c..3bc6e79 100644
index 94f2963..198cdbf 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1541,6 +1541,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
goto out;
#endif
@@ -1865,6 +1865,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
env++;
}
}
+ else if (!strcmp(args[0], "tpm-object")) {
+ if (global.tpm.tpm_object) {
@ -88,10 +87,10 @@ index 6a7f80c..3bc6e79 100644
struct cfg_kw_list *kwl;
int index;
diff --git a/src/haproxy.c b/src/haproxy.c
index 862697d..2a1a0dc 100644
index 8100f27..6983444 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -959,6 +959,24 @@ static void deinit_stick_rules(struct list *rules)
@@ -1994,6 +1994,24 @@ static void deinit_stick_rules(struct list *rules)
}
}
@ -115,13 +114,11 @@ index 862697d..2a1a0dc 100644
+
void deinit(void)
{
struct proxy *p = proxy, *p0;
@@ -1218,7 +1236,13 @@ void deinit(void)
struct proxy *p = proxies_list, *p0;
@@ -2282,6 +2300,12 @@ void deinit(void)
free(uap);
}
-
+
+ /* if HAProxy was in TPM mode then deinit
+ * that configuration as well.
+ */
@ -130,20 +127,12 @@ index 862697d..2a1a0dc 100644
+
userlist_free(userlist);
protocol_unbind_all();
cfg_unregister_sections();
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ead4c7b..4e16026 100644
index 24ccc4b..da88025 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -50,6 +50,7 @@
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#include <openssl/engine.h>
#include <common/buffer.h>
#include <common/compat.h>
@@ -1115,6 +1116,80 @@ end:
@@ -3322,6 +3322,80 @@ end:
return ret;
}
@ -221,10 +210,10 @@ index ead4c7b..4e16026 100644
+ return 1;
+}
+
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
char **sni_filter, int fcount, char **err)
{
int ret;
@@ -1127,26 +1202,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
@@ -3335,26 +3409,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
return 1;
}
@ -233,7 +222,14 @@ index ead4c7b..4e16026 100644
- err && *err ? *err : "", path);
- SSL_CTX_free(ctx);
- return 1;
+ /* NOTE (knasim-wrs): US93721: TPM support
- }
-
- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, ssl_conf, sni_filter, fcount);
- if (ret <= 0) {
- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- if (ret < 0) /* serious error, must do that ourselves */
+ /* NOTE: TPM support
+ * This SSL context applies to SSL frontends only.
+ * If the TPM option is set then the Private key
+ * is stored in TPM.
@ -247,25 +243,19 @@ index ead4c7b..4e16026 100644
+ ret = ssl_sock_load_tpm_key(ctx, err);
+ if (ret > 0) {
+ /* tpm configuration failed */
+ SSL_CTX_free(ctx);
+ return 1;
+ }
}
-
- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
- if (ret <= 0) {
- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- if (ret < 0) /* serious error, must do that ourselves */
+ else { /* non TPM mode */
+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
SSL_CTX_free(ctx);
- return 1;
+ return 1;
+ }
}
+ else { /* non TPM mode */
+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ SSL_CTX_free(ctx);
+ return 1;
+ }
+ }
- if (SSL_CTX_check_private_key(ctx) <= 0) {
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
@ -295,12 +285,11 @@ index ead4c7b..4e16026 100644
}
/* we must not free the SSL_CTX anymore below, since it's already in
@@ -1725,6 +1828,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
cfgerr++;
return cfgerr;
}
+
+ /* NOTE (knasim-wrs): US93721: TPM support
@@ -4597,6 +4699,17 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
SSL_CTX_set_mode(ctx, mode);
srv->ssl_ctx.ctx = ctx;
+ /* NOTE: TPM support
+ * This SSL context applies to SSL backends only.
+ * Since Titanium backends don't support SSL, there
+ * is no need to offload these keys in TPM or reuse the
@ -313,7 +302,7 @@ index ead4c7b..4e16026 100644
+ */
if (srv->ssl_ctx.client_crt) {
if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
ha_alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
--
1.8.3.1
2.7.4

2
base/haproxy/centos/srpm_path
View File

@ -1 +1 @@
mirror:Source/haproxy-1.5.18-8.el7.src.rpm
mirror:Source/haproxy-1.8.15-5.el8.src.rpm