summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorJohn Estabrook <jestabro@vyos.io>2023-11-28 14:19:00 -0600
committerGitHub <noreply@github.com>2023-11-28 14:19:00 -0600
commit7ec55fca91f2fd606e16325166b96a18dcb3d2c5 (patch)
treed81255ceabf5fcb32761fb0c3f9985d99c0b4654 /src/conf_mode
parent6d9feb9df38bfcad7c68c2cbbdba7868a715ccef (diff)
parent3fbb1c602bb5a5003f218e437b83401664e02227 (diff)
downloadvyos-1x-7ec55fca91f2fd606e16325166b96a18dcb3d2c5.tar.gz
vyos-1x-7ec55fca91f2fd606e16325166b96a18dcb3d2c5.zip
Merge pull request #2542 from jestabro/single-owner-https-config
http-api: T5782: use single config-mode script for https and http-api
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/http-api.py112
-rwxr-xr-xsrc/conf_mode/https.py73
2 files changed, 67 insertions, 118 deletions
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
deleted file mode 100755
index 855d444c6..000000000
--- a/src/conf_mode/http-api.py
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import os
-import json
-
-from time import sleep
-
-import vyos.defaults
-
-from vyos.config import Config
-from vyos.configdep import set_dependents, call_dependents
-from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.process import is_systemd_service_running
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-api_config_state = '/tmp/api-config-state'
-systemd_service = '/run/systemd/system/vyos-http-api.service'
-
-vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
-
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
-
- # reset on creation/deletion of 'api' node
- https_base = ['service', 'https']
- if conf.exists(https_base):
- set_dependents("https", conf)
-
- base = ['service', 'https', 'api']
- if not conf.exists(base):
- return None
-
- http_api = conf.get_config_dict(base, key_mangling=('-', '_'),
- no_tag_node_value_mangle=True,
- get_first_key=True,
- with_recursive_defaults=True)
-
- # Do we run inside a VRF context?
- vrf_path = ['service', 'https', 'vrf']
- if conf.exists(vrf_path):
- http_api['vrf'] = conf.return_value(vrf_path)
-
- if http_api.from_defaults(['graphql']):
- del http_api['graphql']
-
- return http_api
-
-def verify(_http_api):
- return
-
-def generate(http_api):
- if http_api is None:
- if os.path.exists(systemd_service):
- os.unlink(systemd_service)
- return
-
- with open(api_config_state, 'w') as f:
- json.dump(http_api, f, indent=2)
-
- render(systemd_service, 'https/vyos-http-api.service.j2', http_api)
-
-def apply(http_api):
- # Reload systemd manager configuration
- call('systemctl daemon-reload')
- service_name = 'vyos-http-api.service'
-
- if http_api is not None:
- if is_systemd_service_running(f'{service_name}'):
- call(f'systemctl reload {service_name}')
- else:
- call(f'systemctl restart {service_name}')
- else:
- call(f'systemctl stop {service_name}')
-
- # Let uvicorn settle before restarting Nginx
- sleep(1)
-
- call_dependents()
-
- if os.path.exists(api_config_state):
- os.unlink(api_config_state)
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- sys.exit(1)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 81e510b0d..40b7de557 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -16,19 +16,24 @@
import os
import sys
+import json
from copy import deepcopy
+from time import sleep
import vyos.defaults
import vyos.certbot_util
from vyos.config import Config
+from vyos.configdiff import get_config_diff
from vyos.configverify import verify_vrf
from vyos import ConfigError
from vyos.pki import wrap_certificate
from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.utils.process import call
+from vyos.utils.process import is_systemd_service_running
+from vyos.utils.process import is_systemd_service_active
from vyos.utils.network import check_port_availability
from vyos.utils.network import is_listen_port_bind_service
from vyos.utils.file import write_file
@@ -42,6 +47,9 @@ cert_dir = '/etc/ssl/certs'
key_dir = '/etc/ssl/private'
certbot_dir = vyos.defaults.directories['certbot']
+api_config_state = '/run/http-api-state'
+systemd_service = '/run/systemd/system/vyos-http-api.service'
+
# https config needs to coordinate several subsystems: api, certbot,
# self-signed certificate, as well as the virtual hosts defined within the
# https config definition itself. Consequently, one needs a general dict,
@@ -67,11 +75,35 @@ def get_config(config=None):
if not conf.exists(base):
return None
+ diff = get_config_diff(conf)
+
https = conf.get_config_dict(base, get_first_key=True)
if https:
https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ no_tag_node_value_mangle=True,
+ get_first_key=True)
+
+ https['children_changed'] = diff.node_changed_children(base)
+ https['api_add_or_delete'] = diff.node_changed_presence(base + ['api'])
+
+ if 'api' not in https:
+ return https
+
+ http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'),
+ no_tag_node_value_mangle=True,
+ get_first_key=True,
+ with_recursive_defaults=True)
+
+ if http_api.from_defaults(['graphql']):
+ del http_api['graphql']
+
+ # Do we run inside a VRF context?
+ vrf_path = ['service', 'https', 'vrf']
+ if conf.exists(vrf_path):
+ http_api['vrf'] = conf.return_value(vrf_path)
+
+ https['api'] = http_api
return https
@@ -103,7 +135,7 @@ def verify(https):
if 'certbot' in https['certificates']:
vhost_names = []
- for vh, vh_conf in https.get('virtual-host', {}).items():
+ for _, vh_conf in https.get('virtual-host', {}).items():
vhost_names += vh_conf.get('server-name', [])
domains = https['certificates']['certbot'].get('domain-name', [])
domains_found = [domain for domain in domains if domain in vhost_names]
@@ -167,6 +199,14 @@ def generate(https):
if https is None:
return None
+ if 'api' not in https:
+ if os.path.exists(systemd_service):
+ os.unlink(systemd_service)
+ else:
+ render(systemd_service, 'https/vyos-http-api.service.j2', https['api'])
+ with open(api_config_state, 'w') as f:
+ json.dump(https['api'], f, indent=2)
+
server_block_list = []
# organize by vhosts
@@ -254,10 +294,31 @@ def generate(https):
def apply(https):
# Reload systemd manager configuration
call('systemctl daemon-reload')
- if https is not None:
- call('systemctl restart nginx.service')
- else:
- call('systemctl stop nginx.service')
+ http_api_service_name = 'vyos-http-api.service'
+ https_service_name = 'nginx.service'
+
+ if https is None:
+ if is_systemd_service_active(f'{http_api_service_name}'):
+ call(f'systemctl stop {http_api_service_name}')
+ call(f'systemctl stop {https_service_name}')
+ return
+
+ if 'api' in https['children_changed']:
+ if 'api' in https:
+ if is_systemd_service_running(f'{http_api_service_name}'):
+ call(f'systemctl reload {http_api_service_name}')
+ else:
+ call(f'systemctl restart {http_api_service_name}')
+ # Let uvicorn settle before (possibly) restarting nginx
+ sleep(1)
+ else:
+ if is_systemd_service_active(f'{http_api_service_name}'):
+ call(f'systemctl stop {http_api_service_name}')
+
+ if (not is_systemd_service_running(f'{https_service_name}') or
+ https['api_add_or_delete'] or
+ set(https['children_changed']) - set(['api'])):
+ call(f'systemctl restart {https_service_name}')
if __name__ == '__main__':
try: