1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
package endpoints
import (
"fmt"
"log"
"net"
"strings"
"time"
"github.com/lxc/incus/v6/internal/ports"
"github.com/lxc/incus/v6/internal/server/endpoints/listeners"
internalUtil "github.com/lxc/incus/v6/internal/util"
"github.com/lxc/incus/v6/shared/logger"
localtls "github.com/lxc/incus/v6/shared/tls"
"github.com/lxc/incus/v6/shared/util"
)
// NetworkPublicKey returns the public key of the TLS certificate used by the
// network endpoint.
func (e *Endpoints) NetworkPublicKey() []byte {
e.mu.RLock()
defer e.mu.RUnlock()
return e.cert.PublicKey()
}
// NetworkPrivateKey returns the private key of the TLS certificate used by the
// network endpoint.
func (e *Endpoints) NetworkPrivateKey() []byte {
e.mu.RLock()
defer e.mu.RUnlock()
return e.cert.PrivateKey()
}
// NetworkCert returns the full TLS certificate information for this endpoint.
func (e *Endpoints) NetworkCert() *localtls.CertInfo {
e.mu.RLock()
defer e.mu.RUnlock()
return e.cert
}
// NetworkAddress returns the network address of the network endpoint, or an
// empty string if there's no network endpoint.
func (e *Endpoints) NetworkAddress() string {
e.mu.RLock()
defer e.mu.RUnlock()
listener := e.listeners[network]
if listener == nil {
return ""
}
return listener.Addr().String()
}
// NetworkUpdateAddress updates the address for the network endpoint, shutting
// it down and restarting it.
func (e *Endpoints) NetworkUpdateAddress(address string) error {
if address != "" {
address = internalUtil.CanonicalNetworkAddress(address, ports.HTTPSDefaultPort)
}
oldAddress := e.NetworkAddress()
if address == oldAddress {
return nil
}
clusterAddress := e.clusterAddress()
logger.Infof("Update network address")
e.mu.Lock()
defer e.mu.Unlock()
// Close the previous socket
_ = e.closeListener(network)
// If turning off listening, we're done.
if address == "" {
return nil
}
// If the new address covers the cluster one, turn off the cluster
// listener.
if clusterAddress != "" && internalUtil.IsAddressCovered(clusterAddress, address) {
_ = e.closeListener(cluster)
}
// Attempt to setup the new listening socket
getListener := func(address string) (*net.Listener, error) {
var err error
var listener net.Listener
for range 10 { // Ten retries over a second seems reasonable.
listener, err = net.Listen("tcp", address)
if err == nil {
break
}
time.Sleep(100 * time.Millisecond)
}
if err != nil {
return nil, fmt.Errorf("Cannot listen on network HTTPS socket %q: %w", address, err)
}
return &listener, nil
}
// Set up the listener
listener, err := getListener(address)
if err != nil {
// Attempt to revert to the previous address
listener, err1 := getListener(oldAddress)
if err1 == nil {
e.listeners[network] = listeners.NewFancyTLSListener(*listener, e.cert)
e.serve(network)
}
return err
}
e.listeners[network] = listeners.NewFancyTLSListener(*listener, e.cert)
e.serve(network)
return nil
}
// NetworkUpdateCert updates the TLS keypair and CA used by the network
// endpoint.
//
// If the network endpoint is active, in-flight requests will continue using
// the old certificate, and only new requests will use the new one.
func (e *Endpoints) NetworkUpdateCert(cert *localtls.CertInfo) {
e.mu.Lock()
defer e.mu.Unlock()
e.cert = cert
for _, listenerKey := range []kind{network, cluster, vmvsock, storageBuckets, metrics} {
listener, found := e.listeners[listenerKey]
if found {
listener.(*listeners.FancyTLSListener).Config(cert)
}
}
}
// NetworkUpdateTrustedProxy updates the https trusted proxy used by the network endpoint.
func (e *Endpoints) NetworkUpdateTrustedProxy(trustedProxy string) {
var proxies []net.IP
for _, p := range util.SplitNTrimSpace(trustedProxy, ",", -1, true) {
proxyIP := net.ParseIP(p)
if proxyIP == nil {
continue
}
proxies = append(proxies, proxyIP)
}
e.mu.Lock()
defer e.mu.Unlock()
for _, kind := range []kind{network, cluster} {
listener, ok := e.listeners[kind]
if !ok || listener == nil {
continue
}
listener.(*listeners.FancyTLSListener).TrustedProxy(proxies)
}
server, ok := e.servers[network]
if ok && server != nil {
server.ErrorLog = log.New(networkServerErrorLogWriter{proxies: proxies}, "", 0)
}
}
// Create a new net.Listener bound to the tcp socket of the network endpoint.
func networkCreateListener(address string, cert *localtls.CertInfo) (net.Listener, error) {
// Listening on `tcp` network with address 0.0.0.0 will end up with listening
// on both IPv4 and IPv6 interfaces. Pass `tcp4` to make it
// work only on 0.0.0.0. https://go-review.googlesource.com/c/go/+/45771/
listenAddress := internalUtil.CanonicalNetworkAddress(address, ports.HTTPSDefaultPort)
protocol := "tcp"
if strings.HasPrefix(listenAddress, "0.0.0.0") {
protocol = "tcp4"
}
listener, err := net.Listen(protocol, listenAddress)
if err != nil {
return nil, fmt.Errorf("Bind network address: %w", err)
}
return listeners.NewFancyTLSListener(listener, cert), nil
}
|
