File cloud_verifier_tornado-use-fork_processes.patch of Package keylime
From 3ffdf86d6e3f2377520a07da0202cd6ba4c6f711 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Mon, 7 Feb 2022 17:00:02 +0100
Subject: [PATCH 1/2] cloud_verifier_tornado: use fork_processes

If the cloud_verifier/multiprocessing_pool_num_workers is different from 1, the call to the `.start()` process will fail, as the previous call to `.add_sockets()` is already initializing the internal ioloop.

The raised exception will be:

Traceback (most recent call last):
File "/usr/bin/keylime_verifier", line 11, in <module>
load_entry_point('keylime==6.3.0', 'console_scripts', 'keylime_verifier')()
File "/usr/lib/python3.6/site-packages/keylime/cmd/verifier.py", line 21, in main
cloud_verifier_tornado.main()
File "/usr/lib/python3.6/site-packages/keylime/cloud_verifier_tornado.py", line 1122, in main
server.start(config.getint('cloud_verifier', 'multiprocessing_pool_num_workers'))
File "/usr/lib64/python3.6/site-packages/tornado/tcpserver.py", line 220, in start
process.fork_processes(num_processes)
File "/usr/lib64/python3.6/site-packages/tornado/process.py", line 129, in fork_processes
raise RuntimeError("Cannot run in multiple processes: IOLoop instance "
RuntimeError: Cannot run in multiple processes: IOLoop instance has already been initialized. You cannot call IOLoop.instance() before calling start_processes()

This was introduced in https://github.com/keylime/keylime/commit/50661f8b33f6b7335104cd4c0dfff711705ee96e

This patch reverts to calling `.process.fork_processes()` after the `.bind_sockets()` line, which happens before the `.start()`, and drops the optional parameter in the last method call.
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
 keylime/cloud_verifier_tornado.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
Index: keylime-v6.3.0/keylime/cloud_verifier_tornado.py
===================================================================
--- keylime-v6.3.0.orig/keylime/cloud_verifier_tornado.py
+++ keylime-v6.3.0/keylime/cloud_verifier_tornado.py
@@ -1113,13 +1113,16 @@ def main():
 sockets = tornado.netutil.bind_sockets( int(cloudverifier_port), address=cloudverifier_host)
+ tornado.process.fork_processes(config.getint(
+ 'cloud_verifier', 'multiprocessing_pool_num_workers'))
+
 server = tornado.httpserver.HTTPServer(app, ssl_options=context, max_buffer_size=max_upload_size)
 server.add_sockets(sockets)
 signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
 try:
- server.start(config.getint('cloud_verifier', 'multiprocessing_pool_num_workers'))
+ server.start()
 if tornado.process.task_id() == 0: # Start the revocation notifier only on one process
 if config.getboolean('cloud_verifier', 'revocation_notifier'):
Index: keylime-v6.3.0/keylime/crypto.py
===================================================================
--- keylime-v6.3.0.orig/keylime/crypto.py
+++ keylime-v6.3.0/keylime/crypto.py
@@ -211,5 +211,5 @@ def generate_selfsigned_cert(name, key,
 .serial_number(x509.random_serial_number())\
 .not_valid_before(datetime.datetime.utcnow())\
 .not_valid_after(valid_until)\
- .sign(key, hashes.SHA256())
+ .sign(key, hashes.SHA256(), backend=default_backend())
 return cert
Index: keylime-v6.3.0/keylime/keylime_agent.py
===================================================================
--- keylime-v6.3.0.orig/keylime/keylime_agent.py
+++ keylime-v6.3.0/keylime/keylime_agent.py
@@ -30,6 +30,7 @@ import subprocess import psutil from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from keylime import config
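Review bot: In keylime/cloud_verifier_tornado.py the `signal.signal(signal.SIGTERM, ...)` line now runs after `tornado.process.fork_processes(...)`, so as far as this hunk shows only the forked workers install the handler and the supervising parent keeps the default SIGTERM disposition. Tornado's `fork_processes` does not return in the parent (it waits on the children and restarts those that exit abnormally), and unlike the old `server.start(1)` path it forks even when `multiprocessing_pool_num_workers` is 1, so a stop request that reaches only the parent PID can leave verifier workers alive and holding the listening socket. I would record this at the call, e.g. `# fork_processes() returns only in the workers; the parent supervises them and has no SIGTERM handler, so stop the whole process group`, and confirm the service unit signals the group. main() starts and ends outside the hunk, so a handler installed earlier in it would not be visible here.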
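Review bot: The `backend=default_backend()` changes in keylime/crypto.py and in both keylime/keylime_agent.py hunks are not covered by the patch header, whose subject and diffstat (`1 file changed, 4 insertions(+), 1 deletion(-)`) describe only cloud_verifier_tornado.py. For a patch carried in a distribution package, that mismatch makes the certificate-handling change harder to audit; the header should list all three files and state why the explicit backend is passed (presumably for an older `cryptography` release that still requires the argument). The crypto.py hunk adds no import, so it relies on `default_backend` already being imported in that file, which is not visible here. A one-line comment at each call, such as `# explicit backend: required by older cryptography releases`, would keep the reason next to the code.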
@@ -422,7 +423,7 @@ class CloudAgentHTTPServer(ThreadingMixI
 if os.path.isfile(certname):
 logger.debug("Using existing mTLS cert in %s", certname)
 with open(certname, "rb") as f:
- mtls_cert = x509.load_pem_x509_certificate(f.read())
+ mtls_cert = x509.load_pem_x509_certificate(f.read(), backend=default_backend())
 else:
 logger.debug("No mTLS certificate found generating a new one")
 with open(certname, "wb") as f: