forked from Deuxfleurs/garage
Félix Baylac Jacqué
f83fa02193
Sometimes, the secret files permissions checks gets in the way. It's by no mean complete, it doesn't take the Posix ACLs into account among other things. Correctly checking the ACLs would be too involving (see Deuxfleurs/garage#658 (comment)) and would likely still fail in some weird chmod settings. We're adding a new configuration file key allowing the user to disable this permission check altogether. The (already existing) env variable counterpart always take precedence to this config file option. That's useful in cases where the configuration file is static and cannot be easily altered. Fixes Deuxfleurs/garage#658 Co-authored-by: Florian Klink <flokli@flokli.de>
555 lines
16 KiB
Rust
555 lines
16 KiB
Rust
//! Contains type and functions related to Garage configuration file
|
|
use std::convert::TryFrom;
|
|
use std::io::Read;
|
|
use std::net::SocketAddr;
|
|
use std::path::PathBuf;
|
|
|
|
use serde::{de, Deserialize};
|
|
|
|
use crate::error::Error;
|
|
use crate::socket_address::UnixOrTCPSocketAddress;
|
|
|
|
/// Represent the whole configuration
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct Config {
|
|
/// Path where to store metadata. Should be fast, but low volume
|
|
pub metadata_dir: PathBuf,
|
|
/// Path where to store data. Can be slower, but need higher volume
|
|
pub data_dir: PathBuf,
|
|
|
|
/// Size of data blocks to save to disk
|
|
#[serde(
|
|
deserialize_with = "deserialize_capacity",
|
|
default = "default_block_size"
|
|
)]
|
|
pub block_size: usize,
|
|
|
|
/// Replication mode. Supported values:
|
|
/// - none, 1 -> no replication
|
|
/// - 2 -> 2-way replication
|
|
/// - 3 -> 3-way replication
|
|
// (we can add more aliases for this later)
|
|
pub replication_mode: String,
|
|
|
|
/// Zstd compression level used on data blocks
|
|
#[serde(
|
|
deserialize_with = "deserialize_compression",
|
|
default = "default_compression"
|
|
)]
|
|
pub compression_level: Option<i32>,
|
|
|
|
/// Skip the permission check of secret files. Useful when
|
|
/// POSIX ACLs (or more complex chmods) are used.
|
|
#[serde(default)]
|
|
pub allow_world_readable_secrets: bool,
|
|
|
|
/// RPC secret key: 32 bytes hex encoded
|
|
pub rpc_secret: Option<String>,
|
|
/// Optional file where RPC secret key is read from
|
|
pub rpc_secret_file: Option<String>,
|
|
/// Address to bind for RPC
|
|
pub rpc_bind_addr: SocketAddr,
|
|
/// Public IP address of this node
|
|
pub rpc_public_addr: Option<String>,
|
|
|
|
/// Timeout for Netapp's ping messagess
|
|
pub rpc_ping_timeout_msec: Option<u64>,
|
|
/// Timeout for Netapp RPC calls
|
|
pub rpc_timeout_msec: Option<u64>,
|
|
|
|
// -- Bootstraping and discovery
|
|
/// Bootstrap peers RPC address
|
|
#[serde(default)]
|
|
pub bootstrap_peers: Vec<String>,
|
|
|
|
/// Configuration for automatic node discovery through Consul
|
|
#[serde(default)]
|
|
pub consul_discovery: Option<ConsulDiscoveryConfig>,
|
|
/// Configuration for automatic node discovery through Kubernetes
|
|
#[serde(default)]
|
|
pub kubernetes_discovery: Option<KubernetesDiscoveryConfig>,
|
|
|
|
// -- DB
|
|
/// Database engine to use for metadata (options: sled, sqlite, lmdb)
|
|
#[serde(default = "default_db_engine")]
|
|
pub db_engine: String,
|
|
|
|
/// Sled cache size, in bytes
|
|
#[serde(
|
|
deserialize_with = "deserialize_capacity",
|
|
default = "default_sled_cache_capacity"
|
|
)]
|
|
pub sled_cache_capacity: usize,
|
|
/// Sled flush interval in milliseconds
|
|
#[serde(default = "default_sled_flush_every_ms")]
|
|
pub sled_flush_every_ms: u64,
|
|
|
|
/// LMDB map size
|
|
#[serde(deserialize_with = "deserialize_capacity", default)]
|
|
pub lmdb_map_size: usize,
|
|
|
|
// -- APIs
|
|
/// Configuration for S3 api
|
|
pub s3_api: S3ApiConfig,
|
|
|
|
/// Configuration for K2V api
|
|
pub k2v_api: Option<K2VApiConfig>,
|
|
|
|
/// Configuration for serving files as normal web server
|
|
pub s3_web: Option<WebConfig>,
|
|
|
|
/// Configuration for the admin API endpoint
|
|
#[serde(default = "Default::default")]
|
|
pub admin: AdminConfig,
|
|
}
|
|
|
|
/// Configuration for S3 api
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct S3ApiConfig {
|
|
/// Address and port to bind for api serving
|
|
pub api_bind_addr: Option<UnixOrTCPSocketAddress>,
|
|
/// S3 region to use
|
|
pub s3_region: String,
|
|
/// Suffix to remove from domain name to find bucket. If None,
|
|
/// vhost-style S3 request are disabled
|
|
pub root_domain: Option<String>,
|
|
}
|
|
|
|
/// Configuration for K2V api
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct K2VApiConfig {
|
|
/// Address and port to bind for api serving
|
|
pub api_bind_addr: UnixOrTCPSocketAddress,
|
|
}
|
|
|
|
/// Configuration for serving files as normal web server
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct WebConfig {
|
|
/// Address and port to bind for web serving
|
|
pub bind_addr: UnixOrTCPSocketAddress,
|
|
/// Suffix to remove from domain name to find bucket
|
|
pub root_domain: String,
|
|
}
|
|
|
|
/// Configuration for the admin and monitoring HTTP API
|
|
#[derive(Deserialize, Debug, Clone, Default)]
|
|
pub struct AdminConfig {
|
|
/// Address and port to bind for admin API serving
|
|
pub api_bind_addr: Option<UnixOrTCPSocketAddress>,
|
|
|
|
/// Bearer token to use to scrape metrics
|
|
pub metrics_token: Option<String>,
|
|
/// File to read metrics token from
|
|
pub metrics_token_file: Option<String>,
|
|
|
|
/// Bearer token to use to access Admin API endpoints
|
|
pub admin_token: Option<String>,
|
|
/// File to read admin token from
|
|
pub admin_token_file: Option<String>,
|
|
|
|
/// OTLP server to where to export traces
|
|
pub trace_sink: Option<String>,
|
|
}
|
|
|
|
#[derive(Deserialize, Debug, Clone, Default)]
|
|
#[serde(rename_all = "lowercase")]
|
|
pub enum ConsulDiscoveryAPI {
|
|
#[default]
|
|
Catalog,
|
|
Agent,
|
|
}
|
|
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct ConsulDiscoveryConfig {
|
|
/// The consul api to use when registering: either `catalog` (the default) or `agent`
|
|
#[serde(default)]
|
|
pub api: ConsulDiscoveryAPI,
|
|
/// Consul http or https address to connect to to discover more peers
|
|
pub consul_http_addr: String,
|
|
/// Consul service name to use
|
|
pub service_name: String,
|
|
/// CA TLS certificate to use when connecting to Consul
|
|
pub ca_cert: Option<String>,
|
|
/// Client TLS certificate to use when connecting to Consul
|
|
pub client_cert: Option<String>,
|
|
/// Client TLS key to use when connecting to Consul
|
|
pub client_key: Option<String>,
|
|
/// /// Token to use for connecting to consul
|
|
pub token: Option<String>,
|
|
/// Skip TLS hostname verification
|
|
#[serde(default)]
|
|
pub tls_skip_verify: bool,
|
|
/// Additional tags to add to the service
|
|
#[serde(default)]
|
|
pub tags: Vec<String>,
|
|
/// Additional service metadata to add
|
|
#[serde(default)]
|
|
pub meta: Option<std::collections::HashMap<String, String>>,
|
|
}
|
|
|
|
#[derive(Deserialize, Debug, Clone)]
|
|
pub struct KubernetesDiscoveryConfig {
|
|
/// Kubernetes namespace the service discovery resources are be created in
|
|
pub namespace: String,
|
|
/// Service name to filter for in k8s custom resources
|
|
pub service_name: String,
|
|
/// Skip creation of the garagenodes CRD
|
|
#[serde(default)]
|
|
pub skip_crd: bool,
|
|
}
|
|
|
|
fn default_db_engine() -> String {
|
|
"sled".into()
|
|
}
|
|
|
|
fn default_sled_cache_capacity() -> usize {
|
|
128 * 1024 * 1024
|
|
}
|
|
fn default_sled_flush_every_ms() -> u64 {
|
|
2000
|
|
}
|
|
fn default_block_size() -> usize {
|
|
1048576
|
|
}
|
|
|
|
/// Read and parse configuration
|
|
pub fn read_config(config_file: PathBuf) -> Result<Config, Error> {
|
|
let mut file = std::fs::OpenOptions::new()
|
|
.read(true)
|
|
.open(config_file.as_path())?;
|
|
|
|
let mut config = String::new();
|
|
file.read_to_string(&mut config)?;
|
|
|
|
let mut parsed_config: Config = toml::from_str(&config)?;
|
|
|
|
secret_from_file(
|
|
&mut parsed_config.rpc_secret,
|
|
&parsed_config.rpc_secret_file,
|
|
"rpc_secret",
|
|
parsed_config.allow_world_readable_secrets,
|
|
)?;
|
|
secret_from_file(
|
|
&mut parsed_config.admin.metrics_token,
|
|
&parsed_config.admin.metrics_token_file,
|
|
"admin.metrics_token",
|
|
parsed_config.allow_world_readable_secrets,
|
|
)?;
|
|
secret_from_file(
|
|
&mut parsed_config.admin.admin_token,
|
|
&parsed_config.admin.admin_token_file,
|
|
"admin.admin_token",
|
|
parsed_config.allow_world_readable_secrets,
|
|
)?;
|
|
|
|
Ok(parsed_config)
|
|
}
|
|
|
|
pub fn read_secret_file(file_path: &String) -> Result<String, Error> {
|
|
#[cfg(unix)]
|
|
if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") {
|
|
use std::os::unix::fs::MetadataExt;
|
|
let metadata = std::fs::metadata(file_path)?;
|
|
if metadata.mode() & 0o077 != 0 {
|
|
return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
|
|
}
|
|
}
|
|
let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?;
|
|
let mut secret_buf = String::new();
|
|
file.read_to_string(&mut secret_buf)?;
|
|
|
|
// trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
|
|
// also editors sometimes add a trailing newline
|
|
Ok(String::from(secret_buf.trim_end()))
|
|
}
|
|
|
|
fn secret_from_file(
|
|
secret: &mut Option<String>,
|
|
secret_file: &Option<String>,
|
|
name: &'static str,
|
|
conf_allow_world_readable: bool,
|
|
) -> Result<(), Error> {
|
|
match (&secret, &secret_file) {
|
|
(_, None) => {
|
|
// no-op
|
|
}
|
|
(Some(_), Some(_)) => {
|
|
return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
|
|
}
|
|
(None, Some(file_path)) => {
|
|
#[cfg(unix)]
|
|
// decide whether to ignore or check permission
|
|
// bits. GARAGE_ALLOW_WORLD_READABLE_SECRETS
|
|
// always takes precedence over what's specified
|
|
// in the config file, to allow overriding it in
|
|
// case the config file is read-only.
|
|
let ignore_perms = {
|
|
let ignore_perms_env = std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS");
|
|
if ignore_perms_env.as_deref() == Ok("true") {
|
|
true
|
|
} else if ignore_perms_env.as_deref() == Ok("false") {
|
|
false
|
|
} else {
|
|
conf_allow_world_readable
|
|
}
|
|
};
|
|
if !ignore_perms {
|
|
use std::os::unix::fs::MetadataExt;
|
|
let metadata = std::fs::metadata(file_path)?;
|
|
if metadata.mode() & 0o077 != 0 {
|
|
return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
|
|
}
|
|
}
|
|
let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?;
|
|
let mut secret_buf = String::new();
|
|
file.read_to_string(&mut secret_buf)?;
|
|
// trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
|
|
// also editors sometimes add a trailing newline
|
|
*secret = Some(String::from(secret_buf.trim_end()));
|
|
}
|
|
}
|
|
Ok(())
|
|
}
|
|
|
|
fn default_compression() -> Option<i32> {
|
|
Some(1)
|
|
}
|
|
|
|
fn deserialize_compression<'de, D>(deserializer: D) -> Result<Option<i32>, D::Error>
|
|
where
|
|
D: de::Deserializer<'de>,
|
|
{
|
|
struct OptionVisitor;
|
|
|
|
impl<'de> serde::de::Visitor<'de> for OptionVisitor {
|
|
type Value = Option<i32>;
|
|
fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
|
|
formatter.write_str("int or 'none'")
|
|
}
|
|
|
|
fn visit_str<E>(self, value: &str) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
if value.eq_ignore_ascii_case("none") {
|
|
Ok(None)
|
|
} else {
|
|
Err(E::custom(format!(
|
|
"Invalid compression level: '{}', should be a number, or 'none'",
|
|
value
|
|
)))
|
|
}
|
|
}
|
|
|
|
fn visit_i64<E>(self, v: i64) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
i32::try_from(v)
|
|
.map(Some)
|
|
.map_err(|_| E::custom("Compression level out of bound".to_owned()))
|
|
}
|
|
|
|
fn visit_u64<E>(self, v: u64) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
i32::try_from(v)
|
|
.map(Some)
|
|
.map_err(|_| E::custom("Compression level out of bound".to_owned()))
|
|
}
|
|
}
|
|
|
|
deserializer.deserialize_any(OptionVisitor)
|
|
}
|
|
|
|
fn deserialize_capacity<'de, D>(deserializer: D) -> Result<usize, D::Error>
|
|
where
|
|
D: de::Deserializer<'de>,
|
|
{
|
|
struct CapacityVisitor;
|
|
|
|
impl<'de> serde::de::Visitor<'de> for CapacityVisitor {
|
|
type Value = usize;
|
|
fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
|
|
formatter.write_str("int or '<capacity>'")
|
|
}
|
|
|
|
fn visit_str<E>(self, value: &str) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
value
|
|
.parse::<bytesize::ByteSize>()
|
|
.map(|x| x.as_u64())
|
|
.map_err(|e| E::custom(format!("invalid capacity value: {}", e)))
|
|
.and_then(|v| {
|
|
usize::try_from(v)
|
|
.map_err(|_| E::custom("capacity value out of bound".to_owned()))
|
|
})
|
|
}
|
|
|
|
fn visit_i64<E>(self, v: i64) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
usize::try_from(v).map_err(|_| E::custom("capacity value out of bound".to_owned()))
|
|
}
|
|
|
|
fn visit_u64<E>(self, v: u64) -> Result<Self::Value, E>
|
|
where
|
|
E: de::Error,
|
|
{
|
|
usize::try_from(v).map_err(|_| E::custom("capacity value out of bound".to_owned()))
|
|
}
|
|
}
|
|
|
|
deserializer.deserialize_any(CapacityVisitor)
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use crate::error::Error;
|
|
use std::fs::File;
|
|
use std::io::Write;
|
|
|
|
#[test]
|
|
fn test_rpc_secret() -> Result<(), Error> {
|
|
let path2 = mktemp::Temp::new_file()?;
|
|
let mut file2 = File::create(path2.as_path())?;
|
|
writeln!(
|
|
file2,
|
|
r#"
|
|
metadata_dir = "/tmp/garage/meta"
|
|
data_dir = "/tmp/garage/data"
|
|
replication_mode = "3"
|
|
rpc_bind_addr = "[::]:3901"
|
|
rpc_secret = "foo"
|
|
|
|
[s3_api]
|
|
s3_region = "garage"
|
|
api_bind_addr = "[::]:3900"
|
|
"#
|
|
)?;
|
|
|
|
let config = super::read_config(path2.to_path_buf())?;
|
|
assert_eq!("foo", config.rpc_secret.unwrap());
|
|
drop(path2);
|
|
drop(file2);
|
|
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn test_rpc_secret_file_works() -> Result<(), Error> {
|
|
let path_secret = mktemp::Temp::new_file()?;
|
|
let mut file_secret = File::create(path_secret.as_path())?;
|
|
writeln!(file_secret, "foo")?;
|
|
drop(file_secret);
|
|
|
|
let path_config = mktemp::Temp::new_file()?;
|
|
let mut file_config = File::create(path_config.as_path())?;
|
|
let path_secret_path = path_secret.as_path();
|
|
writeln!(
|
|
file_config,
|
|
r#"
|
|
metadata_dir = "/tmp/garage/meta"
|
|
data_dir = "/tmp/garage/data"
|
|
replication_mode = "3"
|
|
rpc_bind_addr = "[::]:3901"
|
|
rpc_secret_file = "{}"
|
|
|
|
[s3_api]
|
|
s3_region = "garage"
|
|
api_bind_addr = "[::]:3900"
|
|
"#,
|
|
path_secret_path.display()
|
|
)?;
|
|
|
|
// Second configuration file, same as previous one
|
|
// except it allows world-readable secrets.
|
|
let path_config_allow_world_readable = mktemp::Temp::new_file()?;
|
|
let mut file_config_allow_world_readable =
|
|
File::create(path_config_allow_world_readable.as_path())?;
|
|
writeln!(
|
|
file_config_allow_world_readable,
|
|
r#"
|
|
metadata_dir = "/tmp/garage/meta"
|
|
data_dir = "/tmp/garage/data"
|
|
replication_mode = "3"
|
|
rpc_bind_addr = "[::]:3901"
|
|
rpc_secret_file = "{}"
|
|
allow_world_readable_secrets = true
|
|
|
|
[s3_api]
|
|
s3_region = "garage"
|
|
api_bind_addr = "[::]:3900"
|
|
"#,
|
|
path_secret_path.display()
|
|
)?;
|
|
|
|
let mut config = super::read_config(path_config.to_path_buf())?;
|
|
assert_eq!("foo", config.rpc_secret.unwrap());
|
|
#[cfg(unix)]
|
|
{
|
|
// Check non world-readable secrets config
|
|
use std::os::unix::fs::PermissionsExt;
|
|
let metadata = std::fs::metadata(&path_secret_path)?;
|
|
let mut perm = metadata.permissions();
|
|
perm.set_mode(0o660);
|
|
std::fs::set_permissions(&path_secret_path, perm)?;
|
|
|
|
std::env::set_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS", "false");
|
|
assert!(super::read_config(path_config.to_path_buf()).is_err());
|
|
|
|
std::env::set_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS", "true");
|
|
assert!(super::read_config(path_config.to_path_buf()).is_ok());
|
|
|
|
std::env::remove_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS");
|
|
|
|
// Check world-readable secrets config.
|
|
assert!(super::read_config(path_config_allow_world_readable.to_path_buf()).is_ok());
|
|
|
|
std::env::set_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS", "false");
|
|
assert!(super::read_config(path_config_allow_world_readable.to_path_buf()).is_err());
|
|
|
|
std::env::set_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS", "true");
|
|
assert!(super::read_config(path_config_allow_world_readable.to_path_buf()).is_ok());
|
|
}
|
|
std::env::remove_var("GARAGE_ALLOW_WORLD_READABLE_SECRETS");
|
|
drop(path_config);
|
|
drop(path_secret);
|
|
drop(file_config);
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn test_rcp_secret_and_rpc_secret_file_cannot_be_set_both() -> Result<(), Error> {
|
|
let path_config = mktemp::Temp::new_file()?;
|
|
let mut file_config = File::create(path_config.as_path())?;
|
|
writeln!(
|
|
file_config,
|
|
r#"
|
|
metadata_dir = "/tmp/garage/meta"
|
|
data_dir = "/tmp/garage/data"
|
|
replication_mode = "3"
|
|
rpc_bind_addr = "[::]:3901"
|
|
rpc_secret= "dummy"
|
|
rpc_secret_file = "dummy"
|
|
|
|
[s3_api]
|
|
s3_region = "garage"
|
|
api_bind_addr = "[::]:3900"
|
|
"#
|
|
)?;
|
|
assert_eq!(
|
|
"only one of `rpc_secret` and `rpc_secret_file` can be set",
|
|
super::read_config(path_config.to_path_buf())
|
|
.unwrap_err()
|
|
.to_string()
|
|
);
|
|
drop(path_config);
|
|
drop(file_config);
|
|
Ok(())
|
|
}
|
|
}
|