MQ V9.1.3.0 (#348)

* MQ 9.1.3 changes * Use crtmqdir -a * Allow generation of TLS certificate with given hostname * Remove check for certificate env variable * Updated manifests and changelog for 913 * Use MQ externals to configure console frame ancestors * Create /run/mqm * Go sec fixes * Set SAN when generating certificates * Remove image source and commit
2019-07-24 12:01:21 +01:00
parent dc00231ec1
commit b8a7167c4e
18 changed files with 149 additions and 116 deletions
--- a/cmd/runmqserver/main.go
+++ b/cmd/runmqserver/main.go
@@ -117,29 +117,6 @@ func doMain() error {
 		return err
 	}

-	// handle /var/mqm/ permissions in upgrade to UBI
-	if *initFlag {
-		varMqmDirs := []string{
-			"/var/mqm/config",
-			"/var/mqm/conv",
-			"/var/mqm/errors",
-			"/var/mqm/exits",
-			"/var/mqm/exits64",
-			"/var/mqm/log",
-			"/var/mqm/mqft",
-			"/var/mqm/qmgrs",
-			"/var/mqm/shared",
-			"/var/mqm/sockets",
-			"/var/mqm/trace",
-			"/var/mqm/web",
-		}
-		err = configureOwnership(varMqmDirs)
-		if err != nil {
-			logTermination(err)
-			return err
-		}
-	}
-
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil
--- a/cmd/runmqserver/qmgr.go
+++ b/cmd/runmqserver/qmgr.go
@@ -24,8 +24,6 @@ import (
 	"path/filepath"
 	"strings"

-	"golang.org/x/sys/unix"
-
 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntime "github.com/ibm-messaging/mq-container/internal/containerruntime"
 	"github.com/ibm-messaging/mq-container/internal/mqscredact"
@@ -34,7 +32,7 @@ import (

 // createDirStructure creates the default MQ directory structure under /var/mqm
 func createDirStructure() error {
-	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-s")
+	out, _, err := command.Run("/opt/mqm/bin/crtmqdir", "-f", "-a")
 	if err != nil {
 		log.Printf("Error creating directory structure: %v\n", string(out))
 		return err
@@ -43,47 +41,6 @@ func createDirStructure() error {
 	return nil
 }

-// configureOwnership recursively handles ownership of files within the given filepath
-func configureOwnership(paths []string) error {
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
-	var fileInfo *unix.Stat_t
-	fileInfo = new(unix.Stat_t)
-	for _, root := range paths {
-		_, err = os.Stat(root)
-		if err != nil {
-			if os.IsNotExist(err) {
-				continue
-			}
-			return err
-		}
-		err = filepath.Walk(root, func(from string, info os.FileInfo, err error) error {
-			if err != nil {
-				return err
-			}
-			to := fmt.Sprintf("%v%v", root, from[len(root):])
-			err = unix.Stat(to, fileInfo)
-			if err != nil {
-				return err
-			}
-			fileUID := fmt.Sprint(fileInfo.Uid)
-			if strings.Compare(fileUID, "999") == 0 {
-				err = os.Chown(to, uid, gid)
-				if err != nil {
-					return err
-				}
-			}
-			return nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // createQueueManager creates a queue manager, if it doesn't already exist.
 // It returns true if one was created (or a standby was created), or false if one already existed
 func createQueueManager(name string) (bool, error) {
--- a/cmd/runmqserver/tls.go
+++ b/cmd/runmqserver/tls.go
@@ -22,6 +22,7 @@ import (
 	"strings"

 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/tls"
 )
@@ -38,7 +39,7 @@ const trustDir = "/etc/mqm/pki/trust"
 // configureWebTLS configures TLS for Web Console
 func configureWebTLS(label string) error {
 	// Return immediately if we have no certificate to use as identity
-	if label == "" {
+	if label == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") == "" {
 		return nil
 	}

@@ -129,8 +130,30 @@ func configureSSOTLS(p12TrustStore tls.KeyStoreData) (string, error) {
 	// Check keystore exists
 	ks := filepath.Join(keyStoreDir, webKeyStoreName)
 	_, err := os.Stat(ks)
-	if err != nil {
-		return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+	// Now we know if the file exists let's check whether we should have it or not.
+	// Check if we're being told to generate the certificate
+	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
+	if genHostName != "" {
+		// We've got to generate the certificate with the hostname given
+		if err == nil {
+			log.Printf("Replacing existing keystore %s - generating new certificate", ks)
+		}
+		// Keystore doesn't exist so create it and populate a certificate
+		newKS := keystore.NewPKCS12KeyStore(ks, p12TrustStore.Password)
+		err = newKS.Create()
+		if err != nil {
+			return "", fmt.Errorf("Failed to create keystore %s: %v", ks, err)
+		}
+
+		err = newKS.CreateSelfSignedCertificate("default", fmt.Sprintf("CN=%s", genHostName), genHostName)
+		if err != nil {
+			return "", fmt.Errorf("Failed to generate certificate in keystore %s with DN of 'CN=%s': %v", ks, genHostName, err)
+		}
+	} else {
+		// Keystore should already exist
+		if err != nil {
+			return "", fmt.Errorf("Failed to find existing keystore %s: %v", ks, err)
+		}
 	}

 	// Check truststore exists
--- a/cmd/runmqserver/version.go
+++ b/cmd/runmqserver/version.go
@@ -38,11 +38,11 @@ func logDateStamp() {
 }

 func logGitRepo() {
-	log.Printf("Image revision: %v", ImageRevision)
+	// log.Printf("Image revision: %v", ImageRevision)
 }

 func logGitCommit() {
-	log.Printf("Image source: %v", ImageSource)
+	// log.Printf("Image source: %v", ImageSource)
 }

 func logImageTag() {
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -92,7 +92,6 @@ func configureSSO(p12TrustStore tls.KeyStoreData) (string, error) {
 		"MQ_OIDC_TOKEN_ENDPOINT",
 		"MQ_OIDC_JWK_ENDPOINT",
 		"MQ_OIDC_ISSUER_IDENTIFIER",
-		"MQ_OIDC_CERTIFICATE",
 	}
 	for _, envVar := range requiredEnvVars {
 		if len(os.Getenv(envVar)) == 0 {