提交
3b394df8
编写于
9月 11, 2019
作者:
Thomas Stromberg
Add mutex around generateCerts to avoid TOCTOU race
上级
951cea7f
变更
2
Showing
2 changed file
with
21 addition
and
1 deletion
+21
-1
pkg/minikube/bootstrapper/certs.go
pkg/minikube/bootstrapper/certs.go
+17
-1
pkg/util/crypto.go
pkg/util/crypto.go
+4
-0
pkg/minikube/bootstrapper/certs.go
...
@@ -25,6 +25,7 @@ import (
...
@@ -25,6 +25,7 @@ import (
"path"
"path"
"path/filepath"
"path/filepath"
"strings"
"strings"
"time"
"github.com/golang/glog"
"github.com/golang/glog"
"github.com/pkg/errors"
"github.com/pkg/errors"
...
@@ -37,6 +38,9 @@ import (
...
@@ -37,6 +38,9 @@ import (
"k8s.io/minikube/pkg/minikube/constants"
"k8s.io/minikube/pkg/minikube/constants"
"k8s.io/minikube/pkg/minikube/kubeconfig"
"k8s.io/minikube/pkg/minikube/kubeconfig"
"k8s.io/minikube/pkg/util"
"k8s.io/minikube/pkg/util"
"github.com/juju/clock"
"github.com/juju/mutex"
)
)
const
(
const
(
...
@@ -122,13 +126,25 @@ func SetupCerts(cmd command.Runner, k8s config.KubernetesConfig) error {
...
@@ -122,13 +126,25 @@ func SetupCerts(cmd command.Runner, k8s config.KubernetesConfig) error {
}
}
func
generateCerts
(
k8s
config
.
KubernetesConfig
)
error
{
func
generateCerts
(
k8s
config
.
KubernetesConfig
)
error
{
// TODO: Instead of racey manipulation of a shared certificate, use per-profile certs
spec
:=
mutex
.
Spec
{
Name
:
"generateCerts"
,
Clock
:
clock
.
WallClock
,
Delay
:
10
*
time
.
Second
,
}
glog
.
Infof
(
"acquiring lock: %+v"
,
spec
)
releaser
,
err
:=
mutex
.
Acquire
(
spec
)
if
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"unable to acquire lock for %+v"
,
spec
)
}
defer
releaser
.
Release
()
serviceIP
,
err
:=
util
.
GetServiceClusterIP
(
k8s
.
ServiceCIDR
)
serviceIP
,
err
:=
util
.
GetServiceClusterIP
(
k8s
.
ServiceCIDR
)
if
err
!=
nil
{
if
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"getting service cluster ip"
)
return
errors
.
Wrap
(
err
,
"getting service cluster ip"
)
}
}
localPath
:=
constants
.
GetMinipath
()
localPath
:=
constants
.
GetMinipath
()
caCertPath
:=
filepath
.
Join
(
localPath
,
"ca.crt"
)
caCertPath
:=
filepath
.
Join
(
localPath
,
"ca.crt"
)
caKeyPath
:=
filepath
.
Join
(
localPath
,
"ca.key"
)
caKeyPath
:=
filepath
.
Join
(
localPath
,
"ca.key"
)
...
...
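Review bot: The `mutex.Spec` built at the top of `generateCerts` sets `Name`, `Clock` and `Delay` but no `Timeout`, and juju/mutex treats a zero `Timeout` as wait-forever, so a hung minikube process holding the lock would stall every later start and the `errors.Wrapf(err, "unable to acquire lock for %+v", spec)` branch would never fire on contention. Bounding the wait, for example with `Timeout: 1 * time.Minute,` (value to be tuned), turns that stall into a diagnosable error. The lock name is the fixed string `"generateCerts"`, which presumably is shared by every user and every MINIKUBE_HOME on the host, while the files being protected live under `constants.GetMinipath()`; a name derived from that path (hashed to fit the library's name rules) would scope the lock to the directory it guards. The lock only orders cooperating minikube processes, as the TODO acknowledges, and the body of `generateCerts` continues beyond this hunk.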
pkg/util/crypto.go
...
@@ -30,6 +30,7 @@ import (
...
@@ -30,6 +30,7 @@ import (
"path/filepath"
"path/filepath"
"time"
"time"
"github.com/golang/glog"
"github.com/pkg/errors"
"github.com/pkg/errors"
"k8s.io/minikube/pkg/util/lock"
"k8s.io/minikube/pkg/util/lock"
)
)
...
@@ -65,6 +66,7 @@ func GenerateCACert(certPath, keyPath string, name string) error {
...
@@ -65,6 +66,7 @@ func GenerateCACert(certPath, keyPath string, name string) error {
// GenerateSignedCert generates a signed certificate and key
// GenerateSignedCert generates a signed certificate and key
func
GenerateSignedCert
(
certPath
,
keyPath
,
cn
string
,
ips
[]
net
.
IP
,
alternateDNS
[]
string
,
signerCertPath
,
signerKeyPath
string
)
error
{
func
GenerateSignedCert
(
certPath
,
keyPath
,
cn
string
,
ips
[]
net
.
IP
,
alternateDNS
[]
string
,
signerCertPath
,
signerKeyPath
string
)
error
{
glog
.
Infof
(
"Generating cert %s with IP's: %s"
,
certPath
,
ips
)
signerCertBytes
,
err
:=
ioutil
.
ReadFile
(
signerCertPath
)
signerCertBytes
,
err
:=
ioutil
.
ReadFile
(
signerCertPath
)
if
err
!=
nil
{
if
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"Error reading file: signerCertPath"
)
return
errors
.
Wrap
(
err
,
"Error reading file: signerCertPath"
)
...
@@ -152,6 +154,7 @@ func writeCertsAndKeys(template *x509.Certificate, certPath string, signeeKey *r
...
@@ -152,6 +154,7 @@ func writeCertsAndKeys(template *x509.Certificate, certPath string, signeeKey *r
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
certPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
certPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"Error creating certificate directory"
)
return
errors
.
Wrap
(
err
,
"Error creating certificate directory"
)
}
}
glog
.
Infof
(
"Writing cert to %s ..."
,
certPath
)
if
err
:=
lock
.
WriteFile
(
certPath
,
certBuffer
.
Bytes
(),
os
.
FileMode
(
0644
));
err
!=
nil
{
if
err
:=
lock
.
WriteFile
(
certPath
,
certBuffer
.
Bytes
(),
os
.
FileMode
(
0644
));
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"Error writing certificate to cert path"
)
return
errors
.
Wrap
(
err
,
"Error writing certificate to cert path"
)
}
}
...
@@ -159,6 +162,7 @@ func writeCertsAndKeys(template *x509.Certificate, certPath string, signeeKey *r
...
@@ -159,6 +162,7 @@ func writeCertsAndKeys(template *x509.Certificate, certPath string, signeeKey *r
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
keyPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
if
err
:=
os
.
MkdirAll
(
filepath
.
Dir
(
keyPath
),
os
.
FileMode
(
0755
));
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"Error creating key directory"
)
return
errors
.
Wrap
(
err
,
"Error creating key directory"
)
}
}
glog
.
Infof
(
"Writing key to %s ..."
,
keyPath
)
if
err
:=
lock
.
WriteFile
(
keyPath
,
keyBuffer
.
Bytes
(),
os
.
FileMode
(
0600
));
err
!=
nil
{
if
err
:=
lock
.
WriteFile
(
keyPath
,
keyBuffer
.
Bytes
(),
os
.
FileMode
(
0600
));
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"Error writing key file"
)
return
errors
.
Wrap
(
err
,
"Error writing key file"
)
}
}
...
...
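Review bot: The new log line in `GenerateSignedCert` records only `certPath` and `ips`, although `cn` and `alternateDNS` from the same signature also decide which identities the certificate is valid for, so the log cannot be used to audit what was issued. Logging all of them, e.g. `glog.Infof("Generating cert %s for %q with IPs %v and DNS names %q", certPath, cn, ips, alternateDNS)`, closes that gap; it also replaces `%s` on a slice with `%v` and drops the stray apostrophe in "IP's". The two `glog.Infof` calls added in `writeCertsAndKeys` log only paths, never key material, which is the right boundary to keep. Both functions start or end outside the visible hunks.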