From c97f45a1a8502e0e31c4f538f6a5a2a93869b35c Mon Sep 17 00:00:00 2001
From: Rawlin Peters
Date: Tue, 21 Sep 2021 14:06:15 -0600
Subject: [PATCH] Compile ToDnssecRefresh binary into TO rpm, update cron job to use it (#6224)
Closes: #6179
(cherry picked from commit 23ee354a1e871d6bb5670f50fe47c16006767b11)
---
CHANGELOG.md | 1 +
traffic_ops/build/build_rpm.sh | 5 +++++
traffic_ops/build/traffic_ops.spec | 13 +++++++++++++
traffic_ops/etc/cron.d/trafops_dnssec_refresh | 3 ++-
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1fd6704260..f060218d75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -132,6 +132,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - CDN in a Box now uses Apache Traffic Server 8.1.
 - Customer names in payloads sent to the `/deliveryservices/request` Traffic Ops API endpoint can no longer contain characters besides alphanumerics, @, !, #, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability that allowed email content injection.
 - Go version 1.17 is used to compile Traffic Ops, T3C, Traffic Monitor, Traffic Stats, and Grove.
+- [#6179](https://github.com/apache/trafficcontrol/issues/6179) Updated the Traffic Ops rpm to include the `ToDnssecRefresh` binary and make the `trafops_dnssec_refresh` cron job use it
 
 ### Deprecated
 - The Riak Traffic Vault backend is now deprecated and its support may be removed in a future release. It is highly recommended to use the new PostgreSQL backend instead.
diff --git a/traffic_ops/build/build_rpm.sh b/traffic_ops/build/build_rpm.sh
index bdae8f4d5e..e035df2430 100755
--- a/traffic_ops/build/build_rpm.sh
+++ b/traffic_ops/build/build_rpm.sh
@@ -75,6 +75,11 @@ initBuildArea() {
 go build -v -o admin -gcflags "$gcflags" -ldflags "$ldflags" -tags "$tags" || \
 { echo "Could not build db/admin binary"; return 1;})
 
+# compile ToDnssecRefresh.go
+(cd app/bin/checks/DnssecRefresh
+go build -v -o ToDnssecRefresh -gcflags "$gcflags" -ldflags "$ldflags" -tags "$tags" || \
+{ echo "Could not build ToDnssecRefresh binary"; return 1;})
+
 # compile db/reencrypt
 (cd app/db/reencrypt
 go build -v -o reencrypt || \
diff --git a/traffic_ops/build/traffic_ops.spec b/traffic_ops/build/traffic_ops.spec
index fc427ba065..ae487a6222 100644
--- a/traffic_ops/build/traffic_ops.spec
+++ b/traffic_ops/build/traffic_ops.spec
@@ -81,6 +81,13 @@ db_admin_dir=src/github.com/apache/trafficcontrol/traffic_ops/app/db
 cp "$TC_DIR"/traffic_ops/app/db/admin .
 ) || { echo "Could not copy go db admin at $(pwd): $!"; exit 1; };
 
+# copy ToDnssecRefresh
+to_dnssec_refresh_dir=src/github.com/apache/trafficcontrol/traffic_ops/app/bin/checks/DnssecRefresh
+( mkdir -p "$to_dnssec_refresh_dir" && \
+cd "$to_dnssec_refresh_dir" && \
+cp "$TC_DIR"/traffic_ops/app/bin/checks/DnssecRefresh/ToDnssecRefresh .
+) || { echo "Could not copy ToDnssecRefresh at $(pwd): $!"; exit 1; };
+
 # copy TV DB reencrypt
 reencrypt_dir=src/github.com/apache/trafficcontrol/traffic_ops/app/db/reencrypt
 ( mkdir -p "$reencrypt_dir" && \
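Review bot: The `return 1` on the new `{ echo "Could not build ToDnssecRefresh binary"; return 1;})` line runs inside the `(cd app/bin/checks/DnssecRefresh ...)` subshell, so it only sets that subshell's exit status; unless initBuildArea runs under `set -e` or its caller checks the status (not visible in this hunk), a failed `go build` falls through and the later spec steps then try to copy a binary that does not exist. The db/admin block above uses the same pattern, so this may be deliberate, but the new block could make the intent explicit with `) || return 1` after the closing parenthesis. initBuildArea starts and ends outside this hunk.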
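Review bot: The error message on the new `) || { echo "Could not copy ToDnssecRefresh at $(pwd): $!"; exit 1; };` line interpolates `$!`, which in a POSIX shell is the PID of the last background job rather than an error string (that is the Perl idiom), so the message ends with an empty or meaningless value. The neighbouring db admin line has the same construct, so this is copied rather than introduced, but the new line could drop it: `) || { echo "Could not copy ToDnssecRefresh at $(pwd)"; exit 1; };`. cp prints its own diagnostic on failure, so nothing is lost.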
@@ -133,6 +140,11 @@ db_admin_src=src/github.com/apache/trafficcontrol/traffic_ops/app/db
 %__rm $RPM_BUILD_ROOT/%{PACKAGEDIR}/app/db/*.go
 %__rm -r $RPM_BUILD_ROOT/%{PACKAGEDIR}/app/db/trafficvault/test
 
+to_dnssec_refresh_src=src/github.com/apache/trafficcontrol/traffic_ops/app/bin/checks/DnssecRefresh
+%__cp -p "$to_dnssec_refresh_src"/ToDnssecRefresh "${RPM_BUILD_ROOT}"/opt/traffic_ops/app/bin/checks/DnssecRefresh/ToDnssecRefresh
+%__rm $RPM_BUILD_ROOT/%{PACKAGEDIR}/app/bin/checks/DnssecRefresh/*.go
+%__rm -r $RPM_BUILD_ROOT/%{PACKAGEDIR}/app/bin/checks/DnssecRefresh/config
+
 reencrypt_src=src/github.com/apache/trafficcontrol/traffic_ops/app/db/reencrypt
 %__cp -p "$reencrypt_src"/reencrypt "${RPM_BUILD_ROOT}"/opt/traffic_ops/app/db/reencrypt/reencrypt
 %__rm $RPM_BUILD_ROOT/%{PACKAGEDIR}/app/db/reencrypt/*.go
@@ -239,6 +251,7 @@ fi
 %exclude %{PACKAGEDIR}/app/db/SQUASH.md
 %exclude %{PACKAGEDIR}/app/db/squash_migrations.sh
 %attr(755, %{TRAFFIC_OPS_USER},%{TRAFFIC_OPS_GROUP}) %{PACKAGEDIR}/install/bin/convert_profile/convert_profile
+%attr(755, %{TRAFFIC_OPS_USER},%{TRAFFIC_OPS_GROUP}) %{PACKAGEDIR}/app/bin/checks/DnssecRefresh/ToDnssecRefresh
 %attr(755, %{TRAFFIC_OPS_USER},%{TRAFFIC_OPS_GROUP}) %{PACKAGEDIR}/app/db/reencrypt/reencrypt
 %attr(755, %{TRAFFIC_OPS_USER},%{TRAFFIC_OPS_GROUP}) %{PACKAGEDIR}/app/db/traffic_vault_migrate/traffic_vault_migrate
 %{PACKAGEDIR}/etc
diff --git a/traffic_ops/etc/cron.d/trafops_dnssec_refresh b/traffic_ops/etc/cron.d/trafops_dnssec_refresh
index f6114b80f2..435b8050e7 100644
--- a/traffic_ops/etc/cron.d/trafops_dnssec_refresh
+++ b/traffic_ops/etc/cron.d/trafops_dnssec_refresh
@@ -15,4 +15,5 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-*/5 * * * * trafops export PERL5LIB=/opt/traffic_ops/app/local/lib/perl5:/opt/traffic_ops/app/lib; /opt/traffic_ops/app/bin/checks/ToDnssecRefresh.pl -c '{ "base_url": "https://127.0.0.1" }' -l 1 > /var/log/traffic_ops/trafops_dnssec_refresh.log 2>&1
+*/5 * * * * trafops /opt/traffic_ops/app/bin/checks/DnssecRefresh/ToDnssecRefresh --traffic-ops-url https://localhost --traffic-ops-user admin --traffic-ops-password twelve --log-location-error /var/log/traffic_ops/trafops_dnssec_refresh.log --log-location-warning /var/log/traffic_ops/trafops_dnssec_refresh.log --log-location-info /var/log/traffic_ops/trafops_dnssec_refresh.log
+
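Review bot: The new cron line hard-codes a Traffic Ops credential pair (`--traffic-ops-user admin --traffic-ops-password twelve`) into a file that is packaged in the rpm and, once placed under /etc/cron.d, is ordinarily readable by every local user; passing the password on the command line also exposes it in process listings for the duration of each run, and `admin`/`twelve` look like development defaults rather than values an operator would keep in production. The line it replaces took its settings from a JSON document via `-c` and carried no password at all, so this is a regression in where the secret lives. Keep the credentials out of the crontab: have the job read them from a 0600 file owned by the service user, e.g. `*/5 * * * * trafops . <root-or-trafops-only credentials file> && /opt/traffic_ops/app/bin/checks/DnssecRefresh/ToDnssecRefresh --traffic-ops-url https://localhost --traffic-ops-user "$TO_USER" --traffic-ops-password "$TO_PASSWORD" ...`, and ship the packaged file with a placeholder that the installer fills in. Separately, the target moved from `https://127.0.0.1` to `https://localhost`; whether the new binary verifies the server certificate for that name is not visible here and is worth confirming.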