diff --git a/add-FAQ-and-self-signature-certificate-manufacturing.patch b/add-FAQ-and-self-signature-certificate-manufacturing.patch new file mode 100644 index 0000000..df24f25 --- /dev/null +++ b/add-FAQ-and-self-signature-certificate-manufacturing.patch @@ -0,0 +1,185 @@ +From d14414365e8fa9590e46b63a29754fb29f81778c Mon Sep 17 00:00:00 2001 +From: gaoruoshu +Date: Wed, 16 Feb 2022 14:41:47 +0800 +Subject: [PATCH] add FAQ and self signature certificate manufacturing + +--- + Documentation/UserGuide/A-Tune-User-Guide.md | 70 ++++++++++++++++++ + ...50\346\210\267\346\214\207\345\215\227.md" | 72 +++++++++++++++++++ + 2 files changed, 142 insertions(+) + +diff --git a/Documentation/UserGuide/A-Tune-User-Guide.md b/Documentation/UserGuide/A-Tune-User-Guide.md +index cd99cd4..cbb9d66 100644 +--- a/Documentation/UserGuide/A-Tune-User-Guide.md ++++ b/Documentation/UserGuide/A-Tune-User-Guide.md +@@ -1235,6 +1235,12 @@ Perform tuning. + 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 + ``` + ++**Q4: The atuned or atune-engine service cannot be started, and the message "Startup failed. Please provide the authentication certificate." is displayed.** ++ ++**Cause:** Missing the certificate file during communication. The default communication protocol of REST APIs in the atuned or atune-engine service is HTTPS. ++ ++**Solution:** Providing the certificate file issued by the authority and saving it to the corresponding configuration directory. The default certificate directory of the atuned service is /etc/atuned/rest_certs/, and the default certificate directory of the atune-engine service is /etc/atuned/engine_certs/. You can also change the default certificate directory and certificate file name in the atuned.cnf and engine.cnf files under the /etc/atuned/ directory. For the development and commissioning environment, you can also make self-service signature certificate by following section 5.2. ++ + + + # 5 Appendixes +@@ -1248,3 +1254,67 @@ Perform tuning. + | profile | Set of optimization items and optimal parameter configuration. | + + ++## 5.2 Self-signature Certificate Manufacturing Method ++ ++### 5.2.1 Creating a Certificate Directory ++ ++```shell ++CERT_PATH=demo ++mkdir $CERT_PATH ++``` ++ ++### 5.2.2 Generating the RSA Key Pair for the CA ++ ++```shell ++openssl genrsa -out $CERT_PATH/ca.key 2048 ++``` ++ ++### 5.2.3 Generating the CA Root Certificate ++ ++```shell ++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt ++``` ++ ++### 5.2.4 Generating the Server Certificate ++ ++```shell ++# The IP address can be changed according to the actual situation. ++IP_ADDR=localhost ++openssl genrsa -out $CERT_PATH/server.key 2048 ++cp /etc/pki/tls/openssl.cnf $CERT_PATH ++if test $IP_ADDR == localhost; then ++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf ++else ++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf ++fi ++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ ++ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr ++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ ++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt ++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf ++``` ++ ++### 5.2.5 Generating the Client Certificate ++ ++```shell ++# The IP address can be changed according to the actual situation. ++IP_ADDR=localhost ++openssl genrsa -out $CERT_PATH/client.key 2048 ++cp /etc/pki/tls/openssl.cnf $CERT_PATH ++if test $IP_ADDR == localhost; then ++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf ++else ++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf ++fi ++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ ++ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr ++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ ++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt ++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf ++``` ++ ++ +diff --git "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" +index 59b25e0..064708c 100644 +--- "a/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" ++++ "b/Documentation/UserGuide/A-Tune\347\224\250\346\210\267\346\214\207\345\215\227.md" +@@ -1247,6 +1247,15 @@ evaluations : + 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 + ``` + ++**问题4:atuned或atune-engine服务无法启动,提示“Startup failed. Please provide the authentication certificate.”。** ++ ++**原因:** atuned或atune-engine服务中的REST API默认通信协议为https,通信中缺少证书文件 ++ ++**解决方法:** 用户提供权威机构签发的证书文件并放入对应的配置目录下,其中atuned服务的默认证书>目录为/etc/atuned/rest_certs/,atune-engine服务的默认证书目录为/etc/atuned/engine_certs/,也可 ++以通过/etc/atuned/目录下的atuned.cnf和engine.cnf配置文件修改默认证书目录和证书文件名。对于开发 ++调试环境也可以通过5.2节方法制作的自签名证书进行服务通信。 ++ ++ + # 5 附录 + + ## 5.1 术语和缩略语 +@@ -1258,3 +1267,66 @@ evaluations : + | profile | 优化项集合,最佳的参数配置 | + + ++## 5.2 自签名证书制作方法 ++ ++### 5.2.1 证书目录创建 ++ ++```shell ++CERT_PATH=demo ++mkdir $CERT_PATH ++``` ++ ++### 5.2.2 生成CA的RSA密钥对 ++ ++```shell ++openssl genrsa -out $CERT_PATH/ca.key 2048 ++``` ++ ++### 5.2.3 生成CA根证书 ++ ++```shell ++openssl req -new -x509 -days 3650 -subj "/CN=ca" -key $CERT_PATH/ca.key -out $CERT_PATH/ca.crt ++``` ++ ++### 5.2.4 生成服务器证书 ++ ++```shell ++# ip地址可以根据实际情况修改 ++IP_ADDR=localhost ++openssl genrsa -out $CERT_PATH/server.key 2048 ++cp /etc/pki/tls/openssl.cnf $CERT_PATH ++if test $IP_ADDR == localhost; then ++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf ++else ++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf ++fi ++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ ++ -key $CERT_PATH/server.key -out $CERT_PATH/server.csr ++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ ++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/server.csr -out $CERT_PATH/server.crt ++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf ++``` ++ ++### 5.2.5 生成客户端证书 ++ ++```shell ++# ip地址可以根据实际情况修改 ++IP_ADDR=localhost ++openssl genrsa -out $CERT_PATH/client.key 2048 ++cp /etc/pki/tls/openssl.cnf $CERT_PATH ++if test $IP_ADDR == localhost; then ++ echo "[SAN]\nsubjectAltName=DNS:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=DNS:$IP_ADDR" > $CERT_PATH/extfile.cnf ++else ++ echo "[SAN]\nsubjectAltName=IP:$IP_ADDR" >> $CERT_PATH/openssl.cnf ++ echo "subjectAltName=IP:$IP_ADDR" > $CERT_PATH/extfile.cnf ++fi ++openssl req -new -subj "/CN=$IP_ADDR" -config $CERT_PATH/openssl.cnf \ ++ -key $CERT_PATH/client.key -out $CERT_PATH/client.csr ++openssl x509 -req -sha256 -CA $CERT_PATH/ca.crt -CAkey $CERT_PATH/ca.key -CAcreateserial -days 3650 \ ++ -extfile $CERT_PATH/extfile.cnf -in $CERT_PATH/client.csr -out $CERT_PATH/client.crt ++rm -rf $CERT_PATH/*.srl $CERT_PATH/*.csr $CERT_PATH/*.cnf ++``` ++ +-- +2.30.0 + diff --git a/atune.spec b/atune.spec index db4d846..4adc6ad 100755 --- a/atune.spec +++ b/atune.spec @@ -3,15 +3,18 @@ Summary: AI auto tuning system Name: atune Version: 1.0.0 -Release: 1 +Release: 2 License: Mulan PSL v2 URL: https://gitee.com/openeuler/A-Tune Source: https://gitee.com/openeuler/A-Tune/repository/archive/v%{version}.tar.gz +Patch9000: check-whether-the-certificate-file-exists.patch +Patch9001: add-FAQ-and-self-signature-certificate-manufacturing.patch + BuildRequires: rpm-build golang-bin procps-ng BuildRequires: sqlite >= 3.24.0 openssl BuildRequires: python3-scikit-optimize python3-pandas python3-xgboost -BuildRequires: python3-pyyaml python3-numpy +BuildRequires: python3-pyyaml Requires: systemd Requires: atune-client Requires: atune-db @@ -19,7 +22,6 @@ Requires: python3-dict2xml Requires: python3-flask-restful Requires: python3-pandas Requires: python3-pyyaml -Requires: python3-numpy %ifarch aarch64 Requires: prefetch_tuning %endif @@ -56,7 +58,7 @@ Requires: python3-xgboost Requires: python3-flask-restful Requires: python3-pandas Requires: python3-lhsmdu -Conflicts: atune < 0.3-0.3 +Conflicts: atune < 0.3-0.9 %description engine atune engine tool for manage atuned AI tuning system. @@ -65,9 +67,6 @@ atune engine tool for manage atuned AI tuning system. %autosetup -n A-Tune-v%{version} -p1 %build -sed -i "s/^rest_tls.*/rest_tls = false/" misc/atuned.cnf -sed -i "s/^engine_tls.*/engine_tls = false/" misc/atuned.cnf -sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf %make_build %install @@ -77,55 +76,64 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf %files %license License/LICENSE -%defattr(0640,root,root,-) -%attr(0640,root,root) /usr/lib/atuned/modules/daemon_profile_server.so +%defattr(0640,root,root,0750) +%attr(0550,root,root) /usr/lib/atuned/modules/daemon_profile_server.so %attr(0640,root,root) %{_unitdir}/atuned.service -%attr(0750,root,root) %{_bindir}/atuned -%attr(0750,root,root) /usr/libexec/atuned/analysis/* -%attr(0640,root,root) /usr/lib/atuned/profiles/* +%attr(0550,root,root) %{_bindir}/atuned +%attr(0550,root,root) /usr/libexec/atuned/analysis/* +/usr/lib/atuned/profiles/* %exclude /usr/libexec/atuned/analysis/app_engine.py %exclude /usr/libexec/atuned/analysis/models/ %exclude /usr/libexec/atuned/analysis/optimizer/ %exclude /usr/libexec/atuned/analysis/engine/ %exclude /usr/libexec/atuned/analysis/dataset/ %attr(0750,root,root) %dir /usr/lib/atuned -%attr(0750,root,root) %dir /usr/lib/atuned/modules +%attr(0550,root,root) %dir /usr/lib/atuned/modules %attr(0750,root,root) %dir /usr/lib/atuned/profiles %attr(0750,root,root) %dir /usr/libexec/atuned -%attr(0750,root,root) %dir /usr/libexec/atuned/analysis +%attr(0550,root,root) %dir /usr/libexec/atuned/analysis %attr(0750,root,root) %dir /usr/share/atuned %attr(0750,root,root) %dir /etc/atuned %attr(0750,root,root) %dir /etc/atuned/rules +%attr(0750,root,root) %dir /etc/atuned/tuning %attr(0750,root,root) %dir /var/atuned %attr(0640,root,root) /etc/atuned/atuned.cnf +%attr(0700,root,root) %dir /etc/atuned/engine_certs +%attr(0700,root,root) %dir /etc/atuned/rest_certs %exclude /etc/atuned/engine_certs/* %exclude /etc/atuned/rest_certs/* + %files client -%attr(0750,root,root) %{_bindir}/atune-adm -%attr(0640,root,root) /usr/share/bash-completion/completions/atune-adm +%attr(0550,root,root) %{_bindir}/atune-adm +%attr(0550,root,root) /usr/share/bash-completion/completions/atune-adm %files db %attr(0750,root,root) %dir /var/lib/atuned %attr(0750,root,root) %dir /var/run/atuned -%attr(0750,root,root) /var/lib/atuned/atuned.db +%attr(0640,root,root) /var/lib/atuned/atuned.db %attr(0750,root,root) %dir /usr/libexec/atuned +%attr(0550,root,root) %dir /usr/libexec/atuned/analysis +%attr(0550,root,root) %dir /usr/libexec/atuned/analysis/models +%attr(0550,root,root) /usr/libexec/atuned/analysis/models/* %files engine %license License/LICENSE -%defattr(0640,root,root,-) +%defattr(0640,root,root,0750) %attr(0640,root,root) %{_unitdir}/atune-engine.service -%attr(0750,root,root) /usr/libexec/atuned/analysis/* -%attr(0750,root,root) /etc/atuned/* +%attr(0550,root,root) /usr/libexec/atuned/analysis/* +/etc/atuned/* %exclude /usr/libexec/atuned/analysis/app_rest.py %exclude /usr/libexec/atuned/analysis/plugin/ %exclude /usr/libexec/atuned/analysis/atuned/ -%attr(0750,root,root) %dir /usr/libexec/atuned/analysis +%attr(0550,root,root) %dir /usr/libexec/atuned/analysis %attr(0750,root,root) %dir /etc/atuned %exclude /etc/atuned/atuned.cnf %exclude /etc/atuned/rules +%exclude /etc/atuned/tuning +%attr(0700,root,root) %dir /etc/atuned/engine_certs %exclude /etc/atuned/engine_certs/* -%exclude /etc/atuned/rest_certs/* +%exclude /etc/atuned/rest_certs %post %systemd_post atuned.service @@ -137,6 +145,9 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf %systemd_postun_with_restart atuned.service %changelog +* Fri Mar 04 2022 gaoruoshu - 1.0.0-2 +- enable certificate authentication by default and modify file permissions + * Tue Nov 16 2021 hanxinke - 1.0.0-1 - upgrade to v1.0.0 @@ -172,3 +183,4 @@ sed -i "s/^engine_tls.*/engine_tls = false/" misc/engine.cnf * Tue Nov 12 2019 openEuler Buildteam - 0.1-0.1 - Package init + diff --git a/check-whether-the-certificate-file-exists.patch b/check-whether-the-certificate-file-exists.patch new file mode 100644 index 0000000..431d666 --- /dev/null +++ b/check-whether-the-certificate-file-exists.patch @@ -0,0 +1,34 @@ +From 8d7596125161bea13641644fca2384411e00a4e5 Mon Sep 17 00:00:00 2001 +From: gaoruoshu +Date: Tue, 15 Feb 2022 17:03:40 +0800 +Subject: [PATCH] check whether the certificate file exists + +--- + analysis/app.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/analysis/app.py b/analysis/app.py +index 31b5f51..b25e784 100644 +--- a/analysis/app.py ++++ b/analysis/app.py +@@ -22,6 +22,8 @@ from logging.handlers import SysLogHandler + from flask import Flask + from flask_restful import Api + ++LOGGER = logging.getLogger(__name__) ++ + + class App: + """flask application""" +@@ -51,6 +51,9 @@ class App: + + def startup_app(self, host, port, tls, cert_file, key_file, ca_file, log_level): + """start flask app""" ++ if not os.path.exists(cert_file) or not os.path.exists(key_file) or not os.path.exists(ca_file): ++ LOGGER.error("Startup failed. Please provide the authentication certificate.") ++ raise FileNotFoundError("Startup failed. Please provide the authentication certificate.") + level = logging.getLevelName(log_level.upper()) + self.config_log(level) + self.add_resource() +-- +2.30.0