1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
19 "git.arvados.org/arvados.git/sdk/go/arvados"
22 // Run an Nginx process that proxies the supervisor's configured
23 // ExternalURLs to the appropriate InternalURLs.
24 type runNginx struct{}
26 func (runNginx) String() string {
30 func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) error {
31 err := super.wait(ctx, createCertificates{})
35 vars := map[string]string{
36 "LISTENHOST": super.ListenHost,
37 "SSLCERT": filepath.Join(super.tempdir, "server.crt"),
38 "SSLKEY": filepath.Join(super.tempdir, "server.key"),
39 "ACCESSLOG": filepath.Join(super.tempdir, "nginx_access.log"),
40 "ERRORLOG": filepath.Join(super.tempdir, "nginx_error.log"),
41 "TMPDIR": super.wwwtempdir,
43 ctrlHost, _, err := net.SplitHostPort(super.cluster.Services.Controller.ExternalURL.Host)
45 return fmt.Errorf("SplitHostPort(Controller.ExternalURL.Host): %w", err)
47 if f, err := os.Open("/var/lib/acme/live/" + ctrlHost + "/privkey"); err == nil {
49 vars["SSLCERT"] = "/var/lib/acme/live/" + ctrlHost + "/cert"
50 vars["SSLKEY"] = "/var/lib/acme/live/" + ctrlHost + "/privkey"
52 for _, cmpt := range []struct {
56 {"CONTROLLER", super.cluster.Services.Controller},
57 {"KEEPWEB", super.cluster.Services.WebDAV},
58 {"KEEPWEBDL", super.cluster.Services.WebDAVDownload},
59 {"KEEPPROXY", super.cluster.Services.Keepproxy},
60 {"GIT", super.cluster.Services.GitHTTP},
61 {"HEALTH", super.cluster.Services.Health},
62 {"WORKBENCH1", super.cluster.Services.Workbench1},
63 {"WORKBENCH2", super.cluster.Services.Workbench2},
64 {"WS", super.cluster.Services.Websocket},
67 if len(cmpt.svc.InternalURLs) == 0 {
68 // We won't run this service, but we need an
69 // upstream port to write in our templated
70 // nginx config. Choose a port that will
71 // return 502 Bad Gateway.
73 } else if host, port, err = internalPort(cmpt.svc); err != nil {
74 return fmt.Errorf("%s internal port: %w (%v)", cmpt.varname, err, cmpt.svc)
75 } else if ok, err := addrIsLocal(net.JoinHostPort(host, port)); !ok || err != nil {
76 return fmt.Errorf("%s addrIsLocal() failed for host %q port %q: %v", cmpt.varname, host, port, err)
78 vars[cmpt.varname+"PORT"] = port
80 port, err = externalPort(cmpt.svc)
82 return fmt.Errorf("%s external port: %w (%v)", cmpt.varname, err, cmpt.svc)
84 listenAddr := net.JoinHostPort(super.ListenHost, port)
85 if ok, err := addrIsLocal(listenAddr); !ok || err != nil {
86 return fmt.Errorf("%s addrIsLocal(%q) failed: %w", cmpt.varname, listenAddr, err)
88 vars[cmpt.varname+"SSLPORT"] = port
90 var conftemplate string
91 if super.ClusterType == "production" {
92 conftemplate = "/var/lib/arvados/share/nginx.conf"
94 conftemplate = filepath.Join(super.SourcePath, "sdk", "python", "tests", "nginx.conf")
96 tmpl, err := ioutil.ReadFile(conftemplate)
100 conf := regexp.MustCompile(`{{.*?}}`).ReplaceAllStringFunc(string(tmpl), func(src string) string {
104 return vars[src[2:len(src)-2]]
106 conffile := filepath.Join(super.tempdir, "nginx.conf")
107 err = ioutil.WriteFile(conffile, []byte(conf), 0755)
112 if _, err := exec.LookPath(nginx); err != nil {
113 for _, dir := range []string{"/sbin", "/usr/sbin", "/usr/local/sbin"} {
114 if _, err = os.Stat(dir + "/nginx"); err == nil {
115 nginx = dir + "/nginx"
122 "-g", "error_log stderr info;",
123 "-g", "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + ";",
126 // Nginx ignores "user www-data;" when running as a non-root
127 // user... except that it causes it to ignore our other -g
128 // options. So we still have to decide for ourselves whether
130 if u, err := user.Current(); err != nil {
131 return fmt.Errorf("user.Current(): %w", err)
132 } else if u.Uid == "0" {
133 args = append([]string{"-g", "user www-data;"}, args...)
136 super.waitShutdown.Add(1)
138 defer super.waitShutdown.Done()
139 fail(super.RunProgram(ctx, ".", runOptions{}, nginx, args...))
141 // Choose one of the ports where Nginx should listen, and wait
142 // here until we can connect. If ExternalURL is https://foo (with no port) then we connect to "foo:https"
143 testurl := url.URL(super.cluster.Services.Controller.ExternalURL)
144 if testurl.Port() == "" {
145 testurl.Host = net.JoinHostPort(testurl.Host, testurl.Scheme)
147 return waitForConnect(ctx, testurl.Host)