Thread: [buildfarm-members] Moving to HTTPS

[buildfarm-members] Moving to HTTPS

From
Andrew Dunstan
Date:
In common with the rest of the PostgreSQL infrastructure, we will
shortly be moving the buildfarm server to supporting HTTPS, and
eventually will stop support for plain HTTP. Many installations on
buildfarm animals will not need any great adjustment, others will need
some extra modules installed. Here's a simple test that should help tell
if your animal needs some extra stuff installed. Run something like this
on your animal, making sure that the perl in your path is the one used
to run the buildfarm client:


    perl -MLWP::Simple -e 'head(q{https://www.postgresql.org});


If this doesn't complain you should be good. If it does, you probably
need to install the LWP::Protocol::https module, and anything it depends
on (e.g. crypto libraries).

This isn't enabled yet, I'm just being proactive so you don't get caught
having to adjust in a hurry.

Windows users probably don't need to worry - this works on every
installation of AS perl I have.


cheers


andrew



Re: [buildfarm-members] Moving to HTTPS

From
Noah Misch
Date:
On Sat, Jan 07, 2017 at 04:37:47PM -0500, Andrew Dunstan wrote:
> Here's a simple test that should help tell if your animal needs some extra
> stuff installed. Run something like this on your animal, making sure that
> the perl in your path is the one used to run the buildfarm client:
>
>
>    perl -MLWP::Simple -e 'head(q{https://www.postgresql.org});

I get no complaint from that, but I also get no complaint from these:

  perl -MLWP::Simple -e 'head(q{https://nonsense.postgresql.org});'; echo $?
  perl -MLWP::Simple -e 'head(q{nonsense://nonsense});'; echo $?

Maybe use this:

  perl -MData::Dumper -MLWP::Simple -e 'print Dumper [head(q{https://www.postgresql.org}) || "BAD"]'


Re: [buildfarm-members] Moving to HTTPS

From
Andrew Dunstan
Date:

On 01/07/2017 04:55 PM, Noah Misch wrote:
> On Sat, Jan 07, 2017 at 04:37:47PM -0500, Andrew Dunstan wrote:
>> Here's a simple test that should help tell if your animal needs some extra
>> stuff installed. Run something like this on your animal, making sure that
>> the perl in your path is the one used to run the buildfarm client:
>>
>>
>>     perl -MLWP::Simple -e 'head(q{https://www.postgresql.org});
> I get no complaint from that, but I also get no complaint from these:
>
>    perl -MLWP::Simple -e 'head(q{https://nonsense.postgresql.org});'; echo $?
>    perl -MLWP::Simple -e 'head(q{nonsense://nonsense});'; echo $?
>
> Maybe use this:
>
>    perl -MData::Dumper -MLWP::Simple -e 'print Dumper [head(q{https://www.postgresql.org}) || "BAD"]'
>


Yeah, you're right. Or perhaps even more simply we could do:

        perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'

cheers

andrew

--
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: [buildfarm-members] Moving to HTTPS

From
Tom Lane
Date:
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> Yeah, you're right. Or perhaps even more simply we could do:
>         perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'

Hmm, so that reports BAD on all four of my buildfarm critters :-(.

On longfin, which is running a current macOS release, "cpan install
LWP::Protocol::https" seems to be enough to fix it; but on the other
three, I get various flavors of failure.  It looks like the root cause is
that the versions of the relevant modules that are currently available
from CPAN assume newer versions of OpenSSL and/or other Perl modules than
these machines have installed.

I could embark on a massive update binge, but that would sort of defeat
the purpose of testing against old Perl versions.  Thoughts?

            regards, tom lane


Re: [buildfarm-members] Moving to HTTPS

From
Andrew Dunstan
Date:

On 01/07/2017 07:12 PM, Tom Lane wrote:
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>> Yeah, you're right. Or perhaps even more simply we could do:
>>          perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'
> Hmm, so that reports BAD on all four of my buildfarm critters :-(.
>
> On longfin, which is running a current macOS release, "cpan install
> LWP::Protocol::https" seems to be enough to fix it; but on the other
> three, I get various flavors of failure.  It looks like the root cause is
> that the versions of the relevant modules that are currently available
> from CPAN assume newer versions of OpenSSL and/or other Perl modules than
> these machines have installed.
>
> I could embark on a massive update binge, but that would sort of defeat
> the purpose of testing against old Perl versions.  Thoughts?
>


Ugh. I was afraid of something like that. We might need to look at
providing a proxy or something.




cheers

andrew

--

Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: [buildfarm-members] Moving to HTTPS

From
David Fetter
Date:
On Sat, Jan 07, 2017 at 07:12:07PM -0500, Tom Lane wrote:
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> > Yeah, you're right. Or perhaps even more simply we could do:
> >         perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'
>
> Hmm, so that reports BAD on all four of my buildfarm critters :-(.
>
> On longfin, which is running a current macOS release, "cpan install
> LWP::Protocol::https" seems to be enough to fix it; but on the other
> three, I get various flavors of failure.  It looks like the root cause is
> that the versions of the relevant modules that are currently available
> from CPAN assume newer versions of OpenSSL and/or other Perl modules than
> these machines have installed.
>
> I could embark on a massive update binge, but that would sort of defeat
> the purpose of testing against old Perl versions.  Thoughts?

You could use install a more modern Perl version just for the
buildfarm client while keeping the system perl marooned however far in
the past we promise to support.  Don't know just how painful that is
on those machines...

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate


Re: [buildfarm-members] Moving to HTTPS

From
Dave Page
Date:


On Sunday, January 8, 2017, Andrew Dunstan <andrew.dunstan@2ndquadrant.com> wrote:


On 01/07/2017 07:12 PM, Tom Lane wrote:
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
Yeah, you're right. Or perhaps even more simply we could do:
        perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'
Hmm, so that reports BAD on all four of my buildfarm critters :-(.

On longfin, which is running a current macOS release, "cpan install
LWP::Protocol::https" seems to be enough to fix it; but on the other
three, I get various flavors of failure.  It looks like the root cause is
that the versions of the relevant modules that are currently available
from CPAN assume newer versions of OpenSSL and/or other Perl modules than
these machines have installed.

I could embark on a massive update binge, but that would sort of defeat
the purpose of testing against old Perl versions.  Thoughts?

I get the same on the machine hosting casteroides and protociurus:

-bash-3.00$ /opt/csw/bin/perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'
BAD

installing LWP::Protocol::https failed miserably with both Sun Studio and GCC :-(
 
Ugh. I was afraid of something like that. We might need to look at providing a proxy or something.

That would kinda defeat the point of us trying to secure everything :-( 


--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: [buildfarm-members] Moving to HTTPS

From
Tom Lane
Date:
David Fetter <david@fetter.org> writes:
> On Sat, Jan 07, 2017 at 07:12:07PM -0500, Tom Lane wrote:
>> I could embark on a massive update binge, but that would sort of defeat
>> the purpose of testing against old Perl versions.  Thoughts?

> You could use install a more modern Perl version just for the
> buildfarm client while keeping the system perl marooned however far in
> the past we promise to support.  Don't know just how painful that is
> on those machines...

Yeah, I was thinking about the same: build a modern perl somewhere off to
the side (not in the normal PATH) and run the buildfarm script using that
while the build per se continues to use the system Perl.  The pain here
is going to mostly come from the buildfarm script itself, I'm afraid.
One thing I noticed right away is it's got /usr/bin/perl hardwired into
all its shebang lines.  Don't know what other gotchas there are.

            regards, tom lane


Re: [buildfarm-members] Moving to HTTPS

From
Andrew Dunstan
Date:

On 01/08/2017 10:34 AM, Tom Lane wrote:
> David Fetter <david@fetter.org> writes:
>> On Sat, Jan 07, 2017 at 07:12:07PM -0500, Tom Lane wrote:
>>> I could embark on a massive update binge, but that would sort of defeat
>>> the purpose of testing against old Perl versions.  Thoughts?
>> You could use install a more modern Perl version just for the
>> buildfarm client while keeping the system perl marooned however far in
>> the past we promise to support.  Don't know just how painful that is
>> on those machines...
> Yeah, I was thinking about the same: build a modern perl somewhere off to
> the side (not in the normal PATH) and run the buildfarm script using that
> while the build per se continues to use the system Perl.  The pain here
> is going to mostly come from the buildfarm script itself, I'm afraid.
> One thing I noticed right away is it's got /usr/bin/perl hardwired into
> all its shebang lines.  Don't know what other gotchas there are.
>
>



That's more or less how the Msys stuff works. The buildfarm scripts run
using the Msys DTK client (so we get the virtual paths right) but builds
against AS perl.

And in fact there is provision for running the web transaction using a
different perl. Right now it's only used in very limited circumstances
(older Msys where LWP isn't supported at all in the DTK perl) but we
could expand it. For example, we could run it any time aux_path is
actually set. See the code starting around line 2097 of run_build.pl.

There's no great urgency about this. And I want to do it with minimal
disturbance, so let's get it right.

cheers

andrew


Re: [buildfarm-members] Moving to HTTPS

From
Tom Lane
Date:
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> On 01/07/2017 07:12 PM, Tom Lane wrote:
>> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>>> Yeah, you're right. Or perhaps even more simply we could do:
>>> perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'

>> Hmm, so that reports BAD on all four of my buildfarm critters :-(.

> Ugh. I was afraid of something like that. We might need to look at
> providing a proxy or something.

After further fooling with this, it seems the root cause is that you
need Perl (specifically Net::SSLeay) to be linked to OpenSSL 0.9.8
or later.  Since we require at least 0.9.8 for PG itself, this does
not seem like an unreasonably heavy lift.

I found that some of the involved modules, particularly IO::Socket::SSL
and LWP::Protocol::https, fail a few of their regression tests even
with 0.9.8.  But if you tell cpan to ignore that and install them
anyway, it seems like things work; at least, the simple test proposed
above now works on all four of my buildfarm critters.  It will be
interesting to see whether that equates to "buildfarm script can talk
to https server".  Do we have any more-thorough test case available?

BTW, if anyone else is like me and has a more modern openssl installed
in a non-default location on an old machine, the secret sauce for getting
Net::SSLeay to use that is to set environment variable OPENSSL_PREFIX
to the openssl install prefix path before building Net::SSLeay.

            regards, tom lane


Re: [buildfarm-members] Moving to HTTPS

From
Andrew Dunstan
Date:

On 01/15/2017 03:39 AM, Tom Lane wrote:
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>> On 01/07/2017 07:12 PM, Tom Lane wrote:
>>> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>>>> Yeah, you're right. Or perhaps even more simply we could do:
>>>> perl -MLWP::Simple -e 'print qq{BAD\n} unless head(q{https://www.postgresql.org});'
>>> Hmm, so that reports BAD on all four of my buildfarm critters :-(.
>> Ugh. I was afraid of something like that. We might need to look at
>> providing a proxy or something.
> After further fooling with this, it seems the root cause is that you
> need Perl (specifically Net::SSLeay) to be linked to OpenSSL 0.9.8
> or later.  Since we require at least 0.9.8 for PG itself, this does
> not seem like an unreasonably heavy lift.
>
> I found that some of the involved modules, particularly IO::Socket::SSL
> and LWP::Protocol::https, fail a few of their regression tests even
> with 0.9.8.  But if you tell cpan to ignore that and install them
> anyway, it seems like things work; at least, the simple test proposed
> above now works on all four of my buildfarm critters.  It will be
> interesting to see whether that equates to "buildfarm script can talk
> to https server".  Do we have any more-thorough test case available?



The test should be thorough enough. If you want to try it for real and
you're using the same that you built against, just change the URLs in
your config file, i.e.:

     sed -i -e
s,http://www.pgbuildfarm.org/,https://buildfarm.postgresql.org/,
your-config-file


cheers

andrew


--
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: [buildfarm-members] Moving to HTTPS

From
Mikael Kjellström
Date:
On 2017-01-15 14:59, Andrew Dunstan wrote:

> The test should be thorough enough. If you want to try it for real and
> you're using the same that you built against, just change the URLs in
> your config file, i.e.:
>
>     sed -i -e
> s,http://www.pgbuildfarm.org/,https://buildfarm.postgresql.org/,
> your-config-file

I tried to surf to:

https://pgbuildfarm.org/

and I am getting that the certificate is invalid.  I see that you are
using let's encrypt service for the SSL-certificate.  Just configure it
to include all the DNS-names that you are using.   Currently the
installed certificate is configured for the DNS-name:

buildfarm.postgresql.org

and with the SAN:

DNS Name: brentalia.postgresql.org
DNS Name: buildfarm.postgresql.org

I would suggest adding pgbuildfarm.org, www.pgbuildfarm.org etc also as
SAN:s.

It's a pity that they don't support wildcard-certs though.

/Mikael


Re: [buildfarm-members] Moving to HTTPS

From
Tom Lane
Date:
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> On 01/15/2017 03:39 AM, Tom Lane wrote:
>> ... it seems like things work; at least, the simple test proposed
>> above now works on all four of my buildfarm critters.  It will be
>> interesting to see whether that equates to "buildfarm script can talk
>> to https server".  Do we have any more-thorough test case available?

> The test should be thorough enough. If you want to try it for real and
> you're using the same that you built against, just change the URLs in
> your config file, i.e.:

>      sed -i -e
> s,http://www.pgbuildfarm.org/,https://buildfarm.postgresql.org/,
> your-config-file

Done, and all of my machines have successfully reported builds using
this URL.  I'll leave them like that unless you say I shouldn't.

            regards, tom lane


Re: [buildfarm-members] Moving to HTTPS

From
Stefan Kaltenbrunner
Date:
On 01/15/2017 03:09 PM, Mikael Kjellström wrote:
> On 2017-01-15 14:59, Andrew Dunstan wrote:
>
>> The test should be thorough enough. If you want to try it for real and
>> you're using the same that you built against, just change the URLs in
>> your config file, i.e.:
>>
>>     sed -i -e
>> s,http://www.pgbuildfarm.org/,https://buildfarm.postgresql.org/,
>> your-config-file
>
> I tried to surf to:
>
> https://pgbuildfarm.org/
>
> and I am getting that the certificate is invalid.  I see that you are
> using let's encrypt service for the SSL-certificate.  Just configure it
> to include all the DNS-names that you are using.   Currently the
> installed certificate is configured for the DNS-name:
>
> buildfarm.postgresql.org
>
> and with the SAN:
>
> DNS Name: brentalia.postgresql.org
> DNS Name: buildfarm.postgresql.org
>
> I would suggest adding pgbuildfarm.org, www.pgbuildfarm.org etc also as
> SAN:s.

Thanks for the suggestion, but that is not easily doable in our current
infrastructure - our letsencrypt deployment is fully automated and
completely integrated with our internal config management and nameserver
infrastructure and therefor only works with domains we also host and
manage through/on pginfra.




regards


Stefan


Re: [buildfarm-members] Moving to HTTPS

From
Mikael Kjellström
Date:
On 2017-01-16 10:24, Stefan Kaltenbrunner wrote:

>> I would suggest adding pgbuildfarm.org, www.pgbuildfarm.org etc also as
>> SAN:s.
>
> Thanks for the suggestion, but that is not easily doable in our current
> infrastructure - our letsencrypt deployment is fully automated and
> completely integrated with our internal config management and nameserver
> infrastructure and therefor only works with domains we also host and
> manage through/on pginfra.

Ok, I see.   It was only a suggestion.  Maybe it isn't that important to
use HTTPS on the pgbuildfarm-domain.

/Mikael