Add file lock for protect certs generation

2021-01-13 07:21:31 +00:00 · 2021-01-13 07:21:31 +00:00 · baf929b14e
parent 4b8b2bc6db
commit baf929b14e
6 changed files with 18 additions and 46 deletions
--- a/cmd/minikube/cmd/delete.go
+++ b/cmd/minikube/cmd/delete.go
@ -495,15 +495,6 @@ func deleteProfileDirectory(profile string) {
 			exit.Error(reason.GuestProfileDeletion, "Unable to remove machine directory", err)
 		}
 	}
-
-	certDir := filepath.Join(localpath.MiniPath(), profile)
-	if _, err := os.Stat(certDir); err == nil {
-		out.Step(style.DeletingHost, `Removing {{.directory}} ...`, out.V{"directory": certDir})
-		err := os.RemoveAll(certDir)
-		if err != nil {
-			exit.Error(reason.GuestProfileDeletion, "Unable to remove machine directory", err)
-		}
-	}
 }

 func deleteMachineDirectories(cc *config.ClusterConfig) {
--- a/cmd/minikube/cmd/docker-env.go
+++ b/cmd/minikube/cmd/docker-env.go
@ -306,7 +306,7 @@ var dockerEnvCmd = &cobra.Command{
 			ssh:       sshHost,
 			hostIP:    hostIP,
 			port:      port,
-			certsDir:  localpath.MakeMiniPath(cname),
+			certsDir:  localpath.MakeMiniPath("certs"),
 			noProxy:   noProxy,
 			username:  d.GetSSHUsername(),
 			hostname:  hostname,
--- a/go.mod
+++ b/go.mod
@ -46,6 +46,7 @@ require (
 	github.com/johanneswuerbach/nfsexports v0.0.0-20200318065542-c48c3734757f
 	github.com/juju/clock v0.0.0-20190205081909-9c5c9712527c
 	github.com/juju/errors v0.0.0-20190806202954-0232dcc7464d // indirect
+	github.com/juju/fslock v0.0.0-20160525022230-4d5c94c67b4b
 	github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8 // indirect
 	github.com/juju/mutex v0.0.0-20180619145857-d21b13acf4bf
 	github.com/juju/retry v0.0.0-20180821225755-9058e192b216 // indirect
--- a/go.sum
+++ b/go.sum
@ -720,6 +720,8 @@ github.com/juju/clock v0.0.0-20190205081909-9c5c9712527c h1:3UvYABOQRhJAApj9MdCN
 github.com/juju/clock v0.0.0-20190205081909-9c5c9712527c/go.mod h1:nD0vlnrUjcjJhqN5WuCWZyzfd5AHZAC9/ajvbSx69xA=
 github.com/juju/errors v0.0.0-20190806202954-0232dcc7464d h1:hJXjZMxj0SWlMoQkzeZDLi2cmeiWKa7y1B8Rg+qaoEc=
 github.com/juju/errors v0.0.0-20190806202954-0232dcc7464d/go.mod h1:W54LbzXuIE0boCoNJfwqpmkKJ1O4TCTZMetAt6jGk7Q=
+github.com/juju/fslock v0.0.0-20160525022230-4d5c94c67b4b h1:FQ7+9fxhyp82ks9vAuyPzG0/vVbWwMwLJ+P6yJI5FN8=
+github.com/juju/fslock v0.0.0-20160525022230-4d5c94c67b4b/go.mod h1:HMcgvsgd0Fjj4XXDkbjdmlbI505rUPBs6WBMYg2pXks=
 github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8 h1:UUHMLvzt/31azWTN/ifGWef4WUqvXk0iRqdhdy/2uzI=
 github.com/juju/loggo v0.0.0-20190526231331-6e530bcce5d8/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U=
 github.com/juju/mutex v0.0.0-20180619145857-d21b13acf4bf h1:2d3cilQly1OpAfZcn4QRuwDOdVoHsM4cDTkcKbmO760=
--- a/pkg/minikube/machine/client.go
+++ b/pkg/minikube/machine/client.go
@ -40,6 +40,7 @@ import (
 	"github.com/docker/machine/libmachine/state"
 	"github.com/docker/machine/libmachine/swarm"
 	"github.com/docker/machine/libmachine/version"
+	"github.com/juju/fslock"
 	"github.com/pkg/errors"
 	"k8s.io/klog/v2"
 	"k8s.io/minikube/pkg/minikube/command"
@ -71,6 +72,7 @@ func NewAPIClient(miniHome ...string) (libmachine.API, error) {
 		storePath:    storePath,
 		Filestore:    persist.NewFilestore(storePath, certsDir, certsDir),
 		legacyClient: NewRPCClient(storePath, certsDir),
+		flock:        fslock.New(localpath.MakeMiniPath("fileLock.txt")),
 	}, nil
 }

@ -81,6 +83,7 @@ type LocalClient struct {
 	storePath string
 	*persist.Filestore
 	legacyClient libmachine.API
+	flock        *fslock.Lock
 }

 // NewHost creates a new Host
@ -183,7 +186,16 @@ func (api *LocalClient) Create(h *host.Host) error {
 	}{
 		{
 			"bootstrapping certificates",
-			func() error { return cert.BootstrapCertificates(h.AuthOptions()) },
+			func() error {
+				// CA cert and client cert should be generated atomically, otherwise might cause bad certificate error
+				lockErr := api.flock.LockWithTimeout(time.Second * 5)
+				if lockErr != nil {
+					return fmt.Errorf("falied to acquire lock > " + lockErr.Error())
+				}
+				certErr := cert.BootstrapCertificates(h.AuthOptions())
+				api.flock.Unlock()
+				return certErr
+			},
 		},
 		{
 			"precreate",
--- a/pkg/provision/provision.go
+++ b/pkg/provision/provision.go
@ -40,7 +40,6 @@ import (
 	"k8s.io/minikube/pkg/minikube/assets"
 	"k8s.io/minikube/pkg/minikube/command"
 	"k8s.io/minikube/pkg/minikube/config"
-	"k8s.io/minikube/pkg/minikube/localpath"
 )

 // generic interface for minikube provisioner
@ -103,11 +102,7 @@ func configureAuth(p miniProvisioner) error {
 		return errors.Wrap(err, "error getting ssh hostname during provisioning")
 	}

-	//if err := copyHostCerts(authOptions); err != nil {
-	//	return err
-	//}
-
-	if err := copyCertsForDockEnv(authOptions, machineName); err != nil {
+	if err := copyHostCerts(authOptions); err != nil {
 		return err
 	}

@ -166,35 +161,6 @@ func copyHostCerts(authOptions auth.Options) error {
 	return nil
 }

-func copyCertsForDockEnv(authOptions auth.Options, machineName string) error {
-	klog.Infof("copyCertsForDockEnv")
-
-	storePath := localpath.MakeMiniPath(machineName)
-	err := os.MkdirAll(storePath, 0700)
-	if err != nil {
-		klog.Errorf("mkdir failed: %v", err)
-	}
-
-	hostCerts := map[string]string{
-		authOptions.CaCertPath:     path.Join(storePath, "ca.pem"),
-		authOptions.ClientCertPath: path.Join(storePath, "cert.pem"),
-		authOptions.ClientKeyPath:  path.Join(storePath, "key.pem"),
-	}
-
-	execRunner := command.NewExecRunner(false)
-	for src, dst := range hostCerts {
-		f, err := assets.NewFileAsset(src, path.Dir(dst), filepath.Base(dst), "0777")
-		if err != nil {
-			return errors.Wrapf(err, "open cert file: %s", src)
-		}
-		if err := execRunner.Copy(f); err != nil {
-			return errors.Wrapf(err, "transferring file: %+v", f)
-		}
-	}
-
-	return nil
-}
-
 func copyRemoteCerts(authOptions auth.Options, driver drivers.Driver) error {
 	klog.Infof("copyRemoteCerts")