Bug 1256692
| Summary: | When use inconsistent owner of signer key and serial file to create certificate meet crash error | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | DeShuai Ma <dma> |
| Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | weiwei jiang <wjiang> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aos-bugs, dmcphers, wsun |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-12 17:09:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
[fedora@ip-172-18-7-137 master]$ openshift version
openshift v1.1.1-21-gbc1a879
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.2.2
[fedora@ip-172-18-7-137 master]$ ls -l ca*
-rw-r--r--. 1 fedora fedora 1066 Feb 14 05:15 ca.crt
-rw-------. 1 fedora fedora 1675 Feb 14 05:15 ca.key
-rw-r--r--. 1 root root 2 Feb 14 05:26 ca.serial.txt
[fedora@ip-172-18-7-137 master]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.18.7.137' --cert=registry.crt --key=registry.key --v=6
I0214 05:30:55.286711 8312 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc20850a0c0), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:[]string{"docker-registry.dma1.svc.cluster.local", "172.18.7.137"}, Overwrite:true, Output:(*os.File)(0xc20802e008)}
I0214 05:30:55.428845 8312 crypto.go:249] Generating server certificate in registry.crt, key in registry.key
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0xcfabfc]
goroutine 1 [running]:
github.com/openshift/origin/pkg/cmd/server/crypto.encodeCertificates(0xc2084e0560, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:467 +0x2bc
github.com/openshift/origin/pkg/cmd/server/crypto.writeCertificates(0x7fff1cc4351b, 0xc, 0xc2084e0560, 0x2, 0x2, 0x0, 0x0)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:501 +0xdf
github.com/openshift/origin/pkg/cmd/server/crypto.(*TLSCertificateConfig).writeCertConfig(0xc2083eee40, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0x0, 0x0)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:71 +0x67
github.com/openshift/origin/pkg/cmd/server/crypto.(*CA).MakeServerCert(0xc2083eae70, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0xc2083eb230, 0x1, 0x0, 0x0)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:258 +0x5b2
github.com/openshift/origin/pkg/cmd/server/admin.CreateServerCertOptions.CreateServerCert(0xc20850a0c0, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0xc20851e7a0, 0x2, 0x2, 0x1, 0x7f41701a5530, ...)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:116 +0x224
github.com/openshift/origin/pkg/cmd/server/admin.func·015(0xc208503c00, 0xc2085107e0, 0x0, 0x7)
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:59 +0x139
github.com/spf13/cobra.(*Command).execute(0xc208503c00, 0xc208510700, 0x7, 0x7, 0x0, 0x0)
/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:572 +0x82f
github.com/spf13/cobra.(*Command).ExecuteC(0xc2084e8000, 0xc208503c00, 0x0, 0x0)
/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:662 +0x4db
github.com/spf13/cobra.(*Command).Execute(0xc2084e8000, 0x0, 0x0)
/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:618 +0x3a
main.main()
/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/cmd/openshift/openshift.go:22 +0x175
goroutine 5 [syscall]:
os/signal.loop()
/usr/lib/golang/src/os/signal/signal_unix.go:21 +0x1f
created by os/signal.init·1
/usr/lib/golang/src/os/signal/signal_unix.go:27 +0x35
goroutine 10 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x4cdab20)
/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:879 +0x78
created by github.com/golang/glog.init·1
/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:410 +0x2a7
goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/usr/lib/golang/src/runtime/asm_amd64.s:2232 +0x1
This is fixed in master, but has not been tagged into a release yet. Verify this on the latest origin.
[fedora@ip-172-18-14-193 master]$ openshift version
openshift v1.1.2-301-gcf704a1
kubernetes v1.2.0-origin
etcd 2.2.2+git
[fedora@ip-172-18-14-193 master]$ ls -l ca*
-rw-r--r--. 1 fedora fedora 1070 Feb 17 04:49 ca.crt
-rw-------. 1 fedora fedora 1679 Feb 17 04:49 ca.key
-rw-r--r--. 1 root root 2 Feb 17 04:49 ca.serial.txt
[fedora@ip-172-18-14-193 master]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.18.7.137' --cert=registry.crt --key=registry.key --v=6
I0217 05:06:33.096226 6223 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc82048af00), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:[]string{"docker-registry.dma1.svc.cluster.local", "172.18.7.137"}, Overwrite:true, Output:(*os.File)(0xc82002c010)}
I0217 05:06:33.097217 6223 crypto.go:249] Generating server certificate in registry.crt, key in registry.key
I0217 05:06:33.303345 6223 create_servercert.go:121] Generated new server certificate as registry.crt, key as registry.key
F0217 05:06:33.303399 6223 helpers.go:104] error: open ca.serial.txt: permission denied
|
Description of problem: When use "oadm ca create-server-cert" to create a key and server certificate, if the owner of signer key and serial file is inconsistent, it always failed with "panic: runtime error: invalid memory address or nil pointer dereference" Version-Release number of selected component (if applicable): openshift v1.0.4-502-g96963b6 kubernetes v1.1.0-alpha.0-1605-g44c91b1 How reproducible: Always Steps to Reproduce: 1.Check the file ca privilege [fedora@ip-10-237-174-172 sample-app]$ ls -l ca.* -rw-r--r--. 1 fedora fedora 1066 Aug 25 01:49 ca.crt -rw-------. 1 fedora fedora 1675 Aug 25 01:49 ca.key -rw-r--r--. 1 fedora fedora 2 Aug 25 09:10 ca.serial.txt 2.Create a key and server certificate [fedora@ip-10-237-174-172 sample-app]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.30.24.194' --cert=registry.crt --key=registry.key --v=6 I0825 09:19:27.146680 5635 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc2080e47c0), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:util.StringList{"docker-registry.dma1.svc.cluster.local", "172.30.24.194"}, Overwrite:true, Output:(*os.File)(0xc20802e008)} I0825 09:19:27.494220 5635 crypto.go:218] Generating server certificate in registry.crt, key in registry.key I0825 09:19:27.974290 5635 create_servercert.go:121] Generated new server certificate as registry.crt, key as registry.key 3.Change ca.serial.txt owner to root:root [fedora@ip-10-237-174-172 sample-app]$ sudo chown root:root ca.serial.txt [fedora@ip-10-237-174-172 sample-app]$ ls -l ca.* -rw-r--r--. 1 fedora fedora 1066 Aug 25 01:49 ca.crt -rw-------. 1 fedora fedora 1675 Aug 25 01:49 ca.key -rw-r--r--. 1 root root 2 Aug 25 09:19 ca.serial.txt 4. Create a key and server certificate again [fedora@ip-10-237-174-172 sample-app]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.30.24.194' --cert=registry.crt --key=registry.key --v=6 I0825 09:21:09.348837 5710 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc2080e4800), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:util.StringList{"docker-registry.dma1.svc.cluster.local", "172.30.24.194"}, Overwrite:true, Output:(*os.File)(0xc20802e008)} I0825 09:21:10.129751 5710 crypto.go:218] Generating server certificate in registry.crt, key in registry.key panic: runtime error: invalid memory address or nil pointer dereference [signal 0xb code=0x1 addr=0x0 pc=0xbb979c] goroutine 1 [running]: github.com/openshift/origin/pkg/cmd/server/crypto.encodeCertificates(0xc2081fd0e0, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:429 +0x2bc github.com/openshift/origin/pkg/cmd/server/crypto.writeCertificates(0x7fff5128c547, 0xc, 0xc2081fd0e0, 0x2, 0x2, 0x0, 0x0) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:463 +0xdf github.com/openshift/origin/pkg/cmd/server/crypto.(*TLSCertificateConfig).writeCertConfig(0xc20833f200, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0x0, 0x0) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:43 +0x67 github.com/openshift/origin/pkg/cmd/server/crypto.(*CA).MakeServerCert(0xc20833ecc0, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0xc20833ecf0, 0x7fff5128c56b, 0x0, 0x0) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:227 +0x5b2 github.com/openshift/origin/pkg/cmd/server/admin.CreateServerCertOptions.CreateServerCert(0xc2080e4800, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0xc208348340, 0x2, 0x2, 0x1, 0x7f3e3215e6f0, ...) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:116 +0x224 github.com/openshift/origin/pkg/cmd/server/admin.func·013(0xc2083276c0, 0xc208320d20, 0x0, 0x7) /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:59 +0x139 github.com/spf13/cobra.(*Command).execute(0xc2083276c0, 0xc208320c40, 0x7, 0x7, 0x0, 0x0) /go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:477 +0x3d4 github.com/spf13/cobra.(*Command).Execute(0xc208036b60, 0x0, 0x0) /go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:551 +0x414 main.main() /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/cmd/openshift/openshift.go:22 +0x175 goroutine 5 [syscall]: os/signal.loop() /usr/lib/golang/src/os/signal/signal_unix.go:21 +0x1f created by os/signal.init·1 /usr/lib/golang/src/os/signal/signal_unix.go:27 +0x35 goroutine 8 [chan receive]: github.com/golang/glog.(*loggingT).flushDaemon(0x401e4a0) /go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:879 +0x78 created by github.com/golang/glog.init·1 /go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:410 +0x2a7 goroutine 17 [syscall, locked to thread]: runtime.goexit() /usr/lib/golang/src/runtime/asm_amd64.s:2232 +0x1 Actual results: 4.crash with error "panic: runtime error: invalid memory address or nil pointer dereference" Expected results: 4.Should not fail or tip info not crash. Additional info: