

nsqd: share TLS key with serf
mreiferson committed Apr 16, 2016
1 parent 7cf2bad commit 0ddf949
Showing 2 changed files with 49 additions and 2 deletions.
46 changes: 45 additions & 1 deletion nsqd/gossip.go
Expand Up @@ -2,6 +2,8 @@ package nsqd

import (
"bytes"
"crypto/rand"
"encoding/base64"
"encoding/json"
"net"
"os"
Expand Down Expand Up @@ -62,7 +64,8 @@ func initSerf(opts *Options,
tcpAddr *net.TCPAddr,
httpAddr *net.TCPAddr,
httpsAddr *net.TCPAddr,
broadcastAddr *net.TCPAddr) (*serf.Serf, error) {
broadcastAddr *net.TCPAddr,
key []byte) (*serf.Serf, error) {

hostname, err := os.Hostname()
if err != nil {
Expand Down Expand Up @@ -93,6 +96,9 @@ func initSerf(opts *Options,
serfConfig.MemberlistConfig.GossipInterval = 100 * time.Millisecond
serfConfig.MemberlistConfig.GossipNodes = 5
serfConfig.MemberlistConfig.LogOutput = logWriter{opts.Logger, []byte("memberlist:")}
if len(key) != 0 {
serfConfig.MemberlistConfig.SecretKey = key
}
serfConfig.EventCh = serfEventChan
serfConfig.EventBuffer = 1024
serfConfig.ReconnectTimeout = time.Hour
Expand Down Expand Up @@ -286,6 +292,13 @@ func (n *NSQD) gossipLoop() {
var topicName string
var channelName string

if n.serf.EncryptionEnabled() {
err := n.rotateGossipKey()
n.logf("FATAL: could not rotate gossip key - %s", err)
n.Exit()
return
}

regossipTicker := time.NewTicker(n.getOpts().GossipRegossipInterval)

if len(n.getOpts().GossipSeedAddresses) > 0 {
Expand Down Expand Up @@ -363,3 +376,34 @@ exit:
regossipTicker.Stop()
n.logf("GOSSIP: exiting")
}

func (n *NSQD) initialGossipKey() []byte {
var key []byte
if n.tlsConfig != nil && len(n.tlsConfig.Certificates) > 0 {
key = n.tlsConfig.Certificates[0].Leaf.Signature
}
if n.gossipKey == nil {
n.gossipKey = key
}
return key
}

func (n *NSQD) rotateGossipKey() error {
if n.gossipKey == nil {
return nil
}

key := make([]byte, 32)
_, err := rand.Reader.Read(key)
strKey := base64.StdEncoding.EncodeToString(key)
_, err = n.serf.KeyManager().InstallKey(strKey)
if err != nil {
return err
}
_, err = n.serf.KeyManager().UseKey(strKey)
if err != nil {
return err
}
_, err = n.serf.KeyManager().RemoveKey(string(n.gossipKey))
return err
}
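Review bot: In gossipLoop the rotation result is never tested — `err := n.rotateGossipKey()` is followed unconditionally by the FATAL log, `n.Exit()` and `return`, so every node with encryption enabled shuts itself down as soon as the loop starts; those three lines need to sit inside `if err != nil {`. The initial key picked in initialGossipKey is also not a secret: a certificate's Signature field is part of the certificate handed to every TLS client, it is unlikely to match the 16/24/32-byte AES key sizes memberlist accepts, and `Leaf` is nil unless tlsConfig construction elsewhere populates it (tls.LoadX509KeyPair of this era does not), so the dereference can panic — a configured shared secret, or something derived from private material, would be the safer source. rotateGossipKey drops the error from `rand.Reader.Read`, removes the old key as raw `string(n.gossipKey)` while it installs and selects the new one as base64 (`strKey`), so the RemoveKey argument is not encoded the way the sibling KeyManager calls are, and it never advances n.gossipKey to the new key, so a second rotation would try to remove the original again. gossipLoop begins before this hunk; the rotateGossipKey rewrite below addresses the last three points.
```go
func (n *NSQD) rotateGossipKey() error {
	if n.gossipKey == nil {
		return nil
	}

	key := make([]byte, 32)
	// rand.Read either fills the whole buffer or returns an error; never continue on a short read
	_, err := rand.Read(key)
	if err != nil {
		return err
	}
	strKey := base64.StdEncoding.EncodeToString(key)
	// … unchanged: InstallKey / UseKey of strKey …
	// remove the old key in the same base64 form the install/use calls expect
	_, err = n.serf.KeyManager().RemoveKey(base64.StdEncoding.EncodeToString(n.gossipKey))
	if err != nil {
		return err
	}
	// remember the key now in use so the next rotation removes the right one
	n.gossipKey = key
	return nil
}
```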
5 changes: 4 additions & 1 deletion nsqd/nsqd.go
Expand Up @@ -66,6 +66,7 @@ type NSQD struct {
serf *serf.Serf
serfEventChan chan serf.Event
gossipChan chan interface{}
gossipKey []byte
rdb *registrationdb.RegistrationDB

idChan chan MessageID
Expand Down Expand Up @@ -286,7 +287,9 @@ func (n *NSQD) Main() {
n.RealTCPAddr(),
n.RealHTTPAddr(),
httpsAddr,
broadcastAddr)
broadcastAddr,
n.initialGossipKey(),
)
if err != nil {
n.logf("FATAL: failed to initialize Serf - %s", err)
os.Exit(1)
