Makeflow: Add SSL Key/Cert for WQ/Vine (cooperative-computing-lab#3874)

* - Added support for ssl_key and ssl_cert in batch_job interface. - batch_job_{vine|work_queue}_create now use ssl in constructor. - Added Makeflow options to set ssl key and cert. * Added ssl key/cert to manual.
tphung3 · Jun 24, 2024 · 4ce19d2 · 4ce19d2
1 parent 112480d
commit 4ce19d2
Show file tree

Hide file tree

Showing 10 changed files with 77 additions and 14 deletions.
diff --git a/batch_job/src/batch_job.c b/batch_job/src/batch_job.c
@@ -88,7 +88,7 @@ void batch_job_info_delete(struct batch_job_info *info)
 	free(info);
 }
 
-struct batch_queue *batch_queue_create(batch_queue_type_t type)
+struct batch_queue *batch_queue_create(batch_queue_type_t type, const char *ssl_key_file, const char *ssl_cert_file )
 {
 	int i;
 	struct batch_queue *q;
@@ -108,7 +108,9 @@ struct batch_queue *batch_queue_create(batch_queue_type_t type)
 	batch_queue_set_feature(q, "output_directories", "yes");
 	batch_queue_set_feature(q, "batch_log_name", "%s.batchlog");
 	batch_queue_set_feature(q, "gc_size", "yes");
-
+	if(ssl_key_file) batch_queue_set_feature(q, "ssl_key_file", strdup(ssl_key_file) );
+	if(ssl_cert_file) batch_queue_set_feature(q, "ssl_cert_file", strdup(ssl_cert_file) );
+
 	q->module = NULL;
 	for (i = 0; batch_queue_modules[i]->type != BATCH_QUEUE_TYPE_UNKNOWN; i++)
 		if (batch_queue_modules[i]->type == type)

diff --git a/batch_job/src/batch_job.h b/batch_job/src/batch_job.h
@@ -80,9 +80,11 @@ void batch_job_info_delete(struct batch_job_info *info);
 
 /** Create a new batch queue.
 @param type The type of the queue.
+@param ssl_key_file The location of the queue manager's ssl key file, if it has one.
+@param ssl_key_file The location of the queue manager's ssl certiciate file, if it has one.
 @return A new batch queue object on success, null on failure.
 */
-struct batch_queue *batch_queue_create(batch_queue_type_t type);
+struct batch_queue *batch_queue_create(batch_queue_type_t type, const char *ssl_key_file, const char *ssl_cert_file );
 
 /** Submit a batch job.
 @param q The queue to submit to.

diff --git a/batch_job/src/batch_job_condor.c b/batch_job/src/batch_job_condor.c
@@ -364,7 +364,7 @@ static int batch_job_condor_remove (struct batch_queue *q, batch_job_id_t jobid)
 	}
 }
 
-static int batch_queue_condor_create (struct batch_queue *q)
+static int batch_queue_condor_create (struct batch_queue *q )
 {
 	strncpy(q->logfile, "condor.logfile", sizeof(q->logfile));
 	batch_queue_set_feature(q, "output_directories", NULL);

diff --git a/batch_job/src/batch_job_vine.c b/batch_job/src/batch_job_vine.c
@@ -181,11 +181,21 @@ static int batch_job_vine_remove (struct batch_queue *q, batch_job_id_t jobid)
 	return 0;
 }
 
-static int batch_queue_vine_create (struct batch_queue *q)
+static int batch_queue_vine_create (struct batch_queue *q )
 {
 	strncpy(q->logfile, "vine.log", sizeof(q->logfile));
-	if ((q->tv_manager = vine_create(0)) == NULL)
-		return -1;
+
+	const char *ssl_key_file = batch_queue_get_option(q,"ssl_key_file");
+	const char *ssl_cert_file = batch_queue_get_option(q,"ssl_cert_file");
+
+	if(ssl_key_file && ssl_cert_file) {
+		q->tv_manager = vine_ssl_create(0,ssl_key_file,ssl_cert_file);
+	} else {
+		q->tv_manager = vine_create(0);
+	}
+
+	if(!q->tv_manager) return -1;
+
 	vine_manager_enable_process_shortcut(q->tv_manager);
 	batch_queue_set_feature(q, "absolute_path", NULL);
 	batch_queue_set_feature(q, "remote_rename", "%s=%s");

diff --git a/batch_job/src/batch_job_work_queue.c b/batch_job/src/batch_job_work_queue.c
@@ -172,11 +172,21 @@ static int batch_job_wq_remove (struct batch_queue *q, batch_job_id_t jobid)
 	return 0;
 }
 
-static int batch_queue_wq_create (struct batch_queue *q)
+static int batch_queue_wq_create (struct batch_queue *q )
 {
 	strncpy(q->logfile, "wq.log", sizeof(q->logfile));
-	if ((q->wq_manager = work_queue_create(0)) == NULL)
-		return -1;
+
+	const char *ssl_key_file = batch_queue_get_option(q,"ssl_key_file");
+	const char *ssl_cert_file = batch_queue_get_option(q,"ssl_cert_file");
+
+	if(ssl_key_file && ssl_cert_file) {
+		q->wq_manager = work_queue_ssl_create(0,ssl_key_file,ssl_cert_file);
+	} else {
+		q->wq_manager = work_queue_create(0);
+	}
+
+	if(!q->wq_manager) return -1;
+
 	work_queue_enable_process_module(q->wq_manager);
 	batch_queue_set_feature(q, "absolute_path", NULL);
 	batch_queue_set_feature(q, "remote_rename", "%s=%s");

diff --git a/batch_job/src/vine_factory.c b/batch_job/src/vine_factory.c
@@ -1648,7 +1648,7 @@ int main(int argc, char *argv[])
 	signal(SIGTERM, handle_abort);
 	signal(SIGHUP, ignore_signal);
 
-	queue = batch_queue_create(batch_queue_type);
+	queue = batch_queue_create(batch_queue_type,0,0);
 	if(!queue) {
 		fprintf(stderr,"vine_factory: couldn't establish queue type %s",batch_queue_type_to_string(batch_queue_type));
 		return 1;

diff --git a/batch_job/src/work_queue_factory.c b/batch_job/src/work_queue_factory.c
@@ -1678,7 +1678,7 @@ int main(int argc, char *argv[])
 	signal(SIGTERM, handle_abort);
 	signal(SIGHUP, ignore_signal);
 
-	queue = batch_queue_create(batch_queue_type);
+	queue = batch_queue_create(batch_queue_type,0,0);
 	if(!queue) {
 		fprintf(stderr,"work_queue_factory: couldn't establish queue type %s",batch_queue_type_to_string(batch_queue_type));
 		return 1;

diff --git a/doc/man/m4/makeflow.m4 b/doc/man/m4/makeflow.m4
@@ -106,6 +106,8 @@ OPTION_ARG(t, keepalive-timeout, #)Work Queue keepalive timeout (default: 30s)
 OPTION_ARG(u, keepalive-interval, #)Work Queue keepalive interval (default: 120s)
 OPTION_ARG(W, schedule, mode)WorkQueue scheduling algorithm. (time|files|fcfs)
 OPTION_ARG_LONG(password, pwfile)Password file for authenticating workers.
+OPTION_ARG_LONG(ssl_cert) Set the SSL certificate file for encrypting connection.
+OPTION_ARG_LONG(ssl_key) Set the SSL certificate file for encrypting connection.
 OPTION_FLAG_LONG(cache-mode) Control worker caching mode. (never|workflow|forever)
 OPTION_ARG_LONG(preferred-connection,connection)Indicate preferred connection. Chose one of by_ip or by_hostname. (default is by_ip)
 OPTIONS_END

diff --git a/doc/manuals/makeflow/index.md b/doc/manuals/makeflow/index.md
@@ -783,6 +783,26 @@ $ makeflow --password mypwfile ...
 $ vine_worker --password mypwfile ...
 ```
 
+### SSL Encryption
+
+We also recommend the use of SSL for encrypting the manager-worker connection
+when operating on a wide area network.
+
+If you do not have a key and certificate at hand, but you want the
+communications to be encrypted, you can create your own key and certificate like this:
+
+```sh
+openssl req -x509 -newkey rsa:4096 -keyout MY_KEY.pem -out MY_CERT.pem -sha256 -days 365 -nodes
+```
+
+To activate SSL encryption, indicate the paths to the key and certificate when
+running `makeflow` as well as the workers:
+
+```sh
+$ makeflow --ssl-key MY_KEY.pem --ssl-cert MY_CERT.pem ...
+$ vine_worker --ssl ...
+```
+
 ## Container Environments
 
 Makeflow can interoperate with a variety of container technologies, including

diff --git a/makeflow/src/makeflow.c b/makeflow/src/makeflow.c
@@ -261,6 +261,13 @@ Options related to TLQ debugging
 */
 static int tlq_port = 0;
 
+/*
+Location of SSL key and cert for use by TaskVine or Work Queue
+*/
+
+static char *ssl_key_file = 0;
+static char *ssl_cert_file = 0;
+
 /*
 If enabled, then all environment variables are sent
 from the submission site to the job execution site.
@@ -1504,6 +1511,8 @@ int main(int argc, char *argv[])
 		LONG_OPT_SINGULARITY,
 		LONG_OPT_SINGULARITY_OPT,
 		LONG_OPT_SHARED_FS,
+		LONG_OPT_SSL_KEY,
+		LONG_OPT_SSL_CERT,
 		LONG_OPT_ARCHIVE,
 		LONG_OPT_ARCHIVE_S3,
 		LONG_OPT_ARCHIVE_S3_NO_CHECK,
@@ -1583,6 +1592,8 @@ int main(int argc, char *argv[])
 		{"send-environment", no_argument, 0, LONG_OPT_SEND_ENVIRONMENT},
 		{"shared-fs", required_argument, 0, LONG_OPT_SHARED_FS},
 		{"show-output", no_argument, 0, 'O'}, // Deprecated
+		{"ssl-key", required_argument, 0, LONG_OPT_SSL_KEY},
+		{"ssl-cert", required_argument, 0, LONG_OPT_SSL_CERT},
 		{"storage-type", required_argument, 0, LONG_OPT_STORAGE_TYPE},
 		{"storage-limit", required_argument, 0, LONG_OPT_STORAGE_LIMIT},
 		{"storage-print", required_argument, 0, LONG_OPT_STORAGE_PRINT},
@@ -1933,6 +1944,12 @@ int main(int argc, char *argv[])
 					jx_insert(hook_args, jx_string("shared_fs_list"),jx_array(NULL));
 				jx_array_append(jx_lookup(hook_args, "shared_fs_list"), jx_string(optarg));
 				break;
+			case LONG_OPT_SSL_KEY:
+				ssl_key_file = optarg;
+				break;
+			case LONG_OPT_SSL_CERT:
+				ssl_cert_file = optarg;
+				break;
 			case LONG_OPT_STORAGE_TYPE:
 				if (makeflow_hook_register(&makeflow_hook_storage_allocation, &hook_args) == MAKEFLOW_HOOK_FAILURE)
 					goto EXIT_WITH_FAILURE;
@@ -2341,7 +2358,7 @@ int main(int argc, char *argv[])
 
 	printf("max running local jobs: %d\n",local_jobs_max);
 
-	remote_queue = batch_queue_create(batch_queue_type);
+	remote_queue = batch_queue_create(batch_queue_type,ssl_key_file,ssl_cert_file);
 	if(!remote_queue) {
 		fprintf(stderr, "makeflow: couldn't create batch queue.\n");
 		if(port != 0)
@@ -2417,7 +2434,7 @@ int main(int argc, char *argv[])
 	if(!batch_queue_supports_feature(remote_queue, "local_job_queue")) {
 		local_queue = 0;
 	} else {
-		local_queue = batch_queue_create(BATCH_QUEUE_TYPE_LOCAL);
+		local_queue = batch_queue_create(BATCH_QUEUE_TYPE_LOCAL,0,0);
 		if(!local_queue) {
 			fatal("couldn't create local job queue.");
 		}