meta-ibm: remove nginx from IBM platforms.
Nginx on OpenBMC has a number of issues that matter to openbmc.
1. It increases the binary size. This is an issue given that OpenBMC
targets a relatively minimal flash footprint.
2. It increases the runtime overhead. Running nginx as a reverse proxy
to the application servers causes a runtime overhead, and context switch
for every single page load, as well as an extra socket.
3. nginx doesn't implement any kind of authentication, so auth needs to
be implemented in every application server. This removes a lot of the
advantages of the reverse proxy, and duplicates a lot of code amongst
multiple application servers
4. A number of nginx parameters run from the nginx config file. Some of
these parameters (like cipher suite support) are desired to be changed
at runtime, rather than fixed at compile time.
Related to the commit here that moves the system to bmcweb:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/12933/
(From meta-ibm rev: b6639a209f0089864bef4fc86dcad97880bce682)
Change-Id: I21848eb3a8dfa85968c6c96d6a78f5145402db1d
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
(cherry picked from commit 699e296eb0dbd421bcb2fff4be9d446f47ae7195)
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
deleted file mode 100644
index 480266f..0000000
--- a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-PEM="/etc/ssl/certs/nginx/cert.pem"
-
-if [ ! -f $PEM ]; then
- openssl req -x509 -sha256 -newkey rsa:2048 -keyout $PEM -out $PEM \
- -days 3650 -subj "/O=openbmc-project.xyz/CN=localhost" \
- -nodes
-fi
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
deleted file mode 100644
index befe986..0000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ /dev/null
@@ -1,128 +0,0 @@
-
-user www-data;
-worker_processes 1;
-
-error_log stderr;
-
-pid /run/nginx/nginx.pid;
-
-
-# Nginx requires this section, even if no options
-events {
-}
-
-# Note that a lot of these settings come from the OWASP Secure
-# Configuration guide for nginx
-# https://www.owasp.org/index.php/SCG_WS_nginx
-# and the OWASP Secure Headers project
-# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
-# and the mozilla security guidelines
-# https://wiki.mozilla.org/Security/Server_Side_TLS
-
-http {
- include mime.types;
-
- # For certain locations, only allow one connection per IP
- limit_conn_zone $binary_remote_addr zone=addr:10m;
-
- # Default log format
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- # Comment out to enable access log in /var/log/nginx/
- access_log off;
-
- client_body_timeout 30;
- client_header_timeout 10;
- keepalive_timeout 5 5;
- send_timeout 30;
-
- # Do not return nginx version to clients
- server_tokens off;
-
- client_max_body_size 100k;
- client_body_buffer_size 100K;
- client_header_buffer_size 1k;
- large_client_header_buffers 4 8k;
-
- # redirect all http traffic to https
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 443 ssl;
- server_name 127.0.0.1;
-
- ssl on;
- ssl_certificate @CERTPATH@/cert.pem;
- ssl_certificate_key @CERTPATH@/cert.pem;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1.2;
- ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
- ssl_prefer_server_ciphers on;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-
- location / {
- # This location lets us serve the static pre-compressed webui
- # content (rooted at /usr/share/www). Also if the URI points to
- # something else (that is unmatched by other locations), we
- # fallback to the rest server. This approach is based on the
- # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
- root /usr/share/www;
- # For clients that support gzip encoding, serve them
- # pre-compressed gzip content. For clients that don't,
- # uncompress on the BMC. The module gunzip requires
- # gzip_static to be set to 'always'; gzip_static is the
- # module that serves compressed content for clients that
- # support gzip.
- gunzip on;
- gzip_static always;
- try_files $uri $uri/ @rest_server;
-
- add_header X-Frame-Options deny;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Content-Type-Options nosniff;
- add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'";
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- add_header Cache-Control "no-store,no-cache";
- add_header Pragma "no-cache";
- add_header Expires 0;
- }
- location @rest_server {
- # Use 127.0.0.1 instead of localhost since nginx will
- # first use ipv6 address of ::1 which the upstream server
- # is not listening on. This generates an error msg to
- # the journal. Nginx then uses the 127.0.0.1 and everything
- # works fine but want to avoid the error msg to the log.
- proxy_pass http://127.0.0.1:8081;
-
- # WebSocket support
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header X-Forwarded-For $remote_addr;
- }
- location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
- # Marked as 33MB to allow for firmware image updating and dump
- # downloads
- client_max_body_size 33M;
-
- # Only 1 connection at a time here from an IP
- limit_conn addr 1;
-
- proxy_pass http://127.0.0.1:8081;
- }
- location /redfish {
- proxy_pass http://127.0.0.1:8082;
- proxy_http_version 1.1;
- }
-
- include /etc/nginx/sites-enabled/443_*.conf;
- }
-}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.service b/meta-ibm/recipes-httpd/nginx/files/nginx.service
deleted file mode 100644
index a502026..0000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=The NGINX HTTP and reverse proxy server
-After=network.target
-
-[Service]
-Type=forking
-SyslogIdentifier=nginx
-ExecStartPre=/usr/bin/env gen-cert.sh
-ExecStartPre=-/usr/bin/env mkdir /var/volatile/nginx/
-ExecStartPre=/usr/bin/env nginx -t -p /var/volatile/nginx
-ExecStart=/usr/bin/env nginx -p /var/volatile/nginx
-ExecReload=/usr/bin/env gen-cert.sh ; /usr/bin/env kill -s HUP $MAINPID
-ExecStop=/usr/bin/env kill -s QUIT $MAINPID
-PrivateTmp=true
-# First time on system takes longer for initial setup so
-# give double normal timeout
-TimeoutStartSec=180
-
-[Install]
-WantedBy={SYSTEMD_DEFAULT_TARGET}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.socket b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
deleted file mode 100644
index 24be604..0000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Nginx
-
-[Socket]
-ListenStream=8081
-
-[Install]
-WantedBy=sockets.target
diff --git a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
deleted file mode 100644
index ee5ffd5..0000000
--- a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
+++ /dev/null
@@ -1,38 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-inherit systemd
-inherit obmc-phosphor-systemd
-
-SRC_URI += " \
- file://nginx.conf \
- file://nginx.service \
- file://gen-cert.sh \
- "
-
-RDEPENDS_${PN} += " \
- openssl-bin \
- ${VIRTUAL-RUNTIME_base-utils} \
- "
-
-EXTRA_OECONF =+ " --without-select_module --with-http_gunzip_module"
-
-SSLCERTPATH = "/etc/ssl/certs/nginx/"
-
-
-do_install_append() {
-
- install -m 644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx
- install -m 0755 ${WORKDIR}/gen-cert.sh ${D}${sbindir}/gen-cert.sh
-
- install -d ${D}${SSLCERTPATH}
- chown -R www:www-data ${D}${SSLCERTPATH}
-
-
- echo SSLCERTPATH
- echo ${SSLCERTPATH}
- sed -i 's,@CERTPATH@,${SSLCERTPATH},g' ${D}${sysconfdir}/nginx/nginx.conf
-}
-
-FILES_${PN} += " ${SSLCERTPATH} "
-
-SYSTEMD_SERVICE_${PN} += " nginx.service"
diff --git a/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend b/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
index 0b0a9c9..27c647a 100644
--- a/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
+++ b/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
@@ -1,2 +1,3 @@
RDEPENDS_${PN}-logging += "ibm-logging"
-RDEPENDS_${PN}-extras += "nginx bmcweb"
+RDEPENDS_${PN}-extras += " bmcweb"
+RDEPENDS_${PN}-remove += " phosphor-rest phosphor-gevent"
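Review bot: Dropping nginx from `RDEPENDS_${PN}-extras` also drops the hardening the deleted nginx.conf applied in front of every application server — TLS 1.2 only with a pinned cipher list, HSTS, X-Frame-Options/CSP/nosniff headers, the 80→443 redirect, the 100k default body limit and the one-connection-per-IP limit on the image-upload and dump endpoints — and nothing in this hunk or the commit message says which of these bmcweb now provides. I would state that explicitly in the commit message, e.g. `bmcweb terminates TLS itself and sets the equivalent security headers; body-size and per-IP connection limits on /upload/image and /download/dump need to be confirmed on the bmcweb side.` Separately, `RDEPENDS_${PN}-remove` reads as a runtime dependency of a package named `${PN}-remove`; if the base packagegroup recipe does not declare that package, this line is a no-op and phosphor-rest/phosphor-gevent would not actually be kept off the image — confirm against the base recipe, or use BitBake's `_remove` override if removing entries from an existing list is the intent.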
diff --git a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service b/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service
deleted file mode 100644
index 6b4e77f..0000000
--- a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Phosphor REST Server
-After=network.target
-After=obmc-webserver-pre.target
-
-[Service]
-Restart=always
-ExecStart=/usr/bin/env phosphor-gevent $APPLICATION --no-ssl
-SyslogIdentifier=phosphor-gevent
-Environment="PYTHONUNBUFFERED=1"
-EnvironmentFile={envfiledir}/obmc/wsgi_app
diff --git a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket b/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket
deleted file mode 100644
index f7fde31..0000000
--- a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Phosphor Webserver socket
-
-[Socket]
-ListenStream=127.0.0.1:8081
-
-[Install]
-WantedBy=sockets.target