When TLS authentication (HTTPS or gRPC) is enabled on MindIE Server, the communicating client must verify the IP address in the server certificate. Because a pod's IP is dynamic, a server certificate whose subject alternative names include the podIP has to be generated when the Pod starts; this enables communication between master and slave within MindIE Server, and lets MindIE MS authenticate and validate the MindIE Server certificate. MindIE provides the certificate generation capability; the procedure is as follows.
If calling the certificate generation interface while starting the MindIE Server Pod reports "failed to read random number from system.", the cause is most likely insufficient entropy on the host: install the haveged component on the compute node to replenish entropy. For details, see the relevant section of the MindIE Installation Guide, and raise the available entropy to 4096.
Before deploying the service, prepare the CA certificate and encrypted private key for the MindIE Server service end.
Input/output configuration file for the server certificate (gen_cert.json):

{
    "ca_cert": "./security/ca/ca.pem",
    "ca_key": "./security/ca/ca.key.pem",
    "ca_key_pwd": "./security/ca/ca_passwd.txt",
    "cert_config": "./cert_info.json",
    "output_path": "./gen_cert_output",
    "kmc_ksf_master": "./tools/pmt/master/ksfa",
    "kmc_ksf_standby": "./tools/pmt/standby/ksfb"
}
Input/output configuration file for the server management-plane certificate (gen_management_cert.json):
{
    "ca_cert": "./security/ca/management_ca.pem",
    "ca_key": "./security/ca/management_ca.key.pem",
    "ca_key_pwd": "./security/ca/management_ca_passwd.txt",
    "cert_config": "./cert_info.json",
    "output_path": "./gen_cert_output",
    "kmc_ksf_master": "./tools/pmt/master/ksfa",
    "kmc_ksf_standby": "./tools/pmt/standby/ksfb"
}
Certificate information file referenced by cert_config (cert_info.json):

{
    "subject": "subject_name",
    "expired_time": 365,
    "serial_number": 123,
    "req_distinguished_name": {
        "C": "***",
        "ST": "***",
        "L": "***",
        "O": "***",
        "OU": "***",
        "CN": "***"
    },
    "alt_names": {
        "IP": [],
        "DNS": []
    }
}
Dockerfile step that restricts permissions on the CA material, key-store files and configuration, then moves them into the MindIE service directory:

RUN chmod 400 ./ca* && \
    chmod 400 ./management_ca* && \
    chmod 600 ./cert_info.json && \
    chmod 600 ./gen_management_cert.json && \
    chmod 600 ./gen_cert.json && \
    chmod 600 ./tools/pmt/master/ksfa && \
    chmod 600 ./tools/pmt/standby/ksfb && \
    mv ./ca.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./ca.key.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./ca_passwd.txt /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./management_ca.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./management_ca.key.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./management_ca_passwd.txt /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/ca && \
    mv ./tools /home/{用户名称}/Ascend/mindie/latest/mindie-service/tools && \
    mv ./gen_cert.json /home/{用户名称}/Ascend/mindie/latest/mindie-service/ && \
    mv ./gen_management_cert.json /home/{用户名称}/Ascend/mindie/latest/mindie-service/ && \
    mv ./cert_info.json /home/{用户名称}/Ascend/mindie/latest/mindie-service/
{用户名称} (user name) is the user account inside the container.
Commands run at Pod startup to generate the service and management-plane certificates with the pod IP and host IP as alternative names, and to install them under the MindIE security directory:

export WORK_DIR=/home/{用户名称}/Ascend/mindie/latest/mindie-service/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$WORK_DIR/lib
export HSECEASY_PATH=$WORK_DIR/lib
cd $WORK_DIR
chmod 500 ./bin/gen_cert
mkdir gen_cert_output

# Service certificate: signed by ca.pem, SAN = container IP plus host IP
python3 ./scripts/config_mindie_server_tls_cert.py ./ gen_cert ./gen_cert.json --ip=$MIES_CONTAINER_IP,{host_ip}
chmod 400 ./gen_cert_output/*
cp ./gen_cert_output/cert.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/certs/server.pem
cp ./gen_cert_output/cert.key.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/keys/server.key.pem
cp ./gen_cert_output/cert_passwd.txt /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/pass/mindie_server_key_pwd.txt
rm -rf ./gen_cert_output/*

# Management-plane certificate: signed by management_ca.pem, same SAN list
python3 ./scripts/config_mindie_server_tls_cert.py ./ gen_cert ./gen_management_cert.json --ip=$MIES_CONTAINER_IP,{host_ip}
chmod 400 ./gen_cert_output/*
cp ./gen_cert_output/cert.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/certs/management_server.pem
cp ./gen_cert_output/cert.key.pem /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/keys/management_server.key.pem
cp ./gen_cert_output/cert_passwd.txt /home/{用户名称}/Ascend/mindie/latest/mindie-service/security/pass/management_mindie_server_key_pwd.txt
rm -rf ./gen_cert_output/*
{host_ip}: IP address of the physical host that exposes the inference API.
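Because the master/slave and MindIE MS clients validate the server certificate by IP, a practitioner will want to confirm after the gen_cert runs that cert.pem really lists every address passed via --ip. The following is an added example, not MindIE code: a standard-library-only Python check that walks the DER subjectAltName extension; SAMPLE_EXT is a constructed extension for demonstration, not output of gen_cert.

```python
import base64
import ipaddress

SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 = subjectAltName

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_entries(der):
    """Return {'IP': [...], 'DNS': [...]} from the SAN extension of a DER certificate."""
    names = {"IP": [], "DNS": []}
    idx = der.find(SAN_OID)  # plain byte scan: adequate for a pre-flight check
    if idx < 0:
        return names
    tag, value, pos = _tlv(der, idx + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN 'critical' may precede extnValue
        tag, value, pos = _tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue after the SAN OID")
    _, general_names, _ = _tlv(value, 0)  # SEQUENCE OF GeneralName
    pos = 0
    while pos < len(general_names):
        tag, item, pos = _tlv(general_names, pos)
        if tag == 0x87:    # [7] iPAddress: 4 raw bytes (IPv4) or 16 (IPv6)
            names["IP"].append(str(ipaddress.ip_address(item)))
        elif tag == 0x82:  # [2] dNSName: IA5String
            names["DNS"].append(item.decode("ascii"))
    return names

def pem_to_der(pem):
    return base64.b64decode("".join(ln for ln in pem.splitlines() if "-----" not in ln))

def missing_ips(der, required):
    """IPs passed via --ip (pod IP, host IP) that the certificate does not list."""
    present = set(san_entries(der)["IP"])
    return [ip for ip in required if str(ipaddress.ip_address(ip)) not in present]

# Constructed sample: a bare SAN extension (not a full certificate) with iPAddress 10.0.0.5 and dNSName "mindie".
SAMPLE_EXT = bytes.fromhex(
    "0603551d11"        # extnID = subjectAltName
    "0410"              # extnValue: OCTET STRING, 16 bytes
    "300e"              # SEQUENCE OF GeneralName, 14 bytes
    "87040a000005"      # [7] iPAddress 10.0.0.5
    "82066d696e646965"  # [2] dNSName "mindie"
)
```

On a real file, missing_ips(pem_to_der(open(path).read()), [pod_ip, host_ip]) should return an empty list for both server.pem and management_server.pem before the Pod starts serving.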