Bug 1002917

Summary: ssl_to_gear does not take effect after added it into cartridge manifest
Product: OpenShift Online
Reporter: Meng Bo <bmeng>
Component: Containers
Assignee: Andy Goldstein <agoldste>
Status: CLOSED NOTABUG
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: medium
Version: 2.x
CC: agoldste, bmeng
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-09 13:18:07 UTC

Description Meng Bo 2013-08-30 08:50:33 UTC
Description of problem:
Create a custom cartridge with following ssl port settings:
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Mappings:
      - Frontend:      ""
        Backend:       ""
        Options:       { websocket: true }
      - Frontend:      "/health"
        Backend:       ""
        Options:       { health: true }
  - Private-IP-Name:   SSL_IP
    Private-Port-Name: SSL_PORT
    Private-Port:      8443
    Public-Port-Name:  SSL_PROXY_PORT
    Options:       { "ssl_to_gear": true}


Version-Release number of selected component (if applicable):
devenv_3726

How reproducible:
always

Steps to Reproduce:
1. Create an app via the download cartridge:
rhc app create app1 "https://cartreflect-claytondev.rhcloud.com/reflect?github=bmeng/bmeng_cart_perl&commit=20a46d1464376083c8cc85fbe1e1cf297caedce7"

2. Log in to the instance and check the lo connections:
#tcpdump -i lo port 8443

3. Visit https://app_url:8443/

Actual results:
There is nothing generated in step 2.

Expected results:
The internal connections should use port 8443.

Additional info:
There is no error during the app creation in platform.log:

August 30 04:35:16 INFO IPs already allocated for 8443 in gear 5220593cfce147b0de0000aa: ["127.0.253.1"]
August 30 04:35:16 INFO Created private endpoint for cart perl in gear 5220593cfce147b0de0000aa: [OPENSHIFT_PERL_SSL_IP=127.0.253.2, OPENSHIFT_PERL_SSL_PORT=8443]
August 30 04:35:16 INFO ssl_to_gear option set for the endpoint
August 30 04:35:16 INFO Shell command 'openshift-port-proxy-cfg showproxy 35561 | awk '{ print $2 }'' ran. rc=0 out=
August 30 04:35:16 INFO Shell command 'openshift-port-proxy-cfg setproxy 35561 "127.0.253.2:8443"' ran. rc=0 out=
August 30 04:35:16 INFO Created public endpoint for cart perl in gear 5220593cfce147b0de0000aa: [OPENSHIFT_PERL_SSL_PROXY_PORT=35561]
August 30 04:35:16 INFO Shell command '/sbin/runuser -s /bin/sh 5220593cfce147b0de0000aa -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c506' /bin/sh -c \"/usr/sbin/lsof -i @127.0.253.1:8080 -i @127.0.253.2:8443\""' ran. rc=1 out=

Comment 1 Andy Goldstein 2013-08-30 14:39:51 UTC
Please use a port other than 8443 - the node web proxy binds to all interfaces on port 8443 and cartridges can't use 8443.

Currently, the only thing that ssl_to_gear in the manifest does is expose any endpoint that has the option ssl_to_gear: true to the node port proxy, *** even for non-scaled apps ***. The primary feature of ssl_to_gear currently is that it creates a proxy port for that endpoint with the node port proxy for nonscaled apps (as well as for scaled).

The only way to test this currently is to validate that you can talk SSL through the proxy port. In your example above, that is port 35561.

Also, is your custom perl cartridge configured with a certificate to serve SSL?

Comment 2 Meng Bo 2013-09-02 11:21:53 UTC
After changing the manifest to the following:
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Options:       { "ssl_to_gear": true}
  - Private-IP-Name:   SSL_IP
    Private-Port-Name: SSL_PORT
    Private-Port:      15535
    Public-Port-Name:  SSL_PROXY_PORT
    Options:       { "ssl_to_gear": true}

The app has the following ports exposed:
> env|grep PORT
OPENSHIFT_PERL_SSL_PORT=15535
OPENSHIFT_PERL_SSL_PROXY_PORT=38152
OPENSHIFT_PERL_PROXY_PORT=38151
OPENSHIFT_PERL_PORT=8080

And the ports can be seen listening:
> netstat -tnl|grep 3815
tcp        0      0 10.40.93.30:38151           0.0.0.0:*                   LISTEN      
tcp        0      0 10.40.93.30:38152           0.0.0.0:*                   LISTEN   

But when I try to access the app_url over https, there is still no TCP connection detected via tcpdump.

# tcpdump -s0 -ilo port 38151 
# tcpdump -s0 -ilo port 38152


And my app is not configured with a certificate.
I only know that we can add a self-signed certificate to an alias of an application. How does certificate support work for a cartridge?

Comment 3 Andy Goldstein 2013-09-03 11:45:18 UTC
Your app has to be listening on the port in question. In this case, you need to be listening on port 15535. If your cartridge is not coded to listen on that port, attempting to access the application via OPENSHIFT_PERL_SSL_PROXY_PORT will fail.

Given that you are seeing the node port proxy listening on port 38152, that should be sufficient to consider ssl_to_gear functional (at least as it is currently implemented).
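
As an added illustration of the two points made in comments 1 and 3 (this is example code written for this page, not code from the bug report or from OpenShift): a small Ruby script that reads the Endpoints section of a cartridge manifest, lists every endpoint carrying ssl_to_gear: true together with the gear variables the node publishes for it, flags a private port that collides with the node web proxy on 8443, and then checks a gear's env and netstat output to separate "the node port proxy is listening on the public proxy port" (which is what shows ssl_to_gear took effect) from "the cartridge itself is listening on its private ip:port" (which has to be true before traffic through the proxy port can work). The Cartridge-Short-Name line, the IP variable values and the extra netstat line are assumptions constructed for the sample; the variable naming scheme OPENSHIFT_<short name>_<name> is inferred from the OPENSHIFT_PERL_* names in the report.

```ruby
require 'yaml'

# Port the node web proxy binds on all interfaces (comment 1); a cartridge
# endpoint cannot use it.
NODE_WEB_PROXY_PORT = 8443

# Constructed manifest fragment with the endpoints from comment 2. The
# Cartridge-Short-Name line is an assumption; it is what produces the
# OPENSHIFT_PERL_* variable names seen in the report.
SAMPLE_MANIFEST = <<~YAML
  Cartridge-Short-Name: PERL
  Endpoints:
    - Private-IP-Name:   IP
      Private-Port-Name: PORT
      Private-Port:      8080
      Public-Port-Name:  PROXY_PORT
      Options:       { "ssl_to_gear": true }
    - Private-IP-Name:   SSL_IP
      Private-Port-Name: SSL_PORT
      Private-Port:      15535
      Public-Port-Name:  SSL_PROXY_PORT
      Options:       { "ssl_to_gear": true }
YAML

# Constructed gear environment: the PORT variables from comment 2 plus
# assumed IP variables (the SSL one appears in the platform.log excerpt).
SAMPLE_ENV = <<~ENV
  OPENSHIFT_PERL_IP=127.0.253.1
  OPENSHIFT_PERL_PORT=8080
  OPENSHIFT_PERL_PROXY_PORT=38151
  OPENSHIFT_PERL_SSL_IP=127.0.253.2
  OPENSHIFT_PERL_SSL_PORT=15535
  OPENSHIFT_PERL_SSL_PROXY_PORT=38152
ENV

# Constructed `netstat -tnl` output: the two proxy listeners from comment 2,
# an assumed cartridge listener on the plain endpoint, and no listener on
# 15535 (the situation comment 3 diagnoses).
SAMPLE_NETSTAT = <<~NETSTAT
  tcp        0      0 10.40.93.30:38151           0.0.0.0:*                   LISTEN
  tcp        0      0 10.40.93.30:38152           0.0.0.0:*                   LISTEN
  tcp        0      0 127.0.253.1:8080            0.0.0.0:*                   LISTEN
NETSTAT

# Every endpoint carrying ssl_to_gear: true, with the gear variable names
# the node publishes for it and whether its private port collides with the
# node web proxy.
def ssl_to_gear_endpoints(manifest_text)
  manifest = YAML.safe_load(manifest_text)
  short = manifest.fetch('Cartridge-Short-Name')
  eps = Array(manifest['Endpoints']).select { |ep| (ep['Options'] || {})['ssl_to_gear'] == true }
  eps.map do |ep|
    {
      ip_var:        "OPENSHIFT_#{short}_#{ep['Private-IP-Name']}",
      port_var:      "OPENSHIFT_#{short}_#{ep['Private-Port-Name']}",
      proxy_var:     "OPENSHIFT_#{short}_#{ep['Public-Port-Name']}",
      private_port:  ep['Private-Port'],
      reserved_port: ep['Private-Port'] == NODE_WEB_PROXY_PORT
    }
  end
end

# KEY=VALUE lines -> hash.
def parse_env(text)
  text.lines.map(&:chomp).reject(&:empty?).map { |l| l.split('=', 2) }.to_h
end

# Local "ip:port" addresses in LISTEN state (4th column of netstat -tnl).
def listeners(netstat_text)
  netstat_text.lines.select { |l| l.include?('LISTEN') }.map { |l| l.split[3] }
end

# The two separate facts comment 3 distinguishes for one endpoint: the node
# port proxy listening on the public proxy port (shows ssl_to_gear took
# effect) and the cartridge process listening on its private ip:port (must
# hold before traffic through the proxy port can succeed).
def endpoint_status(endpoint, env, netstat_text)
  listening = listeners(netstat_text)
  proxy_port = env[endpoint[:proxy_var]]
  private_addr = "#{env[endpoint[:ip_var]]}:#{env[endpoint[:port_var]]}"
  {
    proxy_listening:     listening.any? { |a| a.end_with?(":#{proxy_port}") },
    cartridge_listening: listening.include?(private_addr)
  }
end

# Full report for a manifest against a gear's env and netstat output.
def report(manifest_text, env_text, netstat_text)
  env = parse_env(env_text)
  ssl_to_gear_endpoints(manifest_text).map { |ep| ep.merge(endpoint_status(ep, env, netstat_text)) }
end

if __FILE__ == $PROGRAM_NAME
  report(SAMPLE_MANIFEST, SAMPLE_ENV, SAMPLE_NETSTAT).each { |r| puts r.inspect }
end
```

Run against the sample data, the report shows both proxy ports listening (so ssl_to_gear did its job for both endpoints) but only the 8080 endpoint with a cartridge listener behind it; the SSL endpoint reports cartridge_listening false, which is exactly why a request through OPENSHIFT_PERL_SSL_PROXY_PORT would fail. Swapping the SSL endpoint's private port back to 8443 makes reserved_port true for it, reproducing the first objection in comment 1.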

Comment 4 Meng Bo 2013-09-04 11:15:53 UTC
Is it ok if I am using the default PROXY_PORT 8080 for this testing?

Like,
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Options:       { "ssl_to_gear": true}

Or must I set up the SSL_PROXY_PORT myself?

Thanks.

Comment 5 Andy Goldstein 2013-09-04 13:16:18 UTC
It's fine to use PROXY_PORT. In that case, you'd want to verify OPENSHIFT_PERL_PROXY_PORT.

Comment 6 Andy Goldstein 2013-09-06 16:40:03 UTC
I don't believe this is a bug - could you please review my comments and let me know if you disagree?

Comment 7 Andy Goldstein 2013-09-06 17:12:32 UTC
Reassigning to myself, adding needinfo flag

Comment 8 Meng Bo 2013-09-09 10:32:49 UTC
Hi Andy,

Sorry for the delayed response. According to your comments, I can see that the PROXY_PORT is listening when the ssl_to_gear flag is set for the cartridge.

It is ok for me for the current status.

Comment 9 Andy Goldstein 2013-09-09 13:18:07 UTC
Ok, thanks, I'm going to close this.