Bug 1002917 - ssl_to_gear does not take effect after added it into cartridge manifest
Status: CLOSED NOTABUG
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware/OS: Unspecified / Unspecified
Priority: medium
Severity: medium
Assigned To: Andy Goldstein
QA Contact: libra bugs
Keywords: Regression
Reported: 2013-08-30 04:50 EDT by Meng Bo
Modified: 2015-05-14 19:27 EDT (History)
Last Closed: 2013-09-09 09:18:07 EDT
Type: Bug
Description Meng Bo 2013-08-30 04:50:33 EDT
Description of problem:
Create a custom cartridge with following ssl port settings:
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Mappings:
      - Frontend:      ""
        Backend:       ""
        Options:       { websocket: true }
      - Frontend:      "/health"
        Backend:       ""
        Options:       { health: true }
  - Private-IP-Name:   SSL_IP
    Private-Port-Name: SSL_PORT
    Private-Port:      8443
    Public-Port-Name:  SSL_PROXY_PORT
    Options:       { "ssl_to_gear": true}


Version-Release number of selected component (if applicable):
devenv_3726

How reproducible:
always

Steps to Reproduce:
1. Create the app via the downloadable cartridge:
rhc app create app1 "https://cartreflect-claytondev.rhcloud.com/reflect?github=bmeng/bmeng_cart_perl&commit=20a46d1464376083c8cc85fbe1e1cf297caedce7"

2. Log in to the instance and check the lo connections:
#tcpdump -i lo port 8443

3. Visit https://app_url:8443/

Actual results:
Nothing is captured in step 2.

Expected results:
The internal connections should use 8443 port.

Additional info:
There is no error during the app creation in platform.log:

August 30 04:35:16 INFO IPs already allocated for 8443 in gear 5220593cfce147b0de0000aa: ["127.0.253.1"]
August 30 04:35:16 INFO Created private endpoint for cart perl in gear 5220593cfce147b0de0000aa: [OPENSHIFT_PERL_SSL_IP=127.0.253.2, OPENSHIFT_PERL_SSL_PORT=8443]
August 30 04:35:16 INFO ssl_to_gear option set for the endpoint
August 30 04:35:16 INFO Shell command 'openshift-port-proxy-cfg showproxy 35561 | awk '{ print $2 }'' ran. rc=0 out=
August 30 04:35:16 INFO Shell command 'openshift-port-proxy-cfg setproxy 35561 "127.0.253.2:8443"' ran. rc=0 out=
August 30 04:35:16 INFO Created public endpoint for cart perl in gear 5220593cfce147b0de0000aa: [OPENSHIFT_PERL_SSL_PROXY_PORT=35561]
August 30 04:35:16 INFO Shell command '/sbin/runuser -s /bin/sh 5220593cfce147b0de0000aa -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c506' /bin/sh -c \"/usr/sbin/lsof -i @127.0.253.1:8080 -i @127.0.253.2:8443\""' ran. rc=1 out=
Comment 1 Andy Goldstein 2013-08-30 10:39:51 EDT
Please use a port other than 8443 - the node web proxy binds to all interfaces on port 8443 and cartridges can't use 8443.

Currently, the only thing that ssl_to_gear in the manifest does is expose any endpoint that has the option ssl_to_gear: true to the node port proxy, *** even for non-scaled apps ***. The primary feature of ssl_to_gear currently is that it creates a proxy port for that endpoint with the node port proxy for nonscaled apps (as well as for scaled).

The only way to test this currently is to validate that you can talk SSL through the proxy port. In your example above, that is port 35561.

Also, is your custom perl cartridge configured with a certificate to serve SSL?
Comment 2 Meng Bo 2013-09-02 07:21:53 EDT
After changing the manifest to the following:
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Options:       { "ssl_to_gear": true}
  - Private-IP-Name:   SSL_IP
    Private-Port-Name: SSL_PORT
    Private-Port:      15535
    Public-Port-Name:  SSL_PROXY_PORT
    Options:       { "ssl_to_gear": true}

The app has the following ports exposed.
> env|grep PORT
OPENSHIFT_PERL_SSL_PORT=15535
OPENSHIFT_PERL_SSL_PROXY_PORT=38152
OPENSHIFT_PERL_PROXY_PORT=38151
OPENSHIFT_PERL_PORT=8080

And I can see the ports are listening:
> netstat -tnl|grep 3815
tcp        0      0 10.40.93.30:38151           0.0.0.0:*                   LISTEN      
tcp        0      0 10.40.93.30:38152           0.0.0.0:*                   LISTEN   

But when I try to access the app_url over https, still no TCP connection can be detected via tcpdump.

# tcpdump -s0 -ilo port 38151 
# tcpdump -s0 -ilo port 38152


And my app is not configured with a certificate.
I only know that we can add a self-signed certificate to an alias of an application. How does certificate support work for a cartridge?
Comment 3 Andy Goldstein 2013-09-03 07:45:18 EDT
Your app has to be listening on the port in question. In this case, you need to be listening on port 15535. If your cartridge is not coded to listen on that port, attempting to access the application via OPENSHIFT_PERL_SSL_PROXY_PORT will fail.

Given that you are seeing the node port proxy listening on port 38152, that should be sufficient to consider ssl_to_gear functional (at least as it is currently implemented).
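As an added illustration of the two points made in Comments 1 and 3 (this is not code from the bug or from OpenShift itself): a small Ruby lint over a constructed manifest fragment that flags a Private-Port colliding with the node web proxy's 8443, reports which endpoints ssl_to_gear will make the node port proxy expose on a non-scaled app, and derives the OPENSHIFT_<CART>_<Public-Port-Name> variable to check, as Comment 5 suggests. The reserved-port constant, the helper names and the third endpoint are assumptions.

```ruby
require 'yaml'

# Port the node web proxy binds on all interfaces, so a cartridge endpoint
# must not use it (Comment 1). Treating it as a constant is an assumption.
NODE_WEB_PROXY_PORT = 8443

# Constructed manifest fragment modelled on the ones in the bug report; the
# third endpoint is added to show an endpoint without ssl_to_gear.
MANIFEST = <<~YAML
  Endpoints:
    - Private-IP-Name:   IP
      Private-Port-Name: PORT
      Private-Port:      8080
      Public-Port-Name:  PROXY_PORT
      Options:       { "ssl_to_gear": true }
    - Private-IP-Name:   SSL_IP
      Private-Port-Name: SSL_PORT
      Private-Port:      8443
      Public-Port-Name:  SSL_PROXY_PORT
      Options:       { "ssl_to_gear": true }
    - Private-IP-Name:   ADMIN_IP
      Private-Port-Name: ADMIN_PORT
      Private-Port:      9000
YAML

# One summary hash per endpoint: whether ssl_to_gear makes the node port proxy
# expose it on a non-scaled app, and whether its private port is usable at all.
def lint_endpoints(manifest_text)
  doc = YAML.safe_load(manifest_text)
  Array(doc['Endpoints']).map do |ep|
    opts = ep['Options'] || {}
    ssl  = opts['ssl_to_gear'] == true
    port = Integer(ep['Private-Port'])
    problems = []
    if port == NODE_WEB_PROXY_PORT
      problems << "Private-Port #{port} is reserved by the node web proxy"
    end
    { name: ep['Private-Port-Name'], private_port: port,
      public_name: ep['Public-Port-Name'],
      proxied_on_unscaled_app: ssl, problems: problems }
  end
end

# Gear environment variable carrying the proxy port to verify; Comment 5 names
# OPENSHIFT_PERL_PROXY_PORT for the perl cartridge's PROXY_PORT endpoint.
def proxy_port_env_var(cart_name, endpoint)
  return nil if endpoint[:public_name].nil?
  "OPENSHIFT_#{cart_name.upcase}_#{endpoint[:public_name]}"
end
```

An endpoint that passes the lint still only works if the cartridge actually listens on its Private-Port, which is the runtime condition Comment 3 describes and which a manifest check cannot prove.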
Comment 4 Meng Bo 2013-09-04 07:15:53 EDT
Is it ok, if I am using the default PROXY_PORT 8080 for this testing?

Like,
Endpoints:
  - Private-IP-Name:   IP
    Private-Port-Name: PORT
    Private-Port:      8080
    Public-Port-Name:  PROXY_PORT
    Options:       { "ssl_to_gear": true}

Or must I set up the SSL_PROXY_PORT myself?

Thanks.
Comment 5 Andy Goldstein 2013-09-04 09:16:18 EDT
It's fine to use PROXY_PORT. In that case, you'd want to verify OPENSHIFT_PERL_PROXY_PORT.
Comment 6 Andy Goldstein 2013-09-06 12:40:03 EDT
I don't believe this is a bug - could you please review my comments and let me know if you disagree?
Comment 7 Andy Goldstein 2013-09-06 13:12:32 EDT
Reassigning to myself, adding needinfo flag
Comment 8 Meng Bo 2013-09-09 06:32:49 EDT
Hi Andy,

Sorry for the delayed response. According to your comments, I can see the PROXY_PORT is listening when the ssl_to_gear flag is set for the cartridge.

It is ok for me for the current status.
Comment 9 Andy Goldstein 2013-09-09 09:18:07 EDT
Ok, thanks, I'm going to close this.
