Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
© Hitachi Solutions, Ltd. 2016. All rights reserved.
Hitachi Solutions Ltd., 2016/11/11
Toshio Maki
Cloud Foundry over the Proxy
About me

Toshio Maki / Hitachi Solutions Ltd.
Working at the R&D division
Our missions are:
• Technical assistance
• Software productivity improvement
• Develop and operate our platform
I started with Cloud Foundry in January 2016. (In our company, we started researching it in April 2015.)
Our platform

We are building a DevOps platform on a public cloud.
• Access is limited to our own network only (not VPN)
• Only the HTTPS protocol is permitted
• Our accesses are restricted by a proxy with LDAP authentication

[Diagram: developers and the LDAP server inside our company network; source code management, drone CI/CD and the PaaS on the public IaaS]
Our problems are…

How to integrate Cloud Foundry over the proxy?
Case 1: “cf login”
How to integrate LDAP authentication over the proxy?

We would like to use LDAP authentication. But…
• We can’t move the LDAP server to the public cloud (security reason)
• Cloud Foundry can’t access the LDAP server directly.

[Diagram: the direct path from the PaaS on the public IaaS to the LDAP server in our company network is marked NG]

We solved this problem using SAML by an IDP server.

[Diagram: the platform architecture with the IDP server added]
Cloud Foundry login sequence with SAML provider

1. Run “cf login --sso”; it requires a one-time token from UAA.
2. When I access UAA, it redirects to the IDP server.
3. When I authenticate as an LDAP user, the IDP returns a SAML token.
4. I get the one-time token from UAA, and “cf login” is successful.

[Sequence diagram; participants: developer, OpenAM, UAA, LDAP]
developer -> UAA: Run “cf login --sso”; access https://login.xxxxxxxxxxxxxxx.com/passcode
UAA -> developer: Redirect to IDP server
developer -> OpenAM: Access login page and insert ID/Password
OpenAM -> LDAP: Authenticate
LDAP -> OpenAM: Success
OpenAM -> developer: Returns SAML token
developer -> UAA: Post SAML token to UAA
UAA -> developer: Returns one time token
developer -> UAA: Insert one time token and authenticate
Case 2: “cf push” and “cf logs”
How to get stream logs via WebSocket over the proxy?

“cf push/logs” does not work over the proxy.
• Failed to get stream logs from doppler via WebSocket
• Failed proxy authentication
• This problem was reported as cf-cli issue #127 about 1 year ago

WEBSOCKET REQUEST: [2016-09-02T12:43:56+09:00]
GET /apps/a1dfce70-2517-4dab-bb3e-a79c15cc2ab1/stream HTTP/1.1
Host: wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: [PRIVATE DATA HIDDEN]

Failure:
Error dialing traffic controller server: Proxy Authentication Required.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443).
How to get stream logs via WebSocket over the proxy?

We have found this problem.
• Noaa does not support proxy credentials
• We created a patch and sent it to a Cloud Foundry committer
• In the current version, this problem is fixed. (Thanks Gwenn!)
https://github.com/cloudfoundry/cli/releases/tag/v6.22.0
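The “Proxy Authentication Required” above is the proxy refusing the CONNECT tunnel that the WebSocket needs, because the client sent no Proxy-Authorization header. The Go example below is added here and is not cf CLI or noaa code: it shows a minimal CONNECT through an authenticating proxy that forwards the credentials from the proxy URL’s userinfo, and reproduces the 407 offline against a constructed in-memory proxy. proxy.example.co.jp and doppler.example.com are assumed names.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)

// ProxyConnect sends "CONNECT target" through an authenticating HTTP proxy over
// rw, adding Proxy-Authorization from the userinfo of proxyURL (the LDAP id and
// password the slides pass to the proxy). The unpatched noaa client sent no such
// header, so the proxy answered 407 and "cf logs" reported the error shown above.
func ProxyConnect(rw io.ReadWriter, proxyURL *url.URL, target string) error {
	req := &http.Request{Method: http.MethodConnect, URL: &url.URL{Opaque: target},
		Host: target, Header: make(http.Header)}
	if u := proxyURL.User; u != nil {
		pass, _ := u.Password()
		cred := base64.StdEncoding.EncodeToString([]byte(u.Username() + ":" + pass))
		req.Header.Set("Proxy-Authorization", "Basic "+cred)
	}
	if err := req.Write(rw); err != nil {
		return err
	}
	// A real client keeps this buffered reader for the WebSocket upgrade that follows.
	resp, err := http.ReadResponse(bufio.NewReader(rw), req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 407 is what the unpatched CLI ran into
		return fmt.Errorf("proxy %s refused CONNECT to %s: %s", proxyURL.Host, target, resp.Status)
	}
	return nil // tunnel is up; the wss:// handshake can proceed over rw
}

// main reproduces the failure offline against a constructed in-memory proxy that answers 407.
func main() {
	client, server := net.Pipe()
	go func() {
		http.ReadRequest(bufio.NewReader(server))
		io.WriteString(server, "HTTP/1.1 407 Proxy Authentication Required\r\nContent-Length: 0\r\n\r\n")
		server.Close()
	}()
	proxy, _ := url.Parse("http://proxy.example.co.jp:8080") // assumed name, no user:pass
	fmt.Println(ProxyConnect(client, proxy, "doppler.example.com:443"))
}
```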
Case 3: “cf ssh”
How to connect to Cloud Foundry via SSH over the proxy?

“cf ssh” does not work in our environment.
• We can not connect to external DNS directly
• We can not resolve the hostname
• Even if we can resolve the hostname, the proxy blocks the SSH connection

% cf ssh sample-application
FAILED
Error opening SSH connection: dial tcp: lookup ssh.xxxxxxxxxxxxxx.com on 127.0.1.1:53: no such host
How to connect to Cloud Foundry via SSH over the proxy?

1. Write the hostname and IP address in /etc/hosts.
2. Get the app guid with “cf app --guid”.
   % cf app sample-application --guid
   14ed7f28-289a-4134-8ba0-e6535f733714
3. Write the SSH configuration in .ssh/config.
   Host sample-application
     HostName ssh.xxxxxxxxxxxxxx.com
     User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0
     Port 2222
     ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p
4. Get a one-time token with “cf ssh-code”.
   % cf ssh-code
   4MhakB
5. Run the ssh command with the proxy password and the one-time token.
   % ssh sample-application
   Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP password
   The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be established.
   RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
   cf:[email protected]'s password: -> Enter 4MhakB
   vcap@k97dor3qruf:~$
This is important to connect SSH over the proxy. It’s so crazy!
We are considering a simpler solution

We will set up a terminal in a docker container.
• We can access the terminal via WebSocket over the proxy.
• Run “cf ssh” on the docker container.

[Diagram: the platform architecture with a Docker cluster on the public IaaS; the developer reaches it via WebSocket and runs cf ssh from there]
Trademarks
• Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc in the United States and/or other countries.
• Drone is either trademarks or registered trademarks of Drone.io in the United States and/or other countries.
• GitLab is either trademarks or registered trademarks of GITLAB BV CORPORATION in the United States and/or other countries.
• OpenAM is registered trademarks of Open Source Solution Technology Corporation.
• Cloud Foundry is either trademarks or registered trademarks of Pivotal Software, Inc. in the United States, Japan and/or other countries.