Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Download as PPTX, PDF0 likes7,997 views
Toshio Maki of Hitachi Solutions discusses integrating Cloud Foundry with their company's development platform running on public cloud infrastructure behind a proxy. They solved issues with authentication (using SAML), getting application logs (fixing a proxy authentication bug), and SSH access (using a custom ProxyCommand). They are now considering running a Docker container with a terminal to simplify SSH access over the proxy.
![© Hitachi Solutions, Ltd. 2016. All rights reserved.
How to get stream logs via WebSocket over proxy?
12
“cf push/logs” does not work fine when over proxy.
• Failed to get stream logs from doppler via WebSocket
• Failed to proxy authentication
• This problem was reported cf-cli issues#127 about 1 year ago
WEBSOCKET REQUEST: [2016-09-02T12:43:56+09:00]
GET /apps/a1dfce70-2517-4dab-bb3e-a79c15cc2ab1/stream HTTP/1.1
Host: wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: [PRIVATE DATA HIDDEN]
失敗
Error dialing traffic controller server: Proxy Authentication Required.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller
is wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443).](https://image.slidesharecdn.com/cloudfoundrydaylt-161112134838/85/Cloud-Foundry-Day-in-Tokyo-Lightning-Talk-Cloud-Foundry-over-the-Proxy-13-320.jpg)
![© Hitachi Solutions, Ltd. 2016. All rights reserved.
How to connect Cloud Foundry via SSH over proxy?
16
1. Write hostname and IP address in /etc/hosts.
2. Get app guid by “cf app --guid”
% cf app sample-application --guid
14ed7f28-289a-4134-8ba0-e6535f733714
3. Write SSH configuration in .ssh/config.
Host sample-application
HostName ssh.xxxxxxxxxxxxxx.com
User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0
Port 2222
ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p
4. Get one time token by “cf ssh-code”.
% cf ssh-code
4MhakB
5. Run ssh command with proxy password and one time token
% ssh sample-application
Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP
password
The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be
established.
RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
This is important to connect SSH over proxy.](https://image.slidesharecdn.com/cloudfoundrydaylt-161112134838/85/Cloud-Foundry-Day-in-Tokyo-Lightning-Talk-Cloud-Foundry-over-the-Proxy-17-320.jpg)
![© Hitachi Solutions, Ltd. 2016. All rights reserved.
How to connect Cloud Foundry via SSH over proxy?
17
1. Write hostname and IP address in /etc/hosts.
2. Get app guid by “cf app --guid”
% cf app sample-application --guid
14ed7f28-289a-4134-8ba0-e6535f733714
3. Write SSH configuration in .ssh/config.
Host sample-application
HostName ssh.xxxxxxxxxxxxxx.com
User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0
Port 2222
ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p
4. Get one time token by “cf ssh-code”.
% cf ssh-code
4MhakB
5. Run ssh command with proxy password and one time token
% ssh sample-application
Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP
password
The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be
established.
RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
This is important to connect SSH over proxy.
It’s so crazy!](https://image.slidesharecdn.com/cloudfoundrydaylt-161112134838/85/Cloud-Foundry-Day-in-Tokyo-Lightning-Talk-Cloud-Foundry-over-the-Proxy-18-320.jpg)
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
- 1. © Hitachi Solutions, Ltd. 2016. All rights reserved. Hitachi Solutions Ltd., 2016/11/11 Toshio Maki Cloud Foundry over the Proxy
- 2. © Hitachi Solutions, Ltd. 2016. All rights reserved. Toshio Maki / Hitachi Solutions Ltd., Working at R&D division Our missions are • Technical assistance • Software productivity improvement • Develop and operate our platform I started Cloud Foundry at Jan 2016. (In our company, we started researching from April 2015.) 1 About me
- 3. © Hitachi Solutions, Ltd. 2016. All rights reserved. Our platform 2 We are building DevOps platform on Public Cloud. • Limit access only our network (not VPN) • Permit only HTTPS protocol Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD Public IaaS
- 4. © Hitachi Solutions, Ltd. 2016. All rights reserved. Our platform 3 We are building DevOps platform on Public Cloud. • Limit access only our network (not VPN) • Permit only HTTPS protocol • Our accesses are restricted by Proxy with LDAP authentication Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD Public IaaS
- 5. © Hitachi Solutions, Ltd. 2016. All rights reserved. Our problems are… 4 How to integrate Cloud Foundry over proxy?
- 6. © Hitachi Solutions, Ltd. 2016. All rights reserved. Case 1: “cf login” 5
- 7. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to integrate LDAP authentication over proxy? 6 We would like to use LDAP authentication. But… Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD Public IaaS
- 8. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to integrate LDAP authentication over proxy? 7 We would like to use LDAP authentication. But… • We can’t move LDAP server to Public Cloud(security reason) Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD Public IaaS
- 9. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to integrate LDAP authentication over proxy? 8 We would like to use LDAP authentication. But… • We can’t move LDAP server to Public Cloud(security reason) • Cloud Foundry can’t access LDAP server directly. Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD NG Public IaaS
- 10. © Hitachi Solutions, Ltd. 2016. All rights reserved. 9 Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD We solved this problem using SAML by IDP server How to integrate LDAP authentication over proxy? Public IaaS
- 11. © Hitachi Solutions, Ltd. 2016. All rights reserved. Cloud Foundry login sequence with SAML provider 10 developer OpenAM UAALDAP 1. Run “cf login --sso” and it requires one time token from uaa. 2. When I access uaa, redirect to IDP server. 3. When I authenticate LDAP user, IDP returns SAML token. 4. I get one time token from uaa, and “cf login” is successful. Run “cf login --sso” Access https://login.xxxxxxxxxxxxxxx.com/passcode Redirect to IDP server Access Login page and insert ID/Password Authenticate Success Post SAML token to UAA Returns one time token Insert one time token and authenticate Returns SAML Token
- 12. © Hitachi Solutions, Ltd. 2016. All rights reserved. Case 2: “cf push” and “cf logs” 11
- 13. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to get stream logs via WebSocket over proxy? 12 “cf push/logs” does not work fine when over proxy. • Failed to get stream logs from doppler via WebSocket • Failed to proxy authentication • This problem was reported cf-cli issues#127 about 1 year ago WEBSOCKET REQUEST: [2016-09-02T12:43:56+09:00] GET /apps/a1dfce70-2517-4dab-bb3e-a79c15cc2ab1/stream HTTP/1.1 Host: wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 13 Sec-WebSocket-Key: [HIDDEN] Origin: http://localhost Authorization: [PRIVATE DATA HIDDEN] 失敗 Error dialing traffic controller server: Proxy Authentication Required. Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443).
- 14. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to get stream logs via WebSocket over proxy? 13 We have found this problem. • Noaa is not supported proxy credentials • We created a patch and send to Cloud Foundry committer • In current version, this problem is fixed. (Thanks Gwenn!) https://github.com/cloudfoundry/cli/releases/tag/v6.22.0
- 15. © Hitachi Solutions, Ltd. 2016. All rights reserved. Case 3: “cf ssh” 14
- 16. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to connect Cloud Foundry via SSH over proxy? 15 “cf ssh” does not work fine in our environment. • We can not connect external DNS directly • We can not resolve hostname • Even if we can resolve hostname, Proxy blocks SSH connection % cf ssh sample-application FAILED Error opening SSH connection: dial tcp: lookup ssh.xxxxxxxxxxxxxx.com on 127.0.1.1:53: no such host
- 17. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to connect Cloud Foundry via SSH over proxy? 16 1. Write hostname and IP address in /etc/hosts. 2. Get app guid by “cf app --guid” % cf app sample-application --guid 14ed7f28-289a-4134-8ba0-e6535f733714 3. Write SSH configuration in .ssh/config. Host sample-application HostName ssh.xxxxxxxxxxxxxx.com User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0 Port 2222 ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p 4. Get one time token by “cf ssh-code”. % cf ssh-code 4MhakB 5. Run ssh command with proxy password and one time token % ssh sample-application Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP password The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be established. RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts. This is important to connect SSH over proxy.
- 18. © Hitachi Solutions, Ltd. 2016. All rights reserved. How to connect Cloud Foundry via SSH over proxy? 17 1. Write hostname and IP address in /etc/hosts. 2. Get app guid by “cf app --guid” % cf app sample-application --guid 14ed7f28-289a-4134-8ba0-e6535f733714 3. Write SSH configuration in .ssh/config. Host sample-application HostName ssh.xxxxxxxxxxxxxx.com User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0 Port 2222 ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p 4. Get one time token by “cf ssh-code”. % cf ssh-code 4MhakB 5. Run ssh command with proxy password and one time token % ssh sample-application Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP password The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be established. RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts. This is important to connect SSH over proxy. It’s so crazy!
- 19. © Hitachi Solutions, Ltd. 2016. All rights reserved. We are considering more simple solution 18 We will set up terminal on docker container. • We can access terminal via WebSocket over proxy. • Run “cf ssh” on docker container. Developer Our company Source Code Management PaaS Developer Developer LDAP drone CI/CD Docker Cluster cf sshWebSocket Public IaaS
- 20. © Hitachi Solutions, Ltd. 2016. All rights reserved. Trademarks 19 • Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc in the United States and/or other countries. • Drone is either trademarks or registrered trademarks of Drone.io in the United States and/or other countries. • GitLab is either trademarks or registered trademarks of GITLAB BV CORPORATION in the United States and/or other countries. • OpenAM is registered trademarks of Open Source Solution Technology Corporation. • Cloud Foundry is either trademarks or registered trademarks of Pivotal Software, Inc. in the United States, Japan and/or other countries.