Mais conteúdo relacionado Semelhante a Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy (20) Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy1. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Hitachi Solutions Ltd.,
2016/11/11
Toshio Maki
Cloud Foundry over the Proxy
2. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Toshio Maki / Hitachi Solutions Ltd.,
Working at R&D division
Our missions are
• Technical assistance
• Software productivity improvement
• Develop and operate our platform
I started Cloud Foundry at Jan 2016.
(In our company, we started researching from April 2015.)
1
About me
3. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Our platform
2
We are building DevOps platform on Public Cloud.
• Limit access only our network (not VPN)
• Permit only HTTPS protocol
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
Public IaaS
4. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Our platform
3
We are building DevOps platform on Public Cloud.
• Limit access only our network (not VPN)
• Permit only HTTPS protocol
• Our accesses are restricted by Proxy with LDAP authentication
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
Public IaaS
5. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Our problems are…
4
How to integrate Cloud Foundry over proxy?
7. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to integrate LDAP authentication over proxy?
6
We would like to use LDAP authentication. But…
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
Public IaaS
8. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to integrate LDAP authentication over proxy?
7
We would like to use LDAP authentication. But…
• We can’t move LDAP server to Public Cloud(security reason)
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
Public IaaS
9. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to integrate LDAP authentication over proxy?
8
We would like to use LDAP authentication. But…
• We can’t move LDAP server to Public Cloud(security reason)
• Cloud Foundry can’t access LDAP server directly.
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
NG
Public IaaS
10. © Hitachi Solutions, Ltd. 2016. All rights reserved. 9
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
We solved this problem using SAML by IDP server
How to integrate LDAP authentication over proxy?
Public IaaS
11. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Cloud Foundry login sequence with SAML provider
10
developer OpenAM UAALDAP
1. Run “cf login --sso” and it requires one time token from uaa.
2. When I access uaa, redirect to IDP server.
3. When I authenticate LDAP user, IDP returns SAML token.
4. I get one time token from uaa, and “cf login” is successful.
Run “cf login --sso”
Access https://login.xxxxxxxxxxxxxxx.com/passcode
Redirect to IDP server
Access Login page and insert ID/Password
Authenticate
Success
Post SAML token to UAA
Returns one time token
Insert one time token and authenticate
Returns SAML Token
13. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to get stream logs via WebSocket over proxy?
12
“cf push/logs” does not work fine when over proxy.
• Failed to get stream logs from doppler via WebSocket
• Failed to proxy authentication
• This problem was reported cf-cli issues#127 about 1 year ago
WEBSOCKET REQUEST: [2016-09-02T12:43:56+09:00]
GET /apps/a1dfce70-2517-4dab-bb3e-a79c15cc2ab1/stream HTTP/1.1
Host: wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: [PRIVATE DATA HIDDEN]
失敗
Error dialing traffic controller server: Proxy Authentication Required.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller
is wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443).
14. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to get stream logs via WebSocket over proxy?
13
We have found this problem.
• Noaa is not supported proxy credentials
• We created a patch and send to Cloud Foundry committer
• In current version, this problem is fixed. (Thanks Gwenn!)
https://github.com/cloudfoundry/cli/releases/tag/v6.22.0
16. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to connect Cloud Foundry via SSH over proxy?
15
“cf ssh” does not work fine in our environment.
• We can not connect external DNS directly
• We can not resolve hostname
• Even if we can resolve hostname, Proxy blocks SSH connection
% cf ssh sample-application
FAILED
Error opening SSH connection: dial tcp: lookup ssh.xxxxxxxxxxxxxx.com on 127.0.1.1:53: no
such host
17. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to connect Cloud Foundry via SSH over proxy?
16
1. Write hostname and IP address in /etc/hosts.
2. Get app guid by “cf app --guid”
% cf app sample-application --guid
14ed7f28-289a-4134-8ba0-e6535f733714
3. Write SSH configuration in .ssh/config.
Host sample-application
HostName ssh.xxxxxxxxxxxxxx.com
User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0
Port 2222
ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p
4. Get one time token by “cf ssh-code”.
% cf ssh-code
4MhakB
5. Run ssh command with proxy password and one time token
% ssh sample-application
Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP
password
The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be
established.
RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
This is important to connect SSH over proxy.
18. © Hitachi Solutions, Ltd. 2016. All rights reserved.
How to connect Cloud Foundry via SSH over proxy?
17
1. Write hostname and IP address in /etc/hosts.
2. Get app guid by “cf app --guid”
% cf app sample-application --guid
14ed7f28-289a-4134-8ba0-e6535f733714
3. Write SSH configuration in .ssh/config.
Host sample-application
HostName ssh.xxxxxxxxxxxxxx.com
User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0 # cf:$(cf app app-name --guid)/0
Port 2222
ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p
4. Get one time token by “cf ssh-code”.
% cf ssh-code
4MhakB
5. Run ssh command with proxy password and one time token
% ssh sample-application
Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp: -> Enter LDAP
password
The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be
established.
RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
This is important to connect SSH over proxy.
It’s so crazy!
19. © Hitachi Solutions, Ltd. 2016. All rights reserved.
We are considering more simple solution
18
We will set up terminal on docker container.
• We can access terminal via WebSocket over proxy.
• Run “cf ssh” on docker container.
Developer
Our company
Source Code Management
PaaS
Developer
Developer
LDAP
drone
CI/CD
Docker Cluster
cf sshWebSocket
Public IaaS
20. © Hitachi Solutions, Ltd. 2016. All rights reserved.
Trademarks
19
• Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc in the
United States and/or other countries.
• Drone is either trademarks or registrered trademarks of Drone.io in the United States and/or
other countries.
• GitLab is either trademarks or registered trademarks of GITLAB BV CORPORATION in the
United States and/or other countries.
• OpenAM is registered trademarks of Open Source Solution Technology Corporation.
• Cloud Foundry is either trademarks or registered trademarks of Pivotal Software, Inc. in the
United States, Japan and/or other countries.