
feat-420: Run docker in tls mode for secure docker communication

Open nightfury1204 opened this issue 3 years ago • 4 comments

https://github.com/convox/issues-private/issues/420

Here, a self-signed certificate is generated using an AWS CloudFormation custom resource and kept in the SSM Parameter Store. The user doesn't have to provide any parameter for this.

Tested the upgrade from the existing version to this version and the rollback from this version to the previous version.

https://user-images.githubusercontent.com/12232198/186508805-2dfce371-5622-4bb2-9452-c668254d27bd.mp4

https://user-images.githubusercontent.com/12232198/186508841-e453b353-9c03-4ffd-836c-4c0b0331eb50.mp4

nightfury1204 avatar Aug 18 '22 17:08 nightfury1204

Does the user need to pass the parameters DockerTls*? Maybe we can use StackId as the value?

@Twsouza The user doesn't have to provide this; when a user installs a v2 rack or updates a v2 rack to this version, we add it for them from our code: https://github.com/convox/rack/blob/c2d83c5685d345c6b11fb7ae49d9f7ba2f19376d/provider/aws/system.go#L235 https://github.com/convox/rack/blob/c2d83c5685d345c6b11fb7ae49d9f7ba2f19376d/provider/aws/system.go#L541

These DockerTls values come from Docker labels (if the rack is installed with this version): https://github.com/convox/rack/blob/c2d83c5685d345c6b11fb7ae49d9f7ba2f19376d/provider/aws/aws.go#L119

nightfury1204 avatar Aug 19 '22 10:08 nightfury1204

Codecov Report

Base: 36.19% // Head: 36.20% // Increases project coverage by +0.00% :tada:

Coverage data is based on head (3446a4e) compared to base (e087555). Patch coverage: 13.63% of modified lines in pull request are covered.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3568   +/-   ##
=======================================
  Coverage   36.19%   36.20%           
=======================================
  Files         168      168           
  Lines       18413    18434   +21     
=======================================
+ Hits         6665     6674    +9     
- Misses      10616    10627   +11     
- Partials     1132     1133    +1     
Impacted Files Coverage Δ
provider/aws/aws.go 23.30% <0.00%> (-2.24%) :arrow_down:
provider/aws/docker.go 66.66% <75.00%> (ø)
pkg/logstorage/logstorage.go 87.91% <0.00%> (+7.69%) :arrow_up:


codecov[bot] avatar Aug 19 '22 10:08 codecov[bot]

Is SSH working properly?

convox instances keyroll
convox instances ssh {instance-id} 

Twsouza avatar Aug 19 '22 13:08 Twsouza

@Twsouza yes ssh works

nightfury1204 avatar Aug 19 '22 14:08 nightfury1204

The aws/update test is failing for this reason: [screenshot from 2022-09-24 03-18-03]

nightfury1204 avatar Sep 23 '22 21:09 nightfury1204

@nightfury1204 I believe this change has borked convox run, convox exec, and alike:

convox exec <pid> sh --app <app>
ERROR: Get "https://10.1.2.4:2376/containers/json?all=1&filters=%7B%22label%22%3A%5B%22com.amazonaws.ecs.task-arn%3Darn%3Aaws%3Aecs%3Aus-east-1%3A924748183198%3Atask%2Fmyrack-Cluster-SUZR61FH8VHZ%2F6f2895b834cf4b09a7df955826c4adb1%22%2C%22convox.release%22%5D%7D": http: server gave HTTP response to HTTPS client

exalted avatar Oct 26 '22 10:10 exalted

> @nightfury1204 I believe this change has borked convox run, convox exec, and alike:
>
> convox exec <pid> sh --app <app>
> ERROR: Get "https://10.1.2.4:2376/containers/json?all=1&filters=%7B%22label%22%3A%5B%22com.amazonaws.ecs.task-arn%3Darn%3Aaws%3Aecs%3Aus-east-1%3A924748183198%3Atask%2Fmyrack-Cluster-SUZR61FH8VHZ%2F6f2895b834cf4b09a7df955826c4adb1%22%2C%22convox.release%22%5D%7D": http: server gave HTTP response to HTTPS client

Hey @exalted, I have tested it on one of my racks and it's working fine. If you are still facing this issue, please open a support ticket in the console (https://console.convox.com/) or use our forums: https://community.convox.com/.

nightfury1204 avatar Oct 26 '22 16:10 nightfury1204

We figured our issue was due to our custom InstanceBootCommand, which didn't include the recently added --tls --tlscacert /etc/ca.pem --tlscert /etc/cert.pem --tlskey /etc/key.pem parameters for Docker.

I wish this breaking change was mentioned in the release notes. ✌️

exalted avatar Oct 27 '22 09:10 exalted

> We figured our issue was due to our custom InstanceBootCommand, which didn't include the recently added --tls --tlscacert /etc/ca.pem --tlscert /etc/cert.pem --tlskey /etc/key.pem parameters for Docker.
>
> I wish this breaking change was mentioned in the release notes. ✌️

Thanks for pointing that out, we'll include it!

heronrs avatar Oct 27 '22 14:10 heronrs

@exalted I guess your InstanceBootCommand was overriding /etc/sysconfig/docker? Just to confirm

heronrs avatar Oct 27 '22 14:10 heronrs

@heronrs correct!

exalted avatar Oct 27 '22 14:10 exalted
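The failure in this thread and the healthy state, side by side, as an added Go example that is not convox/rack code and not code posted by anyone in this thread. It stands in for dockerd with an httptest server: mode "plain" is a host whose custom InstanceBootCommand rewrote /etc/sysconfig/docker without the --tls flags, so the daemon answers plain HTTP on the port the rack dials with https://; "tls" is the listener with --tls --tlscacert --tlscert --tlskey; "tlsverify" is what --tlsverify adds on top, a client certificate that must chain to the CA. ProbeDaemon connects the way a TLS-configured Docker client does and classifies the outcome, matching the exact error text quoted above for the plaintext case. The in-memory CA and certificates, the mode names and every function and constant name are this example's own assumptions; the rack keeps its material in SSM, which is not reproduced here. One caveat worth checking against your own boot command: in dockerd, --tls alone only encrypts the listener, while client certificates are required and verified only with --tlsverify, and whether the rack's generated command sets that flag is not visible in this thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Probe outcomes, named after the daemon-side state each one points at (names are this example's own).
const (
	ResultTLSOK       = "tls-ok"                // TLS handshake done and the API answered
	ResultPlaintext   = "plaintext-http"        // daemon is up without the --tls* flags (the error in this thread)
	ResultUntrustedCA = "untrusted-server-cert" // daemon cert was not issued by the CA the client trusts
	ResultRejected    = "rejected-by-daemon"    // alert/reset after the handshake: client cert missing or untrusted
	ResultOther       = "other-error"
)

// NewCert mints a throwaway Ed25519 cert: a self-signed "rack CA" when ca is nil, otherwise one
// issued by ca. Stand-in for the CloudFormation/SSM-generated material in the PR, not real PKI.
func NewCert(ca *tls.Certificate, cn string, eku ...x509.ExtKeyUsage) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, // where httptest listens
	}
	parent, signer := tmpl, any(key)
	if ca == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// StartDaemon simulates dockerd's API listener. "plain" is a host whose boot command lost the --tls
// flags; "tls" is --tls with the CA/cert/key flags; "tlsverify" additionally requires a client
// cert that chains to the CA, which is what --tlsverify adds on the daemon side.
func StartDaemon(mode string, ca, serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "[]") // stands in for /containers/json
	}))
	if mode == "plain" {
		srv.Start()
		return srv
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	if mode == "tlsverify" {
		srv.TLS.ClientAuth = tls.RequireAndVerifyClientCert
	}
	srv.StartTLS()
	return srv
}

// ProbeDaemon does what a Docker client with DOCKER_TLS_VERIFY does: trust only ca, present
// clientCert if given, GET the containers API over https://, and classify what came back.
func ProbeDaemon(srv *httptest.Server, ca tls.Certificate, clientCert *tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := hc.Get("https://" + srv.Listener.Addr().String() + "/containers/json?all=1")
	if err == nil {
		resp.Body.Close()
		return ResultTLSOK
	}
	var unknownCA x509.UnknownAuthorityError
	switch msg := err.Error(); {
	case strings.Contains(msg, "server gave HTTP response to HTTPS client"): // the error quoted in this thread
		return ResultPlaintext
	case errors.As(err, &unknownCA):
		return ResultUntrustedCA
	case strings.Contains(msg, "tls:"), strings.Contains(msg, "reset"), strings.Contains(msg, "EOF"), strings.Contains(msg, "pipe"):
		return ResultRejected // TLS 1.3 servers reject a missing/bad client cert only after the handshake
	}
	return ResultOther
}
```

Run ProbeDaemon against the "plain" server and you get the thread's "server gave HTTP response to HTTPS client"; against "tlsverify" without a client certificate the request never gets an API answer; against "tls" without a client certificate it succeeds, which is the point of the caveat above: if the boot command is meant to authenticate callers and not just encrypt, --tlsverify is the flag that does it.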