Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy

Transcript of Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy

Page 1: Cloud Foundry over the Proxy

© Hitachi Solutions, Ltd. 2016. All rights reserved.

Hitachi Solutions Ltd., 2016/11/11

Toshio Maki

Cloud Foundry over the Proxy

Page 2: About me

Toshio Maki / Hitachi Solutions Ltd.

Working in the R&D division. Our missions are:
• Technical assistance
• Software productivity improvement
• Developing and operating our platform

I started with Cloud Foundry in January 2016. (In our company, we started researching it in April 2015.)

Page 3: Our platform

We are building a DevOps platform on a public cloud.
• Access is limited to our own network (not via VPN)
• Only the HTTPS protocol is permitted

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS]

Page 4: Our platform

We are building a DevOps platform on a public cloud.
• Access is limited to our own network (not via VPN)
• Only the HTTPS protocol is permitted
• Our access is restricted by a proxy with LDAP authentication

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS]

Page 5: Our problems are…

How to integrate Cloud Foundry over a proxy?

Page 6: Case 1: “cf login”

Page 7: How to integrate LDAP authentication over proxy?

We would like to use LDAP authentication. But…

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS]

Page 8: How to integrate LDAP authentication over proxy?

We would like to use LDAP authentication. But…
• We can’t move the LDAP server to the public cloud (for security reasons)

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS]

Page 9: How to integrate LDAP authentication over proxy?

We would like to use LDAP authentication. But…
• We can’t move the LDAP server to the public cloud (for security reasons)
• Cloud Foundry can’t access the LDAP server directly.

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS; the connection from the PaaS to LDAP is marked NG (blocked)]

Page 10: How to integrate LDAP authentication over proxy?

We solved this problem with SAML, via an IdP server.

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Public IaaS]

Page 11: Cloud Foundry login sequence with SAML provider

Participants: developer, OpenAM (IdP), UAA, LDAP

1. Run “cf login --sso”; it asks for a one-time passcode issued by UAA.
2. When I access UAA, it redirects me to the IdP server.
3. When I authenticate as an LDAP user, the IdP returns a SAML token.
4. I get the one-time passcode from UAA, and “cf login” succeeds.

Sequence:
- developer: Run “cf login --sso”
- developer -> UAA: Access https://login.xxxxxxxxxxxxxxx.com/passcode
- UAA -> developer: Redirect to IdP server
- developer -> OpenAM: Access the login page and enter ID/password
- OpenAM -> LDAP: Authenticate
- LDAP -> OpenAM: Success
- OpenAM -> developer: Returns SAML token
- developer -> UAA: Post SAML token to UAA
- UAA -> developer: Returns one-time passcode
- developer -> UAA: Enter one-time passcode and authenticate

The LDAP password is only ever typed into the IdP inside our network; UAA on the public cloud sees the SAML token and the passcode, not the password.

Page 12: Case 2: “cf push” and “cf logs”

Page 13: How to get stream logs via WebSocket over proxy?

“cf push/logs” does not work properly over a proxy.
• Failed to get streaming logs from doppler via WebSocket
• Proxy authentication failed
• This problem was reported as cf-cli issue #127 about a year ago

WEBSOCKET REQUEST: [2016-09-02T12:43:56+09:00]
GET /apps/a1dfce70-2517-4dab-bb3e-a79c15cc2ab1/stream HTTP/1.1
Host: wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: [PRIVATE DATA HIDDEN]

Failure:

Error dialing traffic controller server: Proxy Authentication Required.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://doppler.xxxxxxxxxxxxxxxxxxxxxx.com:443).

Page 14: How to get stream logs via WebSocket over proxy?

We found the cause of this problem.
• noaa (the log-streaming client library used by the CLI) did not support proxy credentials
• We created a patch and sent it to a Cloud Foundry committer
• In the current version this problem is fixed. (Thanks Gwenn!)

https://github.com/cloudfoundry/cli/releases/tag/v6.22.0
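What the failure above comes down to, as an added example (this is not cf CLI or noaa code): a client that tunnels a wss:// connection through an authenticating HTTP proxy has to put a Proxy-Authorization header on its CONNECT request, and has to recognise the proxy's 407 reply as "credentials missing" rather than a generic dial error. The hostnames, credentials and sample proxy replies below are constructed; dial_wss_over_proxy uses the standard library's http.client tunnel support and is the only function that touches the network.

```python
"""Dialing a wss:// traffic controller through an HTTP proxy that demands
credentials. Added example (not cf CLI / noaa code): it shows the two things
the original dialer lacked, a Proxy-Authorization header on the CONNECT
request and a distinct answer for the proxy's 407 reply. Hostnames and the
sample replies below are constructed."""
import base64
import http.client
import os
import secrets
import ssl
from urllib.parse import urlparse


def proxy_auth_header(proxy_url):
    """Basic credentials from the userinfo of e.g. http://user:pw@proxy.example:8080."""
    u = urlparse(proxy_url)
    if not u.username:
        return {}
    raw = f"{u.username}:{u.password or ''}".encode()
    return {"Proxy-Authorization": "Basic " + base64.b64encode(raw).decode()}


def build_connect_request(proxy_url, target_host, target_port):
    """CONNECT request that asks the proxy for a tunnel to the traffic controller.
    Without the Proxy-Authorization header an authenticating proxy replies 407."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    lines += [f"{k}: {v}" for k, v in proxy_auth_header(proxy_url).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify_connect_response(raw):
    """Map the proxy's reply to CONNECT onto a client decision."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed"
    code = int(parts[1])
    if code == 200:
        return "tunnel-established"
    if code == 407:
        return "proxy-auth-required"  # the condition the CLI surfaced on the slide
    return f"proxy-error-{code}"


def build_upgrade_request(path, host, port, authorization):
    """WebSocket upgrade sent inside the tunnel; same shape as the captured request."""
    key = base64.b64encode(secrets.token_bytes(16)).decode()
    lines = [f"GET {path} HTTP/1.1",
             f"Host: {host}:{port}",
             "Upgrade: websocket",
             "Connection: Upgrade",
             "Sec-WebSocket-Version: 13",
             f"Sec-WebSocket-Key: {key}",
             "Origin: http://localhost",
             f"Authorization: {authorization}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def dial_wss_over_proxy(wss_url, authorization, proxy_url=None, timeout=10):
    """Open the tunnel with http.client (it sends CONNECT plus the headers given
    to set_tunnel, then wraps TLS towards the target), then send the upgrade.
    Makes a real connection, so it is not exercised offline; connect() raises
    OSError('Tunnel connection failed: 407 ...') when credentials are missing."""
    proxy_url = proxy_url or os.environ.get("https_proxy") or os.environ.get("HTTPS_PROXY")
    target = urlparse(wss_url)
    port = target.port or 443
    ctx = ssl.create_default_context()
    if proxy_url:
        p = urlparse(proxy_url)
        conn = http.client.HTTPSConnection(p.hostname, p.port or 8080, timeout=timeout, context=ctx)
        conn.set_tunnel(target.hostname, port, headers=proxy_auth_header(proxy_url))
    else:
        conn = http.client.HTTPSConnection(target.hostname, port, timeout=timeout, context=ctx)
    conn.connect()
    conn.sock.sendall(build_upgrade_request(target.path or "/", target.hostname, port, authorization))
    return conn.sock.recv(4096)  # a healthy endpoint answers "HTTP/1.1 101 Switching Protocols"


if __name__ == "__main__":
    # Constructed proxy replies, as seen by a client that did not and did send credentials.
    print(classify_connect_response(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"))
    print(classify_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```

The proxy URL is read from https_proxy the way the cf CLI reads it, so the credentials stay out of the command line; note that a userinfo password in an environment variable is still visible to other processes of the same user, which is one reason the LDAP password on this platform is typed at a prompt instead in the SSH case below.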

Page 15: Case 3: “cf ssh”

Page 16: How to connect to Cloud Foundry via SSH over proxy?

“cf ssh” does not work in our environment.
• We cannot reach external DNS directly
• We cannot resolve the hostname
• Even if we could resolve the hostname, the proxy blocks SSH connections

% cf ssh sample-application
FAILED
Error opening SSH connection: dial tcp: lookup ssh.xxxxxxxxxxxxxx.com on 127.0.1.1:53: no such host

Page 17: How to connect to Cloud Foundry via SSH over proxy?

1. Write the hostname and IP address in /etc/hosts.

2. Get the app GUID with “cf app --guid”:

   % cf app sample-application --guid
   14ed7f28-289a-4134-8ba0-e6535f733714

3. Write the SSH configuration in ~/.ssh/config:

   Host sample-application
       HostName ssh.xxxxxxxxxxxxxx.com
       User cf:14ed7f28-289a-4134-8ba0-e6535f733714/0   # cf:$(cf app app-name --guid)/0
       Port 2222
       ProxyCommand connect -H ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:8080 %h %p

4. Get a one-time code with “cf ssh-code”:

   % cf ssh-code
   4MhakB

5. Run ssh with the proxy password and the one-time code:

   % ssh sample-application
   Enter proxy authentication password for ($LDAP_ID)@proxy.xxxxxxxxxxxxxx.co.jp:   -> Enter LDAP password
   The authenticity of host '[ssh.xxxxxxxxxxxxxx.com]:2222 (<no hostip for proxy command>)' can't be established.
   RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '[ssh.xxxxxxxxxxxxxx.com]:2222' (RSA) to the list of known hosts.
   cf:14ed7f28-289a-4134-8ba0-e6535f733714/0@ssh.xxxxxxxxxxxxxx.com's password:   -> Enter 4MhakB
   vcap@k97dor3qruf:~$

Note: with a ProxyCommand, ssh has no IP address to cross-check (“<no hostip for proxy command>”), so before answering “yes” compare the fingerprint in the prompt with the app_ssh_host_key_fingerprint that “cf curl /v2/info” reports. “cf ssh” performs this comparison itself; plain ssh through the proxy does not.

This is important to connect SSH over proxy.

Page 18: How to connect to Cloud Foundry via SSH over proxy?

(Same steps 1 to 5 as page 17.)

This is important to connect SSH over proxy. It’s so crazy!
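A helper for the manual procedure on pages 17 and 18, as an added example that is not cf CLI code. It generates the ~/.ssh/config stanza from the app GUID and the SSH endpoint the platform publishes in /v2/info, and it checks the fingerprint that ssh prints in its “authenticity of host” prompt against the published app_ssh_host_key_fingerprint, which is the comparison “cf ssh” does for you and plain ssh over a ProxyCommand cannot. The /v2/info sample, the proxy user and the hostnames are constructed.

```python
"""Companion to the manual ssh-over-ProxyCommand steps. Added example, not
cf CLI code. Builds the ~/.ssh/config stanza from the published SSH endpoint
and verifies the host-key fingerprint ssh shows against the one the platform
publishes. The /v2/info sample and hostnames below are constructed."""
import json
import re

# Constructed sample of the two fields "cf curl /v2/info" returns for app SSH.
SAMPLE_INFO = json.dumps({
    "app_ssh_endpoint": "ssh.example.com:2222",
    "app_ssh_host_key_fingerprint": "a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a",
})

# MD5 colon fingerprint (16 hex pairs), optionally prefixed "MD5:" as newer OpenSSH prints it.
MD5_FP = r"(?:MD5:)?[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){15}"


def ssh_config_stanza(alias, app_guid, info_json, proxy_user, proxy_hostport, instance=0):
    """Stanza for step 3; HostName and Port come from /v2/info instead of being hand-typed.
    proxy_user/proxy_hostport are the values that go into connect's -H argument."""
    host, port = json.loads(info_json)["app_ssh_endpoint"].rsplit(":", 1)
    return "\n".join([
        f"Host {alias}",
        f"    HostName {host}",
        f"    User cf:{app_guid}/{instance}",
        f"    Port {port}",
        f"    ProxyCommand connect -H {proxy_user}@{proxy_hostport} %h %p",
    ])


def normalize_md5_fingerprint(fp):
    """Lower-case colon form without the optional MD5: prefix; rejects anything else."""
    fp = fp.strip()
    if not re.fullmatch(MD5_FP, fp):
        raise ValueError(f"not an MD5 colon fingerprint: {fp!r}")
    return re.sub(r"^md5:", "", fp.lower())


def host_key_matches(prompt_text, info_json):
    """True only when the fingerprint in ssh's prompt equals the published one.
    Answer the 'Are you sure you want to continue connecting' question with yes
    only in that case."""
    m = re.search(r"fingerprint is (" + MD5_FP + ")", prompt_text)
    if not m:
        return False
    expected = normalize_md5_fingerprint(json.loads(info_json)["app_ssh_host_key_fingerprint"])
    return normalize_md5_fingerprint(m.group(1)) == expected


if __name__ == "__main__":
    print(ssh_config_stanza("sample-application", "14ed7f28-289a-4134-8ba0-e6535f733714",
                            SAMPLE_INFO, "alice", "proxy.example:8080"))
    # Constructed prompt line in the shape ssh printed on the slide.
    prompt = "RSA key fingerprint is a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a."
    print("answer yes" if host_key_matches(prompt, SAMPLE_INFO) else "answer no")
```

Recent OpenSSH prints SHA256 fingerprints by default; run ssh with -o FingerprintHash=md5 to get the colon form this check expects when the platform publishes an MD5 value. Once the key is confirmed, the known_hosts entry ssh writes pins it, so the prompt only reappears if the SSH proxy's key changes.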

Page 19: We are considering a simpler solution

We will set up a terminal in a Docker container.
• We can access the terminal via WebSocket over the proxy.
• Run “cf ssh” from the Docker container.

[Diagram: Developer / Our company / LDAP / Source Code Management / PaaS / drone CI/CD / Docker Cluster (cf ssh, reached over WebSocket) / Public IaaS]

Page 20: Trademarks

• Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

• Drone is a trademark or registered trademark of Drone.io in the United States and/or other countries.

• GitLab is a trademark or registered trademark of GITLAB BV CORPORATION in the United States and/or other countries.

• OpenAM is a registered trademark of Open Source Solution Technology Corporation.

• Cloud Foundry is a trademark or registered trademark of Pivotal Software, Inc. in the United States, Japan and/or other countries.
