How to access a RHDM 7.0 git repository in OCP environment? - drools-guvnor

Trying to access RHDM7 git repository hosted in an OCP environment.
This is what I have tried so far:
Create a project in my OCP instance with:
oc new-project demo-rhdm7-dtf
oc create -f https://raw.githubusercontent.com/gpe-mw-training/bxms_decision_mgmt_foundations_lab/master/resources/rhdm7-only.yaml
oc new-app --name=dm-demo -n demo-rhdm7-dtf --template=rhdm7-only -p RHT_IMAGE_STREAM_NAMESPACE=openshift -p KIE_ADMIN_PWD=test1234! -p MAVEN_REPO_PASSWORD=test1234! -p APPLICATION_NAME=demo
Notes:
rhdm7-only is a template created from github repository
the openshift namespace should include the imagestreams from https://raw.githubusercontent.com/jboss-container-images/rhdm-7-openshift-image/rhdm70-dev/rhdm70-image-streams.yaml
The Deployment configs are paused by default, please take a moment to resume the rollout.
Create a space using Decision Central. In my case I am creating the Acme space.
In the created space create a new project, in my case demoinsurance project.
Do a port-forward for the nio git ssh port: 8001. I am following this tutorial example: http://www.schabell.org/2017/03/how-to-access-jboss-brms-internal-git-repo-in-container.html
oc new-project demo-rhdm7-dtf
oc port-forward $(oc get pod -l=deploymentconfig=gpte-rhdmcentr --template='{{ range .items }} {{ .metadata.name }} {{ end }}') 8001:8001
Try to use your favorite git client and clone:
When trying to clone as in the example (using git protocol through the ssh port) I get:
git clone git://127.0.0.1:8001/Acme-myrepo
...
fatal: protocol error: bad line length character: SSH-
When trying with ssh protocol:
git clone ssh://adminUser@127.0.0.1:8001/Acme-myrepo
...
ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 8001: incorrect signature
fatal: Could not read from remote repository.
When forwarding and using git port (9418)
git clone git://127.0.0.1:9418/Acme-myrepo
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
And by the way, by checking the pod's .niogit repository you can see Acme-myrepo.git repository:
$ oc rsh $(oc get pod -l=deploymentconfig=gpte-rhdmcentr --template='{{ range .items }} {{ .metadata.name }} {{ end }}')
$ ls $JBOSS_HOME/standalone/data/bpmsuite/.niogit
Acme-myrepo.git datasets.git datasources.git myrepo.git plugins.git preferences.git security.git system.git system_ou

Please Close.
After further review:
https://github.com/jboss-container-images/rhdm-7-openshift-image/blob/rhdm70-dev/decisioncentral/image.yaml#L67
allows the use of the following environment variable in the template configuration:
JAVA_OPTS_APPEND = "-Dorg.uberfire.nio.git.ssh.algorithm=RSA"
which allows the use of the ssh protocol:
git clone ssh://#localhost:8001/
and the ssh protocol will request the password for the decision central user.
Note that there is a port-forward from the OCP pod to localhost: oc port-forward $(oc get pod -l=deploymentconfig=gpte-rhdmcentr --template='{{ range .items }} {{ .metadata.name }} {{ end }}') 8001:8001

Related

Ansible GCP dynamic inventory Failed to connect to the host via ssh Permission denied (publickey)

Configuration
I followed the steps in the below links to set up my GCP dynamic inventory.
https://docs.ansible.com/ansible/latest/scenario_guides/guide_gce.html
http://matthieure.me/2018/12/31/ansible_inventory_plugin.html
In short, it was the below steps
I installed the needed requisites.
$ pip install requests google-auth1
I created a service account with sufficient privileges and set its credentials.
I added the below to the /etc/ansible/ansible.cfg file
[inventory]
enable_plugins = gcp_compute
I created a file called hosts.gcp.yml which holds the dynamic inventory setup (as shown below):
projects:
- my-project-id
hostnames:
- name
filters: []
auth_kind: serviceaccount
service_account_file: my/credentials_path.json
keyed_groups:
- key: zone
and tried to run the below command which worked fine
macbook@MacBooks-MacBook-Pro Ansible % ansible-inventory --graph -i hosts.gcp.yml
@all:
|--@_us_central1_a:
| |--test
|--@ungrouped:
but when running the below command I got the following errors
macbook@MacBooks-MacBook-Pro Ansible % ansible -i hosts.gcp.yml all -m ping
test | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname test: nodename nor servname provided, or not known",
"unreachable": true
}
I then commented out the - name option from the hosts.gcp.yml file but got another error.
macbook@MacBooks-MacBook-Pro Ansible % ansible -i hosts.gcp.yml all -m ping
34.X.X.8 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: macbook@34.X.X.8: Permission denied (publickey).",
"unreachable": true
}
This raises the following questions
1- Is an SSH setup (creating users and copying ssh-keys) needed on the host machines when using dynamic Inventories (I don't think so)?
2- Why is ansible resorting to SSH though a dynamic Inventory is set? What if the host didn't expose SSH to the public or didn't have a public IP?
Your kind support is highly appreciated.
Thanks.
A more verbose output of the test
macbook@MacBooks-MacBook-Pro Ansible % ansible -i hosts.gcp.yml all -vvv -m ping
ansible [core 2.11.6]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/Users/macbook/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/4.7.0/libexec/lib/python3.9/site-packages/ansible
ansible collection location = /Users/macbook/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.9.7 (default, Oct 13 2021, 06:45:31) [Clang 13.0.0 (clang-1300.0.29.3)]
jinja version = 3.0.2
libyaml = True
Using /etc/ansible/ansible.cfg as config file
redirecting (type: inventory) ansible.builtin.gcp_compute to google.cloud.gcp_compute
Parsed /Users/macbook/xxxx/Projects/xxxx/Ansible/hosts.gcp.yml inventory source with ansible_collections.google.cloud.plugins.inventory.gcp_compute plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
META: ran handlers
<34.132.201.8> ESTABLISH SSH CONNECTION FOR USER: None
<34.132.201.8> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/Users/macbook/.ansible/cp/026bb454d7 34.132.201.8 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<34.X.X.8> (255, b'', b'macbook@34.X.X.8: Permission denied (publickey).\r\n')
34.X.X.8 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: macbook@34.X.X.8: Permission denied (publickey).",
"unreachable": true
}
macbook@MacBooks-MacBook-Pro Ansible % ansible -i hosts.gcp.yml all -u ansible -vvv -m ping
ansible [core 2.11.6]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/Users/macbook/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/4.7.0/libexec/lib/python3.9/site-packages/ansible
ansible collection location = /Users/macbook/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.9.7 (default, Oct 13 2021, 06:45:31) [Clang 13.0.0 (clang-1300.0.29.3)]
jinja version = 3.0.2
libyaml = True
Using /etc/ansible/ansible.cfg as config file
redirecting (type: inventory) ansible.builtin.gcp_compute to google.cloud.gcp_compute
Parsed /Users/macbook/xxxx/Projects/xxx/Ansible/hosts.gcp.yml inventory source with ansible_collections.google.cloud.plugins.inventory.gcp_compute plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
META: ran handlers
<34.132.201.8> ESTABLISH SSH CONNECTION FOR USER: ansible
<34.132.201.8> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=10 -o ControlPath=/Users/macbook/.ansible/cp/46d2477dfb 34.132.201.8 '/bin/sh -c '"'"'echo ~ansible && sleep 0'"'"''
<34.X.X.8> (255, b'', b'ansible@34.X.X.8: Permission denied (publickey).\r\n')
34.X.X.8 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ansible@34.X.X.8: Permission denied (publickey).",
"unreachable": true
}
Dynamic inventory is used only to collect data about your machines. If you want to get access to them, you should use SSH.
You must add your SSH public key to the VM's config and specify the username.
Add these lines in your ansible.cfg into the [defaults] section:
host_key_checking = false
remote_user = <username that you specify in VM's config>
private_key_file = <path to private ssh-key>
Most probably Ansible can't establish an ssh connection to the hosts (listed in hosts.gcp.yml) because they don't recognize the ssh key of the machine that tries to ping them.
Since you're using a macbook it's clear it's not a GCP VM. This means your GCP VMs don't have its public ssh key by default.
You can add your macbook's key (found in ~/.ssh/id_rsa.pub) to the list of authorized keys that all GCP VMs will accept without any action on your side.
As for the first question - it's clearly a DNS issue - however I'm not versed enough with this tool, so you'd have to tell if you can ping all the VMs using their DNS names directly from your mac's terminal. If so, then the issue will be with the Ansible configuration - otherwise it's a DNS issue that prevents your computer from using the DNS names of your VMs.
Additionally - ansible-inventory --graph -i /file/path works "offline" and will only show the structure of your inventory regardless of whether it exists or works.
There are a couple of points in your question, one about inventory and one about connections.
Inventory
Your hosts.gcp.yml file is for a dynamic inventory plugin, as you said. What that means is that Ansible will run the GCP inventory plugin using the settings in that file, and the plugin will call GCP's API and generate a list of hosts to use as inventory. What the ansible-inventory command returns is what the ansible command will use also. In the example bit of output you pasted into your question, it looks like "test" is the only host it sees.
Connections
When you run the ansible command it will run the module against each host. It will first get the hostname returned by inventory, and then connect to that host using the transport type you specified. This is true even for the ping module. From the ping module's doc page: "This is NOT ICMP ping, this is just a trivial test module that requires Python on the remote-node." Meaning, it makes a connection.
Potential Gotchas
Is inventory returning the correct hostname for your environment?
What is the connection type you're using?
As for hostname, you set "hostnames" to "name" in your inventory file. Just be sure that's right. It might not be in your case.
As for connection type, if you haven't configured it, then by default it will be "smart", which uses SSH. You can find what you're using by doing this:
ansible-config dump | grep DEFAULT_TRANSPORT
You can change the connection type with the --connection option to the ansible command, or any of the other ways ansible lets you specify config options. Connection type is set independently from inventory type. They are two separate steps. The connection type is set via config or the command line option and is not based on what inventory plugin you're using.
Your Problem
To resolve your problem, figure out what hostnames ansible-inventory is actually returning, and what connection type you're using. Then see if you can connect to that hostname using that connection type. If the hostname being returned is "test" and your connection type is "smart" or "ssh", then try actually connecting with ssh to "test". From the command line, literally do ssh test. If that succeeds, then ansible should successfully connect to that host when it's run. If that doesn't succeed, then you have to do whatever you need to do to fix it in order for ansible to run successfully. Likewise, if you set a connection plugin different from SSH, then you should try to connect to your host using whatever that connection method uses in order to ensure that those types of connections are actually working.
More info about all this can be found in ansible's user guide. See, for example, "Connecting to remote nodes".
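The last answer's advice (find out which name the inventory returns, then check that this exact name and user can be reached over SSH) can be applied to the JSON printed by ansible-inventory --list. This is an added example, not code from the thread or from Ansible; the sample inventory is constructed, its addresses are documentation-range placeholders, and the networkInterfaces / accessConfigs / natIP layout of the host variables is assumed to follow the GCE instance resource.

```python
import ipaddress
import json

# Constructed sample shaped like `ansible-inventory -i hosts.gcp.yml --list`
# output for the single host "test" from the question. The addresses are
# placeholders, not values from the page.
SAMPLE_INVENTORY = json.loads("""
{
  "_meta": {"hostvars": {
    "test": {
      "name": "test",
      "networkInterfaces": [
        {"networkIP": "10.128.0.2",
         "accessConfigs": [{"natIP": "203.0.113.8"}]}
      ]
    }
  }},
  "all": {"children": ["ungrouped", "_us_central1_a"]},
  "_us_central1_a": {"hosts": ["test"]}
}
""")


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def candidate_addresses(hostvars):
    """Collect the addresses present in the host variables (assumed layout)."""
    found = []
    for nic in hostvars.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                found.append(("natIP", cfg["natIP"]))
        if nic.get("networkIP"):
            found.append(("networkIP", nic["networkIP"]))
    return found


def connection_plan(inventory, default_user=None):
    """For each host, report what the ssh connection step will be handed.

    ansible_host overrides the inventory name as the connect target, and
    ansible_user overrides the configured remote user. A user of None means
    ssh falls back to the local login name, as in the -vvv output above.
    """
    plan = {}
    for host, hostvars in inventory["_meta"]["hostvars"].items():
        target = hostvars.get("ansible_host", host)
        plan[host] = {
            "ssh_target": target,
            "ssh_user": hostvars.get("ansible_user", default_user),
            "needs_dns": not is_ip(target),
            "known_ips": candidate_addresses(hostvars),
        }
    return plan


if __name__ == "__main__":
    for name, entry in connection_plan(SAMPLE_INVENTORY).items():
        print(name, entry)
```

A host reported with needs_dns set and a non-empty known_ips list is the first error in the question: the inventory knows an address, but the connection step is given only the instance name.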

how to run apache superset in dev mode on aws ec2

I have developed a plugin for Apache Superset, for which I followed this tutorial: https://preset.io/blog/2020-07-02-hello-world/
In this tutorial the setup only works for development environment. So I need to run the backend server and frontend server separately using these commands.
for backend:
superset run -p 8088 -h 0.0.0.0 --with-threads --reload --debugger
for frontend:
npm run dev-server
In the inbound rules of the security group for my EC2 instance, I have set a custom TCP rule that allows traffic for ports 9000 and 8088.
However, I am unable to ping publicDNS of EC2:9000.
This is not the case when I ping publicDNS of EC2:8088.
It turns out that editing the webpack.config.js file to add an additional parameter for the host, by passing devserverHost = '0.0.0.0' and then replacing 'localhost' with ${devserverHost}, solves the problem. Additionally, this also has to be done for the webpack.proxy.config.js file.

Travis CI Deploy by SSH Script/Hosts issue

I have a django site which I would like to deploy to a Digital Ocean server every time a branch is merged to master. I have it mostly working and have followed this tutorial.
.travis.yml
language: python
python:
  - '2.7'
env:
  - DJANGO_VERSION=1.10.3
addons:
  ssh_known_hosts: mywebsite.com
git:
  depth: false
before_install:
  - openssl aes-256-cbc -K *removed encryption details* -in travis_rsa.enc -out travis_rsa -d
  - chmod 600 travis_rsa
install:
  - pip install -r backend/requirements.txt
  - pip install -q Django==$DJANGO_VERSION
before_script:
  - cp backend/local.env backend/.env
script: python manage.py test
deploy:
  skip_cleanup: true
  provider: script
  script: "./travis-deploy.sh"
  on:
    all_branches: true
travis-deploy.sh - runs when the travis 'deploy' task calls it
#!/bin/bash
# print outputs and exit on first failure
set -xe
if [ $TRAVIS_BRANCH == "master" ] ; then
    # setup ssh agent, git config and remote
    echo -e "Host mywebsite.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
    eval "$(ssh-agent -s)"
    ssh-add travis_rsa
    git remote add deploy "travis@mywebsite.com:/home/dean/se_dockets"
    git config user.name "Travis CI"
    git config user.email "travis@mywebsite.com"
    git add .
    git status # debug
    git commit -m "Deploy compressed files"
    git push -f deploy HEAD:master
    echo "Git Push Done"
    ssh -i travis_rsa -o UserKnownHostsFile=/dev/null travis@mywebsite.com 'cd /home/dean/se_dockets/backend; echo hello; ./on_update.sh'
else
    echo "No deploy script for branch '$TRAVIS_BRANCH'"
fi
Everything works fine until things get to the 'deploy' stage. I keep getting error messages like:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for mywebsite.com has changed,
and the key for the corresponding IP address *REDACTED FOR STACK OVERFLOW*
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
* REDACTED FOR STACK OVERFLOW *
Please contact your system administrator.
Add correct host key in /home/travis/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/travis/.ssh/known_hosts:11
remove with: ssh-keygen -f "/home/travis/.ssh/known_hosts" -R mywebsite.com
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Script failed with status 128
INTERESTINGLY - If I re-run this job the 'git push' command will succeed at pushing to the deploy remote (my server). However, the next step in the deploy script which is to SSH into the server and run some postupdate commands will fail for the same reason (hosts fingerprint change or something). Or, it will ask for travis@mywebsite.com password (it has none) and will hang on the input prompt.
Additionally when I debug the Travis CI build and use the SSH url you're given to SSH into the machine Travis CI runs on - I can SSH into my own server from it. However it takes multiple tries to get around the errors.
So - this seems to be a fluid problem with stuff persisting from builds into the next on retries causing different errors/endings.
As you can see in my .yml file and the deploy script I have attempted to disable various host name checks and added the domain to known hosts etc... all to no avail.
I know I have things 99% set up correctly as things do mostly succeed when I retry the job a few times.
Anyone seen this before?
Cheers,
Dean
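The warning in the question names a known_hosts line number and a key type, so the entries stored for the host can be compared with a fingerprint taken out of band on the server (for example with ssh-keygen -l -f on its host public key file). This is an added example, not code from the post or from Travis CI; the known_hosts content is constructed from placeholder bytes, and the pinned value stands in for the fingerprint read on the server.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def sample_entry(host, key_type, key_bytes):
    """Build a known_hosts line from placeholder key bytes (constructed data)."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def names_host(field, host):
    """True if a known_hosts host field names host (plain or |1| hashed form)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt, digest = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
            if hmac.compare_digest(mac.digest(), base64.b64decode(digest)):
                return True
        elif pattern == host:
            return True
    return False


def audit(known_hosts_text, host, pinned):
    """List (line, key type, fingerprint, verdict) for every entry naming host.

    pinned maps key type -> fingerprint obtained out of band from the server.
    Marker lines (@cert-authority, @revoked) and wildcards are not handled.
    """
    report = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if not names_host(parts[0], host):
            continue
        found = fingerprint(parts[2])
        expected = pinned.get(parts[1])
        if expected is None:
            verdict = "no pin for this key type"
        else:
            verdict = "ok" if expected == found else "MISMATCH"
        report.append((number, parts[1], found, verdict))
    return report


# Constructed sample: placeholder bytes stand in for real key material.
CURRENT_ECDSA = sample_entry("mywebsite.com", "ecdsa-sha2-nistp256", b"current-key")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    sample_entry("mywebsite.com", "ssh-rsa", b"stale-key"),
    sample_entry("other.example", "ssh-ed25519", b"unrelated"),
    sample_entry("mywebsite.com", "ecdsa-sha2-nistp256", b"old-ecdsa-key"),
])
PINNED = {"ecdsa-sha2-nistp256": fingerprint(CURRENT_ECDSA.split()[2])}

if __name__ == "__main__":
    for row in audit(SAMPLE_KNOWN_HOSTS, "mywebsite.com", PINNED):
        print(row)
```

An entry reported as MISMATCH is the one to replace with the key whose fingerprint was read on the server, which keeps host key verification in place for the deploy step.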

Docker - Cant access docker port from outside

So I created a new EC2 instance and installed docker on it.
I deployed code from ( https://github.com/commonsearch/cosr-front/blob/master/INSTALL.md ) and followed the install instructions.
The install was successful and I started the server:
[ec2-user@ip-172-30-0-127 cosr-front]$ make docker_devserver
docker run -e DOCKER_HOST --rm -v "/home/ec2-user/cosr-front:/go/src/github.com/commonsearch/cosr-front:rw" -w /go/src/github.com/commonsearch/cosr-front -p 9700:9700 -i -t commonsearch/local-front make devserver
mkdir -p build
go build -o build/cosr-front.bin ./server
GODEBUG=gctrace=1 COSR_DEBUG=1 ./build/cosr-front.bin
2016/05/28 16:32:38 Using Docker host IP: 172.17.0.1
2016/05/28 16:32:38 Server listening on 127.0.0.1:9700 - You should open http://127.0.0.1:9700 in your browser!
Well, now when I want to access it from outside, I can't! I can't even curl the local server.
When I run docker ps it gives me the correct port forwarding:
[ec2-user@ip-172-30-0-127 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1a9f77e1eeb1 commonsearch/local-front "make devserver" 4 minutes ago Up 4 minutes 0.0.0.0:9700->9700/tcp stoic_hopper
9ff00fe3e70d commonsearch/local-elasticsearch-devindex "/docker-entrypoint.s" 4 minutes ago Up 4 minutes 0.0.0.0:39200->9200/tcp, 0.0.0.0:39300->9300/tcp kickass_wilson
These are my docker images:
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
<none> <none> 3e205118cd3f 17 minutes ago 853.3 MB
<none> <none> 1d233da1fa59 2 hours ago 955.7 MB
debian jessie ce58426c830c 4 days ago 125.1 MB
commonsearch/local-front latest 30de7ab48d43 7 weeks ago 1.024 GB
commonsearch/local-elasticsearch-devindex latest b1156ada5a24 11 weeks ago 383.2 MB
commonsearch/local-elasticsearch latest 808e72f49b4a 3 months ago 355.2 MB
I have tried disabling ipv6 and all kinds of nonsense Google offered me, but without success.
Any ideas?
EDIT:
Also, if I enter the docker container for the frontend (using docker exec), then I CAN PING AND CURL the frontend.
But I can't from the outside (neither via ssh, nor from my home PC using a browser).
Also my docker version:
Client:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5/1.9.1
Built:
OS/Arch: linux/amd64
Server:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5/1.9.1
Built:
OS/Arch: linux/amd64
I made an issue at GitHub as well and one guy saved the day.
Here's his response:
Server listening on 127.0.0.1:9700
Your application is listening on localhost. localhost is scoped to the container itself. Thus to be able to connect to it, you would have to be inside the container.
To fix, you need to get your application to listen on 0.0.0.0 instead.
127.0.0.1 is the loopback address for the local (EC2) instance. I just recreated your problem following the same instructions and setting up the server in a docker container on an EC2 instance.
If you open another ssh session to your EC2 instance you CAN curl the loopback address, which just spits out the HTML shown below.
<!DOCTYPE html><html lang="en"><head><title>
Common Search
</title><meta content="/apple-touch-icon-precomposed.png" itemprop="image"><link href="/favicon.ico" rel="shortcut icon"><!-- CSS: This will be replaced in templates.go:preprocessTemplate() by the inline, compiled CSS
if the file build/static/css/index.css exists --><link rel="stylesheet" href="/css/global.css"/><link rel="stylesheet" href="/css/header.css"/><link rel="stylesheet" href="/css/footer.css"/><link rel="stylesheet" href="/css/hits.css"/><link rel="stylesheet" href="/css/responsive.css"/><!-- ENDCSS --><meta name="viewport" content="width=device-width, initial-scale=1"></head><body class="full"><header id="h"><div class="about">About</div><form id="f" action="/" method="GET" data-init="{"q":"","p":1,"g":""}">Common Search<div id="w"><div id="qw"><input id="q" name="q" type="text" size="60" value="" autofocus tabindex="3"/></div><span id="g"><select name="g" tabindex="4"><option value="ar">AR</option><option value="de">DE</option><option selected value="en">EN</option><option value="es">ES</option><option value="fr">FR</option><option value="it">IT</option><option value="ja">JA</option><option value="ko">KO</option><option value="nl">NL</option><option value="pl">PL</option><option value="pt">PT</option><option value="ru">RU</option><option value="vi">VI</option><option value="zh">ZH</option><option value="all">ALL</option></select></span><input id="s" type="submit" value="🔍" tabindex="5"/></div></form></header><div id="hits"></div><div id="dbg"></div><div id="pager" data-page="1"></div><script src="/js/index.js" type="text/javascript"></script></body></html>
However I doubt this is what you actually want..
If you want to be able to access the hosted server from your (or any other) computer you need to edit the security group for your EC2 instance.
From the nav bar on the left side of the AWS console, select Network & Security -> Security Groups. Select the security group that applies to your current EC2 instance (assuming you made it with the launch wizard, it will have a name like: 'launch-wizard-1 created 2016-05-28T12:57:23.487-04:00'). In the lower half of the console, select the Inbound tab. Edit a new rule to allow TCP on port 9700 from any (or a specific range of) IP(s). The resulting entry should look something like this:
My TCP rule is set up to allow inbound traffic from ANY IP address on that port, you may want to configure it differently for security purposes.
Once the rule is set up, you should be able to access the web server at the public IP of your EC2 instance (which can be found on the Instances page of the AWS console). The address you should access should be :9700
Hope this helps!
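The mismatch described in this thread (docker ps shows 0.0.0.0:9700->9700/tcp while the server logs "Server listening on 127.0.0.1:9700") can be checked mechanically by reading the container's /proc/net/tcp next to the PORTS column. This is an added example, not code from the thread or from cosr-front; the /proc/net/tcp text is constructed, a little-endian host is assumed, and only IPv4 listeners are parsed (IPv6 ones live in /proc/net/tcp6).

```python
import re
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample: what /proc/net/tcp would contain inside the front-end
# container for "Server listening on 127.0.0.1:9700" (0x25E4 == 9700).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:25E4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20411 1 0000000000000000 100 0 0 10 0
"""
# PORTS column for that container, copied from the docker ps output above.
SAMPLE_PORTS = "0.0.0.0:9700->9700/tcp"


def listeners(proc_net_tcp):
    """Map each listening port to the set of IPv4 addresses it is bound to."""
    bound = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a native-endian 32-bit word;
        # little-endian is assumed here.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        bound.setdefault(int(hex_port, 16), set()).add(ip)
    return bound


def published(ports_column):
    """Parse 'hostip:hostport->containerport/tcp' items from docker ps."""
    pattern = re.compile(r"([\d.]+):(\d+)->(\d+)/tcp")
    return [(h, int(hp), int(cp)) for h, hp, cp in pattern.findall(ports_column)]


def diagnose(ports_column, proc_net_tcp):
    """Return (host port, container port, status) for each published port."""
    bound = listeners(proc_net_tcp)
    findings = []
    for _host_ip, host_port, container_port in published(ports_column):
        addrs = bound.get(container_port, set())
        if not addrs:
            status = "nothing listening"
        elif all(a.startswith("127.") for a in addrs):
            # Forwarded traffic arrives on the container's bridge interface,
            # so a loopback-only listener never sees it.
            status = "loopback only"
        else:
            status = "reachable"
        findings.append((host_port, container_port, status))
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_PORTS, SAMPLE_PROC_NET_TCP))
```

On a live container the second argument would be the text of /proc/net/tcp read inside it, for example through docker exec as the asker already did.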

WSO2 Governance Registry, Docker and boot2docker

I'm using boot2docker on OSX 10.10 to try to run the WSO2 governance registry. I cannot reach the app from the host machine (OSX).
Here's my Dockerfile:
FROM dockerfile/java:openjdk-7-jdk
MAINTAINER Andrew Matthews
COPY wso2greg-4.6.0.zip /opt/
RUN unzip /opt/wso2greg-4.6.0.zip -d /opt && \
rm /opt/wso2greg-4.6.0.zip
EXPOSE 9443
CMD ["/opt/wso2greg-4.6.0/bin/wso2server.sh"]
This follows a pattern used by others on docker.io for other wso2 apps.
I built it with:
docker build -t="usmsnp/wso2greg" .
and ran it with
docker run -i -t -P usmsnp/wso2greg
everything seems to proceed nicely - I get as far as the wso2 announcement:
Mgt Console URL : https://172.17.0.27:9443/carbon/
I have the boot2docker vm IP address aliased as dockerhost in my /etc/hosts file, and when I navigate to https://dockerhost:9443/carbon/ using curl I get connection refused.
Any ideas?
UPDATE: 2014-11-28
When I deploy the image to AWS using tutum, it works. So, mission accomplished, I suppose. But I'm still confused about why it doesn't work. I understand that boot2docker requires a different IP address, but I used that.
When you use docker run -P you're telling Docker to allocate a random port on the Docker daemon host - not to use 9443.
So in this case, you'll need to run docker port <containerid> to find out what port it's been mapped to.
Alternatively, you need to use docker run -p 9443:9443 ... to tell Docker to map the external 9443 to the container's 9443.