Closed biozit closed 2 months ago
I am confused. Why use https for unauthenticated data?
Using the Pelican Software, the ports are the same for both services.
It looks like we can use both https and plain http on that port if that's better.
That doesn't help me. Why change the Denver cache to use https port 8443 for CVMFS?
Separately, you do have me curious too: why does Pelican use the same port for both services? Are you saying it always uses https on port 8443 for authenticated and unauthenticated services, or that it always uses port 8443 for both http and https?
Pelican only has a single instance of xrootd, listening on port 8443. This can be used for both auth and unauth access; if you don't need to pass a credential, you can use plain http on that same port.
Oh, this is Pelican server software. I didn't know that was a thing, I only heard about the client.
So then the question is why should the server software be non-standard? Why not have it also listen on port 8000, for http? If nothing else it will save a lot of effort in changing the cvmfs configuration over one by one as the servers are converted. As it is there will be transition problems as the servers are cut over, because cvmfs only reads the configuration at mount time. A repository can stay mounted for weeks or even months.
It's also possible to set up iptables to forward one port to another. I assume nftables has a way too although I haven't yet tried it.
Let me try something using k8s tricks
--Fábio Andrijauskas
On Tue, Apr 30, 2024 at 2:40 PM DrDaveD @.***> wrote:
It's also possible to set up iptables to forward one port to another. I assume nftables has a way too although I haven't yet tried it.
— Reply to this email directly, view it on GitHub https://github.com/cvmfs-contrib/config-repo/pull/253#issuecomment-2087427867, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACEEH77HIKOLSROPDQOAHPDZAAFWDAVCNFSM6AAAAABHAZK5FOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBXGQZDOOBWG4 . You are receiving this because you authored the thread.Message ID: @.***>
I can't use k8s tricks here, we are checking the best solution.
@biozit - can you open a second Kubernetes port in the deploy and map it to the same port inside the container? That'll provide the backward compatibility that @DrDaveD is looking for.
In the meantime, I think it'd be good to merge this to try and discover any issues. If we map both ports to the single port inside the container, we could do a single subsequent update for all the other caches.
Brain, all OSDF k8s hosts are using “hostnetwork,” we can't do that
--Fábio Andrijauskas
On Wed, May 1, 2024, at 2:02 PM Brian P Bockelman @.***> wrote:
@biozit https://github.com/biozit - can you open a second Kubernetes port in the deploy and map it to the same port inside the container? That'll provide the backward compatibility that @DrDaveD https://github.com/DrDaveD is looking for.
In the meantime, I think it'd be good to merge this to try and discover any issues. If we map both ports to the single port inside the container, we could do a single subsequent update for all the other caches.
— Reply to this email directly, view it on GitHub https://github.com/cvmfs-contrib/config-repo/pull/253#issuecomment-2089135446, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACEEH77IXL7A3LCHQF7NM5TZAFJ7PAVCNFSM6AAAAABHAZK5FOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOBZGEZTKNBUGY . You are receiving this because you were mentioned.Message ID: @.***>
In the meantime, I think it'd be good to merge this to try and discover any issues.
If we need to merge it temporarily I'd rather have it be http than https. Also this is on the master branch and it needs to be on the osg branch in order to be ready to deploy. If it's just a temporary change then we might as well make it only on the osg branch.
If we map both ports to the single port inside the container, we could do a single subsequent update for all the other caches.
One change is better than lots, but if it is set up to listen on both 8000 and 8443, wouldn't we just switch this one back and leave it on 8000? It's very unusual/surprising to use http on port 8443.
@bbockelm @DrDaveD, could we approve this PR to start the tests?
I would rather have a PR against the osg branch that uses http instead of https.
We can do that - but it's going to guarantee that there's going to be subsequent updates. Long-term, we plan to transition to HTTPS-only.
Long-term, we plan to transition to HTTPS-only.
What's the point of doing that for CVMFS, which is already guaranteeing the integrity at a higher level?
I believe this is resolved with #254. Please reopen if needed.
Setting Denver cache to use pelican/osdf cache