irods / irods_client_nfsrods

An nfs4j Virtual File System implementation supporting the iRODS Data Grid
BSD 3-Clause "New" or "Revised" License

When I try to run Docker container, the error [SSL is required on the server, but not on the client] is output. #193

Closed Narushima2030 closed 7 months ago

Narushima2030 commented 7 months ago

When I try to run Docker container, the error [SSL is required on the server, but not on the client] is output.

Unable to start Docker container when connecting with SSL

The iRODS server is configured with SSL. An SSL connection exists from the client to the server.

The following error occurs with the docker run command

status [SYS_INVALID_INPUT_PARAM] errno [] -- message [SSL is required on the server, but not on the client]

What does this message confirm? I want to know the settings for passing

CS_NEG_REQUIRE is specified in nfsrods_config/server.json "ssl_negotiation_policy": "CS_NEG_REQUIRE",

nfsrods_config/server.json

2023-11-16 02:19:05.151 INFO  Thread-1 [ServerMain] - main - Server config ==> {
  "nfs_server" : {
    "port" : 2049,
    "irods_mount_point" : "testZone",
    "user_information_refresh_time_in_milliseconds" : 3600000,
    "file_information_refresh_time_in_milliseconds" : 1000,
    "user_access_refresh_time_in_milliseconds" : 1000,
    "object_type_refresh_time_in_milliseconds" : 300000,
    "user_permissions_refresh_time_in_milliseconds" : 300000,
    "user_type_refresh_time_in_milliseconds" : 300000,
    "list_operation_query_results_refresh_time_in_milliseconds" : 30000,
    "allow_overwrite_of_existing_files" : true,
    "using_oracle_database" : false
  },
  "irods_client" : {
    "host" : "dmsirods.test.jp",
    "port" : 1247,
    "zone" : "testZone",
    "default_resource" : "irodsResc",
    "ssl_negotiation_policy" : "CS_NEG_REQUIRE",
    "connection_timeout_in_seconds" : 600,
    "proxy_admin_account" : {
      "username" : "rods",
      "password" : "*************"
    }
  }
}

When running docker run, specify the certificate with -v.

-v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.cer

sudo docker run -d --name nfsrods -p 50049:2049 \
-v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro \
-v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro \
-v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.cer:ro \
local/nfsrods

Output at runtime

ubuntu@dmsirods:~$ sudo docker run -it --name nfsrods -p 50049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.cer:ro local/nfsrods
Cert not found for NFSRODS - not importing
2023-11-16 02:54:07.948 INFO  Thread-1 [ServerMain] - Build Time    => 2023-11-10T01:37:14+0000
2023-11-16 02:54:07.948 INFO  Thread-1 [ServerMain] - Build Version => 2.1.0
2023-11-16 02:54:07.948 INFO  Thread-1 [ServerMain] - Build SHA     => 3e479bb2e4b855970d4cb67aa53763f9c710def0
2023-11-16 02:54:08.101 INFO  Thread-1 [ServerMain] - main - Server config ==> {
  "nfs_server" : {
    "port" : 2049,
    "irods_mount_point" : "testZone",
    "user_information_refresh_time_in_milliseconds" : 3600000,
    "file_information_refresh_time_in_milliseconds" : 1000,
    "user_access_refresh_time_in_milliseconds" : 1000,
    "object_type_refresh_time_in_milliseconds" : 300000,
    "user_permissions_refresh_time_in_milliseconds" : 300000,
    "user_type_refresh_time_in_milliseconds" : 300000,
    "list_operation_query_results_refresh_time_in_milliseconds" : 30000,
    "allow_overwrite_of_existing_files" : true,
    "using_oracle_database" : false
  },
  "irods_client" : {
    "host" : "dmsirods.test.jp",
    "port" : 1247,
    "zone" : "testZone",
    "default_resource" : "irodsResc",
    "ssl_negotiation_policy" : "CS_NEG_REQUIRE",
    "connection_timeout_in_seconds" : 600,
    "proxy_admin_account" : {
      "username" : "rods",
      "password" : "*************"
    }
  }
}
2023-11-16 02:54:08.122 DEBUG Thread-1 [ServerMain] - configureClientServerNegotiationPolicy - Policy = CS_NEG_REQUIRE
2023-11-16 02:54:08.232 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - iRODS mount point = testZone
2023-11-16 02:54:08.232 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - Creating proxy for username [rods] ...
2023-11-16 02:54:08.648 DEBUG Thread-1 [IRODSIdMapper] - InodeToPathMapper - iRODS mount point = testZone

korydraughn commented 7 months ago

start.sh within the Dockerfile is explicitly looking for /nfsrods_ssl.crt.

https://github.com/irods/irods_client_nfsrods/blob/3e479bb2e4b855970d4cb67aa53763f9c710def0/start.sh#L5

You are passing /nfsrods_ssl.cer. Try the following instead.

-v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro
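The mismatch above (certificate bind-mounted at /nfsrods_ssl.cer while start.sh looks for /nfsrods_ssl.crt) is easy to catch before the container starts. The following preflight script is an added example and is not part of NFSRODS; it assumes only what the thread states (start.sh imports the certificate mounted at /nfsrods_ssl.crt, and server.json under /nfsrods_config carries "ssl_negotiation_policy"). The sample config directory, the fake PEM file and the two docker run command lines it checks are constructed in a temporary directory.

```python
"""Preflight check for an NFSRODS docker run command line.

Added example, not NFSRODS code. Assumptions (from the thread): start.sh only
imports a certificate mounted at /nfsrods_ssl.crt, and server.json is mounted at
/nfsrods_config. The sample files below are constructed for illustration.
"""
import json
import os
import shlex
import tempfile

EXPECTED_CERT_PATH = "/nfsrods_ssl.crt"   # container path start.sh looks for
CONFIG_MOUNT = "/nfsrods_config"          # container path of the config directory


def parse_volume_mounts(command):
    """Return {container_path: host_path} for every -v/--volume host:container[:opts]."""
    tokens = shlex.split(command)
    mounts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        spec = None
        if tok in ("-v", "--volume") and i + 1 < len(tokens):
            spec = tokens[i + 1]
            i += 1
        elif tok.startswith("--volume="):
            spec = tok[len("--volume="):]
        i += 1
        if spec:
            parts = spec.split(":")
            if len(parts) >= 2:
                mounts[parts[1]] = parts[0]
    return mounts


def looks_like_pem_cert(path):
    """True if the file exists and starts with a PEM CERTIFICATE header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")


def preflight(command):
    """Return a list of problems; an empty list means the command looks consistent."""
    mounts = parse_volume_mounts(command)
    config_dir = mounts.get(CONFIG_MOUNT)
    if config_dir is None:
        return [f"no volume mounted at {CONFIG_MOUNT}"]
    try:
        with open(os.path.join(config_dir, "server.json")) as f:
            config = json.load(f)
    except (OSError, ValueError) as exc:
        return [f"cannot read server.json: {exc}"]
    policy = config.get("irods_client", {}).get("ssl_negotiation_policy")
    if policy != "CS_NEG_REQUIRE":
        return []   # SSL not required by this client config; nothing more to check here
    problems = []
    cert_src = mounts.get(EXPECTED_CERT_PATH)
    if cert_src is None:
        # Catch the near-miss from the thread: a cert mounted under a similar name.
        near = [p for p in mounts if p.startswith("/nfsrods_ssl")]
        hint = f" (found {near[0]} instead)" if near else ""
        problems.append(f"policy is CS_NEG_REQUIRE but nothing is mounted at {EXPECTED_CERT_PATH}{hint}")
    elif not looks_like_pem_cert(cert_src):
        problems.append(f"{cert_src} is missing or not a PEM certificate")
    return problems


def build_sample_env():
    """Constructed sample: a config dir with CS_NEG_REQUIRE and a fake PEM certificate."""
    root = tempfile.mkdtemp(prefix="nfsrods_preflight_")
    cfg = os.path.join(root, "nfsrods_config")
    os.mkdir(cfg)
    with open(os.path.join(cfg, "server.json"), "w") as f:
        json.dump({"irods_client": {"ssl_negotiation_policy": "CS_NEG_REQUIRE"}}, f)
    cert = os.path.join(root, "server.cer")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n")
    return cfg, cert


def demo():
    """Run the check against the wrong (.cer) and the right (.crt) container path."""
    cfg, cert = build_sample_env()
    wrong = f"docker run -d -v {cfg}:{CONFIG_MOUNT}:ro -v {cert}:/nfsrods_ssl.cer:ro local/nfsrods"
    right = f"docker run -d -v {cfg}:{CONFIG_MOUNT}:ro -v {cert}:{EXPECTED_CERT_PATH}:ro local/nfsrods"
    return preflight(wrong), preflight(right)


if __name__ == "__main__":
    bad, good = demo()
    print("wrong target path:", bad)
    print("correct target path:", good)
```

Run it as a script to see the one-line report for each command; the check on the PEM header is deliberately shallow (it confirms the mounted file is a certificate, not that it is the right one for the iRODS host).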

Narushima2030 commented 7 months ago

thanks for the advice

I changed nfsrods_ssl.crt → nfsrods_ssl.crt and tried running it. But it's not resolved.

The output "Cert not found for NFSRODS - not importing" changed to "Done". However, I cannot start docker.

In the irods log (/var/log/irods/irods.log), the following output is unchanged from before the change.

status [SYS_INVALID_INPUT_PARAM] errno [] -- message [SSL is required by the server but not requested by the client]

/irods_source/server/core/src/irods_server_negotiation.cpp:113:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]

Can you give me some advice on where to check? I would be grateful if you could help me.

Message at runtime:

ubuntu@dmsirods:~$ sudo docker run -it --name nfsrods -p 50049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro local/nfsrods
Cert found for NFSRODS
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <mycert> does not exist
Importing cert to OpenJDK keystore
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
Done
2023-11-20 00:24:18.101 INFO  Thread-1 [ServerMain] - Build Time    => 2023-11-10T01:37:14+0000
2023-11-20 00:24:18.102 INFO  Thread-1 [ServerMain] - Build Version => 2.1.0
2023-11-20 00:24:18.102 INFO  Thread-1 [ServerMain] - Build SHA     => 3e479bb2e4b855970d4cb67aa53763f9c710def0
2023-11-20 00:24:18.257 INFO  Thread-1 [ServerMain] - main - Server config ==> {
  "nfs_server" : {
    "port" : 2049,
    "irods_mount_point" : "/testZone",
    "user_information_refresh_time_in_milliseconds" : 3600000,
    "file_information_refresh_time_in_milliseconds" : 1000,
    "user_access_refresh_time_in_milliseconds" : 1000,
    "object_type_refresh_time_in_milliseconds" : 300000,
    "user_permissions_refresh_time_in_milliseconds" : 300000,
    "user_type_refresh_time_in_milliseconds" : 300000,
    "list_operation_query_results_refresh_time_in_milliseconds" : 30000,
    "allow_overwrite_of_existing_files" : true,
    "using_oracle_database" : false
  },
  "irods_client" : {
    "host" : "dmsirods.test.jp",
    "port" : 1247,
    "zone" : "testZone",
    "default_resource" : "irodsResc",
    "ssl_negotiation_policy" : "CS_NEG_REQUIRE",
    "connection_timeout_in_seconds" : 600,
    "proxy_admin_account" : {
      "username" : "rods",
      "password" : "*************"
    }
  }
}
2023-11-20 00:24:18.277 DEBUG Thread-1 [ServerMain] - configureClientServerNegotiationPolicy - Policy = CS_NEG_REQUIRE
2023-11-20 00:24:18.385 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - iRODS mount point = /testZone
2023-11-20 00:24:18.385 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - Creating proxy for username [rods] ...
2023-11-20 00:24:18.817 DEBUG Thread-1 [IRODSIdMapper] - InodeToPathMapper - iRODS mount point = /testZone

korydraughn commented 7 months ago

Hmm, the keytool errors are suspicious. Have you tried investigating them?

Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <mycert> does not exist
Importing cert to OpenJDK keystore
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore

Can you post what you have for the acPreConnect rule in the iRODS server's core.re file? I'm assuming you have CS_NEG_REQUIRE?

Is that certificate being used by other clients as well?

korydraughn commented 7 months ago

I've reproduced this issue.

Working on a fix now.

korydraughn commented 7 months ago

I think the reason why SSL is broken in tip of main is due to https://github.com/DICE-UNC/jargon/commit/8d949c4ad3fe5bfb8415b2251c6955036225c960.

The message sent by NFSRODS when SSL is enabled is:

<StartupPack_PI><irodsProt>1</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods3.2</relVersion>
<apiVersion>d</apiVersion>
<option>NFSRODS</option>
</StartupPack_PI>

Where ils sends this:

<StartupPack_PI>
<irodsProt>0</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods4.3.1</relVersion>
<apiVersion>d</apiVersion>
<option>ilsrequest_server_negotiation</option>
</StartupPack_PI>

Notice the value of <option> is different for each application. This means the bug is in Jargon.

Will report more once I've looked into why Jargon doesn't include request_server_negotiation anymore.
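The two StartupPack_PI messages above differ only in the <option> element, and that difference decides whether the server ever attempts SSL negotiation. The script below is an added example, not code from NFSRODS, Jargon or iRODS: it parses a StartupPack_PI, reports whether the client asked for negotiation, predicts the outcome under a CS_NEG_REQUIRE server from the behaviour the thread shows, and scans log lines for the resulting refusal. The two packs and the log line are constructed from the messages quoted in this thread; the verdict logic for policies other than CS_NEG_REQUIRE is an assumption.

```python
"""Diagnose an iRODS StartupPack_PI for a missing negotiation request.

Added example; not code from NFSRODS, Jargon or iRODS. It models what the two
packs in the thread show: <option> carries the program name plus the token
request_server_negotiation when the client wants client-server negotiation,
and a CS_NEG_REQUIRE server refuses a client that omits it with
SYS_INVALID_INPUT_PARAM. Samples below are constructed from the thread.
"""
import xml.etree.ElementTree as ET

NEGOTIATION_TOKEN = "request_server_negotiation"
REFUSAL_TEXT = "SSL is required by the server but not requested by the client"

# Constructed sample: the pack NFSRODS sent (no negotiation token).
NFSRODS_PACK = """<StartupPack_PI><irodsProt>1</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods3.2</relVersion>
<apiVersion>d</apiVersion>
<option>NFSRODS</option>
</StartupPack_PI>"""

# Constructed sample: the pack ils sent (token present).
ILS_PACK = """<StartupPack_PI>
<irodsProt>0</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods4.3.1</relVersion>
<apiVersion>d</apiVersion>
<option>ilsrequest_server_negotiation</option>
</StartupPack_PI>"""

# Constructed irods.log lines in the shape the thread shows.
SAMPLE_LOG = [
    "/irods_source/server/core/src/irods_server_negotiation.cpp:113:irods::error "
    "irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  "
    "status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [" + REFUSAL_TEXT + "]",
    "2023-11-20 00:24:18 INFO unrelated line (constructed)",
]


def parse_startup_pack(xml_text):
    """Return the pack's child elements as a {tag: text} dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "StartupPack_PI":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "").strip() for child in root}


def requests_negotiation(pack):
    """True when the client asked the server to run client-server negotiation."""
    return NEGOTIATION_TOKEN in pack.get("option", "")


def client_program(pack):
    """Strip the negotiation token to recover the program name carried in <option>."""
    return pack.get("option", "").replace(NEGOTIATION_TOKEN, "")


def expected_server_verdict(pack, server_policy):
    """Predict the server's handling of the pack under its acPreConnect policy.

    Only the CS_NEG_REQUIRE + no-token case is taken from the thread; the other
    two outcomes are an assumption of this example.
    """
    if requests_negotiation(pack):
        return "negotiate"
    if server_policy == "CS_NEG_REQUIRE":
        return "refused"          # the SYS_INVALID_INPUT_PARAM case in the thread
    return "no_negotiation"       # plain connection, no SSL negotiation attempted


def refused_clients_in_log(lines):
    """Return log lines recording a client refused for not requesting negotiation."""
    return [line for line in lines if REFUSAL_TEXT in line]


if __name__ == "__main__":
    for label, xml_text in (("NFSRODS", NFSRODS_PACK), ("ils", ILS_PACK)):
        pack = parse_startup_pack(xml_text)
        print(f"{label}: program={client_program(pack)!r}, "
              f"CS_NEG_REQUIRE -> {expected_server_verdict(pack, 'CS_NEG_REQUIRE')}")
    print("refusals in log:", len(refused_clients_in_log(SAMPLE_LOG)))
```

Feeding a captured pack from a client that fails against a CS_NEG_REQUIRE server into parse_startup_pack and requests_negotiation separates a client-library regression like the one described here from a certificate or keystore problem: if the token is absent, no certificate configuration on the client side will help.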

korydraughn commented 7 months ago

@Narushima2030 I've opened PRs to address this issue.

The PRs can be found here:

Please give them a try and let us know if they work.

You'll need to compile Jargon before NFSRODS (since NFSRODS depends on Jargon).

Narushima2030 commented 7 months ago

Thank you for your response.

As a result of applying the PRs shown and re-running it, I was able to confirm that docker was running.

ubuntu@dmsirods:~/irods_client_nfsrods$ sudo docker ps -a
CONTAINER ID   IMAGE           COMMAND        CREATED         STATUS         PORTS                         NAMES
dcc6dec5ca21   local/nfsrods   "./start.sh"   2 minutes ago   Up 2 minutes   0.0.0.0:50049->2049/tcp, :::50049->2049/tcp   nfsrods

Now let's check mount. It was helpful. Thank you.

korydraughn commented 7 months ago

Great! Let us know how it goes.

Narushima2030 commented 7 months ago

I realize this is different from the original question. Any advice would be greatly appreciated.

I tried mounting it. I was able to mount it, but I'm having trouble with something else.

docker run

~/nfsrods_config/server.json specifies "username": "rods".

ubuntu@dmsirods:~$ sudo docker run -d --name nfsrods -p 50049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro local/nfsrods
e0cf242111b6ee54c6e030563b090a396c81ec4cb32e90060e365d7d5916be96

mount

ubuntu@dmsirods:~$ sudo mount -o sec=sys,port=50049 10.1.19.4:/ /local/home/ubuntu/nfsrodsdir/

mount result

ubuntu@dmsirods:~$ mount
10.1.19.4:/ on /local/home/ubuntu/nfsrodsdir type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=50049,timeo=600,retrans=2,sec=sys,clientaddr=10.1.19.4,local_lock=none,addr=10.1.19.4)

Root privileges are required to view the files. I want to operate files as a general user, do I need to make any settings? Or is there a problem with the way I'm configuring it?

ubuntu@dmsirods:~$ ls -la nfsrodsdir/home/rods
ls: cannot open directory 'nfsrodsdir/home/rods': Permission denied
ubuntu@dmsirods:~$ sudo ls -la nfsrodsdir/home/rods
total 1048577
drwx------ 1 root   nogroup      0 Nov 15 09:23 .
drwx------ 1 nobody nogroup      0 Nov 13 14:51 ..
-rw------- 1 root   nogroup 1073741824 Nov 13 18:02 testdata_1g
-rw------- 1 root   nogroup     10 Nov 15 09:23 testfile

The file owner is 'rods'. The "rods" user has been added to /etc/passwd.

ubuntu@dmsirods:~$ ils -L
/testZone/home/rods:
  rods          0 s3rdmresc   1073741824 2023-11-13.18:02 & testdata_1g
    generic    /rdm/prefix/in/bucket/home/rods/testdata_1g
  rods          0 irodsResc       10 2023-11-15.09:23 & testfile
    generic    /home/irodsResc/home/rods/testfile

korydraughn commented 7 months ago

Remember, NFSRODS honors all iRODS permissions.

Does the ubuntu user have permission to view the rods user's files in iRODS? Is the ubuntu user a valid username in the iRODS zone?
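The two questions above (is the NFS client's user a valid iRODS user, and does that user hold permission on the object) are the whole authorization path with sec=sys: the client sends a uid, the server side maps it to a login name, and the iRODS ACL for that name decides. The script below is an added example and is not NFSRODS code; it assumes, as the bind-mounted /etc/passwd in this thread suggests, that the uid is resolved to a name through the passwd file and that the iRODS ACL is then applied to that name. The passwd lines, the zone's user list and the ACL table are constructed.

```python
"""Model of the uid -> login name -> iRODS ACL check behind an NFS access.

Added example, not NFSRODS code. Assumption: the NFS client's uid is resolved to
a login name via /etc/passwd and the iRODS ACL for that name is applied. All
data below is constructed for illustration.
"""

# Constructed /etc/passwd content, as bind-mounted into the container.
PASSWD = """root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
rods:x:1001:1001:iRODS admin:/home/rods:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed iRODS ACLs: {logical path: {username: permission}}.
IRODS_ACLS = {
    "/testZone/home/rods/testfile": {"rods": "own"},
    "/testZone/home/rods/shared.txt": {"rods": "own", "ubuntu": "read"},
}

# Constructed: login names that exist as users in the iRODS zone.
IRODS_USERS = {"rods", "ubuntu"}

# iRODS access levels in increasing order of privilege.
PERMISSION_RANK = {"null": 0, "read": 1, "write": 2, "own": 3}


def parse_passwd(text):
    """Return {uid: login name} from passwd-format text, skipping malformed lines."""
    uid_to_name = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        uid_to_name[int(fields[2])] = fields[0]
    return uid_to_name


def authorize(uid, path, needed, passwd_text=PASSWD, acls=IRODS_ACLS, zone_users=IRODS_USERS):
    """Decide whether the NFS uid may perform an access needing `needed` on `path`.

    Returns (allowed, reason) so a refusal explains which step failed:
    unknown uid, name not in the zone, or insufficient iRODS permission.
    """
    if needed not in PERMISSION_RANK:
        raise ValueError(f"unknown permission level {needed!r}")
    name = parse_passwd(passwd_text).get(uid)
    if name is None:
        return False, f"uid {uid} has no entry in /etc/passwd"
    if name not in zone_users:
        return False, f"'{name}' is not a user in the iRODS zone"
    granted = acls.get(path, {}).get(name, "null")
    if PERMISSION_RANK[granted] >= PERMISSION_RANK[needed]:
        return True, f"'{name}' has {granted} on {path}"
    return False, f"'{name}' has {granted} on {path}, needs {needed}"


if __name__ == "__main__":
    for uid, path, needed in (
        (1000, "/testZone/home/rods/testfile", "read"),    # the Permission denied case
        (1000, "/testZone/home/rods/shared.txt", "read"),  # read granted to ubuntu
        (1001, "/testZone/home/rods/testfile", "write"),   # owner
        (65534, "/testZone/home/rods/testfile", "read"),   # nobody: not an iRODS user
        (4242, "/testZone/home/rods/testfile", "read"),    # uid absent from passwd
    ):
        print(uid, path, needed, "->", authorize(uid, path, needed))
```

The first case reproduces the `ls: Permission denied` seen earlier: uid 1000 resolves to ubuntu, ubuntu exists in the zone, but holds no access on rods' collection. The last two cases are the ones worth distinguishing operationally, since a uid with no passwd entry and a name the zone does not know both fail before any ACL is consulted.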

Narushima2030 commented 7 months ago

We have reviewed the permissions based on your advice. I have confirmed that there is no problem.

It was helpful. Thank you.

korydraughn commented 7 months ago

Great!

We'll get these changes merged then.