Closed Narushima2030 closed 7 months ago
start.sh within the Dockerfile is explicitly looking for /nfsrods_ssl.crt. You are passing /nfsrods_ssl.cer. Try the following instead.
-v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro
thanks for the advice
I changed nfsrods_ssl.cer → nfsrods_ssl.crt and tried running it. But it's not resolved.
The output "Cert not found for NFSRODS - not importing" changed to "Done". However, I cannot start the Docker container.
In the irods log (/var/log/irods/irods.log), the following output is unchanged from before the change.
status [SYS_INVALID_INPUT_PARAM]
errno [] --
message [SSL is required by the server but not requested by the client]
/irods_source/server/core/src/irods_server_negotiation.cpp:113:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) : status [SYS_INVALID_INPUT_PARAM] errno [] -- message [SSL is required by the server but not requested by the client]
Can you give me some advice on where to check? I would be grateful if you could help me.
Message at runtime:
ubuntu@dmsirods:~$ sudo docker run -it --name nfsrods -p 50049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro local/nfsrods
Cert found for NFSRODS
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <mycert> does not exist
Importing cert to OpenJDK keystore
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
Done
2023-11-20 00:24:18.101 INFO Thread-1 [ServerMain] - Build Time => 2023-11-10T01:37:14+0000
2023-11-20 00:24:18.102 INFO Thread-1 [ServerMain] - Build Version => 2.1.0
2023-11-20 00:24:18.102 INFO Thread-1 [ServerMain] - Build SHA => 3e479bb2e4b855970d4cb67aa53763f9c710def0
2023-11-20 00:24:18.257 INFO Thread-1 [ServerMain] - main - Server config ==> {
"nfs_server" : {
"port" : 2049,
"irods_mount_point" : "/testZone",
"user_information_refresh_time_in_milliseconds" : 3600000,
"file_information_refresh_time_in_milliseconds" : 1000,
"user_access_refresh_time_in_milliseconds" : 1000,
"object_type_refresh_time_in_milliseconds" : 300000,
"user_permissions_refresh_time_in_milliseconds" : 300000,
"user_type_refresh_time_in_milliseconds" : 300000,
"list_operation_query_results_refresh_time_in_milliseconds" : 30000,
"allow_overwrite_of_existing_files" : true,
"using_oracle_database" : false
},
"irods_client" : {
"host" : "dmsirods.test.jp",
"port" : 1247,
"zone" : "testZone",
"default_resource" : "irodsResc",
"ssl_negotiation_policy" : "CS_NEG_REQUIRE",
"connection_timeout_in_seconds" : 600,
"proxy_admin_account" : {
"username" : "rods",
"password" : "*************"
}
}
}
2023-11-20 00:24:18.277 DEBUG Thread-1 [ServerMain] - configureClientServerNegotiationPolicy - Policy = CS_NEG_REQUIRE
2023-11-20 00:24:18.385 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - iRODS mount point = /testZone
2023-11-20 00:24:18.385 DEBUG Thread-1 [IRODSIdMapper] - IRODSUser - Creating proxy for username [rods] ...
2023-11-20 00:24:18.817 DEBUG Thread-1 [IRODSIdMapper] - InodeToPathMapper - iRODS mount point = /testZone
Hmm, the keytool errors are suspicious. Have you tried investigating them?
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Exception: Alias <mycert> does not exist
Importing cert to OpenJDK keystore
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
Can you post what you have for the acPreConnect rule in the iRODS server's core.re file? I'm assuming you have CS_NEG_REQUIRE?
Is that certificate being used by other clients as well?
I've reproduced this issue.
Working on a fix now.
I think the reason why SSL is broken at the tip of main is https://github.com/DICE-UNC/jargon/commit/8d949c4ad3fe5bfb8415b2251c6955036225c960.
The message sent by NFSRODS when SSL is enabled is:
<StartupPack_PI>
<irodsProt>1</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods3.2</relVersion>
<apiVersion>d</apiVersion>
<option>NFSRODS</option>
</StartupPack_PI>
Where ils sends this:
<StartupPack_PI>
<irodsProt>0</irodsProt>
<reconnFlag>0</reconnFlag>
<connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser>
<proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser>
<clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods4.3.1</relVersion>
<apiVersion>d</apiVersion>
<option>ilsrequest_server_negotiation</option>
</StartupPack_PI>
Notice the value of <option> is different for each application. This means the bug is in Jargon.
Will report more once I've looked into why Jargon doesn't include request_server_negotiation anymore.
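The check the server is applying here, written out as an added example for this thread (it is not NFSRODS, Jargon or iRODS code): it parses the two StartupPack_PI messages quoted above (reconstructed here from the thread) and models the server's pre-connect decision. The thread confirms only one case, that a server running with CS_NEG_REQUIRE rejects a client whose <option> does not contain request_server_negotiation, with SYS_INVALID_INPUT_PARAM. The full result table used once both sides have exchanged policies is an assumption taken from the iRODS SSL documentation, so verify it against your server version. The with_negotiation helper reproduces the pattern visible in the ils message, app name followed by the token.

```python
import xml.etree.ElementTree as ET

# Token the iRODS server looks for inside <option> before it runs
# client-server negotiation (ils sends it above, NFSRODS does not).
REQ_SVR_NEG = "request_server_negotiation"

CS_NEG_REQUIRE = "CS_NEG_REQUIRE"
CS_NEG_DONT_CARE = "CS_NEG_DONT_CARE"
CS_NEG_REFUSE = "CS_NEG_REFUSE"

CS_NEG_USE_SSL = "CS_NEG_USE_SSL"
CS_NEG_USE_TCP = "CS_NEG_USE_TCP"
CS_NEG_FAILURE = "CS_NEG_FAILURE"

# (server policy, client policy) -> outcome. ASSUMPTION: taken from the
# iRODS SSL documentation's negotiation table; the thread itself only
# confirms the REQUIRE-without-request case handled in server_decision().
NEG_TABLE = {
    (CS_NEG_REQUIRE, CS_NEG_REQUIRE): CS_NEG_USE_SSL,
    (CS_NEG_REQUIRE, CS_NEG_DONT_CARE): CS_NEG_USE_SSL,
    (CS_NEG_REQUIRE, CS_NEG_REFUSE): CS_NEG_FAILURE,
    (CS_NEG_DONT_CARE, CS_NEG_REQUIRE): CS_NEG_USE_SSL,
    (CS_NEG_DONT_CARE, CS_NEG_DONT_CARE): CS_NEG_USE_SSL,
    (CS_NEG_DONT_CARE, CS_NEG_REFUSE): CS_NEG_USE_TCP,
    (CS_NEG_REFUSE, CS_NEG_REQUIRE): CS_NEG_FAILURE,
    (CS_NEG_REFUSE, CS_NEG_DONT_CARE): CS_NEG_USE_TCP,
    (CS_NEG_REFUSE, CS_NEG_REFUSE): CS_NEG_USE_TCP,
}

# Constructed sample input: the two startup packets quoted in the thread.
NFSRODS_STARTUP = """<StartupPack_PI><irodsProt>1</irodsProt>
<reconnFlag>0</reconnFlag><connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser><proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser><clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods3.2</relVersion><apiVersion>d</apiVersion>
<option>NFSRODS</option></StartupPack_PI>"""

ILS_STARTUP = """<StartupPack_PI><irodsProt>0</irodsProt>
<reconnFlag>0</reconnFlag><connectCnt>0</connectCnt>
<proxyUser>rods</proxyUser><proxyRcatZone>tempZone</proxyRcatZone>
<clientUser>rods</clientUser><clientRcatZone>tempZone</clientRcatZone>
<relVersion>rods4.3.1</relVersion><apiVersion>d</apiVersion>
<option>ilsrequest_server_negotiation</option></StartupPack_PI>"""


def parse_startup_pack(xml_text: str) -> dict:
    """Parse a StartupPack_PI message into a {tag: text} dict."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "StartupPack_PI":
        raise ValueError(f"not a StartupPack_PI message: <{root.tag}>")
    return {child.tag: (child.text or "").strip() for child in root}


def with_negotiation(app_name: str) -> str:
    """Build an <option> value that requests negotiation, following the
    pattern seen from ils: 'ils' + token -> 'ilsrequest_server_negotiation'."""
    return app_name + REQ_SVR_NEG


def server_decision(startup_xml: str, server_policy: str,
                    client_policy: str = CS_NEG_DONT_CARE) -> tuple:
    """Model the server's pre-connect check.

    Returns (accepted, detail): detail is the negotiation outcome, or the
    error text the thread shows for the one case it documents."""
    pack = parse_startup_pack(startup_xml)
    option = pack.get("option", "")
    if REQ_SVR_NEG not in option:
        if server_policy == CS_NEG_REQUIRE:
            return (False, "SYS_INVALID_INPUT_PARAM: SSL is required by the "
                           "server but not requested by the client")
        # Client did not ask to negotiate and the server does not insist:
        # the session continues over plain TCP.
        return (True, CS_NEG_USE_TCP)
    result = NEG_TABLE[(server_policy, client_policy)]
    return (result != CS_NEG_FAILURE, result)


if __name__ == "__main__":
    for name, msg in (("NFSRODS", NFSRODS_STARTUP), ("ils", ILS_STARTUP)):
        print(name, server_decision(msg, CS_NEG_REQUIRE, CS_NEG_REQUIRE))
    fixed = NFSRODS_STARTUP.replace(
        "<option>NFSRODS</option>",
        f"<option>{with_negotiation('NFSRODS')}</option>")
    print("NFSRODS (fixed)", server_decision(fixed, CS_NEG_REQUIRE, CS_NEG_REQUIRE))
```

Run against the two captured packets with the server set to CS_NEG_REQUIRE, the NFSRODS packet is rejected with the message from irods.log while the ils packet proceeds to negotiation; patching the token back into the NFSRODS <option> is enough to make the server negotiate, which is what the Jargon change removed.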
@Narushima2030 I've opened PRs to address this issue.
The PRs can be found here:
Please give them a try and let us know if they work.
You'll need to compile Jargon before NFSRODS (since NFSRODS depends on Jargon).
Thank you for your response.
As a result of applying the PRs shown and re-running it, I was able to confirm that docker was running.
ubuntu@dmsirods:~/irods_client_nfsrods$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dcc6dec5ca21 local/nfsrods "./start.sh" 2 minutes ago Up 2 minutes 0.0.0.0:50049->2049/tcp, :::50049->2049/tcp nfsrods
Now let's check mount. It was helpful. thank you.
Great! Let us know how it goes.
I realize this is different from the original question. Any advice would be greatly appreciated.
I tried mounting it. I was able to mount it, but I'm having trouble with something else.
docker run
~/nfsrods_config/server.json specifies "username": "rods".
ubuntu@dmsirods:~$ sudo docker run -d --name nfsrods -p 50049:2049 -v /local/home/ubuntu/nfsrods_config:/nfsrods_config:ro -v /local/home/ubuntu/nfsrods_config/passwd:/etc/passwd:ro -v /etc/irods/ssl/dmsirods.test.jp.cer:/nfsrods_ssl.crt:ro local/nfsrods
e0cf242111b6ee54c6e030563b090a396c81ec4cb32e90060e365d7d5916be96
mount
ubuntu@dmsirods:~$ sudo mount -o sec=sys,port=50049 10.1.19.4:/ /local/home/ubuntu/nfsrodsdir/
mount result
ubuntu@dmsirods:~$ mount
10.1.19.4:/ on /local/home/ubuntu/nfsrodsdir type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=50049,timeo=600,retrans=2,sec=sys,clientaddr=10.1.19.4,local_lock=none,addr=10.1.19.4)
Root privileges are required to view the files. I want to operate files as a general user, do I need to make any settings? Or is there a problem with the way I'm configuring it?
ubuntu@dmsirods:~$ ls -la nfsrodsdir/home/rods
ls: cannot open directory 'nfsrodsdir/home/rods': Permission denied
ubuntu@dmsirods:~$ sudo ls -la nfsrodsdir/home/rods
total 1048577
drwx------ 1 root nogroup 0 Nov 15 09:23 .
drwx------ 1 nobody nogroup 0 Nov 13 14:51 ..
-rw------- 1 root nogroup 1073741824 Nov 13 18:02 testdata_1g
-rw------- 1 root nogroup 10 Nov 15 09:23 testfile
The file owner is 'rods'. The "rods" user has been added to /etc/passwd.
ubuntu@dmsirods:~$ ils -L
/testZone/home/rods:
  rods              0 s3rdmresc    1073741824 2023-11-13.18:02 & testdata_1g
        generic    /rdm/prefix/in/bucket/home/rods/testdata_1g
  rods              0 irodsResc            10 2023-11-15.09:23 & testfile
        generic    /home/irodsResc/home/rods/testfile
Remember, NFSRODS honors all iRODS permissions.
Does the ubuntu user have permission to view the rods user's files in iRODS? Is the ubuntu user a valid username in the iRODS zone?
We have reviewed the permissions based on your advice. I have confirmed that there is no problem.
It was helpful. thank you.
Great!
We'll get these changes merged then.
When I try to run the Docker container, the error [SSL is required on the server, but not on the client] is output.
Unable to start Docker container when connecting with SSL
The iRODS server is configured with SSL. An SSL connection exists from the client to the server.
The following error occurs with the docker run command
status [SYS_INVALID_INPUT_PARAM] errno [] -- message [SSL is required on the server, but not on the client]
What does this message confirm? I want to know the settings for passing
CS_NEG_REQUIRE is specified in nfsrods_config/server.json "ssl_negotiation_policy": "CS_NEG_REQUIRE",
When running docker run, the certificate is specified with -v.
Output at runtime