Unix sockets for host <-> container networking#75

Merged
theyoyojo merged 9 commits into master from unix_sockets on Apr 1, 2024
Conversation

@charliemirabile charliemirabile commented Apr 1, 2024
This is nice because we do not need to map any host ports to container ports.

Fixes: #63

Depends on: #73

Note: if you want to test these changes in the staging or prod environment, you must make sure you have updated your podman compose to the latest version of our fork, because I added one commit that fixes the issue with selinux not being recognized in a verbose mount specification.

If you forget to do this, the symptom is that nginx crashes because it is unable to bind to the unix socket due to EPERM.

Also, because the test improvements made curl actually perform ssl cert checking, you may run into it complaining about a hostname mismatch if the ssl certs in your ssl folder are for localhost and you are trying to do testing on staging/prod.

The fix (as a temporary workaround; this will improve after we replace bind mounts with volumes) is to extract the certs that were generated in the file system of the container image: run podman image save localhost/singularity_nginx:latest > img.tar, extract the tar and find the layer that contains the ssl certs, extract that layer into the ssl folder with tar -xf some_long_hash.tar --strip-components=3 -C /path/to/the/bind/mount/for/ssl/, and then run podman exec singularity_nginx_1 nginx -s reload so it picks up the new certs.

If you forget to do this, the symptom is that curl complains that it cannot verify the legitimacy of the server.

We can give extenginx the ability to create self signed certs for
itself during the build process so that folks do not need to run
the create dev keys script.

Now that extenginx can create its own keys, this script is not
necessary.

It is possible to just perform a bind mount to insert custom
snippets at runtime whether or not a specific volume is declared
in the containerfile, so the complexity is unnecessary.

It is not necessary to explicitly expose the ports of extenginx,
since if they are mapped to host ports in the compose (as they are)
they will be reachable nonetheless.

The current envsubst command was starting to reach the limits
of an 80 column terminal, and having it on one line certainly was not
helping its readability or editability.

Insofar as nginx should serve only as an ssl terminating
proxy for the unencrypted upstream servers, it should not
be mucking around with unencrypted plain http connections.

When deployed as one of multiple instances behind a main nginx
proxy, that proxy can handle redirecting connections to the
unencrypted port to the encrypted port (and then later to the
appropriate upstream instance of extenginx).

In order to support changing from ip sockets to unix sockets, dealing
explicitly with ports is not viable. Instead, allow the consumer of
extenginx to specify a snippet to go in the listen directive of the
server.

nginx no longer binds to any host port (in fact no containers bind
to any host ports at all). Instead it listens on a unix socket in
a path within a bind mounted folder. This allows dev, staging, & prod
to all be run with rootless podman commands, and it allows more than
one instance of singularity to be running at once on the same machine
(assuming each has a different folder to put its sockets in).

In order to support local development and testing, introduce the dev-sockets
helper script. This script spawns socat processes that listen on the
normal tcp ports and redirect connections to the unix sockets from
extenginx. If run as root, it binds to the rootful ports for the services
(443, 465, 995) and if not, it binds to those port numbers + 1000 (i.e.
1443, 1465, 1995). It is designed to be long running in the background
or in a different terminal and does not need to be restarted every time
the containers go up and down.

Instead of needing to run the dev_sockets.sh script to proxy tcp connections
to unix socket connections, curl has the ability to directly connect to
a unix socket when making a request.
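The dev-sockets forwarding scheme described in the commits above (one socat listener per service, rootful ports when run as root, +1000 otherwise), as an added shell example that is not the project's own dev_sockets.sh; the socket directory, the socket file names and the service names are assumptions.

```shell
#!/bin/sh
# Added example modelled on the dev-sockets helper; not the project's script.
# Assumed: extenginx places one unix socket per service in this bind-mounted folder.
EXT_SOCK_DIR="${EXT_SOCK_DIR:-./sockets}"

# Service name (assumed) -> rootful TCP port as listed in the PR (443, 465, 995).
service_port() {
    case "$1" in
        https) echo 443 ;;
        smtps) echo 465 ;;
        pop3s) echo 995 ;;
        *) return 1 ;;
    esac
}

# Only uid 0 may bind ports below 1024; everyone else is shifted by +1000
# (1443, 1465, 1995). $1 is the uid to decide for, defaulting to the caller's.
port_offset() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then echo 0; else echo 1000; fi
}

# TCP port the forwarder for service $1 listens on, for uid $2.
listen_port() {
    base=$(service_port "$1") || return 1
    echo $(( base + $(port_offset "$2") ))
}

# Build the socat command line that forwards one TCP listener to the matching
# unix socket. ",fork" serves each connection in a child so the listener keeps
# accepting; ",reuseaddr" lets the listener restart without waiting on TIME_WAIT.
socat_cmd() {
    port=$(listen_port "$1" "$2") || return 1
    echo "socat TCP-LISTEN:${port},fork,reuseaddr UNIX-CONNECT:${EXT_SOCK_DIR}/$1.sock"
}

# Spawn one forwarder per service in the background and wait on them; the
# forwarders outlive container restarts because they only connect to the
# socket path when a client arrives. Ctrl-C / SIGTERM tears all of them down.
start_forwarders() {
    trap 'kill 0' INT TERM
    for svc in https smtps pop3s; do
        $(socat_cmd "$svc") &
    done
    wait
}

# Only start the forwarders when invoked as "sh script.sh start".
if [ "${1:-}" = "start" ]; then start_forwarders; fi
```

With the forwarders up, clients reach the services on the listed TCP ports; curl can also bypass them entirely with its --unix-socket option, as the last commit notes.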

@theyoyojo theyoyojo left a comment

@theyoyojo theyoyojo merged commit f0c6ccf into master Apr 1, 2024
@theyoyojo theyoyojo deleted the unix_sockets branch April 1, 2024 21:47
@charliemirabile charliemirabile mentioned this pull request Apr 3, 2024
Successfully merging this pull request may close these issues.

Multi instance deployment