Issue with TLS in foundationdb docker container

Hello team,

I am trying to run a single foundationdb container in my virtual box vm using the TLS setup.

I have created the certs as below:-

```
root@cb6f5654a2d4:/var/fdb/cert# ls
cert.crt  fdb.pem  private.key
```

I modified the scripts and fdb.bash for using TLS. The container gets started but the ip is showing unreachable. Without TLS the containers works fine with different configs (cluster created and tested).

Below is the fdb.cluster for the single container.

```
root@cb6f5654a2d4:/var/fdb# cat fdb.cluster
docker:docker@172.17.0.13:4500:tls
```

Process details below

```
root@cb6f5654a2d4:/var/fdb# ps aux | grep fdbserver
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        18  0.3  0.8 334660 25280 pts/0    Sl+  02:37   0:00 fdbserver --listen_address public --public_address 172.17.0.13:4500:tls --datadir /var/fdb/data --logdir /var/fdb/logs --locality_zoneid cb6f5654a2d4 --locality_machineid cb6f5654a2d4 --class unset --tls_certificate_file /var/fdb/cert/fdb.pem --tls_key_file /var/fdb/cert/private.key --tls_verify_peers Check.Valid=0
```

Fdbcli status

```
root@cb6f5654a2d4:/var/fdb# fdbcli
Using cluster file `/var/fdb/fdb.cluster'.

The database is unavailable; type `status' for more information.

Welcome to the fdbcli. For help, type `help'.
fdb> status details

Using cluster file `/var/fdb/fdb.cluster'.

Could not communicate with a quorum of coordination servers:
  172.17.0.13:4500:tls  (unreachable)

fdb>
```

Could you please let me know if I am doing something wrong here?

Thanks and regards,
Prabin Poulose

EDIT: Used ``` for code blocks.

What is ifconfig or ip addr in your docker container?

(Please note that FDB isn’t tolerant of NAT happening between the server and the clients, so you’ll need to make sure that you’re using host networking if you’re trying to run fdbserver in a container and connect to it from outside docker.)

Please see the IP config below:

```
root@cb6f5654a2d4:/var/fdb# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.13  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:0d  txqueuelen 0  (Ethernet)
        RX packets 39  bytes 4291 (4.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 100  bytes 25570 (25.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 100  bytes 25570 (25.5 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

Oh, yeah, so not docker networking issues then.

If you’re trying to connect to a TLS cluster, then you need to add the TLS flags to fdbcli.

Does `fdbcli -C /var/fdb/fdb.cluster --tls_certificate_file /var/fdb/cert/fdb.pem --tls_key_file /var/fdb/cert/private.key --tls_verify_peers Check.Valid=0` work? If not, can you add `--log` and pastebin the resulting trace log file?
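As an added example (not part of the thread and not FoundationDB's own tooling), a small POSIX shell helper that reads the cluster file and only adds the client TLS options when a coordinator address carries the `:tls` suffix, which is exactly the mismatch behind the `(unreachable)` status above. The certificate and key paths are assumptions matching the layout shown in the thread.

```shell
#!/bin/sh
# Added example: derive the fdbcli command line from an fdb.cluster file.
# If any coordinator address ends in ":tls", the client must present the same
# TLS options the fdbserver was started with, otherwise fdbcli reports the
# coordinators as "(unreachable)". Paths are assumptions (thread's layout).

CERT_FILE=${FDB_CERT_FILE:-/var/fdb/cert/fdb.pem}
KEY_FILE=${FDB_KEY_FILE:-/var/fdb/cert/private.key}

# Print "tls" if any coordinator in the connection string carries the :tls
# suffix, otherwise "plain".
# Connection string format: description:id@host:port[:tls],host:port[:tls],...
cluster_needs_tls() {
    coords=${1#*@}          # drop "description:id@"
    old_ifs=$IFS
    IFS=,
    for c in $coords; do
        case $c in
            *:tls) IFS=$old_ifs; echo tls; return 0 ;;
        esac
    done
    IFS=$old_ifs
    echo plain
    return 0
}

# Print the fdbcli command line appropriate for the given cluster file.
fdbcli_args_for() {
    cluster_file=$1
    conn=$(head -n 1 "$cluster_file")
    if [ "$(cluster_needs_tls "$conn")" = tls ]; then
        # Check.Valid=0 disables peer certificate verification, as in the
        # thread's test setup; a production cluster would verify peers.
        echo "fdbcli -C $cluster_file --tls_certificate_file $CERT_FILE --tls_key_file $KEY_FILE --tls_verify_peers Check.Valid=0"
    else
        echo "fdbcli -C $cluster_file"
    fi
}
```

Run `sh -c "$(fdbcli_args_for /var/fdb/fdb.cluster)"` to launch fdbcli with the options the cluster file requires.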

Alex, It’s working with the TLS flags. Thank you very much.
