
Re: Calling expose_port for domain scoped cartridges



The container work + the ability to tag packets with SELinux labels will give us more control over networking and traffic that goes over
forwarded ports. Perhaps we should wait for that before exposing cartridge ports over a domain or to the public.

--kr

On Jun 17, 2013, at 10:56 AM, "Robert L. Millner" <rmillner redhat com> wrote:

> On Mon, 2013-06-17 at 08:38 -0400, Andy Goldstein wrote:
>> On Jun 17, 2013, at 5:21 AM, Brenton Leanhardt wrote:
>> 
>>> Today we only call expose port for scaled applications.  Would it be
>>> possible to also call it for domain scoped cartridges?
>> 
>> +1. I think this would be extremely useful. I would even think this would be useful for normal (non-domain, non-scaled) apps.
> 
> We added a call to expose port for non-scalable apps in this sprint for
> cartridges that expose a direct SSL endpoint.
> 
> https://trello.com/c/XlyArnlR
> 
> The TCP proxy solution we use is haproxy which is fast and stable but
> adding/removing ports causes services to become unavailable while the
> daemon hands off its connections to a new one (why didn't they implement
> a normal SIGHUP like everyone else?).  It was a known downside we
> accepted because at the time it was the least buggy solution otherwise
> that could scale to our requirements.
> 
> Fortunately, Fedora 19 and RHEL 7 will finally allow DNAT to loopback
> addresses and we can toss the proxy entirely.
> 
>    Cheers,
>    Rob
> 
> 


