
Re: Problem with git repo and ssh

On Thu, Jul 31, 2014 at 7:57 AM, Robert Söderlund <openshift-dev netnerdz se> wrote:
> Hello everyone.
>
> I have some problem with ssh access to the gears' git repos, but let me first describe my slightly strange setup.
>
> I only have 1 public IP address, so what I have done is configure a dedicated machine as an Apache reverse proxy as follows (the example is for http; I have the same for https):
>
> RewriteCond %{HTTP_HOST} ^$ [OR]
> RewriteCond %{HTTP_HOST} ^<openshift subdomain>$
> RewriteRule ^/?(.*) http://<broker ip>/$1 [L,P]
> RewriteCond %{HTTP_HOST} ^.*\.<openshift subdomain>$
> RewriteRule ^/?(.*) http://%{HTTP_HOST}/$1 [L,P]
> RewriteCond %{HTTP_HOST} !^.*\.<openshift subdomain>$
> RewriteRule ^/?(.*) http://%{HTTP_HOST}/$1 [L,R=404]
>
> The external DNS points *.<openshift subdomain> to the public IP, and the reverse webproxy is using the internal openshift DNS as resolver.
> I know there will be some performance issues later on with a DNS query for each request.
>
> The problem is when I want to update my gears' git repos: for that I need to be able to talk with the node running the gear, and that is not possible (the clients can only talk with the webproxy machine).
> Has anyone of you written a plugin to either distribute the openshift guest account creation or add the local users in an LDAP directory?
I assume you meant "gear user" when you said "guest account creation." I don't know that either of those have been done. However, it should also be pretty easy to write an OpenSSH AuthorizedKeysCommand that talks to Mongo and use that on the nodes to authenticate gear users by their SSH keys.
> Is it possible to change the repo URI from ssh to http(s)?

Do you mean the repo URL as the client/developer would see it? rhc and the console get the git URL from the broker over REST. From a cursory glance, it looks like those are hard-coded in the REST model (in openshift-origin-controller) to be SSH URLs, but I could be misunderstanding how the code works. If that's the case, your best bet (unless you want to patch the controller) may be to pass --no-git to rhc and clone the repository manually after creating the application.

> The next step is to mount /var/lib/openshift from webproxy on each machine with the node role.
> I know this isn't best practice either, but the webproxy needs to be able to access the git repo directory.
> Another solution might be to use an external git service like github or gitlab, but the problem with user information (username, uid, $HOME) will still be a nut to crack,
> and then we need to create all repos dynamically, and probably a lot of other issues as well.

Would it be possible to configure an extra web server on every node that serves each node's git repositories over HTTP? Then the webproxy could reverse proxy the git repos instead of sharing a single /var/lib/openshift. It won't allow your developers to SSH into gears, but it will let them deploy and manage applications.

> The users we are aiming for are mainly our developers, who don't want to or can't set up ssh/ssh-agent forwarding just to check in some code; they are used to continuous integration
> and would probably expect the new lab/test/dev environment with openshift to be easy to work with.

> Robert Soderlund

dev mailing list
dev lists openshift redhat com
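As an added example (not code from this thread or from OpenShift itself) of the AuthorizedKeysCommand approach suggested in the reply: a lookup script that returns a gear user's keys in authorized_keys format, validating both the username sshd passes in and the stored key material before emitting anything. The in-memory SAMPLE_STORE and the username pattern are assumptions standing in for the Mongo query a real version would make.

```python
#!/usr/bin/env python3
"""Sketch of an OpenSSH AuthorizedKeysCommand for gear users.

sshd_config on each node would carry (assumed paths):
    AuthorizedKeysCommand /usr/local/bin/gear-keys %u
    AuthorizedKeysCommandUser nobody
sshd runs the command with the login name and reads authorized_keys
lines from stdout. Assumption: SAMPLE_STORE stands in for a MongoDB
query against the broker's key records.
"""
import re
import sys

# Constructed sample records; the second one is deliberately malformed.
SAMPLE_STORE = {
    "a1b2c3d4e5f6": [
        {"type": "ssh-rsa", "content": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyData", "name": "laptop"},
        {"type": "ssh-rsa", "content": "not base64!", "name": "broken"},
    ],
}

# Assumed username shape: sshd passes %u verbatim, so only accept a conservative token.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")
KEY_TYPE_RE = re.compile(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$")
KEY_DATA_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
# Options prepended to every gear key so it cannot be used for tunnelling.
KEY_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding"


def authorized_keys_for(username, store):
    """Return authorized_keys lines for username, or [] if unknown or invalid."""
    if not USERNAME_RE.match(username):
        return []
    lines = []
    for rec in store.get(username, []):
        if not (KEY_TYPE_RE.match(rec["type"]) and KEY_DATA_RE.match(rec["content"])):
            continue  # skip malformed records instead of emitting lines sshd cannot parse
        comment = re.sub(r"[^\w.@-]", "_", rec.get("name", ""))  # keep the comment a single token
        lines.append(f"{KEY_OPTIONS} {rec['type']} {rec['content']} {comment}")
    return lines


def main(argv):
    if len(argv) != 2:
        return 1
    for line in authorized_keys_for(argv[1], SAMPLE_STORE):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```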
