support for consul using unix domain socket
What would you like to be added:
For security reasons, I do not want to connect to consul using the domain socket.
The following is not working as I expect it to: "stolon-sentinel --store-backend=consul --store-endpoints unix:///var/run/consul/consul_http.sock"
I am getting the following error:
2020-03-05T20:46:32.998Z FATAL cmd/sentinel.go:1985 cannot create sentinel: cannot create store: cannot create kv store: endpoints scheme must be http or https
Why is this needed:
In short, for security reasons. In my project, I am running consul on the same box as stolon on each node in the cluster. Stolon is executed in a container while consul runs as a regular process on the host machine. I cannot access consul using localhost unless I place the stolon service in the "host" docker network, which is not good either.
@stremovsky libkv currently hardcodes the http scheme (https://github.com/docker/libkv/blob/458977154600b9f23984d9f4b82e79570b5ae12b/store/consul/consul.go#L73-L77) and on the stolon side we only handle the http/https schemes in the URL (using tcp sockets by default). libkv looks unmaintained, so to do this two things are required:
- Find a valid and maintained libkv alternative (a solution would be to implement a new stolon consul store directly using the consul api, as already done for the etcdv3 store) that supports defining the use of a unix socket.
- Find a way to express an endpoint to provide to stolon that can define both the socket type (unix) and the protocol (http/https), since providing only
"unix:///var/run/consul/consul_http.sock" gives only one of the two pieces of information: "unix" defines the socket type (unix socket instead of tcp) but not the protocol (http/https). Perhaps something like "http+unix://%2Fvar%2Frun%2Fconsul%2F/consul_http.sock", as already used in other projects (like https://github.com/httpie/httpie-unixsocket).
@stremovsky Another solution/workaround is to use socat to proxy a tcp socket to a unix socket.
Inside the container (you'll need an image providing socat) you could run:
socat TCP4-LISTEN:8500,fork UNIX-CONNECT:/var/run/consul/consul_http.sock
So when stolon tries to connect to http://localhost:8500 it'll connect to the locally listening socat, which will forward the data to the consul unix socket.
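As an added example, not code from the stolon project or from anyone in this thread, here is how the "http+unix://" endpoint form proposed above could be parsed and used from Go without going through a TCP listener: the protocol (http/https) comes from the scheme prefix and the percent-encoded socket path from the host position, and an http.Transport is told to dial that socket instead of the host in the URL. The type and function names (UnixEndpoint, ParseUnixEndpoint, NewUnixClient, ServeAndFetch) are made up here, the served /v1/status/leader response is a constructed stand-in for consul, and only the Go standard library is used rather than the consul api package.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// UnixEndpoint is an endpoint of the form
//   http+unix://%2Fvar%2Frun%2Fconsul%2Fconsul_http.sock[/path]
// split into the protocol spoken over the socket and the socket itself.
// (Hypothetical type for this example, not a stolon API.)
type UnixEndpoint struct {
	Scheme     string // "http" or "https"
	SocketPath string // decoded filesystem path of the unix domain socket
	Path       string // optional HTTP path prefix after the encoded socket path
}

// ParseUnixEndpoint decodes "<proto>+unix://<percent-encoded socket path>[/path]".
// net/url is deliberately not used for the host part: Go rejects %2F in a host.
func ParseUnixEndpoint(endpoint string) (UnixEndpoint, error) {
	i := strings.Index(endpoint, "://")
	if i < 0 {
		return UnixEndpoint{}, fmt.Errorf("endpoint %q has no scheme", endpoint)
	}
	scheme, rest := endpoint[:i], endpoint[i+3:]
	proto := strings.TrimSuffix(scheme, "+unix")
	if proto == scheme || (proto != "http" && proto != "https") {
		return UnixEndpoint{}, fmt.Errorf("endpoint scheme must be http+unix or https+unix, got %q", scheme)
	}
	hostPart, httpPath := rest, ""
	if j := strings.IndexByte(rest, '/'); j >= 0 {
		hostPart, httpPath = rest[:j], rest[j:]
	}
	sock, err := url.PathUnescape(hostPart)
	if err != nil {
		return UnixEndpoint{}, fmt.Errorf("bad socket path encoding: %w", err)
	}
	if !filepath.IsAbs(sock) {
		return UnixEndpoint{}, fmt.Errorf("socket path %q must be absolute", sock)
	}
	return UnixEndpoint{Scheme: proto, SocketPath: sock, Path: httpPath}, nil
}

// BaseURL is what callers put in request URLs. The host "unix" is a placeholder:
// NewUnixClient ignores it and always dials the socket.
func (ep UnixEndpoint) BaseURL() string {
	return ep.Scheme + "://unix" + ep.Path
}

// NewUnixClient returns an http.Client whose transport dials the unix socket
// instead of resolving the host in the URL. For https+unix the TLS ServerName
// would also have to be set explicitly (the placeholder host will not match the
// server certificate); that is left out of this example.
func NewUnixClient(ep UnixEndpoint) *http.Client {
	var d net.Dialer
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return d.DialContext(ctx, "unix", ep.SocketPath)
		},
	}}
}

// ServeAndFetch is a self-contained demo: it serves a constructed stand-in for
// consul's /v1/status/leader on a unix socket in a temp dir, builds the
// http+unix endpoint string for that socket, and fetches through it.
func ServeAndFetch() (string, error) {
	dir, err := os.MkdirTemp("", "stolon-unix")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "consul_http.sock")
	ln, err := net.Listen("unix", sock)
	if err != nil {
		return "", err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/status/leader", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `"127.0.0.1:8300"`) // constructed response, not real consul output
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	defer srv.Close()

	// url.PathEscape encodes "/" as %2F, which is exactly the host-position form.
	ep, err := ParseUnixEndpoint("http+unix://" + url.PathEscape(sock))
	if err != nil {
		return "", err
	}
	resp, err := NewUnixClient(ep).Get(ep.BaseURL() + "/v1/status/leader")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	body, err := ServeAndFetch()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("leader via unix socket:", body)
}
```

Because the socket is dialed directly, nothing listens on TCP inside the container, which is the difference from the socat workaround: "TCP4-LISTEN:8500" without a "bind=" option accepts connections on every interface of the container's network namespace, so anything that can reach the container on 8500 reaches consul through it. If the socat route is used, restricting the listener with "bind=127.0.0.1" keeps it local to the container.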
Hi
socat is not installed by default in stolon containers.
I will look at libkv alternatives too.
Thanks!
socat is not installed by default in stolon containers.
yes, as I wrote:
Inside the container (you'll need an image providing socat)
Beware that the provided images, as explained in the docs, are EXAMPLE images, since we don't want to support all possible updates, security fixes, requests to add additional extensions, backup tools, etc. Just build your own images.