Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an http2 required ciphersuite for raft server #4

Open
wants to merge 1 commit into
base: cockroach-master
Choose a base branch
from

Conversation

saitanayd
Copy link

Summary:
The RAFT server on port 5766 needs either
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 in
the list of cipher suites in the config. Not
including one of those cipher suites would
prevent the server from starting with an error
like this:

2024-07-22T00:45:02.219	INFO	78	1@runtime/asm_amd64.s:1594	the server is terminating due to a fatal error (see the KRONOS channel for details)
2024-07-22T00:45:02.219	FATAL	78	13@runtime/asm_amd64.s:1594	Failed to serve rafthttp (‹http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)›)goroutine 78 [running]:
runtime/debug.Stack()
	GOROOT/src/runtime/debug/stack.go:24 +0x65
github.com/cockroachdb/cockroach/pkg/util/log.(*loggerT).outputLogEntry(0xc00006cc00, {{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, 0x17e4625b63df8148, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/clog.go:261 +0xb8
github.com/cockroachdb/cockroach/pkg/util/log.logfDepthInternal({0x641aff8, 0xc000128000}, 0x4, 0x4, 0xd, 0x0?, {0x555afe6, 0x1d}, {0xc00077a490, 0x1, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:106 +0x645
github.com/cockroachdb/cockroach/pkg/util/log.logfDepth(...)
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:39
github.com/cockroachdb/cockroach/pkg/util/log.loggerKronos.FatalfDepth(...)
	github.com/cockroachdb/cockroach/bazel-out/k8-fastbuild/bin/pkg/util/log/log_channels_generated.go:6386
github.com/rubrikinc/kronos/kronosutil/log.Fatalf(...)
	github.com/rubrikinc/kronos/kronosutil/log/external/com_github_rubrikinc_kronos/kronosutil/log/log.go:108
github.com/rubrikinc/kronos/oracle.(*raftNode).serveRaft(0xc001c4a2c0, {0x641aff8, 0xc000128000}, 0xc002721260, 0xc0009987b0)
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:1245 +0x6af
created by github.com/rubrikinc/kronos/oracle.(*raftNode).startRaft
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:984 +0x152a

This diff ensures that one of those values
is always added to the cipher suites list
before starting the server.

Test Plan: Manual test

Reviewers: grammar-police!, Sir.Alfred

JIRA Issues: CDM-437246

Differential Revision: https://phabricator.rubrik.com/D332775

@saitanayd saitanayd self-assigned this Jul 22, 2024
@saitanayd saitanayd force-pushed the kronos-tls-saides branch 5 times, most recently from ec285c0 to 5ea0ad1 Compare July 22, 2024 05:51
Summary:
The RAFT server on port 5766 needs either
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 in
the list of cipher suites in the config. Not
including one of those cipher suites would
prevent the server from starting with an error
like this:

```
2024-07-22T00:45:02.219	INFO	78	1@runtime/asm_amd64.s:1594	the server is terminating due to a fatal error (see the KRONOS channel for details)
2024-07-22T00:45:02.219	FATAL	78	13@runtime/asm_amd64.s:1594	Failed to serve rafthttp (‹http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)›)goroutine 78 [running]:
runtime/debug.Stack()
	GOROOT/src/runtime/debug/stack.go:24 +0x65
github.com/cockroachdb/cockroach/pkg/util/log.(*loggerT).outputLogEntry(0xc00006cc00, {{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, 0x17e4625b63df8148, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/clog.go:261 +0xb8
github.com/cockroachdb/cockroach/pkg/util/log.logfDepthInternal({0x641aff8, 0xc000128000}, 0x4, 0x4, 0xd, 0x0?, {0x555afe6, 0x1d}, {0xc00077a490, 0x1, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:106 +0x645
github.com/cockroachdb/cockroach/pkg/util/log.logfDepth(...)
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:39
github.com/cockroachdb/cockroach/pkg/util/log.loggerKronos.FatalfDepth(...)

	github.com/cockroachdb/cockroach/bazel-out/k8-fastbuild/bin/pkg/util/log/log_channels_generated.go:6386
github.com/rubrikinc/kronos/kronosutil/log.Fatalf(...)
	github.com/rubrikinc/kronos/kronosutil/log/external/com_github_rubrikinc_kronos/kronosutil/log/log.go:108
github.com/rubrikinc/kronos/oracle.(*raftNode).serveRaft(0xc001c4a2c0, {0x641aff8, 0xc000128000}, 0xc002721260, 0xc0009987b0)
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:1245 +0x6af
created by github.com/rubrikinc/kronos/oracle.(*raftNode).startRaft
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:984 +0x152a
```

This diff adds one of those cipher suites
(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
to the default values.

Test Plan: Manual test

Reviewers: Sir.Alfred, grammar-police!

JIRA Issues: CDM-437246

Differential Revision: https://phabricator.rubrik.com/D332815
@saitanayd saitanayd force-pushed the kronos-tls-saides branch from 5ea0ad1 to ac5a527 Compare July 22, 2024 22:38
@mohanr-rubrik mohanr-rubrik force-pushed the cockroach-master branch 2 times, most recently from 45c7e18 to 9104d65 Compare September 6, 2024 05:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant