Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2020/12/21 07:30:45 UTC

[GitHub] [skywalking] buxingzhe opened a new issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

buxingzhe opened a new issue #6040:
URL: https://github.com/apache/skywalking/issues/6040


   Please answer these questions before submitting your issue.
   
   - Why do you submit this issue?
     SkyWalking agent fails to establish a gRPC channel with TLS unless a CA file exists. Actually the CA file is not required just to initiate a TLS channel instead of a plain text channel. 
   
   - [ ] Question or discussion
   - [ ] Bug
   - [ ] Requirement
      The SkyWalking agent can establish a TLS channel talking with gRPC without a CA file.
      
   - [ ] Feature or performance improvement
   
   ___
   ### Question
   - What do you want to know?
   
   ___
   ### Bug
   - Which version of SkyWalking, OS, and JRE?
      8.3.0
   - Which company or project?
   
   - What happened?
   If possible, provide a way to reproduce the error. e.g. demo application, component version.
   
   ___
   ### Requirement or improvement
   - Please describe your requirements or improvement suggestions.
     SkyWalking agent can establish a gRPC TLS channel without a CA file by just setting the negotiation type to TLS instead of plain text.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [skywalking] wu-sheng closed issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
wu-sheng closed issue #6040:
URL: https://github.com/apache/skywalking/issues/6040


   





[GitHub] [skywalking] buxingzhe commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
buxingzhe commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-749435905


   We have placed an ELB in front of the OAP servers for load balancing, and our services and OAP servers reside in the same VPC on AWS, so the services send tracing logs to OAP internally; we think it's secure enough.
   The main reason is that we don't like to maintain the CA files along with SkyWalking agents, as the certificates should be updated when they expire.





[GitHub] [skywalking] buxingzhe commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
buxingzhe commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-749466197


   > For the changes you proposed, don't use `System.getProperty("skywalking.grpc.tls.enabled"`, you should add a config into `org.apache.skywalking.apm.agent.core.conf.Config`. Feel free to submit a pull request and notice, change the agent setup doc and changelog file.
   
   OK, I'll submit a PR following your guides.





[GitHub] [skywalking] buxingzhe commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
buxingzhe commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-749465760


   > Are you doing this in the production environment? Theoretically, this is not very secure, because the server side is not being checked. But this is just my advice, not a block.
   
   Yes, it's for the production environment. For our case, the ELB is internally accessible only, so we simply trust the server.





[GitHub] [skywalking] buxingzhe commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
buxingzhe commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-748816625


   Suggest making a change to the file org.apache.skywalking.apm.agent.core.remote.TLSChannelBuilder.java as below:
   
   package org.apache.skywalking.apm.agent.core.remote;
   
   import io.grpc.netty.GrpcSslContexts;
   import io.grpc.netty.NegotiationType;
   import io.grpc.netty.NettyChannelBuilder;
   import io.netty.handler.ssl.SslContextBuilder;
   import java.io.File;
   import javax.net.ssl.SSLException;
   import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
   import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
   import org.apache.skywalking.apm.agent.core.conf.Constants;
   
   public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
       private static String CA_FILE_NAME = "ca" + Constants.PATH_SEPARATOR + "ca.crt";
   
       @Override
       public NettyChannelBuilder build(
           NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
           File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
           boolean hasCAFile = caFile.exists() && caFile.isFile();
           // TLS is requested by default; -Dskywalking.grpc.tls.enabled=false turns it off.
           boolean shouldTlsEnabled = "true".equalsIgnoreCase(System.getProperty("skywalking.grpc.tls.enabled", "true"));
           if (hasCAFile || shouldTlsEnabled) {
               SslContextBuilder builder = GrpcSslContexts.forClient();
               if (hasCAFile) {
                   // Trust only server certificates issued by the CA shipped with the agent.
                   builder.trustManager(caFile);
               }
               // With no trustManager set, Netty falls back to the JVM's default trust store.
               managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
                       .sslContext(builder.build());
           }
           return managedChannelBuilder;
       }
   }
   





[GitHub] [skywalking] wu-sheng commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-748825692


   Hi, could you share your use case about why you need this feature? 
   
   > Skywalking agent can establish a gRPC tls channel without CA file by just setting the negotiation type to TLS instead of plain text.
   
   Technically, yes, this could be done.





[GitHub] [skywalking] buxingzhe commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
buxingzhe commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-748819453


   The above change to TLSChannelBuilder.java can establish a TLS gRPC channel without a CA file. Currently, the gRPC channel fails to be established due to the following exceptions:
   
   ERROR 2020-12-21 15:37:07:256 SkywalkingAgent-6-JVMService-consume-0 JVMMetricsSender : send JVM metrics to Collector fail. 
   org.apache.skywalking.apm.dependencies.io.grpc.StatusRuntimeException: INTERNAL: http2 exception
   	at org.apache.skywalking.apm.dependencies.io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:262)
   	at org.apache.skywalking.apm.dependencies.io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:243)
   	at org.apache.skywalking.apm.dependencies.io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:156)
   	at org.apache.skywalking.apm.network.language.agent.v3.JVMMetricReportServiceGrpc$JVMMetricReportServiceBlockingStub.collect(JVMMetricReportServiceGrpc.java:181)
   	at org.apache.skywalking.apm.agent.core.jvm.JVMMetricsSender.run(JVMMetricsSender.java:82)
   	at org.apache.skywalking.apm.util.RunnableWithExceptionProtection.run(RunnableWithExceptionProtection.java:33)
   	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
   	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
   	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
   	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
   	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
   	at java.lang.Thread.run(Thread.java:748)
   Caused by: org.apache.skywalking.apm.dependencies.io.netty.handler.codec.http2.Http2Exception: First received frame was not SETTINGS. Hex dump for first 5 bytes: 485454502f
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.http2.Http2Exception.connectionError(Http2Exception.java:103)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.http2.Http2ConnectionHandler$PrefaceDecoder.verifyFirstFrameIsSettings(Http2ConnectionHandler.java:338)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.http2.Http2ConnectionHandler$PrefaceDecoder.decode(Http2ConnectionHandler.java:239)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.http2.Http2ConnectionHandler.decode(Http2ConnectionHandler.java:438)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
   	at org.apache.skywalking.apm.dependencies.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
   	at org.apache.skywalking.apm.dependencies.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
   	at org.apache.skywalking.apm.dependencies.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
   	at org.apache.skywalking.apm.dependencies.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
   	at org.apache.skywalking.apm.dependencies.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
   	... 1 more


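The useful part of that Netty error is the hex dump: it is the first bytes the peer sent back, and 485454502f decodes to "HTTP/", i.e. the ELB answered a cleartext HTTP/2 preface with an HTTP/1.x response. The helper below is an added example (not part of the issue or of SkyWalking) that pulls the dump out of such a log line and classifies what the peer spoke; the sample line is constructed from the one quoted above.

```python
import re

# Constructed from the Http2Exception line quoted in the issue above.
SAMPLE_LOG = (
    "Caused by: org.apache.skywalking.apm.dependencies.io.netty.handler.codec."
    "http2.Http2Exception: First received frame was not SETTINGS. "
    "Hex dump for first 5 bytes: 485454502f"
)

HEX_DUMP_RE = re.compile(r"Hex dump for first (\d+) bytes: ([0-9a-fA-F]+)")


def extract_first_bytes(log_line):
    """Return the raw bytes Netty dumped, or None if the line is not a preface error."""
    m = HEX_DUMP_RE.search(log_line)
    if not m:
        return None
    count, hexdata = int(m.group(1)), m.group(2)
    return bytes.fromhex(hexdata)[:count]


def classify_peer_bytes(data):
    """Guess what protocol the peer actually spoke from its first bytes on the wire."""
    if not data:
        return "unknown"
    if data.startswith(b"HTTP/"):
        # HTTP/1.x status line: the agent's cleartext h2c preface reached a
        # listener that does not speak h2c (a TLS or HTTP/1.1 endpoint).
        return "http1-response"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        # TLS alert record (content type 0x15, version 0x03xx): a TLS listener
        # rejecting bytes that were not a ClientHello.
        return "tls-alert"
    if len(data) >= 4 and data[3] == 0x04:
        # HTTP/2 frame header: 3-byte length, then frame type 0x04 = SETTINGS,
        # which is what a healthy HTTP/2 peer sends first.
        return "h2-settings"
    return "unknown"


def diagnose(log_line):
    """Classify one log line; returns (verdict, raw bytes)."""
    data = extract_first_bytes(log_line)
    return classify_peer_bytes(data), data
```

For the line from this issue the verdict is "http1-response", which points at a plaintext-versus-TLS mismatch between the agent and the ELB listener rather than at a certificate problem.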



[GitHub] [skywalking] wu-sheng commented on issue #6040: Skywalking agent fails to establish gRPC channel with TLS when no CA files

Posted by GitBox <gi...@apache.org>.
wu-sheng commented on issue #6040:
URL: https://github.com/apache/skywalking/issues/6040#issuecomment-749441087


   > The main reason is that we don't like to maintain the CA files along with skywalking agents as the certificates should updated when they are expired.
   
   Are you doing this in the production environment? Theoretically, this is not very secure, because the server side is not being checked. But this is just my advice, not a block.
   
   For the changes you proposed, don't use `System.getProperty("skywalking.grpc.tls.enabled"`, you should add a config into `org.apache.skywalking.apm.agent.core.conf.Config`. Feel free to submit a pull request and notice, change the agent setup doc and changelog file.

