Skip to content
This repository has been archived by the owner on Dec 4, 2024. It is now read-only.

Switch to an opt-in model for generating HAProxy configuration #402

Closed
vishnu2kmohan opened this issue Jan 16, 2017 · 4 comments
Closed

Switch to an opt-in model for generating HAProxy configuration #402

vishnu2kmohan opened this issue Jan 16, 2017 · 4 comments
Labels
enhancement

Comments

@vishnu2kmohan
Copy link

Say I have the following Marathon App definition where an app may listen on multiple ports but only requires one port PORT0 to be exposed externally

{
  "id": "/pywebs",
  "cmd": "sh -c '(/opt/mesosphere/bin/python -m http.server $PORT0 &) && (/opt/mesosphere/bin/python -m http.server $PORT1 &) && (/opt/mesosphere/bin/python -m http.server $PORT2 &) && /opt/mesosphere/bin/python -m http.server $PORT3'",
  "cpus": 1,
  "mem": 128,
  "disk": 0,
  "instances": 1,
  "labels": {
    "HAPROXY_GROUP": "external",
    "HAPROXY_1_FRONTEND_HEAD": "",
    "HAPROXY_1_FRONTEND_BACKEND_GLUE": "",
    "HAPROXY_2_FRONTEND_HEAD": "",
    "HAPROXY_2_FRONTEND_BACKEND_GLUE": "",
    "HAPROXY_3_FRONTEND_HEAD": "",
    "HAPROXY_3_FRONTEND_BACKEND_GLUE": ""
  },
  "portDefinitions": [
    {
      "port": 0,
      "protocol": "tcp",
      "name": "web0",
      "labels": {
        "VIP_0": "/pywebs:8080"
      }
    },
    {
      "port": 0,
      "protocol": "tcp",
      "name": "web1",
      "labels": {
        "VIP_1": "/pywebs:8081"
      }
    },
    {
      "port": 0,
      "protocol": "tcp",
      "name": "web2",
      "labels": {
        "VIP_2": "/pywebs:8082"
      }
    },
    {
      "port": 0,
      "protocol": "tcp",
      "name": "web3",
      "labels": {
        "VIP_3": "/pywebs:8083"
      }
    }
  ],
  "healthChecks": [
    {
      "path": "/",
      "protocol": "HTTP",
      "portIndex": 0,
      "gracePeriodSeconds": 10,
      "intervalSeconds": 20,
      "timeoutSeconds": 10,
      "maxConsecutiveFailures": 3,
      "ignoreHttp1xx": false
    },
    {
      "path": "/",
      "protocol": "HTTP",
      "portIndex": 1,
      "gracePeriodSeconds": 10,
      "intervalSeconds": 20,
      "timeoutSeconds": 10,
      "maxConsecutiveFailures": 3,
      "ignoreHttp1xx": false
    },
    {
      "path": "/",
      "protocol": "HTTP",
      "portIndex": 2,
      "gracePeriodSeconds": 10,
      "intervalSeconds": 20,
      "timeoutSeconds": 10,
      "maxConsecutiveFailures": 3,
      "ignoreHttp1xx": false
    },
    {
      "path": "/",
      "protocol": "HTTP",
      "portIndex": 3,
      "gracePeriodSeconds": 10,
      "intervalSeconds": 20,
      "timeoutSeconds": 10,
      "maxConsecutiveFailures": 3,
      "ignoreHttp1xx": false
    }
  ]
}

I currently have to manually opt-out PORT1, PORT2 and PORT3 by adding the following labels:

  "labels": {
    "HAPROXY_GROUP": "external",
    "HAPROXY_1_FRONTEND_HEAD": "",
    "HAPROXY_1_FRONTEND_BACKEND_GLUE": "",
    "HAPROXY_2_FRONTEND_HEAD": "",
    "HAPROXY_2_FRONTEND_BACKEND_GLUE": "",
    "HAPROXY_3_FRONTEND_HEAD": "",
    "HAPROXY_3_FRONTEND_BACKEND_GLUE": ""
  },

Furtheremore if I didn't want even the backend configuration for those ports generated I'd have to add more HAPROXY_{n}_BACKEND_<> options to ensure that Marthon-LB doesn't render from the backend templates.

Instead, it would be nicer if we only had to opt-in PORT0 explicitly.

This would also make for a secure-by-default configuration whereby no ports that have not explicitly been labeled will be advertised.
@vishnu2kmohan vishnu2kmohan mentioned this issue Jan 16, 2017
Closed
@JohnOmernik
Copy link

I concur with this model for security in marathon-lb. In speaking to vishnu on slack, we discussed how forcing users to define those ports that will be exposed is more secure by default because it ensures ports that the user may not have intended to expose via the load-balancer are not accidentally exposed.

@brndnmtthws
Copy link
Contributor

While I generally think this is a good idea, the biggest problem will be that it may break backward compatibility for a lot of users. Perhaps a sane default would be to expose the first port by default, and disable the others unless it's explicitly enabled.

brndnmtthws added a commit that referenced this issue Jan 24, 2017
@brndnmtthws
Introduce new --strict-mode option.
f7d4b16 
This also adds a new `HAPROXY_{n}_ENABLED` option, which lets you
enabled/disable individual backends for an app.

This resolves issues #402 and #403.
@brndnmtthws brndnmtthws mentioned this issue Jan 24, 2017
Merged
@brndnmtthws
Copy link
Contributor

Please share your thoughts on #410.

brndnmtthws added a commit that referenced this issue Jan 24, 2017
@brndnmtthws
Introduce new --strict-mode option.
00df6ce 
This also adds a new `HAPROXY_{n}_ENABLED` option, which lets you
enabled/disable individual backends for an app.

This resolves issues #402 and #403.
brndnmtthws added a commit that referenced this issue Jan 24, 2017
@brndnmtthws
Introduce new --strict-mode option. (#410)
b46ace4 
This also adds a new `HAPROXY_{n}_ENABLED` option, which lets you
enabled/disable individual backends for an app.

This resolves issues #402 and #403.
@vishnu2kmohan
Copy link
Author

Thanks!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JohnOmernik @vishnu2kmohan @brndnmtthws