Add an http2 required ciphersuite for raft server #4

Open
saitanayd wants to merge 1 commit into cockroach-master from kronos-tls-saides

@saitanayd
Contributor

Summary:
The RAFT server on port 5766 needs either
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 in
the list of cipher suites in the config. Not
including one of those cipher suites would
prevent the server from starting with an error
like this:

```
2024-07-22T00:45:02.219	INFO	78	1@runtime/asm_amd64.s:1594	the server is terminating due to a fatal error (see the KRONOS channel for details)
2024-07-22T00:45:02.219	FATAL	78	13@runtime/asm_amd64.s:1594	Failed to serve rafthttp (‹http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)›)goroutine 78 [running]:
runtime/debug.Stack()
	GOROOT/src/runtime/debug/stack.go:24 +0x65
github.com/cockroachdb/cockroach/pkg/util/log.(*loggerT).outputLogEntry(0xc00006cc00, {{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, 0x17e4625b63df8148, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/clog.go:261 +0xb8
github.com/cockroachdb/cockroach/pkg/util/log.logfDepthInternal({0x641aff8, 0xc000128000}, 0x4, 0x4, 0xd, 0x0?, {0x555afe6, 0x1d}, {0xc00077a490, 0x1, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:106 +0x645
github.com/cockroachdb/cockroach/pkg/util/log.logfDepth(...)
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:39
github.com/cockroachdb/cockroach/pkg/util/log.loggerKronos.FatalfDepth(...)
	github.com/cockroachdb/cockroach/bazel-out/k8-fastbuild/bin/pkg/util/log/log_channels_generated.go:6386
github.com/rubrikinc/kronos/kronosutil/log.Fatalf(...)
	github.com/rubrikinc/kronos/kronosutil/log/external/com_github_rubrikinc_kronos/kronosutil/log/log.go:108
github.com/rubrikinc/kronos/oracle.(*raftNode).serveRaft(0xc001c4a2c0, {0x641aff8, 0xc000128000}, 0xc002721260, 0xc0009987b0)
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:1245 +0x6af
created by github.com/rubrikinc/kronos/oracle.(*raftNode).startRaft
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:984 +0x152a
```

This diff ensures that one of those values
is always added to the cipher suites list
before starting the server.

Test Plan: Manual test

Reviewers: grammar-police!, Sir.Alfred

JIRA Issues: CDM-437246

Differential Revision: https://phabricator.rubrik.com/D332775

@saitanayd saitanayd self-assigned this Jul 22, 2024
@saitanayd saitanayd force-pushed the kronos-tls-saides branch 5 times, most recently from ec285c0 to 5ea0ad1 Compare July 22, 2024 05:51
Summary:
The RAFT server on port 5766 needs either
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 in
the list of cipher suites in the config. Not
including one of those cipher suites would
prevent the server from starting with an error
like this:

```
2024-07-22T00:45:02.219	INFO	78	1@runtime/asm_amd64.s:1594	the server is terminating due to a fatal error (see the KRONOS channel for details)
2024-07-22T00:45:02.219	FATAL	78	13@runtime/asm_amd64.s:1594	Failed to serve rafthttp (‹http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)›)goroutine 78 [running]:
runtime/debug.Stack()
	GOROOT/src/runtime/debug/stack.go:24 +0x65
github.com/cockroachdb/cockroach/pkg/util/log.(*loggerT).outputLogEntry(0xc00006cc00, {{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, 0x17e4625b63df8148, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/clog.go:261 +0xb8
github.com/cockroachdb/cockroach/pkg/util/log.logfDepthInternal({0x641aff8, 0xc000128000}, 0x4, 0x4, 0xd, 0x0?, {0x555afe6, 0x1d}, {0xc00077a490, 0x1, ...})
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:106 +0x645
github.com/cockroachdb/cockroach/pkg/util/log.logfDepth(...)
	github.com/cockroachdb/cockroach/pkg/util/log/channels.go:39
github.com/cockroachdb/cockroach/pkg/util/log.loggerKronos.FatalfDepth(...)
	github.com/cockroachdb/cockroach/bazel-out/k8-fastbuild/bin/pkg/util/log/log_channels_generated.go:6386
github.com/rubrikinc/kronos/kronosutil/log.Fatalf(...)
	github.com/rubrikinc/kronos/kronosutil/log/external/com_github_rubrikinc_kronos/kronosutil/log/log.go:108
github.com/rubrikinc/kronos/oracle.(*raftNode).serveRaft(0xc001c4a2c0, {0x641aff8, 0xc000128000}, 0xc002721260, 0xc0009987b0)
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:1245 +0x6af
created by github.com/rubrikinc/kronos/oracle.(*raftNode).startRaft
	github.com/rubrikinc/kronos/oracle/external/com_github_rubrikinc_kronos/oracle/raft.go:984 +0x152a
```

This diff adds one of those cipher suites
(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
to the default values.

Test Plan: Manual test

Reviewers: Sir.Alfred, grammar-police!

JIRA Issues: CDM-437246

Differential Revision: https://phabricator.rubrik.com/D332815
@saitanayd saitanayd force-pushed the kronos-tls-saides branch from 5ea0ad1 to ac5a527 Compare July 22, 2024 22:38
@mohan-garimella mohan-garimella force-pushed the cockroach-master branch 2 times, most recently from 45c7e18 to 9104d65 Compare September 6, 2024 05:10
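
The startup check quoted in the error above, and one way to satisfy it before serving, as an added example that is not code from this pull request. `hasHTTP2Required`, `ensureHTTP2Cipher` and the `ecdsaCert` parameter are hypothetical names, and the operator configuration in `main` is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// hasHTTP2Required reports whether suites contains at least one of the two
// suites named in the rafthttp startup error.
func hasHTTP2Required(suites []uint16) bool {
	for _, s := range suites {
		switch s {
		case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
			return true
		}
	}
	return false
}

// ensureHTTP2Cipher (hypothetical helper) returns suites with one required
// suite appended when none is present. ecdsaCert picks the variant matching
// the server certificate's key type: in TLS 1.2 an ECDSA suite cannot be
// negotiated with an RSA certificate, so the wrong variant passes the startup
// check but is never selected. A nil list is returned unchanged because
// crypto/tls then falls back to its own default suites.
func ensureHTTP2Cipher(suites []uint16, ecdsaCert bool) []uint16 {
	if suites == nil || hasHTTP2Required(suites) {
		return suites
	}
	add := tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	if ecdsaCert {
		add = tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	}
	// Copy first so the caller's slice is never modified in place.
	out := append(make([]uint16, 0, len(suites)+1), suites...)
	return append(out, add)
}

func main() {
	// Constructed operator config that omits both required suites.
	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
	}
	cfg.CipherSuites = ensureHTTP2Cipher(cfg.CipherSuites, false)
	for _, id := range cfg.CipherSuites {
		fmt.Println(tls.CipherSuiteName(id))
	}
}
```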