Setting Default Application in Openshift Nodes

Background

The default behavior of Openshift nodes is to redirect requests for unknown applications to host/getting_started.html, usually causing endless redirect loop.
On some cases we might want this behavior to be changed, for example when we want a default page (Application not found) to show up. Or when tools such as Acunetix scanning tool incorrectly detected such redirect as medium vulnerability because the redirect uses the injected host header.

The Openshift Origin platform in use for this article is Origin Release 4, with the nodes using apache-mod-rewrite frontent plugin (rubygem-openshift-origin-frontend-apache-mod-rewrite-0.7.1.1-1.el6.noarch). 

Mechanism

The default mechanism can be read in /etc/httpd/conf.d/000001_openshift_origin_node.conf :
As we can see, routes are loaded from openshift_route.include. 
The file is full of route rules, but the interesting part are the RewriteMap clauses in the top of the file :


Nodes and aliases are loaded from DBM files : nodes.db, aliases.db. These files are created from nodes.txt and aliases.txt. 

Solution Strategy

To implement default routes for unknown application, we are going to add a  __default__ route in the bottom of routes.txt, inspired from Openshift comprehensive deployment guide (https://docs.openshift.org/origin-m4/oo_deployment_guide_comprehensive.html#apache-mod-rewrite-plugin) :
[ Reference ]
cat < /tmp/nodes.broker_routes.txt
__default__ REDIRECT:/console
__default__/console TOHTTPS:127.0.0.1:8118/console
__default__/broker TOHTTPS:127.0.0.1:8080/broker
EOF

From the reference above, we understand that the __default__ keyword could be used in the left hand side. For the right hand side, seek the application that we are going to use as the default application. 
[ /etc/httpd/conf.d/openshift/nodes.txt ]
testmed54-test.aon.telkom.co.id 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b000002
testmed54-test.aon.telkom.co.id/health HEALTH|550d80da98988b065b000002|550d80da98988b065b000002
testmed54-test.aon.telkom.co.id/haproxy-status 127.12.87.131:8080/|550d80da98988b065b000002|550d80da98988b065b000002

Choose the line without health nor haproxy-status, which is the first line. Copy the right hand side.
 
Backup the nodes.txt and nodes.db file before changing anything.

In the last nodes.txt line, append a new line, combining __default__ in the left hand side with 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b000002 in the right hand side :
__default__ 127.12.87.130:8080|550d80da98988b065b000002|550d80da98988b065b00000

Convert nodes.txt to nodes.db :
httxt2dbm -f DB -i /etc/httpd/conf.d/openshift/nodes.txt -o /etc/httpd/conf.d/openshift/nodes.db
It might be necessary to restart httpd after the conversion.

Result

After the change outlined above, the node will direct requests with unknown applications to the default application (for example, testmed54-test).


Comments

Post a Comment

Popular posts from this blog

Long running process in Linux using PHP

Background To do stuff, I usually create web-based applications written in PHP. Sometimes we need to run something that takes a long time, far longer than the 10 second psychological limit for web pages. A bit of googling in stack overflow found us this  http://stackoverflow.com/questions/2212635/best-way-to-manage-long-running-php-script , but I will tell the similar story with a different solution. One of the long running tasks that need to be run is a Pentaho data integration transformation. Difficulties in long running PHP scripts I encountered some problems when trying to make PHP do long running tasks : PHP script timeout. This could be solved by running set_time_limit(0); before the long running tasks. Memory leaks. The framework I normally use have a bit of memory issues, this can be solved either by patching the framework (ok, it is a bit difficult to do, but I did something similar in the past ) or splitting the data to process into several batches. And if you
Read more

Reverse Engineering Reptile Kernel module to Extract Authentication code

Image
 This time I will show how to (partially) reverse engineer a linux kernel module. The linux kernel module is larger than usual kernel module because it is actually a Reptile-based rootkit dropped by some hacker.  Part 1. Get basic module information First we gather basic module info by using modinfo : [root@lb lkrg-0.9.1]# modinfo falc0n filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n.ko intree:         Y license:         GPL retpoline:       Y rhelversion:     7.8 srcversion:     81F508029A53F7490CCDB44 depends:         vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions   We could also refer to the kernel module file not yet installed in the OS : [root@lb lkrg-0.9.1]# file falc0n.ko falc0n.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=1bde6abf4732eb620983032a47fbcf07689ece11, not stripped [root@lb lkrg-0.9.1]# modinfo falc0n.ko filename:       /root/lkrg-0.9.1/falc0n.ko intree:         Y license:         GPL retp
Read more

SAP System Copy Lessons Learned

Image
Background Earlier this year I was part of a team that does System Copy for a 20 terabyte plus SAP ERP RM-CA System. And just now I am involved in doing two system copy in just over one week, for much lesser amount of data. I think I would note some lessons learned from the experience in this blog. For the record, we are migrating from HP/UX and AIX to Linux x86 platform. Things that go wrong First, following the System Copy guide carefully is quite a lot of work - mainly because some important stuff are hidden in references in the guide. And reading a SAP note that are referenced in another SAP note, that are referenced in Installation Guide.. is a bit too much. Let me describe what thing goes wrong. VM Time drift The Oracle RAC Cluster have time drift problem, killing one instance when the other is shutting down. The cure for our VMWare-based Linux database server is hidden in SAP Note 989963 "Linux VMWARE Timing", which is basically add a tinker panic 0 in the
Read more