These are chat archives for spring-cloud/spring-cloud

6th
Jul 2016
bitsofinfo
@bitsofinfo
Jul 06 2016 01:08
anyone have any ideas on how to wire a HostnameVerifier for the eureka discovery client?
2016-07-05 18:53:58.676  INFO 655 --- [nfoReplicator-0] com.netflix.discovery.DiscoveryClient    : DiscoveryClient_MYAPP/hosa222:myapp-config:8888: registering service...
2016-07-05 18:53:58.683 ERROR 655 --- [nfoReplicator-0] c.n.d.s.t.d.RedirectingEurekaHttpClient  : Request execution error

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: Certificate for <localhost> doesn't match common name of the certificate subject: my-ssl-test
        at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
        at com.sun.jersey.api.client.filter.GZIPContentEncodingFilter.handle(GZIPContentEncodingFilter.java:123) ~[jersey-client-1.19.1.jar:1.19.1]
        at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.4.8.jar:1.4.8]
        at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar:1.19.1]
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar:1.19.1]
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar:1.19.1]
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570) ~[jersey-client-1.19.1.jar:1.19.1]
        at com.netflix.discovery.shared.transport.jersey.AbstractJerseyEurekaHttpClient.register(AbstractJerseyEurekaHttpClient.java:56) ~[eureka-client-1.4.8.jar:1.4.8]
        at com.netflix.discovery.shared.transport.decorator.EurekaHttpClientDecorator$1.execute(EurekaHttpClientDecorator.java:59) [eureka-client-1.4.8.jar:1.4.8]
        at com.netflix.discovery.shared.transport.decorator.MetricsCollectingEurekaHttpClient.execute(MetricsCollectingEurekaHttpClient.java:73) ~[eureka-client-1.4.8.jar:
Spencer Gibb
@spencergibb
Jul 06 2016 01:09
spring-cloud/spring-cloud-netflix#1138
sorry, that’s not for discovery client
bitsofinfo
@bitsofinfo
Jul 06 2016 01:11
yeah was just reading it, looks diff
Spencer Gibb
@spencergibb
Jul 06 2016 01:11
only read discovery client after I pasted
not sure off the top of my head
bitsofinfo
@bitsofinfo
Jul 06 2016 01:22
Netflix/eureka#234
Spencer Gibb
@spencergibb
Jul 06 2016 01:23
nice
bitsofinfo
@bitsofinfo
Jul 06 2016 01:23
also spring-cloud/spring-cloud-netflix#1077 looks like he tried it too to no avail, just tried myself, does not seem to work. still seems to be using Apache's socket factory
bitsofinfo
@bitsofinfo
Jul 06 2016 01:53
setting that prop com.netflix.eureka.shouldSSLConnectionsUseSystemSocketFactory=true does not traverse the code that actually enables use of the system socket factory.
bitsofinfo
@bitsofinfo
Jul 06 2016 02:16
i think this issue as well is fundamentally due to the same root issue in the eureka lib spring-cloud/spring-cloud-netflix#1077
Spencer Gibb
@spencergibb
Jul 06 2016 02:20
great investigation. Might it be the way we are constructing things?
bitsofinfo
@bitsofinfo
Jul 06 2016 02:22
well not sure, I suspect not. I mean when I was reading through the code after stepping through it, down in the Eureka lib they have a switch that obeys this argument in a builder, but then completely overwrite the requested change in another method with a different generated client builder. I posted some info here, it's not great but a start on where to look: Netflix/eureka#812
Spencer Gibb
@spencergibb
Jul 06 2016 02:27
We could force a client in DiscoveryClient.scheduleServerEndpointTask
via the DiscoveryClientOptionalArgs constructor arg. That could be your work around since we support supplying one of those as an optional bean.
bitsofinfo
@bitsofinfo
Jul 06 2016 02:29
hmm, yes I see what you mean
Spencer Gibb
@spencergibb
Jul 06 2016 02:29
then you can set the option.
bitsofinfo
@bitsofinfo
Jul 06 2016 02:30
cool, I will look into it and see
ccit-spence
@ccit-spence
Jul 06 2016 09:13
Am I understanding it correctly that spring-cloud-consul and spring-cloud-vault-config is an either or choice for configuration?
Meaning I use Consul for Config and Service Discovery or Vault for Config and Consul for Service Discovery
Dave Syer
@dsyer
Jul 06 2016 09:19
The Vault support in config server is independent of Spring Cloud Consul
I guess that's what you mean
ccit-spence
@ccit-spence
Jul 06 2016 09:19
maybe
so then you could use Vault for secrets and consul for general config?
Dave Syer
@dsyer
Jul 06 2016 09:20
Don't know. Probably.
Haven't tried it. But in principle yes.
ccit-spence
@ccit-spence
Jul 06 2016 09:21
is it better to use vault for all config?
Dave Syer
@dsyer
Jul 06 2016 09:21
Might be simpler.
Using Vault for storing keys only is also probably an option
(not one we've put a lot of effort into yet, but the abstractions are there)
It would certainly work with the normal git config backend
ccit-spence
@ccit-spence
Jul 06 2016 09:22
so in the first version of Spring cloud sense: Spring Cloud Config = Vault Eureka = Consul?
Dave Syer
@dsyer
Jul 06 2016 09:23
"first version"?
ccit-spence
@ccit-spence
Jul 06 2016 09:23
angel when consul was not around
Dave Syer
@dsyer
Jul 06 2016 09:23
I don't think "=" is really a useful operator
In Camden Spring Cloud Config will have a Vault back end (in addition to git etc.)
In Brixton we offer a range of service discovery options including Eureka and Consul
ccit-spence
@ccit-spence
Jul 06 2016 09:25
so then a replacement for the current JCE used in Spring Cloud Config
Dave Syer
@dsyer
Jul 06 2016 09:25
Nothing replaces JCE (it's a library in the JDK)
Not sure what you mean
ccit-spence
@ccit-spence
Jul 06 2016 09:26
currently to encrypt with Spring Cloud Config you need to include JCE for encrypt decrypt
Alexander Kalinovski
@akalinovski
Jul 06 2016 09:26
Hi, everyone! Is this the right place to ask some questions about Spring Cloud Stream?
Dave Syer
@dsyer
Jul 06 2016 09:26
I suppose with a Vault backend probably there is no crypto in the JVM
@akalinovski yes, there is no dedicated channel for Stream. But all the Stream guys are in the US, so don't expect much of a detailed response.
ccit-spence
@ccit-spence
Jul 06 2016 09:27
ok, I will play around with some scenarios and see how it works. Thanks for the help
Dave Syer
@dsyer
Jul 06 2016 09:27
No problem
Vault is significantly non-trivial to productionize.
ccit-spence
@ccit-spence
Jul 06 2016 09:27
and not everyone in the US sleeps :-)
Alexander Kalinovski
@akalinovski
Jul 06 2016 09:28
@dsyer Ok, thanks. I see.
ccit-spence
@ccit-spence
Jul 06 2016 09:29
agreed, Vault fun. using it for config stuff outside of apps and thought it would be nice to use for Spring Cloud as well
Alexander Kalinovski
@akalinovski
Jul 06 2016 09:47
Not sure if anyone related to Spring Integration or Spring Cloud Stream is here but I have a question - I have a message subscriber (using SubscribableChannel) and have multiple instances of the service with it. Looks like this way it’s working like pub/sub so I got a message for each instance of the service and multiple duplicate output messages within the initial entrypoint service. I know that we can specify consumer groups but not sure how this can help here - we can have different consumer group settings for each instance but how we can send the messages to a proper instance rather than to both.
Dave Syer
@dsyer
Jul 06 2016 09:52
Partitioning?
Alexander Kalinovski
@akalinovski
Jul 06 2016 09:54
Hm, maybe. Ok, thanks for pointing to this, I will investigate if that can solve my issue.
Włodzimierz Rożkow
@rozhok
Jul 06 2016 13:56
is there quick way to disable eureka eip binder:
java.lang.StringIndexOutOfBoundsException: String index out of range: -4
    at java.lang.String.substring(String.java:1967)
    at com.netflix.eureka.util.EIPManager.getEIPsFromServiceUrls(EIPManager.java:301)
    at com.netflix.eureka.util.EIPManager.getEIPsForZoneFromConfig(EIPManager.java:281)
    at com.netflix.eureka.util.EIPManager.getCandidateEIPs(EIPManager.java:258)
    at com.netflix.eureka.util.EIPManager.isEIPBound(EIPManager.java:104)
    at com.netflix.eureka.EurekaBootStrap$1.run(EurekaBootStrap.java:251)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
my eureka is in private network
Włodzimierz Rożkow
@rozhok
Jul 06 2016 14:20
found EurekaServerConfigBean, wondering if anyone used AwsBindingStrategy.ENI
Alexander Kalinovski
@akalinovski
Jul 06 2016 14:29
Re: my previous question about scaling Spring Cloud Stream - partitioning doesn’t work well I think. If we use a partition for each service instance what do we do with the failed/down one? It has a separate queue with its own routing key. So such messages will not be re-delivered to any instances, right?
So after configuration of such instances I stopped one of them and the messages were “lost” (other instances do not see them) and getting the result back failed within the timeout (as it’s still trying to route it to the down instance)
This will not work in the cloud solution where we can dynamically scale up or down the nodes
This can make sense only for different types of messages
Not for different instances of the same service
Any thoughts guys?
Włodzimierz Rożkow
@rozhok
Jul 06 2016 15:17
@dsyer sadly that there is no way to suppress binding to anything
i've tried ENI, but it requires permissions which I don't want to grant since my instance already has ENI. Not sure why it just to passing check that ENI is already bound
Włodzimierz Rożkow
@rozhok
Jul 06 2016 15:42
I'll leave it as is at the moment
Dave Syer
@dsyer
Jul 06 2016 16:05
@akalinovski you probably should wait for @mbogoevici (or @garyrussell) to explain the options. Marius is on vacation.
Generally I think if partition processing is to be done in an HA way you need to have multiple instances per partition. Scaling up and down definitely requires special strategies. But I don't think that's a problem with Spring Cloud Stream. It's just the way the messaging works.
bitsofinfo
@bitsofinfo
Jul 06 2016 16:07

@spencergibb regarding that issue I brought up last night w/ eureka discovery client not obeying that parameter, I took a look but have to move on to something else. It might be possible, I made a crude attempt but it just feels like a hack. These 2 parts of the eureka code are the issue

This code properly sets the system ssl flag
https://github.com/Netflix/eureka/blob/b06598347814596f75fe24bf39018b803a90bc22/eureka-client/src/main/java/com/netflix/discovery/shared/transport/jersey/JerseyEurekaHttpClientFactory.java#L112

Then when build is called, it is ignored as in buildLegacy() it just creates a new one that does not take into account that system property https://github.com/Netflix/eureka/blob/b06598347814596f75fe24bf39018b803a90bc22/eureka-client/src/main/java/com/netflix/discovery/shared/transport/jersey/JerseyEurekaHttpClientFactory.java#L174

bitsofinfo
@bitsofinfo
Jul 06 2016 16:13
The DiscoveryClientOptionalArgs has a setEurekaJerseyClient(EurekaJerseyClient eurekaJerseyClient) but the client yielded from the builder that is generated by the thread path I am following generates a EurekaHttpClient which is different, so not sure it would even work
Alexander Kalinovski
@akalinovski
Jul 06 2016 16:34
@dsyer ok, thanks
bitsofinfo
@bitsofinfo
Jul 06 2016 16:53
For spring.cloud.config.discovery.enabled=true my config service is running HTTPS however, when an app gets the location of the config service via eureka discovery, it's attempting to connect via HTTP (not ssl) and obviously failing. I assume I need to use the meta-map for this, what property should I be looking for?
Dave Syer
@dsyer
Jul 06 2016 17:04
I don't think you need metamap (but I could be wrong)
There's a section in the user guide on using ssl with eureka
IIRC
bitsofinfo
@bitsofinfo
Jul 06 2016 17:05
looking here spring-cloud/spring-cloud-netflix#176
yes so reading here: http://cloud.spring.io/spring-cloud-static/spring-cloud.html#_spring_cloud_netflix .. so I would statically hardwire on the eureka's server config, info about a service registering? rather than let the service registering itself dictate the ssl/port info?
Dave Syer
@dsyer
Jul 06 2016 17:08
Yeah. I remember that.
bitsofinfo
@bitsofinfo
Jul 06 2016 17:08
doesn't that defeat the whole purpose of self/registration and discovery?
Dave Syer
@dsyer
Jul 06 2016 17:09
How's that? When you register you have to know your own address at least.
I agree it's stupid and inconsistent that https gets treated differently.
That's behaviour we inherited from Netflix. I guess if anyone feels strongly about it we can change it.
bitsofinfo
@bitsofinfo
Jul 06 2016 17:14
still trying to get this working before I give an opinion :) So I guess I'm unclear reading this. Does this go on the eureka client end (app registering themselves) or eureka server end? eureka.instance.[nonSecurePortEnabled,securePortEnabled]=[false,true]
Dave Syer
@dsyer
Jul 06 2016 17:15
The instance is the client
Short for "Service instance"
bitsofinfo
@bitsofinfo
Jul 06 2016 17:21
Ok got it thanks, so on my instance side, i added -Peureka.instance.securePortEnabled=true -Peureka.instance.nonSecurePortEnabled=false -Peureka.instance.securePort=8888 and now eureka/apps displays what I would expect. Ok this is not as bad as I was worrying it was. I was thinking I had to "pre-list" certain clients in the eureka SERVER's app.yml (which is why I was saying that would defeat the purpose). The double listing of the port (server.port AND securePort) is a little annoying.... but I can live with that with everything else this project is doing for us, thanks guys
Dave Syer
@dsyer
Jul 06 2016 17:26
You can use a placeholder to refer to the other property
(No need for duplication)
bitsofinfo
@bitsofinfo
Jul 06 2016 17:26
like eureka.instance.securePort: ${server.port} i assume
Dave Syer
@dsyer
Jul 06 2016 17:26
Indeed
Marcos Barbero
@marcosbarbero
Jul 06 2016 18:09
Hi guys, I’m trying to build spring-cloud-dataflow from source but it’s failing. I’ve tried it from master branch and v1.0.0.RC1 tag, both of them keep failing on:
[INFO] spring-cloud-dataflow-server-core .................. FAILURE [ 24.067 s]
Any advice?
Dave Syer
@dsyer
Jul 06 2016 18:13
Not a lot to go on there
Marcos Barbero
@marcosbarbero
Jul 06 2016 18:17
Just found out the issue (I think at least)
yeah… confirmed
There’s a need of a redis-server running in localhost to complete the build, maybe it will be necessary to add an embedded redis for test phase.
Dave Syer
@dsyer
Jul 06 2016 18:20
Embedded redis is just running the native binaries.
I'm sure it's in the build instructions
Marcos Barbero
@marcosbarbero
Jul 06 2016 18:34
you’re right I missed the detailed building instructions
JonathanAaron
@JonathanAaron
Jul 06 2016 18:43
What dependency do I need for my client to have the refresh endpoint?
Dave Syer
@dsyer
Jul 06 2016 18:55
spring-cloud-context and spring-boot-actuator
JonathanAaron
@JonathanAaron
Jul 06 2016 18:58
You're awesome man! Thanks!
Dave Syer
@dsyer
Jul 06 2016 19:32
plus spring-cloud-bus if you want to send the message to other instances of the same service
JonathanAaron
@JonathanAaron
Jul 06 2016 19:36
I'm actually looking into that right now.
JonathanAaron
@JonathanAaron
Jul 06 2016 20:12
Does spring cloud bus have the ability to watch a git repo for changes or is best practice for refreshing configs to have github send a post to the bus to refresh changes?
bitsofinfo
@bitsofinfo
Jul 06 2016 20:13
see this section Push Notifications and Spring Cloud Bus at http://cloud.spring.io/spring-cloud-static/spring-cloud.html#_spring_cloud_config_server
Dave Syer
@dsyer
Jul 06 2016 20:14
Look at spring-cloud-config-monitor
Spencer Gibb
@spencergibb
Jul 06 2016 20:44
@bitsofinfo Netflix/eureka#813
bitsofinfo
@bitsofinfo
Jul 06 2016 20:44
very nice, sweet!
someone is on top of it!
Spencer Gibb
@spencergibb
Jul 06 2016 20:45
they’re pretty responsive. Though they just released 1.4.9 so it will have to wait for the next release.
JonathanAaron
@JonathanAaron
Jul 06 2016 20:46
About spring-cloud-config-monitor. Do I have to configure webhooks in git to send a post to my bus?
bitsofinfo
@bitsofinfo
Jul 06 2016 20:46
understood, what I'm building won't be in prod for a while so I can run discovery w/ no ssl for now, or just install legit certs/matching hostnames for now.
Spencer Gibb
@spencergibb
Jul 06 2016 20:47
@JonathanAaron just to send a post no, you can post yourself to /bus/refresh. To have it done when your git repo is updated, yes.
JonathanAaron
@JonathanAaron
Jul 06 2016 20:51
I see. Thanks!