ONE 5.10, CentOS 8
Hello,
Possible for admins to encrypt xmlrpc endpoints between zone HA nodes?
Set endpoint in command “onezone server-add --name name --rpc httpS://url:<reverse_proxy_port>/rpc2” ?
Will oned be able to communicate with reverse proxy ssl socket?
All I found in regard to this question was encryption between sunstone and oned: https://dev.opennebula.org/issues/5257
Thanks!
Hello!
To clarify my OP, I am looking to secure xmlrpc traffic. I am concerned to see the oneadmin credentials in clear text within HA heartbeat packets.
How do you all secure this traffic? I am thinking of modifying the raft HA hook and the related vip.sh script to pass a second floating IP for a NIC+VLAN specifically for xmlrpc traffic.
Hi Spencer,
Did you try setting up nginx proxy in front of the XML-RPC to provide ssl encryption?
Best Regards,
Anton Todorov
Thank you atodorov!
I had a misconfiguration on when to integrate the reverse proxy.
In case there are any lurkers out there:
- ONe uses libcurl to post against the XMLRPC port.
- Set up the nginx reverse proxy for ssl termination before this step: OpenNebula HA Setup — OpenNebula 5.10.5 documentation
- Add the initial server with “onezone server-add 0 --name server-0 --rpc https://IP:2634/RPC2”
- Step through the rest of the HA config and add other nodes similarly (I found I had to restart opennebula after starting the service on an added node to get it to function).
- oned.conf does not use proxy port, keep default xmlrpc ip and port.
- sunstone-server.conf will need to use https://cluster_leader_ip:2634/RPC2. EDIT: Sunstone on the cluster leader threw an ssl verification error; changed to localhost.
No env change
My nginx is similar to the link in my op.
I did end up editing oned.conf raft hooks like the following:
    RAFT_LEADER_HOOK = [
        COMMAND = "raft/vip.sh",
        ARGUMENTS = "leader eth0 {{ one_a_leader_ip }}/19 eth2 {{ one_b_leader_ip }}/19"
    ]
And then editing vip.sh to pass in the extra args:
    INTERFACE2="$4"
    IFADDR2="$5"
    IP2="${IFADDR2%%/*}"
Editing vip.sh further to add the extra ip to if (and similar remove to case follower):
    case $ACTION in
    leader)
        sudo ip address add $IFADDR dev $INTERFACE
        #####################
        # Add second FIP    #
        #####################
        sudo ip address add $IFADDR2 dev $INTERFACE2
        #####################
        ;;
    # follower) case: same commands with "ip address del" (omitted here)
    esac
This interface addition allows a separation between the webserver and the api for firewall security etc.
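To make the concern in the OP concrete and to sanity-check the endpoint given to onezone server-add, here is an added Python example (not from the thread or from the OpenNebula project): it shows that the session string is the first parameter of every XML-RPC call, so it is readable on the wire on the plain 2633 port, and it builds a client that only talks to the TLS-terminated 2634 port with certificate and hostname verification. The IP addresses, CA file path and credentials are constructed placeholders.

```python
"""Verify an OpenNebula XML-RPC endpoint is used only over verified TLS.

Added example; not code from the forum post or from OpenNebula.
Host names, CA path and credentials below are constructed placeholders.
"""
import ssl
import xmlrpc.client
from urllib.parse import urlparse

ONE_RPC_PORT_TLS = 2634    # nginx TLS listener used in the thread
ONE_RPC_PORT_PLAIN = 2633  # oned's default plain XML-RPC port


def marshal_call(session, method, *params):
    """Return the XML-RPC request body exactly as oned would receive it.

    OpenNebula passes the session string ("user:password") as the first
    parameter of every call, so on the plain port it is visible in every
    request, including HA heartbeats.
    """
    return xmlrpc.client.dumps((session, *params), methodname=method)


def endpoint_is_encrypted(url):
    """True only for https URLs pointing at the TLS-terminated RPC2 path."""
    u = urlparse(url)
    return (u.scheme == "https"
            and u.port == ONE_RPC_PORT_TLS
            and u.path.upper() == "/RPC2")


def make_proxy(url, cafile=None):
    """Build a ServerProxy that refuses cleartext and verifies the cert.

    check_hostname=True is what produced the post's 'ssl verification
    error': the certificate's SAN must match the host part of the URL
    (a floating IP or a DNS name), otherwise the call is rejected.
    """
    if not endpoint_is_encrypted(url):
        raise ValueError("refusing cleartext XML-RPC endpoint: %s" % url)
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system CAs
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return xmlrpc.client.ServerProxy(url, context=ctx)


if __name__ == "__main__":
    # Placeholder leader IP and CA; requires a reachable HA node to run.
    proxy = make_proxy("https://10.0.0.10:2634/RPC2", cafile="/etc/one/ca.pem")
    print(proxy.one.system.version("oneadmin:CHANGE_ME"))
```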