Xmlrpc encryption

Community Support HA / Federation
#1

ONE 5.10, CentOS 8

Hello,

Possible for admins to encrypt xmlrpc endpoints between zone HA nodes?

Set endpoint in command “onezone server-add --name name --rpc httpS://url:<reverse_proxy_port>/rpc2” ?
Will oned be able to communicate with reverse proxy ssl socket?

All I found in regard to this question was encryption between sunstone and oned: https://dev.opennebula.org/issues/5257

Thanks!

#2

Hello!

To clarify my OP, I am looking to secure xmlrpc traffic. I am concerned to see the oneadmin credentials in clear text within HA heartbeat packets.

How do you all secure this traffic? I am thinking of modifying the raft HA hook and the related vip.sh script to pass a second floating IP for a NIC+VLAN specifically for xmlrpc traffic.

#3

Hi Spencer,

Did you try setting up nginx proxy in front of the XML-RPC to provide ssl encryption?

Best Regards,
Anton Todorov

#4

Thank you atodorov!

I had a misconfiguration on when to integrate the reverse proxy.

In case there are any lurkers out there:

  1. ONe uses libcurl to post against the XMLRPC port.
  2. Set up the nginx reverse proxy for ssl termination before this step: http://docs.opennebula.org/5.10/advanced_components/ha/frontend_ha_setup.html#bootstrapping-the-ha-cluster
  3. Add the initial server with “onezone server-add 0 --name server-0 --rpc https://IP:2634/RPC2”
  4. Step through the rest of the HA config and add other nodes similarly ( I found I had to restart opennebula after starting the service on an added node to get it to function).
  5. oned.conf does not use proxy port, keep default xmlrpc ip and port.
  6. sunstone-server.conf will need to use https://cluster_leader_ip:2634/RPC2 EDIT Sunstone on cluster leader threw ssl verification error, changed to localhost.

No env change

My nginx is similar to the link in my op.

I did end up editing oned.conf raft hooks like the following:

RAFT_LEADER_HOOK = [
    COMMAND = "raft/vip.sh",
    ARGUMENTS = "leader eth0 {{ one_a_leader_ip }}/19 eth2 {{ one_b_leader_ip }}/19"
]

And then editing vip.sh to pass in the extra args:

INTERFACE2="$4"
IFADDR2="$5"
IP2="${IFADDR2%%/*}"

Editing vip.sh further to add the extra ip to if (and similar remove to case follower):

case $ACTION in
leader)
    sudo ip address add $IFADDR dev $INTERFACE
    #####################
    #   Add second FIP  #
    #####################
    sudo ip address add $IFADDR2 dev $INTERFACE2
    #####################

This interface addition allows a separation between the webserver and the api for firewall security etc.