Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Making SSH Nodes work both on Linux and Windows based systems #25291

Draft
wants to merge 19 commits into
base: master
Choose a base branch
from
Draft

Making SSH Nodes work both on Linux and Windows based systems #25291

wants to merge 19 commits into from
+3,480 −2,841

Conversation

dmatej
Copy link
Contributor

@dmatej dmatej commented Dec 17, 2024
edited
Loading

Please try to review "per commit" - it is a lot of changes, tested on Kubuntu host and Windows Server 2025 in VirtualBox. I know it works, however I could make some mistakes.

When I implemented these tests I had to face quite a lot of issues even on Linux. When I finish, I will write some blog about it, it is another painful episode. However I have to make notes and it will be useful also for users and reviewers.

Automated test

  • Expects you can use local docker service on Linux.

Manual test

  • The private key doesn't have any passphrase
  • Test uses Temurin docker images as a base.
  • You have Windows Server 2025 installed into VirtualBox machine, reachable using network and configured to provide the SSH Server with SFTP support.
  • Later, tired of repeating actions, I created two scripts.

Windows Server 2025 Configuration

I hope I did not skip something, but I tried to collect command line executions done to prepare everything. It is a bit longer, so I will add that to discussions, see #25343

DAS Script

#!/bin/bash
set -x

VERSION="$1"
./glassfish7/bin/asadmin stop-domain
rm -rf ./glassfish7

set -e
mvn org.apache.maven.plugins:maven-dependency-plugin:3.1.2:get -Dartifact=org.glassfish.main.distributions:glassfish:${VERSION}:zip -Dtransitive=false
cp ${HOME}/.m2/repository/org/glassfish/main/distributions/glassfish/${VERSION}/glassfish-${VERSION}.zip ./
unzip glassfish-${VERSION}.zip
#cp ./asenv.conf ./glassfish7/glassfish/config/asenv.conf
export AS_JAVA=/usr/lib/jvm/jdk17
./glassfish7/bin/asadmin start-domain --debug
tail -n 10000 -F ./glassfish7/glassfish/domains/domain1/logs/server.log

Test Script

#!/bin/bash

set -v
set -e

#/app/appservers/glassfish7/bin/asadmin start-domain

/app/appservers/glassfish7/bin/asadmin change-admin-password
/app/appservers/glassfish7/bin/asadmin enable-secure-admin
/app/appservers/glassfish7/bin/asadmin restart-domain

export AS_ADMIN_PASSWORDFILE=/app/appservers/passwordfile.txt
/app/appservers/glassfish7/bin/asadmin create-node-ssh --nodehost 192.168.56.101 --installdir '/Users/vboxuser/glassfish7' --sshuser vboxuser --sshkeyfile /home/dmatej/.ssh/id_rsa_nopassphrase --install true win2025
/app/appservers/glassfish7/bin/asadmin create-cluster ClusterOne
/app/appservers/glassfish7/bin/asadmin create-instance --cluster ClusterOne --node win2025 InstanceWin2025
/app/appservers/glassfish7/bin/asadmin create-instance --cluster ClusterOne --node localhost-domain1 InstanceLin2025
#/app/appservers/glassfish7/bin/asadmin start-cluster ClusterOne

/app/appservers/glassfish7/bin/asadmin start-instance InstanceWin2025
/app/appservers/glassfish7/bin/asadmin list-instances

The passwordfile.txt contains just this:

AS_ADMIN_PASSWORD=admin123

Execution

You need three console windows:
Window 1: cd glassfish project, clone from github, and build and run automated tests:

mvn clean install -Pfastest -T4C && mvn clean install -pl :ssh-cluster-tests

Window 2, start DAS and print the server.log:

./run-jdk17-gf7.sh 7.0.22-SNAPSHOT

Window 3, execute the test scenario. It will ask three times for password, which is admin123

./run.sh

Node side: Environment

  • jar is not on PATH everywhere
    • however unzip might be already there - fix: add some autodetection code.

Node side: SSHD Configuration

  • SFTP has to be explicitly enabled on some systems
  • public key authentication can be disabled. Same applies to other types.
  • User interaction can be forbidden.
  • Port can be blocked by firewall or antivirus, etc.
  • Port can be different.
  • ...

DAS side: Environment

  • When using scripts, no TTY might be available. Scripts can fail or wait for user input forever.
    • Always set timeout when such risk exists
    • For ssh command is useful sshpass command. Test uses it, however GlassFish uses Jsch library instead.

DAS side: SSH Command Configuration

  • Applies to the test and user experiments, not to GlassFish
  • Empty passphrase - be careful, when you set it via execInContainer: "''" means apostrophes, not empty passphrase.
  • User interaction can be forbidden just like on the server (sshd)
  • StrictHostKeyChecking=accept-new should not be used on production; however would be useful if we would not enforce user to run the ssh command on his own and manually accept the server's key. That is TODO for another PR, however I replaced all none values by accept-new, because it is still better than not doing any validation. User can do the validation manually first, than DAS does not override it.

DAS side: JSCH SSH Implementation

  • "raw" and "resolved" password and passphrase. I doubt the implementation is correct.
  • logging
    • race condition - fix: use Jsch logger name.
    • impossible to guess which logger level I should set, overengineered antipattern of "set logger for Jsch once for asadmin, then for kernel, then for cluster, then just jsch, ..." - then you set 4 logger levels and it still doesn't print anything. The fix: always use Jsch logger name.

@dmatej dmatej self-assigned this Dec 17, 2024
@dmatej dmatej added bug Something isn't working build and test improvement labels Dec 17, 2024
@dmatej dmatej added this to the 7.0.21 milestone Dec 17, 2024
@dmatej dmatej changed the title Making SSH Nodes working reliably both on Linux and Windows based systems Making SSH Nodes work both on Linux and Windows based systems Dec 17, 2024
@arjantijms arjantijms requested a review from pzygielo December 24, 2024 13:01
@arjantijms arjantijms modified the milestones: 7.0.21, 7.0.22 Jan 3, 2025
@dmatej
Copy link
Contributor Author

dmatej commented Jan 3, 2025

Local status: Large refactoring targeting File vs Path vs String vs SFTP vs Unix vs Windows. Local manual testing of DAS on Kubuntu and Node on Windows Server 2025 - was able to "replicate" glassfish installation, unpack, create node and instance. Instance did not start yet as I did not install Java to Windows yet :-)

TODO

  • Proper session management (AutoCloseable, separate session and SSHLauncher)
  • Data object with some autodetection of Node's operating system and features
  • SFTP rmdir does not work on windows
  • Documentation, example, ...

OndroMih
OndroMih reviewed Jan 3, 2025
View reviewed changes
Jenkinsfile Outdated Show resolved Hide resolved
@dmatej dmatej force-pushed the windows-ssh branch 2 times, most recently from d30a997 to e88181e Compare January 17, 2025 20:07
@dmatej
Copy link
Contributor Author

dmatej commented Jan 17, 2025

TODO:

  • Broken encoding in SSH stdout (hardcoded UTF8 vs Windows-1250)
  • Missing autodeploy/bundles (I am often removing those empty directories with .empty file inside, this time it seems Felix cannot autocreate it)
  • restart-domain now does not replace WALL_CLOCK_START system property, then GF computes incorrect startup time including CLI (now rather "time since CLI started this process"; on restart-domain the server restarts itself after it was asked to do so by restart-domain).
  • SSH adapter should throw the new SSHException, which would always collect exec output. We are losing remote logs sometimes, details about errors. I have fixed it here and there where I needed it, but this should be systematic.

@dmatej dmatej force-pushed the windows-ssh branch 3 times, most recently from dbcb8eb to 1dc88a3 Compare January 20, 2025 20:56
dmatej added 9 commits January 22, 2025 15:18
@dmatej
Fixed artifactId of ant based ejb tests - was duplicit
3140b2c 
Signed-off-by: David Matějček <[email protected]>
@dmatej
Implemented test for SSH nodes on Linux-based system
93409dd 
Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed unavailable jar command
c610d3b 
- prefer unzip, if not detected, use jar

Signed-off-by: David Matějček <[email protected]>
@dmatej
Created linux workflow
525deb4 
- Because Eclipse Jenkins CI does not support TestContainers while GitHub
  Actions do.
- Synced Ubuntu and Windows workflow

Signed-off-by: David Matějček <[email protected]>
@dmatej
The gosh.args options definitively consolidated
12c3fb1 
- The server-config used "nointeractive", while default used
  "--noshutdown -c noop=true" options

Signed-off-by: David Matějček <[email protected]>
@dmatej
Added important note about the SFTP nodes.
b8b1f3c 
- SFTP uses "linux-like" paths, while Windows uses different separators and
  all systems may use also different root for SFTP.

Signed-off-by: David Matějček <[email protected]>
@dmatej
Updated SshClusterITest based on my new knowledge
2ec77a1 
- Added PATH and JAVA_HOME to user environment
- Disabled AS_TRACE
- UsePAM set to yes to enable /etc/environment
- INFO ssh server log level

Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed issue with spaces in native lib path
298ec49 
Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed server start on Windows over SSH
c1c08b2 
- Windows is killing everything started in the session
- The only workaround found after 2 weeks of experiments, googling, consultation
  with GitHub CoPilot is this - to create two scripts executed by the Windows
  Scheduler just once.
- Added also nohup for Linux nodes.

Signed-off-by: David Matějček <[email protected]>
dmatej added 9 commits January 22, 2025 15:19
@dmatej
Added loggers for JCraft SSH and cluster packages
71fc225 
Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed selection of the DAS hostname used by the SSH Node.
4f70ccb 
- DAS host can have multiple network endpoints but not all accessible from
  the node host. Once we are able to establish the connection, we can also
  use the socket's local address as the host.
- Note: This can be much more complicated, this is rather a quick fix or
  simple workaround. Proper solution is to have the DAS host used by the node
  configurable.

Signed-off-by: David Matějček <[email protected]>
@dmatej
Reimplemented the SSH communication to be less dependent on operating…
041ae87 
… system

- SSHLauncher is stateless and NOT injectable; collects information about
  the target system.
- new SSHSession - wraps the jsch session
- SFTPClient - responsible for file system changes
- chmod is not supported on windows
- all stateful objects are closeable -> no need to keep them in SSHUtil

Signed-off-by: David Matějček <[email protected]>
@dmatej
Added workaround for networks with partial DNS
3e9bab4 
- If the host name is not good enough, we will prefer chosen IPv4 address.
- Would be better to let it on the user which hostname or IP should represent
  the node and DAS, however that goes over this pull request.

Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed version number of the new module after rebase
a5ca9c4 
Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed restart-domain on Windows
4fca959 
- The gfstart.bat must be there from the last start, so we don't need
  to generate the command again.
- Permissions to use the scheduler depend on the windows session type.
- Killing of started programs also depends on the windows session type
- Closing streams doesn't resolve issues, it seems it causes some.

- I have doubts about all solutions related to Windows OS, so I tried to
  minimize it as much as possible. Also I tried to learn as much as possible.

Signed-off-by: David Matějček <[email protected]>
@dmatej
Another try to fix starts on Windows
b6cf8c0 
- Tested via SSH and locally
- Tested on domains and instances
- Very probably can be simplified later, especially problematic is hard coded
  timeout in the generated ps1 script.

Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed restart-domain
d2464f1 
- The bat script reads from a temp file given

Signed-off-by: David Matějček <[email protected]>
@dmatej
Fixed inability to remove generated executables on Windows
a047d32 
- We don't need to wait for the end of the server in startup scripts.

Signed-off-by: David Matějček <[email protected]>
@dmatej dmatej marked this pull request as ready for review January 23, 2025 19:14
@dmatej dmatej marked this pull request as draft January 24, 2025 21:14
@dmatej
Copy link
Contributor Author

dmatej commented Jan 24, 2025

Yet one bug detected (I created it): NIO Path uses '' as a separator, not '/', so it fails to use SFTP protocol now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OndroMih OndroMih OndroMih left review comments

@pzygielo pzygielo Awaiting requested review from pzygielo

At least 1 approving review is required to merge this pull request.

Assignees

@dmatej dmatej

Labels
bug Something isn't working build and test improvement
Projects
None yet
Milestone
7.0.22
Development

Successfully merging this pull request may close these issues.
4 participants
@dmatej @OndroMih @pzygielo @arjantijms