GCS5.4.65 and multiple IPs with HTTPS services


Chandin Wilson

Jul 12, 2023, 7:30:46 PM
to dis...@globus.org
Hi all,

I realize this may transition to a support item, but since the documentation implies this should work, I'll start this way:



I've got a data portal system with two IPs (on one interface) -- one for legacy HTTPS and FTP content, the other for GCS5.

Everything is containerized (contained?), and the HTTPS container is only listening on its IP. The GCS5 is inside a Rocky Linux 9.2 container.

I set up the node like so:

podman create -t --name gcs5 --cap-add=SYS_ADMIN --cap-add=SYS_PTRACE --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=AUDIT_WRITE \
--net=bridge -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
.... blah blah blat blah ....

globus-connect-server node setup --data-interface 140.208.31.32 --ip-address 140.208.31.32 \
... etc etc etc ...

and the processes do start, but there's nobody listening on :443. Relevant sections of the GCS self-diagnostic are:

globus-connect-server --version
globus-connect-server, package 5.4.65, cli 1.0.44


== diagnostic: globus-gridftp-server --version ==
globus_connect_gridftp_server: 15.100 (1686146736-86)
== diagnostic: func:get_info_uri() ==
https://f4efe4.8540.data.globus.org/api/info
== diagnostic: func:resolve_nodes() ==
Domain f4efe4.8540.data.globus.org resolves to 140.208.31.32
== diagnostic: func:contact_info_uri() ==
Error accessing GCS Manager at 140.208.31.32: HTTPSConnectionPool(host='140.208.31.32', port=443): Max retries exceeded with url: /api/info (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1575b56e50>: Failed to establish a new connection: [Errno 111] Connection refused'))


If I leave the HTTPS container off, the GCS5 container will start, but the http squats on *:443 which prevents the HTTPS container from starting.

I started tinkering with the (generated) gcs5 apache configs but didn't get anywhere.

Ideas?

thanks,

--Chan

Chan Wilson SAIC for NOAA GFDL Toolsmith
General Specialist, Info Tech RDHPCS Security
chandin...@noaa.gov +1-608-216-5689

Michael Link

Jul 12, 2023, 11:43:31 PM
to Chandin Wilson, dis...@globus.org
Hi Chan,

Apache will listen on all interfaces with the config installed by most
distros. Since the config that GCS controls is limited to its virtual
hosts, it won't try to change that global setting.

To listen on a specific interface, you can find the "Listen 443"
directive (probably in /etc/httpd/conf.d/ssl.conf) and change it to
"Listen ip-address:443".

Mike
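One way to check a config tree for that setting and apply the change Mike describes, as an added example written for this thread (not Globus or Apache code; the ssl.conf fragment below is constructed, and the IP is the one from the first message):

```python
"""Audit Apache 'Listen' directives and pin wildcard ones to one IP address.

Added example for this thread, not Globus or Apache code.  The sample config
fragment below is constructed.  A bare 'Listen 443' (or 'Listen 0.0.0.0:443',
'Listen [::]:443') binds every interface on the host, which is why a second
service on another IP of the same machine could not take its own :443.
"""
import re

# Listen [IP-address:]port [protocol]  -- address may be v4, v6 in [], or a hostname
LISTEN_RE = re.compile(
    r"^(?P<indent>\s*)Listen\s+"
    r"(?P<addr>\[[^\]]+\]:\d+|[^\s:#]+:\d+|\d+)"
    r"(?P<rest>(?:\s+\S+)?\s*(?:#.*)?)$",
    re.IGNORECASE,
)


def _split(addr):
    """'140.208.31.32:443' -> ('140.208.31.32', 443); '443' -> (None, 443)."""
    if ":" in addr:
        host, port = addr.rsplit(":", 1)
        return host, int(port)
    return None, int(addr)


def _binds_all_interfaces(host):
    """No host, 0.0.0.0 or [::] all mean 'every interface'."""
    return host is None or host in ("0.0.0.0", "[::]")


def find_wildcard_listens(config_text):
    """Return (line_number, port) for every Listen that binds all interfaces."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LISTEN_RE.match(line)
        if m:
            host, port = _split(m.group("addr"))
            if _binds_all_interfaces(host):
                findings.append((lineno, port))
    return findings


def pin_listen_to_ip(config_text, ip, port=443):
    """Rewrite wildcard Listen lines for `port` to 'Listen <ip>:<port>', keeping
    indentation and any trailing protocol argument or comment (RHEL ships
    'Listen 443 https').  Lines that already name an address, or that use
    another port, are left untouched."""
    out = []
    for line in config_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            host, found_port = _split(m.group("addr"))
            if _binds_all_interfaces(host) and found_port == port:
                line = f"{m.group('indent')}Listen {ip}:{port}{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + ("\n" if config_text.endswith("\n") else "")


# Constructed fragment modelled on a distro ssl.conf; not copied from any system.
SAMPLE_SSL_CONF = """\
# constructed fragment
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    print(find_wildcard_listens(SAMPLE_SSL_CONF))            # [(2, 443)]
    print(pin_listen_to_ip(SAMPLE_SSL_CONF, "140.208.31.32"))
```

After writing the rewritten file back and restarting httpd, `ss -ltnp | grep ':443'` should show the socket bound to the specific address rather than `*` or `0.0.0.0`; the GCS virtual hosts are unaffected because, as Mike notes, they never touch the global Listen setting.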

Chandin Wilson

Jul 27, 2023, 2:13:59 PM
to ml...@globus.org, dis...@globus.org
Mike,

Thanks, that did the trick. Along with letting podman control the IP on that interface, that is key.

Now the next item: How to configure a publicly accessible posix storage-gateway, and one not restricted to a specific domain?

If I omit the `--domain` argument, I get an API 422 error: 'The value for allowed_domains is invalid'.

I searched around a tad for an example on docs.globus.org but nothing surfaced...

thanks!

--Chan

Karl Kornel

Jul 27, 2023, 5:53:11 PM
to Chandin Wilson, ml...@globus.org, dis...@globus.org
Hi Chandin,

I think you’ll need a Guest Collection to provide the anonymous HTTPS access that you want.

For example, let’s say each user has a public-facing space mounted at path `/public/$USER`, and user “abc” wanted to share their space with the public.  It would be structured like this:

POSIX Storage Gateway
    Mapped Collection, base path `/public`, default directory `/$USER`
        Guest Collection, base path `/abc`
            Permission, base path `/`, for “public (anonymous)”, read permissions

And the setup process would be this:

  1. You make the POSIX Storage Gateway, and use the `--domain` argument—plus an optional Identity Mapping JSON file—to map Globus Identities (like akko...@stanford.edu) into local users.  You don’t set any path restrictions.
  2. You create the Mapped Collection, with `/public` as the root of the collection, and `/$USER` as the default directory (so, the real default directory resolves to `/public/$USER`).  You allow HTTPS and sharing.
  3. The user logs in to Globus and accesses the mapped collection, and their directory.
  4. The user creates a guest collection, based off of their directory within the mapped collection.  They provide read access to the world.
  5. The world is now able to get to files via the guest collection.

Each of those layers is doing a different translation:

• The Guest Collection lets anonymous users act as a particular Globus user.
• The Mapped Collection lets a Globus user act as a particular local user.
• The POSIX Gateway provides access to POSIX storage (as opposed to cloud storage, etc.).

So, have an explore with that, and see if it works!

~ Karl
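The three translations above, traced in code as an added example written for this thread (not Globus software; the classes, the `build_example` structure and the identity `abc@example.edu` are constructions of this example). It follows an anonymous request from the Guest Collection down to a local user and POSIX path, and shows where each layer can refuse it:

```python
"""Toy model of the layering in the reply above.

Added example, not Globus code: the classes, names and the identity
'abc@example.edu' are this example's own constructions.  It traces an
anonymous HTTPS request through the three layers
(Guest Collection -> Mapped Collection -> POSIX Storage Gateway) and shows
where each layer can refuse it and how client paths stay confined.
"""
from dataclasses import dataclass, field
from posixpath import join, normpath

PUBLIC = "public (anonymous)"   # principal a guest-collection permission may name


def _confine(path):
    """Normalise a client-supplied path so '..' cannot climb above '/'."""
    return normpath("/" + path.lstrip("/"))


def _under(path, root):
    """True if normalised `path` is `root` or lies beneath it."""
    return root == "/" or path == root or path.startswith(root.rstrip("/") + "/")


@dataclass
class PosixStorageGateway:
    """Layer 3: Globus identity -> local POSIX user (the --domain / identity-mapping step)."""
    identity_map: dict

    def local_user(self, globus_identity):
        if globus_identity not in self.identity_map:
            raise PermissionError(f"no local user mapped for {globus_identity}")
        return self.identity_map[globus_identity]


@dataclass
class MappedCollection:
    """Layer 2: authenticated Globus user -> local user, confined under base_path."""
    gateway: PosixStorageGateway
    base_path: str                 # "/public" in the reply
    default_directory: str         # "/$USER" in the reply
    https_enabled: bool = True
    sharing_allowed: bool = True   # whether guest collections may be created

    def resolve(self, globus_identity, collection_path):
        """Return (local_user, absolute POSIX path) for a collection-relative path."""
        user = self.gateway.local_user(globus_identity)
        rel = _confine(collection_path)
        return user, normpath(join(self.base_path, rel.lstrip("/")))

    def default_directory_for(self, globus_identity):
        """'/$USER' becomes '/public/<local user>' for this identity."""
        user = self.gateway.local_user(globus_identity)
        return self.resolve(globus_identity, self.default_directory.replace("$USER", user))[1]


@dataclass
class GuestCollection:
    """Layer 1: anonymous (or other) principal -> acts as `owner`, confined under base_path."""
    mapped: MappedCollection
    owner: str                     # Globus identity the guest collection acts as
    base_path: str                 # relative to the mapped collection, "/abc" in the reply
    permissions: list = field(default_factory=list)   # (principal, path, perms) triples

    def access(self, principal, path, want="r"):
        """Translate a request down through all three layers or raise PermissionError."""
        if not self.mapped.sharing_allowed:
            raise PermissionError("mapped collection does not allow guest collections")
        rel = _confine(path)
        granted = any(
            p == principal and _under(rel, _confine(p_path)) and want in perms
            for p, p_path, perms in self.permissions
        )
        if not granted:
            raise PermissionError(f"{principal}: no '{want}' permission on {rel}")
        # the anonymous caller now acts as the owner, but only inside base_path
        mapped_rel = join(self.base_path, rel.lstrip("/"))
        return self.mapped.resolve(self.owner, mapped_rel)


def is_allowed(guest, principal, path, want="r"):
    """Boolean view of GuestCollection.access for checks and tests."""
    try:
        guest.access(principal, path, want)
        return True
    except PermissionError:
        return False


def build_example():
    """The structure from the reply: /public mapped collection, user abc shares /abc read-only."""
    gateway = PosixStorageGateway(identity_map={"abc@example.edu": "abc"})  # constructed identity
    mapped = MappedCollection(gateway, base_path="/public", default_directory="/$USER")
    return GuestCollection(mapped, owner="abc@example.edu", base_path="/abc",
                           permissions=[(PUBLIC, "/", "r")])


if __name__ == "__main__":
    guest = build_example()
    print(guest.mapped.default_directory_for("abc@example.edu"))      # /public/abc
    print(guest.access(PUBLIC, "data/2023/model.nc"))                  # ('abc', '/public/abc/data/2023/model.nc')
    print(guest.access(PUBLIC, "/../../etc/passwd"))                   # ('abc', '/public/abc/etc/passwd')
    print(is_allowed(guest, PUBLIC, "data/2023/model.nc", want="w"))   # False: read-only share
```

Two things a practitioner would want to see come out of the run: a write is refused at the guest layer because the only permission grants read, and a path containing `..` is normalised before any join, so it cannot leave `/public/abc`. The real checks are done by GCS itself; the model only makes the order of the three layers, and the point at which anonymous access is granted, visible.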

Chandin Wilson

Jul 27, 2023, 6:23:31 PM
to akko...@stanford.edu, ml...@globus.org, dis...@globus.org
Karl,

> Each of those layers is doing a different translation:
>
> • The Guest Collection lets anonymous users act as a particular Globus user.
> • The Mapped Collection lets a Globus user act as a particular local user.
> • The POSIX Gateway provides access to POSIX storage (as opposed to cloud storage, etc.).

thanks for this summarization! I'd been chasing so many other items (podman, systemd, ip aliases) I'd forgotten about the Guest Collection being the layer at which anonymous / public access is granted.

I'll set a Guest Collection up and that should do the trick.

cheers,