Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

no tofu token but not in correct session state - Boundary Desktop 1.5 GUI bug #2741

Closed
RobertSkawinski opened this issue Dec 23, 2022 · 8 comments · Fixed by #2795
Closed

no tofu token but not in correct session state - Boundary Desktop 1.5 GUI bug #2741

RobertSkawinski opened this issue Dec 23, 2022 · 8 comments · Fixed by #2795
Assignees
@irenarindos
Labels
triage

Comments

@RobertSkawinski
Copy link

RobertSkawinski commented Dec 23, 2022
edited
Loading

Hi @irenarindos,
thanks for helping.
I think i was able to find the root cause, it seems to be caused by Boundary-Desktop UI.
When using the boundary.exe binary everything works as expected.

Should we track this bug in a new issue?

Steps to reproduce (working):

  1. Extract boundary-desktop_1.5.0_windows_amd64
  2. open powershell and switch to boundary-desktop_1.5.0_windows_amd64\Boundary\resources\app\cli
  3. get a token .\boundary.exe authenticate password -login-name=user -auth-method-id=ampw_xxx -addr=https://boundary.domain.at/
  4. connect to target .\boundary.exe connect -addr=https://boundary.domain.at -target-id=ttcp_xxx

Steps to reproduce (not working):

  1. Open Boundary-Desktop
  2. Login
  3. Switch to Targets
  4. Click Connect
  5. Enter the connection string (localhost + random port) in your application (for example database management tool) & start the application
  6. Boundary terminates the connection and application get a timeout

Originally posted by @tritonblaster in #2362 (comment)
@gsusmi gsusmi added the triage label Jan 9, 2023
@irenarindos
Copy link
Collaborator

Hi @tritonblaster - I'm trying to recreate this, and was curious, what database are you trying to connect to and what database management tool are you using?

Thanks so much!

@RobertSkawinski
Copy link
Author

@irenarindos - MongoDB
this happens when using Studio 3T or even when doing telnet on localhost port that is created by boundary

@irenarindos irenarindos mentioned this issue Jan 13, 2023
Closed
@irenarindos
Copy link
Collaborator

@RobertSkawinski Thank you! I'm curious, do you see the same error using the mongo CLI to connect, or is it only with a db tool?

@RobertSkawinski
Copy link
Author

@irenarindos I have not tried yet the mongo CLI, but with telnet this error happens as soon as I try to establish the connection.

@irenarindos irenarindos mentioned this issue Jan 19, 2023
Merged
@irenarindos
Copy link
Collaborator

@RobertSkawinski I've got a potential fix up in #2795 - I was wondering if you'd be willing to build Boundary from my PR branch and try to replicate your issue to see if it's resolved? Alternatively if you let me know what platform you need I can send a build to you.

Thanks so much!

@irenarindos irenarindos self-assigned this Jan 19, 2023
@RobertSkawinski
Copy link
Author

RobertSkawinski commented Jan 19, 2023
edited
Loading

@irenarindos
I'm failing to build boundary.
seems like scripts/install-golangci-lint.sh is not compatible with my setup when running make tools
Can you provide me a linux/amd64 docker image?
Or is this only related to the boundary Desktop Client? - In this case the Windows Client binary would be great.

@irenarindos
Copy link
Collaborator

@RobertSkawinski Can you email me at "irena.rindos at the company I work for dot com" so we can coordinate getting you a build? We don't think this is a Desktop client issue.

Thanks so much!

@RobertSkawinski
Copy link
Author

RobertSkawinski commented Jan 26, 2023
edited
Loading

@irenarindos Thanks for joining the call on Monday.
updating the main boundary config fixed the issue, thank you!

For all who face the same issue:
In my setup I run controller and worker in one docker container:

# cat /data/boundary/config.hcl 
disable_mlock = true

controller {
  name = "boundary-controller"
  description = "Controller"
  database {
    url = "env://BOUNDARY_POSTGRES_URL"
    max_open_connections = 5
  }
  #public_cluster_addr = "env://HOSTNAME"
}

worker {
  name = "demo-worker"
  description = "A default worker created for demonstration"
  public_addr = "env://BOUNDARY_PUBLIC_DNS"
  initial_upstreams = ["127.0.0.1"]
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "api"
  tls_disable = true 
  public_addr = "env://BOUNDARY_PUBLIC_DNS"
}

listener "tcp" {
  address = "127.0.0.1"
  purpose = "cluster"
  tls_disable   = true 
}

listener "tcp" {
  address = "0.0.0.0"
  purpose       = "proxy"
  tls_disable   = true 
  public_addr = "env://BOUNDARY_PUBLIC_DNS"
}

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "aead" {
  purpose = "root"
  aead_type = "xxx"
  key = "xxx="
  key_id = "global_root"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "aead" {
  purpose = "worker-auth"
  aead_type = "xxx"
  key = "xxx"
  key_id = "global_worker-auth"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
  purpose = "recovery"
  aead_type = "xxx"
  key = "xxx"
  key_id = "global_recovery"
}

Runnig your provided version also works.
Only a Database-Schema upgrade was necessary.
https://hub.docker.com/r/robertskawinski/boundary-unstable
(https://hub.docker.com/layers/robertskawinski/boundary-unstable/0.11.2.4/images/sha256-46c57b9157976bdd38f6ac25ffd55c23f194cd94c5628ff70f112679466a6674?context=explore)

# docker run --restart always -d --name boundary --network host --cap-add IPC_LOCK -v /data/boundary:/boundary -e'BOUNDARY_POSTGRES_URL=postgresql://xxx:5432/boundary?sslmode=require' -e'BOUNDARY_PUBLIC_DNS=xxx robertskawinski/boundary-unstable:0.11.2.4

# docker logs -f boundary 
Database schema must be updated to use this version. Run 'boundary database migrate' to update the database. NOTE: Boundary does not currently support live migration; Ensure all controllers are shut down before running the migration command.
Database schema must be updated to use this version. Run 'boundary database migrate' to update the database. NOTE: Boundary does not currently support live migration; Ensure all controllers are shut down before running the migration command.
Database schema must be updated to use this version. Run 'boundary database migrate' to update the database. NOTE: Boundary does not currently support live migration; Ensure all controllers are shut down before running the migration command.

# docker stop boundary

# docker rm boundary

# docker run -d --name boundary --network host --cap-add IPC_LOCK -v /data/boundary:/boundary -e'BOUNDARY_POSTGRES_URL=postgresql://xxx:5432/boundary?sslmode=require' -e'BOUNDARY_PUBLIC_DNS=xxx' robertskawinski/boundary-unstable:0.11.2.4 boundary database migrate -config /boundary/config.hcl

# docker logs -f boundary
....
Migrations successfully run.

# docker stop boundary

# docker rm boundary

#docker run --restart always -d --name boundary --network host --cap-add IPC_LOCK -v /data/boundary:/boundary -e'BOUNDARY_POSTGRES_URL=postgresql://xxx:5432/boundary?sslmode=require' -e'BOUNDARY_PUBLIC_DNS=xxx robertskawinski/boundary-unstable:0.11.2.4

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@irenarindos irenarindos

Labels
triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bug(sessions): Fix authorizeSession race conditions in handleProxy hashicorp/boundary
3 participants
@gsusmi @irenarindos @RobertSkawinski