How to set up project with docker and deepstream.io? - docker

https://github.com/PhillippOhlandt/deepstream-turn-based-game-demo
I cloned this repo and am trying to get it up and running but think I am missing a step.
I run npm install inside the folder, and I have also installed docker on my mac. Then I run docker-compose up and it starts up. When I go to localhost nothing happens?
I don't think I fully understand what's going on here...
UPDATE
deepstream_1 | _ _ _
deepstream_1 | __| | ___ ___ _ __ ___| |_ _ __ ___ __ _ _ __ ___ (_) ___
deepstream_1 | / _` |/ _ \/ _ \ '_ \/ __| __| '__/ _ \/ _` | '_ ` _ \ | |/ _ \
deepstream_1 | | (_| | __/ __/ |_) \__ \ |_| | | __/ (_| | | | | | |_| | (_) |
deepstream_1 | \__,_|\___|\___| .__/|___/\__|_| \___|\__,_|_| |_| |_(_)_|\___/
deepstream_1 | |_|
deepstream_1 | ========================= starting ==========================
deepstream_1 | INFO | logger ready
deepstream_1 | INFO | deepstream version: 2.1.2
deepstream_1 | INFO | configuration file loaded from /etc/deepstream/config.yml
deepstream_1 | INFO | library directory set to: /var/lib/deepstream
deepstream_1 | INFO | messageConnector ready
deepstream_1 | INFO | storage ready
deepstream_1 | INFO | cache ready
deepstream_1 | INFO | authenticationHandler ready: file using /etc/deepstream/users.yml
deepstream_1 | INFO | permissionHandler ready: valve permissions loaded from /etc/deepstream/permissions.yml
deepstream_1 | INFO | Listening for health checks on path /health-check
deepstream_1 | CLUSTER_JOIN | jgx4b6kz-1y8u6be9n0744
deepstream_1 | INFO | Listening for websocket connections on 0.0.0.0:6020/deepstream
deepstream_1 | INFO | Deepstream started
deepstream_1 | INCOMING_CONNECTION | from undefined (172.18.0.3)
deepstream_1 | AUTH_ATTEMPT | 172.18.0.3: AREQ{"username":"backend","password":"password"}
deepstream_1 | AUTH_SUCCESSFUL | backend
gameprovider_1 | LOGIN true { username: 'backend', role: 'backend' }
deepstream_1 | S | for P:get-game-types by backend
deepstream_1 | S | for P:create-game by backend
deepstream_1 | S | for P:join-game by backend
deepstream_1 | S | for P:leave-game by backend
deepstream_1 | S | for P:turn by backend

The game demo is working, but the creators should add a few lines of friendly manual. However, don't worry, I'll cover it for you here.
After running docker-compose up open up your browser at http://localhost:8088/
Enter Username: userA Password: password
Create a new game and note the GameID
Open up another browser tab at http://localhost:8088/
Enter Username: userB Password: password
Join the game by previously noted GameID and you can start playing already.
The game supports up to 4 users and in authors' defense, they created a youtube video, but forgot to provide some useful instructions, like what the password is.

Related

Docker Swarm: bypass load balancer and make direct request to specific containers

I have two containers running in a swarm. Each exposes a /stats endpoint which I am trying to scrape.
However, using the swarm port obviously results in the queries being load balanced and therefore the stats are all intermingled:
+--------------------------------------------------+
|                      Server                      |
|   +-------------+              +-------------+   |
|   |             |              |             |   |
|   | Container A |              | Container B |   |
|   |             |              |             |   |
|   +-------------+              +-------------+   |
|              \                    /              |
|               \                  /               |
|                 +--------------+                 |
|                 |              |                 |
|                 | Swarm Router |                 |
|                 |              |                 |
|                 +--------------+                 |
|                         v                        |
+-------------------------|------------------------+
                          |
                       A Stats
                       B Stats
                       A Stats
                       B Stats
                          |
                          v
I want to keep the load balancer for application requests, but also need a direct way to make requests to each container to scrape the stats.
+--------------------------------------------------+
|                      Server                      |
|   +-------------+              +-------------+   |
|   |             |              |             |   |
|   | Container A |              | Container B |   |
|   |             |              |             |   |
|   +-------------+              +-------------+   |
|        |     \                    /      |       |
|        |      \                  /       |       |
|        |        +--------------+         |       |
|        |        |              |         |       |
|        |        | Swarm Router |         |       |
|        v        |              |         v       |
|        |        +--------------+         |       |
|        |                |                |       |
+--------|----------------|----------------|-------+
         |                |                |
      A Stats             |             B Stats
      A Stats      Normal Traffic       B Stats
      A Stats             |             B Stats
         |                |                |
         |                |                |
         v                |                v
A dynamic solution would be ideal, but since I don't intend to do any dynamic scaling something like hardcoded ports for each container would be fine:
::8080 Both containers via load balancer
::8081 Direct access to container A
::8082 Direct access to container B
Can this be done with swarm?
From inside an overlay network you can get the IP addresses of all replicas with a tasks.<service_name> DNS query:
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> -tA tasks.foo_test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19860
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tasks.foo_test. IN A
;; ANSWER SECTION:
tasks.foo_test. 600 IN A 10.0.1.3
tasks.foo_test. 600 IN A 10.0.1.5
tasks.foo_test. 600 IN A 10.0.1.6
This is mentioned in the documentation.
Also, if you use Prometheus to scrape those endpoints for metrics, you can combine the above with dns_sd_configs to set the targets to scrape (here is an article how). This is easy to get running but somewhat limited in features (especially in large environments).
A more advanced way to achieve the same is to use dockerswarm_sd_config (docs, example configuration). This way the list of endpoints will be gathered by querying Docker daemon, along with some useful labels (i.e. node name, service name, custom labels).
While less than ideal, you can introduce a microservice that acts as an intermediary to the other containers that are exposing /stats. This microservice would have to be configured with the individual endpoints and operate in the same network as said endpoints.
This doesn't bypass the load balancer, but instead makes it so it does not matter.
The intermediary could roll-up the information or you could make it more sophisticated by passing a list of opaque identifiers which the caller can then use to individually query the intermediary.
It is slightly "anti-pattern" in the sense that you have a highly coupled "stats" proxy that must be configured to be able to hit each endpoint.
That said, it is good in the sense that you don't have to expose individual containers outside of the proxy. From a security perspective, this may be better because you're not leaking additional information out of your swarm.
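The tasks.<service_name> lookup and the intermediary described in the answers above can be combined as follows. This is an added example, not code from any of the answers: it resolves every replica, queries each /stats endpoint directly, and returns the results under keyed opaque identifiers so overlay addresses never leave the proxy. The function names, the HMAC-based identifier and the fake resolver/fetcher (constructed so the block runs outside a swarm) are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import socket
import urllib.request

# Per-process key: IDs are keyed so a caller cannot recover an overlay IP
# by hashing candidate 10.x addresses. (Design choice of this example.)
_ID_KEY = secrets.token_bytes(16)


def resolve_tasks(service, resolver=socket.getaddrinfo):
    """Return the IPv4 address of every replica behind tasks.<service>."""
    infos = resolver(f"tasks.{service}", None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def opaque_id(ip, key=_ID_KEY):
    """Identifier handed to callers instead of the replica's address."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def http_get(url, timeout=2.0):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def collect_stats(service, port, path="/stats",
                  resolver=socket.getaddrinfo, fetch=http_get):
    """Query each replica directly; a dead replica must not hide the others."""
    results = {}
    for ip in resolve_tasks(service, resolver):
        try:
            entry = {"ok": True, "body": fetch(f"http://{ip}:{port}{path}")}
        except OSError as exc:  # URLError, timeouts, refused connections
            entry = {"ok": False, "error": type(exc).__name__}
        results[opaque_id(ip)] = entry
    return results


# --- constructed stand-ins so the example runs outside a swarm ---
def fake_resolver(host, port, family, socktype):
    ips = ["10.0.1.5", "10.0.1.3", "10.0.1.6"]  # addresses from the dig output
    return [(family, socktype, 6, "", (ip, 0)) for ip in ips]


def fake_fetch(url):
    if "10.0.1.5" in url:
        raise ConnectionRefusedError("replica down")
    return "requests_total 42"


if __name__ == "__main__":
    for rid, entry in collect_stats("foo_test", 8080, resolver=fake_resolver,
                                    fetch=fake_fetch).items():
        print(rid, entry)
```

Inside the swarm, drop the `resolver` and `fetch` arguments and run the proxy on the same overlay network as the service; only the proxy's own port then needs to be published.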
You can try to publish a specific container port on a host machine; add to your services:
ports:
  - target: 8081
    published: 8081
    protocol: tcp
    mode: host

Upgrading from MariaDB 10.2 to MariaDB 10.3 // docker-compose

I did an upgrade on my server for my Docker MariaDB with:
docker-compose pull
docker-compose up -d
My version before:
Server version: 10.2.14-MariaDB-10.2.14+maria~jessie mariadb.org binary distribution
SHOW VARIABLES LIKE "%version%";
+-------------------------+--------------------------------------+
| Variable_name | Value |
+-------------------------+--------------------------------------+
| innodb_version | 5.7.21 |
| protocol_version | 10 |
| slave_type_conversions | |
| version | 10.2.14-MariaDB-10.2.14+maria~jessie |
| version_comment | mariadb.org binary distribution |
| version_compile_machine | x86_64 |
| version_compile_os | debian-linux-gnu |
| version_malloc_library | system |
| version_ssl_library | OpenSSL 1.0.1t 3 May 2016 |
| wsrep_patch_version | wsrep_25.23 |
+-------------------------+--------------------------------------+
My version now:
Server version: 10.3.9-MariaDB-1:10.3.9+maria~bionic mariadb.org binary distribution
+---------------------------------+------------------------------------------+
| Variable_name | Value |
+---------------------------------+------------------------------------------+
| innodb_version | 10.3.9 |
| protocol_version | 10 |
| slave_type_conversions | |
| system_versioning_alter_history | ERROR |
| system_versioning_asof | DEFAULT |
| version | 10.3.9-MariaDB-1:10.3.9+maria~bionic |
| version_comment | mariadb.org binary distribution |
| version_compile_machine | x86_64 |
| version_compile_os | debian-linux-gnu |
| version_malloc_library | system |
| version_source_revision | ca26f91bcaa21933147974c823852a2e1c2e2bd7 |
| version_ssl_library | OpenSSL 1.1.0g 2 Nov 2017 |
| wsrep_patch_version | wsrep_25.23 |
+---------------------------------+------------------------------------------+
So it seems it was an upgrade from 10.2 to 10.3.
Upgrading from MariaDB 10.2 to MariaDB 10.3
Now I get the following error in "docker-compose logs"
2018-09-28 13:03:38 0 [Warning] InnoDB: Table mysql/innodb_table_stats has length mismatch in the column name table_name. Please run mysql_upgrade
2018-09-28 13:03:38 0 [Warning] InnoDB: Table mysql/innodb_index_stats has length mismatch in the column name table_name. Please run mysql_upgrade
The database is working as expected. What to do to get rid of this error?
While I was writing the question I was able to fix it myself. If you are also facing this problem:
connect to the docker database container:
docker exec -u 0 -i -t CONTAINER_NAME /bin/bash
run mysql_upgrade like written in the error message:
mysql_upgrade --user=root --password=xxyy --host=localhost
I did a restart of the docker compose with:
docker-compose stop
docker-compose start

Forward SSH connections based on user name

I found numerous sites explaining ssh port forwarding, ssh reverse proxy, ssh multiplexing etc. involving sshpiper, sslh, running a ssh socks server, just configuring the local SSH server and so on,
so I'm quite puzzled right now and might ask a very common and/or simple question:
As you might already guess from the title I want to set up a git server (GitLab) inside a docker container listening for SSH connections on port 22 without having to use a different port for default ssh operations (terminal, scp, etc..) on the host (as suggested here)
I.e.
ssh alice@myserver.org should still be possible as well as
git clone git@myserver.com:path/to/project
and I don't want to do any setup on the client computer
If you prefer a picture:
                                    +------ myserver.org --------+
                                    |  +----+     +- typical -+  |
+--------+ alice@myserver.org:22    |  |    |     |    SSH    |  |
| client | ----------------------> -+--+----+---->|  service  |  |
+--------+ all names but `git`      |  | ?  |     +-----------+  |
                                    |  |    |                    |
                                    |  | ?  |     +- docker --+  |
+--------+ git@myserver.org:22      |  |    |     |   with    |  |
| client | ----------------------> -+--+----+---->|  GitLab   |  |
+--------+ only user `git`          |  |    |     |           |  |
                                    |  +----+     +-----------+  |
                                    +----------------------------+
Can you tell me what's the recommended/most common way to do this? This question sounds promising but the answer seems to configure the client (which I want to avoid)
This project may help you.
https://github.com/tg123/sshpiper.
SSH Piper works as a proxy-like ware and routes connections by username, source IP, etc.
+---------+                      +------------------+          +-----------------+
|         |                      |                  |          |                 |
|   Bob   +----ssh -l bob----+   |   SSH Piper   +------------->  Bob' machine   |
|         |                  |   |               |  |          |                 |
+---------+                  |   |               |  |          +-----------------+
                             +---> pipe-by-name--+  |
+---------+                  |   |               |  |          +-----------------+
|         |                  |   |               |  |          |                 |
|  Alice  +----ssh -l alice--+   |               +-------------> Alice' machine  |
|         |                      |                  |          |                 |
+---------+                      +------------------+          +-----------------+
Downstream                            SSH Piper                     Upstream
First of all, thanks for reading TheDockerExperts blog, hope our articles help you! Let me explain how we do SSH proxy in our company.
We have HAProxy that listens on TCP port 22 and sends traffic to the GitLab server; on the host we have a custom SSH port. Unfortunately, as we use TCP balancing in this case, there is no way to create a balancer based on domain names and users. You can take a small VPS, spin up HAProxy on it and use it to balance your Git traffic.
Hope this will help you!

Dreamfactory - Service user is deactivated

While meddling with an experimental Dreamfactory 2.1 installation, the user service was accidentally disabled through the admin console. The message when trying to log in is
Service user is deactivated
How to get around this problem? Is there a configuration file or something that I need to edit to get this back on? After a bit of probing I saw this in the table called "service" in MySQL db(bitnami_dreamfactory).
+-------------------------+-----------+
| name | is_active |
+-------------------------+-----------+
| system | 1 |
| api_docs | 1 |
| files | 0 |
| db | 0 |
| email | 0 |
| user | 0 |
| mysql | 0 |
| mongodb | 1 |
| scr-insert | 1 |
| testdb | 1 |
| test-mlabs | 1 |
+-------------------------+-----------+
Can I just go ahead and issue an update statement to set 0 to 1, for 'user' service?
Thanks,
M&M
Yes, and then clear the application cache using 'php artisan cache:clear'.

Single page application losing authentication token cookie

Apologies in advance for the wall of text below, but I wanted to be sure to include anything in the log that might be useful....
I have an ASP.Net MVC application whose primary interface is a single-page application using SignalR. We are having occasional problems with things suddenly "not working" for users--the underlying reason is that they are no longer authenticated. I have an MVC request every minute to keep the session alive, and SignalR also has its own keep-alive every 5 minutes. It doesn't seem to be related to a specific time interval, because most of the time, users have the application open all day without problems. I have included an annotated sample of the IIS log on the web server below. The authentication token and session values have been shortened for readability. Notice that the authentication token is renewed several times without any problem. Then, all of a sudden, the browser no longer sends the authentication token.
+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+
| date | time | cs-method | cs-uri-stem | cs-username | cs(Cookie) | sc-status | comment |
+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+
| 2015-11-04 | 10:54:30 | GET | / | - | - | 302 | user requesting page for the first time; redirect to login page |
| 2015-11-04 | 10:54:30 | GET | /Account/Login | - | - | 200 | login page GET |
| 2015-11-04 | 10:54:46 | POST | /Account/Login | - | | 302 | login page POST; authenticate and redirect to content page |
| 2015-11-04 | 10:54:46 | GET | / | user123 | .VWRID=AAAA | 302 | content page GET; user is logged in |
| 2015-11-04 | 10:54:46 | GET | /Account/SelectConfiguration | user123 | .VWRID=AAAA | 200 | user doing stuff; no problem |
| 2015-11-04 | … | … | … | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | user doing stuff; no problem |
| 2015-11-04 | 10:54:50 | GET | /signalr/negotiate | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | SignalR connection |
| 2015-11-04 | 10:54:50 | GET | /signalr/start | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 10:54:50 | POST | /signalr/send | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 10:55:50 | POST | /Home/CheckVersion | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | keepalive for ASP.Net session; once/min |
| 2015-11-04 | … | … | … | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | user doing stuff; no problem |
| 2015-11-04 | 10:59:50 | GET | /signalr/ping | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | SignalR keepalive; once/5 min |
| 2015-11-04 | 11:00:50 | … | … | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:08:50 | POST | /Home/CheckVersion | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:09:50 | POST | /Home/CheckVersion | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | renewed ASP.net token sent to client (?) |
| 2015-11-04 | 11:09:50 | GET | /signalr/ping | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | new ASP.net token sent to server |
| 2015-11-04 | 11:10:50 | POST | /Home/CheckVersion | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:11:50 | POST | /Home/CheckVersion | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | … | … | … | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | user doing stuff; no problem |
| 2015-11-04 | 11:24:32 | POST | /signalr/send | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:24:50 | POST | /Home/CheckVersion | user123 | .VWRID=BBBB;+ASP.NET_SessionId=ses1 | 200 | renewed ASP.net token sent to client (?) |
| 2015-11-04 | 11:24:50 | GET | /signalr/ping | user123 | .VWRID=CCCC;+ASP.NET_SessionId=ses1 | 200 | new ASP.net token sent to server |
| 2015-11-04 | 11:25:50 | POST | /Home/CheckVersion | user123 | .VWRID=CCCC;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | … | … | … | user123 | .VWRID=CCCC;+ASP.NET_SessionId=ses1 | 200 | user doing stuff; no problem |
| 2015-11-04 | … | … | … | user123 | .VWRID=CCCC;+ASP.NET_SessionId=ses1 | 200 | same pattern continues, until… |
| 2015-11-04 | 11:58:50 | POST | /Home/CheckVersion | user123 | .VWRID=EEEE;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:59:50 | POST | /Home/CheckVersion | user123 | .VWRID=EEEE;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 11:59:50 | GET | /signalr/ping | user123 | .VWRID=EEEE;+ASP.NET_SessionId=ses1 | 200 | |
| 2015-11-04 | 12:00:50 | POST | /Home/CheckVersion | - | - | 302 | NO AUTHENTICATION COOKIE! |
| 2015-11-04 | 12:00:50 | GET | /Account/Login | - | - | 200 | JSON request "redirected" but user never notified |
| 2015-11-04 | 12:01:50 | POST | /Home/CheckVersion | - | | 302 | |
| 2015-11-04 | 12:01:50 | GET | /Account/Login | - | | 200 | |
| 2015-11-04 | … | POST | /Home/CheckVersion | - | | 302 | same pattern… |
| 2015-11-04 | … | GET | /Account/Login | - | | 200 | |
| 2015-11-04 | 12:04:49 | GET | /signalr/ping | - | | 200 | signalr keepalive returns HTTP 200 (?)… |
| 2015-11-04 | 12:05:50 | POST | /Home/CheckVersion | - | | 302 | |
| 2015-11-04 | 12:05:50 | GET | /Account/Login | - | | 200 | |
| 2015-11-04 | … | POST | /Home/CheckVersion | - | | 302 | |
| 2015-11-04 | … | GET | /Account/Login | - | | 200 | |
| 2015-11-04 | 12:16:43 | POST | /signalr/send | - | | 403 | … but signalr requests fail because they need to be authenticated |
| 2015-11-04 | … | POST | /signalr/send | - | | 403 | |
| 2015-11-04 | 12:43:23 | POST | /signalr/abort | - | | 403 | at some point signalr aborts |
| 2015-11-04 | 12:43:23 | GET | /signalr/connect | user123 | .VWRID=AAAA;+ASP.NET_SessionId=ses1 | 200 | and reconnects with the ORIGINAL authentication token (?) |
| 2015-11-04 | 12:43:23 | GET | / | - | | 302 | User realizes there is a problem and refreshed the page, forcing the login process to initiate |
| 2015-11-04 | 12:43:23 | GET | /Account/Login | - | | 200 | |
| 2015-11-04 | 12:43:35 | POST | /Account/Login | - | | 302 | |
| 2015-11-04 | 12:43:35 | GET | / | user123 | .VWRID=FFFF | 302 | and we're good again… |
| 2015-11-04 | 12:43:36 | GET | /Account/SelectConfiguration | user123 | .VWRID=FFFF | 200 | |
| 2015-11-04 | … | … | … | user123 | .VWRID=FFFF;+ASP.NET_SessionId=ses2 | 200 | |
| 2015-11-04 | 15:43:02 | POST | /Home/CheckVersion | user123 | .VWRID=GGGG;+ASP.NET_SessionId=ses2 | 200 | still going strong nearly 2 hours later. |
+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+
The relevant part of the web.config:
<system.web>
  <authentication mode="Forms">
    <forms name=".VWRID" loginUrl="~/Account/Login" timeout="30" slidingExpiration="true" protection="All" requireSSL="true" />
  </authentication>
</system.web>
Does anyone have any ideas what might be going on here and how to resolve?
[UPDATE]
In looking at the logs, this only seems to be impacting users on IE 10. The SignalR transport mechanism being used there is foreverFrame. I am wondering if this is a SignalR bug with that transport. I am going to downgrade those clients to use long polling and see if the problem goes away.
We removed the foreverFrame option for the SignalR transport and the problem went away. Seems to be a bug in SignalR.
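The manual log reading in the question can be automated. The following is an added example, not code from the thread: it walks IIS-style log lines and reports the two events annotated in the table, the first rejected request that arrives without the `.VWRID` forms cookie and any request carrying an older ticket value after newer ones were issued. The seven-field line layout and the sample lines (constructed from rows of the table above) are assumptions of this sketch.

```python
AUTH_COOKIE = ".VWRID"  # forms cookie name from the web.config above

# Constructed sample: date time method uri username cookie status
SAMPLE = """\
2015-11-04 10:54:46 GET / user123 .VWRID=AAAA 302
2015-11-04 10:55:50 POST /Home/CheckVersion user123 .VWRID=AAAA;+ASP.NET_SessionId=ses1 200
2015-11-04 11:09:50 GET /signalr/ping user123 .VWRID=BBBB;+ASP.NET_SessionId=ses1 200
2015-11-04 11:59:50 GET /signalr/ping user123 .VWRID=EEEE;+ASP.NET_SessionId=ses1 200
2015-11-04 12:00:50 POST /Home/CheckVersion - - 302
2015-11-04 12:00:50 GET /Account/Login - - 200
2015-11-04 12:16:43 POST /signalr/send - - 403
2015-11-04 12:43:23 GET /signalr/connect user123 .VWRID=AAAA;+ASP.NET_SessionId=ses1 200
2015-11-04 12:43:35 GET / user123 .VWRID=FFFF 302
"""


def parse_cookies(field):
    """IIS logs cs(Cookie) as name=value pairs joined by ';+', or '-' if absent."""
    if field in ("-", ""):
        return {}
    pairs = (p.split("=", 1) for p in field.split(";+") if "=" in p)
    return {name: value for name, value in pairs}


def analyse(log_text):
    """Return (time, finding, uri) tuples for one user's request stream."""
    findings = []
    seen = []              # ticket values in order of first appearance
    authenticated = False
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue       # skip blanks and W3C header directives
        _date, time, _method, uri, _user, cookie, status = line.split()
        ticket = parse_cookies(cookie).get(AUTH_COOKIE)
        if ticket is None:
            # Report only the first rejected request after a good session.
            if authenticated and status in ("302", "401", "403"):
                findings.append((time, "auth_cookie_missing", uri))
                authenticated = False
            continue
        if ticket in seen and ticket != seen[-1]:
            # An older ticket value shows up after it was superseded.
            findings.append((time, "stale_ticket_replayed", uri))
        elif ticket not in seen:
            seen.append(ticket)
        authenticated = True
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(*finding)
```

On a real server, split the log per client before calling `analyse`, since the function assumes a single user's requests in time order.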
