OpenWRT mosquitto_pub version appears to not support TLS but my MQTT broker requires TLS - mosquitto

I solved my problem, please see the end of this question for my solution.
I am a Mosquitto/MQTT noob, so my apologies for all that follows.
I installed Mosquitto on e.g. Ubuntu and everything works; I can do this to my heart's content:
mosquitto_pub \
--host mqtt.googleapis.com \
--port 8883 \
--id ${LONG_REGISTRY}/devices/${DEVICE} \
--username unused \
--pw ${PASSWORD} \
--cafile /roots.pem \
--tls-version tlsv1.2 \
--protocol-version mqttv311 \
--debug \
--qos 1 \
--topic /devices/${DEVICE}/events \
--message "$(date --rfc-3339=seconds) Hello Henry!"
I would like to perform the equivalent from an Onion Omega2 device and am using a container running openwrt-x86-generic-rootfs as a development proxy for it (perhaps issue #1)
docker run -i -t openwrt-x86-generic-rootfs /bin/ash
mkdir -p /var/lock
opkg update
opkg install mosquitto mosquitto-client libmosquitto
And I then have mosquitto_pub and mosquitto_sub, but they are different versions from the Ubuntu ones above: flags are of the form -f, and --flag is not supported. The tools do not appear to provide any version information.
I think these versions are outdated, but I do not know whether/how I can update to anything more current than the opkg install above (issue #2).
As in the Unix example, the Google Cloud IoT broker to which I'd like to connect requires TLS (not mutual), but the OpenWRT Mosquitto clients appear not to include options that permit TLS. There is no equivalent to --cafile. Without this, I think I'm blocked (issue #3).
Questions:
Does Mosquitto on the Onion Omega2 device support TLS?
Is the OpenWRT Mosquitto client outdated? Can I upgrade?
Is there a way for me to connect the Onion to Google's MQTT using TLS?
Thanks!!
On the Onion Omega2 device, the Mosquitto installation provides me with a different/current version of the tools which includes a cafile flag, and this worked for me. Curiously, this version of the tools provides help that stipulates e.g. -u, but the tool will accept --username.
So, I'm able to run the following commands on the Omega2 and both work for me:
mosquitto_pub \
--host mqtt.googleapis.com \
--port 8883 \
--id ${LONG_REGISTRY}/devices/${DEVICE} \
--username unused \
--pw ${PASSWORD} \
--cafile /roots.pem \
--tls-version tlsv1.2 \
--protocol-version mqttv311 \
--debug \
--qos 1 \
--topic /devices/${DEVICE}/events \
--message "Hello Henry!"
and:
mosquitto_sub \
--host mqtt.googleapis.com \
--port 8883 \
--id ${LONG_REGISTRY}/devices/${DEVICE} \
--username unused \
--pw ${PASSWORD} \
--cafile /roots.pem \
--tls-version tlsv1.2 \
--protocol-version mqttv311 \
--debug \
--qos 1 \
--topic /devices/${DEVICE}/config
Where:
LONG_REGISTRY=projects/${PROJECT}/locations/${REGION}/registries/${REGISTRY}
And, answering my questions:
The Mosquitto tools installed on the Onion Omega2 support TLS
I (assume) the OpenWRT Mosquitto client is outdated; it's different
Yes, the examples above demo pub'ing and sub'ing using Cloud IoT
I am a Googler not in Cloud IoT and I think I most need Mosquitto help.

Container Listener not working on IP Address from server - Only works on IP from the Docker Network

SUMMARY
I am running a Zabbix Server container, but I am not able to communicate on its listening port, not even locally.
OS / ENVIRONMENT / Used docker-compose files
This is the script I am currently using to run it:
docker run -d --name zabbix-server \
--restart always \
--link zabbix-snmptraper:zabbix-snmptraps --volumes-from zabbix-snmptraper \
-p 192.168.1.248:10052:10051 \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="aro#123" \
-e ZBX_LISTENPORT=10052 \
-e ZBX_HOUSEKEEPINGFREQUENCY=12 \
-e ZBX_LOGSLOWQUERIES=1000 \
-e ZBX_STARTPOLLERSUNREACHABLE=1 \
-e ZBX_STARTPINGERS=5 \
-e ZBX_STARTTRAPPERS=1 \
-e ZBX_STARTDBSYNCERS=3 \
-e ZBX_STARTDISCOVERERS=4 \
-e ZBX_STARTPOLLERS=10 \
-e ZBX_TIMEOUT=30 \
-e ZBX_VALUECACHESIZE=32M \
-e ZBX_CACHESIZE=48M \
-e ZBX_MAXHOUSEKEEPERDELETE=432000 \
-e ZBX_ENABLE_SNMP_TRAPS=true \
-e MYSQL_ROOT_PASSWORD="my_root_pass_of_mysql..." \
-e DB_SERVER_HOST="mysql-server" \
-e DB_SERVER_PORT="3306" \
-v /etc/localtime:/etc/localtime:ro \
-v /mnt/dados/zabbix/external_scripts:/usr/lib/zabbix/externalscripts \
--network=zabbix-net \
zabbix/zabbix-server-mysql:5.4-ubuntu-latest
CONFIGURATION
The code block of commands is being run on a Debian 11.
STEPS TO REPRODUCE
Basically, the container is UP and running.
The passive queries are all working - I can gather data from Zabbix to other Zabbix Agents, SNMP, etc.
The problem happens when I try to do an active query from outside to the Zabbix Server itself... (Active queries.)
My deduction was that the docker container did not create the necessary routes for this, so I must specify something or there is some configuration missing.
EXPECTED RESULTS
When doing a telnet to 10052 on my Zabbix Server, the expected result is an OK Connected.
ACTUAL RESULTS
Locally, on my own Zabbix Server, when I did:
sudo telnet 192.168.1.248 10052
I got telnet: Unable to connect to remote host: Connection refused
The crazy thing is that when doing this on the IP address of the Docker network (I got the IP from docker inspect zabbix-server: "IPAddress": "172.18.0.4"):
sudo telnet 172.18.0.4 10052
Trying 172.18.0.4...
Connected to 172.18.0.4.
It worked. So there is a routing problem with this container.
But most containers, when running, create the rules or at least show in logs or docs how to do it.
But I could not find this anywhere...
Can you please help me?
I am on this for more than two weeks and do not know what to do anymore.
If this is in the wrong section or "flow", please direct me to the correct place to this.
I really appreciate the help.
Edit 1
Here is the output TCPDUMP gave me:
16:28:12.373378 IP 192.168.17.24.55114 > 192.168.1.248.10052: Flags [S], seq 2008667124, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
As you can see, packets are coming through and arriving at the Docker server.
I tried adding the following rule to IPTables to see if it solved it:
sudo iptables -t nat -A PREROUTING -p tcp --dport 10052 -j DNAT --to-destination 172.18.0.4:10052 -m comment --comment "Redirect requests from IP 248 to the container IP"
But it did not work. Or I created this wrongly.
To list the rules I used the command:
sudo iptables -t nat -v -L PREROUTING -n --line-number
It was created all fine.
While you configured Zabbix to listen on port 10052 (-e ZBX_LISTENPORT=10052), you mount the host port 10052 to the containers port 10051 instead (-p 192.168.1.248:10052:10051).
Use -p 192.168.1.248:10052:10052 to make it work.
docker run -d --name zabbix-server \
--restart always \
--link zabbix-snmptraper:zabbix-snmptraps --volumes-from zabbix-snmptraper \
-p 192.168.1.248:10052:10052 \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="aro#123" \
-e ZBX_LISTENPORT=10052 \
-e ZBX_HOUSEKEEPINGFREQUENCY=12 \
-e ZBX_LOGSLOWQUERIES=1000 \
-e ZBX_STARTPOLLERSUNREACHABLE=1 \
-e ZBX_STARTPINGERS=5 \
-e ZBX_STARTTRAPPERS=1 \
-e ZBX_STARTDBSYNCERS=3 \
-e ZBX_STARTDISCOVERERS=4 \
-e ZBX_STARTPOLLERS=10 \
-e ZBX_TIMEOUT=30 \
-e ZBX_VALUECACHESIZE=32M \
-e ZBX_CACHESIZE=48M \
-e ZBX_MAXHOUSEKEEPERDELETE=432000 \
-e ZBX_ENABLE_SNMP_TRAPS=true \
-e MYSQL_ROOT_PASSWORD="my_root_pass_of_mysql..." \
-e DB_SERVER_HOST="mysql-server" \
-e DB_SERVER_PORT="3306" \
-v /etc/localtime:/etc/localtime:ro \
-v /mnt/dados/zabbix/external_scripts:/usr/lib/zabbix/externalscripts \
--network=zabbix-net \
zabbix/zabbix-server-mysql:5.4-ubuntu-latest

NiFi: Why Does My User Have Insufficient Permissions?

I am following the steps in the "Standalone Instance, Two-Way SSL" section of https://hub.docker.com/r/apache/nifi. However, when I visit the NiFi page, my user has insufficient permissions. Below is the process I am using:
Generate self-signed certificates
mkdir conf
docker exec \
-ti toolkit \
/opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh \
standalone \
-n 'nifi1.bluejay.local' \
-C 'CN=admin,OU=NIFI'
docker cp toolkit:/opt/nifi/nifi-current/nifi-cert.pem conf
docker cp toolkit:/opt/nifi/nifi-current/nifi-key.key conf
docker cp toolkit:/opt/nifi/nifi-current/nifi1.bluejay.local conf
docker cp toolkit:/opt/nifi/nifi-current/CN=admin_OU=NIFI.p12 conf
docker cp toolkit:/opt/nifi/nifi-current/CN=admin_OU=NIFI.password conf
docker stop toolkit
Import client certificate to browser
Import the .p12 file into your browser.
Update /etc/hosts
Add "127.0.0.1 nifi1.bluejay.local" to the end of your /etc/hosts file.
Define a NiFi network
docker network create --subnet=10.18.0.0/16 nifi
Run NiFi in a container
docker run -d \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=$(grep keystorePasswd conf/nifi1.bluejay.local/nifi.properties | cut -d'=' -f2) \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=$(grep truststorePasswd conf/nifi1.bluejay.local/nifi.properties | cut -d'=' -f2) \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY="CN=admin,OU=NIFI" \
-e NIFI_WEB_PROXY_CONTEXT_PATH=/nifi \
-e NIFI_WEB_PROXY_HOST=nifi1.bluejay.local \
--hostname nifi1.bluejay.local \
--ip 10.18.0.10 \
--name nifi \
--net nifi \
-p 8443:8443 \
-v $(pwd)/conf/nifi1.bluejay.local:/opt/certs:ro \
-v /data/projects/nifi-shared:/opt/nifi/nifi-current/ls-target \
apache/nifi
Visit Page
When you visit http://localhost:8443/nifi, you'll be asked to select a certificate. Select the certificate (e.g. admin) that you imported.
At this point, I am seeing:
Insufficient Permissions
Unknown user with identity 'CN=admin, OU=NIFI'. Contact the system administrator.
In the examples I am seeing, there is no mention of this issue or how to resolve it.
How are permissions assigned to the Initial Admin Identity?
You are missing a space at the line:
-e INITIAL_ADMIN_IDENTITY="CN=admin,OU=NIFI"
See the error message.

Trouble connecting gcloud to MQTT bridge

I am currently trying to connect a gcloud IoT project to the MQTT bridge to be able to publish telemetry data. I am using Mosquitto and am trying to run the mosquitto_pub command on a VM instance I created on gcloud compute engine. I also created a firewall rule to open port 8883 with priority 0. In full I am submitting the following command (I removed the JWT used and put a placeholder here in the code block):
mosquitto_pub \
--host mqtt.googleapis.com \
--port 8883 \
--id projects/telemetry-268916/locations/us-central1/registries/iotcore-registry-telemetry/devices/esp32 \
--username unused \
--pw "<my-JWT.>" \
--cafile ./roots.pem \
--tls-version tlsv1.2 \
--protocol-version mqttv311 \
--debug \
--qos 1 \
--topic /devices/esp32/events \
--message "Hello MQTT"
When I run this command ^ I get the following error:
Client projects/telemetry-268916/locations/us-central1/registries/iotcore-registry telemetry/devices/esp32 sending CONNECT
Client projects/telemetry-268916/locations/us-central1/registries/iotcore-registry-telemetry/devices/esp32 received CONNACK
Connection Refused: not authorised.
Error: The connection was refused.
I've looked everywhere and can't find a solution to this problem. I am using the root certificate and specifying the CA file, so I don't know what is going on -- HELP!
I suspect it's that your JWT expiry is too far (>=24h) in the future.
Google Cloud IoT's MQTT gateway is documented (the maximum lifetime of a token) to require JWTs to be <=24h.
PROJECT=
REGISTRY=
REGION=
DEVICE=
CLIENT="projects/${PROJECT}/locations/${REGION}/registries/${REGISTRY}/devices/${DEVICE}"
TOPIC="/devices/${DEVICE}/events"
# Using a JWT generator; expiry=24h
PASSWORD=$(\
go-jwt \
--project=${PROJECT} \
--private_key=${KEY} \
--expiry=24h)
docker run \
--interactive --tty \
--volume=${PWD}/roots.pem:/roots.pem \
eclipse-mosquitto:1.6.8 mosquitto_pub \
-h mqtt.googleapis.com -p 8883 \
-i ${CLIENT} \
-u unused -P ${PASSWORD} \
-t ${TOPIC} \
-m "Hello Freddie!" \
--cafile /roots.pem \
--debug \
--qos 1 \
--tls-version tlsv1.2 \
--protocol-version mqttv311
sending CONNECT
received CONNACK (0)
sending PUBLISH (d0, q1, r0, m1, '/devices/.../events', ... (14 bytes))
received PUBACK (Mid: 1, RC:0)
sending DISCONNECT
# Using a JWT generator; expiry=25h
PASSWORD=$(\
go-jwt \
--project=${PROJECT} \
--private_key=${KEY} \
--expiry=25h)
docker run \
--interactive --tty \
--volume=${PWD}/roots.pem:/roots.pem \
eclipse-mosquitto:1.6.8 mosquitto_pub \
-h mqtt.googleapis.com -p 8883 \
-i ${CLIENT} \
-u unused -P ${PASSWORD} \
-t ${TOPIC} \
-m "Hello Freddie!" \
--cafile /roots.pem \
--debug \
--qos 1 \
--tls-version tlsv1.2 \
--protocol-version mqttv311
CONNECT
CONNACK (4)
Connection error: Connection Refused: bad user name or password.
DISCONNECT
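As an added check, not code from this thread, the following Python helper reads a token's iat/exp claims and reports whether its lifetime fits the 24h limit described above, which is the mismatch behind the CONNACK (4) "bad user name or password" refusal. The token builder is a constructed HS256 demo with a throwaway key so the script runs offline; a real Cloud IoT token is RS256/ES256-signed with the device's private key, and the project id "example-project" is made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Cloud IoT Core's documented maximum JWT lifetime (the limit discussed above)
MAX_LIFETIME_SECONDS = 24 * 3600


def _b64url_decode(segment: str) -> str:
    # JWT segments drop base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)).decode()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_demo_jwt(project_id: str, lifetime_seconds: int, issued_at: int) -> str:
    """Constructed token carrying the claims Cloud IoT expects (aud, iat, exp).

    HS256 with a throwaway key is used only so the token is well-formed offline;
    a real device token is RS256/ES256-signed with the device's private key.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": project_id, "iat": issued_at, "exp": issued_at + lifetime_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)
    )
    sig = hmac.new(b"demo-key-not-for-production", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def check_jwt_lifetime(token: str, max_seconds: int = MAX_LIFETIME_SECONDS) -> dict:
    """Read iat/exp from the payload (no signature check) and compare exp - iat to the limit."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    lifetime = int(payload["exp"]) - int(payload["iat"])
    return {
        "aud": payload.get("aud"),
        "lifetime_seconds": lifetime,
        "within_limit": 0 < lifetime <= max_seconds,
    }


if __name__ == "__main__":
    now = int(time.time())
    for hours in (24, 25):  # mirrors the 24h (accepted) and 25h (refused) runs above
        print(f"{hours}h ->", check_jwt_lifetime(make_demo_jwt("example-project", hours * 3600, now)))
```

Run it against the token you actually pass as --pw (or -P) before blaming TLS: a lifetime over 86400 seconds explains the refusal even though the CA file and handshake are fine.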

X11 forward to windows x server for docker client in AWS

I am using Windows MobaXterm as the X server and SSH client. If I type xclock in my SSH server (Ubuntu 16.04) in AWS, the clock appears and there is no problem. Now I have installed nvidia-docker in AWS. Here is the run script for starting the Docker container:
nvidia-docker run -it \
-e DISPLAY=$DISPLAY \
-v /tmp/.X11-unix:/tmp/.X11-unix \
-v /tmp/.docker.xauth:/tmp/.docker.xauth \
-e XAUTHORITY=/tmp/.docker.xauth \
--net=host \
\
gcr.io/tensorflow/tensorflow:latest-gpu /bin/bash
The error I have is:
root@ip-172-31-35-73:/notebooks# xclock
MobaXterm X11 proxy: Unsupported authorisation protocol
Error: Can't open display: localhost:10.0
The following seems to work.
SSH from the local terminal in MobaXterm:
ssh -X -Y -i "C:\your_key_path\xxx.pem" root@xx.xx.xx.xx
In AWS, start your Docker container as:
nvidia-docker run -it \
-v /tmp/.X11-unix:/tmp/.X11-unix \
-v /root/.Xauthority:/root/.Xauthority \
-e XAUTHORITY=/root/.Xauthority \
--net=host \
\
gcr.io/tensorflow/tensorflow:latest-gpu /bin/bash
The result is:

external access to kubernetes

docker run \
--volume=/:/rootfs:ro \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:rw \
--volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
--volume=/var/run:/var/run:rw \
--net=host \
--pid=host \
--privileged=true \
-d \
gcr.io/google_containers/hyperkube-amd64:v${K8S_VERSION} \
/hyperkube kubelet \
--containerized \
--hostname-override="127.0.0.1" \
--address="0.0.0.0" \
--api-servers=http://localhost:8080 \
--config=/etc/kubernetes/manifests \
--cluster-dns=10.0.0.10 \
--cluster-domain=cluster.local \
--allow-privileged=true --v=2
A curl localhost:8080 confirms that the API is running.
But trying to access it with the host's IP like curl dockerHostIp:8080 fails:
Failed to connect to ipOfDockerHost port 8080: Connection refused
How can I expose k8s to the outside? (docker-host is an ubuntu server)
As far as I understand using --net=host should solve this problem. But it does not work in this case.
When you start kubernetes with docker, you choose between two models:
--config=/etc/kubernetes/manifests
--config=/etc/kubernetes/manifests-multi.
If you look in these files, you will notice one difference: --insecure-bind-address is different.
When you use --config=/etc/kubernetes/manifests, you ask for a local access only.
You should start with --config=/etc/kubernetes/manifests-multi.
Note that:
you will need to start etcd manually when you use --config=/etc/kubernetes/manifests-multi
follow this post as docker support is not working for now