roachprod: Clusters should default to secure #38539
Comments
|
@rmloveland Insecure was the default initially, and when support for |
kenliu
changed the title
kenliu
changed the title
awoods187
added
the
C-enhancement
Before: roachprod defaulted to making insecure clusters and the useneeded to use the --secure flag to create a secure cluster. Why change? We tell our users that the best practice is to run in secure mode but we don't dog food that configuration enough. Setting roachprod to secure by default will require us to debug problems in secure mode, which means we'll make it easer to run secure mode and we'll get better knowledge of how to run in secure mode. Now: clusters will be spun up in secure mode by default. To get an insecure cluster, use the --insecure flag. Fixes cockroachdb#38539. Release note: None
|
I'm putting this to the side for a bit to work on #33377. Here's status notes on progress:
|
|
Just reflagging this issue, as I think it's still very relevant. I'm curious if there are any plans to return to this. I am specifically thinking of nightly testing. It would go a long way towards dogfooding and making sure our tests reflect realistic usage. Some related work: The SQL Experience team is working on a new roachtest in #62166 and in order for the test to really be valuable, we need a secure cluster. See the PR for a new Also, I believe in the future |
|
Yes so I would say this issue is relevant, and in an ideal world we would leverage the new |
Before: roachprod defaulted to making insecure clusters and the useneeded to use the --secure flag to create a secure cluster. Why change? We tell our users that the best practice is to run in secure mode but we don't dog food that configuration enough. Setting roachprod to secure by default will require us to debug problems in secure mode, which means we'll make it easer to run secure mode and we'll get better knowledge of how to run in secure mode. Now: clusters will be spun up in secure mode by default. To get an insecure cluster, use the --insecure flag. Fixes cockroachdb#38539. Release note: None
Before: roachprod defaulted to making insecure clusters and the useneeded to use the --secure flag to create a secure cluster. Why change? We tell our users that the best practice is to run in secure mode but we don't dog food that configuration enough. Setting roachprod to secure by default will require us to debug problems in secure mode, which means we'll make it easer to run secure mode and we'll get better knowledge of how to run in secure mode. Now: clusters will be spun up in secure mode by default. To get an insecure cluster, use the --insecure flag. Fixes cockroachdb#38539. Release note: None
Before: roachprod defaulted to making insecure clusters and the useneeded to use the --secure flag to create a secure cluster. Why change? We tell our users that the best practice is to run in secure mode but we don't dog food that configuration enough. Setting roachprod to secure by default will require us to debug problems in secure mode, which means we'll make it easer to run secure mode and we'll get better knowledge of how to run in secure mode. Now: clusters will be spun up in secure mode by default. To get an insecure cluster, use the --insecure flag. Fixes cockroachdb#38539. Release note: None
Before: roachprod defaulted to making insecure clusters and the useneeded to use the --secure flag to create a secure cluster. Why change? We tell our users that the best practice is to run in secure mode but we don't dog food that configuration enough. Setting roachprod to secure by default will require us to debug problems in secure mode, which means we'll make it easer to run secure mode and we'll get better knowledge of how to run in secure mode. Now: clusters will be spun up in secure mode by default. To get an insecure cluster, use the --insecure flag. Fixes cockroachdb#38539. Release note: None
|
Putting this back on TestEng's radar... While the bug in [1] didn't strictly require a "secure" cluster for reproducibility, it is suggestive of a blind spot; majority of roachtests still run with [1] #97178 |
Roachtest has been creating secure clusters in tests for a while now. It makes sense for roachprod to use the same, better default when setting up clusters. If necessary, users can still create insecure clusters by passing the `--insecure` flag to `roachprod start` and other commands. Fixes: cockroachdb#38539 Release note: None
123564: drtprod: move drt-chaos to local ssds r=dt a=itsbilal Now that the local ssd bug is identified, we can move drt-chaos to local ssds as well and save some $. Epic: none Release note: None 123593: roachprod: make clusters secure by default r=srosenberg a=renatolabs **roachprod: make clusters secure by default** Roachtest has been creating secure clusters in tests for a while now. It makes sense for roachprod to use the same, better default when setting up clusters. If necessary, users can still create insecure clusters by passing the `--insecure` flag to `roachprod start` and other commands. Fixes: #38539 Release note: None **roachprod: use non-root user by default in roachprod sql** This brings roachprod's and roachtest's defaults closer. Now that we create secure roachprod clusters by default (which includes creating an admin user), we are able to change the default authentication mode used when starting a SQL shell. Like with `pgurl`, the authentication mode can be changed with the `--auth-mode` command line flag. 123603: roachprod: opt-in fluent-servers logging configuration r=sudomateo a=sudomateo In #123227 we added the ability for clusters created by `roachprod` to send their logs to an external system using the `fluent-servers` attribute in the CockroachDB logging configuration. However, the `fluent-servers` attribute was enabled unconditionally which caused clusters to to log an error if the requisite Fluent Bit server was not there to receive the logs. ``` E240503 20:21:50.574780 55 1@util/log/buffered_sink.go:353 ⋮ [-] 229 logging error from *log.fluentSink: dial tcp ‹127.0.0.1:5170›: connect: connection refused ``` This patch adds a `--enable-fluent-sink` option to the `roachprod start` command to conditionally allow clusters to use the `fluent-servers` logging configuration. It also updates `scripts/drtprod` to use this option so they can continue to log to external systems. Epic: none Release note: none Co-authored-by: Bilal Akhtar <bilal@cockroachlabs.com> Co-authored-by: Renato Costa <renato@cockroachlabs.com> Co-authored-by: Matthew Sanabria <24284972+sudomateo@users.noreply.github.com>
Maybe it is insecure by default because it was faster to build it that way. (Totes understandable.)
However, if there are other reasons, e.g., default-secure clusters would break use cases and make things harder for internal folks, then that could be a great incentive to make it easier to do the right thing!
Suggestion: flip the default, and if internal users need an insecure cluster, they need to pass
--insecureand we print the same warning we provide to our users. Delicious dog food!(Filing because my experience working on adding secure options to the "Build an App" docs is teaching me that (at least from Java) doing it the "right way" is quite complex! But in the bad, uninteresting, fiddly and hard-to-get-right way, not in any of the good ways.)
Epic CRDB-10428
Jira issue: CRDB-5690
The text was updated successfully, but these errors were encountered: