THREESCALE-12122: Fix Que worker connection to TLS protected DB #573
Conversation
jlledom
force-pushed
the
THREESCALE-12122-que-psql-ssl
branch
from
4c4bd83 to
78f91b8
Compare
|
Does this make any sense and can it help?
|
|
Basically, if we run from rake, then make |
I already tried that and doesn't work. The reason is because Que in fact opens two connections, one for executing the jobs itself, and the other one for the "locker", the first one already receives all SSL parameters, but the Locker one has this bug and, by reading the code, really having a truthy |
It's already a dependency, the |
|
Can't we monkey patch the thing to grab another connection from the ActiveRecord pool and pass it to the locker? Perhaps submit the fix upstream? This manually passing parameters feels wrong. |
We probably can, yes. But do you really prefer monkey patching? I know the hack is ugly but I don't think it's too dangerous. It should work as long as the Rails connection parameters are correct, and if they aren't, then the que worker would fail anyway. I don't have a strong opinion, though. @mayorova you untie here. |
|
I looked more carefully and I don't understand, why would it checkout a connection from the pool and then create another one? Also apparently it never checks-in that connection. The simplest way to monkey patch this would be to override So I agree that the safest option, as ugly as it is, atm is to use your update. But also propose an upstream fix, where the checked-out connection is used directly instead of just reading its parameters. And link to this task so maybe some day we remove this duplication. |
Nice. I didn't send a fix, but I opened a issue there: que-rb/que#442 |
|
Would be nice to add a comment line pointing at it so that later somebody may check if there was any fix. Things look ok for me. |
|
lib/tasks/que.rake
Outdated
| desc 'Start que worker' | ||
| task exec: :environment do |_, args| | ||
| exec("que ./config/environment.rb que/prometheus #{args.extras.join}") | ||
| db_config = ActiveRecord::Base.connection_db_config.configuration_hash |
There was a problem hiding this comment.
I agree with @akostadinov that it seems a bit ugly, but probably indeed it's better than monkey-patch...
What would be nice though is to put this logic into some module under lib and call it from here. This will allow us to add some unit tests.
While simple, I think this logic is error-prone, and I'd rather have some unit tests.
jlledom
force-pushed
the
THREESCALE-12122-que-psql-ssl
branch
from
eb33751 to
6c03c2b
Compare
❌ 2 blocking issues (3 total)
|
mayorova
left a comment
mayorova
left a comment
There was a problem hiding this comment.
Looks good to me (although I haven't tested it with an actual TLS-protected DB)
It's the only way for it to receive the SSL parameters Co-Authored-By: Claude <noreply@anthropic.com>
jlledom
force-pushed
the
THREESCALE-12122-que-psql-ssl
branch
from
9abbe7a to
b31edb7
Compare
jlledom
force-pushed
the
THREESCALE-12122-que-psql-ssl
branch
from
b31edb7 to
6527ae9
Compare
3 participants
The Que worker is not able to connect to TLS protected DBs. This is because we launch the que worker via rake task, and this calls new process
que.This process is able to read Rails DB configuration properly, however, it only extracts the basic connection data from it (code). Due to this, the SSL configuration is lost and Que fails to connect. We see the error:
The only way to solve this is to pass the
connection_urlparameter to thequecall. A you see in the code, if you send--connection_urland set all the SSL params in the url query, those parameters are actually loaded by the Que connection. Without theconnection_urlparam, all SSL params are ignored.The bug is important because we are in fact not supporting TLS protected DBs in Zync and we thought we did. The only supported scenario is when the connection doesn't require any of the ssl parameters, like connecting without mTLS to a server protected by a certificate already trusted in the OS certs bundle.
Jira issue
https://issues.redhat.com/browse/THREESCALE-12122