Hello!

We're setting up ELOG on OpenShift. ELOG is installed on a Alma Linux 9 image. The container and the elog demo works fine executing the docker image locally.

When deployed on OpenShift, we get a weird response, that results in a 502 Bad Gateway. The broken response looks like:
 

# curl -v -H 'X-Forwarded-User: enrico.gamberini@cern.ch' https://psi-elog-container2-elisa-epdtdi.app.cern.ch/demo/

<html>redir</html>
HTTP/1.1 200 Document follows
HTTP/1.1 200 Document follows
Server: ELOG HTTP 3.1.5-23df00d
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: elmode=Summary; path=/demo; expires=Friday, 07-Dec-35 06:30:26 GMT;
Pragma: no-cache
Cache-control: private, max-age=0, no-cache, no-store
 

Notice the HTML tag before the HTTP header, as well the duplicate HTTP header.

I understand that it might be difficult to reproduce, but any input would be very welcome!

Thanks!

Best,
Enrico

Sorry for posting again but something else came up.

Actually, building from source (elog-3.1.5-1.tar.gz) works just fine on OpenShift too.

The problem described below only happens when installing the packaged binary elog-3.1.5-20240226.el9.x86_64.rpm.

Best,
Enrico

Hey Enrico,

Do you activate also all options with your build ? (pam/ldap/kb5/ssl)

Can you compare ldd command results on elogd binaries builded by yourself and the one from RPM ?

$ ldd /path/to/elogd

Also, size of both elogd files.

Regards

Hi Laurent,

Thanks, good point! I'm building a vanilla version (no extra options enabled as I'm using Webserver authentication).

3.15 RPM:

-rwxr-xr-x. 1 elog elog 1574768 Feb 26 17:29 elogd

bash-5.1$ ldd /usr/local/sbin/elogd 
    linux-vdso.so.1 (0x00007fff215f7000)
    libssl.so.3 => /lib64/libssl.so.3 (0x00007feff74c6000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007feff73eb000)
    libldap.so.2 => /lib64/libldap.so.2 (0x00007feff7384000)
    liblber.so.2 => /lib64/liblber.so.2 (0x00007feff7372000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007feff7360000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007feff7139000)
    libm.so.6 => /lib64/libm.so.6 (0x00007feff705c000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007feff7041000)
    libc.so.6 => /lib64/libc.so.6 (0x00007feff6e38000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007feff6a07000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007feff69ee000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007feff69e7000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007feff69d4000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007feff69cd000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007feff69b9000)
    libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007feff6960000)
    libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007feff6940000)
    libaudit.so.1 => /lib64/libaudit.so.1 (0x00007feff6912000)
    libeconf.so.0 => /lib64/libeconf.so.0 (0x00007feff6905000)
    /lib64/ld-linux-x86-64.so.2 (0x00007feff7572000)
    libz.so.1 => /lib64/libz.so.1 (0x00007feff68eb000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007feff68be000)
    libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007feff6884000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007feff682d000)
    libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007feff6822000)
    libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007feff6786000)
    
3.15 source vanilla build:

-rwxr-xr-x. 1 root root 1503896 Jul 15 09:31 elogd

bash-5.1$ ldd elogd
    linux-vdso.so.1 (0x00007fff60bbf000)
    libssl.so.3 => /lib64/libssl.so.3 (0x00007f8f83e44000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f8f83c1b000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f8f83b40000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f8f83b25000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f8f8391c000)
    libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f8f834e9000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8f83ef0000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f8f834cd000)

Best,
Enrico

Enrico,

When using RPM in OpenShift, I guess all the RPM dependencies are correctly installed.

FYI, I met a problem with elogd docker built with alpine Linux image and running on Synology NAS (x86_64). The ImageMagick dependencies libs provided by alpine for X86_64 are optimized for better CPU than mine with AVX2 (or something like that), and elogd failed to save a log with any enclosure (core exit, bad instruction), as some thumbnails are generated while saving.

As I didn't find any easy workaround w/o rebuilding all IM libs, so I switch to Debian images more conservative in CPU optimization, but bigger :-( before to switch to minideb that's run fine in my case.

It's not easy to debug in container w/o making one specially for that, so you should try to build a docker based on alma9 image, compiling elogd from sources (you can follow https://github.com/loll31/elog-ldap for the process).

Good luck

NB : The ldd result from my minideb Docker :

root@9ac6063e87bf:/# ldd -v /usr/local/sbin/elogd                                                                                                        

        linux-vdso.so.1 (0x00007ffd0e794000)                                                                                                             

        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007fc00ac35000)                                                                            

        libldap-2.5.so.0 => /lib/x86_64-linux-gnu/libldap-2.5.so.0 (0x00007fc00abd6000)                                                                  

        liblber-2.5.so.0 => /lib/x86_64-linux-gnu/liblber-2.5.so.0 (0x00007fc00abc6000)                                                                  

        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fc00a9ac000)                                                                      

        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fc00a98c000)                                                                        

        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc00a7a9000)                                                                                

        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fc00a328000)                                                                      

        libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fc00a30b000)                                                                        

        libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fc00a0ef000)                                                                    

        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fc00a010000)                                                                                

        /lib64/ld-linux-x86-64.so.2 (0x00007fc00f959000)                                                                                                 

        libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fc009eda000)                                                                    

        libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007fc009ea9000)                                                                          

        libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007fc009cf3000)                                                                

        libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fc009cde000)                                                                        

        libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007fc009c90000)                                                                      

        libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007fc009c47000)                                                                    

        libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fc009bc4000)                                                                          

        libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007fc009bb8000)                                  

Also, you have the option to rebuild RPM from SRPMS or SOURCES via ELOG buildrpm script.

You will need to install rpmbuild tools...

Options (ldap, kb5, etc) can be set from options or by editing defaults.

The ETH physics department is running an ELOG behind an Apache reverse proxy:

ProxyPass / http://localhost:$port/ retry=0
ProxyPassReverse / http://localhost:$port/
ProxyAddHeaders off

Authentication is done on the Apache side using LDAP authentication, example:

<Location /demo>
  Use PhysLDAP
  AuthType Basic
  AuthBasicProvider ldap
...
  Require valid-user
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader add X-Forwarded-User %{RU}e
</Location>

And all ELOGs use the following config:

[demo]
Authentication = Webserver

For the PSI-Praktikum we had to create a logbook that is accessible without an ETH-Account. A new logbook was added, which is not authenticated via the proxy, but the ELOG internal authentication. In order to grant access to the students, I was made admin for that logbook. The configuration is the following:

[PSI-Praktikum]
Authentication = File
Password file = /home/wwwelog/private/password/psi-praktikum.xml
Admin user = damian

In order to prevent my user from editing the global configuration, top groups according to https://elog.psi.ch/elog/config.html#groups were introduced, with one top group for all the proxy-authenticated logbooks, and a separate one for the Praktikum logbook. However, even after doing this, I am still able to edit the [global] section. Is there a way to prevent this? Or is it not possible to have a global section that is not accessible by the top group admins?

You can have authentication via the Webserver or the ELOG internal one, but this is on a global level for all logbooks. You cannot mix this between logbooks. For that, you would have to run two instances of ELOG at two different ports.

Stefan