Docker Install with SSL

melaleuca5 · June 28, 2018, 3:58am

Trying to install Kaltura Docker locally with SSL. I am using the following answer file as a test, so credentials are ok to see =).

I am getting this error when installing

tarting httpd: [Thu Jun 28 00:13:46 2018] [warn] The Alias directive in /opt/kaltura/app/configurations/apache/conf.d/enabled.apps.conf at line 38 will probably never match because it overlaps an earlier Alias.
httpd: Could not reliably determine the server’s fully qualified domain name, using 172.17.0.2 for ServerName

Not sure if I am missing something in my answer file , doing this on a clean docker install. I add my host k.test.com in the docker container pointing to 127.0.0.1

TIME_ZONE="Etc/UTC"
KALTURA_VIRTUAL_HOST_PORT="443"
KALTURA_FULL_VIRTUAL_HOST_NAME="k.test.com:443"
KALTURA_VIRTUAL_HOST_NAME="k.test.com"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="dMi63rEXkjedkEn"
DB1_NAME="kaltura"
DB1_USER="kaltura"
IS_NGINX_SSL="y"NGIN
SERVICE_URL="https://k.test.com:443"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2=" "
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="test@test.com"
ADMIN_CONSOLE_PASSWORD="password"
CDN_HOST="k.test.com"
SUPER_USER="root"
SUPER_USER_PASSWD="password"
ENVIRONMENT_NAME="test"
DWH_PASS="dMi63rEXkjedkEn"
PROTOCOL="https"
PRIMARY_MEDIA_SERVER_HOST="k.test.com"
USER_CONSENT="0"
CONTACT_MAIL="test@test.com"
VOD_PACKAGER_HOST="k.test.com"
VOD_PACKAGER_PORT="88"
VOD_PACKAGER_SSL_PORT="8443"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="127.0.0.1"
CONFIG_CHOICE="0"
IS_SSL="Y"
CRT_FILE="/etc/ssl/certs/localhost.crt"
KEY_FILE="/etc/pki/tls/private/localhost.key"
CA_FILE="NO_CA"
RTMP_PORT=1935

jess · June 28, 2018, 10:40am

Hi @melaleuca5,

You’re not doing anything wrong or at least, if you are, that warning is no indication of that:)

This block:

Alias /apps/kea "/opt/kaltura/apps/kea"
<Directory "/opt/kaltura/apps/kea">
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks +Includes
    Order allow,deny
    Allow from all
    AllowOverride all
</Directory>

will never match because of the block right above it:

Alias /apps "/opt/kaltura/apps"
<Directory "/opt/kaltura/apps">
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks +Includes
    AllowOverride None
    Order allow,deny
    Allow from all
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>

It should be removed and I’ll let the person who introduced it into the configuration know. You can safely ignore the warning.

If you have encountered an issue, that’s not the cause. Please provide more details so that I may guide you further.

Thanks,

melaleuca5 · June 28, 2018, 3:22pm

Ok I added IS_SSL=“Y”, I am getting when I try to login

An error occurred
(error code: API:-1)

Looking at the console I a getting 404
https://k.test.com/admin_console/css/style.css , so not sure if that virtual host is causing issues

jess · June 28, 2018, 4:31pm

Hi @melaleuca5,

Check for errors in /opt/kaltura/log/kaltura_api_v3.log, /opt/kaltura/log/kaltura_apache_errors*log and /opt/kaltura/log/kaltura_prod.log.

melaleuca5 · June 28, 2018, 5:49pm

I only have kaltura_apache_errors_ssl.log

[Thu Jun 28 17:53:43 2018] [error] [client 172.17.0.1] File does not exist: /opt/kaltura/app/alpha/web/opt, referer: https://k.test.com/admin_console/index

in /opt/kaltura/app/alpha/web i dont have opt

melaleuca5 · June 29, 2018, 12:17am

I do see this in the logs when i try to login

2018-06-29 00:22:34 [0.079353] [1071858] [8] [%context%] [ErrorController->errorAction] ERR: exception 'Kaltura_Client_ClientException' with message 'Peer certificate cannot be authenticated with known CA certificates. RC : 0' in /opt/kaltura/app/admin_console/lib/Kaltura/Client/ClientBase.php:942
Stack trace:
#0 /opt/kaltura/app/admin_console/lib/Kaltura/Client/ClientBase.php(249): Kaltura_Client_ClientBase->getKalturaClientException('Peer certificat...', -1)
#1 /opt/kaltura/app/admin_console/lib/Kaltura/Client/UserService.php(310): Kaltura_Client_ClientBase->doQueue()
#2 /opt/kaltura/app/ui_infra/Infra/AuthAdapter.php(148): Kaltura_Client_UserService->loginByLoginId('test@test.com', 'password', '-2', NULL, 'disableentitlem...', '')
#3 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Auth.php(117): Infra_AuthAdapter->authenticate()
#4 /opt/kaltura/app/admin_console/controllers/UserController.php(165): Zend_Auth->authenticate(Object(Kaltura_AdminAuthAdapter))
#5 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Action.php(513): UserController->loginAction()
#6 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Dispatcher/Standard.php(289): Zend_Controller_Action->dispatch('loginAction')
#7 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Controller/Front.php(946): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#8 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Application/Bootstrap/Bootstrap.php(77): Zend_Controller_Front->dispatch()
#9 /opt/kaltura/app/vendor/ZendFramework/library/Zend/Application.php(358): Zend_Application_Bootstrap_Bootstrap->run()
#10 /opt/kaltura/app/admin_console/web/index.php(38): Zend_Application->run()
#11 {main}

melaleuca5 · June 29, 2018, 12:21am

Perhaps it’s because we are using self generated cert

Currently, the Nginx VOD module does not support integration with Kaltura over HTTPs, only HTTP is supported.

Will try to setup a more production test will let you know.

melaleuca5 · June 29, 2018, 2:25am

Ok seems like the docker image has expired CA files, I am not able to login to the admin console I had to do the following in the docker image

rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates

Now I can, Still testing everything else.

melaleuca5 · July 1, 2018, 4:25pm

@jess , After fighting with docker I found a solution but now VOD is not working properly. Basically vod when loading the file it tried to open https://vodk.test.com:88 If I change the VOD_PACKAGER_PORT=“88”
to VOD_PACKAGER_PORT=“8443” is causes conflict with nginx_ssl=y and have to go in and change nginx.conf manually. Perhaps I need go manually change the delivery_profile in the setting before this works.

Any ideas?

Also the docker image has the wrong CA files, I fix this with running this

ocker exec -it kaltura bash -c "yum update && rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates"

TIME_ZONE="Etc/UTC"
KALTURA_VIRTUAL_HOST_PORT="443"
KALTURA_FULL_VIRTUAL_HOST_NAME="k.test.com:443"
KALTURA_VIRTUAL_HOST_NAME="k.test.com"
DB1_HOST="127.0.0.1"
DB1_PORT="3306"
DB1_PASS="dMi63rEXkjedkEn"
DB1_NAME="kaltura"
DB1_USER="kaltura"
IS_NGINX_SSL="Y"
SERVICE_URL="https://k.test.com"
SPHINX_SERVER1="127.0.0.1"
SPHINX_SERVER2=" "
DWH_HOST="127.0.0.1"
DWH_PORT="3306"
ADMIN_CONSOLE_ADMIN_MAIL="test@test.com"
ADMIN_CONSOLE_PASSWORD="password"
CDN_HOST="k.test.com"
SUPER_USER="root"
SUPER_USER_PASSWD="password"
ENVIRONMENT_NAME="test"
DWH_PASS="dMi63rEXkjedkEn"
PROTOCOL="https"
PRIMARY_MEDIA_SERVER_HOST="k.test.com"
USER_CONSENT="0"
CONTACT_MAIL="test@test.com"
VOD_PACKAGER_HOST="vodk.test.com"
VOD_PACKAGER_PORT="88"
VOD_PACKAGER_SSL_PORT="8443"
IP_RANGE="0.0.0.0-255.255.255.255"
WWW_HOST="k.test.com:443"
CONFIG_CHOICE="0"
IS_SSL="Y"
CRT_FILE="/etc/ssl/certs/localhost.crt"
KEY_FILE="/etc/pki/tls/private/localhost.key"
SSL_KEY="/etc/pki/tls/private/localhost.key"
SSL_CERT="/etc/ssl/certs/localhost.crt"
CHAIN_FILE="/etc/ssl/certs/localhost.crt"

jess · July 3, 2018, 2:00pm

Hi @melaleuca5,

As you can see here:

github.com

kaltura/platform-install-packages/blob/Naos-14.0.0/Dockerfile#L1


FROM centos:6





RUN echo "NETWORKING=yes" > /etc/sysconfig/network







# mysql

RUN yum install -y mysql mysql-server

RUN mysql_install_db

RUN chkconfig mysqld on

we simply use the default CentOS 6 Docker image. I’ve added:

rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates

here: https://github.com/kaltura/platform-install-packages/blob/Naos-14.1.0/docker/install/install.sh#L37

Which should fix the issue you’ve come across.

In regards to the Nginx config, if you want to work over SSL, run this SQL statement:

mysql> UPDATE kaltura.delivery_profile SET url = REPLACE(url, "$VOD_PACKAGER_HOST:$VOD_PACKAGER_PORT", "$VOD_PACKAGER_HOST:$VOD_PACKAGER_SSL_PORT") WHERE url LIKE '$VOD_PACKAGER_HOST:$VOD_PACKAGER_PORT/%'

Should get the job done. I recommend backing up the table before making changes to it.

Note that generally speaking, this Dockerfile is meant for development purposes only. On Production, you should deploy a cluster rather than an all in one instance and I’d also recommend using CentOS 7 as base, rather than 6.
We do not offer Dockerfiles for such a setup but it should be relatively easy for you to create your own based on the instructions here:

github.com

kaltura/platform-install-packages/blob/Naos-14.1.0/doc/rpm-cluster-deployment-instructions.md

# Deploying Kaltura Clusters

Below are **RPM** based instructions for deploying Kaltura Clusters.    
Refer to the [All-In-One Kaltura Server Installation Guide](install-kaltura-redhat-based.md) for more notes about deploying Kaltura in RPM supported environments.    
Refer to the [Deploying Kaltura Clusters Using Chef](rpm-chef-cluster-deployment.md) for automated Chef based deployments.

### Before You Get Started Notes
* If you see a `#` at the beginning of a line, this line should be run as `root`.
* Please review the [frequently answered questions](kaltura-packages-faq.md) document for general help before posting to the forums or issue queue.
* All post-install scripts accept answers-file as parameter, this can used for silent-automatic installs.
* For a cluster install, it is very important to pass an [answer file](kaltura.template.ans) to each script because otherwise, the MySQL 'kaltura' passwd is autogenerated by the installer. This is fine for a standalone server but for a cluster, passwd must be the same on all. 
* [Kaltura Inc.](http://corp.kaltura.com) also provides commercial solutions and services including pro-active platform monitoring, applications, SLA, 24/7 support and professional services. If you're looking for a commercially supported video platform  with integrations to commercial encoders, streaming servers, eCDN, DRM and more - Start a [Free Trial of the Kaltura.com Hosted Platform](http://corp.kaltura.com/free-trial) or learn more about [Kaltura' Commercial OnPrem Edition™](http://corp.kaltura.com/Deployment-Options/Kaltura-On-Prem-Edition). For existing RPM based users, Kaltura offers commercial upgrade options.

### Instructions here are for a cluster with the following members:

* [Load Balancing](load_balancing.md)
* [NFS server](#the-nfs-server)
* [MySQL Database](#the-mysql-database)
* [Sphinx Indexing Nodes](#the-sphinx-indexing-server)
* [Front Nodes](#the-first-front-node)

This file has been truncated. show original

If you decide to do so and have questions, I’ll be happy to assist you and of course, we will welcome a pull request as well:)

Since CentOS/RHEL 7 make use of systemd and many of the packages in the official 7 repos no longer include tranditional POSIX init scripts, you will find it difficult to deploy an all in one CentOS 7 container but like I said, that sort of setup is not recommended for Production ENVs anyhow:)

melaleuca5 · July 6, 2018, 4:32am

@jess thanks for that.

Not sure if you saw this https://github.com/kaltura/server-cluster-container-install is this something your team is working on .

jess · July 7, 2018, 12:45pm

Hi @melaleuca5,

Yes, I’m aware of it, thank you:)
However, that repo still requires work and also, uses centos:6 as the base image.
Like I said, it would be best to use centos:7 instead. Due to systemd, that would require some additional work.