x/build: move http2 demo to GKE #23034

sbinet opened this issue Dec 7, 2017 · 6 comments

Builders FrozenDueToAge



@sbinet sbinet commented Dec 7, 2017

Hi there,

Trying to show to a co-worker the nice performance improvements one could get with Go, HTTP/2 and HTTPS, I got this:

    $> curl
    curl: (7) Failed to connect to port 443: Connection refused

Could this be reinstated?
(@bradfitz ?)

@bradfitz bradfitz self-assigned this Dec 7, 2017

@bradfitz bradfitz commented Dec 7, 2017

Well, crap.

It looks like the CoreOS instance updated itself (currently 4.13.16-coreos-r2) and my systemd unit from my cloud-config was no longer recognized.

For the record, my user-data metadata on GCE is:

    - name: h2demo.service
      command: start
      content: |
        Description=HTTP2 Demo
        ExecStartPre=/bin/bash -c 'mkdir -p /opt/bin && curl -s -o /opt/bin/h2demo && chmod +x /opt/bin/h2demo'
        ExecStart=/opt/bin/h2demo --prod

    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwks9dwWKlRC+73gRbvYtVg0vdCwDSuIlyt4z6xa/YU/jTDynM4R4W10hm2tPjy8iR1k8XhDv4/qdxe6m07NjG/By1tkmGpm1mGwho4Pr5kbAAy/Qg+NLCSdAYnnE00FQEcFOC15GFVMOW2AzDGKisReohwH9eIzHPzdYQNPRWXE=

That had worked for years, but today when I ran systemctl there was no mention of h2demo in the list of services.

To "fix" it, I did:

    http2-demo bradfitz # systemctl enable /etc/systemd/system/h2demo.service
    Created symlink /etc/systemd/system/ → /etc/systemd/system/h2demo.service.
    http2-demo bradfitz # systemctl start h2demo.service
    http2-demo bradfitz # systemctl status h2demo.service
    ● h2demo.service - HTTP2 Demo
       Loaded: loaded (/etc/systemd/system/h2demo.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2017-12-07 18:28:35 UTC; 5s ago
      Process: 1019 ExecStartPre=/bin/bash -c mkdir -p /opt/bin && curl -s -o /opt/bin/h2demo && chmod +x /opt/bin/h2demo (code=exited, status=0/SUCCESS)
     Main PID: 1024 (h2demo)
        Tasks: 4 (limit: 32768)
       Memory: 15.8M
          CPU: 74ms
       CGroup: /system.slice/h2demo.service
               └─1024 /opt/bin/h2demo --prod
    Dec 07 18:28:35 http2-demo.c.symbolic-datum-552.internal systemd[1]: Starting HTTP2 Demo...
    Dec 07 18:28:35 http2-demo.c.symbolic-datum-552.internal systemd[1]: Started HTTP2 Demo.

I can move this service to GKE along with our others, I suppose.

@bradfitz bradfitz changed the title http2: online demo not working anymore x/build: move http2 demo to GKE Dec 7, 2017
@gopherbot gopherbot added this to the Unreleased milestone Dec 7, 2017
@gopherbot gopherbot added the Builders label Dec 7, 2017
Member Author

@sbinet sbinet commented Dec 7, 2017

Thanks for the speedy "fix" :)


@crawford crawford commented Dec 8, 2017

In case anyone is interested, the reason for the failure was a few malformed entries in authorized_keys coupled with a new implementation of update-ssh-keys (in Rust 😬). The old implementation of update-ssh-keys blindly concatenated the contents of ~/.ssh/authorized_keys.d into ~/.ssh/authorized_keys while the new implementation validates the correctness of the keys. One of coreos-cloudinit's first tasks is to update SSH keys, which it does by calling update-ssh-keys. Unfortunately, when update-ssh-keys failed as it encountered the malformed entries, it caused coreos-cloudinit to exit early without actually starting any of the services. This bug is a good illustration of the problems with the underlying design of coreos-cloudinit and it's worth noting that it has been deprecated in favor of Container Linux Configs and Ignition.


@bradfitz bradfitz commented Dec 8, 2017

@crawford, are you changing update-ssh-keys to ignore those invalid entries? (which GKE added for itself, even though those are on unrelated VMs)


@crawford crawford commented Dec 8, 2017

@bradfitz Yeah, we are going to update it to throw warnings and skip invalid keys, but continue copying valid ones.
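
The fail-fast versus skip-and-warn behaviour discussed in the comments above, as an added example: it is not part of the thread and not the code of update-ssh-keys (which is written in Rust). `validKey`, `mergeKeys` and `sample` are hypothetical names, and the structural check is an assumption about what validating a key entry could involve.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// validKey (assumed check, not update-ssh-keys' own): blob decodes and starts with the key type.
func validKey(line string) error {
	f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil || len(blob) < 4 {
		return fmt.Errorf("missing or non-base64 key blob")
	}
	n := binary.BigEndian.Uint32(blob) // length prefix of the embedded type string
	if uint64(n) > uint64(len(blob)-4) || string(blob[4:4+n]) != f[0] {
		return fmt.Errorf("blob does not carry key type %q", f[0])
	}
	return nil
}

// mergeKeys joins authorized_keys.d-style fragments; strict aborts on the first bad entry.
func mergeKeys(frags []string, strict bool) (keys, warns []string, err error) {
	for i, frag := range frags {
		for _, line := range strings.Split(frag, "\n") {
			if line = strings.TrimSpace(line); line == "" || strings.HasPrefix(line, "#") {
				continue
			}
			if verr := validKey(line); verr != nil && strict {
				return nil, nil, fmt.Errorf("fragment %d: %v", i, verr)
			} else if verr != nil {
				warns = append(warns, fmt.Sprintf("fragment %d skipped: %v", i, verr))
				continue
			}
			keys = append(keys, line)
		}
	}
	return keys, warns, nil
}

// sample is constructed input (structure only, not usable keys): one bad entry between two good.
var sample = []string{"ssh-rsa AAAAB3NzaC1yc2E= a@example",
	"ssh-rsa not*base64 b@example\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5 c@example"}
func main() {
	fmt.Println(mergeKeys(sample, true))  // strict: error, nothing merged
	fmt.Println(mergeKeys(sample, false)) // lenient: two keys kept, one warning
}
```

In strict mode a single bad entry leaves the caller with an error and no keys, which is the condition that made coreos-cloudinit exit before starting any units.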


@gopherbot gopherbot commented Feb 1, 2018

Change mentions this issue: http2/h2demo: enable HTTP ACME challenges, move from CoreOS to Kubernetes

@golang golang locked and limited conversation to collaborators Feb 1, 2019
NET12115 added a commit to NET12115/Golang-C-NET that referenced this issue Feb 28, 2022

This makes HTTP challenges work on since
LetsEncrypted disabled the TLS-SNI challenges.

Also, move it from a systemd unit on CoreOS to GKE.

Updates golang/go#23627
Fixes golang/go#23034

Change-Id: Id8348e9e56ab43e277f1e12d563fd8fc490d6211
Reviewed-by: Andrew Bonventre <>