x/build: move http2 demo to GKE

[sbinet]

hi there,

trying to show to a co-worker the nice performance improvements one could get with Go, HTTP/2 and https, I got this:

$> curl https://http2.golang.org/gophertiles
curl: (7) Failed to connect to http2.golang.org port 443: Connection refused

could this be reinstated?
(@bradfitz ?)

[bradfitz]

Well, crap.

It looks like the CoreOS instance updated itself (currently 4.13.16-coreos-r2) and my systemd unit from my cloud-config was no longer recognized.

For the record, my user-data metadata on GCE is:

#cloud-config
coreos:
  units:
    - name: h2demo.service
      command: start
      content: |
        [Unit]
        Description=HTTP2 Demo
        
        [Service]
        ExecStartPre=/bin/bash -c 'mkdir -p /opt/bin && curl -s -o /opt/bin/h2demo http://storage.googleapis.com/http2-demo-server-tls/h2demo && chmod +x /opt/bin/h2demo'
        ExecStart=/opt/bin/h2demo --prod
        RestartSec=5s
        Restart=always
        Type=simple
        
        [Install]
        WantedBy=multi-user.target

ssh_authorized_keys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwks9dwWKlRC+73gRbvYtVg0vdCwDSuIlyt4z6xa/YU/jTDynM4R4W10hm2tPjy8iR1k8XhDv4/qdxe6m07NjG/By1tkmGpm1mGwho4Pr5kbAAy/Qg+NLCSdAYnnE00FQEcFOC15GFVMOW2AzDGKisReohwH9eIzHPzdYQNPRWXE= bradfitz@papag.bradfitz.com

That had worked for years, but today when I ran systemctl there was no mention of h2demo in the list of services.

To "fix" it, I did:

http2-demo bradfitz # systemctl enable /etc/systemd/system/h2demo.service
Created symlink /etc/systemd/system/multi-user.target.wants/h2demo.service → /etc/systemd/system/h2demo.service.
http2-demo bradfitz # systemctl start h2demo.service
http2-demo bradfitz # systemctl status h2demo.service
● h2demo.service - HTTP2 Demo
   Loaded: loaded (/etc/systemd/system/h2demo.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-12-07 18:28:35 UTC; 5s ago
  Process: 1019 ExecStartPre=/bin/bash -c mkdir -p /opt/bin && curl -s -o /opt/bin/h2demo http://storage.googleapis.com/http2-demo-server-tls/h2demo && chmod +x /opt/bin/h2demo (code=exited, status=0/SUCCESS)
 Main PID: 1024 (h2demo)
    Tasks: 4 (limit: 32768)
   Memory: 15.8M
      CPU: 74ms
   CGroup: /system.slice/h2demo.service
           └─1024 /opt/bin/h2demo --prod
Dec 07 18:28:35 http2-demo.c.symbolic-datum-552.internal systemd[1]: Starting HTTP2 Demo...
Dec 07 18:28:35 http2-demo.c.symbolic-datum-552.internal systemd[1]: Started HTTP2 Demo.

I can move this service to GKE along with our others, I suppose.

[sbinet]

Thanks for the speedy "fix" :)

[crawford]

In case anyone is interested, the reason for the failure was a few malformed entries in authorized_keys coupled with a new implementation of update-ssh-keys (in Rust 😬). The old implementation of update-ssh-keys blindly concatenated the contents of ~/.ssh/authorized_keys.d into ~/.ssh/authorized_keys while the new implementation validates the correctness of the keys. One of coreos-cloudinit's first tasks is to update SSH keys, which it does by calling update-ssh-keys. Unfortunately, when update-ssh-keys failed as it encountered the malformed entries, it caused coreos-cloudinit to exit early without actually starting any of the services. This bug is a good illustration of the problems with the underlying design of coreos-cloudinit and it's worth noting that it has been deprecated in favor of Container Linux Configs and Ignition.

[bradfitz]

@crawford, are you changing update-ssh-keys to ignore those invalid entries? (which GKE added for itself, even though those are on unrelated VMs)

[crawford]

@bradfitz Yeah, we are going to update it to throw warnings and skip invalid keys, but continue copying valid ones.

[gopherbot]

Change https://golang.org/cl/91495 mentions this issue: http2/h2demo: enable HTTP ACME challenges, move from CoreOS to Kubernetes