Proposal - encrypted cache
by Sebastian Laskawiec
Hey!
A while ago I stumbled upon [1]. The article talks about encrypting data
before they reach the server, so that the server doesn't know how to
decrypt it. This makes the data more secure.
The idea is definitely not new and I have been asked about something
similar several times during local JUGs meetups (in my area there are lots
of payments organizations who might be interested in this).
Of course, this can be easily done inside an app, so that it encrypts the
data and passes a byte array to the Hot Rod Client. I'm just thinking about
making it a bit easier and adding a default encryption/decryption mechanism
to the Hot Rod client.
What do you think? Does it make sense?
Thanks
Sebastian
[1] https://eprint.iacr.org/2016/920.pdf
6 years, 6 months
Maintenance of OpenShift templates
by Galder Zamarreño
Hi,
Looking at [1] and I'm wondering why the templates have to maintain a
different XML file for OpenShift?
We already ship an XML in the server called `cloud.xml`, that should
just work. Having a separate XML file in the templates means we're
duplicating the maintainance of XML files.
Also, users can now create caches programmatically. This is by far the
most common tweak that had to be done to the config. So, I see the
urgency to change XML files less immediate.
Sure, there will always be people who modify/tweak things and that's
fine. We should however show the people how to do that in a way that
doesn't require us to duplicate our maintanence work.
Also, if we want to show the users how to use a custom XML file, I don't
think we should show them how to embedd it in the template as JSON
[2]. It's quite a pain. Instead, the XML should be kept as a separate
file and the JSON file reference it.
Cheers,
[1]
https://github.com/infinispan/infinispan-openshift-templates/pull/16/files
[2] https://github.com/infinispan/infinispan-openshift-templates#maintenance-...
6 years, 7 months
Passing client listener parameters programmatically
by Galder Zamarreno
Hi,
We're working with the OpenWhisk team to create a generic Feed that allows
Infinispan remote events to be exposed in an OpenWhisk way.
So, you'd pass in Hot Rod endpoint information, name of cache and other
details and you'd establish a feed of data from that cache for
create/updated/removed data.
However, making this generic is tricky when you want to pass in
filter/converter factory names since these are defined at the annotation
level.
Ideally we should have a way to pass in filter/converter factory names
programmatically. To avoid limiting ourselves, you could potentially pass
in an instance of the annotation in an overloaded method or as optional
parameter [1].
Thoughts?
Cheers,
Galder
[1]
https://stackoverflow.com/questions/16299717/how-to-create-an-instance-of...
6 years, 7 months
(no subject)
by Galder Zamarreno
Hi Sebastian,
Did you mention something about x-site not working on master?
The reason I ask is cos I was trying to create a state transfer test for
[1] and there are some odds happening.
In my test, I start LON site configured with NYC but NYC is not up yet.
[1] https://issues.jboss.org/browse/ISPN-9111
6 years, 8 months
Search keys by query
by Sergey Chernolyas
*Hi! *
*I want ask about search keys. For example, I have a complex key and the
complex key (POJO) have a field “type”. It is logical if I find all keys
with required type by query. Now query for complex keys not work. Method
“list()” return empty list(). Is the feature implementable?*
--
---------------------
With best regards, Sergey Chernolyas
6 years, 8 months
9.2 EmbeddedCacheManager blocked at shutdown
by Thomas SEGISMONT
Hi everyone,
I am working on integrating Infinispan 9.2.Final in vertx-infinispan.
Before merging I wanted to make sure the test suite passed but it doesn't.
It's not the always the same test involved.
In the logs, I see a lot of messages like "After merge (or coordinator
change), cache still hasn't recovered a majority of members and must stay
in degraded mode.
The context involved are "___counter_configuration" and
"org.infinispan.LOCKS"
Most often it's harmless but, sometimes, I also see this exception
"ISPN000210: Failed to request state of cache"
Again the cache involved is either "___counter_configuration" or
"org.infinispan.LOCKS"
After this exception, the cache manager is unable to stop. It blocks in
method "terminate" (join on cache future).
I thought the test suite was too rough (we stop all nodes at the same
time). So I changed it to make sure that:
- nodes start one after the other
- a new node is started only when the previous one indicates HEALTHY status
- nodes stop one after the other
- a node is stopped only when it indicates HEALTHY status
Pretty much what we do on Kubernetes for the readiness check actually.
But it didn't get any better.
Attached are the logs of such a failing test.
Note that the Vert.x test itself does not fail, it's only when closing
nodes that we have issues.
Here's our XML config:
https://github.com/vert-x3/vertx-infinispan/blob/ispn92/src/main/resource...
Does that ring a bell? Do you need more info?
Regards,
Thomas
6 years, 8 months
Re: [infinispan-dev] [wildfly-dev] WFLYTX0013 in the Infinispan Openshift Template
by Sebastian Laskawiec
Hey Tom,
Comments inlined.
Thanks,
Sebastian
On Tue, Apr 17, 2018 at 4:37 PM Tom Jenkinson <tom.jenkinson(a)redhat.com>
wrote:
>
>
> On 16 April 2018 at 09:31, <> wrote:
>
>> Adding +WildFly Dev <wildfly-dev at lists.jboss.org> to the loop
>
>
>>
>> Thanks for the explanation Rado.
>>
>> TL;DR: A while ago Sanne pointed out that we do not set `node-identifier`
>> in transaction subsystem by default. The default value for the
>> `node-identifier` attribute it `1`. Not setting this attribute might cause
>> problems in transaction recovery. Perhaps we could follow Rado's idea and
>> set it to node name by default?
>>
> Indeed - it would cause serious data integrity problems if a non-unique
> node-identifier is used.
>
>> Some more comments inlined.
>>
>> Thanks,
>> Sebastian
>>
>> On Fri, Apr 13, 2018 at 7:07 PM Radoslav Husar <rhusar at redhat.com>
>> wrote:
>>
>> > Hi Sebastian,
>> >
>> > On Wed, Apr 11, 2018 at 2:31 PM, Sebastian Laskawiec
>> > <slaskawi at redhat.com> wrote:
>> > > Hey Rado, Paul,
>> > >
>> > > I started looking into this issue and it turned out that WF subsystem
>> > > template doesn't provide `node-identifier` attribute [1].
>> >
>> > I assume you mean that the default WildFly server profiles do not
>>
> > explicitly define the attribute. Right ? thus the value defaults in
>
>
>> > the model to "1"
>> >
>> >
>> https://github.com/wildfly/wildfly/blob/master/transactions/src/main/java...
>> > which sole intention seems to be to log a warning on boot if the value
>> > is unchanged.
>> > Why they decided on a constant that will be inherently not unique as
>> > opposed to defaulting to the node name (which we already require to be
>> > unique) as clustering node name or undertow instance-id does, is
>> > unclear to me.
>> > Some context is on https://issues.jboss.org/browse/WFLY-1119.
>> >
>>
>> In OpenShift environment we could set it to `hostname`. This is guaranteed
>> to be unique in whole OpenShift cluster.
>>
>>
>> We do this too in EAP images.
> To Rado's point, the default is "1" so we can print the warning to alert
> people they are misconfigured - it seems to be working :)
>
This is the point. From my understanding, if we set it to node name
(instead of "1"), we could make it always work correctly. We could even
remove the code that emits the warning (since the node name needs to be
unique).
To sum it up - if we decided to proceed this way, there would be no
requirement of setting the node-identifier at all.
>
>
>> >
>
>
>> > > I'm not sure if you guys are the right people to ask, but is it safe
>> to
>> > > leave it set to default? Or shall I override our Infinispan templates
>> and
>> > > add this parameter (as I mentioned before, in OpenShift this I wanted
>> to
>> > set
>> > > it as Pod name trimmed to the last 23 chars since this is the limit).
>>
> Putting a response to this in line - I am not certain who originally
> proposed this.
>
> You must use a globally unique node-identifier. If you are certain the
> last 23 characters guarantee that it would be valid - if there is a chance
> they are not unique it is not valid to trim.
>
If that's not an issue, again, we could use the same limit as we have for
node name.
>
>
>
>> >
>
>
>> > It is not safe to leave it set to "1" as that results in inconsistent
>> > processing of transaction recovery.
>> > IIUC we already set it to the node name for both EAP and JDG
>> >
>> >
>> https://github.com/jboss-openshift/cct_module/blob/master/os-eap70-opensh...
>> >
>> >
>> https://github.com/jboss-openshift/cct_module/blob/master/os-jdg7-conffil...
>>
> > which in turn defaults to the pod name ? so which profiles are we
>
>
>> > talking about here?
>> >
>>
>> Granted, we set it by default in CCT Modules. However in Infinispan we
>> just
>> grab provided transaction subsystem when rendering full configuration from
>> featurepacks:
>>
>> https://github.com/infinispan/infinispan/blob/master/server/integration/f...
>>
>> The default configuration XML doesn't contain the `node-identifier`
>> attribute. I can add it manually in the cloud.xml but I believe the right
>> approach is to modify the transaction subsystem.
>>
>>
>> > Rado
>> >
>> > > Thanks,
>> > > Seb
>> > >
>> > > [1] usually set to node-identifier="${jboss.node.name}"
>> > >
>> > >
>>
> > > On Mon, Apr 9, 2018 at 10:39 AM Sanne Grinovero <sanne at
>> infinispan.org>
>> > > wrote:
>> > >>
>> > >> On 9 April 2018 at 09:26, Sebastian Laskawiec <slaskawi at
>> redhat.com>
>
>
>> > wrote:
>> > >> > Thanks for looking into it Sanne. Of course, we should add it (it
>> can
>> > be
>> > >> > set
>> > >> > to the same name as hostname since those are unique in Kubernetes).
>> > >> >
>> > >> > Created https://issues.jboss.org/browse/ISPN-9051 for it.
>> > >> >
>> > >> > Thanks again!
>> > >> > Seb
>> > >>
>> > >> Thanks Sebastian!
>> > >>
>> > >> >
>>
> > >> > On Fri, Apr 6, 2018 at 8:53 PM Sanne Grinovero <sanne at
>> infinispan.org>
>
>
>> > >> > wrote:
>> > >> >>
>> > >> >> Hi all,
>> > >> >>
>> > >> >> I've started to use the Infinispan Openshift Template and was
>> > browsing
>> > >> >> through the errors and warnings this produces.
>> > >> >>
>> > >> >> In particular I noticed "WFLYTX0013: Node identifier property is
>> set
>> > >> >> to the default value. Please make sure it is unique." being
>> produced
>> > >> >> by the transaction system.
>> > >> >>
>> > >> >> The node id is usually not needed for developer's convenience and
>> > >> >> assuming there's a single node in "dev mode", yet clearly the
>> > >> >> Infinispan template is meant to work with multiple nodes running
>> so
>> > >> >> this warning seems concerning.
>> > >> >>
>> > >> >> I'm not sure what the impact is on the transaction manager so I
>> asked
>> > >> >> on the Narayana forums; Tom pointed me to some thourough design
>> > >> >> documents and also suggested the EAP image does set the node
>> > >> >> identifier:
>> > >> >> - https://developer.jboss.org/message/981702#981702
>> > >> >>
>> > >> >> WDYT? we probably want the Infinispan template to set this as
>> well,
>> > or
>> > >> >> silence the warning?
>> > >> >>
>> > >> >> Thanks,
>> > >> >> Sanne
>> > >> >> _______________________________________________
>> > >> >> infinispan-dev mailing list
>>
> > >> >> infinispan-dev at lists.jboss.org
>
>
>> > >> >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>> > >> >
>> > >> >
>> > >> > _______________________________________________
>> > >> > infinispan-dev mailing list
>>
> > >> > infinispan-dev at lists.jboss.org
>
>
>> > >> > https://lists.jboss.org/mailman/listinfo/infinispan-dev
>> > >> _______________________________________________
>> > >> infinispan-dev mailing list
>> > >> infinispan-dev at lists.jboss.org
>> > >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>> >
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL:
>> http://lists.jboss.org/pipermail/wildfly-dev/attachments/20180416/65962cf...
>>
>>
>>
>>
6 years, 8 months
WFLYTX0013 in the Infinispan Openshift Template
by Sanne Grinovero
Hi all,
I've started to use the Infinispan Openshift Template and was browsing
through the errors and warnings this produces.
In particular I noticed "WFLYTX0013: Node identifier property is set
to the default value. Please make sure it is unique." being produced
by the transaction system.
The node id is usually not needed for developer's convenience and
assuming there's a single node in "dev mode", yet clearly the
Infinispan template is meant to work with multiple nodes running so
this warning seems concerning.
I'm not sure what the impact is on the transaction manager so I asked
on the Narayana forums; Tom pointed me to some thourough design
documents and also suggested the EAP image does set the node
identifier:
- https://developer.jboss.org/message/981702#981702
WDYT? we probably want the Infinispan template to set this as well, or
silence the warning?
Thanks,
Sanne
6 years, 8 months