SDK v3 does not work locally with CosmosDB Emulator and Docker like SDK v2 does. #1551
Comments
This looks like a duplicate of #1232 |
Did you follow the docs at https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#running-on-mac-or-linux ? Are you exporting the certificate and importing it as described for Linux? Are you starting the emulator with network requests allowed? |
Did you follow the docs at https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#running-on-mac-or-linux ? (Are you exporting the certificate and importing it as described for Linux?) Are you starting the emulator with network requests allowed? |
So in your case you are running on Windows, and the Emulator is on that Windows machine, but the App is running on a Windows Docker container? Or is it a Linux Docker container? If it's a Linux Docker container, the docs are valid, I tested the same scenario, Windows machine with Emulator, running Ubuntu docker image with a NET Core app inside. I had to export and import the cert into the docker image. The key there was that each distro might use a different directory for certificates. Another thing. I see in your video that you are changing the Endpoint and using the Docker URL, the problem is basically that the Certificate that the Emulator uses is only for localhost, not for the Docker URL. That will always fail, because the Urls don't match (a certificate is valid for the Url it was created for). Is there a chance you can actually use localhost or 127.0.0.1 to connect to the Emulator? |
App is running on a Windows Docker container? Or is it a Linux Docker container? If it's a Linux Docker container, the docs are valid, I tested the same scenario, Windows machine with Emulator, running Ubuntu docker image with a NET Core app inside. I had to export and import the cert into the docker image. The key there was that each distro might use a different directory for certificates. Is there a chance you can actually use localhost or 127.0.0.1 to connect to the Emulator? Just to note and you can see from the video too, there is no problem whatsoever with SDK v2. Please revert back the functionality as before. We have +30 devs that are waiting on this issue. This post is duplicate as j82w said. |
I have provided a small code sample in the first post, please take it, change it, and make it work for Core 3.1. Then upload the working scenario or you can record screen as well. Not just you, but anybody that thinks this is doable. Update 1: I just saw that you have new version from 6 days ago with #1441 merged. Maybe this can help us somehow, but I have to test it. |
Step 1 - Export the Certificate
The certificate needs to be a PFX, not CRT. It will ask you to set some password.
Step 2 - Place the cert somewhere you can copy or access from docker
I wrote a small Console App with the following code:
    using System;
    using System.Threading.Tasks;
    using Microsoft.Azure.Cosmos;
    using Newtonsoft.Json;

    public class Program
    {
        private static string EndpointUrl = "https://localhost:8081";
        private static string PrimaryKey = "C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==";
        public static async Task Main(string[] args)
        {
            // Gateway mode sends every request over HTTPS to the emulator endpoint
            CosmosClient client = new CosmosClient(EndpointUrl, PrimaryKey, new CosmosClientOptions(){ ConnectionMode = ConnectionMode.Gateway });
            Container container = client.GetContainer("test", "test");
            ItemResponse<dynamic> response = await container.ReadItemAsync<dynamic>("test", new PartitionKey("test"));
            Console.WriteLine(JsonConvert.SerializeObject(response.Resource));
        }
    }
And I placed the cert in the folder with the source code. Then I went to the Emulator and created a container and an item inside (I did this on Windows, not docker):
Step 3 - Get your machine's IP address
As per https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#running-on-mac-or-linux, I used
Step 4 - Start a docker image
In my case, I use one with the NET Core 3.1 SDK, the official one from https://docs.microsoft.com/en-us/dotnet/architecture/microservices/net-core-net-framework-containers/official-net-docker-images I started the container with an interactive shell, and mapping
And I'm also mounting the folder where I saved the project and the certificate I want to import. This is not required, but I'm not fluent in Docker to know if there is a better way to pass the certificate. After the shell starts, I basically run the commands described in the doc and the certificate gets added.
Step 5
Run the app from inside docker, I used
Basically, I followed https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#linux plus the previous part where I had to obtain the IP. |
Instead of the 5 steps above, a disableSSLVerification feature might be more convenient from a dev perspective, as is present in the Python azure-cosmos SDK and azure-cosmos-js. |
Hi, Side by side, the app on .NET Core 2.2 works locally but not the one on .NET Core 3.1. I've tried to run the CosmosDb Emulator on a Docker container without any success. By setting an IHttpClientFactory to bypass SSL certificate validation I got the following error:
Microsoft.Azure.Cosmos.CosmosException: 'Response status code does not indicate success: ServiceUnavailable (503); Substatus: 0; ActivityId: 00000000-0000-0000-0000-000000000000; Reason: ( <TITLE>Network Error</TITLE>
RequestUri: https://127.0.0.1:8081//addresses/?$resolveFor=dbs%2fiJ1ZAA%3d%3d%2fcolls%2fiJ1ZAPfNpqM%3d%2fdocs&$filter=protocol eq rntbd&$partitionKeyRangeIds=0;
For my migration I am moving from Microsoft.Azure.Cosmos 3.6 (.NET Core 2.2) to Microsoft.Azure.Cosmos 3.10.1 (.NET Core 3.1) and from what I see on debug the CosmosClient class seems to have changed a lot. This is a "Go To Production" blocking issue. Do we need to stop all our migrations to .NET Core 3.1 on CosmosDB or is there some workaround? Regards |
I continue my investigation on CosmosDB on Docker and .NET Core 3.1. What I don't understand is: why can I open the CosmosDb Emulator in a browser and then query it, but not from my API? Here is what I got from my Visual Studio Output console:
'iisexpress.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.5\System.Net.ServicePoint.dll'. Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.
DocDBTrace Information: 0 : Creating RNTBD TransportClient with options Rntbd.TransportClient.Options
DocDBTrace Error: 0 : DocumentClientException with status code: NotFound, message: Message: {"Errors":["Resource Not Found"]}
Regards |
Ok guys, one step further. On my CosmosClientOptions I put ConnectionMode = ConnectionMode.Gateway, but guess what: CosmosClient tries to turn it into Direct Mode (Tcp) on my container IP address??? Just one word: HELP.
DocDBTrace Information: 0 : DocumentClient with id 1 initialized at endpoint: https://localhost:8081/ with ConnectionMode: Gateway, connection Protocol: Https, and consistency level: null
DocDBTrace Information: 0 : TimerPool Created with minSupportedTimerDelayInSeconds = 1 |
Hello everybody, End of the weekend and, by the way, end of this issue :) As for everything in IT, it is so simple once you identify the root cause... My problem was the following: I'm on my professional laptop that is secured: to access the internet or my corporate intranet I have to go through my corporate proxy that is set through a proxy.pac set by a policy at start-up. In my global settings the NO_PROXY variable includes localhost ... but not 127.0.0.1. As I showed in the comments above, the CosmosClient, once it identifies a localhost call, continues with 127.0.0.1 as host. So by just setting "127.0.0.1" and "localhost" at the start of your NO_PROXY global setting you don't need to set up CosmosDB Emulator on Docker; on local it works perfectly well. So long muchachos... |
@ealsur Is there a possible way to have some property for disabling SSL as @priyankajayaswal1 suggested? |
@FVilevski the discussion the team had back in the day was around the dangers of such a direct property. If there were such a property and the code was pushed to production (accidentally, hopefully), it would mean all data communications would be totally unsecure and your application is now subject to data breach scenarios. Since this is a dev-only scenario (you'd never use the Emulator in production), the steps to set up the required components (while I agree troublesome) make sure that when you push it to production, there is no way you can generate an insecure scenario. I agree also that in hybrid scenarios, the whole SSL certificate dance represents extra steps and if you use docker, then it also implies powershell scripts. Ideally this would be solved (for the most part) with an Emulator that works on Linux (which is something that the team is still working on). |
No offence, but you are treating developers like children. Let us worry about accidental pushes to production. Especially considering the other SDKs already have this added. |
@D3MaxT can you not use the HttpClientFactory to disable the SSL validation and switch the client to gateway mode? |
@j82w HttpClientFactory will work but it is not yet included in any release. After the next release, this should work:
Or if you are using a NET Standard 2.1 project:
|
3.12.0 is released with the necessary changes. @ealsur's example above will now work just like in v2 SDK.
Or if you are using a NET Standard 2.1 project:
|
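A narrower form of the HttpClientFactory workaround discussed above, added here as an example (it is not code from this thread or from the SDK team): instead of accepting any certificate, it accepts only the emulator certificate whose SHA-256 hash the caller pins, and only when the caller flags a development environment. `EmulatorClientFactory`, its parameters and the pinned hash are hypothetical; `CosmosClientOptions.HttpClientFactory` is assumed available as of SDK 3.12.0, per the comment above, and the hash call assumes .NET Core 2.0 or later.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.Cosmos;

// Hypothetical helper, not part of the Cosmos SDK.
public static class EmulatorClientFactory
{
    // pinnedSha256: hex SHA-256 hash (no spaces or colons) of the certificate
    // exported from the emulator, supplied by the caller.
    public static CosmosClient Create(
        string endpoint, string key, bool isDevelopment, string pinnedSha256)
    {
        var options = new CosmosClientOptions { ConnectionMode = ConnectionMode.Gateway };

        // Outside development the default handler stays in place, so normal
        // chain and host-name validation applies to every request.
        if (isDevelopment)
        {
            if (string.IsNullOrWhiteSpace(pinnedSha256))
                throw new ArgumentException("A pinned certificate hash is required.", nameof(pinnedSha256));

            options.HttpClientFactory = () => new HttpClient(new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback =
                    (request, cert, chain, errors) => IsTrusted(cert, errors, pinnedSha256)
            });
        }

        return new CosmosClient(endpoint, key, options);
    }

    // Accepts a certificate that validates normally, or one that fails validation
    // (for example a name mismatch when the emulator is reached by IP address)
    // but is exactly the pinned emulator certificate.
    public static bool IsTrusted(X509Certificate2 cert, SslPolicyErrors errors, string pinnedSha256)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        return cert != null && string.Equals(
            cert.GetCertHashString(HashAlgorithmName.SHA256),
            pinnedSha256,
            StringComparison.OrdinalIgnoreCase);
    }
}
```

In an ASP.NET Core app the `isDevelopment` flag would typically come from `IHostEnvironment.IsDevelopment()`, so a production deployment never installs the relaxed callback.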
man - I wish I'd have found this thread sooner :( |
Describe the bug
We have some issues regarding working locally with CosmosDB Emulator and Docker itself.
We are trying to make a connection between CosmosDB Emulator that is installed on the host itself and Core API that is started inside Linux container on the same developer machine.
The problem is related to the SSL certificate that is intended for the localhost on the host itself, but not for the Linux container. We have checked everything on Microsoft docs pages for emulator, containers and SSL, Cosmos DB SDKs, and whatnot, but nothing has helped us. There is no case that solves this issue. There are topics for extracting SSL on pages, but we could not manage to make it work.
Since we are looking for a solution that works only for development mode (non-production) anything that can help us we will be happy to apply.
Here is a video link of the issue that I am talking about, works for SDK v2, but not for SDK v3: https://www.loom.com/share/767b5eb281cc40f7b464cbe9eb087467
To Reproduce
Here is the project sample from the video above:
https://drive.google.com/file/d/1FFtdAojde6JNbf_zHEFJzIBRGRhdNMm5/view
Expected behavior
Azure Cosmos SDK v3 should work like SDK v2. The same goes for new SDKs in the future like v4.
Actual behavior
.NET Core 2.x (Working sample)
We have made it work for CosmosDB SDK 2 via code on the API itself that ignores SSL validation. This code is only available for Cosmos SDK 2, which is not the case with SDK 3. We want to use the new Cosmos SDK and not be stuck in the past. For this to work we have used the /AllowNetworkAccess and /Key flags of the emulator itself.
.NET Core 3.x (Not working sample)
Unfortunately, there is no way you can add code to ignore validation in CosmosDB SDK 3, so we tried other mechanisms like exporting certificates and other stuff without any luck.
Solution
I know what should be changed in your code and if you agree I can make a fix for it from the master branch.