Setup Client/Server setup for qemu/kvm - server

Server: server should have one NIC for internet access and another to communicate with clients
RAM: 4 GB
CPUs: 2
NIC 1: NAT
NIC 2: host-only, but I don't know the subtype (bridge, VEPA, private, etc.)
storage: 20 GB
Client: should be able to connect to server but should not have internet access
RAM: 2 GB
CPUs: 1
NIC: host-only; doesn't need internet access, just needs to download yum and pip packages
storage: 10 GB
Progress so far:
Created server and client machines. I'm not getting an IP for the host-only NIC.
Server:
NIC 1: NAT. I get the IP for this one and I'm also able to ping 8.8.8.8.
<interface type="network">
<mac address="52:54:00:e2:39:72"/>
<source network="default" portid="15a8afb0-12fa-43d6-8bbe-c1509c6dae82" bridge="virbr0"/>
<target dev="vnet0"/>
<model type="virtio"/>
<alias name="net0"/>
<address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
NIC 2: host-only. I'm not getting an IP for this one.
<interface type="direct">
<mac address="52:54:00:c7:1c:99"/>
<source dev="vmnet1" mode="bridge"/>
<target dev="macvtap0"/>
<model type="virtio"/>
<alias name="net1"/>
<address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
</interface>
I cannot paste images; apparently I need 10 rep. I cannot use the clipboard on minimal VMs :(

Related

Google Cloud SQL — irregular authentication failures

I have an App Engine Flex Java service (REST backend, 1 instance, always up) which connects to a Cloud SQL instance using IAM authentication (service account). Everything seems to work fine most of the time, but sometimes I'm having timeouts on REST calls, and my service and its clients are experiencing DoS.
GCP logs show me that I had 7365 occurrences of this error during the last 7 days, which is insane:
org.springframework.dao.DataAccessResourceFailureException: Unable to acquire JDBC Connection; nested exception is org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection
I was thinking of limited availability of the Cloud SQL instance itself b/c mine is not highly available, but I see those errors in the Postgres log (which is my Cloud SQL DB), which shows that the instance itself is available but the credentials are not OK:
2022-06-16 08:33:33.316 UTC [610407]: [1-1] db=db-dev,user=connect-xxx#appspot FATAL: Cloud SQL IAM service account authentication failed for user "connect-xxx#appspot"
2022-06-16 08:33:33.316 UTC [610407]: [1-1] db=db-dev,user=connect-xxx#appspot DETAIL: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Connection matched pg_hba.conf line 21: "local all +cloudsqliamserviceaccount cloudsql-iam-svc-acct"
I was thinking of some issues in Cloud SQL Auth Proxy but its logs don't show anything that could help.
My connection settings:
<bean id="hikariConfig" class="com.zaxxer.hikari.HikariConfig">
<property name="poolName" value="springHikariCP" />
<property name="connectionTestQuery" value="SELECT 1" />
<property name="driverClassName" value="org.postgresql.Driver" />
<property name="connectionTimeout" value="600000"/>
<property name="jdbcUrl" value="jdbc:postgresql://127.0.0.1:3306/db-dev?cloudSqlInstance=connect-xxx:europe-west9:dev&amp;socketFactory=com.google.cloud.sql.postgres.SocketFactory" />
<property name="username" value="connect-xxx#appspot"/>
<!-- IAM auth -->
<property name="password" value="dummy"/>
<property name="dataSourceProperties">
<props>
<prop key="sslmode">disable</prop>
<prop key="enableIamAuth">true</prop>
</props>
</property>
<!---->
</bean>
My App Engine service has 1 vCPU & 4 gigs of RAM.
I see some spikes in CPU usage (up to 80%), but they do not coincide with the DoS. Memory usage is never higher than 1.5 gigs.
My Postgres instance has 1 vCPU & 3.75 gigs of RAM.
CPU usage is always about 5%, memory usage is about 2 gigs, and there are never more than 6 transactions per second.
Any ideas?
UPD regarding SQL proxy:
I use
beta_settings:
  cloud_sql_instances: connect-xxx:europe-west9:dev=tcp:3306
in my app.yaml. I also clearly use 3306 port in connection string.
Cloud SQL Proxy is there and also listening on 3306:
docker logs yyy
2022/06/21 15:44:23 current FDs rlimit set to 1048576, wanted limit is 8500. Nothing to do here.
2022/06/21 15:44:24 Listening on 0.0.0.0:3306 for connect-xxx:europe-west9:dev
2022/06/21 15:44:24 Ready for new connections
2022/06/21 15:44:24 Generated RSA key in 731.70246ms
systemd-r 246 systemd-resolve 14u IPv4 13413 0t0 TCP 127.0.0.53:53 (LISTEN)
container 345 root 11u IPv4 14603 0t0 TCP 127.0.0.1:45795 (LISTEN)
sshd 422 root 3u IPv4 14545 0t0 TCP *:22 (LISTEN)
sshd 422 root 4u IPv6 14546 0t0 TCP *:22 (LISTEN)
dockerd 447 root 27u IPv4 17276 0t0 TCP 172.17.0.1:3306 (LISTEN)
PG Socket factory dep:
<dependency>
<groupId>com.google.cloud.sql</groupId>
<artifactId>postgres-socket-factory</artifactId>
<version>1.6.0</version>
</dependency>
UPDATE 2:
Google confirmed this is an issue on their side and they will roll out the fix in a few weeks.

Tomcat 7 RemoteHostValve not working for localhost

I am trying to restrict access to a Tomcat 7 Server by using this valve: org.apache.catalina.valves.RemoteHostValve.
It's working fine for other hosts, but I can not access the server locally by using the localhost (http://localhost:8080).
Here is the Valve:
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="host2.xy.i|host2.xy.i|localhost"/>
Any ideas?
For this function, hostname lookups are needed.
Did you check that you have set this?
<Connector enableLookups="true" />
If it's not working with the hostname, you could reach the same result with:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\..*"/>
But check whether you have a localhost IPv6 address; this example matches only IPv4.

How can I run WildFly 8 on port 80

How can I run WildFly 8.2.1 on port 80? I can run WildFly on different ports by changing the offset as below.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
But I am unable to run it on port 80.
Offset adds that value to all ports. So if you had http set to the default port 8080, an offset of 100 would set it to 8180.
You want to set the socket for http.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="http" port="${jboss.http.port:80}"/>
</socket-binding-group>
Alternatively, all of these values can be passed in via the command line, so you can run: standalone.sh -Djboss.http.port=80
Note: on some operating systems (OSX and variants of Linux) you must be superuser to bind things to port 80.

Unable to send traffic over RDMA

I have softROCE set up on SUSE Linux SP11. I am trying to validate the traffic over the RXE device. I am able to send and receive traffic using ibv_*_pingpong. But for rping it is giving an error RDMA_CM_EVENT_UNREACHABLE, error -110.
#rxe_cfg -l
Name  Link  Driver  Speed  NMTU  IPv4_addr      RDEV  RMTU
p4p1  yes   r8169          1500  10.213.64.106  rxe0  1024 (3)

Load balancing in mod cluster is not working

I have JBoss servers on Linux boxes, and I configured an Apache server on a Windows machine. I am able to see all the JBoss server nodes in my mod_cluster manager console.
I have deployed one Camel application on all the JBoss servers, and I have done the performance test with 2, 4 and 6 nodes. But there is no performance difference.
Find the JBoss configuration below:
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config proxy-list="x.x.x.x:6666" advertise="false">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
For parallel execution of nodes, do I have to do any other configuration?
Thanks in advance.
1 - Download the latest version of mod_cluster at this link and extract it.
2 - Configure your mod_cluster in the httpd.conf file like above.
Listen ##PUT THE BALANCER IP HERE##:80
############### mod_cluster Setting - STARTED ###############
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# MOD_CLUSTER_ADDS
# Adjust to your hostname and subnet.
<IfModule manager_module>
Listen ##PUT THE BALANCER IP HERE##:6666
ManagerBalancerName mycluster
<VirtualHost ##PUT THE MACHINE IP HERE##:6666>
<Location />
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
</VirtualHost>
</IfModule>
############### mod_cluster Setting - ENDED ###############
3 - Set each of your jboss node's name
<server name="node1" xmlns="urn:jboss:domain:1.2">
4 - Add the instance-id attribute in web subsystem as shown below in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:web:1.1" instance-id="${jboss.node.name}" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
.
.
.
</subsystem>
5 - Add the proxy-list attribute in mod-cluster-config of the modcluster subsystem, containing the IP address and port on which your Apache server (the balancer) is running so that the JBoss server can communicate with it, as shown below, in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config advertise-socket="modcluster" proxy-list="##PUT THE BALANCER IP HERE##:80">
.
.
.
</mod-cluster-config>
</subsystem>
6 - Now you can go to http://BALANCER_IP:80 and test it, and to manage the JBoss instances with mod_cluster go to http://BALANCER_IP:6666/mod_cluster_manager
Obs: if you want to run JBoss in standalone mode you CANNOT use the "-b" flag with the IP 0.0.0.0, which listens for requests from all IPs. I recommend you use the IP of the machine that's running JBoss itself.
With sticky-session="true" (default), the balancer keeps sending requests to the particular node to which the session belongs as long as it is healthy.
If you tell me how you tested, especially: how many clients vs. how many requests, or not etc., I will be able to help you.
Furthermore, consider editing the capacity attribute of the load-metric element.
BTW: "busyness" considers threads in thread pool being occupied with serving requests. You might find that this is not the bottleneck of your system. You might want to add heap, requests or other metrics. See http://docs.jboss.org/mod_cluster/1.2.0/html_single/