Update_ood_portal script does not work

I’m trying to setup ood 1.6. I’m encountering a problem where the “update_ood_portal” script does not produce expected httpd.conf file. Above script worked for SSL setup. However, it did not work for keycloak setup in the authorization step. I was able to get it working following the manual setup described in the documentation. Now I’m in the interactive application setup step but could not get the reverse proxy to work without “update_ood_portal”. Please point me to correct documentation on how to set up httpd.conf manually.

@neranjan it sounds like you are having trouble using update_ood_portal to convert your ood_portal.yml into the proper Apache conf. If you let us know what Apache directives you are trying to add we can help you get the YAML right so that update_ood_portal works properly.

The documentation we have for using KeyCloak with OnDemand is available at: https://osc.github.io/ood-documentation/master/authentication/tutorial-oidc-keycloak-rhel7.html.

The section that is directly relevant to updating the Apache configuration file for OnDemand (ood-portal.conf) is here: https://osc.github.io/ood-documentation/master/authentication/tutorial-oidc-keycloak-rhel7/install_mod_auth_openidc.html#re-generate-main-config-using-ood-portal-generator.

Finally, we do not have documentation posted on setting up ood-portal.conf manually.

Thanks for the reply.

As I mentioned in my original post, I was able to setup KeyCloak. However, I’m having problems setting up Reverse Proxy. Enable Reverse Proxy

I followed direction and add the following lines to the /etc/ood/config/ood_portal.yml.

host_regex: '[\w.-]+\.gsu\.edu'
node_uri: '/node'
rnode_uri: '/rnode'

But after running sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal and restarting the process, the example does not work.

ssh n0001.rs.gsu.edu
nc -l 5432

then
https://ondemand.rs.gsu.edu/node/n0001.rs.gsu.edu/5432/

Also, I do not see any changes in the apache conf file. What could be the reason that update_ood_portal does not work? what is the proper way to debug this problem?

So OSC has this for one of the OnDemand installs:

host_regex: "[\\w.-]+\\.osc\\.edu"
node_uri: "/node"
rnode_uri: "/rnode"

and the corresponding ood-portal.conf generated is:

  # Reverse proxy traffic to backend webserver through IP sockets:
  #
  #     https://ondemand-test.osc.edu:443/node/HOST/PORT/index.html
  #     #=> http://HOST:PORT/node/HOST/PORT/index.html
  #
  <LocationMatch "^/node/(?<host>[\w.-]+\.osc\.edu)/(?<port>\d+)">
    AuthType openid-connect
    Require valid-user

    # ProxyPassReverse implementation
    Header edit Location "^[^/]+//[^/]+" ""

    # ProxyPassReverseCookieDomain implemenation
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation
    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/node/%{MATCH_HOST}e/%{MATCH_PORT}e"

    LuaHookFixups node_proxy.lua node_proxy_handler
  </LocationMatch>

  # Reverse "relative" proxy traffic to backend webserver through IP sockets:
  #
  #     https://ondemand-test.osc.edu:443/rnode/HOST/PORT/index.html
  #     #=> http://HOST:PORT/index.html
  #
  <LocationMatch "^/rnode/(?<host>[\w.-]+\.osc\.edu)/(?<port>\d+)(?<uri>/.*|)">
    AuthType openid-connect
    Require valid-user

    # ProxyPassReverse implementation
    Header edit Location "^([^/]+//[^/]+)|(?=/)" "/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"

    # ProxyPassReverseCookieDomain implemenation
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation
    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"

    LuaHookFixups node_proxy.lua node_proxy_handler
  </LocationMatch>

And this is because the template that is used to render this is: https://github.com/OSC/ondemand/blob/7926843ba237cb831762db698e3b538fb10b025b/ood-portal-generator/templates/ood-portal.conf.erb#L126-L174

So if /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf does not have directives corresponding to the ones above then indeed it appears there is a problem generating the config. Can you confirm that is the case? Is that what you mean when you say “I do not see any changes in the apache conf file”.

If the directives are not there, than adding those would be the first step. I’m not sure why update_ood_portal script would not work but confirm that your YAML config file is at /etc/ood/config/ood_portal.yml.

If the directives are there, what is the error you see when you go to https://ondemand.rs.gsu.edu/node/n0001.rs.gsu.edu/5432/? One common problem is that firewall settings are preventing the request to successfully proxy from the web node to the compute node.

@efranz that’s it. It worked perfectly after manually editing ood_portal.conf. I had my ood_portal.yml in the correct location. but for some reason it did not generate correct ood-portal.conf file. Thanks for your help.

I am also hitting this problem again. The ood-portal.conf file clearly states “DO NOT EDIT THIS FILE” but there are so many lines missing from it - all the reverse proxy stuff. Are we supposed to edit the file since the generator isn’t doing it correctly?

I opened an issue https://github.com/OSC/ondemand/issues/48 to track investigating this problem. The old file should be saved to the same directory so you could do a diff and see what was missing and add it back. Unfortunately every time a new rpm is installed the update script will run and will again backup the existing ood-portal.conf file and write its new one.

Which is the reason for the recommendation to not edit it.

@suzlitz is your correct YAML config still at /etc/ood/config/ood_portal.yml

Yea if you’re still having issues, please attach your ood_portal.yml to the github issue so we can replicate it. Of course, replacing sensitive information with the actual work ‘sensitive’ or sens.itive.edu or similar.