AWS Greengrass Fleet Provisioning Questions - aws-iot-greengrass

How do I validate within the device that it was provisioned?
When applying a Pre-Provisioning Hook, the documentation says that if the hook doesn't return within 5 seconds, provisioning fails with ACCESS DENIED. Is there a way to configure a timeout longer than 5 seconds?
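Neither question is answered on the page. As an added illustration (not code from the original thread, and not AWS's own), the following Python Lambda handler shows the shape of a pre-provisioning hook that makes its allow/deny decision well inside the fixed 5-second budget and fails closed when it cannot. The event and response field names (`parameters`, `allowProvisioning`, `parameterOverrides`) follow the AWS IoT fleet-provisioning hook contract as documented; the template parameter names `SerialNumber` and `ThingName`, the in-memory allowlist and the 3-second self-imposed budget are assumptions made for the example.

```python
import json
import time

# Constructed allowlist of serial numbers registered at manufacturing time.
# In a real deployment this lookup would query a table such as DynamoDB.
ALLOWED_SERIALS = {"SN-0001", "SN-0002", "SN-0003"}

# AWS IoT hard-limits the hook to 5 s (per the question). We cut over
# earlier so a slow lookup yields an explicit deny from our code instead of
# an opaque ACCESS DENIED after the platform timeout. Assumed value.
SELF_IMPOSED_BUDGET_SECONDS = 3.0


def lookup_serial(serial, allowlist=ALLOWED_SERIALS):
    """Return True if the serial is registered. Stand-in for a DB query."""
    return serial in allowlist


def decide(event, lookup=lookup_serial, budget=SELF_IMPOSED_BUDGET_SECONDS,
           clock=time.monotonic):
    """Return the hook response dict for one fleet-provisioning event.

    Fails closed: a missing serial, an unknown serial, a lookup exception or
    a budget overrun all produce allowProvisioning=False.
    """
    started = clock()
    params = event.get("parameters") or {}
    serial = params.get("SerialNumber")  # assumed template parameter name
    if not isinstance(serial, str) or not serial:
        return {"allowProvisioning": False}
    try:
        registered = lookup(serial)
    except Exception:
        registered = False
    if clock() - started > budget:
        # Too slow: deny now rather than let the 5 s hard limit fire.
        return {"allowProvisioning": False}
    if not registered:
        return {"allowProvisioning": False}
    return {
        "allowProvisioning": True,
        # parameterOverrides pins template values the device must not choose
        # for itself; here the thing name is derived from the checked serial.
        "parameterOverrides": {"ThingName": f"device-{serial}"},
    }


def handler(event, context=None):
    """Lambda entry point: decide, emit one audit log line, return."""
    response = decide(event)
    serial = (event.get("parameters") or {}).get("SerialNumber")
    print(json.dumps({"serial": serial,
                      "allow": response["allowProvisioning"]}))
    return response


if __name__ == "__main__":
    # Constructed sample events: one registered serial, one unknown.
    print(handler({"parameters": {"SerialNumber": "SN-0001"}}))
    print(handler({"parameters": {"SerialNumber": "SN-9999"}}))
```

The `budget` and `clock` parameters exist so the timeout path can be exercised without a real slow dependency; in production the only knob you would touch is `SELF_IMPOSED_BUDGET_SECONDS`.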

Related

Checklist when moving from Heroku to AWS

I am trying to move my backend API app (node.js express server) from Heroku to AWS Elastic Beanstalk. But I did not realize the amount of features that Heroku was providing automatically and which I now have to set up manually in AWS.
So here is the list of features which I discovered were missing in AWS and the solutions I have implemented.
Could you please let me know if I am missing something in order to run smoothly my APIs in AWS and get the equivalent of what I had in Heroku?
auto-restart server when crashed : I am using PM2 to automatically restart my server in case of critical error
SSL certificate : I am using AWS ACM certificate,
logging : have inserted the datadog agent in order to receive logs in datadog
logging response time : I have added the "morgan-body" package to get each request's duration and response code (had to manually filter the AWS health checks and search engine bots, because AWS gave me an IP address which was visited constantly by Baidu bots)
server timeout : I have implemented a 1200000ms timeout on the whole app (any better option?)
auto deploy from Github : I have implemented a github automation to deploy code automatically (better options?)
Am I missing something? This app is already live so I do not want to put my customers at risk when I will move from Heroku to AWS...
Thanks for your help!
I believe you are covered:
Heroku Dynos restart after crashing or raising an error (Heroku Restarting Policy)
SSL certificates are provided for free
logging: Heroku supports various plugins, including Datadog
response time (in millisec) is logged automatically
HTTP timeout is 30 sec (it cannot be changed)
deploy from Github is possible (connecting the accounts), Docker deployment is also supported. Better options? Using Github Actions to deploy a new version after code push or tagging.
If you are migrating a production environment I strongly suggest first to set up a Heroku (Free) Dyno to test and verify all your needs are satisfied.

Partial sysprep when creating Windows AMI

tl;dr: I want to create an AMI with "partial sysprep" so that SSM can connect when I launch a different Instance Type than the original off that AMI, but want to keep all else equal. It only needs to update metadata/KMS routes.
I recently hit an issue where SSM was unreachable if I deployed instances of an instance type other than the instance type for which the AMI was originally created. This turned out to be because the different instance size would be launched into a different availability zone, and the routes to connect to SSM were saved to the image pointing to the availability zone of the original instance type AMI.
The solution to this was to shut down with sysprep before creating the AMI. However, that opened other issues:
1- Launching systems off the sysprep'd AMI takes 2+ minutes for SSM to become available, as opposed to instantly when sysprep is not used. But more importantly:
2- Part of my launch script downloads an exe to the desktop and installs it using SSM RunPowerShellScript. This part now fails, I believe because the desktop, etc. isn't created until I RDP into the new instance. I've tested with a 15 minute sleep with the same result. That portion of the code runs fine after I've RDP'd into the instance.
I have:
1. Confirmed the exe installer runs fine when the AMI is not sysprep'd. However, in this mode, I am stuck with only the Instance Type for which the original AMI was created.
2. Tried a 15min sleep before downloading/running the installer when sysprep is used. This did not work.
3. Confirmed that on the sysprep'd image, the installer downloads & runs if I have RDP'd into the instance to initialize the desktop, etc.
This is all related to metadata/KMS routes described at the bottom of the page here: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-inittasks
When an AMI is created without using sysprep, if an instance launches off that AMI into a different Availability Zone, SSM is unreachable and the following error occurs in logs:
2019-08-28 22:39:12 ERROR [func1 # coremanager.go.245] [instanceID=i-0d6c57bbfe2db46af] error occurred trying to start core module. Plugin name: StartupProcessor. Error: Internal error occurred by startup processor: runtime error: invalid memory address or nil pointer dereference
2019-08-28 22:39:27 ERROR [SetWebSocket # controlchannel.go.89] [MessageGatewayService] Failed to get controlchannel token, error: CreateControlChannel failed with error: createControlChannel request failed: unexpected response from the service Unauthorized request.
Expected behavior is to be able to launch instances off an AMI with everything preconfigured (including the desktop, etc. which needs to be fully reinitialized when sysprep is used), and have the new instance update metadata/kms routes so SSM is reachable.

Hyperledger Composer: fabric-ca request register failed with errors after machine restart

I had a composer-rest-server running on a host. Due to some reason I had to reboot my aws instance. So I stopped all the fabric docker containers except the chaincode and also stopped the composer rest server.
After rebooting the machine, I restarted all the containers. At this time the chaincode container did not start. However, I issued a ping command with admin identity card and the chaincode container too started.
Next, I restarted the composer rest server with the same admin identity. However, when I tried to issue an "identity request" command for a participant it resulted in:
Unhandled error for request POST /api/system/identities/issue: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authorization failure"}]]
Does it mean the old admin identities are invalidated after a system restart?
This is occurring because when the AWS instance reboots, the identity data within the fabric-ca container is cleared (the container uses sqlite for an ephemeral data store).
If you instead set up the fabric-ca container to use a mysql or postgresql db container, you will be able to persist the identity data even after machine/container restarts.
This question also pertains to your situation: Hyperledger Composer Identity Issue error after network restart (code:20, authorization failure)
This error is usually seen when you try and Issue a New Identity whilst using an Identity that does not have the rights to do so.
(If you are in single user mode the card you started the REST server with does not have the rights, or if in Multi-User mode the card currently being used in the Wallet does not have the rights.)
The Network Admin card initially created to administer the network has the rights to Issue New identities, and if you want to create additional Identities (Cards) that have the right you need to give them issuer rights when you create them. This is an option you use when Issuing an identity. On the CLI you would use a command such as composer identity issue -c admin#my-network --issuer -u mynewuser ...
On the REST server you would include an option in the JSON data e.g.:
{
"participant" : "org.acme.mynetwork.Manager#MGR02",
"userID" : "BrianM",
"options": {"issuer":true}
}

Querying the Historian seems to kill business network

I am on composer 0.16.0 and Fabric 1.0.4
While experimenting with Historian queries via composer-client, I consistently run into a situation where the network becomes non-responsive and the only way to reanimate it seems to be restarting Fabric and redeploying the network.
The error follows:
Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: admin)
So, the questions are:
1. Is this a known issue and is there a workaround? Happy to do more diagnostics and file it properly if that helps.
2. Any way to reboot the network without restarting the Fabric?
Thank you!
So the error "The current identity has not been registered: admin" is fundamentally caused by the fact you are restarting your CA server each time - i.e. a new CA server, a new authority issuing new credentials effectively for 'admin' (and hence your present admin credentials from 'previous' in your card store are not recognised by the new CA server).
Suggest to
1) clear out old admin cards from your card store, e.g. composer card delete --name admin#tutorial-network
2) re-import your 'admin' card through playground or CLI - and do a composer network ping to retrieve credentials to the card store.
3) Reduce your Historian queries result sets by adding selection criteria
Note: To restart your existing Dev Fabric - just use docker stop to stop your containers - and docker start you can restart them from the same state (or use docker-compose stop and docker-compose start if you're familiar with that command). Else, use docker persistence to persist your data.
https://hyperledger.github.io/composer/tutorials/developer-tutorial.html
Probably good to

Firebase 3 database debug output when connecting from node.js SDK

I recently upgraded to run the firebase 3 sdk both in the client, in e2e tests and on the server.
Previously, when using the firebase 2.x sdk, you could connect to firebase in the same way as a client using signInWithCustomToken. This meant I could generate a token with the {debug: true} flag and use this for my mocha tests, meaning I would get verbose output from firebase in the event of a security rejection.
Firebase 3 does not allow you to use client types of auth when running the sdk from node (i.e. mocha). You must use service accounts. I have created the service account and have serviceaccount.json. I can connect and spoof the UID by using databaseAuthVariableOverride and everything is running AOK, but I cannot figure out how to get firebase to send verbose database output so I can debug new firebase rules from my tests.
I have tried things like adding the "Log Viewer" permission to my service account. I have also tried (in vain) adding debug: true to the serviceaccount.json.
Any help appreciated.
Have you tried the following (in Node.js):
firebase.database.enableLogging(true);