Connect to Azure Cassandra Managed Instance from Janus Graph docker container

I'm unable to connect from the JanusGraph docker container to a Cassandra cluster set up in Azure. Here is what the compose file (a modified docker-compose-cql-es) looks like:

version: "3"

services:
  janusgraph:
    image: docker.io/janusgraph/janusgraph:latest
    container_name: jce-janusgraph
    environment:
      JANUS_PROPS_TEMPLATE: cassandra-es
      janusgraph.storage.backend: cql
      janusgraph.storage.hostname: 10.2.0.6,10.2.0.9
      janusgraph.index.search.hostname: jce-elastic
      janusgraph.storage.username: cassandra
      janusgraph.storage.password: *****
      SSL_VERSION: TLSv1_2
      SSL_VALIDATE: 'false'
    ports:
      - "8182:8182"
    networks:
      - jce-network
    healthcheck:
      test: ["CMD", "bin/gremlin.sh", "-e", "scripts/remote-connect.groovy"]
      interval: 10s
      timeout: 30s
      retries: 3
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.6.0
    container_name: jce-elastic
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "http.host=0.0.0.0"
      - "network.host=0.0.0.0"
      - "transport.host=127.0.0.1"
      - "cluster.name=docker-cluster"
      - "xpack.security.enabled=false"
      - "discovery.zen.minimum_master_nodes=1"
    ports:
      - "9200:9200"
    networks:
      - jce-network

networks:
  jce-network:
volumes:
  janusgraph-default-data:

I can connect to the cluster via cqlsh, with a few tricks in bash:

export SSL_VERSION=TLSv1_2
export SSL_VALIDATE=false

Unfortunately, this doesn't work at all in the docker container. I keep getting the following error:

All host(s) tried for query failed (tried: /10.2.0.9:9042 (com.datastax.driver.core.exceptions.TransportException: [/10.2.0.9:9042] Connection has been closed), /10.2.0.6:9042 (com.datastax.driver.core.exceptions.TransportException: [/10.2.0.6:9042] Connection has been closed))

So, is there any way to trust the certificate from the docker container? I don't control the Cassandra instance, so I can't turn off SSL.

Tried extracting the public key with OpenSSL, and it helped.

openssl s_client -connect <ip-of-node>:9042 -showcerts

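Copied the level 0 certificate into a text file, including the ---begin-- ---end--- lines, and saved it with a .pem extension. Then converted the .pem certificate to .crt format: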

openssl x509 -outform der -in <cert>.pem -out <cert>.crt

Imported the certificate into a JKS truststore with the following command:

keytool -import -alias <cert-alias> -file <cert>.crt -storetype JKS -keystore server.truststore

Created a properties file with the following content (check the java version):

storage.backend=cql
storage.hostname=<ip of cassandra instances>
storage.username=cassandra
storage.password=<password>
storage.cql.ssl.enabled=true
storage.cql.ssl.truststore.location=/usr/lib/jvm/java-<java-version>-openjdk-amd64/jre/lib/security/cacerts
storage.cql.ssl.truststore.password=changeit
cache.db-cache=true
cache.db-cache-clean-wait=20
cache.db-cache-time=180000
cache.db-cache-size=0.25
index.search.backend=lucene
index.search.directory=<folder for indices>

Then, in the gremlin shell, I created the graph with the factory, and everything worked.

graph = JanusGraphFactory.open('<properties file>')
g = graph.traversal()

Everything can be packaged into a Dockerfile with these steps.
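The certificate steps from the answer above, scripted so they can run unattended (for instance during an image build), as an added example that is not part of the original answer. It also prints the certificate's SHA-256 fingerprint so the fetched certificate can be checked before it is trusted. The function names, the STORE_PASS variable and the sample s_client text are assumptions constructed for this sketch.

```shell
#!/usr/bin/env bash
# Added example. Function names, STORE_PASS and the sample text are assumptions.
STORE_PASS="${STORE_PASS:-changeit}"   # truststore password; pick your own

# Print only the first PEM block (certificate 0, the node's own certificate)
# from `openssl s_client -showcerts` output read on stdin.
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ && !seen { on = 1 }
       on                                     { print }
       /-----END CERTIFICATE-----/ && on      { on = 0; seen = 1 }'
}

# Fetch the certificate a node presents and save it as PEM.
fetch_leaf() {   # usage: fetch_leaf <ip-of-node>:9042 node.pem
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    extract_leaf_pem > "$2"
  [ -s "$2" ] || { echo "no certificate received from $1" >&2; return 1; }
}

# SHA-256 fingerprint, to compare with a value obtained out of band before
# the certificate is imported (a fetched certificate is otherwise unverified).
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Import into a JKS truststore; keytool reads PEM as well as DER input.
import_cert() {  # usage: import_cert node.pem <cert-alias> server.truststore
  keytool -importcert -noprompt -alias "$2" -file "$1" \
    -storetype JKS -keystore "$3" -storepass "$STORE_PASS"
}

# Emit the TLS lines of the JanusGraph properties file for that truststore.
ssl_properties() {  # usage: ssl_properties /path/to/server.truststore
  printf 'storage.cql.ssl.enabled=true\n'
  printf 'storage.cql.ssl.truststore.location=%s\n' "$1"
  printf 'storage.cql.ssl.truststore.password=%s\n' "$STORE_PASS"
}

# Constructed sample of s_client output (placeholder bodies, not real certs).
SAMPLE=' 0 s:CN = node.example.invalid
   i:CN = Example CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERBODY
-----END CERTIFICATE-----
 1 s:CN = Example CA
   i:CN = Example Root
-----BEGIN CERTIFICATE-----
ISSUERPLACEHOLDERBODY
-----END CERTIFICATE-----'
printf '%s\n' "$SAMPLE" | extract_leaf_pem   # prints the first block only
```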