I have a cronJob that runs at some time interval to download images from remote servers. I had an alpine-php:7.2-fpm Docker image. It works fine with some of the URLs, but it is failing with some URLs.

Here is the code for cURL:

```php
$fp = fopen($fileNameWithPath, 'w');

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_URL => $url,
    CURLOPT_FILE => $fp,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_CONNECTTIMEOUT => 90,
    CURLOPT_TIMEOUT => 180,
    CURLOPT_SSL_VERIFYHOST => 0,
    CURLOPT_SSL_VERIFYPEER => 0,
    CURLOPT_VERBOSE => 1
));
$result = curl_exec($ch);
$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
fclose($fp);
```

I had enabled verbose and the logs in the Kubernetes pods give the following output:

```
* TCP_NODELAY set
* Connected to images.asos-media.com (23.32.5.80) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=GB; L=London; O=ASOS.com Limited; CN=*.asos-media.com
*  start date: Feb 26 00:00:00 2020 GMT
*  expire date: May 27 12:00:00 2021 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Secure Site ECC CA-1
*  SSL certificate verify ok.
> GET /products/wonderbra-new-ultimate-strapless-bra-a-g-cup/5980845-1-beige?$XXL$ HTTP/1.1
Host: images.asos-media.com
Accept: */*
Accept-Encoding: deflate, gzip
* old SSL session ID is stale, removing

* Operation timed out after 180000 milliseconds with 0 bytes received
* Closing connection 0
```

If I run this code from the Docker image locally, it works fine.

Kubernetes Deployment Files

CronJob

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  namespace: scheduleApp
  name: imagedownlload
  labels:
    app: scheduleApp
spec:
  schedule: "5 */4 * * *" # Specify schedule using linux cron syntax
  concurrencyPolicy: Allow
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      parallelism: 1 # Number of Pods start together with Job
      template:
        metadata:
          labels:
            tier: cronservice
        spec:
          volumes:
            - name: pv-restorage
              persistentVolumeClaim:
                claimName: pipeline-volumeclaim
          containers:
            - name: imagedownload
              image: gcr.io/{project_id}/{image_name}:v1.0.2 # Set the image to be used in container with full repository URL
              envFrom:
                - configMapRef:
                    name: app-config
                - secretRef:
                    name: app-secret
              volumeMounts:
                - name: pv-restorage
                  mountPath: /var/www/html/restorage
          restartPolicy: Never
```

Service file

```yaml
apiVersion: v1
kind: Service
metadata:
  name: cron-loadbalancer
  namespace: scheduleApp
spec:
  selector:
    tier: cronservice
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  sessionAffinity: None
  type: LoadBalancer
```

Dockerfile

```dockerfile
FROM php:7.2-fpm-alpine

RUN apk update && apk add \
  libzip-dev \
  unzip \
  && docker-php-ext-configure zip --with-libzip \
  && docker-php-ext-install mysqli zip \
  && rm -rf /var/cache/apk/*

COPY --from=composer:latest /usr/bin/composer /usr/local/bin/composer

COPY composer.* /var/www/html/

RUN cd /usr/local/etc/php/conf.d/ \
  && echo 'memory_limit = -1' >> /usr/local/etc/php/conf.d/docker-php-memlimit.ini

WORKDIR /var/www/html

RUN composer install && composer clear-cache

COPY . /var/www/html/

ENTRYPOINT ["php","console"]

CMD ["-V"]
```

Mr.KoopaKiller
Kathak Dabhi
  • I can see a timeout in your log. Do the nodes of your cluster have some firewall rules, or are they behind a proxy to access the internet? – Mr.KoopaKiller Apr 22 '20 at 13:09
  • @KoopaKiller It is on the Google Cloud Platform and I'm new to GCP. Is there any firewall on the cluster from GCP? I don't have any idea about it. – Kathak Dabhi Apr 23 '20 at 04:58
  • Are you using GKE or a self-managed cluster? By default, GKE doesn't have any firewall rule for accessing the internet. If it is a self-managed cluster, ssh into the node and try to test using curl to check if you are able to reach the internet. Another possibility is to deploy a test pod and try to curl from inside this pod. You could use [this image](https://hub.docker.com/r/curlimages/curl). – Mr.KoopaKiller Apr 23 '20 at 07:49
  • @KoopaKiller Thanks for your reply. I'm using GKE, and the same deployment is working fine with `minikube` on my local system. I will try deploying a test pod with your suggested image. – Kathak Dabhi Apr 23 '20 at 09:22
  • Any update about your issue? – Mr.KoopaKiller Apr 24 '20 at 08:58
  • @KoopaKiller I tried deploying the curl image you suggested on the cluster and it works. It is able to make a connection to the server and download the file. But pods from the cronjob are not able to do it. – Kathak Dabhi Apr 24 '20 at 09:42
  • Weird. If you use 'kubectl exec' on a pod with your image, are you able to download the image, or do you get a timeout error? I mean, does it work when you run a pod using the same image from the cronJob as a Pod? – Mr.KoopaKiller Apr 24 '20 at 14:32
  • @KoopaKiller I tested with my image as an orphan pod, but the result is still the same. I get a timeout error. – Kathak Dabhi Apr 27 '20 at 04:03
  • @KoopaKiller I also tried installing a curl package in my Docker image and the result is still the same. – Kathak Dabhi Apr 27 '20 at 05:33
  • Was the pod deployed on the same node? If the test pod reached the site successfully, take a closer look at your image and see if there is something blocking the internet connection... some proxy configuration or other configuration made in the Dockerfile. – Mr.KoopaKiller Apr 27 '20 at 08:46
  • @KoopaKiller Yes, the pod is deployed on the same node. I have 1 master and 1 node (`preemptible`) in my cluster right now. – Kathak Dabhi Apr 27 '20 at 08:52
  • So, you've deployed the `curl` image and it works, but your image as an orphan pod and as a cronjob is not working... I see you posted your Dockerfile. Could you provide an image built with this Dockerfile with minimal code to test and to try to reproduce your issue? – Mr.KoopaKiller May 04 '20 at 08:55
  • Does your cluster have internet access? Are you using a network policy? Try to check whether you are using a network policy. If you are, you have to enable the access in the policy. – Dilson Rainov May 05 '20 at 01:15
  • @DilsonRainov Yes, my cluster has internet access, and as for network policy, it has correct access, as I am able to download resources from other servers. – Kathak Dabhi May 05 '20 at 08:15
  • Maybe it's a TLS problem... Seems like PHP is ignoring your CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER options. Try to set an older version of TLS, like 1.2: `CURLOPT_SSLVERSION => CURL_SSLVERSION_MAX_TLSv1_2` – Dilson Rainov May 05 '20 at 20:21
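
A diagnostic variant of the download call, as an added example that is not part of the original post or its comments: it keeps certificate verification on, restricts the transfer and its redirects to HTTPS, and returns curl's error code and per-phase timings so a stall like the one in the verbose log can be placed before or after the TLS handshake. The function name `downloadWithDiagnostics`, the `--tls12` switch, the probe file name and the shortened connect and low-speed timeouts are assumptions; the optional TLS 1.2 cap is the one suggested in the last comment.

```php
<?php
// Added example, not the asker's code. downloadWithDiagnostics() is a hypothetical helper.
function downloadWithDiagnostics(string $url, string $path, bool $capTls12 = false): array
{
    $fp = fopen($path, 'w');
    if ($fp === false) {
        return ['ok' => false, 'error' => "cannot open $path for writing"];
    }
    $opts = [
        CURLOPT_URL             => $url,
        CURLOPT_FILE            => $fp,
        CURLOPT_ENCODING        => "",
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 10,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // HTTPS only for the request
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // and for every redirect hop
        CURLOPT_CONNECTTIMEOUT  => 15,   // assumed value: fail fast on connect
        CURLOPT_TIMEOUT         => 180,
        CURLOPT_LOW_SPEED_LIMIT => 1,    // abort after 30 s below 1 byte/s
        CURLOPT_LOW_SPEED_TIME  => 30,   // instead of waiting out the full 180 s
        CURLOPT_SSL_VERIFYPEER  => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST  => 2,    // and that it matches the host name
    ];
    // Cap suggested in the comments; guarded because not every PHP build defines it.
    if ($capTls12 && defined('CURL_SSLVERSION_MAX_TLSv1_2')) {
        $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_MAX_TLSv1_2;
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $ok = curl_exec($ch); // with CURLOPT_FILE set: true on success, false on failure
    $report = [
        'ok'         => $ok !== false,
        'errno'      => curl_errno($ch),  // 28 = operation timed out
        'error'      => curl_error($ch),
        'http_code'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'primary_ip' => curl_getinfo($ch, CURLINFO_PRIMARY_IP),
        'connect_s'  => curl_getinfo($ch, CURLINFO_CONNECT_TIME),       // TCP connected
        'tls_done_s' => curl_getinfo($ch, CURLINFO_APPCONNECT_TIME),    // TLS handshake finished
        'first_byte' => curl_getinfo($ch, CURLINFO_STARTTRANSFER_TIME), // 0 if no byte arrived
        'total_s'    => curl_getinfo($ch, CURLINFO_TOTAL_TIME),
    ];
    curl_close($ch);
    fclose($fp);
    return $report;
}
// Runs only when a URL is passed on the command line: php probe.php <url> [--tls12]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(downloadWithDiagnostics($argv[1], sys_get_temp_dir() . '/probe.bin', in_array('--tls12', $argv, true)));
}
```

Running it once from the failing pod and once from the pod where the download works gives two reports to compare; a non-zero `tls_done_s` with `first_byte` at 0 matches the log above, where the request is sent and no response bytes arrive.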
