# general
p
Hi team, I'm trying to figure out how to properly connect to a remote caching service (bazel-cache) that's behind our internal proxy service. So far I'm getting lots of:
Failed to read from remote cache (4 occurrences so far): Unknown: "transport error"
and I was wondering if there's a way to get more debug info?
Bits of pants.toml that may be relevant:
```toml
[GLOBAL]
pants_version = "2.16.0"

remote_cache_read = true
remote_cache_write = true
remote_store_address = "grpcs://username:pass@our-internal.proxy:443"
remote_instance_name = "main"

remote_ca_certs_path = "path to .pem file with proxy ca, cert and key (self signed cert)"
remote_store_headers = "some headers for the proxy to forward traffic to bazel-cache"
```
I tried running locally against the bazel-cache docker file (so, no TLS, no proxy, but with basic auth) and it worked fine
when running pants tests, I can see this bit in the logs:
```
16:48:23.94 [DEBUG] add_pem_file processed 2 valid and 0 invalid certs
```
and I have 2 certificates in my .pem file, so I assume those are read correctly
I'm not sure if that's our infrastructure problem (that's a custom proxy...) or pants setup, is there a way to get more logs with a bit more detail on that transport error?
that happens during reading the cache
after tests are run, I can see this in the logs:
```
6:58:44.75 [ERROR] TLS alert received: Message {
    typ: Alert,
    version: TLSv1_3,
    payload: Alert(
        AlertMessagePayload {
            level: Fatal,
            description: CertificateRequired,
        },
    ),
}
```
but this looks like it's happening when writing to cache; so it may be that my certificate is completely ignored
I'd be grateful for any tips here, thanks 🙂
f
Does your internal proxy handle HTTP/2 traffic?
(which is what gRPC operates over)
p
I think so, if gRPC needs that; in general it works for other services we use, so bazel-cache is not the only one it directs the traffic to/from
f
You can switch on trace logging with `-ltrace` and dump Rust logs with `--log-show-rust-3rdparty` (since the gRPC code in Pants for remote cache is all done in Rust)
`description: CertificateRequired` implies to me that something is misconfigured or otherwise happening with setting up the TLS connection
p
right, I will first write some basic grpc python script to check if I can send any grpc calls to the service directly, bypassing pants completely... Thanks!