Skip to content

fix: dial schedulers and peers over https when TLS is configured#1859

Open
rtainaan wants to merge 1 commit into
dragonflyoss:mainfrom
rtainaan:fix/scheduler-peer-dial-tls-scheme
Open

fix: dial schedulers and peers over https when TLS is configured#1859
rtainaan wants to merge 1 commit into
dragonflyoss:mainfrom
rtainaan:fix/scheduler-peer-dial-tls-scheme

Conversation

@rtainaan

Copy link
Copy Markdown

Description

The scheduler and peer dial paths build their gRPC channel from an http:// URL, so tonic dials cleartext even when a TLS config is attached. A dfdaemon configured for mTLS then connects in cleartext and fails against a TLS-enforcing server (tls: first record does not look like a TLS handshake), and the host-announce/delete paths never attach a TLS config at all. This selects the https scheme when client TLS is configured and routes the scheduler dials through a single helper so announce and delete get the same mTLS handling as the request path.

Motivation and Context

With mTLS enabled between dfdaemon and the scheduler/peers, the TLS config is loaded but ignored on these paths today — the scheduler and upload-client certificates have no effect and traffic falls back to cleartext.

@pmady

pmady commented May 31, 2026

Copy link
Copy Markdown
Contributor

good catch — the announce and delete paths at scheduler.rs L188/L242/L301 never loaded TLS config at all, which is the more serious side of this. did you test end to end with mTLS between dfdaemon and scheduler? the scheme switch looks right from the code but just want to make sure tonic picks up the https:// correctly with the config attached

@rtainaan

Copy link
Copy Markdown
Author

Yeah I’m surprised no one noticed before. I was verifying end to end mtls when I caught it.

And yep, tested this as a custom patch, dfdaemon handshakes with the scheduler now, fails without it.

@rtainaan rtainaan force-pushed the fix/scheduler-peer-dial-tls-scheme branch from 6cecdde to 2b89cf0 Compare July 2, 2026 05:32
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 27.14286% with 51 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.09%. Comparing base (772c024) to head (0c70d44).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
dragonfly-client/src/grpc/scheduler.rs 0.00% 36 Missing ⚠️
dragonfly-client/src/resource/piece_collector.rs 0.00% 15 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1859      +/-   ##
==========================================
+ Coverage   46.03%   46.09%   +0.05%     
==========================================
  Files          93       93              
  Lines       23465    23488      +23     
==========================================
+ Hits        10803    10827      +24     
+ Misses      12662    12661       -1     
Files with missing lines Coverage Δ
dragonfly-client-util/src/net/mod.rs 70.73% <100.00%> (+8.82%) ⬆️
dragonfly-client/src/dynconfig/mod.rs 0.00% <ø> (ø)
dragonfly-client/src/resource/parent_selector.rs 0.00% <ø> (ø)
dragonfly-client/src/resource/piece_collector.rs 0.00% <0.00%> (ø)
dragonfly-client/src/grpc/scheduler.rs 0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@rtainaan rtainaan force-pushed the fix/scheduler-peer-dial-tls-scheme branch from e90f5de to 5fe0b2a Compare July 2, 2026 05:45
tonic derives a channel's transport security from the URL scheme, not from
whether tls_config() was set: an "http://" endpoint dials cleartext even
with a TLS config attached. The scheduler- and peer-dialing paths hardcoded
the "http" scheme, so a client configured with a CA cert connected in
cleartext and the handshake failed against a TLS-enforcing server. The
host-announce and host-delete paths went further and never attached a TLS
config at all.

Add a net::scheme_for_tls helper that selects the scheme from a fully
configured client TLS identity (ca_cert, cert, and key all present, the same
predicate load_client_tls_config uses), and apply it at each dial site: the
scheduler address in dynconfig, and the peer upload dials in parent_selector
and piece_collector. Gating on ca_cert alone would emit an https URL with no
TLS config and fail the dial.

For the scheduler gRPC client, consolidate the four channel-construction
sites into one connect_to_scheduler() helper that derives the scheme the same
way and applies load_client_tls_config() uniformly, so the announce and
delete paths get the same mTLS treatment as the request path.

Tests:
  cargo fmt --all -- --check                       clean
  cargo clippy --all --all-targets -- -D warnings  clean
  cargo test -p dragonfly-client-util net::tests   6 passed
Signed-off-by: Raymond (Kai) Tainaan <282025710+rtainaan@users.noreply.github.com>
@rtainaan rtainaan force-pushed the fix/scheduler-peer-dial-tls-scheme branch from 5fe0b2a to 0c70d44 Compare July 2, 2026 06:50
@rtainaan

rtainaan commented Jul 2, 2026

Copy link
Copy Markdown
Author

@gaius-qi mind reviewing this? Not allowed to use a custom fork in prod so kind of stuck here.

@mingcheng mingcheng added the enhancement New feature or request label Jul 3, 2026

@mingcheng mingcheng left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

key: &Option<PathBuf>,
) -> &'static str {
if ca_cert.is_some() && cert.is_some() && key.is_some() {
"https"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggest using const for "https" and "http" strings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants