Testing Broker connectivity to Snyk and to your SCM
Snyk Broker proxies access between snyk.io and your Git repositories, such as GitHub Enterprise, GitHub.com and Bitbucket Server. Snyk Broker can also be used to enable a secure connection with your on-premise Jira deployment.
The Broker server and client establish an applicative tunnel, proxying requests from snyk.io to the Git server (fetching manifest files from monitored repositories), and vice versa (webhooks posted by the Git server).
The Broker client runs within the user's internal network, keeping sensitive data such as Git tokens within the network perimeter. The applicative tunnel scans and adds only relevant requests to an approved list, narrowing down the access permissions to the bare minimum required for Snyk to actively monitor a repository.
The Snyk Broker should have HTTPS connectivity to both https://broker.snyk.io and your configured Source Code Manager (SCM). The broker allows for many different configurations, so you may need to adjust the troubleshooting steps in this article to suit the configuration in your specific environment.
The broker comes configured with two status check endpoints:
- /systemcheck - this endpoint will return the status of the connection to the SCM
- /healthcheck - this endpoint will return the status of the connection to the broker.snyk.io home server.
These two endpoints will prove very valuable and are the first place to look when troubleshooting any Snyk Broker issue.
The broker is configured with a token that must be set up by Snyk to configure your connection to Snyk. This unique token allows us to ensure that your broker traffic is only configured for your specified Orgs. One broker token can enable connectivity for multiple Orgs. If you need to have a broker configured or updated, please contact Snyk Support by opening a Ticket above.
Troubleshooting through the Broker docker container:
- Step 1: Ping the SCM from the machine the Broker is running on. If that succeeds, go to step 2; otherwise, you need to figure out the network connectivity from the Broker machine to the SCM.
Note: our base Broker image doesn't ship with many useful troubleshooting tools, such as less, to keep the size of the image small.
To install these tools in your docker container you can do the following:
- Find the Docker container ID:
- Log into the container's bash shell as root:
docker exec -u root -it <container_id> bash
- Update apt-get and install curl:
apt-get update; apt-get install curl
- Repeat the above with any other tools that you might need to successfully troubleshoot
- Execute troubleshooting steps such as curl to broker.snyk.io or your SCM:
Testing connectivity to SCM
- Step 2: Next we need to determine if the docker container itself can communicate with the SCM.
- Follow the same steps above to connect to the docker container, but ping or curl your-scm-hostname
- If this fails, you need to enable DNS resolution from the container. In the example I have from one of my customers, they edited the /etc/resolv.conf file.
Replace the upper-case items. Example:
~$ sudo docker container run -d --dns IPOFNAMESERVER --name NAME snyk/broker:bitbucket-server
~$ sudo docker exec -it NAME cat /etc/resolv.conf
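The two status endpoints and the host-versus-container checks from steps 1 and 2 can be combined into one triage script run from the Docker host. This is an added example, not Snyk's own tooling: it assumes the Broker client is published at http://localhost:8000, that a non-200 response from either endpoint means the check failed, and that getent exists on the host and in the container; the function names http_status, dns_state and diagnose are hypothetical. It uses name resolution as a lightweight stand-in for the ping test.

```shell
#!/bin/sh
# Added example (not Snyk's code). Assumptions: the Broker client is published
# at BROKER_URL, a non-200 status means the check failed, and getent exists on
# the host and in the container (Debian-based, as the apt-get steps imply).
BROKER_URL="${BROKER_URL:-http://localhost:8000}"   # assumed port mapping

# HTTP status of a Broker endpoint; 000 means no HTTP response at all.
http_status() {
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$BROKER_URL$1") || true
    echo "${code:-000}"
}

# Print "ok" if $1 resolves, else "fail". With $2 set, resolve inside that container.
dns_state() {
    if [ -n "${2:-}" ]; then
        docker exec "$2" getent hosts "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        getent hosts "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# Map the results to the troubleshooting steps in the article.
# $1 host DNS, $2 container DNS, $3 /healthcheck status, $4 /systemcheck status
diagnose() {
    if [ "$3" = 000 ] || [ "$4" = 000 ]; then
        echo "BROKER_DOWN: no HTTP answer from the Broker client; check the container and its published port"
    elif [ "$3" != 200 ]; then
        echo "SNYK_TUNNEL: /healthcheck failed; test HTTPS from the container to https://broker.snyk.io"
    elif [ "$4" = 200 ]; then
        echo "OK: both status endpoints report a working connection"
    elif [ "$1" != ok ]; then
        echo "STEP1_HOST: the Broker machine cannot resolve the SCM; fix host network/DNS first"
    elif [ "$2" != ok ]; then
        echo "STEP2_CONTAINER_DNS: host resolves the SCM but the container does not; restart with --dns"
    else
        echo "SCM_CHECK: name resolution works; review the SCM settings on the Broker client"
    fi
}

# Usage: sh broker-triage.sh SCM_HOSTNAME CONTAINER_ID
if [ $# -eq 2 ]; then
    diagnose "$(dns_state "$1")" "$(dns_state "$1" "$2")" \
             "$(http_status /healthcheck)" "$(http_status /systemcheck)"
fi
```

The verdict prefix before the colon is stable, so the script can also feed a monitoring check.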