| ========================================= |
| Design for replacing Ganeti's HTTP server |
| ========================================= |
| |
| .. contents:: :depth: 4 |
| |
| .. _http-srv-shortcomings: |
| |
| Current state and shortcomings |
| ------------------------------ |
| |
| The :doc:`new design for import/export <design-impexp2>` depends on an |
| HTTP server. Ganeti includes a home-grown HTTP server based on Python's |
| ``BaseHTTPServer``. While it served us well so far, it only implements |
| the very basics of the HTTP protocol. It is, for example, not structured |
| well enough to support chunked transfers (:rfc:`2616`, section 3.6.1), |
| which would have some advantages. In addition, it has not been designed |
| for sending large responses. |
| |
| In the case of the node daemon the HTTP server can not easily be |
| separated from the actual backend code and therefore must run as "root". |
| The RAPI daemon does request parsing in the same process as talking to |
| the master daemon via LUXI. |
| |
| |
| Proposed changes |
| ---------------- |
| |
| The proposal is to start using a full-fledged HTTP server in Ganeti and |
| to run Ganeti's code as `FastCGI <http://www.fastcgi.com/>`_ |
| applications. Reasons: |
| |
| - Simplify Ganeti's code by delegating the details of HTTP and SSL to |
| another piece of software |
| - Run HTTP frontend and handler backend as separate processes and users |
| (esp. useful for node daemon, but also import/export and Remote API) |
| - Allows implementation of :ref:`rpc-feedback` |
| |
| |
| Software choice |
| +++++++++++++++ |
| |
| Theoretically any server able of speaking FastCGI to a backend process |
| could be used. However, to keep the number of steps required for setting |
| up a new cluster at roughly the same level, the implementation will be |
| geared for one specific HTTP server at the beginning. Support for other |
| HTTP servers can still be implemented. |
| |
| After a rough selection of available HTTP servers `lighttpd |
| <http://www.lighttpd.net/>`_ and `nginx <http://www.nginx.org/>`_ were |
| the most likely candidates. Both are `widely used`_ and tested. |
| |
| .. _widely used: http://news.netcraft.com/archives/2011/01/12/ |
| january-2011-web-server-survey-4.html |
| |
| Nginx' `original documentation <http://sysoev.ru/nginx/docs/>`_ is in |
| Russian, translations are `available in a Wiki |
| <http://wiki.nginx.org/>`_. Nginx does not support old-style CGI |
| programs. |
| |
| The author found `lighttpd's documentation |
| <http://redmine.lighttpd.net/wiki/lighttpd>`_ easier to understand and |
| was able to configure a test server quickly. This, together with the |
| support for more technologies, made deciding easier. |
| |
| With its use as a public-facing web server on a large number of websites |
| (and possibly more behind proxies), lighttpd should be a safe choice. |
| Unlike other webservers, such as the Apache HTTP Server, lighttpd's |
| codebase is of manageable size. |
| |
| Initially the HTTP server would only be used for import/export |
| transfers, but its use can be expanded to the Remote API and node |
| daemon (see :ref:`rpc-feedback`). |
| |
| To reduce the attack surface, an option will be provided to configure |
| services (e.g. import/export) to only listen on certain network |
| interfaces. |
| |
| |
| .. _rpc-feedback: |
| |
| RPC feedback |
| ++++++++++++ |
| |
| HTTP/1.1 supports chunked transfers (:rfc:`2616`, section 3.6.1). They |
| could be used to provide feedback from node daemons to the master, |
| similar to the feedback from jobs. A good use would be to provide |
| feedback to the user during long-running operations, e.g. downloading an |
| instance's data from another cluster. |
| |
| .. _requirement: http://www.python.org/dev/peps/pep-0333/ |
| #buffering-and-streaming |
| |
| WSGI 1.0 (:pep:`333`) includes the following `requirement`_: |
| |
| WSGI servers, gateways, and middleware **must not** delay the |
| transmission of any block; they **must** either fully transmit the |
| block to the client, or guarantee that they will continue transmission |
| even while the application is producing its next block |
| |
| This behaviour was confirmed to work with lighttpd and the |
| :ref:`flup <http-software-req>` library. FastCGI by itself has no such |
| guarantee; webservers with buffering might require artificial padding to |
| force the message to be transmitted. |
| |
| The node daemon can send JSON-encoded messages back to the master daemon |
| by separating them using a predefined character (see :ref:`LUXI |
| <luxi>`). The final message contains the method's result. pycURL passes |
| each received chunk to the callback set as ``CURLOPT_WRITEFUNCTION``. |
| Once a message is complete, the master daemon can pass it to a callback |
| function inside the job, which then decides on what to do (e.g. forward |
| it as job feedback to the user). |
| |
| A more detailed design may have to be written before deciding whether to |
| implement RPC feedback. |
| |
| |
| .. _http-software-req: |
| |
| Software requirements |
| +++++++++++++++++++++ |
| |
| - lighttpd 1.4.24 or above built with OpenSSL support (earlier versions |
| `don't support SSL client certificates |
| <http://redmine.lighttpd.net/issues/1288>`_) |
| - `flup <http://trac.saddi.com/flup>`_ for FastCGI |
| |
| |
| Lighttpd SSL configuration |
| ++++++++++++++++++++++++++ |
| |
| .. highlight:: lighttpd |
| |
| The following sample shows how to configure SSL with client certificates |
| in Lighttpd:: |
| |
| $SERVER["socket"] == ":443" { |
| ssl.engine = "enable" |
| ssl.pemfile = "server.pem" |
| ssl.ca-file = "ca.pem" |
| ssl.use-sslv2 = "disable" |
| ssl.cipher-list = "HIGH:-DES:-3DES:-EXPORT:-ADH" |
| ssl.verifyclient.activate = "enable" |
| ssl.verifyclient.enforce = "enable" |
| ssl.verifyclient.exportcert = "enable" |
| ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" |
| } |
| |
| |
| .. vim: set textwidth=72 : |
| .. Local Variables: |
| .. mode: rst |
| .. fill-column: 72 |
| .. End: |
