Remove typo from RAPI documentation

[ganeti-local] / doc / design-impexp2.rst

==================================
Design for import/export version 2
==================================

.. contents:: :depth: 4

Current state and shortcomings
------------------------------

Ganeti 2.2 introduced :doc:`inter-cluster instance moves <design-2.2>`
and replaced the import/export mechanism with the same technology. It's
since shown that the chosen implementation was too complicated and and
can be difficult to debug.

The old implementation is henceforth called "version 1". It used
``socat`` in combination with a rather complex tree of ``bash`` and
Python utilities to move instances between clusters and import/export
them inside the cluster. Due to protocol limitations, the master daemon
starts a daemon on the involved nodes and then keeps polling a status
file for updates. A non-trivial number of timeouts ensures that jobs
don't freeze.

In version 1, the destination node would start a daemon listening on a
random TCP port. Upon receiving the destination information, the source
node would temporarily stop the instance, create snapshots, and start
exporting the data by connecting to the destination. The random TCP port
is chosen by the operating system by binding the socket to port 0.
While this is a somewhat elegant solution, it causes problems in setups
with restricted connectivity (e.g. iptables).

Another issue encountered was with dual-stack IPv6 setups. ``socat`` can
only listen on one protocol, IPv4 or IPv6, at a time. The connecting
node can not simply resolve the DNS name, but it must be told the exact
IP address.

Instance OS definitions can provide custom import/export scripts. They
were working well in the early days when a filesystem was usually
created directly on the block device. Around Ganeti 2.0 there was a
transition to using partitions on the block devices. Import/export
scripts could no longer use simple ``dump`` and ``restore`` commands,
but usually ended up doing raw data dumps.


Proposed changes
----------------

Unlike in version 1, in version 2 the destination node will connect to
the source. The active side is swapped. This design assumes the
following design documents have been implemented:

- :doc:`design-x509-ca`
- :doc:`design-http-server`

The following design is mostly targetted at inter-cluster instance
moves. Intra-cluster import and export use the same technology, but do
so in a less complicated way (e.g. reusing the node daemon certificate
in version 1).

Support for instance OS import/export scripts, which have been in Ganeti
since the beginning, will be dropped with this design. Should the need
arise, they can be re-added later.


Software requirements
+++++++++++++++++++++

- HTTP client: cURL/pycURL (already used for inter-node RPC and RAPI
  client)
- Authentication: X509 certificates (server and client)


Transport
+++++++++

Instead of a home-grown, mostly raw protocol the widely used HTTP
protocol will be used. Ganeti already uses HTTP for its :doc:`Remote API
<rapi>` and inter-node communication. Encryption and authentication will
be implemented using SSL and X509 certificates.


SSL certificates
++++++++++++++++

The source machine will identify connecting clients by their SSL
certificate. Unknown certificates will be refused.

Version 1 created a new self-signed certificate per instance
import/export, allowing the certificate to be used as a Certificate
Authority (CA). This worked by means of starting a new ``socat``
instance per instance import/export.

Under the version 2 model, a continously running HTTP server will be
used. This disallows the use of self-signed certificates for
authentication as the CA needs to be the same for all issued
certificates.

See the :doc:`separate design document for more details on how the
certificate authority will be implemented <design-x509-ca>`.

Local imports/exports will, like version 1, use the node daemon's
certificate/key. Doing so allows the verification of local connections.
The client's certificate can be exported to the CGI/FastCGI handler
using lighttpd's ``ssl.verifyclient.exportcert`` setting. If a
cluster-local import/export is being done, the handler verifies if the
used certificate matches with the local node daemon key.


Source
++++++

The source can be the same physical machine as the destination, another
node in the same cluster, or a node in another cluster. A
physical-to-virtual migration mechanism could be implemented as an
alternative source.

In the case of a traditional import, the source is usually a file on the
source machine. For exports and remote imports, the source is an
instance's raw disk data. In all cases the transported data is opaque to
Ganeti.

All nodes of a cluster will run an instance of Lighttpd. The
configuration is automatically generated when starting Ganeti. The HTTP
server is configured to listen on IPv4 and IPv6 simultaneously.
Imports/exports will use a dedicated TCP port, similar to the Remote
API.

See the separate :ref:`HTTP server design document
<http-srv-shortcomings>` for why Ganeti's existing, built-in HTTP server
is not a good choice.

The source cluster is provided with a X509 Certificate Signing Request
(CSR) for a key private to the destination cluster.

After shutting down the instance, creating snapshots and restarting the
instance the master will sign the destination's X509 certificate using
the :doc:`X509 CA <design-x509-ca>` once per instance disk. Instead of
using another identifier, the certificate's serial number (:ref:`never
reused <x509-ca-serial>`) and fingerprint are used to identify incoming
requests. Once ready, the master will call an RPC method on the source
node and provide it with the input information (e.g. file paths or block
devices) and the certificate identities.

The RPC method will write the identities to a place accessible by the
HTTP request handler, generate unique transfer IDs and return them to
the master. The transfer ID could be a filename containing the
certificate's serial number, fingerprint and some disk information. The
file containing the per-transfer information is signed using the node
daemon key and the signature written to a separate file.

Once everything is in place, the master sends the certificates, the data
and notification URLs (which include the transfer IDs) and the public
part of the source's CA to the job submitter. Like in version 1,
everything will be signed using the cluster domain secret.

Upon receiving a request, the handler verifies the identity and
continues to stream the instance data. The serial number and fingerprint
contained in the transfer ID should be matched with the certificate
used. If a cluster-local import/export was requested, the remote's
certificate is verified with the local node daemon key. The signature of
the information file from which the handler takes the path of the block
device (and more) is verified using the local node daemon certificate.
There are two options for handling requests, :ref:`CGI
<lighttpd-cgi-opt>` and :ref:`FastCGI <lighttpd-fastcgi-opt>`.

To wait for all requests to finish, the master calls another RPC method.
The destination should notify the source once it's done with downloading
the data. Since this notification may never arrive (e.g. network
issues), an additional timeout needs to be used.

There is no good way to avoid polling as the HTTP requests will be
handled asynchronously in another process. Once, and if, implemented
:ref:`RPC feedback <rpc-feedback>` could be used to combine the two RPC
methods.

Upon completion of the transfer requests, the instance is removed if
requested.


.. _lighttpd-cgi-opt:

Option 1: CGI
~~~~~~~~~~~~~

While easier to implement, this option requires the HTTP server to
either run as "root" or a so-called SUID binary to elevate the started
process to run as "root".

The export data can be sent directly to the HTTP server without any
further processing.


.. _lighttpd-fastcgi-opt:

Option 2: FastCGI
~~~~~~~~~~~~~~~~~

Unlike plain CGI, FastCGI scripts are run separately from the webserver.
The webserver talks to them via a Unix socket. Webserver and scripts can
run as separate users. Unlike for CGI, there are almost no bootstrap
costs attached to each request.

The FastCGI protocol requires data to be sent in length-prefixed
packets, something which wouldn't be very efficient to do in Python for
large amounts of data (instance imports/exports can be hundreds of
gigabytes). For this reason the proposal is to use a wrapper program
written in C (e.g. `fcgiwrap
<http://nginx.localdomain.pl/wiki/FcgiWrap>`_) and to write the handler
like an old-style CGI program with standard input/output. If data should
be copied from a file, ``cat``, ``dd`` or ``socat`` can be used (see
note about :ref:`sendfile(2)/splice(2) with Python <python-sendfile>`).

The bootstrap cost associated with starting a Python interpreter for
a disk export is expected to be negligible.

The `spawn-fcgi <http://cgit.stbuehler.de/gitosis/spawn-fcgi/about/>`_
program will be used to start the CGI wrapper as "root".

FastCGI is, in the author's opinion, the better choice as it allows user
separation. As a first implementation step the export handler can be run
as a standard CGI program. User separation can be implemented as a
second step.


Destination
+++++++++++

The destination can be the same physical machine as the source, another
node in the same cluster, or a node in another cluster. While not
considered in this design document, instances could be exported from the
cluster by implementing an external client for exports.

For traditional exports the destination is usually a file on the
destination machine. For imports and remote exports, the destination is
an instance's disks. All transported data is opaque to Ganeti.

Before an import can be started, an RSA key and corresponding
Certificate Signing Request (CSR) must be generated using the new opcode
``OpInstanceImportPrepare``. The returned information is signed using
the cluster domain secret. The RSA key backing the CSR must not leave
the destination cluster. After being passed through a third party, the
source cluster will generate signed certificates from the CSR.

Once the request for creating the instance arrives at the master daemon,
it'll create the instance and call an RPC method on the instance's
primary node to download all data. The RPC method does not return until
the transfer is complete or failed (see :ref:`EXP_SIZE_FD <exp-size-fd>`
and :ref:`RPC feedback <rpc-feedback>`).

The node will use pycURL to connect to the source machine and identify
itself with the signed certificate received. pycURL will be configured
to write directly to a file descriptor pointing to either a regular file
or block device. The file descriptor needs to point to the correct
offset for resuming downloads.

Using cURL's multi interface, more than one transfer can be made at the
same time. While parallel transfers are used by the version 1
import/export, it can be decided at a later time whether to use them in
version 2 too. More investigation is necessary to determine whether
``CURLOPT_MAXCONNECTS`` is enough to limit the number of connections or
whether more logic is necessary.

If a transfer fails before it's finished (e.g. timeout or network
issues) it should be retried using an exponential backoff delay. The
opcode submitter can specify for how long the transfer should be
retried.

At the end of a transfer, succssful or not, the source cluster must be
notified. A the same time the RSA key needs to be destroyed.

Support for HTTP proxies can be implemented by setting
``CURLOPT_PROXY``. Proxies could be used for moving instances in/out of
restricted network environments or across protocol borders (e.g. IPv4
networks unable to talk to IPv6 networks).


The big picture for instance moves
----------------------------------

#. ``OpInstanceImportPrepare`` (destination cluster)

  Create RSA key and CSR (certificate signing request), return signed
  with cluster domain secret.

#. ``OpBackupPrepare`` (source cluster)

  Becomes a no-op in version 2, but see :ref:`backwards-compat`.

#. ``OpBackupExport`` (source cluster)

  - Receives destination cluster's CSR, verifies signature using
    cluster domain secret.
  - Creates certificates using CSR and :doc:`cluster CA
    <design-x509-ca>`, one for each disk
  - Stop instance, create snapshots, start instance
  - Prepare HTTP resources on node
  - Send certificates, URLs and CA certificate to job submitter using
    feedback mechanism
  - Wait for all transfers to finish or fail (with timeout)
  - Remove snapshots

#. ``OpInstanceCreate`` (destination cluster)

  - Receives certificates signed by destination cluster, verifies
    certificates and URLs using cluster domain secret

    Note that the parameters should be implemented in a generic way
    allowing future extensions, e.g. to download disk images from a
    public, remote server. The cluster domain secret allows Ganeti to
    check data received from a third party, but since this won't work
    with such extensions, other checks will have to be designed.

  - Create block devices
  - Download every disk from source, verified using remote's CA and
    authenticated using signed certificates
  - Destroy RSA key and certificates
  - Start instance

.. TODO: separate create from import?


.. _impexp2-http-resources:

HTTP resources on source
------------------------

The HTTP resources listed below will be made available by the source
machine. The transfer ID is generated while preparing the export and is
unique per disk and instance. No caching should be used and the
``Pragma`` (HTTP/1.0) and ``Cache-Control`` (HTTP/1.1) headers set
accordingly by the server.

``GET /transfers/[transfer_id]/contents``
  Dump disk contents. Important request headers:

  ``Accept`` (:rfc:`2616`, section 14.1)
    Specify preferred media types. Only one type is supported in the
    initial implementation:

    ``application/octet-stream``
      Request raw disk content.

    If support for more media types were to be implemented in the
    future, the "q" parameter used for "indicating a relative quality
    factor" needs to be used. In the meantime parameters need to be
    expected, but can be ignored.

    If support for OS scripts were to be re-added in the future, the
    MIME type ``application/x-ganeti-instance-export`` is hereby
    reserved for disk dumps using an export script.

    If the source can not satisfy the request the response status code
    will be 406 (Not Acceptable). Successful requests will specify the
    used media type using the ``Content-Type`` header. Unless only
    exactly one media type is requested, the client must handle the
    different response types.

  ``Accept-Encoding`` (:rfc:`2616`, section 14.3)
    Specify desired content coding. Supported are ``identity`` for
    uncompressed data, ``gzip`` for compressed data and ``*`` for any.
    The response will include a ``Content-Encoding`` header with the
    actual coding used. If the client specifies an unknown coding, the
    response status code will be 406 (Not Acceptable).

    If the client specifically needs compressed data (see
    :ref:`impexp2-compression`) but only gets ``identity``, it can
    either compress locally or abort the request.

  ``Range`` (:rfc:`2616`, section 14.35)
    Raw disk dumps can be resumed using this header (e.g. after a
    network issue).

    If this header was given in the request and the source supports
    resuming, the status code of the response will be 206 (Partial
    Content) and it'll include the ``Content-Range`` header as per
    :rfc:`2616`. If it does not support resuming or the request was not
    specifying a range, the status code will be 200 (OK).

    Only a single byte range is supported. cURL does not support
    ``multipart/byteranges`` responses by itself. Even if they could be
    somehow implemented, doing so would be of doubtful benefit for
    import/export.

    For raw data dumps handling ranges is pretty straightforward by just
    dumping the requested range.

    cURL will fail with the error code ``CURLE_RANGE_ERROR`` if a
    request included a range but the server can't handle it. The request
    must be retried without a range.

``POST /transfers/[transfer_id]/done``
  Use this resource to notify the source when transfer is finished (even
  if not successful). The status code will be 204 (No Content).


Code samples
------------

pycURL to file
++++++++++++++

.. highlight:: python

The following code sample shows how to write downloaded data directly to
a file without pumping it through Python::

  curl = pycurl.Curl()
  curl.setopt(pycurl.URL, "http://www.google.com/")
  curl.setopt(pycurl.WRITEDATA, open("googlecom.html", "w"))
  curl.perform()

This works equally well if the file descriptor is a pipe to another
process.


.. _backwards-compat:

Backwards compatibility
-----------------------

.. _backwards-compat-v1:

Version 1
+++++++++

The old inter-cluster import/export implementation described in the
:doc:`Ganeti 2.2 design document <design-2.2>` will be supported for at
least one minor (2.x) release. Intra-cluster imports/exports will use
the new version right away.


.. _exp-size-fd:

``EXP_SIZE_FD``
+++++++++++++++

Together with the improved import/export infrastructure Ganeti 2.2
allowed instance export scripts to report the expected data size. This
was then used to provide the user with an estimated remaining time.
Version 2 no longer supports OS import/export scripts and therefore
``EXP_SIZE_FD`` is no longer needed.


.. _impexp2-compression:

Compression
+++++++++++

Version 1 used explicit compression using ``gzip`` for transporting
data, but the dumped files didn't use any compression. Version 2 will
allow the destination to specify which encoding should be used. This way
the transported data is already compressed and can be directly used by
the client (see :ref:`impexp2-http-resources`). The cURL option
``CURLOPT_ENCODING`` can be used to set the ``Accept-Encoding`` header.
cURL will not decompress received data when
``CURLOPT_HTTP_CONTENT_DECODING`` is set to zero (if another HTTP client
library were used which doesn't support disabling transparent
compression, a custom content-coding type could be defined, e.g.
``x-ganeti-gzip``).


Notes
-----

The HTTP/1.1 protocol (:rfc:`2616`) defines trailing headers for chunked
transfers in section 3.6.1. This could be used to transfer a checksum at
the end of an import/export. cURL supports trailing headers since
version 7.14.1. Lighttpd doesn't seem to support them for FastCGI, but
they appear to be usable in combination with an NPH CGI (No Parsed
Headers).

.. _lighttp-sendfile:

Lighttpd allows FastCGI applications to send the special headers
``X-Sendfile`` and ``X-Sendfile2`` (the latter with a range). Using
these headers applications can send response headers and tell the
webserver to serve regular file stored on the file system as a response
body. The webserver will then take care of sending that file.
Unfortunately this mechanism is restricted to regular files and can not
be used for data from programs, neither direct nor via named pipes,
without writing to a file first. The latter is not an option as instance
data can be very large. Theoretically ``X-Sendfile`` could be used for
sending the input for a file-based instance import, but that'd require
the webserver to run as "root".

.. _python-sendfile:

Python does not include interfaces for the ``sendfile(2)`` or
``splice(2)`` system calls. The latter can be useful for faster copying
of data between file descriptors. There are some 3rd-party modules (e.g.
http://pypi.python.org/pypi/py-sendfile/) and discussions
(http://bugs.python.org/issue10882) for including support for
``sendfile(2)``, but the later is certainly not going to happen for the
Python versions supported by Ganeti. Calling the function using the
``ctypes`` module might be possible.


Performance considerations
--------------------------

The design described above was confirmed to be one of the better choices
in terms of download performance with bigger block sizes. All numbers
were gathered on the same physical machine with a single CPU and 1 GB of
RAM while downloading 2 GB of zeros read from ``/dev/zero``. ``wget``
(version 1.10.2) was used as the client, ``lighttpd`` (version 1.4.28)
as the server. The numbers in the first line are in megabytes per
second. The second line in each row is the CPU time spent in userland
respective system (measured for the CGI/FastCGI program using ``time
-v``).

::

  ----------------------------------------------------------------------
  Block size                      4 KB    64 KB   128 KB    1 MB    4 MB
  ======================================================================
  Plain CGI script reading          83      174      180     122     120
  from ``/dev/zero``
                               0.6/3.9  0.1/2.4  0.1/2.2 0.0/1.9 0.0/2.1
  ----------------------------------------------------------------------
  FastCGI with ``fcgiwrap``,        86      167      170     177     174
  ``dd`` reading from
  ``/dev/zero``                  1.1/5  0.5/2.9  0.5/2.7 0.7/3.1 0.7/2.8
  ----------------------------------------------------------------------
  FastCGI with ``fcgiwrap``,        68      146      150     170     170
  Python script copying from
  ``/dev/zero`` to stdout
                               1.3/5.1  0.8/3.7  0.7/3.3  0.9/2.9  0.8/3
  ----------------------------------------------------------------------
  FastCGI, Python script using      31       48       47       5       1
  ``flup`` library (version
  1.0.2) reading from
  ``/dev/zero``
                              23.5/9.8 14.3/8.5   16.1/8       -       -
  ----------------------------------------------------------------------


It should be mentioned that the ``flup`` library is not implemented in
the most efficient way, but even with some changes it doesn't get much
faster. It is fine for small amounts of data, but not for huge
transfers.


Other considered solutions
--------------------------

Another possible solution considered was to use ``socat`` like version 1
did. Due to the changing model, a large part of the code would've
required a rewrite anyway, while still not fixing all shortcomings. For
example, ``socat`` could still listen on only one protocol, IPv4 or
IPv6. Running two separate instances might have fixed that, but it'd get
more complicated. Using an existing HTTP server will provide us with a
number of other benefits as well, such as easier user separation between
server and backend.


.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: