/doc/design-http-server.rst - Annotate - ganeti-local - Greek Research and Technology Network's projects

Michael Hanselmann

=========================================

2

278ddaa9

Michael Hanselmann

Design for replacing Ganeti's HTTP server

3

278ddaa9

Michael Hanselmann

=========================================

4

278ddaa9

Michael Hanselmann

5

278ddaa9

Michael Hanselmann

.. contents:: :depth: 4

6

278ddaa9

Michael Hanselmann

7

278ddaa9

Michael Hanselmann

.. _http-srv-shortcomings:

8

278ddaa9

Michael Hanselmann

9

278ddaa9

Michael Hanselmann

Current state and shortcomings

10

278ddaa9

Michael Hanselmann

------------------------------

11

278ddaa9

Michael Hanselmann

12

278ddaa9

Michael Hanselmann

The :doc:`new design for import/export <design-impexp2>` depends on an

13

278ddaa9

Michael Hanselmann

HTTP server. Ganeti includes a home-grown HTTP server based on Python's

14

278ddaa9

Michael Hanselmann

``BaseHTTPServer``. While it served us well so far, it only implements

15

278ddaa9

Michael Hanselmann

the very basics of the HTTP protocol. It is, for example, not structured

16

278ddaa9

Michael Hanselmann

well enough to support chunked transfers (:rfc:`2616`, section 3.6.1),

17

278ddaa9

Michael Hanselmann

which would have some advantages. In addition, it has not been designed

18

278ddaa9

Michael Hanselmann

for sending large responses.

19

278ddaa9

Michael Hanselmann

20

278ddaa9

Michael Hanselmann

In the case of the node daemon the HTTP server can not easily be

21

278ddaa9

Michael Hanselmann

separated from the actual backend code and therefore must run as "root".

22

278ddaa9

Michael Hanselmann

The RAPI daemon does request parsing in the same process as talking to

23

278ddaa9

Michael Hanselmann

the master daemon via LUXI.

24

278ddaa9

Michael Hanselmann

25

278ddaa9

Michael Hanselmann

26

278ddaa9

Michael Hanselmann

Proposed changes

27

278ddaa9

Michael Hanselmann

----------------

28

278ddaa9

Michael Hanselmann

29

278ddaa9

Michael Hanselmann

The proposal is to start using a full-fledged HTTP server in Ganeti and

30

278ddaa9

Michael Hanselmann

to run Ganeti's code as `FastCGI <http://www.fastcgi.com/>`_

31

278ddaa9

Michael Hanselmann

applications. Reasons:

32

278ddaa9

Michael Hanselmann

33

278ddaa9

Michael Hanselmann

- Simplify Ganeti's code by delegating the details of HTTP and SSL to

34

278ddaa9

Michael Hanselmann

  another piece of software

35

278ddaa9

Michael Hanselmann

- Run HTTP frontend and handler backend as separate processes and users

36

278ddaa9

Michael Hanselmann

  (esp. useful for node daemon, but also import/export and Remote API)

37

278ddaa9

Michael Hanselmann

- Allows implementation of :ref:`rpc-feedback`

38

278ddaa9

Michael Hanselmann

39

278ddaa9

Michael Hanselmann

40

278ddaa9

Michael Hanselmann

Software choice

41

278ddaa9

Michael Hanselmann

+++++++++++++++

42

278ddaa9

Michael Hanselmann

43

278ddaa9

Michael Hanselmann

Theoretically any server able of speaking FastCGI to a backend process

44

278ddaa9

Michael Hanselmann

could be used. However, to keep the number of steps required for setting

45

278ddaa9

Michael Hanselmann

up a new cluster at roughly the same level, the implementation will be

46

278ddaa9

Michael Hanselmann

geared for one specific HTTP server at the beginning. Support for other

47

278ddaa9

Michael Hanselmann

HTTP servers can still be implemented.

48

278ddaa9

Michael Hanselmann

49

278ddaa9

Michael Hanselmann

After a rough selection of available HTTP servers `lighttpd

50

278ddaa9

Michael Hanselmann

<http://www.lighttpd.net/>`_ and `nginx <http://www.nginx.org/>`_ were

51

278ddaa9

Michael Hanselmann

the most likely candidates. Both are `widely used`_ and tested.

52

278ddaa9

Michael Hanselmann

53

278ddaa9

Michael Hanselmann

.. _widely used: http://news.netcraft.com/archives/2011/01/12/

54

278ddaa9

Michael Hanselmann

  january-2011-web-server-survey-4.html

55

278ddaa9

Michael Hanselmann

56

278ddaa9

Michael Hanselmann

Nginx' `original documentation <http://sysoev.ru/nginx/docs/>`_ is in

57

278ddaa9

Michael Hanselmann

Russian, translations are `available in a Wiki

58

278ddaa9

Michael Hanselmann

<http://wiki.nginx.org/>`_. Nginx does not support old-style CGI

59

278ddaa9

Michael Hanselmann

programs.

60

278ddaa9

Michael Hanselmann

61

278ddaa9

Michael Hanselmann

The author found `lighttpd's documentation

62

278ddaa9

Michael Hanselmann

<http://redmine.lighttpd.net/wiki/lighttpd>`_ easier to understand and

63

278ddaa9

Michael Hanselmann

was able to configure a test server quickly. This, together with the

64

278ddaa9

Michael Hanselmann

support for more technologies, made deciding easier.

65

278ddaa9

Michael Hanselmann

66

278ddaa9

Michael Hanselmann

With its use as a public-facing web server on a large number of websites

67

278ddaa9

Michael Hanselmann

(and possibly more behind proxies), lighttpd should be a safe choice.

68

278ddaa9

Michael Hanselmann

Unlike other webservers, such as the Apache HTTP Server, lighttpd's

69

278ddaa9

Michael Hanselmann

codebase is of manageable size.

70

278ddaa9

Michael Hanselmann

71

278ddaa9

Michael Hanselmann

Initially the HTTP server would only be used for import/export

72

278ddaa9

Michael Hanselmann

transfers, but its use can be expanded to the Remote API and node

73

278ddaa9

Michael Hanselmann

daemon (see :ref:`rpc-feedback`).

74

278ddaa9

Michael Hanselmann

75

278ddaa9

Michael Hanselmann

To reduce the attack surface, an option will be provided to configure

76

278ddaa9

Michael Hanselmann

services (e.g. import/export) to only listen on certain network

77

278ddaa9

Michael Hanselmann

interfaces.

78

278ddaa9

Michael Hanselmann

79

278ddaa9

Michael Hanselmann

80

278ddaa9

Michael Hanselmann

.. _rpc-feedback:

81

278ddaa9

Michael Hanselmann

82

278ddaa9

Michael Hanselmann

RPC feedback

83

278ddaa9

Michael Hanselmann

++++++++++++

84

278ddaa9

Michael Hanselmann

85

278ddaa9

Michael Hanselmann

HTTP/1.1 supports chunked transfers (:rfc:`2616`, section 3.6.1). They

86

278ddaa9

Michael Hanselmann

could be used to provide feedback from node daemons to the master,

87

278ddaa9

Michael Hanselmann

similar to the feedback from jobs. A good use would be to provide

88

278ddaa9

Michael Hanselmann

feedback to the user during long-running operations, e.g. downloading an

89

278ddaa9

Michael Hanselmann

instance's data from another cluster.

90

278ddaa9

Michael Hanselmann

91

278ddaa9

Michael Hanselmann

.. _requirement: http://www.python.org/dev/peps/pep-0333/

92

278ddaa9

Michael Hanselmann

  #buffering-and-streaming

93

278ddaa9

Michael Hanselmann

94

278ddaa9

Michael Hanselmann

WSGI 1.0 (:pep:`333`) includes the following `requirement`_:

95

278ddaa9

Michael Hanselmann

96

278ddaa9

Michael Hanselmann

  WSGI servers, gateways, and middleware **must not** delay the

97

278ddaa9

Michael Hanselmann

  transmission of any block; they **must** either fully transmit the

98

278ddaa9

Michael Hanselmann

  block to the client, or guarantee that they will continue transmission

99

278ddaa9

Michael Hanselmann

  even while the application is producing its next block

100

278ddaa9

Michael Hanselmann

101

278ddaa9

Michael Hanselmann

This behaviour was confirmed to work with lighttpd and the

102

278ddaa9

Michael Hanselmann

:ref:`flup <http-software-req>` library. FastCGI by itself has no such

103

278ddaa9

Michael Hanselmann

guarantee; webservers with buffering might require artificial padding to

104

278ddaa9

Michael Hanselmann

force the message to be transmitted.

105

278ddaa9

Michael Hanselmann

106

278ddaa9

Michael Hanselmann

The node daemon can send JSON-encoded messages back to the master daemon

107

278ddaa9

Michael Hanselmann

by separating them using a predefined character (see :ref:`LUXI

108

278ddaa9

Michael Hanselmann

<luxi>`). The final message contains the method's result. pycURL passes

109

278ddaa9

Michael Hanselmann

each received chunk to the callback set as ``CURLOPT_WRITEFUNCTION``.

110

278ddaa9

Michael Hanselmann

Once a message is complete, the master daemon can pass it to a callback

111

278ddaa9

Michael Hanselmann

function inside the job, which then decides on what to do (e.g. forward

112

278ddaa9

Michael Hanselmann

it as job feedback to the user).

113

278ddaa9

Michael Hanselmann

114

278ddaa9

Michael Hanselmann

A more detailed design may have to be written before deciding whether to

115

278ddaa9

Michael Hanselmann

implement RPC feedback.

116

278ddaa9

Michael Hanselmann

117

278ddaa9

Michael Hanselmann

118

278ddaa9

Michael Hanselmann

.. _http-software-req:

119

278ddaa9

Michael Hanselmann

120

278ddaa9

Michael Hanselmann

Software requirements

121

278ddaa9

Michael Hanselmann

+++++++++++++++++++++

122

278ddaa9

Michael Hanselmann

123

278ddaa9

Michael Hanselmann

- lighttpd 1.4.24 or above built with OpenSSL support (earlier versions

124

278ddaa9

Michael Hanselmann

  `don't support SSL client certificates

125

278ddaa9

Michael Hanselmann

  <http://redmine.lighttpd.net/issues/1288>`_)

126

278ddaa9

Michael Hanselmann

- `flup <http://trac.saddi.com/flup>`_ for FastCGI

127

278ddaa9

Michael Hanselmann

128

278ddaa9

Michael Hanselmann

129

278ddaa9

Michael Hanselmann

Lighttpd SSL configuration

130

278ddaa9

Michael Hanselmann

++++++++++++++++++++++++++

131

278ddaa9

Michael Hanselmann

132

278ddaa9

Michael Hanselmann

.. highlight:: lighttpd

133

278ddaa9

Michael Hanselmann

134

278ddaa9

Michael Hanselmann

The following sample shows how to configure SSL with client certificates

135

278ddaa9

Michael Hanselmann

in Lighttpd::

136

278ddaa9

Michael Hanselmann

137

278ddaa9

Michael Hanselmann

  $SERVER["socket"] == ":443" {

138

278ddaa9

Michael Hanselmann

    ssl.engine = "enable"

139

278ddaa9

Michael Hanselmann

    ssl.pemfile = "server.pem"

140

278ddaa9

Michael Hanselmann

    ssl.ca-file = "ca.pem"

141

278ddaa9

Michael Hanselmann

    ssl.use-sslv2  = "disable"

142

278ddaa9

Michael Hanselmann

    ssl.cipher-list = "HIGH:-DES:-3DES:-EXPORT:-ADH"

143

278ddaa9

Michael Hanselmann

    ssl.verifyclient.activate = "enable"

144

278ddaa9

Michael Hanselmann

    ssl.verifyclient.enforce = "enable"

145

278ddaa9

Michael Hanselmann

    ssl.verifyclient.exportcert = "enable"

146

278ddaa9

Michael Hanselmann

    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

147

278ddaa9

Michael Hanselmann

148

278ddaa9

Michael Hanselmann

149

278ddaa9

Michael Hanselmann

150

278ddaa9

Michael Hanselmann

.. vim: set textwidth=72 :

151

278ddaa9

Michael Hanselmann

.. Local Variables:

152

278ddaa9

Michael Hanselmann

.. mode: rst

153

278ddaa9

Michael Hanselmann

.. fill-column: 72

154

278ddaa9

Michael Hanselmann

.. End:

Synnefo » snf-ganeti » ganeti-local

root / doc / design-http-server.rst @ 2a50e2e8

1	278ddaa9	Michael Hanselmann	=========================================
2	278ddaa9	Michael Hanselmann	Design for replacing Ganeti's HTTP server
3	278ddaa9	Michael Hanselmann	=========================================
4	278ddaa9	Michael Hanselmann
5	278ddaa9	Michael Hanselmann	.. contents:: :depth: 4
6	278ddaa9	Michael Hanselmann
7	278ddaa9	Michael Hanselmann	.. _http-srv-shortcomings:
8	278ddaa9	Michael Hanselmann
9	278ddaa9	Michael Hanselmann	Current state and shortcomings
10	278ddaa9	Michael Hanselmann	------------------------------
11	278ddaa9	Michael Hanselmann
12	278ddaa9	Michael Hanselmann	The :doc:`new design for import/export <design-impexp2>` depends on an
13	278ddaa9	Michael Hanselmann	HTTP server. Ganeti includes a home-grown HTTP server based on Python's
14	278ddaa9	Michael Hanselmann	``BaseHTTPServer``. While it served us well so far, it only implements
15	278ddaa9	Michael Hanselmann	the very basics of the HTTP protocol. It is, for example, not structured
16	278ddaa9	Michael Hanselmann	well enough to support chunked transfers (:rfc:`2616`, section 3.6.1),
17	278ddaa9	Michael Hanselmann	which would have some advantages. In addition, it has not been designed
18	278ddaa9	Michael Hanselmann	for sending large responses.
19	278ddaa9	Michael Hanselmann
20	278ddaa9	Michael Hanselmann	In the case of the node daemon the HTTP server can not easily be
21	278ddaa9	Michael Hanselmann	separated from the actual backend code and therefore must run as "root".
22	278ddaa9	Michael Hanselmann	The RAPI daemon does request parsing in the same process as talking to
23	278ddaa9	Michael Hanselmann	the master daemon via LUXI.
24	278ddaa9	Michael Hanselmann
25	278ddaa9	Michael Hanselmann
26	278ddaa9	Michael Hanselmann	Proposed changes
27	278ddaa9	Michael Hanselmann	----------------
28	278ddaa9	Michael Hanselmann
29	278ddaa9	Michael Hanselmann	The proposal is to start using a full-fledged HTTP server in Ganeti and
30	278ddaa9	Michael Hanselmann	to run Ganeti's code as `FastCGI <http://www.fastcgi.com/>`_
31	278ddaa9	Michael Hanselmann	applications. Reasons:
32	278ddaa9	Michael Hanselmann
33	278ddaa9	Michael Hanselmann	- Simplify Ganeti's code by delegating the details of HTTP and SSL to
34	278ddaa9	Michael Hanselmann	another piece of software
35	278ddaa9	Michael Hanselmann	- Run HTTP frontend and handler backend as separate processes and users
36	278ddaa9	Michael Hanselmann	(esp. useful for node daemon, but also import/export and Remote API)
37	278ddaa9	Michael Hanselmann	- Allows implementation of :ref:`rpc-feedback`
38	278ddaa9	Michael Hanselmann
39	278ddaa9	Michael Hanselmann
40	278ddaa9	Michael Hanselmann	Software choice
41	278ddaa9	Michael Hanselmann	+++++++++++++++
42	278ddaa9	Michael Hanselmann
43	278ddaa9	Michael Hanselmann	Theoretically any server able of speaking FastCGI to a backend process
44	278ddaa9	Michael Hanselmann	could be used. However, to keep the number of steps required for setting
45	278ddaa9	Michael Hanselmann	up a new cluster at roughly the same level, the implementation will be
46	278ddaa9	Michael Hanselmann	geared for one specific HTTP server at the beginning. Support for other
47	278ddaa9	Michael Hanselmann	HTTP servers can still be implemented.
48	278ddaa9	Michael Hanselmann
49	278ddaa9	Michael Hanselmann	After a rough selection of available HTTP servers `lighttpd
50	278ddaa9	Michael Hanselmann	<http://www.lighttpd.net/>`_ and `nginx <http://www.nginx.org/>`_ were
51	278ddaa9	Michael Hanselmann	the most likely candidates. Both are `widely used`_ and tested.
52	278ddaa9	Michael Hanselmann
53	278ddaa9	Michael Hanselmann	.. _widely used: http://news.netcraft.com/archives/2011/01/12/
54	278ddaa9	Michael Hanselmann	january-2011-web-server-survey-4.html
55	278ddaa9	Michael Hanselmann
56	278ddaa9	Michael Hanselmann	Nginx' `original documentation <http://sysoev.ru/nginx/docs/>`_ is in
57	278ddaa9	Michael Hanselmann	Russian, translations are `available in a Wiki
58	278ddaa9	Michael Hanselmann	<http://wiki.nginx.org/>`_. Nginx does not support old-style CGI
59	278ddaa9	Michael Hanselmann	programs.
60	278ddaa9	Michael Hanselmann
61	278ddaa9	Michael Hanselmann	The author found `lighttpd's documentation
62	278ddaa9	Michael Hanselmann	<http://redmine.lighttpd.net/wiki/lighttpd>`_ easier to understand and
63	278ddaa9	Michael Hanselmann	was able to configure a test server quickly. This, together with the
64	278ddaa9	Michael Hanselmann	support for more technologies, made deciding easier.
65	278ddaa9	Michael Hanselmann
66	278ddaa9	Michael Hanselmann	With its use as a public-facing web server on a large number of websites
67	278ddaa9	Michael Hanselmann	(and possibly more behind proxies), lighttpd should be a safe choice.
68	278ddaa9	Michael Hanselmann	Unlike other webservers, such as the Apache HTTP Server, lighttpd's
69	278ddaa9	Michael Hanselmann	codebase is of manageable size.
70	278ddaa9	Michael Hanselmann
71	278ddaa9	Michael Hanselmann	Initially the HTTP server would only be used for import/export
72	278ddaa9	Michael Hanselmann	transfers, but its use can be expanded to the Remote API and node
73	278ddaa9	Michael Hanselmann	daemon (see :ref:`rpc-feedback`).
74	278ddaa9	Michael Hanselmann
75	278ddaa9	Michael Hanselmann	To reduce the attack surface, an option will be provided to configure
76	278ddaa9	Michael Hanselmann	services (e.g. import/export) to only listen on certain network
77	278ddaa9	Michael Hanselmann	interfaces.
78	278ddaa9	Michael Hanselmann
79	278ddaa9	Michael Hanselmann
80	278ddaa9	Michael Hanselmann	.. _rpc-feedback:
81	278ddaa9	Michael Hanselmann
82	278ddaa9	Michael Hanselmann	RPC feedback
83	278ddaa9	Michael Hanselmann	++++++++++++
84	278ddaa9	Michael Hanselmann
85	278ddaa9	Michael Hanselmann	HTTP/1.1 supports chunked transfers (:rfc:`2616`, section 3.6.1). They
86	278ddaa9	Michael Hanselmann	could be used to provide feedback from node daemons to the master,
87	278ddaa9	Michael Hanselmann	similar to the feedback from jobs. A good use would be to provide
88	278ddaa9	Michael Hanselmann	feedback to the user during long-running operations, e.g. downloading an
89	278ddaa9	Michael Hanselmann	instance's data from another cluster.
90	278ddaa9	Michael Hanselmann
91	278ddaa9	Michael Hanselmann	.. _requirement: http://www.python.org/dev/peps/pep-0333/
92	278ddaa9	Michael Hanselmann	#buffering-and-streaming
93	278ddaa9	Michael Hanselmann
94	278ddaa9	Michael Hanselmann	WSGI 1.0 (:pep:`333`) includes the following `requirement`_:
95	278ddaa9	Michael Hanselmann
96	278ddaa9	Michael Hanselmann	WSGI servers, gateways, and middleware must not delay the
97	278ddaa9	Michael Hanselmann	transmission of any block; they must either fully transmit the
98	278ddaa9	Michael Hanselmann	block to the client, or guarantee that they will continue transmission
99	278ddaa9	Michael Hanselmann	even while the application is producing its next block
100	278ddaa9	Michael Hanselmann
101	278ddaa9	Michael Hanselmann	This behaviour was confirmed to work with lighttpd and the
102	278ddaa9	Michael Hanselmann	:ref:`flup <http-software-req>` library. FastCGI by itself has no such
103	278ddaa9	Michael Hanselmann	guarantee; webservers with buffering might require artificial padding to
104	278ddaa9	Michael Hanselmann	force the message to be transmitted.
105	278ddaa9	Michael Hanselmann
106	278ddaa9	Michael Hanselmann	The node daemon can send JSON-encoded messages back to the master daemon
107	278ddaa9	Michael Hanselmann	by separating them using a predefined character (see :ref:`LUXI
108	278ddaa9	Michael Hanselmann	<luxi>`). The final message contains the method's result. pycURL passes
109	278ddaa9	Michael Hanselmann	each received chunk to the callback set as ``CURLOPT_WRITEFUNCTION``.
110	278ddaa9	Michael Hanselmann	Once a message is complete, the master daemon can pass it to a callback
111	278ddaa9	Michael Hanselmann	function inside the job, which then decides on what to do (e.g. forward
112	278ddaa9	Michael Hanselmann	it as job feedback to the user).
113	278ddaa9	Michael Hanselmann
114	278ddaa9	Michael Hanselmann	A more detailed design may have to be written before deciding whether to
115	278ddaa9	Michael Hanselmann	implement RPC feedback.
116	278ddaa9	Michael Hanselmann
117	278ddaa9	Michael Hanselmann
118	278ddaa9	Michael Hanselmann	.. _http-software-req:
119	278ddaa9	Michael Hanselmann
120	278ddaa9	Michael Hanselmann	Software requirements
121	278ddaa9	Michael Hanselmann	+++++++++++++++++++++
122	278ddaa9	Michael Hanselmann
123	278ddaa9	Michael Hanselmann	- lighttpd 1.4.24 or above built with OpenSSL support (earlier versions
124	278ddaa9	Michael Hanselmann	`don't support SSL client certificates
125	278ddaa9	Michael Hanselmann	<http://redmine.lighttpd.net/issues/1288>`_)
126	278ddaa9	Michael Hanselmann	- `flup <http://trac.saddi.com/flup>`_ for FastCGI
127	278ddaa9	Michael Hanselmann
128	278ddaa9	Michael Hanselmann
129	278ddaa9	Michael Hanselmann	Lighttpd SSL configuration
130	278ddaa9	Michael Hanselmann	++++++++++++++++++++++++++
131	278ddaa9	Michael Hanselmann
132	278ddaa9	Michael Hanselmann	.. highlight:: lighttpd
133	278ddaa9	Michael Hanselmann
134	278ddaa9	Michael Hanselmann	The following sample shows how to configure SSL with client certificates
135	278ddaa9	Michael Hanselmann	in Lighttpd::
136	278ddaa9	Michael Hanselmann
137	278ddaa9	Michael Hanselmann	$SERVER["socket"] == ":443" {
138	278ddaa9	Michael Hanselmann	ssl.engine = "enable"
139	278ddaa9	Michael Hanselmann	ssl.pemfile = "server.pem"
140	278ddaa9	Michael Hanselmann	ssl.ca-file = "ca.pem"
141	278ddaa9	Michael Hanselmann	ssl.use-sslv2 = "disable"
142	278ddaa9	Michael Hanselmann	ssl.cipher-list = "HIGH:-DES:-3DES:-EXPORT:-ADH"
143	278ddaa9	Michael Hanselmann	ssl.verifyclient.activate = "enable"
144	278ddaa9	Michael Hanselmann	ssl.verifyclient.enforce = "enable"
145	278ddaa9	Michael Hanselmann	ssl.verifyclient.exportcert = "enable"
146	278ddaa9	Michael Hanselmann	ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
147	278ddaa9	Michael Hanselmann	}
148	278ddaa9	Michael Hanselmann
149	278ddaa9	Michael Hanselmann
150	278ddaa9	Michael Hanselmann	.. vim: set textwidth=72 :
151	278ddaa9	Michael Hanselmann	.. Local Variables:
152	278ddaa9	Michael Hanselmann	.. mode: rst
153	278ddaa9	Michael Hanselmann	.. fill-column: 72
154	278ddaa9	Michael Hanselmann	.. End: