design-http-server.rst 5.43 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
=========================================
Design for replacing Ganeti's HTTP server
=========================================

.. contents:: :depth: 4

.. _http-srv-shortcomings:

Current state and shortcomings
------------------------------

The :doc:`new design for import/export <design-impexp2>` depends on an
HTTP server. Ganeti includes a home-grown HTTP server based on Python's
``BaseHTTPServer``. While it served us well so far, it only implements
the very basics of the HTTP protocol. It is, for example, not structured
well enough to support chunked transfers (:rfc:`2616`, section 3.6.1),
which would have some advantages. In addition, it has not been designed
for sending large responses.

In the case of the node daemon the HTTP server can not easily be
separated from the actual backend code and therefore must run as "root".
The RAPI daemon does request parsing in the same process as talking to
the master daemon via LUXI.


Proposed changes
----------------

The proposal is to start using a full-fledged HTTP server in Ganeti and
to run Ganeti's code as `FastCGI <http://www.fastcgi.com/>`_
applications. Reasons:

- Simplify Ganeti's code by delegating the details of HTTP and SSL to
  another piece of software
- Run HTTP frontend and handler backend as separate processes and users
  (esp. useful for node daemon, but also import/export and Remote API)
- Allows implementation of :ref:`rpc-feedback`


Software choice
+++++++++++++++

Theoretically any server able of speaking FastCGI to a backend process
could be used. However, to keep the number of steps required for setting
up a new cluster at roughly the same level, the implementation will be
geared for one specific HTTP server at the beginning. Support for other
HTTP servers can still be implemented.

After a rough selection of available HTTP servers `lighttpd
<http://www.lighttpd.net/>`_ and `nginx <http://www.nginx.org/>`_ were
the most likely candidates. Both are `widely used`_ and tested.

.. _widely used: http://news.netcraft.com/archives/2011/01/12/
  january-2011-web-server-survey-4.html

Nginx' `original documentation <http://sysoev.ru/nginx/docs/>`_ is in
Russian, translations are `available in a Wiki
<http://wiki.nginx.org/>`_. Nginx does not support old-style CGI
programs.

The author found `lighttpd's documentation
<http://redmine.lighttpd.net/wiki/lighttpd>`_ easier to understand and
was able to configure a test server quickly. This, together with the
support for more technologies, made deciding easier.

With its use as a public-facing web server on a large number of websites
(and possibly more behind proxies), lighttpd should be a safe choice.
Unlike other webservers, such as the Apache HTTP Server, lighttpd's
codebase is of manageable size.

Initially the HTTP server would only be used for import/export
transfers, but its use can be expanded to the Remote API and node
daemon (see :ref:`rpc-feedback`).

To reduce the attack surface, an option will be provided to configure
services (e.g. import/export) to only listen on certain network
interfaces.


.. _rpc-feedback:

RPC feedback
++++++++++++

HTTP/1.1 supports chunked transfers (:rfc:`2616`, section 3.6.1). They
could be used to provide feedback from node daemons to the master,
similar to the feedback from jobs. A good use would be to provide
feedback to the user during long-running operations, e.g. downloading an
instance's data from another cluster.

.. _requirement: http://www.python.org/dev/peps/pep-0333/
  #buffering-and-streaming

WSGI 1.0 (:pep:`333`) includes the following `requirement`_:

  WSGI servers, gateways, and middleware **must not** delay the
  transmission of any block; they **must** either fully transmit the
  block to the client, or guarantee that they will continue transmission
  even while the application is producing its next block

This behaviour was confirmed to work with lighttpd and the
:ref:`flup <http-software-req>` library. FastCGI by itself has no such
guarantee; webservers with buffering might require artificial padding to
force the message to be transmitted.

The node daemon can send JSON-encoded messages back to the master daemon
by separating them using a predefined character (see :ref:`LUXI
<luxi>`). The final message contains the method's result. pycURL passes
each received chunk to the callback set as ``CURLOPT_WRITEFUNCTION``.
Once a message is complete, the master daemon can pass it to a callback
function inside the job, which then decides on what to do (e.g. forward
it as job feedback to the user).

A more detailed design may have to be written before deciding whether to
implement RPC feedback.


.. _http-software-req:

Software requirements
+++++++++++++++++++++

- lighttpd 1.4.24 or above built with OpenSSL support (earlier versions
  `don't support SSL client certificates
  <http://redmine.lighttpd.net/issues/1288>`_)
- `flup <http://trac.saddi.com/flup>`_ for FastCGI


Lighttpd SSL configuration
++++++++++++++++++++++++++

.. highlight:: lighttpd

The following sample shows how to configure SSL with client certificates
in Lighttpd::

  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "server.pem"
    ssl.ca-file = "ca.pem"
    ssl.use-sslv2  = "disable"
    ssl.cipher-list = "HIGH:-DES:-3DES:-EXPORT:-ADH"
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.exportcert = "enable"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
  }


.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: