database-chassis python http-server implementation #13345
Conversation
Python HTTP Server service.
This service runs in database-chassis docker based on the configuration
provided in device/<platform>/chassisdb.conf
Configuration parameters provided by chassisdb.conf are as follows:
start_http_server: if "yes" or "1", http-server will be started on this
node
chassis_db_address : IP address for http-server. This is the same IP used
for the chassis db server
http_server_port : Port to bind to, default: 8000
http_server_dir : HTTP server home directory path, default: /var/www/
Signed-off-by: anamehra <anamehra@cisco.com>
|
@abdosi , FYI- |
|
@arlakshm / @judyjoseph please help review. |
|
@judyjoseph , @arlakshm , please let me know if you have any comments. I resolved all comments from our last meeting discussion in this PR. moved the http-server in database-chassis docker for chassis. |
anamehra
requested review from
judyjoseph
and removed request for
lguohan and
arlakshm
|
|
||
| {% if INSTANCES %} | ||
| {% for redis_inst, redis_items in INSTANCES.items() %} | ||
| {% if redis_inst == 'redis_chassis' %} |
There was a problem hiding this comment.
Thanks for the review @qiluo-msft !
I will fix this.
| @@ -44,5 +44,6 @@ COPY ["files/sysctl-net.conf", "/etc/sysctl.d/"] | |||
| COPY ["critical_processes", "/etc/supervisor"] | |||
| COPY ["files/update_chassisdb_config", "/usr/local/bin/"] | |||
| COPY ["flush_unused_database", "/usr/local/bin/"] | |||
| COPY ["http-server", "/usr/local/bin/"] | |||
There was a problem hiding this comment.
My initial PR was to run this as host side service as a feature but in the last review in Chassis group, it was decided to use it inside database-chassis for now as it's only for internal image/data hosting for chassis modules. It runs only on Supervisor on Chassis and binds to same internal ip as redis_chassis.server.
There was a problem hiding this comment.
@qiluo-msft yes we had discussion on this and if we want to run on host there was comment from Guohan to add this as Feature in Feature Table. But that was little deviation from current model where each feature is like docker with we can enable/disable the feature by doing container stop/start. So in chassis subgroup we discussed and thought since that will be some infrastructure change for this scenario to unblock chassis use case we thought to make it part of database-chassis docker which is specific to chassis use case. Also in future if this is needed in host we can revisit.
| # Example of config: | ||
| ''' | ||
| start_http_server=yes | ||
| chassis_db_address=127.0.0.10 |
There was a problem hiding this comment.
This is an example of the config. The chassis_db_address is used for redis_chassis.server and is hardcoded as of today, provided by chassisd.conf file by vendor in dir.
This http-serevr use the same IP to bind to service requests on internal midplane network.
| [program: http-server] | ||
| command=python3 /usr/local/bin/http-server | ||
| priority=3 | ||
| autostart=true |
There was a problem hiding this comment.
The process starts when the database chassis starts but the server will run only if start_http_server flag is set in chassisd.conf file by the vendor. If the flag is not set, the http-server won't run and this service will exit. autorestart is false.
|
|
||
| from pathlib import Path | ||
|
|
||
| HTTP_DEFAULT_BIND_PORT = "8000" |
There was a problem hiding this comment.
I will investigate more on this and respond/implement. Thanks
There was a problem hiding this comment.
@qiluo-msft your point is to have Control plane acl (ip table rules) to explicitly permit this ?
There was a problem hiding this comment.
yes, I believe you also want to limit the access, for example by some rules on 5-tuple
There was a problem hiding this comment.
@abdosi , @qiluo-msft , this port is on the internal network. Do we have any rules on other internal ip/ports which I can refer to?
There was a problem hiding this comment.
Hi @qiluo-msft , Abhishek and I had a discussion on this. The current Sonic implementation does not have any rule defined for the midplane subnet yet and we need to have a rule for all kinds of access in the midplane subnet. We will have to define platform subnet parameters that caclmgrd could use to define the rules for midplane access for all kinds of midplane traffic in the chassis. I will open a case and we can use a different PR to define the general subnet access rule. Let me know if that is fine.
There was a problem hiding this comment.
@qiluo-msft on chassis setup we have additional interface eth1-midplane both on supervisor and LC for internal traffic (eg: redis and http) . We will add iptable rule to allow all traffic on that interface. That way http traffic will be protected from outside network (eth0) and will get permit only if coming from internal network. I will create separate for that
There was a problem hiding this comment.
Created PR : sonic-net/sonic-host-services#42 . With this PR any port 8000 traffic that is not coming on eth1-midplane will get drop and thus protected from external network access.
|
@qiluo-msft can you please review this again. |
If the start_http_server is not set, the process exit with status 0 but it
exits before reaching RUNNING state which happens after running for more than a sec.
In such a scenario, supervisord restarts the process and mark state as FATAL. For exit
with status 0, we do not want to restart the process.
Fixed indentation
|
@anamehra , can you resolve the conflict since the changes has been a while and require rebase/merge to resolve conflicts. |
we don;t need this for 202205. This will gets merged to master directly. |
Signed-off-by: anamehra <anamehra@cisco.com>
resolved. Thanks! |
|
Lower priority now. Will revisit in the future |
Signed-off-by: anamehra anamehra@cisco.com
Why I did it
Enable http-server as database-chassis service on Chassis supervisor to enable LCs to download image and config files from Supervisor.
How I did it
Added python3 http-server based implementation in database-chassis as a docker service run by supervisord.
How to verify it
Add device//chassisdb.conf with the following data:
start_http_server=yes
chassis_db_address=127.0.0.10
http_server_dir=/var/www/tftp
Boot with the image with the above data.
put an image file at /var/www/tftp/filename
check 'systemctl status http-service'
curl http://http-server:8000/filename -o out_file
compare file_out with /var/www/tftp/filename
Which release branch to backport (provide reason below if selected)
Description for the changelog
Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)