The proposal consists of two parts:
The draft API for this is specified in https://github.com/lf-edge/eve/pull/2073
We introduce a tag/profile for each application instance, and in the EVE API we also introduce a default_profile field. The profile is a string which the user can pick. Users might want to use a handful of different profiles. Each application can be tagged with more than one profile.
The app instances that have a profile tag matching the received default_profile will be considered for running, and those that do not match any will be halted. (“Considered” since we also take into account the individual stop/start in the UI, aka the Activate boolean in the EVE API for the app instance.)
In addition to the above default_profile from the controller, EVE can be configured to talk to a local profile server, which is accessible on the network (it could be deployed in the enterprise, or could be an app instance deployed on the edge node). In that case EVE will request profile override configuration using a new API specified below. The response payload from that API will be a protobuf message containing an optional profile field.
When the local profile server is configured, and it responds with a non-empty string in the profile field, then EVE will use that as the profile to select which application instances to shut down and start, and will ignore the default_profile received from the controller.
Hence the profile override can be disabled either by having the profile server return the empty string, or by deconfiguring the local profile server. In either case, EVE will switch to using the default_profile received from the controller. Note that a (temporarily or permanently) unreachable local profile server will not result in switching back.
EVE will report in info messages whether and which profile override is used.
The implementation of a local profile server is out of scope, as there might be different user interfaces to the local profile server. This work will merely define the GET API for the profile, and the method by which EVE is configured to access the local profile server. [But see Testing section below.]
Once the local profile server has asserted an override of the profile, it is up to the local profile server to remove that override when it is no longer needed, to ensure that the controller can fully control the application instances.
The check for Activate being true will now be gated by (current profile not set, or current profile matches one of the app instance’s profiles).
The current_profile is set to the override_profile if not empty, otherwise it is set to the default_profile from the controller.
If a local profile server has been configured, then EVE will attempt a GET request to that server with the same frequency as it requests configuration from the controller. It will retain the most recently received string as the override_profile (and report that in the info API message so that the UI can display the existence of an override in a prominent place.) Presumably the override_profile should be persisted across reboots so EVE can do the right thing on power up.
Should the local_profile_server field be cleared in the config API, then EVE will clear the override_profile.
EVE will verify that the server_token in the protobuf message matches the profile server token received from the controller.
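The selection rules above (current profile, the Activate gate, an unreachable server, and the server_token check), as an added Go example that is not EVE's own code. The ProfileState type and its method names are hypothetical, and ignoring a response whose token is unset or does not match is an assumption, since the page does not say what EVE does on a mismatch.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"slices"
)

// ProfileOverride mirrors the two fields of the ProfileOverride protobuf message.
type ProfileOverride struct{ Profile, ServerToken string }

// ProfileState is a hypothetical holder for the values the text names.
type ProfileState struct {
	DefaultProfile  string // default_profile from the controller
	OverrideProfile string // last accepted override_profile
	ServerToken     string // profile_server_token from the controller
}

// HandlePoll applies one GET result; resp == nil models an unreachable server.
func (s *ProfileState) HandlePoll(resp *ProfileOverride) error {
	if resp == nil {
		return nil // unreachable: keep the current override, do not switch back
	}
	// Assumption: an unset or mismatching token means the response is ignored.
	if s.ServerToken == "" || subtle.ConstantTimeCompare(
		[]byte(resp.ServerToken), []byte(s.ServerToken)) != 1 {
		return fmt.Errorf("rejected override %q: server_token mismatch", resp.Profile)
	}
	s.OverrideProfile = resp.Profile // empty string disables the override
	return nil
}

// CurrentProfile is the override if non-empty, else the controller default.
func (s *ProfileState) CurrentProfile() string {
	if s.OverrideProfile != "" {
		return s.OverrideProfile
	}
	return s.DefaultProfile
}

// ShouldRun gates Activate on the current profile being unset or matching.
func (s *ProfileState) ShouldRun(activate bool, appProfiles []string) bool {
	cur := s.CurrentProfile()
	return activate && (cur == "" || slices.Contains(appProfiles, cur))
}

func main() {
	s := &ProfileState{DefaultProfile: "day", ServerToken: "constructed-token"}
	fmt.Println(s.HandlePoll(&ProfileOverride{"night", "wrong"}), s.CurrentProfile())
}
```

Clearing local_profile_server in the config API would reset OverrideProfile to the empty string; persistence across reboots is not modelled here.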
A few items in the EVE API:
And a new Profile Override protobuf API defining one message:
message ProfileOverride {
  string profile = 1;
  string server_token = 2;
}
See https://github.com/lf-edge/eve/pull/2073
The local_profile_server string can be an IPv4 address, an IPv6 address, or a hostname, followed by an optional “:” and a port number. Note that to handle IPv6 addresses it needs to check and allow for https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 which means allowing syntax like
[fe80::1]:1234
10.1.1.1:1234
Hostname:1234
[fe80::1]
10.1.1.1
Hostname
Together with a local_profile_server one should be able to specify a profile_server_token.
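One way to validate the local_profile_server syntax listed above before building a URL from it, as an added Go example rather than EVE's code. ParseProfileServer is a hypothetical name; returning port 0 when no port is given, and rejecting unbracketed IPv6 addresses and URL metacharacters in the host, are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParseProfileServer splits a local_profile_server value into host and port.
// port is 0 when the value has none; choosing a default is left to the caller.
func ParseProfileServer(s string) (host string, port int, err error) {
	portStr, hasPort := "", false
	switch {
	case strings.HasPrefix(s, "["): // RFC 3986 IP-literal: "[" IPv6address "]"
		end := strings.Index(s, "]")
		if end < 0 || !strings.Contains(s[1:end], ":") || net.ParseIP(s[1:end]) == nil {
			return "", 0, fmt.Errorf("%q: malformed bracketed IPv6 literal", s)
		}
		host = s[1:end]
		portStr, hasPort = strings.CutPrefix(s[end+1:], ":")
		if !hasPort && portStr != "" {
			return "", 0, fmt.Errorf("%q: unexpected text after ']'", s)
		}
	case strings.Count(s, ":") > 1:
		return "", 0, fmt.Errorf("%q: IPv6 addresses must be bracketed", s)
	default:
		host, portStr, hasPort = strings.Cut(s, ":")
	}
	// Reject characters that would change the meaning of a URL built from host.
	if host == "" || strings.ContainsAny(host, "/@?#[]% \t\r\n") {
		return "", 0, fmt.Errorf("%q: invalid host", s)
	}
	if !hasPort {
		return host, 0, nil
	}
	p, err := strconv.ParseUint(portStr, 10, 16) // unsigned, at most 65535
	if err != nil || p == 0 {
		return "", 0, fmt.Errorf("%q: invalid port", s)
	}
	return host, int(p), nil
}

func main() {
	for _, s := range []string{"[fe80::1]:1234", "10.1.1.1", "Hostname:1234", "fe80::1"} {
		h, p, err := ParseProfileServer(s)
		fmt.Printf("%-15s host=%q port=%d err=%v\n", s, h, p, err)
	}
}
```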
The UI needs to display the override_profile in a prominent place since this indicates that an override is in place even when connected to the controller. (Perhaps the case when override_profile == default_profile would be normal and need not be flagged.)
Depending on whether we reuse the tag capability in the UI or define some new profile setting for the app instances, zedcloud has different types of work to feed the application profiles to the EVE API.
The communication to the local profile server will be done using http but on a specified port so that an outbound ACL for port 80 will not accidentally allow such traffic to leave the edge-node on the Ethernet ports. Users will have to allow this port either out the Ethernet ports or to an app instance deployed locally on EVE. [TBD: the ip rules currently do not make the IP addresses on a local network instance reachable by EVE so need some tweak here.]
In addition, we require that the profile server be configured with a server_token (a random string) which EVE will verify matches the profile_server_token. That makes it harder for a network attacker to inject responses even when the ACLs have been configured to accept all traffic.
To test the above it makes sense to implement a very basic local profile server app instance in the form of a container which each time the GET method is handled will look for a USB stick with a FAT filesystem and read a file called “profile” on that USB stick. If the file is not found it will return an empty string, otherwise the content of the file.