Design for import/export version 2

Current state and shortcomings

Ganeti 2.2 introduced inter-cluster instance moves and replaced the import/export mechanism with the same technology. It’s since shown that the chosen implementation was too complicated and and can be difficult to debug.

The old implementation is henceforth called “version 1”. It used socat in combination with a rather complex tree of bash and Python utilities to move instances between clusters and import/export them inside the cluster. Due to protocol limitations, the master daemon starts a daemon on the involved nodes and then keeps polling a status file for updates. A non-trivial number of timeouts ensures that jobs don’t freeze.

In version 1, the destination node would start a daemon listening on a random TCP port. Upon receiving the destination information, the source node would temporarily stop the instance, create snapshots, and start exporting the data by connecting to the destination. The random TCP port is chosen by the operating system by binding the socket to port 0. While this is a somewhat elegant solution, it causes problems in setups with restricted connectivity (e.g. iptables).

Another issue encountered was with dual-stack IPv6 setups. socat can only listen on one protocol, IPv4 or IPv6, at a time. The connecting node can not simply resolve the DNS name, but it must be told the exact IP address.

Instance OS definitions can provide custom import/export scripts. They were working well in the early days when a filesystem was usually created directly on the block device. Around Ganeti 2.0 there was a transition to using partitions on the block devices. Import/export scripts could no longer use simple dump and restore commands, but usually ended up doing raw data dumps.

Proposed changes

Unlike in version 1, in version 2 the destination node will connect to the source. The active side is swapped. This design assumes the following design documents have been implemented:

The following design is mostly targetted at inter-cluster instance moves. Intra-cluster import and export use the same technology, but do so in a less complicated way (e.g. reusing the node daemon certificate in version 1).

Support for instance OS import/export scripts, which have been in Ganeti since the beginning, will be dropped with this design. Should the need arise, they can be re-added later.

Software requirements

  • HTTP client: cURL/pycURL (already used for inter-node RPC and RAPI client)
  • Authentication: X509 certificates (server and client)


Instead of a home-grown, mostly raw protocol the widely used HTTP protocol will be used. Ganeti already uses HTTP for its Remote API and inter-node communication. Encryption and authentication will be implemented using SSL and X509 certificates.

SSL certificates

The source machine will identify connecting clients by their SSL certificate. Unknown certificates will be refused.

Version 1 created a new self-signed certificate per instance import/export, allowing the certificate to be used as a Certificate Authority (CA). This worked by means of starting a new socat instance per instance import/export.

Under the version 2 model, a continously running HTTP server will be used. This disallows the use of self-signed certificates for authentication as the CA needs to be the same for all issued certificates.

See the separate design document for more details on how the certificate authority will be implemented.

Local imports/exports will, like version 1, use the node daemon’s certificate/key. Doing so allows the verification of local connections. The client’s certificate can be exported to the CGI/FastCGI handler using lighttpd’s ssl.verifyclient.exportcert setting. If a cluster-local import/export is being done, the handler verifies if the used certificate matches with the local node daemon key.


The source can be the same physical machine as the destination, another node in the same cluster, or a node in another cluster. A physical-to-virtual migration mechanism could be implemented as an alternative source.

In the case of a traditional import, the source is usually a file on the source machine. For exports and remote imports, the source is an instance’s raw disk data. In all cases the transported data is opaque to Ganeti.

All nodes of a cluster will run an instance of Lighttpd. The configuration is automatically generated when starting Ganeti. The HTTP server is configured to listen on IPv4 and IPv6 simultaneously. Imports/exports will use a dedicated TCP port, similar to the Remote API.

See the separate HTTP server design document for why Ganeti’s existing, built-in HTTP server is not a good choice.

The source cluster is provided with a X509 Certificate Signing Request (CSR) for a key private to the destination cluster.

After shutting down the instance, creating snapshots and restarting the instance the master will sign the destination’s X509 certificate using the X509 CA once per instance disk. Instead of using another identifier, the certificate’s serial number (never reused) and fingerprint are used to identify incoming requests. Once ready, the master will call an RPC method on the source node and provide it with the input information (e.g. file paths or block devices) and the certificate identities.

The RPC method will write the identities to a place accessible by the HTTP request handler, generate unique transfer IDs and return them to the master. The transfer ID could be a filename containing the certificate’s serial number, fingerprint and some disk information. The file containing the per-transfer information is signed using the node daemon key and the signature written to a separate file.

Once everything is in place, the master sends the certificates, the data and notification URLs (which include the transfer IDs) and the public part of the source’s CA to the job submitter. Like in version 1, everything will be signed using the cluster domain secret.

Upon receiving a request, the handler verifies the identity and continues to stream the instance data. The serial number and fingerprint contained in the transfer ID should be matched with the certificate used. If a cluster-local import/export was requested, the remote’s certificate is verified with the local node daemon key. The signature of the information file from which the handler takes the path of the block device (and more) is verified using the local node daemon certificate. There are two options for handling requests, CGI and FastCGI.

To wait for all requests to finish, the master calls another RPC method. The destination should notify the source once it’s done with downloading the data. Since this notification may never arrive (e.g. network issues), an additional timeout needs to be used.

There is no good way to avoid polling as the HTTP requests will be handled asynchronously in another process. Once, and if, implemented RPC feedback could be used to combine the two RPC methods.

Upon completion of the transfer requests, the instance is removed if requested.

Option 1: CGI

While easier to implement, this option requires the HTTP server to either run as “root” or a so-called SUID binary to elevate the started process to run as “root”.

The export data can be sent directly to the HTTP server without any further processing.

Option 2: FastCGI

Unlike plain CGI, FastCGI scripts are run separately from the webserver. The webserver talks to them via a Unix socket. Webserver and scripts can run as separate users. Unlike for CGI, there are almost no bootstrap costs attached to each request.

The FastCGI protocol requires data to be sent in length-prefixed packets, something which wouldn’t be very efficient to do in Python for large amounts of data (instance imports/exports can be hundreds of gigabytes). For this reason the proposal is to use a wrapper program written in C (e.g. fcgiwrap) and to write the handler like an old-style CGI program with standard input/output. If data should be copied from a file, cat, dd or socat can be used (see note about sendfile(2)/splice(2) with Python).

The bootstrap cost associated with starting a Python interpreter for a disk export is expected to be negligible.

The spawn-fcgi program will be used to start the CGI wrapper as “root”.

FastCGI is, in the author’s opinion, the better choice as it allows user separation. As a first implementation step the export handler can be run as a standard CGI program. User separation can be implemented as a second step.


The destination can be the same physical machine as the source, another node in the same cluster, or a node in another cluster. While not considered in this design document, instances could be exported from the cluster by implementing an external client for exports.

For traditional exports the destination is usually a file on the destination machine. For imports and remote exports, the destination is an instance’s disks. All transported data is opaque to Ganeti.

Before an import can be started, an RSA key and corresponding Certificate Signing Request (CSR) must be generated using the new opcode OpInstanceImportPrepare. The returned information is signed using the cluster domain secret. The RSA key backing the CSR must not leave the destination cluster. After being passed through a third party, the source cluster will generate signed certificates from the CSR.

Once the request for creating the instance arrives at the master daemon, it’ll create the instance and call an RPC method on the instance’s primary node to download all data. The RPC method does not return until the transfer is complete or failed (see EXP_SIZE_FD and RPC feedback).

The node will use pycURL to connect to the source machine and identify itself with the signed certificate received. pycURL will be configured to write directly to a file descriptor pointing to either a regular file or block device. The file descriptor needs to point to the correct offset for resuming downloads.

Using cURL’s multi interface, more than one transfer can be made at the same time. While parallel transfers are used by the version 1 import/export, it can be decided at a later time whether to use them in version 2 too. More investigation is necessary to determine whether CURLOPT_MAXCONNECTS is enough to limit the number of connections or whether more logic is necessary.

If a transfer fails before it’s finished (e.g. timeout or network issues) it should be retried using an exponential backoff delay. The opcode submitter can specify for how long the transfer should be retried.

At the end of a transfer, succssful or not, the source cluster must be notified. A the same time the RSA key needs to be destroyed.

Support for HTTP proxies can be implemented by setting CURLOPT_PROXY. Proxies could be used for moving instances in/out of restricted network environments or across protocol borders (e.g. IPv4 networks unable to talk to IPv6 networks).

The big picture for instance moves

  1. OpInstanceImportPrepare (destination cluster)
Create RSA key and CSR (certificate signing request), return signed with cluster domain secret.
  1. OpBackupPrepare (source cluster)
Becomes a no-op in version 2, but see Backwards compatibility.
  1. OpBackupExport (source cluster)
  • Receives destination cluster’s CSR, verifies signature using cluster domain secret.
  • Creates certificates using CSR and cluster CA, one for each disk
  • Stop instance, create snapshots, start instance
  • Prepare HTTP resources on node
  • Send certificates, URLs and CA certificate to job submitter using feedback mechanism
  • Wait for all transfers to finish or fail (with timeout)
  • Remove snapshots
  1. OpInstanceCreate (destination cluster)
  • Receives certificates signed by destination cluster, verifies certificates and URLs using cluster domain secret

    Note that the parameters should be implemented in a generic way allowing future extensions, e.g. to download disk images from a public, remote server. The cluster domain secret allows Ganeti to check data received from a third party, but since this won’t work with such extensions, other checks will have to be designed.

  • Create block devices

  • Download every disk from source, verified using remote’s CA and authenticated using signed certificates

  • Destroy RSA key and certificates

  • Start instance

HTTP resources on source

The HTTP resources listed below will be made available by the source machine. The transfer ID is generated while preparing the export and is unique per disk and instance. No caching should be used and the Pragma (HTTP/1.0) and Cache-Control (HTTP/1.1) headers set accordingly by the server.

GET /transfers/[transfer_id]/contents

Dump disk contents. Important request headers:

Accept (RFC 2616, section 14.1)

Specify preferred media types. Only one type is supported in the initial implementation:

Request raw disk content.

If support for more media types were to be implemented in the future, the “q” parameter used for “indicating a relative quality factor” needs to be used. In the meantime parameters need to be expected, but can be ignored.

If support for OS scripts were to be re-added in the future, the MIME type application/x-ganeti-instance-export is hereby reserved for disk dumps using an export script.

If the source can not satisfy the request the response status code will be 406 (Not Acceptable). Successful requests will specify the used media type using the Content-Type header. Unless only exactly one media type is requested, the client must handle the different response types.

Accept-Encoding (RFC 2616, section 14.3)

Specify desired content coding. Supported are identity for uncompressed data, gzip for compressed data and * for any. The response will include a Content-Encoding header with the actual coding used. If the client specifies an unknown coding, the response status code will be 406 (Not Acceptable).

If the client specifically needs compressed data (see Compression) but only gets identity, it can either compress locally or abort the request.

Range (RFC 2616, section 14.35)

Raw disk dumps can be resumed using this header (e.g. after a network issue).

If this header was given in the request and the source supports resuming, the status code of the response will be 206 (Partial Content) and it’ll include the Content-Range header as per RFC 2616. If it does not support resuming or the request was not specifying a range, the status code will be 200 (OK).

Only a single byte range is supported. cURL does not support multipart/byteranges responses by itself. Even if they could be somehow implemented, doing so would be of doubtful benefit for import/export.

For raw data dumps handling ranges is pretty straightforward by just dumping the requested range.

cURL will fail with the error code CURLE_RANGE_ERROR if a request included a range but the server can’t handle it. The request must be retried without a range.

POST /transfers/[transfer_id]/done
Use this resource to notify the source when transfer is finished (even if not successful). The status code will be 204 (No Content).

Code samples

pycURL to file

The following code sample shows how to write downloaded data directly to a file without pumping it through Python:

curl = pycurl.Curl()
curl.setopt(pycurl.URL, "")
curl.setopt(pycurl.WRITEDATA, open("googlecom.html", "w"))

This works equally well if the file descriptor is a pipe to another process.

Backwards compatibility

Version 1

The old inter-cluster import/export implementation described in the Ganeti 2.2 design document will be supported for at least one minor (2.x) release. Intra-cluster imports/exports will use the new version right away.


Together with the improved import/export infrastructure Ganeti 2.2 allowed instance export scripts to report the expected data size. This was then used to provide the user with an estimated remaining time. Version 2 no longer supports OS import/export scripts and therefore EXP_SIZE_FD is no longer needed.


Version 1 used explicit compression using gzip for transporting data, but the dumped files didn’t use any compression. Version 2 will allow the destination to specify which encoding should be used. This way the transported data is already compressed and can be directly used by the client (see HTTP resources on source). The cURL option CURLOPT_ENCODING can be used to set the Accept-Encoding header. cURL will not decompress received data when CURLOPT_HTTP_CONTENT_DECODING is set to zero (if another HTTP client library were used which doesn’t support disabling transparent compression, a custom content-coding type could be defined, e.g. x-ganeti-gzip).


The HTTP/1.1 protocol (RFC 2616) defines trailing headers for chunked transfers in section 3.6.1. This could be used to transfer a checksum at the end of an import/export. cURL supports trailing headers since version 7.14.1. Lighttpd doesn’t seem to support them for FastCGI, but they appear to be usable in combination with an NPH CGI (No Parsed Headers).

Lighttpd allows FastCGI applications to send the special headers X-Sendfile and X-Sendfile2 (the latter with a range). Using these headers applications can send response headers and tell the webserver to serve regular file stored on the file system as a response body. The webserver will then take care of sending that file. Unfortunately this mechanism is restricted to regular files and can not be used for data from programs, neither direct nor via named pipes, without writing to a file first. The latter is not an option as instance data can be very large. Theoretically X-Sendfile could be used for sending the input for a file-based instance import, but that’d require the webserver to run as “root”.

Python does not include interfaces for the sendfile(2) or splice(2) system calls. The latter can be useful for faster copying of data between file descriptors. There are some 3rd-party modules (e.g. and discussions ( for including support for sendfile(2), but the later is certainly not going to happen for the Python versions supported by Ganeti. Calling the function using the ctypes module might be possible.

Performance considerations

The design described above was confirmed to be one of the better choices in terms of download performance with bigger block sizes. All numbers were gathered on the same physical machine with a single CPU and 1 GB of RAM while downloading 2 GB of zeros read from /dev/zero. wget (version 1.10.2) was used as the client, lighttpd (version 1.4.28) as the server. The numbers in the first line are in megabytes per second. The second line in each row is the CPU time spent in userland respective system (measured for the CGI/FastCGI program using time -v).

Block size                      4 KB    64 KB   128 KB    1 MB    4 MB
Plain CGI script reading          83      174      180     122     120
from ``/dev/zero``
                             0.6/3.9  0.1/2.4  0.1/2.2 0.0/1.9 0.0/2.1
FastCGI with ``fcgiwrap``,        86      167      170     177     174
``dd`` reading from
``/dev/zero``                  1.1/5  0.5/2.9  0.5/2.7 0.7/3.1 0.7/2.8
FastCGI with ``fcgiwrap``,        68      146      150     170     170
Python script copying from
``/dev/zero`` to stdout
                             1.3/5.1  0.8/3.7  0.7/3.3  0.9/2.9  0.8/3
FastCGI, Python script using      31       48       47       5       1
``flup`` library (version
1.0.2) reading from
                            23.5/9.8 14.3/8.5   16.1/8       -       -

It should be mentioned that the flup library is not implemented in the most efficient way, but even with some changes it doesn’t get much faster. It is fine for small amounts of data, but not for huge transfers.

Other considered solutions

Another possible solution considered was to use socat like version 1 did. Due to the changing model, a large part of the code would’ve required a rewrite anyway, while still not fixing all shortcomings. For example, socat could still listen on only one protocol, IPv4 or IPv6. Running two separate instances might have fixed that, but it’d get more complicated. Using an existing HTTP server will provide us with a number of other benefits as well, such as easier user separation between server and backend.