Design for import/export version 2¶
Design for import/export version 2
Current state and shortcomings¶
Ganeti 2.2 introduced inter-cluster instance moves and replaced the import/export mechanism with the same technology. It’s since shown that the chosen implementation was too complicated and and can be difficult to debug.
The old implementation is henceforth called “version 1”. It used
socat in combination with a rather complex tree of
Python utilities to move instances between clusters and import/export
them inside the cluster. Due to protocol limitations, the master daemon
starts a daemon on the involved nodes and then keeps polling a status
file for updates. A non-trivial number of timeouts ensures that jobs
In version 1, the destination node would start a daemon listening on a random TCP port. Upon receiving the destination information, the source node would temporarily stop the instance, create snapshots, and start exporting the data by connecting to the destination. The random TCP port is chosen by the operating system by binding the socket to port 0. While this is a somewhat elegant solution, it causes problems in setups with restricted connectivity (e.g. iptables).
Another issue encountered was with dual-stack IPv6 setups.
only listen on one protocol, IPv4 or IPv6, at a time. The connecting
node can not simply resolve the DNS name, but it must be told the exact
Instance OS definitions can provide custom import/export scripts. They
were working well in the early days when a filesystem was usually
created directly on the block device. Around Ganeti 2.0 there was a
transition to using partitions on the block devices. Import/export
scripts could no longer use simple
but usually ended up doing raw data dumps.
Unlike in version 1, in version 2 the destination node will connect to the source. The active side is swapped. This design assumes the following design documents have been implemented:
The following design is mostly targetted at inter-cluster instance moves. Intra-cluster import and export use the same technology, but do so in a less complicated way (e.g. reusing the node daemon certificate in version 1).
Support for instance OS import/export scripts, which have been in Ganeti since the beginning, will be dropped with this design. Should the need arise, they can be re-added later.
HTTP client: cURL/pycURL (already used for inter-node RPC and RAPI client)
Authentication: X509 certificates (server and client)
Instead of a home-grown, mostly raw protocol the widely used HTTP protocol will be used. Ganeti already uses HTTP for its Remote API and inter-node communication. Encryption and authentication will be implemented using SSL and X509 certificates.
The source machine will identify connecting clients by their SSL certificate. Unknown certificates will be refused.
Version 1 created a new self-signed certificate per instance
import/export, allowing the certificate to be used as a Certificate
Authority (CA). This worked by means of starting a new
instance per instance import/export.
Under the version 2 model, a continuously running HTTP server will be used. This disallows the use of self-signed certificates for authentication as the CA needs to be the same for all issued certificates.
See the separate design document for more details on how the certificate authority will be implemented.
Local imports/exports will, like version 1, use the node daemon’s
certificate/key. Doing so allows the verification of local connections.
The client’s certificate can be exported to the CGI/FastCGI handler
ssl.verifyclient.exportcert setting. If a
cluster-local import/export is being done, the handler verifies if the
used certificate matches with the local node daemon key.
The source can be the same physical machine as the destination, another node in the same cluster, or a node in another cluster. A physical-to-virtual migration mechanism could be implemented as an alternative source.
In the case of a traditional import, the source is usually a file on the source machine. For exports and remote imports, the source is an instance’s raw disk data. In all cases the transported data is opaque to Ganeti.
All nodes of a cluster will run an instance of Lighttpd. The configuration is automatically generated when starting Ganeti. The HTTP server is configured to listen on IPv4 and IPv6 simultaneously. Imports/exports will use a dedicated TCP port, similar to the Remote API.
See the separate HTTP server design document for why Ganeti’s existing, built-in HTTP server is not a good choice.
The source cluster is provided with a X509 Certificate Signing Request (CSR) for a key private to the destination cluster.
After shutting down the instance, creating snapshots and restarting the instance the master will sign the destination’s X509 certificate using the X509 CA once per instance disk. Instead of using another identifier, the certificate’s serial number (never reused) and fingerprint are used to identify incoming requests. Once ready, the master will call an RPC method on the source node and provide it with the input information (e.g. file paths or block devices) and the certificate identities.
The RPC method will write the identities to a place accessible by the HTTP request handler, generate unique transfer IDs and return them to the master. The transfer ID could be a filename containing the certificate’s serial number, fingerprint and some disk information. The file containing the per-transfer information is signed using the node daemon key and the signature written to a separate file.
Once everything is in place, the master sends the certificates, the data and notification URLs (which include the transfer IDs) and the public part of the source’s CA to the job submitter. Like in version 1, everything will be signed using the cluster domain secret.
Upon receiving a request, the handler verifies the identity and continues to stream the instance data. The serial number and fingerprint contained in the transfer ID should be matched with the certificate used. If a cluster-local import/export was requested, the remote’s certificate is verified with the local node daemon key. The signature of the information file from which the handler takes the path of the block device (and more) is verified using the local node daemon certificate. There are two options for handling requests, CGI and FastCGI.
To wait for all requests to finish, the master calls another RPC method. The destination should notify the source once it’s done with downloading the data. Since this notification may never arrive (e.g. network issues), an additional timeout needs to be used.
There is no good way to avoid polling as the HTTP requests will be handled asynchronously in another process. Once, and if, implemented RPC feedback could be used to combine the two RPC methods.
Upon completion of the transfer requests, the instance is removed if requested.
Option 1: CGI¶
While easier to implement, this option requires the HTTP server to either run as “root” or a so-called SUID binary to elevate the started process to run as “root”.
The export data can be sent directly to the HTTP server without any further processing.
Option 2: FastCGI¶
Unlike plain CGI, FastCGI scripts are run separately from the webserver. The webserver talks to them via a Unix socket. Webserver and scripts can run as separate users. Unlike for CGI, there are almost no bootstrap costs attached to each request.
The FastCGI protocol requires data to be sent in length-prefixed
packets, something which wouldn’t be very efficient to do in Python for
large amounts of data (instance imports/exports can be hundreds of
gigabytes). For this reason the proposal is to use a wrapper program
written in C (e.g. fcgiwrap) and to write the handler
like an old-style CGI program with standard input/output. If data should
be copied from a file,
socat can be used (see
note about sendfile(2)/splice(2) with Python).
The bootstrap cost associated with starting a Python interpreter for a disk export is expected to be negligible.
The spawn-fcgi program will be used to start the CGI wrapper as “root”.
FastCGI is, in the author’s opinion, the better choice as it allows user separation. As a first implementation step the export handler can be run as a standard CGI program. User separation can be implemented as a second step.
The destination can be the same physical machine as the source, another node in the same cluster, or a node in another cluster. While not considered in this design document, instances could be exported from the cluster by implementing an external client for exports.
For traditional exports the destination is usually a file on the destination machine. For imports and remote exports, the destination is an instance’s disks. All transported data is opaque to Ganeti.
Before an import can be started, an RSA key and corresponding
Certificate Signing Request (CSR) must be generated using the new opcode
OpInstanceImportPrepare. The returned information is signed using
the cluster domain secret. The RSA key backing the CSR must not leave
the destination cluster. After being passed through a third party, the
source cluster will generate signed certificates from the CSR.
Once the request for creating the instance arrives at the master daemon, it’ll create the instance and call an RPC method on the instance’s primary node to download all data. The RPC method does not return until the transfer is complete or failed (see EXP_SIZE_FD and RPC feedback).
The node will use pycURL to connect to the source machine and identify itself with the signed certificate received. pycURL will be configured to write directly to a file descriptor pointing to either a regular file or block device. The file descriptor needs to point to the correct offset for resuming downloads.
Using cURL’s multi interface, more than one transfer can be made at the
same time. While parallel transfers are used by the version 1
import/export, it can be decided at a later time whether to use them in
version 2 too. More investigation is necessary to determine whether
CURLOPT_MAXCONNECTS is enough to limit the number of connections or
whether more logic is necessary.
If a transfer fails before it’s finished (e.g. timeout or network issues) it should be retried using an exponential backoff delay. The opcode submitter can specify for how long the transfer should be retried.
At the end of a transfer, successful or not, the source cluster must be notified. A the same time the RSA key needs to be destroyed.
Support for HTTP proxies can be implemented by setting
CURLOPT_PROXY. Proxies could be used for moving instances in/out of
restricted network environments or across protocol borders (e.g. IPv4
networks unable to talk to IPv6 networks).
The big picture for instance moves¶
Create RSA key and CSR (certificate signing request), return signed with cluster domain secret.
Becomes a no-op in version 2, but see Backwards compatibility.
Receives destination cluster’s CSR, verifies signature using cluster domain secret.
Creates certificates using CSR and cluster CA, one for each disk
Stop instance, create snapshots, start instance
Prepare HTTP resources on node
Send certificates, URLs and CA certificate to job submitter using feedback mechanism
Wait for all transfers to finish or fail (with timeout)
Receives certificates signed by destination cluster, verifies certificates and URLs using cluster domain secret
Note that the parameters should be implemented in a generic way allowing future extensions, e.g. to download disk images from a public, remote server. The cluster domain secret allows Ganeti to check data received from a third party, but since this won’t work with such extensions, other checks will have to be designed.
Create block devices
Download every disk from source, verified using remote’s CA and authenticated using signed certificates
Destroy RSA key and certificates
HTTP resources on source¶
The HTTP resources listed below will be made available by the source
machine. The transfer ID is generated while preparing the export and is
unique per disk and instance. No caching should be used and the
Pragma (HTTP/1.0) and
Cache-Control (HTTP/1.1) headers set
accordingly by the server.
Dump disk contents. Important request headers:
Accept(RFC 2616, section 14.1)
Specify preferred media types. Only one type is supported in the initial implementation:
Request raw disk content.
If support for more media types were to be implemented in the future, the “q” parameter used for “indicating a relative quality factor” needs to be used. In the meantime parameters need to be expected, but can be ignored.
If support for OS scripts were to be re-added in the future, the MIME type
application/x-ganeti-instance-exportis hereby reserved for disk dumps using an export script.
If the source can not satisfy the request the response status code will be 406 (Not Acceptable). Successful requests will specify the used media type using the
Content-Typeheader. Unless only exactly one media type is requested, the client must handle the different response types.
Accept-Encoding(RFC 2616, section 14.3)
Specify desired content coding. Supported are
identityfor uncompressed data,
gzipfor compressed data and
*for any. The response will include a
Content-Encodingheader with the actual coding used. If the client specifies an unknown coding, the response status code will be 406 (Not Acceptable).
If the client specifically needs compressed data (see Compression) but only gets
identity, it can either compress locally or abort the request.
Range(RFC 2616, section 14.35)
Raw disk dumps can be resumed using this header (e.g. after a network issue).
If this header was given in the request and the source supports resuming, the status code of the response will be 206 (Partial Content) and it’ll include the
Content-Rangeheader as per RFC 2616. If it does not support resuming or the request was not specifying a range, the status code will be 200 (OK).
Only a single byte range is supported. cURL does not support
multipart/byterangesresponses by itself. Even if they could be somehow implemented, doing so would be of doubtful benefit for import/export.
For raw data dumps handling ranges is pretty straightforward by just dumping the requested range.
cURL will fail with the error code
CURLE_RANGE_ERRORif a request included a range but the server can’t handle it. The request must be retried without a range.
Use this resource to notify the source when transfer is finished (even if not successful). The status code will be 204 (No Content).
pycURL to file¶
The following code sample shows how to write downloaded data directly to a file without pumping it through Python:
curl = pycurl.Curl() curl.setopt(pycurl.URL, "http://www.google.com/") curl.setopt(pycurl.WRITEDATA, open("googlecom.html", "w")) curl.perform()
This works equally well if the file descriptor is a pipe to another process.
The old inter-cluster import/export implementation described in the Ganeti 2.2 design document will be supported for at least one minor (2.x) release. Intra-cluster imports/exports will use the new version right away.
Together with the improved import/export infrastructure Ganeti 2.2
allowed instance export scripts to report the expected data size. This
was then used to provide the user with an estimated remaining time.
Version 2 no longer supports OS import/export scripts and therefore
EXP_SIZE_FD is no longer needed.
Version 1 used explicit compression using
gzip for transporting
data, but the dumped files didn’t use any compression. Version 2 will
allow the destination to specify which encoding should be used. This way
the transported data is already compressed and can be directly used by
the client (see HTTP resources on source). The cURL option
CURLOPT_ENCODING can be used to set the
cURL will not decompress received data when
CURLOPT_HTTP_CONTENT_DECODING is set to zero (if another HTTP client
library were used which doesn’t support disabling transparent
compression, a custom content-coding type could be defined, e.g.
The HTTP/1.1 protocol (RFC 2616) defines trailing headers for chunked transfers in section 3.6.1. This could be used to transfer a checksum at the end of an import/export. cURL supports trailing headers since version 7.14.1. Lighttpd doesn’t seem to support them for FastCGI, but they appear to be usable in combination with an NPH CGI (No Parsed Headers).
Lighttpd allows FastCGI applications to send the special headers
X-Sendfile2 (the latter with a range). Using
these headers applications can send response headers and tell the
webserver to serve regular file stored on the file system as a response
body. The webserver will then take care of sending that file.
Unfortunately this mechanism is restricted to regular files and can not
be used for data from programs, neither direct nor via named pipes,
without writing to a file first. The latter is not an option as instance
data can be very large. Theoretically
X-Sendfile could be used for
sending the input for a file-based instance import, but that’d require
the webserver to run as “root”.
Python does not include interfaces for the
splice(2) system calls. The latter can be useful for faster copying
of data between file descriptors. There are some 3rd-party modules (e.g.
http://pypi.python.org/pypi/py-sendfile/) and discussions
(http://bugs.python.org/issue10882) for including support for
sendfile(2), but the later is certainly not going to happen for the
Python versions supported by Ganeti. Calling the function using the
ctypes module might be possible.
The design described above was confirmed to be one of the better choices
in terms of download performance with bigger block sizes. All numbers
were gathered on the same physical machine with a single CPU and 1 GB of
RAM while downloading 2 GB of zeros read from
(version 1.10.2) was used as the client,
lighttpd (version 1.4.28)
as the server. The numbers in the first line are in megabytes per
second. The second line in each row is the CPU time spent in userland
respective system (measured for the CGI/FastCGI program using
---------------------------------------------------------------------- Block size 4 KB 64 KB 128 KB 1 MB 4 MB ====================================================================== Plain CGI script reading 83 174 180 122 120 from ``/dev/zero`` 0.6/3.9 0.1/2.4 0.1/2.2 0.0/1.9 0.0/2.1 ---------------------------------------------------------------------- FastCGI with ``fcgiwrap``, 86 167 170 177 174 ``dd`` reading from ``/dev/zero`` 1.1/5 0.5/2.9 0.5/2.7 0.7/3.1 0.7/2.8 ---------------------------------------------------------------------- FastCGI with ``fcgiwrap``, 68 146 150 170 170 Python script copying from ``/dev/zero`` to stdout 1.3/5.1 0.8/3.7 0.7/3.3 0.9/2.9 0.8/3 ---------------------------------------------------------------------- FastCGI, Python script using 31 48 47 5 1 ``flup`` library (version 1.0.2) reading from ``/dev/zero`` 23.5/9.8 14.3/8.5 16.1/8 - - ----------------------------------------------------------------------
It should be mentioned that the
flup library is not implemented in
the most efficient way, but even with some changes it doesn’t get much
faster. It is fine for small amounts of data, but not for huge
Other considered solutions¶
Another possible solution considered was to use
socat like version 1
did. Due to the changing model, a large part of the code would’ve
required a rewrite anyway, while still not fixing all shortcomings. For
socat could still listen on only one protocol, IPv4 or
IPv6. Running two separate instances might have fixed that, but it’d get
more complicated. Using an existing HTTP server will provide us with a
number of other benefits as well, such as easier user separation between
server and backend.