[Release] Perspectives Server v3.4.1


Dave Schaefer

Dec 31, 2014, 7:22:43 PM
to perspect...@googlegroups.com
I'm happy to announce that Perspectives Server version 3.4.1 has been released!

This is a minor release to fix the HTML for the static server index
page. It also fixes the upgrade documentation, to clarify when
database changes need to be made during an upgrade (hopefully very
rarely, and not for this release), and contains several updates to the
documentation. Full changelist below.

This update contains no data changes, only code changes, so upgrading is easy:
1. Stop your server
2. Sync new code with 'git pull'
3. Start your server.

These steps have also been included in the doc/upgrades directory.

As always, if you have any questions or comments just ask!


Full changelog
---

3.4.1
-----
* Fix HTML in static index page
* Move CSS to its own file, rather than inline, so Content Security
Policies can be properly applied.
* Convert README and Amazon guide to markdown format
* Update Amazon guide
* Add document explaining the notary API
* Add basic guide on using nginx as a cache and proxy
* Fix 'upgrades' directory so steps are more clear
* Clean up unused function parameters

Gerold Meisinger

Jan 3, 2015, 9:55:10 AM
to perspect...@googlegroups.com
On 2015-01-01 01:22, Dave Schaefer wrote:
> I'm happy to announce that Perspectives Server version 3.4.1 has been released!

Cool!

> * Add basic guide on using nginx as a cache and proxy

Okay, so nginx isn't activated by default with this update. *reading doc*.


> $ update-rc.d nginx defaults

This should probably be sudo'd also. I got:
>> insserv: fopen(.depend.stop): Permission denied

> $ sudo /etc/init.d/nginx restart

>> nginx: [emerg] mkdir() "/home/ubuntu/nginx/cache" failed (2: No such
file or directory)

You hardcoded the home dir there.


> Configure CherryPy

A notary administrator who has no knowledge of the Perspectives server
internals may be confused about what's meant by "CherryPy". As I
understand it, it's the underlying python web engine?

> To change the notary's internal CherryPy port, pass the --webport 8081
parameter when you launch CherryPy.

Does this mean that all users have to change the port as well? Wouldn't
it be simpler to just change the nginx.conf to 8080?


Alright, I updated the server and installed and configured nginx.
What is the easiest way to verify that the server is indeed profiting
from nginx caching?

Btw: Can you please add my server to the third-party list:

195.93.242.152:8080

-----BEGIN PUBLIC KEY-----
MIHKMA0GCSqGSIb3DQEBAQUAA4G4ADCBtAKBrAFlIJdwP+1xum2YSI1WHZ20lLBZ
Dpfm8u4yKydq/jv3sQItTo7csdunLcinI/Q5QLd3Ac6ZCnNCYjEwGNQrguYR0USQ
MQWDcBzOhsvLWktFsMXnLCvRak5/rHHuuh6NBwhnayLrJE3hFsTytDpfTxft0Ltm
BFaQHmrEYsYJK9XVPhXUeMaJhFcSyxux4VM2sWw8ADCTDfHIsPsM6Sacd2/kApdv
IWz3hA95qFMCAwEAAQ==
-----END PUBLIC KEY-----



Dave Schaefer

Jan 3, 2015, 3:50:47 PM
to perspect...@googlegroups.com
Hey Gerold, thanks for the feedback.

>so nginx isn't activated by default with this update

No, I don't want to assume that people want to use nginx, or to force
it on them. For example, maybe you are running a server on your
internal network and don't need nginx caching. The heroku notaries do
not use it either, for example.

>You hardcoded the home dir

Ah, you mean in the nginx config file? Yes, that can be fixed.

>A notary administrator who has no knowledge of the Perspectives server
>internals may be confused about what's meant by "CherryPy". As I
>understand it, it's the underlying python web engine?

Sure, I can clarify this. Yes, CherryPy is a python web framework. The
Perspectives notary server uses it to grab notary data and send it to
any requesting clients.

>Does this mean that all users have to change the port as well? Wouldn't
>it be simpler to just change the nginx.conf to 8080?

My goal with adding nginx to the default notaries is to not require
anyone to change their Perspectives extension settings. Right now the
default notaries all run queries on port 8080. So the example nginx
config file has a comment to serve requests from both port 80 and port
8080 - both of those will get mapped to the underlying notary server.
Thus, yes, I changed the notary server to run on port 8081 to talk to
nginx.

Perhaps it would be more clear if we had two configuration files: one
for the default notaries (that I will set up on them) and one for
everyone else, who probably doesn't need to serve requests from port
8080. If we did that, then, yes, we could just change nginx to talk to
port 8080, and that should make it easier to get things running with
the defaults without having to change anything.

Would that be more clear?


>What is the easiest way to verify that the server is indeed profiting
>from nginx caching?

Great question - I'll add this to the guide also.

The easiest way to check is perhaps:

1. Request any data from your notary - e.g. visit http://notary/?host=github.com
2. Look inside the nginx caching directory, likely ~/nginx/cache
3. There should now be a file inside that directory that contains the
XML output sent by the notary (i.e. an XML document with the data for
github.com)

Since the cache files in ~/nginx/cache use random names by default you
may want to look at the file with the most recent modification time.
It is possible to have the cache file names use a naming scheme - like
'github.com.cache' or similar - but I didn't specify that in the
default config file.


Another way to check might be: hammer your notary with many requests
and see if it can keep up ;)
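The three verification steps above, scripted. This is an added example and not part of the thread or of the Perspectives project: it finds the newest file under the nginx cache directory (the guide's ~/nginx/cache, passed in as a parameter) and checks that it contains the reply for the host that was just queried. The sample cache it builds is constructed for offline use and only imitates nginx's layout (a "KEY:" line followed by the response); it is not real notary output.

```shell
#!/bin/sh
# Added example, not part of the thread or the Perspectives project.
# Automates the cache check: after a notary query, locate the most recently
# modified file under the nginx cache directory and confirm it holds the
# reply for the requested host.

# newest_cache_file DIR: print the most recently modified regular file
# below DIR. nginx names entries by a hash of the cache key and may nest
# them in sub-directories, so modification time is the practical way to
# find the entry a query just produced.
newest_cache_file() {
    files=$(find "$1" -type f)
    [ -n "$files" ] || return 1
    # word splitting is intentional: nginx uses plain hex file names
    # shellcheck disable=SC2086
    ls -t $files | head -n 1
}

# cache_has_host DIR HOST: succeed if the newest entry mentions HOST.
# nginx prefixes each entry with a small binary header, then a "KEY: ..."
# line and the raw upstream response, so grep -a is needed.
cache_has_host() {
    f=$(newest_cache_file "$1") || return 1
    grep -aq "$2" "$f"
}

# make_sample_cache: constructed stand-in for ~/nginx/cache so the check
# can be exercised offline. The two entries mimic the KEY line plus body
# layout but are not real notary XML. Prints the directory path.
make_sample_cache() {
    d=$(mktemp -d)
    mkdir -p "$d/a/bc" "$d/f/01"
    printf 'KEY: http://notary/?host=example.org\n<reply>constructed sample for example.org</reply>\n' > "$d/a/bc/older"
    printf 'KEY: http://notary/?host=github.com\n<reply>constructed sample for github.com</reply>\n' > "$d/f/01/newer"
    # explicit timestamps so the ordering does not depend on clock resolution
    touch -t 201501031200.00 "$d/a/bc/older"
    touch -t 201501031201.00 "$d/f/01/newer"
    echo "$d"
}

# Against a live notary the usage would be (assumed paths):
#   curl -s 'http://notary/?host=github.com' > /dev/null
#   cache_has_host ~/nginx/cache github.com && echo "reply was cached"
```

If nothing turns up, the usual causes are a `proxy_cache_path` that points at a directory the nginx worker cannot write, or the query having been sent straight to the notary's port instead of through nginx.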

Dave Schaefer

Jan 3, 2015, 3:55:03 PM
to perspect...@googlegroups.com
I have added 195.93.242.152:8080 to the third-party notary list

Gerold Meisinger

Jan 3, 2015, 4:59:47 PM
to perspect...@googlegroups.com
On 2015-01-03 21:50, Dave Schaefer wrote:
> My goal with adding nginx to the default notaries is to not require
> anyone to change their Perspectives extension settings. Right now the
> default notaries all run queries on port 8080. So the example nginx
> config file has a comment to serve requests from both port 80 and port
> 8080 - both of those will get mapped to the underlying notary server.
> Thus, yes, I changed the notary server to run on port 8081 to talk to
> nginx.

I'm confused. If the CherryPy part listens to 8081 how does nginx notice?

I'm running my Perspectives server with all default settings and it
listens to 80 and 8080.

> Perhaps it would be more clear if we had two configuration files: one
> for the default notaries (that I will set up on them) and one for
> everyone else, who probably doesn't need to serve requests from port
> 8080. If we did that, then, yes, we could just change nginx to talk to
> port 8080, and that should make it easier to get things running with
> the defaults without having to change anything.

Did I understand it correctly that you can talk to the server via
80/8080 which will use CherryPy only and 8081 will also make use of the
nginx cache? If so, I think it's better to state both options and
instruct the user what to do.

> Would that be more clear?

Btw I didn't look at or change the nginx.conf (except for
proxy_cache_path and proxy_pass to 8080) because the guide didn't
instruct me to do so.

> 1. Request any data from your notary - e.g. visit http://notary/?host=github.com
> 2. Look inside the nginx caching directory, likely ~/nginx/cache
> 3. There should now be a file inside that directory that contains the
> XML output sent by the notary (i.e. an XML document with the data for
> github.com)

Ok, successfully verified.



Dave Schaefer

Jan 18, 2015, 12:12:19 AM
to perspect...@googlegroups.com
Hey Gerold, thanks for the feedback. This is useful and I will make
some changes to the guide to make things more clear. I think the best
option might be: make one useful config file that works with all of
the defaults, like you say, and remove any hint of other settings I
use for the default notaries. That way there is less room for
confusion.

If you want to use nginx caching on your notary, it is important to
send all traffic through nginx as a proxy and not send any traffic
directly to the notary server itself.
This setup would look something like this:
https://i.imgur.com/tmGOsUi.png


It is technically possible to send some traffic through nginx to the
notary server and some traffic directly to the notary. I do NOT
recommend doing this; in fact I strongly recommend against it. Such
a setup would likely give you inconsistent results depending on which
port you talked to and what caching system you received a reply from.
It also opens up the notary server to additional attack surface.

To repeat, do NOT do this:
https://i.imgur.com/agtiDby.png


To that end I will do this: leave the default notary server settings
to listen at port 8080, and have the nginx config file take traffic
from 80 and send it to 8080. I would then recommend that notary owners
only open *one* port in their firewall to the outside world. That
should cause all traffic to go from the internet -> nginx -> notary
server.

Does that make more sense?
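The "all defaults" layout described above (nginx listening on 80 in front of the notary on 8080, with only the nginx port reachable from outside), as an added example that is not the nginx.conf shipped with Perspectives Server. The first function writes such a config with the cache directory passed in rather than hard-coded to a home directory; the second audits `ss -ltn` output so an operator can see which ports are listening on non-loopback addresses and confirm that nothing but the nginx port is exposed. The zone name `notary`, the cache sizes and the X-Cache-Status header are assumptions of this example, not settings from the guide, and the `ss` samples are constructed.

```shell
#!/bin/sh
# Added example; not the nginx.conf shipped with Perspectives Server.
# Part 1 writes the layout from the thread: nginx on 80, proxying to the
# notary on 8080 and caching replies on disk.
# Part 2 audits `ss -ltn` output so you can check that only the nginx
# port listens on a non-loopback address.

# write_nginx_conf OUTFILE CACHE_DIR [NOTARY_PORT]
# CACHE_DIR is a parameter instead of a hard-coded home directory.
# Zone name, sizes and the X-Cache-Status header are assumptions here.
write_nginx_conf() {
    out=$1; cache=$2; port=${3:-8080}
    cat > "$out" <<EOF
proxy_cache_path $cache levels=1:2 keys_zone=notary:10m inactive=1h max_size=100m;

server {
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_cache notary;
        proxy_cache_valid 200 1h;
        # reports HIT/MISS in the reply, e.g. via: curl -sI 'http://notary/?host=github.com'
        add_header X-Cache-Status \$upstream_cache_status;
    }
}
EOF
}

# exposed_ports NGINX_PORT < ss-output: print every listening port other
# than NGINX_PORT that is bound to a non-loopback address. Pipe in the
# output of `ss -ltn`; the header line is skipped because its first
# field is not LISTEN.
exposed_ports() {
    awk -v ok="$1" '
        $1 == "LISTEN" {
            split($4, a, ":"); port = a[length(a)]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (port != ok) print port
        }' | sort -u
}

# Constructed `ss -ltn` samples (not captured from a real host).
# BAD_SS: the notary is still reachable on 8080 beside nginx on 80.
BAD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8081    0.0.0.0:*'

# GOOD_SS: only nginx faces the network; the notary is on loopback.
GOOD_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    [::]:80           [::]:*
LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*'

# Live usage (assumed paths):
#   write_nginx_conf /etc/nginx/conf.d/notary.conf /var/cache/nginx/notary
#   ss -ltn | exposed_ports 80    # prints nothing when only nginx is exposed
```

A non-empty result from `exposed_ports` means traffic can still bypass the cache on that port, which is exactly the split setup the message above warns against; the firewall rule the author recommends closes that path from the outside, and this check tells you which ports that rule has to cover.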