Mirroristas/bigchaindb
2
0
Fork 0
mirror of https://github.com/bigchaindb/bigchaindb.git synced 2024-10-13 13:34:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

NGINX frontend for MongoDB and BigchainDB (#1304)

Browse Source 
- Added NGINX deployment to frontend both BDB and MDB.
- Nginx is configured with a whitelist (which is read from a ConfigMap)
to allow only other MDB nodes in the closter to communicate with it.
- Azure LB apparently does not support proxy protocol and hence
whitelisting fails as nginx always observer the LB IP instead of the
real IP in the TCP stream.
- Whitelisting source IPs for MongoDB
- Removing deprecated folder
- Better log format
- Intuitive port number usage
- README and examples
- Addressed a typo in PYTHON_STYLE_GUIDE.md
- Azure LB apparently does not support proxy protocol and hence
whitelisting fails as nginx always observer the LB IP instead of the
real IP in the TCP stream.
- Whitelisting source IPs for MongoDB
- Removing deprecated folder
- Multiple changes:
- Better log format
- Intuitive port number usage
- README and examples
- Addressed a typo in PYTHON_STYLE_GUIDE.md
- Documentation
- add the k8s directory to the ignore list in codecov.yml
This commit is contained in:
Krish 2017-03-22 14:25:25 +01:00 committed by GitHub
parent 10d83c2ab9
commit 425397f644
21 changed files with 462 additions and 694 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
PYTHON_STYLE_GUIDE.md
View File

@ -82,6 +82,6 @@ flake8 --max-line-length 119 bigchaindb/
## Writing and Running (Python) Tests
The content of this section was moved to [`bigchiandb/tests/README.md`](./tests/README.md).
The content of this section was moved to [`bigchaindb/tests/README.md`](./tests/README.md).
Note: We automatically run all tests on all pull requests (using Travis CI), so you should definitely run all tests locally before you submit a pull request. See the above-linked README file for instructions.
Note: We automatically run all tests on all pull requests (using Travis CI), so you should definitely run all tests locally before you submit a pull request. See the above-linked README file for instructions.

1
codecov.yml
View File

@ -32,6 +32,7 @@ coverage:
- "benchmarking-tests/*"
- "speed-tests/*"
- "ntools/*"
- "k8s/*"
comment:
# @stevepeak (from codecov.io) suggested we change 'suggestions' to 'uncovered'

15
docs/server/source/cloud-deployment-templates/add-node-on-kubernetes.rst
View File

@ -161,3 +161,18 @@ zero downtime during updates.
You can SSH to an existing BigchainDB instance and run the ``bigchaindb
show-config`` command to check that the keyring is updated.
Step 7: Run NGINX as a Deployment
---------------------------------
Please refer :ref:`this <Step 10: Run NGINX as a Deployment>` to
set up NGINX in your new node.
Step 8: Test Your New BigchainDB Node
-------------------------------------
Please refer to the testing steps :ref:`here <Step 11: Verify the BigchainDB
Node Setup>` to verify that your new BigchainDB node is working as expected.

121
docs/server/source/cloud-deployment-templates/node-on-kubernetes.rst
View File

@ -195,9 +195,9 @@ which can also be obtained using the ``az account list-locations`` command.
You can also try to assign a name to an Public IP in Azure before starting
the process, or use ``nslookup`` with the name you have in mind to check
if it's available for use.
In the rare chance that name in the ``data.fqdn`` field is not available,
you must create a ConfigMap with a unique name and restart the
MongoDB instance.
You should ensure that the the name specified in the ``data.fqdn`` field is
a unique one.
**Kubernetes on bare-metal or other cloud providers.**
You need to provide the name resolution function
@ -343,8 +343,8 @@ Get the file ``bigchaindb-dep.yaml`` from GitHub using:
$ wget https://raw.githubusercontent.com/bigchaindb/bigchaindb/master/k8s/bigchaindb/bigchaindb-dep.yaml
Note that we set the ``BIGCHAINDB_DATABASE_HOST`` to ``mdb`` which is the name
of the MongoDB service defined earlier.
Note that we set the ``BIGCHAINDB_DATABASE_HOST`` to ``mdb-svc`` which is the
name of the MongoDB service defined earlier.
We also hardcode the ``BIGCHAINDB_KEYPAIR_PUBLIC``,
``BIGCHAINDB_KEYPAIR_PRIVATE`` and ``BIGCHAINDB_KEYRING`` for now.
@ -367,22 +367,55 @@ Create the required Deployment using:
You can check its status using the command ``kubectl get deploy -w``
Step 10: Verify the BigchainDB Node Setup
Step 10: Run NGINX as a Deployment
----------------------------------
NGINX is used as a proxy to both the BigchainDB and MongoDB instances in the
node.
It proxies HTTP requests on port 80 to the BigchainDB backend, and TCP
connections on port 27017 to the MongoDB backend.
You can also configure a whitelist in NGINX to allow only connections from
other instances in the MongoDB replica set to access the backend MongoDB
instance.
Get the file ``nginx-cm.yaml`` from GitHub using:
.. code:: bash
$ wget https://raw.githubusercontent.com/bigchaindb/bigchaindb/master/k8s/nginx/nginx-cm.yaml
The IP address whitelist can be explicitly configured in ``nginx-cm.yaml``
file. You will need a list of the IP addresses of all the other MongoDB
instances in the cluster. If the MongoDB intances specify a hostname, then this
needs to be resolved to the corresponding IP addresses. If the IP address of
any MongoDB instance changes, we can start a 'rolling upgrade' of NGINX after
updating the corresponding ConfigMap without affecting availabilty.
Create the ConfigMap for the whitelist using:
.. code:: bash
$ kubectl apply -f nginx-cm.yaml
Get the file ``nginx-dep.yaml`` from GitHub using:
.. code:: bash
$ wget https://raw.githubusercontent.com/bigchaindb/bigchaindb/master/k8s/nginx/nginx-dep.yaml
Create the NGINX deployment using:
.. code:: bash
$ kubectl apply -f nginx-dep.yaml
Step 11: Verify the BigchainDB Node Setup
-----------------------------------------
Step 10.1: Testing Externally
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Try to access the ``<dns/ip of your exposed bigchaindb service endpoint>:9984``
on your browser. You must receive a json output that shows the BigchainDB
server version among other things.
Try to access the ``<dns/ip of your exposed mongodb service endpoint>:27017``
on your browser. You must receive a message from MongoDB stating that it
doesn't allow HTTP connections to the port anymore.
Step 10.2: Testing Internally
Step 11.1: Testing Internally
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Run a container that provides utilities like ``nslookup``, ``curl`` and ``dig``
@ -392,23 +425,53 @@ on the cluster and query the internal DNS and IP endpoints.
$ kubectl run -it toolbox -- image <docker image to run> --restart=Never --rm
It will drop you to the shell prompt.
Now you can query for the ``mdb`` and ``bdb`` service details.
.. code:: bash
$ nslookup mdb
$ dig +noall +answer _mdb-port._tcp.mdb.default.svc.cluster.local SRV
$ curl -X GET http://mdb:27017
$ curl -X GET http://bdb:9984
There is a generic image based on alpine:3.5 with the required utilities
hosted at Docker Hub under ``bigchaindb/toolbox``.
The corresponding Dockerfile is `here
<https://github.com/bigchaindb/bigchaindb/k8s/toolbox/Dockerfile>`_.
You can use it as below to get started immediately:
.. code:: bash
$ kubectl run -it toolbox --image bigchaindb/toolbox --restart=Never --rm
It will drop you to the shell prompt.
Now you can query for the ``mdb`` and ``bdb`` service details.
.. code:: bash
# nslookup mdb-svc
# nslookup bdb-svc
# nslookup ngx-svc
# dig +noall +answer _mdb-port._tcp.mdb-svc.default.svc.cluster.local SRV
# dig +noall +answer _bdb-port._tcp.bdb-svc.default.svc.cluster.local SRV
# dig +noall +answer _ngx-public-mdb-port._tcp.ngx-svc.default.svc.cluster.local SRV
# dig +noall +answer _ngx-public-bdb-port._tcp.ngx-svc.default.svc.cluster.local SRV
# curl -X GET http://mdb-svc:27017
# curl -X GET http://bdb-svc:9984
# curl -X GET http://ngx-svc:80
# curl -X GET http://ngx-svc:27017
The ``nslookup`` commands should output the configured IP addresses of the
services in the cluster
The ``dig`` commands should return the port numbers configured for the
various services in the cluster.
Finally, the ``curl`` commands test the availability of the services
themselves.
Step 11.2: Testing Externally
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Try to access the ``<dns/ip of your exposed bigchaindb service endpoint>:80``
on your browser. You must receive a json output that shows the BigchainDB
server version among other things.
Try to access the ``<dns/ip of your exposed mongodb service endpoint>:27017``
on your browser. If your IP is in the whitelist, you will receive a message
from the MongoDB instance stating that it doesn't allow HTTP connections to
the port anymore. If your IP is not in the whitelist, your access will be
blocked and you will not see any response from the MongoDB instance.

2
docs/server/source/cloud-deployment-templates/template-kubernetes-azure.rst
View File

@ -168,7 +168,7 @@ using something like:
.. code:: bash
$ ssh ssh ubuntu@k8s-agent-4AC80E97-0
$ ssh ubuntu@k8s-agent-4AC80E97-0
where ``k8s-agent-4AC80E97-0`` is the name
of a Kubernetes agent node in your Kubernetes cluster.

20
k8s/bigchaindb/bigchaindb-dep.yaml
View File

@ -1,44 +1,47 @@
###############################################################
# This config file runs bigchaindb:master as a k8s Deployment #
# and it connects to the mongodb backend on a separate pod #
# and it connects to the mongodb backend running as a #
# separate pod #
###############################################################
apiVersion: v1
kind: Service
metadata:
name: bdb
name: bdb-svc
namespace: default
labels:
name: bdb
name: bdb-svc
spec:
selector:
app: bdb
app: bdb-dep
ports:
- port: 9984
targetPort: 9984
name: bdb-port
type: LoadBalancer
type: ClusterIP
clusterIP: None
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: bdb
name: bdb-dep
spec:
replicas: 1
template:
metadata:
labels:
app: bdb
app: bdb-dep
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bigchaindb
image: bigchaindb/bigchaindb:master
imagePullPolicy: IfNotPresent
args:
- start
env:
- name: BIGCHAINDB_DATABASE_HOST
value: mdb
value: mdb-svc
- name: BIGCHAINDB_DATABASE_PORT
# TODO(Krish): remove hardcoded port
value: "27017"
@ -58,7 +61,6 @@ spec:
value: "120"
- name: BIGCHAINDB_KEYRING
value: ""
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984

89
k8s/deprecated.to.del/bdb-mdb-dep.yaml
View File

@ -1,89 +0,0 @@
###############################################################
# This config file runs bigchaindb:latest and connects to the #
# mongodb backend as a service #
###############################################################
apiVersion: v1
kind: Service
metadata:
name: bdb-mdb-service
namespace: default
labels:
name: bdb-mdb-service
spec:
selector:
app: bdb-mdb
ports:
- port: 9984
targetPort: 9984
name: bdb-api
type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: bdb-mdb
spec:
replicas: 1
template:
metadata:
labels:
app: bdb-mdb
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bdb-mdb
image: bigchaindb/bigchaindb:latest
args:
- start
env:
- name: BIGCHAINDB_DATABASE_HOST
value: mdb-service
- name: BIGCHAINDB_DATABASE_PORT
value: "27017"
- name: BIGCHAINDB_DATABASE_REPLICASET
value: bigchain-rs
- name: BIGCHIANDB_DATABASE_BACKEND
value: mongodb
- name: BIGCHAINDB_DATABASE_NAME
value: bigchain
- name: BIGCHAINDB_SERVER_BIND
value: 0.0.0.0:9984
- name: BIGCHAINDB_KEYPAIR_PUBLIC
value: EEWUAhsk94ZUHhVw7qx9oZiXYDAWc9cRz93eMrsTG4kZ
- name: BIGCHAINDB_KEYPAIR_PRIVATE
value: 3CjmRhu718gT1Wkba3LfdqX5pfYuBdaMPLd7ENUga5dm
- name: BIGCHAINDB_BACKLOG_REASSIGN_DELAY
value: "120"
- name: BIGCHAINDB_KEYRING
value: ""
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984
name: bdb-port
protocol: TCP
volumeMounts:
- name: bigchaindb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
restartPolicy: Always
volumes:
- name: bigchaindb-data
hostPath:
path: /disk/bigchaindb-data

87
k8s/deprecated.to.del/bdb-rdb-dep.yaml
View File

@ -1,87 +0,0 @@
###############################################################
# This config file runs bigchaindb:latest and connects to the #
# rethinkdb backend as a service #
###############################################################
apiVersion: v1
kind: Service
metadata:
name: bdb-rdb-service
namespace: default
labels:
name: bdb-rdb-service
spec:
selector:
app: bdb-rdb
ports:
- port: 9984
targetPort: 9984
name: bdb-rdb-api
type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: bdb-rdb
spec:
replicas: 1
template:
metadata:
labels:
app: bdb-rdb
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bdb-rdb
image: bigchaindb/bigchaindb:latest
args:
- start
env:
- name: BIGCHAINDB_DATABASE_HOST
value: rdb-service
- name: BIGCHAINDB_DATABASE_PORT
value: "28015"
- name: BIGCHIANDB_DATABASE_BACKEND
value: rethinkdb
- name: BIGCHAINDB_DATABASE_NAME
value: bigchain
- name: BIGCHAINDB_SERVER_BIND
value: 0.0.0.0:9984
- name: BIGCHAINDB_KEYPAIR_PUBLIC
value: EEWUAhsk94ZUHhVw7qx9oZiXYDAWc9cRz93eMrsTG4kZ
- name: BIGCHAINDB_KEYPAIR_PRIVATE
value: 3CjmRhu718gT1Wkba3LfdqX5pfYuBdaMPLd7ENUga5dm
- name: BIGCHAINDB_BACKLOG_REASSIGN_DELAY
value: "120"
- name: BIGCHAINDB_KEYRING
value: ""
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984
name: bdb-port
protocol: TCP
volumeMounts:
- name: bigchaindb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
restartPolicy: Always
volumes:
- name: bigchaindb-data
hostPath:
path: /disk/bigchaindb-data

57
k8s/deprecated.to.del/mongo-statefulset.yaml
View File

@ -1,57 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: mongodb
labels:
name: mongodb
spec:
ports:
- port: 27017
targetPort: 27017
clusterIP: None
selector:
role: mongodb
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: mongodb
spec:
serviceName: mongodb
replicas: 3
template:
metadata:
labels:
role: mongodb
environment: staging
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mongo
image: mongo:3.4.1
command:
- mongod
- "--replSet"
- bigchain-rs
#- "--smallfiles"
#- "--noprealloc"
ports:
- containerPort: 27017
volumeMounts:
- name: mongo-persistent-storage
mountPath: /data/db
- name: mongo-sidecar
image: cvallance/mongo-k8s-sidecar
env:
- name: MONGO_SIDECAR_POD_LABELS
value: "role=mongo,environment=staging"
volumeClaimTemplates:
- metadata:
name: mongo-persistent-storage
annotations:
volume.beta.kubernetes.io/storage-class: "fast"
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 100Gi

114
k8s/deprecated.to.del/node-mdb-ss.yaml
View File

@ -1,114 +0,0 @@
#################################################################
# This YAML file desribes a StatefulSet with two containers: #
# bigchaindb/bigchaindb:latest and mongo:3.4.1 #
# It also describes a Service to expose BigchainDB and MongoDB. #
#################################################################
apiVersion: v1
kind: Service
metadata:
name: bdb-service
namespace: default
labels:
name: bdb-service
spec:
selector:
app: bdb
ports:
- port: 9984
targetPort: 9984
name: bdb-http-api
- port: 27017
targetPort: 27017
name: mongodb-port
type: LoadBalancer
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: bdb
namespace: default
spec:
serviceName: bdb
replicas: 1
template:
metadata:
name: bdb
labels:
app: bdb
#annotations:
#pod.beta.kubernetes.io/init-containers: '[
# TODO mongodb user and group; id = 999
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bigchaindb
image: bigchaindb/bigchaindb:master
args:
- start
env:
- name: BIGCHAINDB_KEYPAIR_PRIVATE
value: 3CjmRhu718gT1Wkba3LfdqX5pfYuBdaMPLd7ENUga5dm
- name: BIGCHAINDB_KEYPAIR_PUBLIC
value: EEWUAhsk94ZUHhVw7qx9oZiXYDAWc9cRz93eMrsTG4kZ
- name: BIGCHAINDB_KEYRING
value: ""
- name: BIGCHAINDB_DATABASE_BACKEND
value: mongodb
- name: BIGCHAINDB_DATABASE_HOST
value: localhost
- name: BIGCHAINDB_DATABASE_PORT
value: "27017"
- name: BIGCHAINDB_SERVER_BIND
value: "0.0.0.0:9984"
- name: BIGCHAINDB_DATABASE_REPLICASET
value: bigchain-rs
- name: BIGCHAINDB_DATABASE_NAME
value: bigchain
- name: BIGCHAINDB_BACKLOG_REASSIGN_DELAY
value: "120"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984
name: bdb-port
protocol: TCP
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: bdb-port
initialDelaySeconds: 15
timeoutSeconds: 10
- name: mongodb
image: mongo:3.4.1
args:
- --replSet=bigchain-rs
imagePullPolicy: IfNotPresent
ports:
- containerPort: 27017
hostPort: 27017
name: mdb-port
protocol: TCP
volumeMounts:
- name: mdb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
tcpSocket:
port: mdb-port
successThreshold: 1
failureThreshold: 3
periodSeconds: 15
timeoutSeconds: 1
restartPolicy: Always
volumes:
- name: mdb-data
persistentVolumeClaim:
claimName: mongoclaim

131
k8s/deprecated.to.del/node-rdb-ss.yaml
View File

@ -1,131 +0,0 @@
##############################################################
# This YAML file desribes a StatefulSet with two containers: #
# bigchaindb/bigchaindb:latest and rethinkdb:2.3 #
# It also describes a Service to expose BigchainDB, #
# the RethinkDB intracluster communications port, and #
# the RethinkDB web interface port. #
##############################################################
apiVersion: v1
kind: Service
metadata:
name: bdb-service
namespace: default
labels:
name: bdb-service
spec:
selector:
app: bdb
ports:
- port: 9984
targetPort: 9984
name: bdb-http-api
- port: 29015
targetPort: 29015
name: rdb-intracluster-comm-port
- port: 8080
targetPort: 8080
name: rdb-web-interface-port
type: LoadBalancer
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: bdb
namespace: default
spec:
serviceName: bdb
replicas: 1
template:
metadata:
name: bdb
labels:
app: bdb
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bdb-server
image: bigchaindb/bigchaindb:latest
args:
- start
env:
- name: BIGCHAINDB_KEYPAIR_PRIVATE
value: 56mEvwwVxcYsFQ3Y8UTFB8DVBv38yoUhxzDW3DAdLVd2
- name: BIGCHAINDB_KEYPAIR_PUBLIC
value: 9DsHwiEtvk51UHmNM2eV66czFha69j3CdtNrCj1RcZWR
- name: BIGCHAINDB_KEYRING
value: ""
- name: BIGCHAINDB_DATABASE_BACKEND
value: rethinkdb
- name: BIGCHAINDB_DATABASE_HOST
value: localhost
- name: BIGCHAINDB_DATABASE_PORT
value: "28015"
- name: BIGCHAINDB_SERVER_BIND
value: "0.0.0.0:9984"
- name: BIGCHAINDB_DATABASE_NAME
value: bigchain
- name: BIGCHAINDB_BACKLOG_REASSIGN_DELAY
value: "120"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984
name: bdb-port
protocol: TCP
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
- name: rethinkdb
image: rethinkdb:2.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
hostPort: 8080
name: rdb-web-interface-port
protocol: TCP
- containerPort: 29015
hostPort: 29015
name: rdb-intra-port
protocol: TCP
- containerPort: 28015
hostPort: 28015
name: rdb-client-port
protocol: TCP
volumeMounts:
- name: rdb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 10
restartPolicy: Always
volumes:
- name: rdb-data
persistentVolumeClaim:
claimName: mongoclaim

89
k8s/deprecated.to.del/node-ss.yaml
View File

@ -1,89 +0,0 @@
#####################################################
# This config file uses bdb v0.9.1 with bundled rdb #
#####################################################
apiVersion: v1
kind: Service
metadata:
name: bdb-service
namespace: default
labels:
name: bdb-service
spec:
selector:
app: bdb
ports:
- port: 9984
targetPort: 9984
name: bdb-http-api
- port: 8080
targetPort: 8080
name: bdb-rethinkdb-api
type: LoadBalancer
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: bdb
namespace: default
spec:
serviceName: bdb
replicas: 1
template:
metadata:
name: bdb
labels:
app: bdb
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "bdb091-configure",
"image": "bigchaindb/bigchaindb:0.9.1",
"command": ["bigchaindb", "-y", "configure", "rethinkdb"],
"volumeMounts": [
{
"name": "bigchaindb-data",
"mountPath": "/data"
}
]
}
]'
spec:
terminationGracePeriodSeconds: 10
containers:
- name: bdb091-server
image: bigchaindb/bigchaindb:0.9.1
args:
- -c
- /data/.bigchaindb
- start
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9984
hostPort: 9984
name: bdb-port
protocol: TCP
volumeMounts:
- name: bigchaindb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 9984
initialDelaySeconds: 15
timeoutSeconds: 10
restartPolicy: Always
volumes:
- name: bigchaindb-data
hostPath:
path: /disk/bigchaindb-data

75
k8s/deprecated.to.del/rethinkdb-ss.yaml
View File

@ -1,75 +0,0 @@
####################################################
# This config file runs rethinkdb:2.3 as a service #
####################################################
apiVersion: v1
kind: Service
metadata:
name: rdb-service
namespace: default
labels:
name: rdb-service
spec:
selector:
app: rdb
ports:
- port: 8080
targetPort: 8080
name: rethinkdb-http-port
- port: 28015
targetPort: 28015
name: rethinkdb-driver-port
type: LoadBalancer
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: rdb
namespace: default
spec:
serviceName: rdb
replicas: 1
template:
metadata:
name: rdb
labels:
app: rdb
spec:
terminationGracePeriodSeconds: 10
containers:
- name: rethinkdb
image: rethinkdb:2.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
hostPort: 8080
name: rdb-http-port
protocol: TCP
- containerPort: 28015
hostPort: 28015
name: rdb-client-port
protocol: TCP
volumeMounts:
- name: rdb-data
mountPath: /data
resources:
limits:
cpu: 200m
memory: 768Mi
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 10
restartPolicy: Always
volumes:
- name: rdb-data
hostPath:
path: /disk/rdb-data

2
k8s/mongodb/container/README.md
View File

@ -19,7 +19,7 @@
```
docker run \
--name=mdb1 \
--publish=17017:17017 \
--publish=<mongo port number for external connections>:<corresponding host port> \
--rm=true \
bigchaindb/mongodb \
--replica-set-name <replica set name> \

21
k8s/mongodb/mongo-ss.yaml
View File

@ -1,38 +1,39 @@
########################################################################
# This YAML file desribes a StatefulSet with a service for running and #
# exposing a MongoDB service. #
# exposing a MongoDB instance. #
# It depends on the configdb and db k8s pvc. #
########################################################################
apiVersion: v1
kind: Service
metadata:
name: mdb
name: mdb-svc
namespace: default
labels:
name: mdb
name: mdb-svc
spec:
selector:
app: mdb
app: mdb-ss
ports:
- port: 27017
targetPort: 27017
name: mdb-port
type: LoadBalancer
type: ClusterIP
clusterIP: None
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: mdb
name: mdb-ss
namespace: default
spec:
serviceName: mdb
serviceName: mdb-svc
replicas: 1
template:
metadata:
name: mdb
name: mdb-ss
labels:
app: mdb
app: mdb-ss
spec:
terminationGracePeriodSeconds: 10
containers:
@ -41,6 +42,7 @@ spec:
# versions during updates and rollbacks. Also, once fixed, change the
# imagePullPolicy to IfNotPresent for faster bootup
image: bigchaindb/mongodb:latest
imagePullPolicy: Always
env:
- name: MONGODB_FQDN
valueFrom:
@ -60,7 +62,6 @@ spec:
capabilities:
add:
- FOWNER
imagePullPolicy: Always
ports:
- containerPort: 27017
hostPort: 27017

11
k8s/nginx/container/Dockerfile Normal file
View File

@ -0,0 +1,11 @@
FROM nginx:1.11.10
LABEL maintainer "dev@bigchaindb.com"
WORKDIR /
RUN apt-get update \
&& apt-get -y upgrade \
&& apt-get autoremove \
&& apt-get clean
COPY nginx.conf.template /etc/nginx/nginx.conf
COPY nginx_entrypoint.bash /
EXPOSE 80 443 27017
ENTRYPOINT ["/nginx_entrypoint.bash"]

70
k8s/nginx/container/README.md Normal file
View File

@ -0,0 +1,70 @@
## Custom Nginx container for a Node
### Need
* Since, BigchainDB and MongoDB both need to expose ports to the outside
world (inter and intra cluster), we need to have a basic DDoS mitigation
strategy to ensure that we can provide proper uptime and security these
core services.
* We can have a proxy like nginx/haproxy in every node that listens to
global connections and applies cluster level entry policy.
### Implementation
* For MongoDB cluster communication, we will use nginx with an environment
variable specifying a ":" separated list of IPs in the whitelist. This list
contains the IPs of exising instances in the MongoDB replica set so as to
allow connections from the whitelist and avoid a DDoS.
* For BigchainDB connections, nginx needs to have rules to throttle
connections that are using resources over a threshold.
### Step 1: Build the Latest Container
Run `docker build -t bigchaindb/nginx .` from this folder.
Optional: Upload container to Docker Hub:
`docker push bigchaindb/nginx:<tag>`
### Step 2: Run the Container
Note that the whilelist IPs must be specified with the subnet in the CIDR
format, eg: `1.2.3.4/16`
```
docker run \
--env "MONGODB_FRONTEND_PORT=<port where nginx listens for MongoDB connections>" \
--env "MONGODB_BACKEND_HOST=<ip/hostname of instance where MongoDB is running>" \
--env "MONGODB_BACKEND_PORT=<port where MongoDB is listening for connections>" \
--env "BIGCHAINDB_FRONTEND_PORT=<port where nginx listens for BigchainDB connections>" \
--env "BIGCHAINDB_BACKEND_HOST=<ip/hostname of instance where BigchainDB is
running>" \
--env "BIGCHAINDB_BACKEND_PORT=<port where BigchainDB is listening for
connections>" \
--env "MONGODB_WHITELIST=<a ':' separated list of IPs that can connect to MongoDB>" \
--name=ngx \
--publish=<port where nginx listens for MongoDB connections as specified above>:<correcponding host port> \
--publish=<port where nginx listens for BigchainDB connections as specified
above>:<corresponding host port> \
--rm=true \
bigchaindb/nginx
```
For example:
```
docker run \
--env "MONGODB_FRONTEND_PORT=17017" \
--env "MONGODB_BACKEND_HOST=localhost" \
--env "MONGODB_BACKEND_PORT=27017" \
--env "BIGCHAINDB_FRONTEND_PORT=80" \
--env "BIGCHAINDB_BACKEND_HOST=localhost" \
--env "BIGCHAINDB_BACKEND_PORT=9984" \
--env "MONGODB_WHITELIST="192.168.0.0/16:10.0.2.0/24" \
--name=ngx \
--publish=80:80 \
--publish=17017:17017 \
--rm=true \
bigchaindb/nginx
```

108
k8s/nginx/container/nginx.conf.template Normal file
View File

@ -0,0 +1,108 @@
worker_processes 2;
daemon off;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /etc/nginx/nginx.error.log;
events {
worker_connections 256;
accept_mutex on;
use epoll;
}
http {
server_names_hash_bucket_size 128;
resolver 8.8.8.8 8.8.4.4;
access_log /etc/nginx/nginx.access.log combined buffer=16k flush=5s;
# allow 10 req/sec from the same IP address, and store the counters in a
# `zone` or shared memory location tagged as 'one'.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
# enable logging when requests are being throttled
limit_req_log_level notice;
# the http status code to return to the client when throttling;
# 429 is for TooManyRequests,
# ref. RFC 6585
limit_req_status 429;
upstream bdb_backend {
server BIGCHAINDB_BACKEND_HOST:BIGCHAINDB_BACKEND_PORT max_fails=5 fail_timeout=30;
}
server {
listen BIGCHAINDB_FRONTEND_PORT;
# server_name "FRONTEND_DNS_NAME";
underscores_in_headers on;
# max client request body size: avg transaction size
client_max_body_size 15k;
# keepalive connection settings
keepalive_timeout 20s;
# `slowloris` attack mitigation settings
client_body_timeout 10s;
client_header_timeout 10s;
location / {
proxy_ignore_client_abort on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_redirect off;
# TODO proxy_set_header X-Forwarded-Proto https;
# limit requests from the same client, allow `burst` to 20 r/s,
# `nodelay` or drop connection immediately in case it exceeds this
# threshold.
limit_req zone=one burst=20 nodelay;
proxy_pass http://bdb_backend;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /etc/nginx/50x.html;
}
}
}
# NGINX stream block for TCP and UDP proxies
stream {
log_format mdb_log '[$time_iso8601] $realip_remote_addr $remote_addr '
'$proxy_protocol_addr $proxy_protocol_port '
'$protocol $status $session_time $bytes_sent '
'$bytes_received "$upstream_addr" "$upstream_bytes_sent" '
'"$upstream_bytes_received" "$upstream_connect_time" ';
access_log /etc/nginx/nginx.stream.access.log mdb_log buffer=16k flush=5s;
# define a zone 'two' of size 10 megabytes to store the counters
# that hold number of TCP connections from a specific IP address
limit_conn_zone $binary_remote_addr zone=two:10m;
# enable logging when connections are being throttled
limit_conn_log_level notice;
upstream mdb_backend {
server MONGODB_BACKEND_HOST:MONGODB_BACKEND_PORT max_fails=5 fail_timeout=30 max_conns=1024;
}
server {
listen MONGODB_FRONTEND_PORT so_keepalive=10m:1m:5;
preread_timeout 30s;
tcp_nodelay on;
# whitelist
MONGODB_WHITELIST
# deny access to everyone else
deny all;
# allow 512 connections from the same IP address
limit_conn two 512;
proxy_pass mdb_backend;
}
}

44
k8s/nginx/container/nginx_entrypoint.bash Executable file
View File

@ -0,0 +1,44 @@
#!/bin/bash
set -euo pipefail
mongo_frontend_port=`printenv MONGODB_FRONTEND_PORT`
mongo_backend_host=`printenv MONGODB_BACKEND_HOST`
mongo_backend_port=`printenv MONGODB_BACKEND_PORT`
bdb_frontend_port=`printenv BIGCHAINDB_FRONTEND_PORT`
bdb_backend_host=`printenv BIGCHAINDB_BACKEND_HOST`
bdb_backend_port=`printenv BIGCHAINDB_BACKEND_PORT`
mongo_whitelist=`printenv MONGODB_WHITELIST`
# sanity checks
if [[ -z "${mongo_frontend_port}" || \
-z "${mongo_backend_host}" || \
-z "${mongo_backend_port}" || \
-z "${bdb_frontend_port}" || \
-z "${bdb_backend_host}" || \
-z "${bdb_backend_port}" ]] ; then
echo "Invalid environment settings detected. Exiting!"
exit 1
fi
NGINX_CONF_FILE=/etc/nginx/nginx.conf
# configure the nginx.conf file with env variables
sed -i "s|MONGODB_FRONTEND_PORT|${mongo_frontend_port}|g" $NGINX_CONF_FILE
sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" $NGINX_CONF_FILE
sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" $NGINX_CONF_FILE
sed -i "s|BIGCHAINDB_FRONTEND_PORT|${bdb_frontend_port}|g" $NGINX_CONF_FILE
sed -i "s|BIGCHAINDB_BACKEND_HOST|${bdb_backend_host}|g" $NGINX_CONF_FILE
sed -i "s|BIGCHAINDB_BACKEND_PORT|${bdb_backend_port}|g" $NGINX_CONF_FILE
# populate the whitelist in the conf file as per MONGODB_WHITELIST env var
hosts=$(echo ${mongo_whitelist} | tr ":" "\n")
for host in $hosts; do
sed -i "s|MONGODB_WHITELIST|allow ${host};\n MONGODB_WHITELIST|g" $NGINX_CONF_FILE
done
# remove the MONGODB_WHITELIST marker string from template
sed -i "s|MONGODB_WHITELIST||g" $NGINX_CONF_FILE
# start nginx
echo "INFO: starting nginx..."
exec nginx -c /etc/nginx/nginx.conf

13
k8s/nginx/nginx-cm.yaml Normal file
View File

@ -0,0 +1,13 @@
#########################################################################
# This YAML file desribes a ConfigMap with a valid list of IP addresses #
# that can connect to the MongoDB instance. #
#########################################################################
apiVersion: v1
kind: ConfigMap
metadata:
name: mongodb-whitelist
namespace: default
data:
# ':' separated list of allowed hosts
allowed-hosts: 192.168.0.0/16:10.0.2.0/24

82
k8s/nginx/nginx-dep.yaml Normal file
View File

@ -0,0 +1,82 @@
###############################################################
# This config file runs nginx as a k8s deployment and exposes #
# it using an external load balancer. #
# This deployment is used as a front end to both BigchainDB #
# and MongoDB. #
###############################################################
apiVersion: v1
kind: Service
metadata:
name: ngx-svc
namespace: default
labels:
name: ngx-svc
annotations:
# NOTE: the following annotation is a beta feature and
# only available in GCE/GKE and Azure as of now
service.beta.kubernetes.io/external-traffic: OnlyLocal
spec:
selector:
app: ngx-dep
ports:
- port: 27017
targetPort: 27017
name: ngx-public-mdb-port
protocol: TCP
- port: 80
targetPort: 80
name: ngx-public-bdb-port
protocol: TCP
type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: ngx-dep
spec:
replicas: 1
template:
metadata:
labels:
app: ngx-dep
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx
image: bigchaindb/nginx:latest
imagePullPolicy: Always
env:
- name: MONGODB_FRONTEND_PORT
value: "27017"
- name: MONGODB_BACKEND_HOST
value: mdb-svc
- name: MONGODB_BACKEND_PORT
value: "27017"
- name: BIGCHAINDB_FRONTEND_PORT
value: "80"
- name: BIGCHAINDB_BACKEND_HOST
value: bdb-svc
- name: BIGCHAINDB_BACKEND_PORT
value: "9984"
- name: MONGODB_WHITELIST
valueFrom:
configMapKeyRef:
name: mongodb-whitelist
key: allowed-hosts
ports:
- containerPort: 27017
hostPort: 27017
name: public-mdb-port
protocol: TCP
- containerPort: 80
hostPort: 80
name: public-bdb-port
protocol: TCP
resources:
limits:
cpu: 200m
memory: 768Mi
#livenessProbe: TODO(Krish)
#readinessProbe: TODO(Krish)
restartPolicy: Always