RFC Adding Interfaces to OpenBMC

Kenneth Wilke kenneth.wilke at RACKSPACE.COM
Thu Sep 21 00:04:25 AEST 2017


It is a pretty common practice to terminate SSL at a reverse proxy like NGINX. I think this model of routing http to the other daemons listening on localhost sockets should work well for OpenBMC.


Kenneth

________________________________
From: openbmc <openbmc-bounces+kenneth.wilke=rackspace.com at lists.ozlabs.org> on behalf of Chris Austen <austenc at us.ibm.com>
Sent: Tuesday, September 19, 2017 1:19:12 PM
To: openbmc at lists.ozlabs.org
Subject: Re: RFC Adding Interfaces to OpenBMC


After some discussion that did not make it to the mailing list I am revising the RFC to integrate with Nginx technology.  The theme is the same; create interfaces in a way that anyone can add/remove/replace per their business needs through with a prescriptive process


Request - https ---> Nginx (Reverse-Proxy)
                 |
                  |http
                  |
                /|\
                | | `-> rest_dbus   127.0.0.1:8081
                |  `--> webui       127.0.0.1:8082
                 `----> redfish     127.0.0.1:8083

With Nginx accepting https would there be a need for localhost applications incur the cost of secure https too?


Chris Austen/Austin/IBM wrote on 09/01/2017 10:54:06 AM:

> From: Chris Austen/Austin/IBM
> To: openbmc at lists.ozlabs.org
> Date: 09/01/2017 10:54 AM
> Subject: RFC Adding Interfaces to OpenBMC
>
> I'd like to get some feed back on draft...
>
> It should not be any surprise that we are trying to implement a web
> user interface and Redfish.  I think requiring every implementation
> of OpenBMC to now support a webui and Redfish goes against the basic
> principals of the project.  A better approach would be to allow the
> machine configuration to determine what features/apps to support.
> The OpenBMC core would provide the infrastructure to reverse(?)
> proxy incoming requests to the various applications based on the
> application defining which routes it can handle.  With those
> thoughts in mind, the current design needs to be tweaked slightly.
>
> FROM:
> | server | app (dbus) |
> TO:
> | server | reverse | app (dbus)    |
> |        |  proxy  | app (web)     |
> |        |         | app (redfish) |
> |        |         | app (...)     |
> Route handler added at service startup to create the proxy environment
> (figure 1: In todays design the single app defines all routes at
> compile time.  Adding routes to that single app forces all OpenBMC
> machines to pick up the new routes which is undesirable)
>
> Note: due to legacy decisions the '/' and '/xyz' route are owned by
> the dbus app.  (Could the dbus route be helpful here?  All browsers
> use 'text/html' and our rest uses 'application/json', perhaps a
> nudge/redirect the user to the correct uri)
>
> Security:
> ~~~~~~~~
> None at the proxy level
>
> Registering Routes:
> ~~~~~~~~~~~~~~~
> Route registration will happen at service start up.  An application
> configuration file placed in to a predetermined location will be
> parsed by the proxy code
>
> Application Requirements:
> ~~~~~~~~~~~~~~~~~~~~~~
> 1) The cfg file will be based on a common xxx format
> - likely need a decision as to proxy or reverse proxy before
> declaring config format type
>
> 2) Create a bb file in the appropriate layer.  Keep in mind the openbmc/
> meta-phosphor/common/recipes-phosphor/interfaces/ is for core
> functionality only.
> i.e.    PROVIDES = 'phosphor-webui'
>          <example of how to copy the apps config file to the correct
> route registration location>
>
> 3) Declare in the appropriate machine conf file the bb file which
> contains your application
> i.e.    OBMC_MACHINE_FEATURES += 'phosphor-webui'
>
>
> Chris Austen
> POWER Systems Enablement Manager
> (512) 286-5184 (T/L: 363-5184)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20170920/9333223a/attachment-0001.html>


More information about the openbmc mailing list