github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/docs/source/operations_service.rst

github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/docs/source/operations_service.rst (about)

1 The Operations Service
2 ======================
3
4 The peer and the orderer host an HTTP server that offers a RESTful "operations"
5 API. This API is unrelated to the Fabric network services and is intended to be
6 used by operators, not administrators or "users" of the network.
7
8 The API exposes the following capabilities:
9
10 - Log level management
11 - Health checks
12 - Prometheus target for operational metrics (when configured)
13 - Endpoint for retrieving version information
14
15 Configuring the Operations Service
16 ----------------------------------
17
18 The operations service requires two basic pieces of configuration:
19
20 - The **address** and **port** to listen on.
21 - The **TLS certificates** and **keys** to use for authentication and encryption.
22 Note, **these certificates should be generated by a separate and dedicated CA**.
23 Do not use a CA that has generated certificates for any organizations
24 in any channels.
25
26 Peer
27 ~~~~
28
29 For each peer, the operations server can be configured in the ``operations``
30 section of ``core.yaml``:
31
32 .. code:: yaml
33
34 operations:
35 # host and port for the operations server
36 listenAddress: 127.0.0.1:9443
37
38 # TLS configuration for the operations endpoint
39 tls:
40 # TLS enabled
41 enabled: true
42
43 # path to PEM encoded server certificate for the operations server
44 cert:
45 file: tls/server.crt
46
47 # path to PEM encoded server key for the operations server
48 key:
49 file: tls/server.key
50
51 # most operations service endpoints require client authentication when TLS
52 # is enabled. clientAuthRequired requires client certificate authentication
53 # at the TLS layer to access all resources.
54 clientAuthRequired: false
55
56 # paths to PEM encoded ca certificates to trust for client authentication
57 clientRootCAs:
58 files: []
59
60 The ``listenAddress`` key defines the host and port that the operation server
61 will listen on. If the server should listen on all addresses, the host portion
62 can be omitted.
63
64 The ``tls`` section is used to indicate whether or not TLS is enabled for the
65 operations service, the location of the service's certificate and private key,
66 and the locations of certificate authority root certificates that should be
67 trusted for client authentication. When ``enabled`` is true, most of the operations
68 service endpoints require client authentication, therefore
69 ``clientRootCAs.files`` must be set. When ``clientAuthRequired`` is ``true``,
70 the TLS layer will require clients to provide a certificate for authentication
71 on every request. See Operations Security section below for more details.
72
73 Orderer
74 ~~~~~~~
75
76 For each orderer, the operations server can be configured in the `Operations`
77 section of ``orderer.yaml``:
78
79 .. code:: yaml
80
81 Operations:
82 # host and port for the operations server
83 ListenAddress: 127.0.0.1:8443
84
85 # TLS configuration for the operations endpoint
86 TLS:
87 # TLS enabled
88 Enabled: true
89
90 # PrivateKey: PEM-encoded tls key for the operations endpoint
91 PrivateKey: tls/server.key
92
93 # Certificate governs the file location of the server TLS certificate.
94 Certificate: tls/server.crt
95
96 # Paths to PEM encoded ca certificates to trust for client authentication
97 ClientRootCAs: []
98
99 # Most operations service endpoints require client authentication when TLS
100 # is enabled. ClientAuthRequired requires client certificate authentication
101 # at the TLS layer to access all resources.
102 ClientAuthRequired: false
103
104 The ``ListenAddress`` key defines the host and port that the operations server
105 will listen on. If the server should listen on all addresses, the host portion
106 can be omitted.
107
108 The ``TLS`` section is used to indicate whether or not TLS is enabled for the
109 operations service, the location of the service's certificate and private key,
110 and the locations of certificate authority root certificates that should be
111 trusted for client authentication. When ``Enabled`` is true, most of the operations
112 service endpoints require client authentication, therefore
113 ``RootCAs`` must be set. When ``ClientAuthRequired`` is ``true``,
114 the TLS layer will require clients to provide a certificate for authentication
115 on every request. See Operations Security section below for more details.
116
117 Operations Security
118 ~~~~~~~~~~~~~~~~~~~
119
120 As the operations service is focused on operations and intentionally unrelated
121 to the Fabric network, it does not use the Membership Services Provider for
122 access control. Instead, the operations service relies entirely on mutual TLS with
123 client certificate authentication.
124
125 When TLS is disabled, authorization is bypassed and any client that can
126 connect to the operations endpoint will be able to use the API.
127
128 When TLS is enabled, a valid client certificate must be provided in order to
129 access all resources unless explicitly noted otherwise below.
130
131 When clientAuthRequired is also enabled, the TLS layer will require
132 a valid client certificate regardless of the resource being accessed.
133
134 Log Level Management
135 ~~~~~~~~~~~~~~~~~~~~
136
137 The operations service provides a ``/logspec`` resource that operators can use to
138 manage the active logging spec for a peer or orderer. The resource is a
139 conventional REST resource and supports ``GET`` and ``PUT`` requests.
140
141 When a ``GET /logspec`` request is received by the operations service, it will
142 respond with a JSON payload that contains the current logging specification:
143
144 .. code:: json
145
146 {"spec":"info"}
147
148 When a ``PUT /logspec`` request is received by the operations service, it will
149 read the body as a JSON payload. The payload must consist of a single attribute
150 named ``spec``.
151
152 .. code:: json
153
154 {"spec":"chaincode=debug:info"}
155
156 If the spec is activated successfully, the service will respond with a ``204 "No Content"``
157 response. If an error occurs, the service will respond with a ``400 "Bad Request"``
158 and an error payload:
159
160 .. code:: json
161
162 {"error":"error message"}
163
164 Health Checks
165 -------------
166
167 The operations service provides a ``/healthz`` resource that operators can use to
168 help determine the liveness and health of peers and orderers. The resource is
169 a conventional REST resource that supports GET requests. The implementation is
170 intended to be compatible with the liveness probe model used by Kubernetes but
171 can be used in other contexts.
172
173 When a ``GET /healthz`` request is received, the operations service will call all
174 registered health checkers for the process. When all of the health checkers
175 return successfully, the operations service will respond with a ``200 "OK"`` and a
176 JSON body:
177
178 .. code:: json
179
180 {
181 "status": "OK",
182 "time": "2009-11-10T23:00:00Z"
183 }
184
185 If one or more of the health checkers returns an error, the operations service
186 will respond with a ``503 "Service Unavailable"`` and a JSON body that includes
187 information about which health checker failed:
188
189 .. code:: json
190
191 {
192 "status": "Service Unavailable",
193 "time": "2009-11-10T23:00:00Z",
194 "failed_checks": [
195 {
196 "component": "docker",
197 "reason": "failed to connect to Docker daemon: invalid endpoint"
198 }
199 ]
200 }
201
202 In the current version, the only health check that is registered is for Docker.
203 Future versions will be enhanced to add additional health checks.
204
205 When TLS is enabled, a valid client certificate is not required to use this
206 service unless ``clientAuthRequired`` is set to ``true``.
207
208 Metrics
209 -------
210
211 Some components of the Fabric peer and orderer expose metrics that can help
212 provide insight into the behavior of the system. Operators and administrators
213 can use this information to better understand how the system is performing
214 over time.
215
216 Configuring Metrics
217 ~~~~~~~~~~~~~~~~~~~
218
219 Fabric provides two ways to expose metrics: a **pull** model based on Prometheus
220 and a **push** model based on StatsD.
221
222 Prometheus
223 ~~~~~~~~~~
224
225 A typical Prometheus deployment scrapes metrics by requesting them from an HTTP
226 endpoint exposed by instrumented targets. As Prometheus is responsible for
227 requesting the metrics, it is considered a pull system.
228
229 When configured, a Fabric peer or orderer will present a ``/metrics`` resource
230 on the operations service.
231
232 Peer
233 ^^^^
234
235 A peer can be configured to expose a ``/metrics`` endpoint for Prometheus to
236 scrape by setting the metrics provider to ``prometheus`` in the ``metrics`` section
237 of ``core.yaml``.
238
239 .. code:: yaml
240
241 metrics:
242 provider: prometheus
243
244 Orderer
245 ^^^^^^^
246
247 An orderer can be configured to expose a ``/metrics`` endpoint for Prometheus to
248 scrape by setting the metrics provider to ``prometheus`` in the ``Metrics``
249 section of ``orderer.yaml``.
250
251 .. code:: yaml
252
253 Metrics:
254 Provider: prometheus
255
256 StatsD
257 ~~~~~~
258
259 StatsD is a simple statistics aggregation daemon. Metrics are sent to a
260 ``statsd`` daemon where they are collected, aggregated, and pushed to a backend
261 for visualization and alerting. As this model requires instrumented processes
262 to send metrics data to StatsD, this is considered a push system.
263
264 Peer
265 ^^^^
266
267 A peer can be configured to send metrics to StatsD by setting the metrics
268 provider to ``statsd`` in the ``metrics`` section of ``core.yaml``. The ``statsd``
269 subsection must also be configured with the address of the StatsD daemon, the
270 network type to use (``tcp`` or ``udp``), and how often to send the metrics. An
271 optional ``prefix`` may be specified to help differentiate the source of the
272 metrics --- for example, differentiating metrics coming from separate peers ---
273 that would be prepended to all generated metrics.
274
275 .. code:: yaml
276
277 metrics:
278 provider: statsd
279 statsd:
280 network: udp
281 address: 127.0.0.1:8125
282 writeInterval: 10s
283 prefix: peer-0
284
285 Orderer
286 ^^^^^^^
287
288 An orderer can be configured to send metrics to StatsD by setting the metrics
289 provider to ``statsd`` in the ``Metrics`` section of ``orderer.yaml``. The ``Statsd``
290 subsection must also be configured with the address of the StatsD daemon, the
291 network type to use (``tcp`` or ``udp``), and how often to send the metrics. An
292 optional ``prefix`` may be specified to help differentiate the source of the
293 metrics.
294
295 .. code:: yaml
296
297 Metrics:
298 Provider: statsd
299 Statsd:
300 Network: udp
301 Address: 127.0.0.1:8125
302 WriteInterval: 30s
303 Prefix: org-orderer
304
305 For a look at the different metrics that are generated, check out
306 :doc:`metrics_reference`.
307
308 Version
309 -------
310
311 The orderer and peer both expose a ``/version`` endpoint. This endpoint
312 serves a JSON document containing the orderer or peer version and the commit
313 SHA on which the release was created.
314
315 .. Licensed under Creative Commons Attribution 4.0 International License
316 https://creativecommons.org/licenses/by/4.0/