github.com/true-sqn/fabric@v2.1.1+incompatible/docs/source/operations_service.rst

github.com/true-sqn/fabric@v2.1.1+incompatible/docs/source/operations_service.rst (about)

1 The Operations Service
2 ======================
3
4 The peer and the orderer host an HTTP server that offers a RESTful "operations"
5 API. This API is unrelated to the Fabric network services and is intended to be
6 used by operators, not administrators or "users" of the network.
7
8 The API exposes the following capabilities:
9
10 - Log level management
11 - Health checks
12 - Prometheus target for operational metrics (when configured)
13
14 Configuring the Operations Service
15 ----------------------------------
16
17 The operations service requires two basic pieces of configuration:
18
19 - The **address** and **port** to listen on.
20 - The **TLS certificates** and **keys** to use for authentication and encryption.
21 Note, **these certificates should be generated by a separate and dedicated CA**.
22 Do not use a CA that has generated certificates for any organizations
23 in any channels.
24
25 Peer
26 ~~~~
27
28 For each peer, the operations server can be configured in the ``operations``
29 section of ``core.yaml``:
30
31 .. code:: yaml
32
33 operations:
34 # host and port for the operations server
35 listenAddress: 127.0.0.1:9443
36
37 # TLS configuration for the operations endpoint
38 tls:
39 # TLS enabled
40 enabled: true
41
42 # path to PEM encoded server certificate for the operations server
43 cert:
44 file: tls/server.crt
45
46 # path to PEM encoded server key for the operations server
47 key:
48 file: tls/server.key
49
50 # most operations service endpoints require client authentication when TLS
51 # is enabled. clientAuthRequired requires client certificate authentication
52 # at the TLS layer to access all resources.
53 clientAuthRequired: false
54
55 # paths to PEM encoded ca certificates to trust for client authentication
56 clientRootCAs:
57 files: []
58
59 The ``listenAddress`` key defines the host and port that the operation server
60 will listen on. If the server should listen on all addresses, the host portion
61 can be omitted.
62
63 The ``tls`` section is used to indicate whether or not TLS is enabled for the
64 operations service, the location of the service's certificate and private key,
65 and the locations of certificate authority root certificates that should be
66 trusted for client authentication. When ``enabled`` is true, most of the operations
67 service endpoints require client authentication, therefore
68 ``clientRootCAs.files`` must be set. When ``clientAuthRequired`` is ``true``,
69 the TLS layer will require clients to provide a certificate for authentication
70 on every request. See Operations Security section below for more details.
71
72 Orderer
73 ~~~~~~~
74
75 For each orderer, the operations server can be configured in the `Operations`
76 section of ``orderer.yaml``:
77
78 .. code:: yaml
79
80 Operations:
81 # host and port for the operations server
82 ListenAddress: 127.0.0.1:8443
83
84 # TLS configuration for the operations endpoint
85 TLS:
86 # TLS enabled
87 Enabled: true
88
89 # PrivateKey: PEM-encoded tls key for the operations endpoint
90 PrivateKey: tls/server.key
91
92 # Certificate governs the file location of the server TLS certificate.
93 Certificate: tls/server.crt
94
95 # Paths to PEM encoded ca certificates to trust for client authentication
96 ClientRootCAs: []
97
98 # Most operations service endpoints require client authentication when TLS
99 # is enabled. ClientAuthRequired requires client certificate authentication
100 # at the TLS layer to access all resources.
101 ClientAuthRequired: false
102
103 The ``ListenAddress`` key defines the host and port that the operations server
104 will listen on. If the server should listen on all addresses, the host portion
105 can be omitted.
106
107 The ``TLS`` section is used to indicate whether or not TLS is enabled for the
108 operations service, the location of the service's certificate and private key,
109 and the locations of certificate authority root certificates that should be
110 trusted for client authentication. When ``Enabled`` is true, most of the operations
111 service endpoints require client authentication, therefore
112 ``RootCAs`` must be set. When ``ClientAuthRequired`` is ``true``,
113 the TLS layer will require clients to provide a certificate for authentication
114 on every request. See Operations Security section below for more details.
115
116 Operations Security
117 ~~~~~~~~~~~~~~~~~~~
118
119 As the operations service is focused on operations and intentionally unrelated
120 to the Fabric network, it does not use the Membership Services Provider for
121 access control. Instead, the operations service relies entirely on mutual TLS with
122 client certificate authentication.
123
124 When TLS is disabled, authorization is bypassed and any client that can
125 connect to the operations endpoint will be able to use the API.
126
127 When TLS is enabled, a valid client certificate must be provided in order to
128 access all resources unless explicitly noted otherwise below.
129
130 When clientAuthRequired is also enabled, the TLS layer will require
131 a valid client certificate regardless of the resource being accessed.
132
133 Log Level Management
134 ~~~~~~~~~~~~~~~~~~~~
135
136 The operations service provides a ``/logspec`` resource that operators can use to
137 manage the active logging spec for a peer or orderer. The resource is a
138 conventional REST resource and supports ``GET`` and ``PUT`` requests.
139
140 When a ``GET /logspec`` request is received by the operations service, it will
141 respond with a JSON payload that contains the current logging specification:
142
143 .. code:: json
144
145 {"spec":"info"}
146
147 When a ``PUT /logspec`` request is received by the operations service, it will
148 read the body as a JSON payload. The payload must consist of a single attribute
149 named ``spec``.
150
151 .. code:: json
152
153 {"spec":"chaincode=debug:info"}
154
155 If the spec is activated successfully, the service will respond with a ``204 "No Content"``
156 response. If an error occurs, the service will respond with a ``400 "Bad Request"``
157 and an error payload:
158
159 .. code:: json
160
161 {"error":"error message"}
162
163 Health Checks
164 -------------
165
166 The operations service provides a ``/healthz`` resource that operators can use to
167 help determine the liveness and health of peers and orderers. The resource is
168 a conventional REST resource that supports GET requests. The implementation is
169 intended to be compatible with the liveness probe model used by Kubernetes but
170 can be used in other contexts.
171
172 When a ``GET /healthz`` request is received, the operations service will call all
173 registered health checkers for the process. When all of the health checkers
174 return successfully, the operations service will respond with a ``200 "OK"`` and a
175 JSON body:
176
177 .. code:: json
178
179 {
180 "status": "OK",
181 "time": "2009-11-10T23:00:00Z"
182 }
183
184 If one or more of the health checkers returns an error, the operations service
185 will respond with a ``503 "Service Unavailable"`` and a JSON body that includes
186 information about which health checker failed:
187
188 .. code:: json
189
190 {
191 "status": "Service Unavailable",
192 "time": "2009-11-10T23:00:00Z",
193 "failed_checks": [
194 {
195 "component": "docker",
196 "reason": "failed to connect to Docker daemon: invalid endpoint"
197 }
198 ]
199 }
200
201 In the current version, the only health check that is registered is for Docker.
202 Future versions will be enhanced to add additional health checks.
203
204 When TLS is enabled, a valid client certificate is not required to use this
205 service unless ``clientAuthRequired`` is set to ``true``.
206
207 Metrics
208 -------
209
210 Some components of the Fabric peer and orderer expose metrics that can help
211 provide insight into the behavior of the system. Operators and administrators
212 can use this information to better understand how the system is performing
213 over time.
214
215 Configuring Metrics
216 ~~~~~~~~~~~~~~~~~~~
217
218 Fabric provides two ways to expose metrics: a **pull** model based on Prometheus
219 and a **push** model based on StatsD.
220
221 Prometheus
222 ~~~~~~~~~~
223
224 A typical Prometheus deployment scrapes metrics by requesting them from an HTTP
225 endpoint exposed by instrumented targets. As Prometheus is responsible for
226 requesting the metrics, it is considered a pull system.
227
228 When configured, a Fabric peer or orderer will present a ``/metrics`` resource
229 on the operations service.
230
231 Peer
232 ^^^^
233
234 A peer can be configured to expose a ``/metrics`` endpoint for Prometheus to
235 scrape by setting the metrics provider to ``prometheus`` in the ``metrics`` section
236 of ``core.yaml``.
237
238 .. code:: yaml
239
240 metrics:
241 provider: prometheus
242
243 Orderer
244 ^^^^^^^
245
246 An orderer can be configured to expose a ``/metrics`` endpoint for Prometheus to
247 scrape by setting the metrics provider to ``prometheus`` in the ``Metrics``
248 section of ``orderer.yaml``.
249
250 .. code:: yaml
251
252 Metrics:
253 Provider: prometheus
254
255 StatsD
256 ~~~~~~
257
258 StatsD is a simple statistics aggregation daemon. Metrics are sent to a
259 ``statsd`` daemon where they are collected, aggregated, and pushed to a backend
260 for visualization and alerting. As this model requires instrumented processes
261 to send metrics data to StatsD, this is considered a push system.
262
263 Peer
264 ^^^^
265
266 A peer can be configured to send metrics to StatsD by setting the metrics
267 provider to ``statsd`` in the ``metrics`` section of ``core.yaml``. The ``statsd``
268 subsection must also be configured with the address of the StatsD daemon, the
269 network type to use (``tcp`` or ``udp``), and how often to send the metrics. An
270 optional ``prefix`` may be specified to help differentiate the source of the
271 metrics --- for example, differentiating metrics coming from separate peers ---
272 that would be prepended to all generated metrics.
273
274 .. code:: yaml
275
276 metrics:
277 provider: statsd
278 statsd:
279 network: udp
280 address: 127.0.0.1:8125
281 writeInterval: 10s
282 prefix: peer-0
283
284 Orderer
285 ^^^^^^^
286
287 An orderer can be configured to send metrics to StatsD by setting the metrics
288 provider to ``statsd`` in the ``Metrics`` section of ``orderer.yaml``. The ``Statsd``
289 subsection must also be configured with the address of the StatsD daemon, the
290 network type to use (``tcp`` or ``udp``), and how often to send the metrics. An
291 optional ``prefix`` may be specified to help differentiate the source of the
292 metrics.
293
294 .. code:: yaml
295
296 Metrics:
297 Provider: statsd
298 Statsd:
299 Network: udp
300 Address: 127.0.0.1:8125
301 WriteInterval: 30s
302 Prefix: org-orderer
303
304 For a look at the different metrics that are generated, check out
305 :doc:`metrics_reference`.
306
307 .. Licensed under Creative Commons Attribution 4.0 International License
308 https://creativecommons.org/licenses/by/4.0/