Pim van Pelt
744b1cb3d2
Makefile:
- New install-deps umbrella target split into three sub-targets:
install-deps-apt — Debian/Trixie-packaged build deps
(nodejs, npm, protobuf-compiler, git, make,
dpkg-dev, ca-certificates, curl, tar). Uses
sudo when not already root.
install-deps-go — ensures a Go toolchain >= GO_VERSION (go.mod
floor, default 1.25.0). Short-circuits when
the system Go is already recent enough;
otherwise downloads the upstream tarball
from go.dev/dl/ into /usr/local/go. Trixie
only ships 1.24 so this step is load-bearing.
install-deps-go-tools — go install protoc-gen-go, protoc-gen-go-grpc,
and golangci-lint/v2/cmd/golangci-lint. Then
asserts the installed golangci-lint version
parses as >= GOLANGCI_LINT_VERSION (default
1.64.0, the floor that supports Go 1.25
syntax) to catch stale binaries in $GOPATH
/bin before they silently run against Go
1.25 code.
- Parser bug fixed: golangci-lint v1.x prints "has version v1.64.8" but
v2.x dropped the 'v' prefix and prints "has version 2.11.4". The
original sed regex required the 'v' and returned an empty match on
v2.x, making the assertion explode with "could not parse version
output". Fixed by switching to extended regex (sed -En) with 'v?' so
both forms parse cleanly.
- GO_VERSION and GOLANGCI_LINT_VERSION exposed as Makefile variables
so operators can override on the command line, e.g.
make install-deps GO_VERSION=1.25.5 GOLANGCI_LINT_VERSION=2.0.0
- .PHONY extended with the four new target names.
Docs:
- README.md: capability note rewritten to cover CAP_NET_RAW (ICMP) and
the new CAP_SYS_ADMIN requirement when healthchecker.netns is set,
plus a paragraph explaining that the Debian systemd unit grants both
automatically. Docker example gained a second variant that shows the
additional --cap-add SYS_ADMIN and /var/run/netns bind mount for
netns-scoped deployments. Also notes that maglevd-frontend ignores
SIGHUP so controlling-terminal disconnects don't kill it.
- docs/user-guide.md: Capabilities section rewritten as a bulleted
list covering both caps, with the EPERM error string and three
different ways to grant them (systemd unit, setcap, systemd-run);
'show vpp lb counters' command description updated to explain that
per-backend packet counts are no longer shown (LB plugin's
forwarding node bypasses ip{4,6}_lookup_inline, so /net/route/to at
the backend's FIB entry never ticks for LB-forwarded traffic); new
~75-line "What the SPA shows" subsection covering the scope
selector + maglev_scope cookie, the per-maglevd frontend cards, the
health-cascade icon table (ok / bug-buckets / primary-drained /
degraded / unknown), the lb buckets column semantics, the
maglev_zippy_open cookie, the admin-mode lifecycle dialogs with
their plain-English consequence text, and the debug panel.
- docs/config-guide.md: healthchecker.netns field gains a capability-
requirement note spelling out setns(CLONE_NEWNET), the EPERM
symptom string, and the /var/run/netns/ readability requirement.
- docs/healthchecks.md: new "Jitter" subsection explaining the +/-10%
scaling on every computed interval, and a "Probe timing while a
probe is in flight" subsection that explains why fast-interval alone
doesn't give fast fault detection against hanging backends (the
probe loop is synchronous, so each iteration is timeout +
fast-interval; the advice is to lower timeout, not fast-interval).
- docs/maglevd.8: description paragraph corrected (dropped the
per-backend stats claim and added a short note pointing at the LB
plugin forwarding-path bypass); new CAPABILITIES section between
SIGNALS and FILES covering both CAP_NET_RAW and CAP_SYS_ADMIN with
the drop-in-override hint.
- docs/maglevd-frontend.8: new SIGNALS section documenting the
explicit SIGHUP ignore (so a controlling-terminal disconnect doesn't
kill the daemon); description extended with paragraphs on the two
persistence cookies (maglev_scope, maglev_zippy_open) and on the
health-cascade icon + lb buckets column.
- docs/maglevc.1: left untouched — intentionally minimal and delegates
to docs/user-guide.md.
Lint (26 issues across 12 files, all errcheck / ineffassign / S1021):
- cmd/frontend/handlers.go: _, _ = fmt.Fprintf(...) for the SSE retry
hint and resync control-event writes.
- cmd/maglevc/commands.go: bulk-prefix every fmt.Fprintf(w, ...) with
_, _ =; also merged 'var watchEventsOptSlot *Node; ... = &Node{...}'
into a single := declaration (staticcheck S1021) — the self-
referencing pattern still works because the Children back-ref is
assigned on the next statement, not inside the struct literal.
- cmd/maglevc/complete.go: _, _ = fmt.Fprintf(ql.rl.Stderr(), ...)
for the banner and help writes; removed the ineffectual
'partial = ""' assignment (nothing downstream reads partial after
that branch, so setting it was dead code flagged by ineffassign).
- cmd/maglevc/shell.go: defer func() { _ = rl.Close() }() for the
readline instance; _, _ = fmt.Fprintf(rl.Stderr(), ...) for error
display in the REPL loop.
- cmd/maglevc/main.go: defer func() { _ = conn.Close() }() for the
gRPC client connection.
- internal/grpcapi/server_test.go: _ = conn.Close() in the test
teardown closure.
- internal/prober/http.go: _ = c.Close() in the TLS-handshake-failed
path; defer func() { _ = conn.Close() }() and defer func() { _ =
resp.Body.Close() }() for the two deferred cleanups.
- internal/prober/http_test.go: defer func() { _ = resp.Body.Close()
}() plus three _, _ = fmt.Fprint(w, ...) in the httptest.Server
handlers and _, _ = fmt.Sscanf(...) when parsing the test listener's
port.
- internal/prober/icmp.go: defer func() { _ = pc.Close() }() for the
ICMP packet conn.
- internal/prober/netns.go: defer func() { _ = origNs.Close() }(),
defer func() { _ = netns.Set(origNs) }(), defer func() { _ =
targetNs.Close() }() — also dropped a stray //nolint:errcheck that
was no longer needed once the closure wrapping handled the discard.
- internal/prober/tcp.go: _ = conn.Close() in the L4-only path,
_ = tlsConn.Close() in the failed and succeeded handshake branches,
_ = tlsConn.SetDeadline(...) (also dropped a //nolint:errcheck
previously covering it).
Iterative 'make lint' runs were needed because golangci-lint v2.x
caps same-linter reports per pass, so the first pass reported 21,
then 4, then 3, then 1, then 0. Final pass: 0 issues. make test is
green across every package, and make build produces all three
binaries cleanly.
367 lines
12 KiB
Go
367 lines
12 KiB
Go
// Copyright (c) 2026, Pim van Pelt <pim@ipng.ch>
|
||
|
||
package main
|
||
|
||
import (
|
||
"context"
|
||
"crypto/subtle"
|
||
"encoding/json"
|
||
"fmt"
|
||
"io/fs"
|
||
"log/slog"
|
||
"net/http"
|
||
"strings"
|
||
"time"
|
||
|
||
buildinfo "git.ipng.ch/ipng/vpp-maglev/cmd"
|
||
)
|
||
|
||
// adminCreds holds the basic-auth credentials for the /admin/ surface.
|
||
// Enabled is true when both the user and password env vars were set
|
||
// and non-empty at startup; when false, /admin/ is hidden entirely
|
||
// (returns 404) so operators who never intended to expose it don't
|
||
// see a teasing "unauthorized" response.
|
||
type adminCreds struct {
|
||
User string
|
||
Password string
|
||
Enabled bool
|
||
}
|
||
|
||
func registerHandlers(mux *http.ServeMux, clients []*maglevClient, broker *Broker, admin adminCreds) {
|
||
byName := make(map[string]*maglevClient, len(clients))
|
||
for _, c := range clients {
|
||
byName[c.name] = c
|
||
}
|
||
|
||
mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
|
||
_, _ = w.Write([]byte("ok\n"))
|
||
})
|
||
|
||
// Favicon served from the same embedded dist tree Vite produced.
|
||
// Browsers auto-fetch /favicon.ico from the document root regardless
|
||
// of where the SPA itself is mounted, so we register a top-level
|
||
// handler in addition to whatever /view/favicon.ico picks up via the
|
||
// static file server below. Read once at registration so we don't
|
||
// touch the embed.FS on every request, and serve with a long
|
||
// max-age since the bytes never change for a given binary.
|
||
if favicon, ferr := fs.ReadFile(webFS, "web/dist/favicon.ico"); ferr == nil {
|
||
mux.HandleFunc("/favicon.ico", func(w http.ResponseWriter, _ *http.Request) {
|
||
w.Header().Set("Content-Type", "image/x-icon")
|
||
w.Header().Set("Cache-Control", "public, max-age=86400")
|
||
_, _ = w.Write(favicon)
|
||
})
|
||
} else {
|
||
slog.Warn("favicon-missing", "err", ferr)
|
||
}
|
||
|
||
mux.HandleFunc("/view/api/version", func(w http.ResponseWriter, _ *http.Request) {
|
||
writeJSON(w, VersionInfo{
|
||
Version: buildinfo.Version(),
|
||
Commit: buildinfo.Commit(),
|
||
Date: buildinfo.Date(),
|
||
AdminEnabled: admin.Enabled,
|
||
})
|
||
})
|
||
|
||
mux.HandleFunc("/view/api/maglevds", func(w http.ResponseWriter, _ *http.Request) {
|
||
infos := make([]MaglevdInfo, 0, len(clients))
|
||
for _, c := range clients {
|
||
infos = append(infos, c.Info())
|
||
}
|
||
writeJSON(w, infos)
|
||
})
|
||
|
||
mux.HandleFunc("/view/api/state", func(w http.ResponseWriter, _ *http.Request) {
|
||
out := make([]*StateSnapshot, 0, len(clients))
|
||
for _, c := range clients {
|
||
out = append(out, c.Snapshot())
|
||
}
|
||
writeJSON(w, out)
|
||
})
|
||
|
||
mux.HandleFunc("/view/api/state/", func(w http.ResponseWriter, r *http.Request) {
|
||
name := strings.TrimPrefix(r.URL.Path, "/view/api/state/")
|
||
c, ok := byName[name]
|
||
if !ok {
|
||
http.NotFound(w, r)
|
||
return
|
||
}
|
||
writeJSON(w, c.Snapshot())
|
||
})
|
||
|
||
mux.HandleFunc("/view/api/events", func(w http.ResponseWriter, r *http.Request) {
|
||
serveSSE(w, r, broker)
|
||
})
|
||
|
||
// Static SPA served from the embedded dist fs, mounted under /view/.
|
||
staticFS, err := fs.Sub(webFS, "web/dist")
|
||
if err != nil {
|
||
slog.Error("embed-subfs", "err", err)
|
||
return
|
||
}
|
||
fileServer := http.FileServer(http.FS(staticFS))
|
||
mux.Handle("/view/", http.StripPrefix("/view/", fileServer))
|
||
|
||
// /admin/ serves the same SPA shell behind basic auth when the
|
||
// credentials are configured. Only the index.html is served here —
|
||
// all JS, CSS, and assets are referenced via absolute /view/assets/
|
||
// URLs baked in by Vite, so they continue to load from the
|
||
// unauthenticated /view/ tree. Read-only API calls also go to
|
||
// /view/api/* unchanged. Mutation endpoints live under /admin/api/
|
||
// so the same basic-auth middleware covers every writing path.
|
||
if admin.Enabled {
|
||
indexBytes, ierr := fs.ReadFile(staticFS, "index.html")
|
||
if ierr != nil {
|
||
slog.Error("embed-index", "err", ierr)
|
||
return
|
||
}
|
||
serveIndex := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||
w.Header().Set("Cache-Control", "no-store")
|
||
_, _ = w.Write(indexBytes)
|
||
})
|
||
adminAPI := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
handleAdminAPI(w, r, byName)
|
||
})
|
||
realm := "maglevd-frontend admin"
|
||
// Register /admin/api/ before /admin/ so the more specific
|
||
// pattern wins in net/http's ServeMux.
|
||
mux.Handle("/admin/api/", basicAuth(realm, admin.User, admin.Password, adminAPI))
|
||
mux.Handle("/admin/", basicAuth(realm, admin.User, admin.Password, serveIndex))
|
||
}
|
||
|
||
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||
if r.URL.Path == "/" {
|
||
http.Redirect(w, r, "/view/", http.StatusFound)
|
||
return
|
||
}
|
||
http.NotFound(w, r)
|
||
})
|
||
}
|
||
|
||
// handleAdminAPI dispatches mutation requests under /admin/api/.
|
||
//
|
||
// Supported shapes:
|
||
//
|
||
// POST /admin/api/{maglevd}/backend/{name}/{pause|resume|enable|disable}
|
||
// → fresh BackendSnapshot as JSON
|
||
//
|
||
// POST /admin/api/{maglevd}/frontend/{fe}/pool/{pool}/backend/{name}/weight
|
||
// body: {"weight": 0-100, "flush": bool}
|
||
// → fresh FrontendSnapshot as JSON
|
||
//
|
||
// The WatchEvents stream also delivers a backend-transition (and, for
|
||
// the weight case, no event — since the config mutation doesn't flip
|
||
// the health state). The POST response is primarily for the
|
||
// originating SPA to learn about failures and to refresh effective
|
||
// weights immediately. Errors from the gRPC side are surfaced as
|
||
// 400 (bad request) or 502 (maglevd returned an error).
|
||
func handleAdminAPI(w http.ResponseWriter, r *http.Request, byName map[string]*maglevClient) {
|
||
if r.Method != http.MethodPost {
|
||
w.Header().Set("Allow", "POST")
|
||
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
||
return
|
||
}
|
||
parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/admin/api/"), "/")
|
||
// Peel off the maglevd name (always the first segment).
|
||
if len(parts) < 2 {
|
||
http.NotFound(w, r)
|
||
return
|
||
}
|
||
maglevd := parts[0]
|
||
c, ok := byName[maglevd]
|
||
if !ok {
|
||
http.NotFound(w, r)
|
||
return
|
||
}
|
||
rest := parts[1:]
|
||
|
||
switch {
|
||
// {maglevd}/backend/{name}/{action}
|
||
case len(rest) == 3 && rest[0] == "backend":
|
||
handleBackendLifecycle(w, r, c, rest[1], rest[2])
|
||
// {maglevd}/frontend/{fe}/pool/{pool}/backend/{name}/weight
|
||
case len(rest) == 7 && rest[0] == "frontend" && rest[2] == "pool" && rest[4] == "backend" && rest[6] == "weight":
|
||
handleBackendWeight(w, r, c, rest[1], rest[3], rest[5])
|
||
default:
|
||
http.NotFound(w, r)
|
||
}
|
||
}
|
||
|
||
func handleBackendLifecycle(w http.ResponseWriter, r *http.Request, c *maglevClient, name, action string) {
|
||
switch action {
|
||
case "pause", "resume", "enable", "disable":
|
||
default:
|
||
http.Error(w, fmt.Sprintf("unknown action %q", action), http.StatusBadRequest)
|
||
return
|
||
}
|
||
ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
|
||
defer cancel()
|
||
snap, err := c.BackendAction(ctx, name, action)
|
||
if err != nil {
|
||
slog.Warn("admin-backend-action", "maglevd", c.name, "backend", name, "action", action, "err", err)
|
||
http.Error(w, err.Error(), http.StatusBadGateway)
|
||
return
|
||
}
|
||
slog.Info("admin-backend-action",
|
||
"maglevd", c.name, "backend", name, "action", action, "state", snap.State)
|
||
// The maglevd→watch path will deliver a transition event that
|
||
// also wakes the lb-state loop, but firing here too makes the
|
||
// admin path self-contained and shaves the worst-case race
|
||
// where the SPA is still waiting on the WatchEvents replay
|
||
// when the POST response lands. The debouncer coalesces any
|
||
// duplicate wake.
|
||
c.triggerLBStateFetch()
|
||
writeJSON(w, snap)
|
||
}
|
||
|
||
type setWeightBody struct {
|
||
Weight int32 `json:"weight"`
|
||
Flush bool `json:"flush"`
|
||
}
|
||
|
||
func handleBackendWeight(w http.ResponseWriter, r *http.Request, c *maglevClient, frontend, pool, backend string) {
|
||
var body setWeightBody
|
||
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
||
http.Error(w, fmt.Sprintf("bad json: %v", err), http.StatusBadRequest)
|
||
return
|
||
}
|
||
if body.Weight < 0 || body.Weight > 100 {
|
||
http.Error(w, fmt.Sprintf("weight %d out of range [0, 100]", body.Weight), http.StatusBadRequest)
|
||
return
|
||
}
|
||
ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
|
||
defer cancel()
|
||
snap, err := c.SetBackendWeight(ctx, frontend, pool, backend, body.Weight, body.Flush)
|
||
if err != nil {
|
||
slog.Warn("admin-set-weight",
|
||
"maglevd", c.name, "frontend", frontend, "pool", pool, "backend", backend,
|
||
"weight", body.Weight, "flush", body.Flush, "err", err)
|
||
http.Error(w, err.Error(), http.StatusBadGateway)
|
||
return
|
||
}
|
||
slog.Info("admin-set-weight",
|
||
"maglevd", c.name, "frontend", frontend, "pool", pool, "backend", backend,
|
||
"weight", body.Weight, "flush", body.Flush)
|
||
// Weight changes never produce a transition event on the maglevd
|
||
// side (the backend's state is unchanged), so the WatchEvents
|
||
// stream won't wake the lb-state loop for us — without an explicit
|
||
// trigger here the SPA's bucket column would stay stale until the
|
||
// next 30s refresh tick. SyncLBStateVIP on the maglevd side has
|
||
// already pushed the new weights into VPP synchronously, so the
|
||
// fetch we kick off will see fresh post-mutation buckets.
|
||
c.triggerLBStateFetch()
|
||
writeJSON(w, snap)
|
||
}
|
||
|
||
// basicAuth wraps a handler in an HTTP basic-auth check. Uses
|
||
// subtle.ConstantTimeCompare to avoid leaking credential length or
|
||
// content via response-timing side channels.
|
||
func basicAuth(realm, user, password string, next http.Handler) http.Handler {
|
||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
u, p, ok := r.BasicAuth()
|
||
// Compare fixed-length byte slices so a wrong username takes
|
||
// the same time as a wrong password; only the boolean result
|
||
// matters.
|
||
uOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
|
||
pOK := subtle.ConstantTimeCompare([]byte(p), []byte(password)) == 1
|
||
if !ok || !uOK || !pOK {
|
||
w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, realm))
|
||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||
return
|
||
}
|
||
next.ServeHTTP(w, r)
|
||
})
|
||
}
|
||
|
||
func writeJSON(w http.ResponseWriter, v any) {
|
||
w.Header().Set("Content-Type", "application/json")
|
||
enc := json.NewEncoder(w)
|
||
enc.SetEscapeHTML(false)
|
||
if err := enc.Encode(v); err != nil {
|
||
slog.Error("json-encode", "err", err)
|
||
}
|
||
}
|
||
|
||
// serveSSE handles the long-lived /view/api/events stream. The operational
|
||
// requirements (retry hint, heartbeat, flush-after-write, X-Accel-Buffering,
|
||
// context-done teardown) are documented in PLAN_FRONTEND.md §SSE operational
|
||
// requirements.
|
||
func serveSSE(w http.ResponseWriter, r *http.Request, broker *Broker) {
|
||
flusher, ok := w.(http.Flusher)
|
||
if !ok {
|
||
http.Error(w, "streaming unsupported", http.StatusInternalServerError)
|
||
return
|
||
}
|
||
|
||
h := w.Header()
|
||
h.Set("Content-Type", "text/event-stream")
|
||
h.Set("Cache-Control", "no-cache")
|
||
h.Set("Connection", "keep-alive")
|
||
h.Set("X-Accel-Buffering", "no")
|
||
w.WriteHeader(http.StatusOK)
|
||
|
||
// Reconnect hint: EventSource default is 3–5s; 2s feels livelier.
|
||
_, _ = fmt.Fprintf(w, "retry: 2000\n\n")
|
||
flusher.Flush()
|
||
|
||
result := broker.Subscribe(r.Header.Get("Last-Event-ID"))
|
||
defer broker.Unsubscribe(result.Channel)
|
||
|
||
if result.NeedResync {
|
||
// No id: line — the browser keeps whatever Last-Event-ID it had,
|
||
// so subsequent reconnects compare against a real event ID.
|
||
_, _ = fmt.Fprintf(w, "event: resync\ndata: {}\n\n")
|
||
flusher.Flush()
|
||
}
|
||
for _, ev := range result.ReplayEvents {
|
||
if err := writeEvent(w, ev); err != nil {
|
||
return
|
||
}
|
||
flusher.Flush()
|
||
}
|
||
|
||
heartbeat := time.NewTicker(15 * time.Second)
|
||
defer heartbeat.Stop()
|
||
|
||
for {
|
||
select {
|
||
case <-r.Context().Done():
|
||
return
|
||
case ev, ok := <-result.Channel:
|
||
if !ok {
|
||
return
|
||
}
|
||
if err := writeEvent(w, ev); err != nil {
|
||
return
|
||
}
|
||
flusher.Flush()
|
||
case <-heartbeat.C:
|
||
if _, err := fmt.Fprintf(w, ": ping\n\n"); err != nil {
|
||
return
|
||
}
|
||
flusher.Flush()
|
||
}
|
||
}
|
||
}
|
||
|
||
func writeEvent(w http.ResponseWriter, ev deliveredEvent) error {
|
||
// "resync" goes out as a named SSE event so the SPA's existing
|
||
// addEventListener("resync", ...) handler fires (and not the
|
||
// default onmessage path). Every other event type keeps the
|
||
// default onmessage path with a JSON body. We still emit an id
|
||
// so a reconnecting browser can replay from the right point in
|
||
// the ring; the resync handler is idempotent (a duplicate
|
||
// replay just triggers a redundant fetchState).
|
||
if ev.Event.Type == "resync" {
|
||
_, err := fmt.Fprintf(w, "id: %s\nevent: resync\ndata: {}\n\n", ev.ID)
|
||
return err
|
||
}
|
||
body, err := json.Marshal(ev.Event)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
_, err = fmt.Fprintf(w, "id: %s\ndata: %s\n\n", ev.ID, body)
|
||
return err
|
||
}
|