
netchasm's People

Contributors

gwirvin, juen1jp, raghavendra-nataraj, retlawrose, varsameer

netchasm's Issues

Question: Support for http2/3 health checks?

Expected Behavior

Does NetCHASM support http2 (or later) health checks?

It's unclear from my scanning of the documentation whether NetCHASM supports making health checks to servers which support only http2 (i.e. no http/1.1 support).

Current Behavior

Change would be to add http2 support (if it does not exist).

Context

Such support would be useful for checking servers running gRPC services which are http2 based, but do not support http/1.1. We often have a situation now running Java gRPC services where a health check comes in for, say, GET /status.html HTTP/1.1 on the same port as the Java gRPC service. In Java gRPC, this results in an error and a long stack backtrace (see grpc/grpc-java#7692).

Usage of Dynamic libraries to avoid linking libraries that are not needed

If the current code can be modified to make use of Dynamic libraries for instantiation of derived class objects instead of concrete instantiation as is done currently during initialization from the master config, inclusion of unwanted libraries in the final binary can be avoided when developers have their own implementation of the derived classes. For example, inclusion of the MDBM library can be avoided when developers have their own implementation of the storage base class that makes use of a different backend database.

API to dynamically add/remove servers from Host groups

Currently, the only way to add/remove servers to host groups using the provided API is to make the desired changes in the config and to issue a reload of the config. A new API to dynamically add/remove servers to host groups will avoid this time-consuming reload.

NetCHASM doesn't build against OpenSSL3.0

Expected Behavior

NetCHASM should build under Ubuntu LTS 22.04 and CentOS 9, which by default use OpenSSL3.

Current Behavior

NetCHASM fails to compile against OpenSSL3 because it uses a function that has been removed: FIPS_mode_set(). Here is the compile error:

/home/ubuntu/NetCHASM/src/internal/HMStateManager.cpp:106:5: error: ‘FIPS_mode_set’ was not declared in this scope
  106 |     FIPS_mode_set(0);
      |     ^~~~~~~~~~~~~
make[2]: *** [src/internal/CMakeFiles/netchasm_core.dir/build.make:692: src/internal/CMakeFiles/netchasm_core.dir/HMStateManager.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:426: src/internal/CMakeFiles/netchasm_core.dir/all] Error 2
make: *** [Makefile:166: all] Error 2

Note that there are also some functions used in NetCHASM that have been deprecated in OpenSSL3 (and some deprecated in OpenSSL 1.1.0). These functions will still work for now, but it is advisable to use the newer, non-deprecated functions to avoid the build breaking in the future. I've attached a full build log against OpenSSL3 which contains all the warnings of deprecated functions. Here is an example:

/home/ubuntu/NetCHASM/src/api/HMControlTLSSocketClient.cpp: In constructor ‘HMControlTLSSocketClient::HMControlTLSSocketClient(HMAPIIPAddress&, uint16_t, std::string&, std::string&, std::string&)’:
/home/ubuntu/NetCHASM/src/api/HMControlTLSSocketClient.cpp:100:40: warning: ‘const SSL_METHOD* TLSv1_2_method()’ is deprecated: Since OpenSSL 1.1.0 [-Wdeprecated-declarations]
  100 |     m_ctx = SSL_CTX_new(TLSv1_2_method());
      |                                        ^
In file included from /home/ubuntu/NetCHASM/include/NetCHASM/HMControlTLSSocketClient.h:11,
                 from /home/ubuntu/NetCHASM/src/api/HMControlTLSSocketClient.cpp:12:
/usr/include/openssl/ssl.h:2020:50: note: declared here
 2020 | OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
      |                                                  ^~~~~~~~~~~~~~
/home/ubuntu/NetCHASM/src/api/HMControlTLSSocketClient.cpp:100:40: warning: ‘const SSL_METHOD* TLSv1_2_method()’ is deprecated: Since OpenSSL 1.1.0 [-Wdeprecated-declarations]
  100 |     m_ctx = SSL_CTX_new(TLSv1_2_method());
      |                                        ^
In file included from /home/ubuntu/NetCHASM/include/NetCHASM/HMControlTLSSocketClient.h:11,
                 from /home/ubuntu/NetCHASM/src/api/HMControlTLSSocketClient.cpp:12:
/usr/include/openssl/ssl.h:2020:50: note: declared here
 2020 | OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
      |                                                  ^~~~~~~~~~~~~~
/home/ubuntu/NetCHASM/src/internal/HMWorkHealthCheckCurl.cpp:86:21: warning: ‘void RSA_free(RSA*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
   86 |         RSA_free(rsa);
      |                     ^
In file included from /usr/include/openssl/x509.h:36,
                 from /usr/include/openssl/ssl.h:31,
                 from /home/ubuntu/NetCHASM/include/internal/HMEventLoopLibEvent.h:15,
                 from /home/ubuntu/NetCHASM/include/internal/HMStateManager.h:9,
                 from /home/ubuntu/NetCHASM/src/internal/HMWorkHealthCheckCurl.cpp:10:
/usr/include/openssl/rsa.h:293:28: note: declared here
  293 | OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);
      |                            ^~~~~~~~

Full Log: make.log

Possible Solution

I'm not really sure why FIPS_mode_set(0) (which would attempt to turn FIPS Mode off) is called as I can't find an instance in the NetCHASM code where FIPS mode is turned on. The OpenSSL page on migrating to OpenSSL3 is here: https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Deprecated-low-level-encryption-functions and it says this:

Removed FIPS_mode() and FIPS_mode_set()
These functions are legacy APIs that are not applicable to the new provider model. Applications should instead use [EVP_default_properties_is_fips_enabled(3)](https://www.openssl.org/docs/man3.0/man3/EVP_default_properties_is_fips_enabled.html) and [EVP_default_properties_enable_fips(3)](https://www.openssl.org/docs/man3.0/man3/EVP_default_properties_enable_fips.html).

So I can't fully suggest what to change here to fix this issue.

Steps to Reproduce (for bugs)

Clone the repository on Ubuntu 22.04 LTS and follow the normal steps for building. Install the pre-reqs, run the cmake command then make. Note that I also had to install and use g++-9 because NetCHASM won't build with g++-11 due to compiler changes.

Context

OpenSSL3 is the current version of the OpenSSL project and has been adopted by Ubuntu 22.04, CentOS 9, and presumably will be the default for most distros going forward. The older OpenSSL versions will go EOL eventually thus meaning that all systems that want to use OpenSSL must upgrade. Unfortunately, OpenSSL has deprecated or removed some of their API in this major version update. If people want to use NetCHASM on these newer distros then it will have to be updated to support the OpenSSL 3.0 APIs. Here is the migration guide which helps explain this.

Your Environment

  • Version used: git master, as of this writing that is commit 3071241
  • Environment name and version (e.g. Chrome 39, node.js 5.4): Ubuntu 22.04, g++-9, OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  • Operating System and version (desktop or mobile): Ubuntu 22.04

Avoid DNS lookup when a host group contains only IP addresses

An optimization can be introduced when a Host group consists of only IP addresses instead of Domain names for servers. Currently, Work orders for DNS resolution are placed on the Queue even when just the IP addresses for the servers are provided in the config. This can be avoided if NetCHASM can detect host groups with only IP addresses and cancel this part of the code flow.
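
The check this issue proposes, sketched as an added example (not part of the issue and not NetCHASM's code; `classifyHost`, `planHostGroup` and `GroupPlan` are hypothetical names). Each entry is tested with the strict `inet_pton` parser, and a DNS work order is needed only when some entry is not an IPv4 or IPv6 literal.

```cpp
#include <arpa/inet.h>
#include <cstdio>
#include <string>
#include <vector>

enum class HostKind { IPv4, IPv6, Name };

// Strict literal check: inet_pton accepts only full dotted-quad IPv4 and
// standard IPv6 text, so shorthand such as "192.0.2" is treated as a name.
HostKind classifyHost(const std::string& host) {
    // An embedded NUL would truncate the C string; never call that a literal.
    if (host.find('\0') != std::string::npos) return HostKind::Name;
    unsigned char buf[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, host.c_str(), buf) == 1) return HostKind::IPv4;
    if (inet_pton(AF_INET6, host.c_str(), buf) == 1) return HostKind::IPv6;
    return HostKind::Name;
}

struct GroupPlan {
    std::vector<std::string> literals;   // usable directly by health checks
    std::vector<std::string> toResolve;  // each needs a DNS work order
    bool needsDns() const { return !toResolve.empty(); }
};

// Partition one host group's configured entries (hypothetical input shape).
GroupPlan planHostGroup(const std::vector<std::string>& hosts) {
    GroupPlan plan;
    for (const auto& h : hosts) {
        if (h.empty()) continue;  // skip blank config entries
        if (classifyHost(h) == HostKind::Name)
            plan.toResolve.push_back(h);
        else
            plan.literals.push_back(h);
    }
    return plan;
}

int main() {
    // Constructed sample host groups (documentation address ranges).
    std::vector<std::vector<std::string>> groups = {
        {"192.0.2.10", "2001:db8::1"},
        {"192.0.2.10", "web1.example.com"},
    };
    for (const auto& g : groups) {
        GroupPlan p = planHostGroup(g);
        std::printf("literals=%zu toResolve=%zu needsDns=%s\n", p.literals.size(),
                    p.toResolve.size(), p.needsDns() ? "yes" : "no");
    }
    return 0;
}
```
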
