mirror of
https://github.com/minio/minio.git
synced 2024-12-25 22:55:54 -05:00
66174692a2
add a hint on the disk to allow for tracking fresh disk being healed, to allow for restartable heals, and also use this as a way to track and remove disks. There are more pending changes where we should move all the disk formatting logic to backend drives, this PR doesn't deal with this refactor instead makes it easier to track healing in the future.
217 lines
6.5 KiB
Go
217 lines
6.5 KiB
Go
/*
|
|
* MinIO Cloud Storage, (C) 2017, 2018 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package http
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"errors"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"runtime/pprof"
|
|
"sync"
|
|
"sync/atomic"
|
|
"time"
|
|
|
|
humanize "github.com/dustin/go-humanize"
|
|
|
|
"github.com/minio/minio-go/v7/pkg/set"
|
|
"github.com/minio/minio/cmd/config"
|
|
"github.com/minio/minio/pkg/certs"
|
|
"github.com/minio/minio/pkg/env"
|
|
)
|
|
|
|
const (
|
|
serverShutdownPoll = 500 * time.Millisecond
|
|
|
|
// DefaultShutdownTimeout - default shutdown timeout used for graceful http server shutdown.
|
|
DefaultShutdownTimeout = 5 * time.Second
|
|
|
|
// DefaultMaxHeaderBytes - default maximum HTTP header size in bytes.
|
|
DefaultMaxHeaderBytes = 1 * humanize.MiByte
|
|
)
|
|
|
|
// Server - extended http.Server supports multiple addresses to serve and enhanced connection handling.
|
|
type Server struct {
|
|
http.Server
|
|
Addrs []string // addresses on which the server listens for new connection.
|
|
ShutdownTimeout time.Duration // timeout used for graceful server shutdown.
|
|
listenerMutex sync.Mutex // to guard 'listener' field.
|
|
listener *httpListener // HTTP listener for all 'Addrs' field.
|
|
inShutdown uint32 // indicates whether the server is in shutdown or not
|
|
requestCount int32 // counter holds no. of request in progress.
|
|
}
|
|
|
|
// GetRequestCount - returns number of request in progress.
|
|
func (srv *Server) GetRequestCount() int32 {
|
|
return atomic.LoadInt32(&srv.requestCount)
|
|
}
|
|
|
|
// Start - start HTTP server
|
|
func (srv *Server) Start() (err error) {
|
|
// Take a copy of server fields.
|
|
var tlsConfig *tls.Config
|
|
if srv.TLSConfig != nil {
|
|
tlsConfig = srv.TLSConfig.Clone()
|
|
}
|
|
handler := srv.Handler // if srv.Handler holds non-synced state -> possible data race
|
|
|
|
addrs := set.CreateStringSet(srv.Addrs...).ToSlice() // copy and remove duplicates
|
|
|
|
// Create new HTTP listener.
|
|
var listener *httpListener
|
|
listener, err = newHTTPListener(
|
|
addrs,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Wrap given handler to do additional
|
|
// * return 503 (service unavailable) if the server in shutdown.
|
|
wrappedHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// If server is in shutdown.
|
|
if atomic.LoadUint32(&srv.inShutdown) != 0 {
|
|
// To indicate disable keep-alives
|
|
w.Header().Set("Connection", "close")
|
|
w.WriteHeader(http.StatusForbidden)
|
|
w.Write([]byte(http.ErrServerClosed.Error()))
|
|
w.(http.Flusher).Flush()
|
|
return
|
|
}
|
|
|
|
atomic.AddInt32(&srv.requestCount, 1)
|
|
defer atomic.AddInt32(&srv.requestCount, -1)
|
|
|
|
// Handle request using passed handler.
|
|
handler.ServeHTTP(w, r)
|
|
})
|
|
|
|
srv.listenerMutex.Lock()
|
|
srv.Handler = wrappedHandler
|
|
srv.listener = listener
|
|
srv.listenerMutex.Unlock()
|
|
|
|
// Start servicing with listener.
|
|
if tlsConfig != nil {
|
|
return srv.Server.Serve(tls.NewListener(listener, tlsConfig))
|
|
}
|
|
return srv.Server.Serve(listener)
|
|
}
|
|
|
|
// Shutdown - shuts down HTTP server.
|
|
func (srv *Server) Shutdown() error {
|
|
srv.listenerMutex.Lock()
|
|
if srv.listener == nil {
|
|
srv.listenerMutex.Unlock()
|
|
return http.ErrServerClosed
|
|
}
|
|
srv.listenerMutex.Unlock()
|
|
|
|
if atomic.AddUint32(&srv.inShutdown, 1) > 1 {
|
|
// shutdown in progress
|
|
return http.ErrServerClosed
|
|
}
|
|
|
|
// Close underneath HTTP listener.
|
|
srv.listenerMutex.Lock()
|
|
err := srv.listener.Close()
|
|
srv.listenerMutex.Unlock()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Wait for opened connection to be closed up to Shutdown timeout.
|
|
shutdownTimeout := srv.ShutdownTimeout
|
|
shutdownTimer := time.NewTimer(shutdownTimeout)
|
|
ticker := time.NewTicker(serverShutdownPoll)
|
|
defer ticker.Stop()
|
|
for {
|
|
select {
|
|
case <-shutdownTimer.C:
|
|
// Write all running goroutines.
|
|
tmp, err := ioutil.TempFile("", "minio-goroutines-*.txt")
|
|
if err == nil {
|
|
_ = pprof.Lookup("goroutine").WriteTo(tmp, 1)
|
|
tmp.Close()
|
|
return errors.New("timed out. some connections are still active. goroutines written to " + tmp.Name())
|
|
}
|
|
return errors.New("timed out. some connections are still active")
|
|
case <-ticker.C:
|
|
if atomic.LoadInt32(&srv.requestCount) <= 0 {
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Secure Go implementations of modern TLS ciphers
|
|
// The following ciphers are excluded because:
|
|
// - RC4 ciphers: RC4 is broken
|
|
// - 3DES ciphers: Because of the 64 bit blocksize of DES (Sweet32)
|
|
// - CBC-SHA256 ciphers: No countermeasures against Lucky13 timing attack
|
|
// - CBC-SHA ciphers: Legacy ciphers (SHA-1) and non-constant time
|
|
// implementation of CBC.
|
|
// (CBC-SHA ciphers can be enabled again if required)
|
|
// - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
|
|
// padding scheme. See Bleichenbacher attacks.
|
|
var secureCipherSuites = []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
}
|
|
|
|
// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
|
|
var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
|
|
|
|
const (
|
|
enableSecureCiphersEnv = "MINIO_API_SECURE_CIPHERS"
|
|
)
|
|
|
|
// NewServer - creates new HTTP server using given arguments.
|
|
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
|
|
secureCiphers := env.Get(enableSecureCiphersEnv, config.EnableOn) == config.EnableOn
|
|
|
|
var tlsConfig *tls.Config
|
|
if getCert != nil {
|
|
tlsConfig = &tls.Config{
|
|
// TLS hardening
|
|
PreferServerCipherSuites: true,
|
|
MinVersion: tls.VersionTLS12,
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
}
|
|
tlsConfig.GetCertificate = getCert
|
|
}
|
|
|
|
if secureCiphers && tlsConfig != nil {
|
|
tlsConfig.CipherSuites = secureCipherSuites
|
|
tlsConfig.CurvePreferences = secureCurves
|
|
}
|
|
|
|
httpServer := &Server{
|
|
Addrs: addrs,
|
|
ShutdownTimeout: DefaultShutdownTimeout,
|
|
}
|
|
httpServer.Handler = handler
|
|
httpServer.TLSConfig = tlsConfig
|
|
httpServer.MaxHeaderBytes = DefaultMaxHeaderBytes
|
|
|
|
return httpServer
|
|
}
|