Webware for Python

I think that all of this can wait.  But.  Since it sounds like some of 
     you find this to be a must have immediately, here's my suggestion.
     
     
     Here is my refined proposal for load-balancing/fail-over.  It is 
     derived from the JServe system.  It's clean, lean and reliable.
     
     First of all, the load balancing logic is in the Adaptor/webserver 
     module.
     
     The key is changing the address.text file so it can have multiple 
     entries.
     
     Part of the AppServer configuration file is the port to run on.  We 
     change the Adaptor logic to consider that a starting port number. When 
     an AppServer starts, it will read the address.text file and see if 
     there are any other entries there, if so, it starts at the next higher 
     port and adds an entry to the file, otherwise it starts at the base 
     address and adds that entry to the file. (note, there is another 
     verion of this below, related to starting the AppServers and writing 
     to address.text)
     
     When an adaptor starts up, it reads the address.text file and gets the 
     list of available AppServers.  It then checks the request for a cookie 
     (a new one, encoded with the port number and machine some how, maybe 
     named __PRT__) (see SECURITY ISSUES) identifying the previous 
     AppServer used for this client.  If it exists, it checks to see that 
     that address is a valid entry from the address.text list (to avoid 
     stale cookies) and sends the request there. (See more complicated 
     version of this below, with different mechanism for verifying 
     AppServer availability)  If it doesn't exist, it chooses an available 
     server randomly.  The AppServer is reponsible for adding the cookie 
     that identifies the machine:port. (So it doesn't have to if there is 
     no session assigned).
     
     
     
     For fail-over, we can have a wimpy little process that is the parent 
     of the AppServers, and monitors them by sending a special request to 
     each periodically.  If it can't connect to one of them, it kills it 
     and forks to start another one.  Pretty simple little app.  It could 
     also be responsible for the initial starting of the pool of 
     AppServers.  Maybe it's also the only process that actually writes to 
     address.text, to avoid any concurrent write issues. (that would change 
     the method I mentioned above)
     
     
     In order to handle AppSevers limiting the number of requests they can 
     handle and killing themselves, we'll have to add some more complicated 
     logic, I think.  My first thought on this is that we add a status 
     check to the initial communication between the Adaptor and the 
     AppServer.  Maybe before sending a request, the Adaptor connects to 
     the AppServer and asks for the AppServer's status.  The AppServer 
     responds with OK or DYING.  If it responds with DYING, the Adaptor 
     won't send it any new requests, only requests that have gone there 
     before.  (this would work for both cgi and persistent adaptors) (This 
     could also be the communication mechanism for the monitor process). 
     When it finally dies, the monitor process can't connect to it anymore 
     and starts another AppServer on that port.    The monitor forks,and if 
     it's the child, it imports AppServer.  We change AppServer slightly to 
     have a "main" function that takes a machine/port as an optional 
     parameter.  The monitor child calls that function with the specified 
     port.
     
     The AppServer won't die until it's session cache is empty.
     
     How does that sound?
     
     I think this method will have the lowest impact on the rest of the 
     code. (Which I consider important) Really the only addition below the 
     AppServer level is the __PRT__ cookie, and that could be done in the 
     AppServer (I think).  Everything else is at AppServer or above.
     
     
     SECURITY ISSUES:
     
     I'm worried about putting the port and machine in a cookie.  Then any 
     hacker can get at that port, unless there's a decent firewall set up, 
     and we can't rely on that, can we? The obvious solution (to me) is to 
     encode only a count in the cookie, like 2, and have the Adaptor know 
     to add that number to some configuration parameter to get the actual 
     port number. Maybe put that configuration number in address.text.  How 
     about that?  (We can't use some encoding scheme that relies only on 
     the cookie value (ie the cookie value is the actual port plus 5 
     divided by 3 times 7), because this is open source.)

Re: [Webware-discuss] Load-Balancing Proposal From: Chuck Esterbrook <echuck@mi...> - 2000-06-15 20:34 At 02:48 PM 6/15/00 -0500, Jay.Love@... wrote: > > I think that all of this can wait. But. Since it sounds like some of > you find this to be a must have immediately, here's my suggestion. > > > Here is my refined proposal for load-balancing/fail-over. It is > derived from the JServe system. It's clean, lean and reliable. > > First of all, the load balancing logic is in the Adaptor/webserver > module. Sounds good. > The key is changing the address.text file so it can have multiple > entries. Sounds possible. We could even pad the fields to be fixed width so you can jump to a particular row as you mention below. Just an idea. > In order to handle AppSevers limiting the number of requests they can > handle and killing themselves, we'll have to add some more complicated > logic, I think. My first thought on this is that we add a status > check to the initial communication between the Adaptor and the > AppServer. Maybe before sending a request, the Adaptor connects to > the AppServer and asks for the AppServer's status. The AppServer > responds with OK or DYING. If it responds with DYING, the Adaptor > won't send it any new requests, only requests that have gone there > before. (this would work for both cgi and persistent adaptors) (This > could also be the communication mechanism for the monitor process). Dying is a rare event, so instead of asking every time, what if the information was pushed back by the AppServer to the address.text file? You might get a couple requests that slip through between the time the AppServer decides it's dying and the time it updates the file, BUT there's not a big difference if you have appserver's with a lifetime of 10 hours and they take a couple more requests at the very end. > When it finally dies, the monitor process can't connect to it anymore > and starts another AppServer on that port. The monitor forks,and if > it's the child, it imports AppServer. We change AppServer slightly to > have a "main" function that takes a machine/port as an optional > parameter. The monitor child calls that function with the specified > port. Or a method or a constructor arguments since we're using OOP, after all. ;-) > The AppServer won't die until it's session cache is empty. Yes, it won't terminate. > How does that sound? I haven't digested all of it yet, but it sounds reasonable. > I think this method will have the lowest impact on the rest of the > code. (Which I consider important) Really the only addition below the Why is low impact on the code important? This project is still pretty young and certainly I don't want to tear things up that are already done the right way, but the rest is fair game. > AppServer level is the __PRT__ cookie, and that could be done in the > AppServer (I think). Everything else is at AppServer or above. > > > SECURITY ISSUES: > > I'm worried about putting the port and machine in a cookie. Then any > hacker can get at that port, unless there's a decent firewall set up, > and we can't rely on that, can we? The obvious solution (to me) is to > encode only a count in the cookie, like 2, and have the Adaptor know > to add that number to some configuration parameter to get the actual > port number. Maybe put that configuration number in address.text. How > about that? (We can't use some encoding scheme that relies only on > the cookie value (ie the cookie value is the actual port plus 5 > divided by 3 times 7), because this is open source.) I think even with open source it's safe to use things like md5 and such, but I forget how that works. :-) You didn't mention it, but the config should say what the max # of app servers are. So if this is a concession proposal, what is that we're leaving out? It looks like you have everything but load balancing...? Yes/no? And who's coding this? Geoff? You? Me? -Chuck

Re: [Webware-discuss] Load-Balancing Proposal From: Geoff Talvola <gtalvola@Na...> - 2000-06-15 21:25 Chuck Esterbrook wrote: > And who's coding this? Geoff? You? Me? I would be happy to take a stab at it, but realistically it'll be a couple of weeks before you can expect any results. I'm kinda busy with work right now... I question the need for a separate "watchdog" application -- why not just have the CGI adaptor start up a new appserver if the old one isn't responding? That's what I suggested in my proposal... Also, what logic would be used to decide to start up a new appserver? Would we automatically start up N appservers based on a configuration parameter, or start out with just one appserver and only start up a new one when that one says it's dying or when it can't be contacted and is presumed dead? -- - Geoff Talvola Parlance Corporation gtalvola@...

Re: [Webware-discuss] Load-Balancing Proposal From: Chuck Esterbrook <echuck@mi...> - 2000-06-15 21:44 At 05:21 PM 6/15/00 -0400, Geoff Talvola wrote: >Chuck Esterbrook wrote: > > > And who's coding this? Geoff? You? Me? > >I would be happy to take a stab at it, but realistically it'll be a couple of >weeks before you can expect any results. I'm kinda busy with work right >now... > >I question the need for a separate "watchdog" application -- why not just have >the CGI adaptor start up a new appserver if the old one isn't >responding? That's >what I suggested in my proposal... Good point. Jay? >Also, what logic would be used to decide to start up a new >appserver? Would we >automatically start up N appservers based on a configuration parameter, or >start >out with just one appserver and only start up a new one when that one says >it's >dying or when it can't be contacted and is presumed dead? Should be configurable. NumServers = 4 BTW, whoever codes this, please make your adapter inherit Configurable, found in Configurable.py. We already use this for Application and AppServer to do config files. -Chuck

Re: [Webware-discuss] Load-Balancing Proposal From: Jay Love <jsliv@js...> - 2000-06-15 23:42 Geoff Talvola wrote: > > Chuck Esterbrook wrote: > > > And who's coding this? Geoff? You? Me? > > I would be happy to take a stab at it, but realistically it'll be a couple of > weeks before you can expect any results. I'm kinda busy with work right now... I'll take it on. > > I question the need for a separate "watchdog" application -- why not just have > the CGI adaptor start up a new appserver if the old one isn't responding? That's > what I suggested in my proposal... I didn't think it was necessary at first, either. But when I started following the process flow in my head, I felt like it was. Keep in mind that the monitor app is a little thing that just keeps an eye on everything. It just seems to make the design a lot cleaner to use it. I think reason number one is that if the AppServer on port 7009 isn't reponding, then 5 new AppServers could be started on that port if the Adaptors are responsible for it. Multiple Adaptors could sense that at the same time. That implies a need for a central App that handles the coordination. The monitor process also handles writing the address.text file. This could be done with file locks, etc, but isn't that unix specific? Anyway, having a monitor do it is cleaner. The monitor app could also play an important role later on in multi-machine load balancing. Plus, a monitor App could also monitor the process size of it's children and tell any AppServer that has leaked to much memory that it needs to die. It could also handle administrative coordination, like counting the total number of requests that all The AppServers have handled (by querying each AppServer), etc. > > Also, what logic would be used to decide to start up a new appserver? Would we > automatically start up N appservers based on a configuration parameter, or start > out with just one appserver and only start up a new one when that one says it's > dying or when it can't be contacted and is presumed dead? > Either way. That would be configurable. However, the catch is that you can't run multiple AppServers if you need to rely on AppWide coordination among Servlts. A Chat app, for example, that relied on getting the previous posts from a central Application Can, for example, couldn't be run on multiple AppServers. A good approach there would be to run that single WebApp in its own AppServer. (Sorry, just thought of that) See this page http://java.apache.org/jserv/howto.load-balancing.html, for some detail on how JServ does this. Note that we have one limitation that requires a monitor process. We don't have an apache module that can share memory across apache processes. Jay

Re: [Webware-discuss] Load-Balancing Proposal From: Chuck Esterbrook <echuck@mi...> - 2000-06-15 23:51 >However, the catch is that you can't run multiple AppServers if you need >to rely on AppWide coordination among Servlts. A Chat app, for example, >that relied on getting the previous posts from a central Application >Can, for example, couldn't be run on multiple AppServers. A good >approach there would be to run that single WebApp in its own AppServer. >(Sorry, just thought of that) The other approach is store the data externally such as in a database. >See this page http://java.apache.org/jserv/howto.load-balancing.html, >for some detail on how JServ does this. >Note that we have one limitation that requires a monitor process. We >don't have an apache module that can share memory across apache >processes. Wouldn't our load balancing be between app servers and not between apache processes? -Chuck

Re: [Webware-discuss] Load-Balancing Proposal From: Jay Love <jsliv@js...> - 2000-06-16 00:51 Chuck Esterbrook wrote: > > >However, the catch is that you can't run multiple AppServers if you need > >to rely on AppWide coordination among Servlts. A Chat app, for example, > >that relied on getting the previous posts from a central Application > >Can, for example, couldn't be run on multiple AppServers. A good > >approach there would be to run that single WebApp in its own AppServer. > >(Sorry, just thought of that) > > The other approach is store the data externally such as in a database. Yep. That's actually the approach you have to take with JServe as well. > > >See this page http://java.apache.org/jserv/howto.load-balancing.html, > >for some detail on how JServ does this. > >Note that we have one limitation that requires a monitor process. We > >don't have an apache module that can share memory across apache > >processes. > > Wouldn't our load balancing be between app servers and not between apache > processes? The apache server is process based, but all the processes can share some memory. All of the mod_jserv instances share config info on what ports the JServe processes are running on, etc. So if you have your apache process set to spawn 10 servers, all those servers can share the the memory that holds all the settings. It gets complicated when the apache servers are load balanced as well. Our solution will handle that case by default, though, so that's one step in our favor. With the cgi approach, we have no persistent state, and no resouce sharing between the cgi processes. Jay

Re: [Webware-discuss] Load-Balancing Proposal From: Geoff Talvola <gtalvola@Na...> - 2000-06-16 13:26 Jay Love wrote: > Geoff Talvola wrote: > > > > Chuck Esterbrook wrote: > > > > > And who's coding this? Geoff? You? Me? > > > > I would be happy to take a stab at it, but realistically it'll be a couple of > > weeks before you can expect any results. I'm kinda busy with work right now... > > I'll take it on. OK, I can at least volunteer to test it and adapt it to run on Windows. Starting up processes is completely different on Windows -- you need to spawn a brand new process using os.spawnv instead of forking with os.fork, because there is no way to fork on Windows. The only ways to pass in variables to the new process are via command-line arguments or environment variables. Try to keep that in mind and don't rely too much on the fork'ed process being able to use the variables of the original process. > > I question the need for a separate "watchdog" application -- why not just have > > the CGI adaptor start up a new appserver if the old one isn't responding? That's > > what I suggested in my proposal... > > I didn't think it was necessary at first, either. But when I started > following the process flow in my head, I felt like it was. > > Keep in mind that the monitor app is a little thing that just keeps an > eye on everything. It just seems to make the design a lot cleaner to > use it. > > I think reason number one is that if the AppServer on port 7009 isn't > reponding, then 5 new AppServers could be started on that port if the > Adaptors are responsible for it. Multiple Adaptors could sense that at > the same time. That implies a need for a central App that handles the > coordination. This could be coordinated by file locking. But maybe that's more complicated than a watchdog app. Remember that the watchdog app needs to stay running indefinitely unlike the appservers, so it should be kept as simple as possible. > The monitor process also handles writing the address.text file. This > could be done with file locks, etc, but isn't that unix specific? > Anyway, having a monitor do it is cleaner. Windows also has file locking, but you may be right that it's cleaner with a central application. One more thing -- who starts the monitor app? I'd like to see 2 options: the monitor app can already be running -- fine. But the adaptor should also be able to start up the monitor app if it's not running. This way, you don't have to start any extra processes when the machine reboots -- as long as the web server comes up, on the first WebKit request, everything else gets started automatically. -- - Geoff Talvola Parlance Corporation gtalvola@...

Re: [Webware-discuss] Load-Balancing Proposal From: Chuck Esterbrook <echuck@mi...> - 2000-06-16 14:22 As is often the case, I agree with all of Geoff's comments. -Chuck At 09:21 AM 6/16/00 -0400, Geoff Talvola wrote: >Jay Love wrote: > > > Geoff Talvola wrote: > > > > > > Chuck Esterbrook wrote: > > > > > > > And who's coding this? Geoff? You? Me? > > > > > > I would be happy to take a stab at it, but realistically it'll be a > couple of > > > weeks before you can expect any results. I'm kinda busy with work > right now... > > > > I'll take it on. > >OK, I can at least volunteer to test it and adapt it to run on >Windows. Starting up >processes is completely different on Windows -- you need to spawn a brand >new process >using os.spawnv instead of forking with os.fork, because there is no way >to fork on >Windows. The only ways to pass in variables to the new process are via >command-line >arguments or environment variables. Try to keep that in mind and don't >rely too much >on the fork'ed process being able to use the variables of the original >process. > > > > I question the need for a separate "watchdog" application -- why not > just have > > > the CGI adaptor start up a new appserver if the old one isn't > responding? That's > > > what I suggested in my proposal... > > > > I didn't think it was necessary at first, either. But when I started > > following the process flow in my head, I felt like it was. > > > > Keep in mind that the monitor app is a little thing that just keeps an > > eye on everything. It just seems to make the design a lot cleaner to > > use it. > > > > I think reason number one is that if the AppServer on port 7009 isn't > > reponding, then 5 new AppServers could be started on that port if the > > Adaptors are responsible for it. Multiple Adaptors could sense that at > > the same time. That implies a need for a central App that handles the > > coordination. > >This could be coordinated by file locking. But maybe that's more >complicated than a >watchdog app. > >Remember that the watchdog app needs to stay running indefinitely unlike the >appservers, so it should be kept as simple as possible. > > > The monitor process also handles writing the address.text file. This > > could be done with file locks, etc, but isn't that unix specific? > > Anyway, having a monitor do it is cleaner. > >Windows also has file locking, but you may be right that it's cleaner with >a central >application. > >One more thing -- who starts the monitor app? I'd like to see 2 options: >the monitor >app can already be running -- fine. But the adaptor should also be able >to start up >the monitor app if it's not running. This way, you don't have to start >any extra >processes when the machine reboots -- as long as the web server comes up, >on the first >WebKit request, everything else gets started automatically. > >-- > > >- Geoff Talvola > Parlance Corporation > gtalvola@...

1 message has been excluded from this view by a project administrator.