Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / b0d3a8562bb11ac9279aa234ce60cf619b64ca6a
commitb0d3a8562bb11ac9279aa234ce60cf619b64ca6a[log] [tgz]
authorEd Tanous <edtanous@google.com>Tue Jun 28 08:35:47 2022 -0700
committerEd Tanous <ed@tanous.net>Wed Aug 17 17:26:19 2022 +0000
treebd776f6b8163748d3713a151a29090d6ef6f922e
parent17dcc312e534b33c2ea18a1dbf287e30ea79cfb5 [diff]
Section out the maintainership of bmcweb

As bmcweb grows, it's important that we distribute the load amongst the
available community.  This commit pivots slightly from our usual process
of giving full repo maintainership to a small list of one or two people,
and instead proposes passing out smaller pieces of maintainership.  The
hope is that over time, these maintainers can grow into owning larger
portions of the stack.

In this way, we can increase our breadth of available maintainers for
the things that are straightforward, like adding new redfish schemas or
doing migrations, while still keeping a few core maintainers responsible
for the core.

I've reached out to both Krzysztof and Nan, and asked them which pieces
they feel that they're comfortable maintaining, and I've added all
components they listed to the OWNERS files.  Each has a track record of
doing reviews in upstream, and given that Gunnar and myself will still
be present and active, this seems like a good thing for the project
overall.

The specific sections of maintainership for each person is laid out in
the OWNERS file, and we can modify over time as each person gets more
experience in reviewing and testing.

The expectations are that for the files explicitly listed, these new
maintainers will be able to handle all reviews that touch those sections
of functionality (including reviews not yet merged).  Please continue to
communicate as you have previously.

To those being added, it is expected that if there are core issues
brought up in the modules that you maintain, you escalate them to the
entire group of maintainers, and remain active on our communication
channels.  In the past, we've had significant issues where individual
modules tried to implement generalized solutions in a handler-specific
way, and while most of that has been cleaned up, it caused significant
thrash.  Lets try to avoid that going forward.

I look forward to working with both of you more.

Change-Id: I7750a12703af68fc82f84a0e22496dabca582208
Signed-off-by: Ed Tanous <edtanous@google.com>
1 file changed
tree: bd776f6b8163748d3713a151a29090d6ef6f922e
  1. .github/
  2. http/
  3. include/
  4. redfish-core/
  5. scripts/
  6. src/
  7. static/
  8. subprojects/
  9. .clang-format
  10. .clang-ignore
  11. .clang-tidy
  12. .dockerignore
  13. .gitignore
  14. .shellcheck
  15. bmcweb.service.in
  16. bmcweb.socket.in
  17. bmcweb_config.h.in
  18. build_x86.sh
  19. build_x86_docker.sh
  20. CLIENTS.md
  21. COMMON_ERRORS.md
  22. DEVELOPING.md
  23. Dockerfile
  24. Dockerfile.base
  25. HEADERS.md
  26. LICENSE
  27. meson.build
  28. meson_options.txt
  29. OEM_SCHEMAS.md
  30. OWNERS
  31. pam-webserver
  32. README.md
  33. Redfish.md
  34. run-ci
  35. setup.cfg
  36. TESTING.md
README.md

OpenBMC webserver

This component attempts to be a "do everything" embedded webserver for OpenBMC.

Features

The webserver implements a few distinct interfaces:

  • DBus event websocket. Allows registering on changes to specific dbus paths, properties, and will send an event from the websocket if those filters match.
  • OpenBMC DBus REST api. Allows direct, low interference, high fidelity access to dbus and the objects it represents.
  • Serial: A serial websocket for interacting with the host serial console through websockets.
  • Redfish: A protocol compliant, (Redfish.md)[DBus to Redfish translator].
  • KVM: A websocket based implementation of the RFB (VNC) frame buffer protocol intended to mate to webui-vue to provide a complete KVM implementation.

Protocols

bmcweb at a protocol level supports http and https. TLS is supported through OpenSSL.

AuthX

Authentication

Bmcweb supports multiple authentication protocols:

  • Basic authentication per RFC7617
  • Cookie based authentication for authenticating against webui-vue
  • Mutual TLS authentication based on OpenSSL
  • Session authentication through webui-vue
  • XToken based authentication conformant to Redfish DSP0266

Each of these types of authentication is able to be enabled or disabled both via runtime policy changes (through the relevant Redfish APIs) or via configure time options. All authentication mechanisms supporting username/password are routed to libpam, to allow for customization in authentication implementations.

Authorization

All authorization in bmcweb is determined at routing time, and per route, and conform to the Redfish PrivilegeRegistry.

*Note: Non-Redfish functions are mapped to the closest equivalent Redfish privilege level.

Configuration

bmcweb is configured per the meson build files. Available options are documented in meson_options.txt

Compile bmcweb with default options:

meson builddir
ninja -C builddir

If any of the dependencies are not found on the host system during configuration, meson will automatically download them via its wrap dependencies mentioned in bmcweb/subprojects.

Debug logging

bmcweb by default is compiled with runtime logging disabled, as a performance consideration. To enable it in a standalone build, add the

-Dlogging='enabled'

option to your configure flags. If building within Yocto, add the following to your local.conf.

EXTRA_OEMESON:pn-bmcweb:append = "-Dbmcweb-logging='enabled'"

Use of persistent data

bmcweb relies on some on-system data for storage of persistent data that is internal to the process. Details on the exact data stored and when it is read/written can seen from the persistent_data namespace.

TLS certificate generation

When SSL support is enabled and a usable certificate is not found, bmcweb will generate a self-signed a certificate before launching the server. Please see the bmcweb source code for details on the parameters this certificate is built with.