Address comments
- Use aafigure to render text -> HTML/image
- Update some docs
parent 14892fc839
commit c4e752d379
|
@ -4,4 +4,5 @@ sphinx-rtd-theme>=0.1.9
|
|||
sphinxcontrib-napoleon>=0.4.4
|
||||
sphinxcontrib-httpdomain>=1.5.0
|
||||
pyyaml>=3.12
|
||||
aafigure>=0.6
|
||||
bigchaindb
|
||||
|
|
|
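Review bot: `aafigure>=0.6` is a lower-bound-only pin, so every ReadTheDocs build resolves whichever aafigure release is newest at build time, and the rendered diagrams can change (or the build can break) without any change to this repository; for a reproducible, auditable docs build, pin the exact version that was tested (`aafigure==0.6`) rather than a floor.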
@ -10,6 +10,7 @@ The following ports should expect unsolicited inbound traffic:
|
|||
1. **Port 9984** can expect inbound HTTP (TCP) traffic from BigchainDB clients sending transactions to the BigchainDB HTTP API.
|
||||
1. **Port 9985** can expect inbound WebSocket traffic from BigchainDB clients.
|
||||
1. **Port 46656** can expect inbound Tendermint P2P traffic from other Tendermint peers.
|
||||
1. **Port 9986** can expect inbound HTTP (TCP) traffic from clients accessing the Public Key of a Tendermint instance.
|
||||
|
||||
All other ports should only get inbound traffic in response to specific requests from inside the node.
|
||||
|
||||
|
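Review bot: the new Port 9986 item states that the Tendermint public key is served over plain HTTP (TCP), whereas the other externally reachable endpoint in this section (port 443) is HTTPS-terminated; a peer that fetches a validator's public key over an unauthenticated channel cannot detect a substituted key, so the doc should either state that 9986 is served over TLS as well or tell readers to check the retrieved key against a value obtained through an authenticated channel before trusting it.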
@ -49,6 +50,12 @@ You may want to have Gunicorn and the reverse proxy running on different servers
|
|||
|
||||
Port 9985 is the default port for the [BigchainDB WebSocket Event Stream API](../websocket-event-stream-api.html).
|
||||
|
||||
|
||||
## Port 9986
|
||||
|
||||
Port 9986 is the default port to access the Public Key of a Tendermint instance, it is used by a NGINX instance
|
||||
that runs with Tendermint instance(Pod), and only hosts the Public Key.
|
||||
|
||||
## Port 46656
|
||||
|
||||
Port 46656 is the default port used by Tendermint Core to communicate with other instances of Tendermint Core (peers).
|
||||
|
|
|
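Review bot: the new "Port 9986" paragraph is a comma splice with a dropped article ("it is used by a NGINX instance that runs with Tendermint instance(Pod)"); suggested wording: "Port 9986 is the default port for accessing the public key of a Tendermint instance. It is served by an NGINX instance that runs alongside the Tendermint instance (in the same Pod) and hosts only the public key." It would also help to repeat here that this is plain HTTP, as the ports list above says, so operators know the key is not protected in transit.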
@ -48,7 +48,7 @@ extensions = [
|
|||
'sphinx.ext.todo',
|
||||
'sphinx.ext.napoleon',
|
||||
'sphinxcontrib.httpdomain',
|
||||
#'sphinx.ext.autosectionlabel',
|
||||
'aafigure.sphinxext',
|
||||
# Below are actually build steps made to look like sphinx extensions.
|
||||
# It was the easiest way to get it running with ReadTheDocs.
|
||||
'generate_http_server_api_documentation',
|
||||
|
|
|
@ -5,7 +5,7 @@ A BigchainDB Production deployment is hosted on a Kubernetes cluster and include
|
|||
|
||||
* NGINX, OpenResty, BigchainDB, MongoDB and Tendermint
|
||||
`Kubernetes Services <https://kubernetes.io/docs/concepts/services-networking/service/>`_.
|
||||
* NGINX, OpenResty, BigchainDB, Monitoring Agent and Backup Agent
|
||||
* NGINX, OpenResty, BigchainDB and MongoDB Monitoring Agent.
|
||||
`Kubernetes Deployments <https://kubernetes.io/docs/concepts/workloads/controllers/deployment/>`_.
|
||||
* MongoDB and Tendermint `Kubernetes StatefulSet <https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/>`_.
|
||||
* Third party services like `3scale <https://3scale.net>`_,
|
||||
|
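Review bot: the three rewritten list items are inconsistent in form: the Services line carries no terminal punctuation, the Deployments line ends with "Monitoring Agent." before its link on the next line, and "Backup Agent" disappears from the Deployments list with no other change in this hunk; confirm the backup agent is intentionally gone from the deployment (the diagram added in this commit does not show it) and give both items the same shape, e.g. "* NGINX, OpenResty, BigchainDB and MongoDB Monitoring Agent `Kubernetes Deployments <...>`_."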
@ -14,10 +14,17 @@ A BigchainDB Production deployment is hosted on a Kubernetes cluster and include
|
|||
<https://docs.microsoft.com/en-us/azure/operations-management-suite/>`_.
|
||||
|
||||
|
||||
.. code:: text
|
||||
.. _bigchaindb-node:
|
||||
|
||||
BigchainDB Node
|
||||
---------------
|
||||
|
||||
.. aafig::
|
||||
:aspect: 60
|
||||
:scale: 100
|
||||
:background: #rgb
|
||||
:proportional:
|
||||
|
||||
BigchainDB Node
|
||||
+ +
|
||||
+--------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| | | |
|
||||
|
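Review bot: `:background: #rgb` looks like the placeholder from the aafigure option documentation (colours are written as `#rgb` or `#rrggbb`) rather than an actual colour value; check that the directive renders on ReadTheDocs and use an explicit value such as `#ffffff`, or drop the option to keep the default. The `:aspect: 60` and `:scale: 100` values are opaque to the next editor, so a short note on why they were chosen would help.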
@ -26,22 +33,22 @@ A BigchainDB Production deployment is hosted on a Kubernetes cluster and include
|
|||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| BigchainDB API | | Tendermint P2P |
|
||||
| | | Communication/ |
|
||||
| | | Public Key Exchange |
|
||||
| "BigchainDB API" | | "Tendermint P2P" |
|
||||
| | | "Communication/" |
|
||||
| | | "Public Key Exchange" |
|
||||
| | | |
|
||||
| | | |
|
||||
| v v |
|
||||
| |
|
||||
| +------------------+ |
|
||||
| | NGINX Service | |
|
||||
| |"NGINX Service" | |
|
||||
| +-------+----------+ |
|
||||
| | |
|
||||
| v |
|
||||
| |
|
||||
| +------------------+ |
|
||||
| | NGINX | |
|
||||
| | Deployment | |
|
||||
| | "NGINX" | |
|
||||
| | "Deployment" | |
|
||||
| | | |
|
||||
| +-------+----------+ |
|
||||
| | |
|
||||
|
@ -49,86 +56,87 @@ A BigchainDB Production deployment is hosted on a Kubernetes cluster and include
|
|||
| | |
|
||||
| v |
|
||||
| |
|
||||
| 443 +----------+ 46656/9986 |
|
||||
| | Rate | |
|
||||
| +---------------------------+ Limiting +-----------------------+ |
|
||||
| | | Logic | | |
|
||||
| | +----------+ | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| v v |
|
||||
| |
|
||||
| +-----------+ +----------+ |
|
||||
| |HTTPS | +------------------> |Tendermint| |
|
||||
| |Termination| | 9986 |Service | 46656 |
|
||||
| | | | +-------+ | <----+ |
|
||||
| +-----+-----+ | | +----------+ | |
|
||||
| | | v v |
|
||||
| | | |
|
||||
| | | +----------+ +----------+ |
|
||||
| | | |NGINX | |Tendermint| |
|
||||
| | | |Deployment| |Stateful | |
|
||||
| | | |Pub-Key-Ex| |Set | |
|
||||
| v | +----------+ +----------+ |
|
||||
| +-----+-----+ | |
|
||||
| POST |Analyze | GET | |
|
||||
| |Request | | |
|
||||
| +-----------+ +--------+ | |
|
||||
| | +-----------+ | | |
|
||||
| | | | Bi-directional, communication between |
|
||||
| | | | BigchainDB(APP) and Tendermint |
|
||||
| | | | BFT consensus Engine |
|
||||
| | | | |
|
||||
| v v | |
|
||||
| | |
|
||||
| +-------------+ +--------------+ | +--------------+ |
|
||||
| | OpenResty | | BigchainDB | | | MongoDB | |
|
||||
| | Service | | Service | | | Service | |
|
||||
| | | +-----> | | | +-------> | | |
|
||||
| +------+------+ | +------+-------+ | | +------+-------+ |
|
||||
| | | | | | | |
|
||||
| v | v | | v |
|
||||
| | | | |
|
||||
| +------------+ | +------------+ | | +----------+ |
|
||||
| | | | | | <-------------+ | |MongoDB | |
|
||||
| | OpenResty | | | BigchainDB | | |Stateful | |
|
||||
| | Deployment | | | Deployment | | |Set | |
|
||||
| | | | | | | +-----+----+ |
|
||||
| | | | | +--------------------------+ | |
|
||||
| | | | | | | |
|
||||
| +-----+------+ | +------------+ | |
|
||||
| | | | |
|
||||
| v | | |
|
||||
| | | |
|
||||
| +-----------+ | | |
|
||||
| | Auth | | | |
|
||||
| | Logic +---------+ | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| +---+-------+ | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
+--------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| |
|
||||
| |
|
||||
v v
|
||||
| "443" +----------+ "46656/9986" |
|
||||
| | "Rate" | |
|
||||
| +---------------------------+"Limiting"+-----------------------+ |
|
||||
| | | "Logic" | | |
|
||||
| | +----+-----+ | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| | "27017" | | |
|
||||
| v | v |
|
||||
| +-------------+ | +------------+ |
|
||||
| |"HTTPS" | | +------------------> |"Tendermint"| |
|
||||
| |"Termination"| | | "9986" |"Service" | "46656" |
|
||||
| | | | | +-------+ | <----+ |
|
||||
| +-----+-------+ | | | +------------+ | |
|
||||
| | | | | | |
|
||||
| | | | v v |
|
||||
| | | | +------------+ +------------+ |
|
||||
| | | | |"NGINX" | |"Tendermint"| |
|
||||
| | | | |"Deployment"| |"Stateful" | |
|
||||
| | | | |"Pub-Key-Ex"| |"Set" | |
|
||||
| ^ | | +------------+ +------------+ |
|
||||
| +-----+-------+ | | |
|
||||
| "POST" |"Analyze" | "GET" | | |
|
||||
| |"Request" | | | |
|
||||
| +-----------+ +--------+ | | |
|
||||
| | +-------------+ | | | |
|
||||
| | | | | "Bi+directional, communication between" |
|
||||
| | | | | "BigchainDB(APP) and Tendermint" |
|
||||
| | | | | "BFT consensus Engine" |
|
||||
| | | | | |
|
||||
| v v | | |
|
||||
| | | |
|
||||
| +-------------+ +--------------+ +----+-------------------> +--------------+ |
|
||||
| | "OpenResty" | | "BigchainDB" | | | "MongoDB" | |
|
||||
| | "Service" | | "Service" | | | "Service" | |
|
||||
| | | +----->| | | +-------> | | |
|
||||
| +------+------+ | +------+-------+ | | +------+-------+ |
|
||||
| | | | | | | |
|
||||
| | | | | | | |
|
||||
| v | v | | v |
|
||||
| +-------------+ | +-------------+ | | +----------+ |
|
||||
| | | | | | <------------+ | |"MongoDB" | |
|
||||
| |"OpenResty" | | | "BigchainDB"| | |"Stateful"| |
|
||||
| |"Deployment" | | | "Deployment"| | |"Set" | |
|
||||
| | | | | | | +-----+----+ |
|
||||
| | | | | +---------------------------+ | |
|
||||
| | | | | | | |
|
||||
| +-----+-------+ | +-------------+ | |
|
||||
| | | | |
|
||||
| | | | |
|
||||
| v | | |
|
||||
| +-----------+ | v |
|
||||
| | "Auth" | | +------------+ |
|
||||
| | "Logic" |----------+ |"MongoDB" | |
|
||||
| | | |"Monitoring"| |
|
||||
| | | |"Agent" | |
|
||||
| +---+-------+ +-----+------+ |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
+---------------+---------------------------------------------------------------------------------------+------------------------------+
|
||||
| |
|
||||
| |
|
||||
| |
|
||||
v v
|
||||
+------------------------------------+ +------------------------------------+
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| "3Scale" | | "MongoDB Cloud" |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
+------------------------------------+ +------------------------------------+
|
||||
|
||||
+------------------------------------+ +------------------------------------+
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
| 3Scale | | MongoDB Cloud |
|
||||
| | | |
|
||||
| | | |
|
||||
| | | |
|
||||
+------------------------------------+ +------------------------------------+
|
||||
|
||||
|
||||
|
||||
|
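Review bot: `"Bi+directional, communication between"` will appear verbatim in the rendered image, plus sign and stray comma included; inside a quoted aafigure label a hyphen is plain text, so `"Bi-directional communication between"` is safe. Separately, this hunk draws a `"27017"` path from the NGINX rate-limiting logic down to the MongoDB Service, while the ports section updated in this same commit says every port other than 9984, 9985, 46656 and 9986 receives inbound traffic only in response to requests from inside the node; either the 27017 edge should go, or the ports doc should say that the MongoDB port is reachable through NGINX and what restricts it (the TLS client-certificate checklist elsewhere in these docs is the natural cross-reference).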
@ -184,8 +192,6 @@ MongoDB: Standalone
|
|||
-------------------
|
||||
|
||||
We use MongoDB as the backend database for BigchainDB.
|
||||
In a multi-node deployment, MongoDB members communicate with each other via the
|
||||
public port exposed by the NGINX Service.
|
||||
|
||||
We achieve security by avoiding DoS attacks at the NGINX proxy layer and by
|
||||
ensuring that MongoDB has TLS enabled for all its connections.
|
||||
|
|
|
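Review bot: the rendered diff does not show which two of these lines were removed; if it is the pair about members communicating via the public NGINX port, that matches the "Standalone" heading, but if it is the security sentence, the section then says nothing about how the 27017 path the new diagram draws through NGINX is protected. Either way, "avoiding DoS attacks at the NGINX proxy layer" is vague: name the mechanism (the rate-limiting logic shown in the diagram) and state that TLS is paired with client-certificate authentication, which the certificate checklist in this commit describes.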
@ -63,44 +63,44 @@ Lets assume we are deploying a 4 node cluster, your naming conventions could loo
|
|||
|
||||
.. code::
|
||||
|
||||
{
|
||||
{
|
||||
"MongoDB": [
|
||||
"mdb-instance-1",
|
||||
"mdb-instance-2",
|
||||
"mdb-instance-3",
|
||||
"mdb-instance-4"
|
||||
"mdb-instance-1",
|
||||
"mdb-instance-2",
|
||||
"mdb-instance-3",
|
||||
"mdb-instance-4"
|
||||
],
|
||||
"BigchainDB": [
|
||||
"bdb-instance-1",
|
||||
"bdb-instance-2",
|
||||
"bdb-instance-3",
|
||||
"bdb-instance-4"
|
||||
"bdb-instance-1",
|
||||
"bdb-instance-2",
|
||||
"bdb-instance-3",
|
||||
"bdb-instance-4"
|
||||
],
|
||||
"NGINX": [
|
||||
"ngx-instance-1",
|
||||
"ngx-instance-2",
|
||||
"ngx-instance-3",
|
||||
"ngx-instance-4"
|
||||
"ngx-instance-1",
|
||||
"ngx-instance-2",
|
||||
"ngx-instance-3",
|
||||
"ngx-instance-4"
|
||||
],
|
||||
"OpenResty": [
|
||||
"openresty-instance-1",
|
||||
"openresty-instance-2",
|
||||
"openresty-instance-3",
|
||||
"openresty-instance-4"
|
||||
"openresty-instance-1",
|
||||
"openresty-instance-2",
|
||||
"openresty-instance-3",
|
||||
"openresty-instance-4"
|
||||
],
|
||||
"MongoDB_Monitoring_Agent": [
|
||||
"mdb-mon-instance-1",
|
||||
"mdb-mon-instance-2",
|
||||
"mdb-mon-instance-3",
|
||||
"mdb-mon-instance-4"
|
||||
"mdb-mon-instance-1",
|
||||
"mdb-mon-instance-2",
|
||||
"mdb-mon-instance-3",
|
||||
"mdb-mon-instance-4"
|
||||
],
|
||||
"Tendermint": [
|
||||
"tendermint-instance-1",
|
||||
"tendermint-instance-2",
|
||||
"tendermint-instance-3",
|
||||
"tendermint-instance-4"
|
||||
"tendermint-instance-1",
|
||||
"tendermint-instance-2",
|
||||
"tendermint-instance-3",
|
||||
"tendermint-instance-4"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
.. note::
|
||||
|
||||
|
|
|
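Review bot: this hunk appears to be a whitespace-only re-indent of the naming-convention example (the rendered diff shows every line twice with identical content), and the same example is copied into the checklist page later in this commit under `.. code:: text` while this one uses a bare `.. code::`; the content parses as JSON, so tag both blocks `.. code:: json` so they are highlighted consistently and readers can tell the two copies are meant to be identical.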
@ -16,7 +16,7 @@ You can modify them to suit your needs.
|
|||
|
||||
We use SSL/TLS and self-signed certificates
|
||||
for MongoDB authentication (and message encryption).
|
||||
The certificates are signed by the organization managing the cluster.
|
||||
The certificates are signed by the organization managing the :ref:`bigchaindb-node`.
|
||||
If your organization already has a process
|
||||
for signing certificates
|
||||
(i.e. an internal self-signed certificate authority [CA]),
|
||||
|
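Review bot: the `:ref:` target `bigchaindb-node` resolves because this commit defines the label on the architecture page, but the wording changes the signer from "the organization managing the cluster" to the organization managing the node; in a multi-node deployment those can differ (each node operator may run their own CA), and the checklist page in this commit now tells the operator to "Use the self-signed CA" themselves, so say explicitly which CA signs the MongoDB certificates and whether a shared cluster CA is still expected.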
@ -41,6 +41,8 @@ and buy an SSL/TLS certificate for the FQDN.
|
|||
Things Each Node Operator Must Do
|
||||
---------------------------------
|
||||
|
||||
- [ ] Use a standard and unique naming convention for all instances.
|
||||
|
||||
#. Name of the MongoDB instance (``mdb-instance-*``)
|
||||
#. Name of the BigchainDB instance (``bdb-instance-*``)
|
||||
#. Name of the NGINX instance (``ngx-http-instance-*`` or ``ngx-https-instance-*``)
|
||||
|
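Review bot: `- [ ] Use a standard and unique naming convention for all instances.` uses a Markdown task-list marker, which reStructuredText renders as a bullet followed by a literal `[ ]`, whereas the other checklist items on this page use the `☐` glyph; use `☐` here for consistency. The `#.` list that follows also needs a blank line and indentation under that item if it is meant to render as a nested list.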
@ -48,21 +50,64 @@ Things Each Node Operator Must Do
|
|||
#. Name of the MongoDB monitoring agent instance (``mdb-mon-instance-*``)
|
||||
#. Name of the Tendermint instance (``tendermint-instance-*``)
|
||||
|
||||
Example
|
||||
^^^^^^^
|
||||
|
||||
☐ Generate two keys and corresponding certificate signing requests (CSRs):
|
||||
.. code:: text
|
||||
|
||||
{
|
||||
"MongoDB": [
|
||||
"mdb-instance-1",
|
||||
"mdb-instance-2",
|
||||
"mdb-instance-3",
|
||||
"mdb-instance-4"
|
||||
],
|
||||
"BigchainDB": [
|
||||
"bdb-instance-1",
|
||||
"bdb-instance-2",
|
||||
"bdb-instance-3",
|
||||
"bdb-instance-4"
|
||||
],
|
||||
"NGINX": [
|
||||
"ngx-instance-1",
|
||||
"ngx-instance-2",
|
||||
"ngx-instance-3",
|
||||
"ngx-instance-4"
|
||||
],
|
||||
"OpenResty": [
|
||||
"openresty-instance-1",
|
||||
"openresty-instance-2",
|
||||
"openresty-instance-3",
|
||||
"openresty-instance-4"
|
||||
],
|
||||
"MongoDB_Monitoring_Agent": [
|
||||
"mdb-mon-instance-1",
|
||||
"mdb-mon-instance-2",
|
||||
"mdb-mon-instance-3",
|
||||
"mdb-mon-instance-4"
|
||||
],
|
||||
"Tendermint": [
|
||||
"tendermint-instance-1",
|
||||
"tendermint-instance-2",
|
||||
"tendermint-instance-3",
|
||||
"tendermint-instance-4"
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
☐ Generate three keys and corresponding certificate signing requests (CSRs):
|
||||
|
||||
#. Server Certificate for the MongoDB instance
|
||||
#. Client Certificate for BigchainDB Server to identify itself to MongoDB
|
||||
#. Client Certificate for MongoDB Monitoring Agent to identify itself to MongoDB
|
||||
|
||||
Ask the managing organization to use its self-signed CA to sign those four CSRs.
|
||||
They should send you:
|
||||
Use the self-signed CA to sign those three CSRs:
|
||||
|
||||
* Two certificates (one for each CSR you sent them).
|
||||
* One ``ca.crt`` file: their CA certificate.
|
||||
* One ``crl.pem`` file: a certificate revocation list.
|
||||
* Three certificates (one for each CSR).
|
||||
|
||||
For help, see the pages:
|
||||
|
||||
* :doc:`How to Generate a Server Certificate for MongoDB <../production-deployment-template/server-tls-certificate>`
|
||||
* :doc:`How to Generate a Client Certificate for MongoDB <../production-deployment-template/client-tls-certificate>`
|
||||
|
||||
☐ Make up an FQDN for your BigchainDB node (e.g. ``mynode.mycorp.com``).
|
||||
|
|
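Review bot: the rewritten CSR step drops the `ca.crt` and `crl.pem` bullets, yet the operator still needs the CA certificate to configure MongoDB to trust the server and client certificates it is about to sign, and the CRL if revoked client certificates (for example a retired monitoring agent's) are to be rejected; keep both items, or say where these files come from now that the node operator signs the CSRs with "the self-signed CA" themselves. Minor: the old text said "two keys" but "four CSRs" and the new text consistently says three, which is right; the JSON example inserted in the middle of the checklist is tagged `.. code:: text` and would be better as `.. code:: json`.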