Management API #57

@MartinKolarik

We need a web interface for the probes, but I want to keep as much as possible outside of the FW. My idea is that the FW will expose a simple API that provides the data/performs the actions that our container can't do directly. The container would then interact with this API and make the data/commands further available to the web interface, which will be part of our dashboard.

The advantages of this approach are:

  • all GP management in one place, for all probes,
  • no need to locate the probe IP addresses,
  • all access authenticated without the need to manage separate passwords.

Note that if the probe fails so badly that it can't connect to the API, the web interface won't get new data. The ssh interface will thus remain as a fallback.

The proposed FW interface

  1. GET /containers

The raw output of docker ps --all --no-trunc --format json. This provides container status and versions, and by parsing it outside of the FW, we don't need updates here if we later want to use some more of the data.

  2. POST /containers/<name>/stop and POST /containers/<name>/start.

We should never stop our probe container, so this only applies to 3rd party containers. Should perform docker stop $(docker ps --all --latest --filter 'name=<name>' --quiet) and start similarly. The configuration must be persistent across HW restarts, but Docker's unless-stopped policy might be enough to achieve that.

  3. GET /containers/<name>/logs, with an optional since parameter.

The raw output of docker logs $(docker ps --all --latest --filter 'name=<name>' --quiet) --since <since>

  4. GET /settings/ and PUT /settings

Read and write FW settings. These should include:

  • sshLogsPassword - default empty - when set, the ssh service that allows reading logs will require this password,
  • webApiEnabled - default false - when false, the above API server should only listen to localhost connections (so it's only accessible from the container that runs there); when true, the API listens on all interfaces,
  • webApiPassword - default empty - when set, all non-localhost API requests (coming from places other than our probe container) must send this password in the Authorization header.

The settings must be persistent.

The probe side (implemented in the container)

  1. Container status changes can be checked periodically and reported to the API.
  2. Requests to stop/start containers can be sent from the GP API to the probe via the existing WS connection.
  3. Logs can be reported to the GP API and stored on the servers using a similar approach to the current probe logs.
  4. Settings updates can be sent from the GP API to the probes via the existing WS connection.
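
Added example (not part of the original issue or the project's code): one way the FW API could apply the webApiEnabled / webApiPassword rules and check `<name>` before it reaches the docker commands listed above. The function names, the probe container name, and the choice to compare the raw Authorization header value with the password are assumptions.

```javascript
// Hypothetical names throughout; the issue does not define an implementation.
const PROBE_CONTAINER = 'globalping-probe'; // assumed name of the probe's own container
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
// Docker's own rule for container names; anything else never reaches the CLI.
const NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]+$/;

// Compares every character, regardless of where the first mismatch is.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Interface to listen on, derived from webApiEnabled.
function bindAddress(settings) {
  return settings.webApiEnabled ? '0.0.0.0' : '127.0.0.1';
}

// Returns an HTTP status: 200 = proceed, 401/403 = reject.
function authorize(settings, remoteAddress, authorizationHeader) {
  if (LOOPBACK.has(remoteAddress)) return 200; // the probe container on localhost
  if (!settings.webApiEnabled) return 403;     // second check behind bindAddress()
  if (!settings.webApiPassword) return 200;    // as specified: empty password, no credential required
  return sameSecret(authorizationHeader || '', settings.webApiPassword) ? 200 : 401;
}

// Builds the argv for the `docker ps` lookup that resolves <name> to an ID.
// Pass the array to an exec call that takes argv (no shell), so <name> is never parsed as shell.
function resolveArgs(action, name) {
  if (!NAME_RE.test(name)) throw new Error('invalid container name');
  if (action !== 'logs' && name === PROBE_CONTAINER) throw new Error('probe container is protected');
  return ['ps', '--all', '--latest', '--filter', `name=${name}`, '--quiet'];
}
```

With webApiEnabled set to true and webApiPassword left at its empty default, `authorize` admits remote requests without a credential, which is what the settings as written imply.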
