Conversation
There was a problem hiding this comment.
PR Summary
The pull request introduces SSL support for external indexing sockets, enhancing security for data transmission.
- CMakeLists.txt: Added OpenSSL checks and conditional compile-time macros for SSL support.
- ci/scripts/build-linux.sh: Updated to install
lantern-clifromvarik/external-indexing-server-sslbranch. - scripts/integration_tests.py: Added SSL setup for external indexing server tests.
- src/hnsw/build.c: Replaced
external_client_fdwithexternal_socketfor SSL support. - src/hnsw/external_index_socket.c: Added SSL initialization, read, send, and close functions.
- src/hnsw/external_index_socket_ssl.c: New file for SSL support functions.
- src/hnsw/options.c: Added
ldb_external_index_secureoption for enabling SSL connections.
11 file(s) reviewed, 34 comment(s)
Edit PR Review Bot Settings
| @@ -1,4 +1,5 @@ | |||
| cmake_minimum_required(VERSION 3.3) | |||
| include(CheckSymbolExists) | |||
There was a problem hiding this comment.
info: Added include(CheckSymbolExists) to enable checking for the existence of specific symbols, which is necessary for the OpenSSL integration.
CMakeLists.txt
Outdated
| check_symbol_exists(USE_OPENSSL ${PostgreSQL_INCLUDE_DIRS}/pg_config.h PG_USE_OPENSSL) | ||
|
|
||
| if(PG_USE_OPENSSL) | ||
| target_compile_definitions(lantern PRIVATE LANTERN_USE_OPENSSL) | ||
| endif() |
There was a problem hiding this comment.
info: Added checks for OpenSSL symbols and conditionally defined LANTERN_USE_OPENSSL if OpenSSL is available. This is essential for enabling SSL support in the external indexing socket.
ci/scripts/build-linux.sh
Outdated
| then | ||
| setup_rust | ||
| ORT_STRATEGY=system cargo install --git https://github.com/lanterndata/lantern_extras.git --branch main --debug --bin lantern-cli --root /tmp | ||
| ORT_STRATEGY=system cargo install --git https://github.com/lanterndata/lantern_extras.git --branch varik/external-indexing-server-ssl --debug --bin lantern-cli --root /tmp |
There was a problem hiding this comment.
info: Updated the branch for lantern-cli installation to varik/external-indexing-server-ssl.
scripts/integration_tests.py
Outdated
| @pytest.fixture | ||
| def external_index(request): | ||
| cli_path = os.getenv("LANTERN_CLI_PATH") | ||
| use_ssl = os.getenv("EXTERNAL_INDEX_SECURE") |
There was a problem hiding this comment.
info: Added support for SSL by checking the EXTERNAL_INDEX_SECURE environment variable.
| subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "365", "-newkey", "rsa:2048", "-keyout", "/tmp/key.pem", "-out", "/tmp/cert.pem", "-subj", "/C=US/ST=California/L=San Francisco/O=Lantern/CN=lantern.dev"]) | ||
| ssl_args = ["--cert", "/tmp/cert.pem", "--key", "/tmp/key.pem"] |
There was a problem hiding this comment.
info: Generates SSL certificates and keys if EXTERNAL_INDEX_SECURE is set.
| void close_ssl(external_index_socket_t *socket) | ||
| { | ||
| if(socket->ssl != NULL) { | ||
| SSL_free(socket->ssl); | ||
| socket->ssl = NULL; | ||
| } | ||
|
|
||
| if(socket->ssl_ctx != NULL) { | ||
| SSL_CTX_free(socket->ssl_ctx); | ||
| socket->ssl_ctx = NULL; | ||
| } | ||
|
|
||
| close(socket->fd); | ||
| } |
There was a problem hiding this comment.
info: Implemented close_ssl function to properly free SSL resources and close the socket.
| #ifndef LDB_EXTERNAL_IDX_SOCKET_SSL_H | ||
| #define LDB_EXTERNAL_IDX_SOCKET_SSL_H | ||
|
|
||
| #ifdef LANTERN_USE_OPENSSL | ||
| #include <openssl/err.h> | ||
| #include <openssl/ssl.h> | ||
| #else | ||
| #define SSL_CTX void | ||
| #define SSL void | ||
| #endif | ||
|
|
||
| #endif // LDB_EXTERNAL_IDX_SOCKET_SSL_H |
There was a problem hiding this comment.
info: Introduced conditional inclusion of OpenSSL headers for SSL support in external indexing sockets.
| int ldb_hnsw_ef_search; | ||
| int ldb_external_index_port; | ||
| char *ldb_external_index_host; | ||
| bool ldb_external_index_secure; |
There was a problem hiding this comment.
info: Added a new boolean variable ldb_external_index_secure to store the SSL configuration for external indexing.
| DefineCustomBoolVariable("lantern.external_index_secure", | ||
| "Use SSL connection when connecting to external index socket", | ||
| "Set this to 0 to disable secure connection", | ||
| &ldb_external_index_secure, | ||
| true, | ||
| PGC_USERSET, | ||
| 0, | ||
| NULL, | ||
| NULL, | ||
| NULL); |
There was a problem hiding this comment.
info: Defined a new custom boolean variable lantern.external_index_secure to enable or disable SSL connections for the external index socket.
| extern bool ldb_pgvector_compat; | ||
| extern int ldb_external_index_port; | ||
| extern char* ldb_external_index_host; | ||
| extern bool ldb_external_index_secure; |
There was a problem hiding this comment.
info: Added extern bool ldb_external_index_secure; to support SSL for external indexing.
481e62a to
bc57b42
Compare
Benchmarks
|
73907d3 to
7968f95
Compare
7968f95 to
a7c98f8
Compare
Codecov ReportAttention: Patch coverage is
📢 Thoughts on this report? Let us know! |
ci/scripts/build.sh
Outdated
| mkdir build | ||
| cd build | ||
|
|
||
| if [ -n "$DISABLE_SSL" ]; then |
There was a problem hiding this comment.
let's use DISABLE_SSL or USE_SSL, not both
scripts/integration_tests.py
Outdated
| @pytest.fixture | ||
| def external_index(request): | ||
| cli_path = os.getenv("LANTERN_CLI_PATH") | ||
| use_ssl = os.getenv("EXTERNAL_INDEX_SECURE") == "1" |
There was a problem hiding this comment.
Can this variable be called USE_SSL or whatever we decide is the uniform name of the variable?
src/hnsw/external_index_socket.c
Outdated
| while(total < len) { | ||
| n = socket_con->send(socket_con, buf + total, bytesleft, flags); | ||
| if(n == -1 || n == 0) { | ||
| return n; |
There was a problem hiding this comment.
why is this silently returning the number and not closing the socket and erroring out?
it seems we would want to error out from all the callsites anyway. If so, the API is consuming since the caller might not realize they have to check for these values and deal with closing/erroring out since otherwise the function is quite high level (it handles partial sends and retires)
src/hnsw/external_index_socket.c
Outdated
| } | ||
|
|
||
| uint32 buf_size = read(client_fd, &init_response, EXTERNAL_INDEX_INIT_BUFFER_SIZE); | ||
| uint32 buf_size = socket_con->read(socket_con, (char *)&init_response, EXTERNAL_INDEX_INIT_BUFFER_SIZE); |
There was a problem hiding this comment.
buf_size type must must int32 since it might report -1 an later error handling function below compares it against -1
be42e69 to
c5e52d6
Compare
…overage info at the end of all tests
c5e52d6 to
d84c174
Compare
No description provided.