Core API Guide
The Morio Core API is an OpenAPI v3.1 compliant API internal to Morio and — with the exception of a few endpoints — is not accessible to users.
If you are already familiar with the API and are merely looking for answers about which endpoint to use or what data to expect, please refer to /docs/reference/apis/core.
The most important thing to know about the Core API is that you can safely ignore it. It is internal to Morio, and users or even administrators of Morio should never have to use it.
This guide is intended for (aspiring) contributors, or anyone who would like to gain a deeper understanding of how Morio works under the hood.
Purpose of Morio’s Core API
Morio’s Core API (the API) provides functionality that spans various domains:
- Cluster: Accept Morio cluster invites from other nodes, and process the cluster heartbeat
- Cryptography: Generate X.509 certificates and encrypt or decrypt data on demand
- Docker: Getting information from the Docker daemon, restarting containers, and other Docker-related tasks
- Client Packages: Build client packages or provide their defaults
- Settings: Handle initial setup as well as updates to the Morio settings
- Status: Provide a consolidated status of all Morio services
Accessing the API
As this is an internal API, the only endpoints that are available from the network are
the /status endpoint and the /cluster/join and /cluster/heartbeat endpoints.
The API itself is available on all Morio nodes, and can be accessed under the
prefix /-/core/.
All documentation of API endpoints is relative to this prefix. So to access
the /status endpoint of this API on a Morio node, you should use:
https://[your-server-name]/-/core/status
If your server’s DNS name
is example.morio.it, you could run the following curl command to get the /status
endpoint:
curl https://example.morio.it/-/core/status
Or, if your system does not trust the Morio certificates:
curl --insecure https://example.morio.it/-/core/status
Authentication
As an internal API, the Core API does not use or support authentication. Most of its endpoints are not available on the network, but only internally.
Given that this API does not use authentication, it is worth going over the routes that are available on the network and explain why no authentication is used:
The /status endpoint
Just as in the Management API, this is a public and anonymous route, so no authentication is required.
/status endpoint of the Management APIThe Management API includes the core status in its own
/status endpoint. So you do not need to hit this endpoint: you can use the
regular API and check the core key for the core-specific status.
The /cluster/join endpoint
Perhaps counter-intuitively, this too is a public or anonymous route. However, it is only available while Morio is running in ephemeral mode. While being in ephemeral mode, Morio will eagerly await either its initial setup or a cluster join request.
In other words, once Morio has received its initial settings, this endpoint
will no longer be available and will instead return an error response of type
morio.core.ephemeral.required.
The /cluster/heartbeat endpoint
While this too is a public or anonymous route — by which we mean that no authentication headers are required — the cluster heartbeat payload will be cryptographically signed and verified on each end.
This is done by including a checksum that holds a SHA-256 hash of the combination of the payload data, the Morio Root Token, and the password of the internal secret key.
The checksum will be verified on both ends, thus guarding this endpoint against abuse.