diff --git a/.DEBIAN/conffiles b/.DEBIAN/conffiles index 008d731..cd8fdd7 100644 --- a/.DEBIAN/conffiles +++ b/.DEBIAN/conffiles @@ -1 +1,2 @@ /etc/fastapi-dls/env +/etc/systemd/system/fastapi-dls.service diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fd1817c..cb1cdea 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -50,7 +50,7 @@ build:apt: - cp .DEBIAN/env.default build/etc/fastapi-dls/env # create service file - mkdir -p build/etc/systemd/system - - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system + - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system/fastapi-dls.service # cd into "build/" - cd build/ script: @@ -280,7 +280,7 @@ release:prepare: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH script: - source version.env - - echo &VERSION + - echo $VERSION artifacts: reports: dotenv: version.env diff --git a/README.md b/README.md index e97b8df..c07deb3 100644 --- a/README.md +++ b/README.md @@ -9,68 +9,6 @@ Only the clients need a connection to this service on configured port. [[_TOC_]] -## ToDo's - -- check why windows guests display "can't acquire license" although in log there is no message displayed and license is - also acquired successfully - -## Endpoints - -### `GET /` - -Redirect to `/-/readme`. - -### `GET /-/health` - -Status endpoint, used for *healthcheck*. - -### `GET /-/config` - -Shows current runtime environment variables and their values. - -### `GET /-/readme` - -HTML rendered README.md. - -### `GET /-/docs`, `GET /-/redoc` - -OpenAPI specifications rendered from `GET /-/openapi.json`. - -### `GET /-/manage` - -Shows a very basic UI to delete origins or leases. - -### `GET /-/origins?leases=false` - -List registered origins. - -| Query Parameter | Default | Usage | -|-----------------|---------|--------------------------------------| -| `leases` | `false` | Include referenced leases per origin | - -### `DELETE /-/origins` - -Deletes all origins and their leases. - -### `GET /-/leases?origin=false` - -List current leases. - -| Query Parameter | Default | Usage | -|-----------------|---------|-------------------------------------| -| `origin` | `false` | Include referenced origin per lease | - -### `DELETE /-/lease/{lease_ref}` - -Deletes an lease. - -### `GET /-/client-token` - -Generate client token, (see [installation](#installation)). - -### Others - -There are some more internal api endpoints for handling authentication and lease process. # Setup (Service) @@ -96,6 +34,8 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webse **Start container** +To test if everything is set up properly you can start container as following: + ```shell docker volume create dls-db docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert -v dls-db:/app/database collinwebdesigns/fastapi-dls:latest @@ -103,7 +43,7 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/ **Docker-Compose / Deploy stack** -Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example. +Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example (with reverse proxy usage). ```yaml version: '3.9' @@ -298,8 +238,8 @@ After first success you have to replace `--issue` with `--renew`. | `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid | | `INSTANCE_REF` | `10000000-0000-0000-0000-000000000001` | Instance identification uuid | | `ALLOTMENT_REF` | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid | -| `INSTANCE_KEY_RSA` | `/cert/instance.private.pem` | Site-wide private RSA key for singing JWTs | -| `INSTANCE_KEY_PUB` | `/cert/instance.public.pem` | Site-wide public key | +| `INSTANCE_KEY_RSA` | `/cert/instance.private.pem` | Site-wide private RSA key for singing JWTs \*3 | +| `INSTANCE_KEY_PUB` | `/cert/instance.public.pem` | Site-wide public key \*3 | \*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the @@ -307,6 +247,8 @@ client has 19.2 hours in which to re-establish connectivity before its license e \*2 Always use `https`, since guest-drivers only support secure connections! +\*3 If you recreate instance keys you need to **recreate client-token for each guest**! + # Setup (Client) **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.** @@ -338,8 +280,68 @@ Restart-Service NVDisplay.ContainerLocalSystem 'C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe' -q | Select-String "License" ``` +## Endpoints + +### `GET /` + +Redirect to `/-/readme`. + +### `GET /-/health` + +Status endpoint, used for *healthcheck*. + +### `GET /-/config` + +Shows current runtime environment variables and their values. + +### `GET /-/readme` + +HTML rendered README.md. + +### `GET /-/docs`, `GET /-/redoc` + +OpenAPI specifications rendered from `GET /-/openapi.json`. + +### `GET /-/manage` + +Shows a very basic UI to delete origins or leases. + +### `GET /-/origins?leases=false` + +List registered origins. + +| Query Parameter | Default | Usage | +|-----------------|---------|--------------------------------------| +| `leases` | `false` | Include referenced leases per origin | + +### `DELETE /-/origins` + +Deletes all origins and their leases. + +### `GET /-/leases?origin=false` + +List current leases. + +| Query Parameter | Default | Usage | +|-----------------|---------|-------------------------------------| +| `origin` | `false` | Include referenced origin per lease | + +### `DELETE /-/lease/{lease_ref}` + +Deletes an lease. + +### `GET /-/client-token` + +Generate client token, (see [installation](#installation)). + +### Others + +There are many other internal api endpoints for handling authentication and lease process. + # Troubleshoot +**Please make sure that fastapi-dls and your guests are on the same timezone!** + ## Linux Logs are available with `journalctl -u nvidia-gridd -f`. @@ -358,6 +360,9 @@ This message can be ignored. - Ref. https://github.com/encode/uvicorn/issues/441 +
+ Log example + ``` WARNING:uvicorn.error:Invalid HTTP request received. Traceback (most recent call last): @@ -376,6 +381,8 @@ Traceback (most recent call last): h11._util.RemoteProtocolError: no request line received ``` +
+ ## Windows ### Required cipher on Windows Guests (e.g. managed by domain controller with GPO) @@ -443,14 +450,13 @@ Dec 20 17:53:34 ubuntu-grid-server nvidia-gridd[10354]: License acquired success -### Error on releasing leases on shutdown (fixed in 1.3 by using reverse proxy) +### Error on releasing leases on shutdown (can be ignored and/or fixed with reverse proxy) -**UPDATE for version `1.3`**: This issue can be fixed by using a reverse proxy (e.g. `nginx`). Please read section -below. +The driver wants to release current leases on shutting down windows. This endpoint needs to be a http endpoint. +The error message can safely be ignored (since we have no license limitation :P) and looks like this: -The driver wants to release current leases on shutting down windows. This endpoint needs to be a http endpoint and -is currently not implemented. The error message looks like and safely can be ignored (since we have no license -limitation :P): +
+ Log example ``` <1>:NLS initialized @@ -459,7 +465,7 @@ limitation :P): <0>:End Logging ``` -#### log with 1.3 and nginx as reverse proxy +#### log with nginx as reverse proxy (see [docker-compose.yml](docker-compose.yml)) ``` <1>:NLS initialized @@ -474,6 +480,8 @@ limitation :P): <0>:End Logging ``` +
+ # Credits Thanks to vGPU community and all who uses this project and report bugs. diff --git a/docker-compose.yml b/docker-compose.yml index 2ebd525..b52a58a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,13 +2,28 @@ version: '3.9' x-dls-variables: &dls-variables DLS_URL: localhost # REQUIRED, change to your ip or hostname - DLS_PORT: 443 # must match nginx listen port + DLS_PORT: 443 # must match nginx listen & exposed port LEASE_EXPIRE_DAYS: 90 DATABASE: sqlite:////app/database/db.sqlite DEBUG: false services: - web: + dls: + image: collinwebdesigns/fastapi-dls:latest + restart: always + environment: + <<: *dls-variables + volumes: + - /opt/docker/fastapi-dls/cert:/app/cert # instance.private.pem, instance.public.pem + - db:/app/database + entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"] + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 30s + proxy: image: nginx ports: # thees are ports where nginx (!) is listen to @@ -17,14 +32,14 @@ services: volumes: - /opt/docker/fastapi-dls/cert:/opt/cert healthcheck: - test: [ "CMD", "curl", "--insecure", "--fail", "https://localhost/-/health" ] + test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"] interval: 10s timeout: 5s retries: 3 start_period: 30s command: | - bash -c 'bash -s <<"EOF" - cat > /etc/nginx/nginx.conf <<"EON" + bash -c "bash -s <<\"EOF\" + cat > /etc/nginx/nginx.conf <<\"EON\" daemon off; user root; worker_processes auto; @@ -39,7 +54,7 @@ services: include /etc/nginx/mime.types; upstream dls-backend { - server dls:443; + server dls:8000; # must match dls listen port } server { @@ -60,18 +75,17 @@ services: ssl_prefer_server_ciphers on; location / { - proxy_ssl_verify off; proxy_set_header Host $$http_host; proxy_set_header X-Real-IP $$remote_addr; proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $$scheme; - proxy_pass https://dls-backend$$request_uri; + proxy_pass http://dls-backend$$request_uri; } location = /-/health { access_log off; add_header 'Content-Type' 'application/json'; - return 200; # '{\"status\":\"up\",\"service\":\"nginx\"}'; + return 200 '{\"status\":\"up\",\"service\":\"nginx\"}'; } } @@ -84,12 +98,11 @@ services: server_name _; location /leasing/v1/lessor/shutdown { - proxy_ssl_verify off; proxy_set_header Host $$http_host; proxy_set_header X-Real-IP $$remote_addr; proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $$scheme; - proxy_pass https://dls-backend/leasing/v1/lessor/shutdown; + proxy_pass http://dls-backend/leasing/v1/lessor/shutdown; } location / { @@ -99,16 +112,7 @@ services: } EON nginx - EOF' - - dls: - image: collinwebdesigns/fastapi-dls:latest - restart: always - environment: - <<: *dls-variables - volumes: - - /opt/docker/fastapi-dls/cert:/app/cert - - db:/app/database + EOF" volumes: db: diff --git a/requirements.txt b/requirements.txt index 56a6d8e..b7f24ed 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,7 @@ uvicorn[standard]==0.20.0 python-jose==3.3.0 pycryptodome==3.16.0 python-dateutil==2.8.2 -sqlalchemy==1.4.45 +sqlalchemy==1.4.46 markdown==3.4.1 python-dotenv==0.21.0 jinja2==3.1.2