From 15c49d396ffbbbd07711acb694aef4c9700f9a82 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Tue, 27 Dec 2022 20:35:04 +0100 Subject: [PATCH 01/11] README.md - added required cipher suite for windows guests --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 6b014e5..679e026 100644 --- a/README.md +++ b/README.md @@ -245,6 +245,12 @@ Currently, there are no known issues. ## Windows +### Required cipher on Windows Guests (e.g. managed by domain controller with GPO) + +It is required to enable `SHA1` (`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521`) in [windows cipher suite](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls). + +### Multiple Display Container LS Instances + On Windows on some machines there are running two or more instances of `NVIDIA Display Container LS`. This causes a problem on licensing flow. As you can see in the logs below, there are two lines with `NLS initialized`, each prefixed with `<1>` and `<2>`. So it is possible, that *daemon 1* fetches a valid license through dls-service, and *daemon 2* From c820dac4ec78dfbb330acf42ae92a2f53de03bc6 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 06:49:18 +0100 Subject: [PATCH 02/11] README.md - improvements & fixed manual install steps --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 679e026..133408e 100644 --- a/README.md +++ b/README.md 
@@ -49,7 +49,7 @@ There are some more internal api endpoints for handling authentication and lease Docker-Images are available here: - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest` -- GitLab-Registry: `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest` +- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest` **Run this on the Docker-Host** @@ -98,7 +98,7 @@ volumes: dls-db: ``` -## Debian +## Debian/Ubuntu (using `git clone`) Tested on `Debian 11 (bullseye)`, Ubuntu may also work. @@ -148,7 +148,7 @@ su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fast **Create config file** ```shell -cat < /etc/fastapi-dls.env +cat < /etc/fastapi-dls/env DLS_URL=127.0.0.1 DLS_PORT=443 LEASE_EXPIRE_DAYS=90 @@ -160,7 +160,7 @@ EOF **Create service** ```shell -cat </etc/systemd/system/fastapi-dls.service +cat < /etc/systemd/system/fastapi-dls.service [Unit] Description=Service for fastapi-dls After=network.target @@ -204,7 +204,7 @@ with `systemctl start fastapi-dls.service` (and enable autostart with `systemctl | `DATABASE` | `sqlite:///db.sqlite` | See [official dataset docs](https://dataset.readthedocs.io/en/latest/quickstart.html) | | `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) | -# Installation (Client) +# Setup (Client) **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.** From 46620c5e2ad72abdf1ebf78647feee0d5c5c4cb9 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 06:50:04 +0100 Subject: [PATCH 03/11] typos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 133408e..d5da347 100644 --- a/README.md +++ b/README.md 
@@ -98,7 +98,7 @@ volumes: dls-db: ``` -## Debian/Ubuntu (using `git clone`) +## Debian/Ubuntu (manual method using `git clone`) Tested on `Debian 11 (bullseye)`, Ubuntu may also work. From 3b75e8dbeb4ac8c561ab821c2ea79fb2d86d2304 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 06:54:25 +0100 Subject: [PATCH 04/11] fixes --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index d5da347..cd12308 100644 --- a/README.md +++ b/README.md @@ -170,13 +170,13 @@ User=www-data Group=www-data AmbientCapabilities=CAP_NET_BIND_SERVICE WorkingDirectory=/opt/fastapi-dls/app -EnvironmentFile=/etc/fastapi-dls.env -ExecStart=/opt/fastapi-dls/venv/bin/uvicorn main:app \ - --env-file /etc/fastapi-dls.env \ - --host \$DLS_URL --port \$DLS_PORT \ - --app-dir /opt/fastapi-dls/app \ - --ssl-keyfile /opt/fastapi-dls/app/cert/webserver.key \ - --ssl-certfile /opt/fastapi-dls/app/cert/webserver.crt \ +EnvironmentFile=/etc/fastapi-dls/env +ExecStart=/opt/fastapi-dls/venv/bin/uvicorn main:app \\ + --env-file /etc/fastapi-dls/env \\ + --host \$DLS_URL --port \$DLS_PORT \\ + --app-dir /opt/fastapi-dls/app \\ + --ssl-keyfile /opt/fastapi-dls/app/cert/webserver.key \\ + --ssl-certfile /opt/fastapi-dls/app/cert/webserver.crt \\ --proxy-headers Restart=always KillSignal=SIGQUIT From 84f7e99c786ad03846383c989027a67f369eabbb Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 06:58:26 +0100 Subject: [PATCH 05/11] README.md - adde toc --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index cd12308..4b4af72 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,8 @@ Minimal Delegated License Service (DLS). This service can be used without internet connection. Only the clients need a connection to this service on configured port. +[[_TOC_]] + ## ToDo#'s - provide `.deb` package (WIP) From 65937b153e07fc3fc8826d3f556f4cff8c85616f Mon Sep 17 00:00:00 2001 
From: Oscar Krause Date: Wed, 28 Dec 2022 06:58:50 +0100 Subject: [PATCH 06/11] typos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b4af72..7818c7f 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Only the clients need a connection to this service on configured port. [[_TOC_]] -## ToDo#'s +## ToDo's - provide `.deb` package (WIP) - migrate from `dataset` to `sqlalchemy` (WIP) From 9744a8f0e853998bff01c12709f21586f245ae2a Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 07:04:10 +0100 Subject: [PATCH 07/11] code styling --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7818c7f..fc785e4 100644 --- a/README.md +++ b/README.md @@ -150,7 +150,7 @@ su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fast **Create config file** ```shell -cat < /etc/fastapi-dls/env +cat </etc/fastapi-dls/env DLS_URL=127.0.0.1 DLS_PORT=443 LEASE_EXPIRE_DAYS=90 @@ -162,7 +162,7 @@ EOF **Create service** ```shell -cat < /etc/systemd/system/fastapi-dls.service +cat </etc/systemd/system/fastapi-dls.service [Unit] Description=Service for fastapi-dls After=network.target From 180cdcb43de8a62dee8c9bd444150a6b9a1dd7f7 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 07:29:38 +0100 Subject: [PATCH 08/11] added some variables --- README.md | 20 ++++++++++++-------- app/main.py | 4 ++-- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index fc785e4..9247071 100644 --- a/README.md +++ b/README.md 
@@ -197,14 +197,18 @@ with `systemctl start fastapi-dls.service` (and enable autostart with `systemctl # Configuration -| Variable | Default | Usage | -|---------------------|-----------------------|---------------------------------------------------------------------------------------| -| `DEBUG` | `false` | Toggles `fastapi` debug mode | -| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable | -| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable | -| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days | -| `DATABASE` | `sqlite:///db.sqlite` | See [official dataset docs](https://dataset.readthedocs.io/en/latest/quickstart.html) | -| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) | +| Variable | Default | Usage | +|---------------------|----------------------------------------|---------------------------------------------------------------------------------------| +| `DEBUG` | `false` | Toggles `fastapi` debug mode | +| `DLS_URL` | `localhost` | Used in client-token to tell guest driver where dls instance is reachable | +| `DLS_PORT` | `443` | Used in client-token to tell guest driver where dls instance is reachable | +| `LEASE_EXPIRE_DAYS` | `90` | Lease time in days | +| `DATABASE` | `sqlite:///db.sqlite` | See [official dataset docs](https://dataset.readthedocs.io/en/latest/quickstart.html) | +| `CORS_ORIGINS` | `https://{DLS_URL}` | Sets `Access-Control-Allow-Origin` header (comma separated string) | +| `SITE_KEY_XID` | `00000000-0000-0000-0000-000000000000` | Site identification uuid | +| `INSTANCE_REF` | `00000000-0000-0000-0000-000000000000` | Instance identification uuid | +| `INSTANCE_KEY_RSA` | `/cert/instance.private.pem` | Site-wide private RSA key for singing JWTs | +| `INSTANCE_KEY_PUB` | `/cert/instance.public.pem` | Site-wide public key | # Setup (Client) 
diff --git a/app/main.py b/app/main.py index 93a2b0b..1ac62e6 100644 --- a/app/main.py +++ b/app/main.py @@ -54,8 +54,8 @@ DLS_URL = str(getenv('DLS_URL', 'localhost')) DLS_PORT = int(getenv('DLS_PORT', '443')) SITE_KEY_XID = str(getenv('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000')) INSTANCE_REF = str(getenv('INSTANCE_REF', '00000000-0000-0000-0000-000000000000')) -INSTANCE_KEY_RSA = load_key(join(dirname(__file__), 'cert/instance.private.pem')) -INSTANCE_KEY_PUB = load_key(join(dirname(__file__), 'cert/instance.public.pem')) +INSTANCE_KEY_RSA = load_key(str(getenv('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem')))) +INSTANCE_KEY_PUB = load_key(str(getenv('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem')))) CORS_ORIGINS = getenv('CORS_ORIGINS').split(',') if (getenv('CORS_ORIGINS')) else f'https://{DLS_URL}' # todo: prevent static https From a95126f51da4e9d457da75ba6ae7369044e35ea9 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 07:29:42 +0100 Subject: [PATCH 09/11] typos --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9247071..10482b1 100644 --- a/README.md +++ b/README.md @@ -253,7 +253,8 @@ Currently, there are no known issues. ### Required cipher on Windows Guests (e.g. managed by domain controller with GPO) -It is required to enable `SHA1` (`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521`) in [windows cipher suite](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls). +It is required to enable `SHA1` (`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521`) +in [windows cipher suite](https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls). ### Multiple Display Container LS Instances From 050d10565991b43c9829c79930e9195ddc1d2191 Mon Sep 17 00:00:00 2001 
From: Oscar Krause Date: Wed, 28 Dec 2022 08:37:34 +0100 Subject: [PATCH 10/11] README.md - added Let's Encrypt section --- README.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 10482b1..ed407a8 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Only the clients need a connection to this service on configured port. - provide `.deb` package (WIP) - migrate from `dataset` to `sqlalchemy` (WIP) - migrate from `fastapi` to `flask` -- Support http mode for using external https proxy +- Support http mode for using external https proxy (disable uvicorn ssl for using behind proxy) ## Endpoints @@ -193,7 +193,23 @@ EOF ``` Now you have to run `systemctl daemon-reload`. After that you can start service -with `systemctl start fastapi-dls.service` (and enable autostart with `systemctl enable fastapi-dls.service`). +with `systemctl start fastapi-dls.service`. + +## Let's Encrypt Certificate + +If you're using installation via docker, you can use `traefik`. Please refer to their documentation. + +Note that port 80 must be accessible, and you have to install `socat` if you're using `standalone` mode. + +```shell +acme.sh --issue -d example.com \ + --cert-file /etc/fastapi-dls/webserver.donotuse.crt \ + --key-file /etc/fastapi-dls/webserver.key \ + --fullchain-file /etc/fastapi-dls/webserver.crt \ + --reloadcmd "systemctl restart fastapi-dls.service" +``` + +After first success you have to replace `--issue` with `--renew`. # Configuration From e9dc5a765a48d23e3e01438f5f69d5fe20d2bbd8 Mon Sep 17 00:00:00 2001 From: Oscar Krause Date: Wed, 28 Dec 2022 08:52:13 +0100 Subject: [PATCH 11/11] fixed service Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index ed407a8..120feed 100644 --- a/README.md +++ b/README.md 
@@ -183,7 +183,6 @@ ExecStart=/opt/fastapi-dls/venv/bin/uvicorn main:app \\ Restart=always KillSignal=SIGQUIT Type=simple -StandardError=syslog NotifyAccess=all [Install]
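Review bot: The new "Required cipher on Windows Guests" section (PATCH 01, re-wrapped in PATCH 09) tells administrators to enable `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521` but gives neither the reason nor the cost. A cipher-suite order pushed by GPO applies to every SChannel client and server on that host, so this re-enables a CBC/HMAC-SHA1 suite system-wide, not only for the connection to the DLS. State why the guest needs it (which component fails to negotiate anything else), advise appending the suite to the existing order rather than replacing the list, and reword "enable `SHA1`": the SHA1 here is the HMAC inside that suite, not a certificate signature hash, and readers may otherwise start toggling the wrong policy.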
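Review bot: In the "Create config file" hunk (PATCH 02) the target moves from `/etc/fastapi-dls.env` to `/etc/fastapi-dls/env`, but no step in the manual install creates the `/etc/fastapi-dls/` directory, so the redirection fails on a fresh host with "No such file or directory". Add a `mkdir -p /etc/fastapi-dls` line before the `cat`, and since PATCH 10 later drops a private key into the same directory, say in the same place who should own it and that it must not be world-readable.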
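Review bot: The ExecStart hunk (PATCH 04) is right to switch to `\\`: with an unquoted heredoc delimiter a single `\` at end of line is a line continuation and never reaches the unit file, so the earlier version produced a one-line, broken `ExecStart=`. The hunk still uses one variable for two different things, though: `--host \$DLS_URL` binds uvicorn to `DLS_URL`, while the Configuration table describes `DLS_URL` as the address written into the client token so the guest driver knows where the service is reachable. With the example `DLS_URL=127.0.0.1` the token points guests at loopback; with a public DNS name uvicorn tries to bind that name, which only works if it resolves to a local interface. Suggest a separate bind setting (for example `--host 0.0.0.0` or a `DLS_BIND` variable) and keep `DLS_URL` for the token only. `--env-file /etc/fastapi-dls/env` is also redundant with `EnvironmentFile=` two lines above; one of them can go.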
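Review bot: `[[_TOC_]]` (PATCH 05) is GitLab-flavoured markdown; on Docker Hub, where the same README is published according to the Docker-Images hunk in PATCH 02, it renders as literal text. Either accept that or replace it with a hand-written list of links to the top-level headings.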
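Review bot: The README defaults in the Configuration table (PATCH 08) do not match the code in the same patch: the table documents `INSTANCE_KEY_RSA` / `INSTANCE_KEY_PUB` as `/cert/instance.private.pem` and `/cert/instance.public.pem`, but `app/main.py` falls back to `join(dirname(__file__), 'cert/instance.private.pem')`, i.e. `app/cert/...` relative to the application directory, not an absolute `/cert/` path. Document the real default or make the code use the documented one. Typo in the same row: "singing JWTs" should be "signing JWTs". In the unchanged context line `CORS_ORIGINS = getenv('CORS_ORIGINS').split(',') if (getenv('CORS_ORIGINS')) else f'https://{DLS_URL}'` the configured form is a list while the fallback is a bare string; wrap the fallback as `[f'https://{DLS_URL}']` so both branches have the same type before it is handed to the CORS middleware.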
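Review bot: The Let's Encrypt hunk (PATCH 10) installs the key and chain to `/etc/fastapi-dls/webserver.key` and `/etc/fastapi-dls/webserver.crt`, but the unit file from PATCH 04 still starts uvicorn with `--ssl-keyfile /opt/fastapi-dls/app/cert/webserver.key` and `--ssl-certfile /opt/fastapi-dls/app/cert/webserver.crt`, so the `--reloadcmd "systemctl restart fastapi-dls.service"` restarts the service with the old self-managed certificate. Either point `--key-file`/`--fullchain-file` at the `/opt/fastapi-dls/app/cert/` paths or tell the reader to change the two `--ssl-*` flags. The command also names no validation method although the prose talks about `standalone` mode and port 80; add `--standalone` (or `--webroot <dir>`). Because acme.sh runs as root and the service runs as `www-data`, say which ownership and mode the installed key needs (readable by `www-data`, not world-readable). The same hunk silently removes "(and enable autostart with `systemctl enable fastapi-dls.service`)"; without that step the service does not come back after a reboot, so keep the hint. Finally, "replace `--issue` with `--renew`" is only a fallback: acme.sh normally installs a cron job that renews on its own.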