feat: python script for starting the service

Makefile

@@ -1,7 +1,7 @@
 PANTOS_SERVICE_NODE_VERSION := $(shell poetry version -s)
 PANTOS_SERVICE_NODE_REVISION ?= 1
 PANTOS_SERVICE_NODE_SSH_HOST ?= bdev-service-node
-PYTHON_FILES_WITHOUT_TESTS := pantos/servicenode
+PYTHON_FILES_WITHOUT_TESTS := pantos/servicenode linux/pantos-service-node-server
 PYTHON_FILES := $(PYTHON_FILES_WITHOUT_TESTS) tests
 
 .PHONY: dist

linux/debian/postinst

@@ -95,7 +95,7 @@ else
 fi
 
 # Signer key
-if [ ! -e ${signer_key_file} ] || [ -z ${SIGNER_KEY_PASSWORD} ]; then
+if [ ! -e ${signer_key_file} ]; then
     # Check if ssh-keygen is installed
     if command -v ssh-keygen &>/dev/null; then
       echo "Signer key does not exist; generating a new one"

linux/pantos-service-node-server

@@ -1,42 +1,69 @@
-#! /bin/bash
-
-set -e
-
-application_directory='/opt/pantos/service-node'
-log_directory='/var/log/pantos'
-configuration_directory='/etc/pantos'
-configuration_file="${configuration_directory}/service-node-config.yml"
-ssl_certificate_file="${configuration_directory}/service-node-fullchain.pem"
-ssl_certificate_key_file="${configuration_directory}/service-node-privkey.pem"
-system_user='pantos'
-
-server_name=$(cat ${configuration_file} | grep 'url:' | head -1 | awk '{$1=$1;print}' | sed --expression 's/url:.*http.*\/\///;s/\/.*//')
-
-# check if apache2 is installed on systemctl
-if [ -n "$(systemctl list-units --type=service | grep apache2)" ]; then
-    # stop apache2
-    systemctl stop apache2
-else
-    echo "[pantos-service-node-server] apache2 is not installed, not stopping it"
-fi
-
-# extract server name and port
-server_name_and_port=$(cat ${configuration_file} | grep 'url:' | head -1 | awk '{$1=$1;print}' | sed 's/url:.*http.*\/\///;s/\/.*//')
-
-if [ -n "$( echo $server_name_and_port | sed -n '/:\d*/p')" ]; then
-    # if port is set, extract it
-    port=$(echo $server_name_and_port | sed 's/.*://')
-else
-    # otherwise use default port
-    port=443
-fi
-
-if [ ! command -v iptables-nft &> /dev/null ]; then
-    echo "[pantos-service-node-server] iptables-nft is not installed, not redirecting port"
-fi
-if (( $port < 1024 )) && command -v iptables-nft &> /dev/null; then
-    runuser -u ${system_user} -- bash -c "source ${application_directory}/virtual-environment/bin/activate; nohup mod_wsgi-express start-server --https-port 8443 --https-only --server-name ${server_name} --ssl-certificate-file ${ssl_certificate_file} --ssl-certificate-key-file ${ssl_certificate_key_file} ${application_directory}/wsgi.py >> ${log_directory}/service-node-mod_wsgi.log 2>&1 &"
-    iptables-nft -t nat -A PREROUTING -p tcp --dport $port -j REDIRECT --to-port 8443
-else
-    runuser -u ${system_user} -- bash -c "source ${application_directory}/virtual-environment/bin/activate; nohup mod_wsgi-express start-server --https-port ${port} --https-only --server-name ${server_name} --ssl-certificate-file ${ssl_certificate_file} --ssl-certificate-key-file ${ssl_certificate_key_file} ${application_directory}/wsgi.py >> ${log_directory}/service-node-mod_wsgi.log 2>&1 &"
-fi
+#!/usr/bin/env python3
+
+import re
+import subprocess
+import sys
+
+from pantos.servicenode.configuration import config
+from pantos.servicenode.configuration import load_config
+
+load_config()
+
+WSGI_FILE = '/opt/pantos/service-node/wsgi.py'
+MOD_WSGI_LOGS = '/var/log/pantos/service-node-mod_wsgi.log'
+NON_ROOT_DEFAULT_HTTPS_PORT = 8443
+NON_ROOT_DEFAULT_HTTP_PORT = 8080
+application_config = config['application']
+host = application_config['host']
+port = application_config['port']
+ssl_certificate = application_config.get('ssl_certificate')
+if ssl_certificate:
+    ssl_private_key = application_config['ssl_private_key']
+
+# apache2 should stop if already running
+completed_process = subprocess.run('systemctl list-units --type=service',
+                                   check=True, text=True, shell=True,
+                                   capture_output=True)  # nosec B602
+if 'apache2' in completed_process.stdout:
+    subprocess.run('systemctl stop apache2', check=True, text=True, shell=True,
+                   capture_output=True)  # nosec B602
+
+# the server should not run on a priviledged port (<1024)
+if port < 1024:
+    if ssl_certificate:
+        default_port = NON_ROOT_DEFAULT_HTTPS_PORT
+    else:
+        default_port = NON_ROOT_DEFAULT_HTTP_PORT
+    port_redirect_command = (
+        'iptables-nft -t nat -A PREROUTING -p tcp '
+        f'--dport {port} -j REDIRECT --to-port {default_port}')
+    port = default_port
+    try:
+        completed_process = subprocess.run(port_redirect_command, text=True,
+                                           shell=True, check=True,
+                                           capture_output=True)  # nosec B602
+    except subprocess.CalledProcessError as error:
+        if 'command not found' in error.stderr:
+            print(
+                'iptables-nft is not installed, unable to redirect the '
+                'port; please reinstall the package with the recommended '
+                'dependencies', file=sys.stderr)
+        else:
+            print('unable to redirect the port', file=sys.stderr)
+        sys.exit(1)
+
+# build the port command (along with the ssl certificate info if requested)
+if ssl_certificate:
+    server_name = re.sub(r'http.*?//|/.*', '', application_config['url'])
+    port_command = (
+        f'--https-port {port} --https-only --ssl-certificate-file '
+        f'{ssl_certificate} --ssl-certificate-key-file {ssl_private_key} '
+        f'--server-name {server_name}')
+else:
+    port_command = f'--port {port}'
+
+server_run_command = (
+    f'nohup mod_wsgi-express start-server --host {host} {port_command} '
+    f'{WSGI_FILE} >> {MOD_WSGI_LOGS} 2>&1 &')
+subprocess.run(server_run_command, check=True, text=True,
+               shell=True)  # nosec B602

linux/pantos-service-node-server.service

@@ -7,7 +7,7 @@ StartLimitIntervalSec=0
 Type=forking
 Restart=always
 RestartSec=1
-ExecStart=/usr/local/bin/pantos-service-node-server
+ExecStart=runuser -u pantos -- bash -c "source /opt/pantos/service-node/virtual-environment/bin/activate; ./usr/local/bin/pantos-service-node-server"
 
 [Install]
 WantedBy=multi-user.target

pantos/servicenode/__main__.py

@@ -5,14 +5,16 @@
 from pantos.servicenode.application import create_application
 from pantos.servicenode.configuration import config
 
-if __name__ == '__main__':
-    application = create_application()
-    host = config['application'].get('host')
-    port = config['application'].get('port')
-    ssl_certificate = config['application'].get('ssl_certificate')
-    ssl_private_key = config['application'].get('ssl_private_key')
-    ssl_context = (None if ssl_certificate is None or ssl_private_key is None
-                   else (ssl_certificate, ssl_private_key))
-    debug = config['application']['debug']
+if __name__ == '__main__':  # pragma: no cover
+    application = create_application()  # pragma: no cover
+    host = config['application']['host']  # pragma: no cover
+    port = config['application']['port']  # pragma: no cover
+    ssl_certificate = config['application'].get(
+        'ssl_certificate')  # pragma: no cover
+    ssl_private_key = config['application'].get(
+        'ssl_private_key')  # pragma: no cover
+    ssl_context = (None if ssl_certificate is None else
+                   (ssl_certificate, ssl_private_key))  # pragma: no cover
+    debug = config['application']['debug']  # pragma: no cover
     application.run(host=host, port=port, ssl_context=ssl_context, debug=debug,
-                    use_reloader=False)
+                    use_reloader=False)  # pragma: no cover

pantos/servicenode/configuration.py

@@ -162,17 +162,22 @@
             },
             'host': {
                 'type': 'string',
-                'empty': False
+                'empty': False,
+                'required': True
             },
             'port': {
-                'type': 'integer'
+                'type': 'integer',
+                'min': 0,
+                'required': True
             },
             'ssl_certificate': {
                 'type': 'string',
+                'dependencies': 'ssl_private_key',
                 'empty': False
             },
             'ssl_private_key': {
                 'type': 'string',
+                'dependencies': 'ssl_certificate',
                 'empty': False
             },
             'url': {