From fc41d57107312dd832815f85b76f3b5f286596ae Mon Sep 17 00:00:00 2001
From: maany
Date: Tue, 23 Jan 2024 17:11:50 +0100
Subject: [PATCH 1/4] webui entrypoint - enable patching - generate environment from env variables
---
 webui/Dockerfile | 4 ++--
 webui/docker-entrypoint.sh | 38 ++++++++++++++++++++++++++------------
 2 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/webui/Dockerfile b/webui/Dockerfile
index 09e8552..d4142c5 100644
--- a/webui/Dockerfile
+++ b/webui/Dockerfile
@@ -27,10 +27,10 @@ RUN python3 -m pip install --no-cache-dir j2cli
 WORKDIR /opt/rucio/webui
-ENV RUCIO_WEBUI_PATH=$(WORKDIR)
+ENV RUCIO_WEBUI_PATH=/opt/rucio/webui
 RUN curl https://raw.githubusercontent.com/rucio/rucio/master/tools/merge_rucio_configs.py --output /opt/rucio/merge_rucio_configs.py
-RUN git clone --depth 1 -b ${TAG} -- https://github.com/rucio/webui.git /opt/rucio/webui
+RUN git clone --depth 1 -b ${TAG} -- https://github.com/rucio/webui.git ${RUCIO_WEBUI_PATH}
 RUN npm install
 RUN npm run build
diff --git a/webui/docker-entrypoint.sh b/webui/docker-entrypoint.sh
index 87816b6..2b65a1f 100755
--- a/webui/docker-entrypoint.sh
+++ b/webui/docker-entrypoint.sh
@@ -1,24 +1,36 @@
 #!/bin/bash -e
+log() {
+ echo "$(date -u) [rucio-webui] - $@"
+}
+
+generate_env_file() {
+ cd tools/env-generator && \
+
+ npm install liquidjs && \
+ npm run build && \
+ chmod +x ./dist/generate-env.js && \
+ ./dist/generate-env.js make prod ../../.env --write
+
+ echo "Return code: $?"
+ cd ../..
+}
+
+echo "=================== /opt/rucio/webui/.env ==================="
 if [ -f /opt/rucio/webui/.env ]; then
- echo "/opt/rucio/webui/.env already mounted."
+ log "/opt/rucio/webui/.env already mounted."
 else
- echo "/opt/rucio/webui/.env not found. will generate one."
- j2 /tmp/.env.default.j2 | sed '/^\s*$/d' > /opt/rucio/webui/.env
+ log "/opt/rucio/webui/.env not found. Will generate one now."
+ generate_env_file
 fi
-
-echo "=================== /opt/rucio/webui/.env ========================"
 cat /opt/rucio/webui/.env
 echo ""
 if [ -d "/patch" ]
 then
- echo "Patches found. Trying to apply them"
-
- TMP_PATCH_DIR="$(mktemp -d)"
- trap 'rm -rf -- "$TMP_PATCH_DIR"' EXIT # Deletes temp dir when script exits
-
- for patchfile in /patch/*.patch
+ echo "=================== Apply Patches ==================="
+ log "Patches found. Trying to apply them"
+ for patchfile in /patch/*
 do
 echo "Applying patch ${patchfile}"
@@ -50,7 +62,9 @@ then
 fi
 fi
 done
+ log "Rebuilding the Rucio WebUI after applying patches!"
+ npm run build
 fi
-echo "=================== Starting RUCIO WEBUI ========================"
+echo "=================== Starting RUCIO WEBUI ==================="
 npm run start
\ No newline at end of file
From d5033c7df164141bfa620ba389520e01dc68230b Mon Sep 17 00:00:00 2001
From: maany
Date: Thu, 22 Feb 2024 12:51:09 +0100
Subject: [PATCH 2/4] webui: update nodejs version
---
 webui/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/webui/Dockerfile b/webui/Dockerfile
index d4142c5..84d9026 100644
--- a/webui/Dockerfile
+++ b/webui/Dockerfile
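Review bot: `generate_env_file` runs `npm install liquidjs` on every container start, fetching an unpinned package from the registry at runtime, so the image is neither reproducible nor startable without network access and the dependency set can change between restarts; build the env-generator in the Dockerfile instead (`RUN cd tools/env-generator && npm install liquidjs@<pinned-version> && npm run build`, placeholder version) and keep only the `./dist/generate-env.js make prod ../../.env --write` call here. The generated `.env` is then dumped with `cat /opt/rucio/webui/.env` a few lines below; patch 3 of this series documents `RUCIO_WEBUI_OIDC_PROVIDER_CERN_CLIENT_SECRET` as one of the inputs, so any configured client secret ends up in the container log — drop the `cat` or redact it, e.g. `grep -viE 'secret|password' /opt/rucio/webui/.env`. Minor: in `log()`, `$@` inside a double-quoted string should be `$*` (`echo "$(date -u) [rucio-webui] - $*"`), and `generate_env_file` relies on the working directory being the webui checkout; `cd "${RUCIO_WEBUI_PATH:?}/tools/env-generator"` would make that explicit and fail loudly when it is not set.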
@@ -15,8 +15,8 @@ ARG TAG
 LABEL stage=production
 RUN dnf -y update && \
 dnf -y module reset nodejs && \
- dnf -y module enable nodejs:18 && \
- dnf -y module install nodejs:18/common && \
+ dnf -y module enable nodejs:20 && \
+ dnf -y module install nodejs:20/common && \
 dnf -y install httpd mod_ssl python39 python-pip git procps patchutils && \
 dnf clean all && \
 rm -rf /var/cache/dnf
From 6c0cc02c5a8d87279ebf2df2034ed806164b1279 Mon Sep 17 00:00:00 2001
From: maany
Date: Fri, 23 Feb 2024 00:46:08 +0100
Subject: [PATCH 3/4] webui: 33.x compatible containers
---
 webui/.env.default.j2 | 31 -----
 webui/Dockerfile | 6 +-
 webui/README.md | 225 +++++++++++++++++--------------------
 webui/docker-entrypoint.sh | 28 ++++-
 webui/ecosystem.config.js | 11 ++
 webui/rucio.conf.j2 | 16 ++-
 6 files changed, 153 insertions(+), 164 deletions(-)
 delete mode 100644 webui/.env.default.j2
 create mode 100644 webui/ecosystem.config.js
diff --git a/webui/.env.default.j2 b/webui/.env.default.j2
deleted file mode 100644
index 945b7f7..0000000
--- a/webui/.env.default.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-[public]
-NEXT_PUBLIC_WEBUI_HOST = {{ RUCIO_HOST | default('https://rucio-host-not-defined') }}
-
-[meta]
-PROJECT_NAME = {{PROJECT_NAME | default('https://atlas.cern/')}}
-
-[session]
-SESSION_PASSWORD = {{SESSION_PASSWORD | default('2gyZ3GDw3LHZQKDhPmPDL3sjREVRXPr8')}}
-SESSION_COOKIE_NAME = {{SESSION_COOKIE_NAME | default('rucio-webui-session')}}
-NODE_TLS_REJECT_UNAUTHORIZED = {{NODE_TLS_REJECT_UNAUTHORIZED | default('0')}}
-
-[gateway]
-RUCIO_AUTH_HOST = {{ RUCIO_AUTH_HOST | default('https://rucio-auth-host-not-defined') }}
-RUCIO_HOST = {{ RUCIO_HOST | default('https://rucio-host-not-defined') }}
-
-[oidc]
-OIDC_ENABLED = {{ OIDC_ENABLED | default('false') }}
-OIDC_PROVIDERS = {{ OIDC_PROVIDERS | default('') }}
-
-
-{% if OIDC_PROVIDERS %}
- {% set providers_list = OIDC_PROVIDERS.split(',') %}
- {% for provider in providers_list %}
- {% set provider_var_name = 'OIDC_PROVIDER_' + provider + '_CLIENT_ID' %}
- {% set provider_value = '' %}
- {% if provider_var_name in context %}
- {% set provider_value = context[provider_var_name] %}
- {% endif %}
- OIDC_PROVIDER_{{ provider }}_CLIENT_ID={{ provider_value }}
- {% endfor %}
-{% endif %}
\ No newline at end of file
diff --git a/webui/Dockerfile b/webui/Dockerfile
index 84d9026..70bb43a 100644
--- a/webui/Dockerfile
+++ b/webui/Dockerfile
@@ -32,11 +32,13 @@ ENV RUCIO_WEBUI_PATH=/opt/rucio/webui
 RUN curl https://raw.githubusercontent.com/rucio/rucio/master/tools/merge_rucio_configs.py --output /opt/rucio/merge_rucio_configs.py
 RUN git clone --depth 1 -b ${TAG} -- https://github.com/rucio/webui.git ${RUCIO_WEBUI_PATH}
+RUN npm i -g pm2
 RUN npm install
-RUN npm run build
 COPY docker-entrypoint.sh /
-COPY .env.default.j2 /tmp/
+COPY httpd.conf.j2 /tmp/
+COPY rucio.conf.j2 /tmp/
+COPY ecosystem.config.js /opt/rucio/webui/ecosystem.config.js
 EXPOSE 443
 EXPOSE 80
diff --git a/webui/README.md b/webui/README.md
index 41b443f..16b2df0 100644
--- a/webui/README.md
+++ b/webui/README.md
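Review bot: `RUN npm i -g pm2` installs an unpinned global package, so the process manager that supervises the Node backend can change with every rebuild; pin it, `RUN npm i -g pm2@<pinned-version>` (placeholder), or declare it in package.json and install with `npm ci` so the lockfile governs the version. Dropping `RUN npm run build` moves the Next.js compile to container start (see the docker-entrypoint.sh hunk in this patch), which keeps the full build toolchain in the runtime image and makes every start depend on a successful build; that looks deliberate, to bake the runtime-generated `.env` into the static output, and deserves a comment here, e.g. `# npm run build happens in docker-entrypoint.sh so the generated .env is embedded in the bundle`.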
@@ -16,11 +16,17 @@ This section decribes deploying the Rucio WebUI via Docker. For Kubernetes deplo This image provides the Rucio WebUI which works as a web frontend to the Rucio server. The WebUI container can be built with the following command, where `TAG` is the version of the webui to be used (should already be available on [rucio/webui](https://github.com/rucio/webui) repository) and the build context is the directory containing the Dockerfile: +```bash +docker build --rm --no-cache --platform=linux/amd64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 . ``` -docker build --rm --build-arg TAG=1.29.0-pre-alpha --target=production --tag=webui . + +For M1 Macs, the `--platform` flag should be set to `linux/arm64` instead. + +```bash +docker build --rm --no-cache --platform=linux/arm64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 . ``` -Pre-built images are available on [Docker Hub](https://hub.docker.com/u/rucio/). +Pre-built images are available on [Docker Hub](https://hub.docker.com/r/rucio/rucio-webui). A WebUI instance with the minimal configuration can be started like this: 
@@ -36,137 +42,114 @@ The `` must point to the instance of rucio-server that the Web To start the WebUI container with TLS Termination and x509 authentication, you must provide host certificate, key and the the CA certificate as volumes. -``` -docker run \ - --name webui \ - -p 80:80 -p 443:443 \ - -e RUCIO_ENABLE_SSL=True \ - -e RUCIO_HOST=https://rucio-devmaany.cern.ch \ - -v /hostcert.pem:/etc/grid-security/hostcert.pem \ - -v /hostkey.pem:/etc/grid-security/hostkey.pem \ - -v /ca-bundle.pem:/etc/grid-security/ca.pem \ - rucio/rucio-webui +```bash +docker run --rm --name rucio-webui \ + -e RUCIO_WEBUI_HOSTNAME= \ + -e RUCIO_WEBUI_ENABLE_SSL=false \ + -e RUCIO_WEBUI_RUCIO_HOST= \ + -e RUCIO_WEBUI_RUCIO_AUTH_HOST= \ + -e RUCIO_WEBUI_PROJECT_URL=atlas.cern.ch \ + -e RUCIO_WEBUI_MULTIVO_ENABLED=true \ + -e RUCIO_WEBUI_VO_LIST=def \ + -e RUCIO_WEBUI_VO_DEFAULT=def \ + -e RUCIO_WEBUI_VO_DEF_NAME=default \ + -e RUCIO_WEBUI_VO_DEF_LOGO=https://ep-news.web.cern.ch/sites/ep-news.web.cern.ch/files/RUCIO1.jpg \ + -e NODE_EXTRA_CA_CERTS=/etc/grid-security/ca.pem \ + -e RUCIO_WEBUI_OIDC_ENABLED=false \ + -p 80:80 \ + -p 443:443 \ + --mount type=bind,src=$(pwd)/ca-bundle.pem,target=/etc/grid-security/ca.pem \ + rucio-webui-33.0.0-alpha.1 ``` ## Configuration The WebUI container can be configured using environment variables. There are two categories of the environment variables: -1. React App Configuration +1. NextJS Configuration 2. Web Server (Apache) Configuration -Except for `RUCIO_HOST`, the React App Configuration variables are prefixed with `WEBUI_` and are used to process the `.env.default.j2` template, which creates the environment file used by the React App. Additional configuration variables can be passed to the React app. These configration variables must be prefixed with `RUCIO_CFG_REACT_APP_` and can be passed to the container with the `-e RUCIO_CFG_REACT_ENV_=value` flag. - -The Web Server Configuration variables are prefixed with `RUCIO_`. 
- -The following table lists the available configuration variables: - -### React App Configuration -The following environment variables are used to configure the React App. - -| Variable | Description | Required/Optional | -| --- | --- | --- | -| `RUCIO_HOST` | The URL of the Rucio server to connect to. | Required | -| `WEBUI_LOGIN_PAGE_IMAGE_PRIMARY` | The path to the primary image to be displayed on the login page. | Optional, the image must be volume mounted onto the container | -| `WEBUI_LOGIN_PAGE_IMAGE_SECONDARY` | The path to the secondary image to be displayed on the login page. | Optional, the image must be volume mounted onto the container | +The following sections list the available configuration variables: + +### NextJS Configuration +The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with `RUCIO_WEBUI_` and are by the [env-generator](https://github.com/rucio/webui/tree/master/tools/env-generator) tool , which creates the environment file used by the NextJS application. When running the container, the `-e` flag must specify the `FULL_NAME` of the corresponding environment variable. + +| Variable Name | Full Name | Description | Example | Default | +|-----------------|-----------------------------|--------------------------------------------------------------------------------------|--------------------------------|---------| +| RUCIO_HOST | RUCIO_WEBUI_RUCIO_HOST | URL for the Rucio Server | https://rucio-lb-prod.cern.ch | | +| RUCIO_AUTH_HOST | RUCIO_WEBUI_RUCIO_AUTH_HOST | URL for the Rucio authentication server | https://rucio-auth-host.ch:443 | | +| HOSTNAME | RUCIO_WEBUI_HOSTNAME | Public HOSTNAME at which Rucio WebUI will be accessible. It may include port number. 
| rucio-ui.cern.ch | | +| ENABLE_SSL | RUCIO_WEBUI_ENABLE_SSL | Enable or Disable TLS Termination (true or false) | true | false | +| PROJECT_URL | RUCIO_WEBUI_PROJECT_URL | Public URL for your project | https://atlas.cern.ch | | +| VO_DEFAULT | RUCIO_WEBUI_VO_DEFAULT | Short name for the default VO used for authentication | def | def | +| VO_LIST | RUCIO_WEBUI_VO_LIST | CSV string containing the list of supported VOs | def, atl, cms | def | +| MULTIVO_ENABLED | RUCIO_WEBUI_MULTIVO_ENABLED | Whether to enable multi-VO config (true or false) | true | | +| OIDC_ENABLED | RUCIO_WEBUI_OIDC_ENABLED | Enable or Disable OIDC Authentication (true or false) | true | | +| OIDC_PROVIDERS | RUCIO_WEBUI_OIDC_PROVIDERS | CSV string containing names of OIDC Providers | cern, indigo | | + +For each `VO` specified in the `VO_LIST` variable, additional variables need to be specified. These variables should be added in the following format: +```RUCIO_WEBUI_VO__=```. An example for the default VO is shown below: +| Variable Name | Full Name | Description | Example | Default | +|-----------------------|-----------------------------------|---------------------------------------------------------------------------|--------------|---------| +| VO_DEF_NAME | RUCIO_WEBUI_VO_DEF_NAME | Full name of the default VO | default | | +| VO_DEF_LOGO | RUCIO_WEBUI_VO_DEF_LOGO | URL to the logo of the default VO that will be rendered on the login page | | | +| VO_DEF_OIDC_ENABLED | RUCIO_WEBUI_VO_DEF_OIDC_ENABLED | Enable or Disable OIDC Authentication for the default VO (true or false) | true | | +| VO_DEF_OIDC_PROVIDERS | RUCIO_WEBUI_VO_DEF_OIDC_PROVIDERS | CSV string containing names of OIDC Providers for the default VO | cern, indigo | | + +For each `OIDC Provider` specified in the `OIDC_PROVIDERS` variable, the additional variables need to be specified. The variables should be added in the following format: +```export RUCIO_WEBUI_OIDC_PROVIDER__=```. 
An example for the CERN OIDC provider is shown below: + +| Variable Name | Full Name | Description | Example | Default | +| ------------------------------------ | ------------------------------------------------ | --------------------------------------------------------------------- | ------- | ------- | +| OIDC_PROVIDER_CERN_CLIENT_ID | RUCIO_WEBUI_OIDC_PROVIDER_CERN_CLIENT_ID | The client id for the webui registered on the OIDC Provider dashboard | | | +| OIDC_PROVIDER_CERN_CLIENT_SECRET | RUCIO_WEBUI_OIDC_PROVIDER_CERN_CLIENT_SECRET | The client secret for the webui obtained from the OIDC Provider | | | +| OIDC_PROVIDER_CERN_AUTHORIZATION_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_AUTHORIZATION_URL | The authorization URL for the OIDC Provider | | | +| OIDC_PROVIDER_CERN_TOKEN_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_TOKEN_URL | The token endpoint for the OIDC Provider | | | +| OIDC_PROVIDER_CERN_REFRESH_TOKEN_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_REFRESH_TOKEN_URL | The refresh token endpoint | | | +| OIDC_PROVIDER_CERN_USERINFO_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_USERINFO_URL | The URL to obtain user info from the OIDC Provider | | | +| OIDC_PROVIDER_CERN_REDIRECT_URL | RUCIO_WEBUI_OIDC_PROVIDER_CERN_REDIRECT_URL | The redirection URL configured on the OIDC Provider | | | -## OIDC Authentication - -The WebUI supports multiple OIDC Providers. For security reasons, it is highly recommended that the OIDC providers support the PKCE workflow, otherwise any `client_secret` variables would be exposed to the browsers running the WebUI. - -For each OIDC provider, you must register the WebUI as a `client` and generate a `client_id`. You can use the `{https/http}://{rucio_web_ui_domain}/` as the `redirect_uri`. 
- -Then, you can specify the OIDC client configuration in the WebUI by providing the following environment variables ( increment the number for each provider ): - -| Variable | Description | Required/Optional | -| --- | --- | --- | -| `RUCIO_CFG_OIDC_REACT_APP_oidc_provider_` | The name of the OIDC provider. | Required | -| `RUCIO_CFG_OIDC_REACT_APP_oidc_client_id_` | The client ID of the OIDC provider. | Required | -| `RUCIO_CFG_OIDC_REACT_APP_oidc_authorization_endpoint_` | The authorization endpoint of the OIDC provider, without the trailing '/'. | Required | -| `RUCIO_CFG_OIDC_REACT_APP_oidc_token_endpoint_` | The token endpoint of the OIDC provider, without the trailing '/'. | Required | -| `RUCIO_CFG_OIDC_REACT_APP_oidc_redirect_uri_` | The redirect URI of the OIDC provider. | Required | ## Web Server Configuration The following environment variables are used to configure the rucio specific aspects of the Apache Web Server. -| Variable | Description | Defaults | -| --- | --- | --- | -| `RUCIO_HOSTNAME` | This variable sets the server name in the apache config. | | -| `RUCIO_SERVER_ADMIN` | This variable sets the server admin in the apache config. | | -| `RUCIO_ENABLE_SSL` | Enable SSL/TLS Termination. | Optional, default: `False` | -| `RUCIO_LOG_FORMAT` | The default rucio log format is `%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b` You can set your own format using this variable. | | -| `RUCIO_ENABLE_LOGS`| By default the log output of the web server is written to stdout and stderr. If you set this variable to `True` the output will be written to `access_log` and `error_log` under `/var/log/httpd`. | | -| `RUCIO_LOG_LEVEL` | The log level of Apache | Default: info | -| `RUCIO_HTTPD_LOG_DIR` | If `RUCIO_ENABLE_LOGS` is set use this variable to change the default logfile output directory. 
| | -| `RUCIO_CA_REVOCATION_CHECK` | Sets the `SSLCARevocationCheck` variable for Apache | Default: `chain` | +| Variable | Description | Defaults | +| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------- | +| `RUCIO_HOSTNAME` | This variable sets the server name in the apache config. | | +| `RUCIO_SERVER_ADMIN` | This variable sets the server admin in the apache config. | | +| `RUCIO_ENABLE_SSL` | Enable SSL/TLS Termination. | Optional, default: `False` | +| `RUCIO_LOG_FORMAT` | The default rucio log format is `%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b` You can set your own format using this variable. | | +| `RUCIO_ENABLE_LOGS` | By default the log output of the web server is written to stdout and stderr. If you set this variable to `True` the output will be written to `access_log` and `error_log` under `/var/log/httpd`. | | +| `RUCIO_LOG_LEVEL` | The log level of Apache | Default: info | +| `RUCIO_HTTPD_LOG_DIR` | If `RUCIO_ENABLE_LOGS` is set use this variable to change the default logfile output directory. | | +| `RUCIO_CA_REVOCATION_CHECK` | Sets the `SSLCARevocationCheck` variable for Apache | Default: `chain` | The following environment variables are used to configure the Apache Web Server. Please take a look at `httpd.conf.j2` for more information. -| Variable | Description | Defaults | -| --- | --- | --- | -| `RUCIO_HTTPD_SERVER_LIMIT` | | | -| `RUCIO_HTTPD_MAX_REQUESTS_PER_CHILD` | | | -| `RUCIO_HTTPD_KEEP_ALIVE_TIMEOUT` | | | -| `RUCIO_HTTPD_MAX_SPARE_THREADS` | | | -| `RUCIO_HTTPD_TIMEOUT` | | | -| `RUCIO_HTTPD_MPM_MODE` | This variable sets the MPM mode. | The default is "event". 
| -| `RUCIO_HTTPD_START_SERVERS` | | | -| `RUCIO_HTTPD_MAX_CONNECTIONS_PER_CHILD` | | | -| `RUCIO_HTTPD_KEEP_ALIVE` | | | -| `RUCIO_HTTPD_MIN_SPARE_THREADS` | | | -| `RUCIO_HTTPD_MAX_CLIENTS` | | | -| `RUCIO_HTTPD_MAX_KEEP_ALIVE_REQUESTS` | | | -| `RUCIO_HTTPD_MIN_SPARE_SERVERS` | | | -| `RUCIO_HTTPD_THREADS_LIMIT` | | | -| `RUCIO_HTTPD_MAX_SPARE_SERVERS` | | | -| `RUCIO_HTTPD_MAX_REQUEST_WORKERS` | | | -| `RUCIO_HTTPD_THREADS_PER_CHILD` | | | - -## Developers - -For information on how to contribute to Rucio, please refer and follow our [CONTRIBUTING]() guidelines. - -The new WebUI is a single-page React app, therefore, `httpd` is only used for providing `TLS Termination` and `SSL Client Certificate Verification` capabilities. - -The configuration parameters for the react app itself are included in the `.env.default.j2` template. In the webui repository, these environment variables are present in the [.env.template](https://github.com/rucio/webui/blob/master/.env.template) file. Please make sure that all the required environment variables required by the react application can be configured via the `.env.default.j2` template. - -The React app gets built into a static website after running `npm build` in the `docker-entrypoint.sh`. The build process also embeds all environment variables in the final processed output of `.env.default.j2` file (i.e. /opt/rucio/webui/.env inside the container) in the source of the static web application. When httpd serves the webui, it returns the source of the static web application. Therefore, it is highly recommended to **NOT specify any secrets via the environment variables used in .env.default.j2 configuration template**. - -The Dockerfile fetches the source code from a **tagged release of the webui repository ( no node package is pushed to npm)**. The tagged release is specified by the `--build-arg TAG=` argument of the `docker build` command. - -The file `rucio.conf.j2` specifies webui specific configuration for `httpd`. 
The status of the `x509` certificate veritication is embedded into the `X-SSL-Client-S-DN` and `X-SSL-Client-Verify` response headers. These headers are used by the webui to figure out if x509 was used as an authentication method and whether a valid client certificate was presented. - -For x509 Client Certificate Vertification, the initial idea was to define a new Location in httpd config under the virtual host listening at port 443 -``` - - SSLVerifyClient optional_no_ca - SSLVerifyDepth 10 - -``` -This would allow the end-users to click on the `x509 Authentication` button in the webui login page, which would then initiate the client certificate request and vertification process. - -While, this is a totally valid httpd configuration, most browsers, at the time of writing this document, do not support [`post-handshake`](https://stackoverflow.com/questions/53062504/apache-2-4-37-with-openssl-1-1-1-cannot-perform-post-handshake-authentication) authentication. Therefore, the `SSLVerifyClient` directive must be used in the directive. - -In case this changes in future, please coordinate with the developers of the webui to adapt to the `post-handshake` authentication scenario. - ------ -** UPDATE 24/01/2023 ** - -The following configuration has been moved to rucio server's `httpd.conf.j2` template. https://github.com/rucio/containers/issues/216 - -``` - - SSLVerifyClient optional_no_ca - SSLVerifyDepth 10 - -``` -and `post-handshake` authentication works as expected. The entire scope of changes are described [here](https://github.com/rucio/rucio/issues/6048). - -## Enabling docker auto builds -Once the new webui is ready to be included as part of the main release process of Rucio, it must be added to the docker auto build and push workflow defined in this repository. 
- -To do so, please add -``` -'webui, prepend-rucio, prepend-release, push-tagged, push-latest' -``` -to the [build context]( -https://github.com/rucio/containers/blob/df0d2a40a24db32523ed218b7e340616832f459a/.github/workflows/docker-auto-build.yml#L13-L28). +| Variable | Description | Defaults | +| --------------------------------------- | -------------------------------- | ----------------------- | +| `RUCIO_HTTPD_SERVER_LIMIT` | | | +| `RUCIO_HTTPD_MAX_REQUESTS_PER_CHILD` | | | +| `RUCIO_HTTPD_KEEP_ALIVE_TIMEOUT` | | | +| `RUCIO_HTTPD_MAX_SPARE_THREADS` | | | +| `RUCIO_HTTPD_TIMEOUT` | | | +| `RUCIO_HTTPD_MPM_MODE` | This variable sets the MPM mode. | The default is "event". | +| `RUCIO_HTTPD_START_SERVERS` | | | +| `RUCIO_HTTPD_MAX_CONNECTIONS_PER_CHILD` | | | +| `RUCIO_HTTPD_KEEP_ALIVE` | | | +| `RUCIO_HTTPD_MIN_SPARE_THREADS` | | | +| `RUCIO_HTTPD_MAX_CLIENTS` | | | +| `RUCIO_HTTPD_MAX_KEEP_ALIVE_REQUESTS` | | | +| `RUCIO_HTTPD_MIN_SPARE_SERVERS` | | | +| `RUCIO_HTTPD_THREADS_LIMIT` | | | +| `RUCIO_HTTPD_MAX_SPARE_SERVERS` | | | +| `RUCIO_HTTPD_MAX_REQUEST_WORKERS` | | | +| `RUCIO_HTTPD_THREADS_PER_CHILD` | | | + +## Volume Mounts +In addition to the environment, the following files can be mounted as volumes to the container: +| File Path (inside container) | Description | Optional / Required | +| ------------------------------- | ---------------------------------------------------------------- | ---------------------------------- | +| /etc/grid-security/hostcert.pem | The host certificate file for the webui host | Required, if running in HTTPS mode | +| /etc/grid-security/hostkey.pem | The host key file for the webui host | Required, if running in HTTPS mode | +| /etc/grid-security/ca.pem | The CA certificate file that can verify the `RUCIO SERVER` host. | Required | +| /patch | The directory containing the patch files for the webui | Optional | diff --git a/webui/docker-entrypoint.sh b/webui/docker-entrypoint.sh index 2b65a1f..83ead94 100755 
--- a/webui/docker-entrypoint.sh
+++ b/webui/docker-entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 log() {
- echo "$(date -u) [rucio-webui] - $@"
+ echo -e "\e[32m$(date -u) [rucio-webui] - $@\e[0m"
 }
 generate_env_file() {
@@ -26,6 +26,20 @@ fi
 cat /opt/rucio/webui/.env
 echo ""
+log "Building Apache configuration files."
+j2 /tmp/httpd.conf.j2 | sed '/^\s*$/d' > /etc/httpd/conf/httpd.conf
+echo "=================== /etc/httpd/conf/httpd.conf ========================"
+cat /etc/httpd/conf/httpd.conf
+echo ""
+
+j2 /tmp/rucio.conf.j2 | sed '/^\s*$/d' > /etc/httpd/conf.d/rucio.conf
+echo "=================== /etc/httpd/conf/conf.d/rucio.conf ========================"
+cat /etc/httpd/conf.d/rucio.conf
+echo ""
+
+log "removing httpd example ssl config"
+rm -rf /etc/httpd/conf.d/ssl.conf
+
 if [ -d "/patch" ]
 then
 echo "=================== Apply Patches ==================="
@@ -62,9 +76,13 @@ then
 fi
 fi
 done
- log "Rebuilding the Rucio WebUI after applying patches!"
- npm run build
 fi
-echo "=================== Starting RUCIO WEBUI ==================="
-npm run start
\ No newline at end of file
+log "Building Rucio WebUI"
+npm run build
+
+log "Starting Rucio WebUI"
+pm2 start
+sleep 2
+exec httpd -D FOREGROUND
+echo "=================== RUCIO WEBUI started ==================="
diff --git a/webui/ecosystem.config.js b/webui/ecosystem.config.js
new file mode 100644
index 0000000..17103b9
--- /dev/null
+++ b/webui/ecosystem.config.js
@@ -0,0 +1,11 @@
+module.exports = {
+ apps: [
+ {
+ name: "rucio-webui",
+ script: "npm start",
+ env: {
+ NODE_ENV: "production",
+ },
+ },
+ ],
+};
diff --git a/webui/rucio.conf.j2 b/webui/rucio.conf.j2
index deadb8c..875deff 100644
--- a/webui/rucio.conf.j2
+++ b/webui/rucio.conf.j2
@@ -33,7 +33,7 @@
 {% endif %}
 {% endmacro %}
-{% if RUCIO_ENABLE_SSL|default('True') == 'True' %}
+{% if RUCIO_WEBUI_ENABLE_SSL|default('False') == 'True' %}
 {% set enable_ssl = 'True' %}
 {% else %}
 {% set enable_ssl = 'False' %}
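Review bot: `echo -e` interprets backslash escapes in the message text as well as in the colour codes, and `$@` inside a double-quoted string is the wrong expansion (ShellCheck SC2145); `printf '\e[32m%s [rucio-webui] - %s\e[0m\n' "$(date -u)" "$*"` keeps the colouring and treats the message as data. The escape sequences also land verbatim in container logs read by non-TTY collectors; emitting them only when `[ -t 1 ]` holds keeps the log lines grep-friendly.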
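Review bot: `j2 /tmp/httpd.conf.j2 | sed '/^\s*$/d' > /etc/httpd/conf/httpd.conf` (and the rucio.conf line below it) runs under `bash -e` without `pipefail`, so a failed render — undefined variable, missing template — is masked by `sed` exiting 0 and httpd is later started with an empty or truncated config; add `set -o pipefail` next to the shebang (outside this hunk) or guard each render with `[ -s /etc/httpd/conf/httpd.conf ] || exit 1`. Both rendered files are also `cat`ed to stdout on every start, which is convenient for debugging but means everything interpolated from the environment reaches the container log. The second banner names `/etc/httpd/conf/conf.d/rucio.conf` while the file is written to `/etc/httpd/conf.d/rucio.conf`.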
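Review bot: The `echo "=================== RUCIO WEBUI started ==================="` after `exec httpd -D FOREGROUND` never runs, because `exec` replaces the shell; drop it or move it before the `exec`. `pm2 start` daemonises the Node backend and `sleep 2` is the only readiness gate, so httpd may begin proxying to port 3000 before the app listens, and if the backend later dies the container stays up with httpd serving errors; replace the sleep with a bounded wait such as `for _ in {1..30}; do curl -sf http://localhost:3000/ >/dev/null && break; sleep 1; done` (curl is installed by the Dockerfile) and consider tying container health to the pm2 process. `npm run build` is also unconditional here, so a patch-free start still recompiles; that is presumably intended so the generated `.env` is embedded, and a one-line comment saying so would help the next reader.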
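Review bot: The new condition `{% if RUCIO_WEBUI_ENABLE_SSL|default('False') == 'True' %}` is case-sensitive, while the README in this same patch documents the value as `true`/`false` and its `docker run` example passes `RUCIO_WEBUI_ENABLE_SSL=false`; an operator following the docs and setting `true` silently gets plain HTTP. Compare case-insensitively, `{% if (RUCIO_WEBUI_ENABLE_SSL|default('False'))|lower == 'true' %}`. The rename also leaves the README's Web Server Configuration table (same patch) still listing `RUCIO_ENABLE_SSL` and `RUCIO_HOSTNAME`, which this template no longer reads, and flipping the default from `True` to `False` means deployments that relied on TLS termination by default lose it without any error — worth an explicit note in the README and changelog.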
@@ -63,22 +63,28 @@ LogFormat "%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\" {% if enable_ssl == 'True' %} -{% if RUCIO_HOSTNAME is defined %} - ServerName {{ RUCIO_HOSTNAME }}:80 - Redirect / https://{{ RUCIO_HOSTNAME }}/ +{% if RUCIO_WEBUI_HOSTNAME is defined %} + ServerName {{ RUCIO_WEBUI_HOSTNAME }}:80 + Redirect / https://{{ RUCIO_WEBUI_HOSTNAME }}/ {% endif %} {{ common_virtual_host_config(port=443) }} - + ProxyPass / http://localhost:3000/ + ProxyPassReverse / http://localhost:3000/ {% else %} {{ common_virtual_host_config(port=80) }} + {% if RUCIO_WEBUI_HOSTNAME is defined %} + ServerName {{ RUCIO_WEBUI_HOSTNAME }}:80 + ProxyPass / http://{{ RUCIO_WEBUI_HOSTNAME }}:3000/ + ProxyPassReverse / http://{{ RUCIO_WEBUI_HOSTNAME }}:3000/ +{% endif %} {% endif %} From 229e1431574a483e3dde475edf677d8997f6f9ba Mon Sep 17 00:00:00 2001 From: maany Date: Tue, 5 Mar 2024 13:09:36 +0100 Subject: [PATCH 4/4] webui: update README and add TMP_PATCH_DIR in entrypoint --- webui/README.md | 4 ++-- webui/docker-entrypoint.sh | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/webui/README.md b/webui/README.md index 16b2df0..339e053 100644 --- a/webui/README.md +++ b/webui/README.md @@ -20,7 +20,7 @@ This image provides the Rucio WebUI which works as a web frontend to the Rucio s docker build --rm --no-cache --platform=linux/amd64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 . ``` -For M1 Macs, the `--platform` flag should be set to `linux/arm64` instead. +For ARM based platforms (For eg, Apple Silicone), the `--platform` flag should be set to `linux/arm64` instead. ```bash docker build --rm --no-cache --platform=linux/arm64 --build-arg TAG=33.0.0 -t rucio-webui:33.0.0 . 
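Review bot: In the non-TLS branch the backend is proxied as `ProxyPass / http://{{ RUCIO_WEBUI_HOSTNAME }}:3000/`, whereas the TLS branch above uses `http://localhost:3000/`; the Node app started by pm2 runs in the same container, so using the public hostname makes httpd resolve and connect to the externally visible address on port 3000 (which the Dockerfile does not `EXPOSE`) instead of the loopback backend, and only works if that name happens to resolve back to the container. Use `ProxyPass / http://localhost:3000/` and `ProxyPassReverse / http://localhost:3000/` in both branches and keep only the `ServerName` line under the `{% if RUCIO_WEBUI_HOSTNAME is defined %}` guard. As written the ProxyPass lines sit inside that guard too, so a port-80 vhost without `RUCIO_WEBUI_HOSTNAME` proxies nothing. Some lines of this hunk appear to have lost their VirtualHost tags in rendering, so the exact placement is inferred.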
@@ -70,7 +70,7 @@ The WebUI container can be configured using environment variables. There are two
 The following sections list the available configuration variables:
 ### NextJS Configuration
-The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with `RUCIO_WEBUI_` and are by the [env-generator](https://github.com/rucio/webui/tree/master/tools/env-generator) tool , which creates the environment file used by the NextJS application. When running the container, the `-e` flag must specify the `FULL_NAME` of the corresponding environment variable.
+The following environment variables are used to configure the NextJS App. As a convention, the environment variables are prefixed with `RUCIO_WEBUI_` and are generated by the [env-generator](https://github.com/rucio/webui/tree/master/tools/env-generator) tool , which creates the environment file used by the NextJS application. When running the container, the `-e` flag must specify the `FULL_NAME` of the corresponding environment variable.
 | Variable Name | Full Name | Description | Example | Default |
 |-----------------|-----------------------------|--------------------------------------------------------------------------------------|--------------------------------|---------|
diff --git a/webui/docker-entrypoint.sh b/webui/docker-entrypoint.sh
index 83ead94..29fd470 100755
--- a/webui/docker-entrypoint.sh
+++ b/webui/docker-entrypoint.sh
@@ -44,6 +44,10 @@ if [ -d "/patch" ]
 then
 echo "=================== Apply Patches ==================="
 log "Patches found. Trying to apply them"
+
+ TMP_PATCH_DIR="$(mktemp -d)"
+ trap 'rm -rf -- "$TMP_PATCH_DIR"' EXIT # Deletes temp dir when script exits
+
 for patchfile in /patch/*
 do
 echo "Applying patch ${patchfile}"
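Review bot: The EXIT trap `trap 'rm -rf -- "$TMP_PATCH_DIR"' EXIT` is set here, but since patch 3 of this series ends the script with `exec httpd -D FOREGROUND`, the shell is replaced rather than exited and, as far as I can tell, bash does not run EXIT traps on a successful `exec`; the mktemp directory then persists for the container's lifetime. Keep the trap for the error paths but also remove the directory explicitly before the `exec`, `[ -z "${TMP_PATCH_DIR:-}" ] || rm -rf -- "$TMP_PATCH_DIR"`. The `for patchfile in /patch/*` loop and the enclosing `if [ -d "/patch" ]` block continue outside the hunk; note that with an empty `/patch` mount the unmatched glob is passed through literally, so `[ -e "$patchfile" ] || continue` (or `shopt -s nullglob`) is worth adding at the top of the loop body.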