Commit c091dd37 authored by Marc Betoule

Update doc for pipeweb behind apache, add autostart functionality

parent ace424e5
......@@ -1034,9 +1034,10 @@ Pipeline(pipedot, codedir=, prefix=, env=MyEnvironment)
** Launching pipeweb behind apache
Pipeweb use the cherrypy web framework server and can be run behind an
apache webserver which brings essentially two advantages:
apache web server which brings essentially two advantages:
- access to *_mod apache facilities (https, gzip, authentication facilities ...).
- faster static files serving (the pipelet appli actually use quite few of them so the actual gain is marginal).
- faster static files serving (the pipelet application actually use
quite few of them so the actual gain is marginal).
There is actually several way of doing so, the [[http://tools.cherrypy.org/wiki/BehindApache][cherrypy]] documentation
giving hints about each. We describe here an example case using
......@@ -1049,10 +1050,10 @@ mod_rewrite and virtual hosting.
=sudo a2enmod proxy=
=sudo a2enmod proxy_http=
2. We then configure apache to rewrite request to the cherrypy apps
except for the static files of the application that will be served
directly. Here is a sample configuration file for a dedicated
virtual host named pipeweb with pipelet installed under
2. We then configure apache to rewrite request to the cherrypy
application except for the static files of the application that
will be served directly. Here is a sample configuration file for a
dedicated virtual host named pipeweb with pipelet installed under
=/usr/local/lib/python2.6/dist-packages/=.
#+begin_src apache
<VirtualHost pipeweb:80>
......@@ -1072,8 +1073,96 @@ mod_rewrite and virtual hosting.
specified address and port:
=pipeweb start -H 127.0.0.1=
There is also some possibility to start the application on demand
using a cgi script like:
#+begin_src python
#!/usr/local/bin/python
print "Content-type: text/html\r\n"
print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
import os
os.system('pipeweb start -H 127.0.0.1')
#+end_src
To have it executed when the proxy detect the absence of the application:
#+begin_src apache
<VirtualHost pipeweb:80>
#...
ScriptAliasMatch ^/pipeweb_autostart\.cgi$ /usr/local/bin/pipeweb_autostart.cgi
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
RewriteRule ^/static/(.*) /usr/local/lib/python2.6/dist-packages/pipelet/static/$1 [L]
RewriteCond %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
RewriteRule ^(.*) http://127.0.0.1:8080$1 [proxy]
ErrorDocument 503 /pipeweb_autostart.cgi
#...
</VirtualHost>
#+end_src
You may want to adjust ownership and suid of the
=pipeweb_autostart.cgi= script so that it executes with the correct
rights.
Pipeweb handles access rights using per pipeline ACL registered in the
database file. It support Basic and Digest http authentication. When
deploying the pipeweb interface in a production environment, one may
want to defer a part of the authorization process to external and
potentially more secure systems. The pipeweb behavior in term of
authorization is controlled by the =-A= option that accept the
following arguments:
- =Digest= (default) Authenticate users via HTTP Digest authentication
according to the user:passwd list stored in the database.
- =Basic= Authenticate users via HTTP Basic (clear text)
authentication according to the user:passwd list stored in the
database.
- =ACL= Check the access rights of otherwise authenticated users
according to the user list stored in the database.
- =None= Do no check. (Defer the whole authentication/authorization
process to the proxy.)
Here is a complete configuration sample making of https, basic
authentication, and per pipeline ACL to secure data browsing.
#+begin_src apache
<VirtualHost _default_:443>
ServerAdmin pipeweb_admin@localhost
DocumentRoot /usr/local/lib/python2.6/dist-packages/pipelet
# ErrorLog /some/custom/error_file.log
# CustomLog /some/custom/access_file.log common
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# This handles authentication and access to the index page
# Access right checking to the various registered pipelines
# is left to pipeweb
<Location />
#Replace with Any suitable authentication system
AuthName "pipeweb"
AuthType Basic
AuthUserFile /etc/apache2/pipelet.pwd
require valid-user
</Location>
ScriptAliasMatch ^/pipeweb_autostart\.cgi$ /usr/local/bin/pipeweb_autostart.cgi
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
RewriteRule ^/static/(.*) /usr/local/lib/python2.6/dist-packages/pipelet/static/$1 [L]
RewriteCond %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
RewriteRule ^(.*) http://127.0.0.1:8080$1 [proxy]
ErrorDocument 503 /pipeweb_autostart.cgi
</VirtualHost>
#+end_src
And the corresponding cgi script:
#+begin_src python
#!/usr/local/bin/python
print "Content-type: text/html\r\n"
print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
import os
os.system('pipeweb start -H 127.0.0.1 -A ACL')
#+end_src
When deploying the pipeweb interface in a production environment, one may want
* The Pipelet actors
This section document the code for developers. The code documentation
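Review bot: the sentence "You may want to adjust ownership and suid of the =pipeweb_autostart.cgi= script" is too vague for a script that calls os.system('pipeweb start -H 127.0.0.1') with a bare command name, and in the first sample vhost (pipeweb:80) /pipeweb_autostart.cgi is matched by ScriptAliasMatch with no authentication block, so it can be requested directly and not only through ErrorDocument 503. Suggest naming the dedicated unprivileged account the script should run as instead of pointing at suid, and recommending an absolute path to pipeweb. The =-A ACL= and =-A None= entries should also say that pipeweb then trusts whatever reaches 127.0.0.1:8080, so the listener has to stay on loopback and local users can reach it without passing through Apache. Last, the line "When deploying the pipeweb interface in a production environment, one may want" just before "* The Pipelet actors" is a truncated duplicate of the paragraph above and should be dropped.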
......
......@@ -17,7 +17,6 @@ def check_access(auth_type, access_level):
auth_type: either 'None', 'ACL', 'Basic', 'Digest'
access_level: the required access level.
"""
cherrypy.log.error('auth_type:%s'%auth_type)
realm = "pipeweb"
if auth_type == 'None':
#No autorization check required
......@@ -41,7 +40,6 @@ def check_access(auth_type, access_level):
return False
password = dic.get(ah["username"], None)
encrypt = lambda x:x
cherrypy.log.error('password:%s'%password)
if cherrypy.lib.httpauth.checkResponse(ah, password, method=cherrypy.request.method,
encrypt=encrypt, realm=realm):
cherrypy.request.login = ah["username"]
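Review bot: the commit message only mentions documentation and autostart, yet the hunk header (7 lines down to 6) shows the cherrypy.log.error('password:%s'%password) line being dropped here, which means earlier versions wrote each looked-up password to the CherryPy error log. Please call this out in the commit message or changelog so that operators know to purge or restrict existing error logs and rotate the affected passwords. The context line encrypt = lambda x:x also shows the value from the database being passed to checkResponse unchanged, which deserves a follow-up issue on how passwords are stored.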
......
......@@ -805,7 +805,10 @@ def start(config, config_file):
from cherrypy.process.plugins import Daemonizer, PIDFile
cherrypy.config.update(config)
cherrypy.config.update(config_file)
cherrypy.tree.mount(PipeIndex(),"",config)
app = cherrypy.tree.mount(PipeIndex(),"",config)
if hasattr(app, 'toolboxes'):
# CherryPy 3.1+
app.toolboxes['pipeauth'] = auth.pipeauth
d = Daemonizer(cherrypy.engine)
d.subscribe()
p = PIDFile(cherrypy.engine, config['global']['server.pidfile'])
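Review bot: the if hasattr(app, 'toolboxes') test has no else branch, so on a CherryPy version without that attribute the pipeauth toolbox is silently not registered and start() carries on to daemonize. Since this toolbox carries the access checks, the fallback should be explicit: either register auth.pipeauth through whatever mechanism the older version offers, or log an error and refuse to start, so that a version mismatch cannot leave the application running without its authorization tool.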
......
#!/usr/bin/python
print "Content-type: text/html\r\n"
print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
import os
os.system('pipeweb start -H 127.0.0.1')
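Review bot: nothing in this script checks why it was invoked or whether an instance is already running before os.system('pipeweb start -H 127.0.0.1') is called, so every request to the CGI URL triggers a start attempt. Suggest testing the pidfile (and, under Apache, the REDIRECT_STATUS variable set for ErrorDocument redirects) before starting, and replacing os.system with a subprocess call that takes an argument list and an absolute path to pipeweb so that neither a shell nor the CGI environment's PATH is involved. The script also starts pipeweb without an -A option while the documentation sample uses -A ACL; a comment saying which mode is intended would avoid a mismatch with the proxy configuration. Minor: the link in the HTML body is closed with <a> instead of </a>.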
......@@ -13,5 +13,5 @@ setup(name='pipelet',
'pipelet.pipeline','pipelet.tracker', 'pipelet.repository', 'pipelet.launchers',
'pipelet.task', 'pipelet.utils', 'pipelet.web'],
package_data={'pipelet': ['static/*']},
scripts=['scripts/pipeweb', 'scripts/pipeutils', 'scripts/pipeletd']
scripts=['scripts/pipeweb', 'scripts/pipeutils', 'scripts/pipeletd', 'scripts/pipeweb_autostart.cgi']
)
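Review bot: adding 'scripts/pipeweb_autostart.cgi' to scripts installs an executable that starts a network service into the bin directory of every installation, including hosts that never run pipeweb behind Apache. Consider shipping it as an example file (for instance through package_data or a documentation directory) that the administrator copies into place deliberately, and have the documentation refer to that location rather than assuming /usr/local/bin/pipeweb_autostart.cgi.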