# Fire up system container for GN-QA System

# Tags

* assigned: bonfacem, alexm


The current code is a WIP. Patches will be sent after a working container is set up. The most recent code is in /home/bonfacem/gn-machines, and the confs that were copied to their respective paths are in /home/bonfacem/qa-set-up-files/. The important files that were changed or introduced are: /home/bonfacem/gn-machines/{qa-gn.scm, qa-gn-deploy.sh, genenetwork/services/genenetwork.scm}.

### Setting up SSL Keys

Generated RS256 key-pairs by following:

=> Generating How to generate Key-Pairs

Currently, on tux02, you can find the key-pairs:

```
ls /home/bonfacem/qa-set-up-files/*pem
```

These have been saved in

```
/export2/guix-containers/genenetwork/gn-qa/var/ssl
```

The client key pairs have been saved in:

```
/export2/guix-containers/genenetwork/gn-qa/var/ssl/clients-public-keys/
```

If the above directory is empty, gn-auth will fail to start.

In the container, we have that mounted as:

```
--share=/export2/guix-containers/genenetwork/gn-qa/var/ssl=/var/ssl
```

Because of permission issues, the container set-up currently applies this lazy work-around to get things running. It makes every file under the ssl path, private keys included, world-readable and world-writable, so it must be replaced with proper ownership and 0600 private keys before anything other than QA uses the container:

```
(for-each (lambda (file)
                      (chmod file #o777))
                    (find-files #$ssl-path #:directories? #t))
```
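The following is an added example, not code from gn-machines or from the gn-auth project. It applies least-privilege permissions to the shared ssl directory instead of chmod 777, and also checks the earlier point that gn-auth will not start with an empty clients-public-keys/ directory. It assumes the layout described above (key-pairs as *.pem files at the top level, client public keys under clients-public-keys/) and that the gunicorn workers run as a service account; the account name gn-auth and the demo file names are made up.

```shell
#!/bin/sh
# Added example, not code from gn-machines: least-privilege permissions for
# the shared SSL directory instead of the chmod 777 work-around, plus the
# check that gn-auth's clients-public-keys/ directory is not empty.
# Assumptions: key-pairs are *.pem files at the top level of the directory,
# client public keys live in clients-public-keys/, and the gunicorn worker
# runs as a service account (called gn-auth here; the name is made up).
set -eu

# Optional: generate an RS256 key-pair with openssl (not run by the demo).
gen_rs256_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$1"
    openssl pkey -in "$1" -pubout -out "$2"
}

fix_ssl_perms() {
    dir=$1
    owner=${2:-gn-auth}
    # Directories: owner full, group traverse/list, nothing for others.
    find "$dir" -type d -exec chmod 0750 {} +
    # Top-level *.pem: private keys 0600, public keys 0644. PEM private keys
    # (PKCS#1, PKCS#8, encrypted) all carry "PRIVATE KEY" in their header.
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            chmod 0600 "$f"
        else
            chmod 0644 "$f"
        fi
    done
    # Client public keys: readable, never writable by the service.
    if [ -d "$dir/clients-public-keys" ]; then
        find "$dir/clients-public-keys" -type f -exec chmod 0644 {} +
    fi
    # Hand the tree to the service account; only possible as root and only
    # when the account exists on this host (it does not in the demo).
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner": "$dir"
    fi
}

# gn-auth fails to start when clients-public-keys/ is empty: check it on the
# host before building the container rather than reading it off the log.
check_clients_dir() {
    cdir=$1/clients-public-keys
    [ -d "$cdir" ] || { echo "missing $cdir" >&2; return 1; }
    n=$(find "$cdir" -type f | wc -l)
    [ "$n" -gt 0 ] || { echo "$cdir is empty" >&2; return 1; }
    echo "$n client key(s) in $cdir"
}

# Demo on a constructed tree with fake PEM bodies (not real keys), starting
# from the page's 0777 state. Prints the temp directory it used.
demo_ssl_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/clients-public-keys"
    printf -- '-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----\n' \
        > "$d/gn-auth-private.pem"
    printf -- '-----BEGIN PUBLIC KEY-----\nfake\n-----END PUBLIC KEY-----\n' \
        > "$d/gn-auth-public.pem"
    cp "$d/gn-auth-public.pem" "$d/clients-public-keys/gn2-client.pem"
    chmod -R 0777 "$d"
    fix_ssl_perms "$d"
    check_clients_dir "$d" >/dev/null
    echo "$d"
}

# On tux02 (as root) the real call would be:
#   fix_ssl_perms /export2/guix-containers/genenetwork/gn-qa/var/ssl gn-auth
if [ "${1:-}" = demo ]; then
    demo_ssl_tree
fi
```

With ownership handed to the service account, the `--share=...=/var/ssl` mount and the writable `file-system-mapping` still work, because the account that needs the files owns them; nothing else on the host can read the private keys.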

and for the gunicorn app, which gets a writable mapping of the same directory for similar permission issues. Note that `AUTHLIB_INSECURE_TRANSPORT=true` tells Authlib to accept OAuth2 requests over plain HTTP; that is only tolerable for traffic that never leaves the container and must not be carried into a production service definition:

```
(gunicorn-app
             (name "gn-auth")
             (package gn-auth)
             (sockets (list (forge-ip-socket
                             (port gn-auth-port))))
             (wsgi-app-module "gn_auth:create_app()")
             (workers 20)
             (environment-variables
              (list (environment-variable
                     (name "GN_AUTH_CONF")
                     (value gn-auth-conf))
                    (environment-variable
                     (name "HOME")
                     (value "/tmp"))
                    (environment-variable
                     (name "AUTHLIB_INSECURE_TRANSPORT")
                     (value "true"))))
             (mappings (list database-mapping
                             [...]
                             (file-system-mapping
                              (source ssl-path)
                              (target source)
                              (writable? #t)))))
```

### GN2 Set-up


Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn2-secrets.py:

```
SECRET_KEY="XXXX"
OAUTH2_CLIENT_ID="XXXX"
OAUTH2_CLIENT_SECRET="XXXX"
```

### GN3 Set-up

Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn3-secrets.py:

```
SECRET_KEY="XXXX"
FAHAMU_AUTH_TOKEN="XXXX"
```

### gn-auth Set-up

Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn3-secrets.py:

```
SECRET_KEY="XXXX"
FAHAMU_AUTH_TOKEN="XXXXX"
```

For the db, I manually inserted entries for Bonfacem and AlexM using scripts from gn-auth in SQLite and saved that to /export/data/gn-qa/genenetwork-sqlite/auth-qa.db
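The three *-secrets.py files above are shown with "XXXX" placeholders. As an added example (not part of gn-machines or the gn-auth tooling), this script generates the random SECRET_KEY values, writes each secrets file with owner-only permissions, and refuses to proceed while any file still holds a placeholder. OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET and FAHAMU_AUTH_TOKEN come from the gn-auth client registration and from Fahamu, so they are passed in rather than generated; the values used in the demo are made up.

```shell
#!/bin/sh
# Added example, not gn-machines code: fill the *-secrets.py placeholders
# with generated values, write the files owner-only, and catch any file that
# still carries the "XXXX" placeholders before the container is built.
set -eu

# 32 bytes from the kernel CSPRNG as 64 hex characters: enough for a Flask
# SECRET_KEY, which signs the session cookie.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE NAME=VALUE...  Creates FILE from scratch with mode 0600
# (the umask change is confined to the subshell) and one NAME="VALUE" line
# per argument, in the Python form the tangled files use.
write_secrets() {
    out=$1; shift
    rm -f "$out"
    ( umask 077; : > "$out" )
    chmod 0600 "$out"
    for kv in "$@"; do
        printf '%s="%s"\n' "${kv%%=*}" "${kv#*=}" >> "$out"
    done
}

# Fail if any given file still contains a quoted run of X's as a value.
check_no_placeholders() {
    rc=0
    for f in "$@"; do
        if grep -q '"X\{4,\}"' "$f"; then
            echo "placeholder secret left in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo in a temp directory standing in for
# /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/.  The client
# id/secret and token are constructed values, not real credentials.
demo_secrets() {
    d=$(mktemp -d)
    write_secrets "$d/gn2-secrets.py" \
        "SECRET_KEY=$(gen_secret)" \
        "OAUTH2_CLIENT_ID=client-id-from-gn-auth" \
        "OAUTH2_CLIENT_SECRET=client-secret-from-gn-auth"
    write_secrets "$d/gn3-secrets.py" \
        "SECRET_KEY=$(gen_secret)" \
        "FAHAMU_AUTH_TOKEN=token-from-fahamu"
    check_no_placeholders "$d"/gn?-secrets.py
    # A file copied straight from this page must be rejected.
    printf 'SECRET_KEY="XXXX"\n' > "$d/stale-secrets.py"
    if check_no_placeholders "$d/stale-secrets.py" 2>/dev/null; then
        echo "placeholder check did not fire" >&2
        return 1
    fi
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    demo_secrets
fi
```

Run `check_no_placeholders` over the real files in /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/ as part of the deploy script so a half-configured container never comes up with a guessable SECRET_KEY.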

### Nginx configuration / Building the container

Added this block to /etc/nginx/nginx.conf on tux02 (the `[...]` stand for the other upstreams and map entries that are already there):


```
stream {
    [...]

    upstream qa-gn-genenetwork {
        server 127.0.0.1:10908;
    }

    [...]

    map $ssl_preread_server_name $upstream {
        qa.genenetwork.org qa-gn-genenetwork;
        qa-auth.genenetwork.org qa-gn-genenetwork;
        [...]
    }
```

Reload nginx gracefully:

```
sudo systemctl reload nginx
```
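For reference, this is what the complete stream block has to contain for that map to route anything; it is an added illustration, not a copy of the tux02 configuration. Only the upstream and the two SNI names come from the fragment above; the `server` block (listen port, `ssl_preread on`, `proxy_pass $upstream`) is assumed.

```nginx
stream {
    upstream qa-gn-genenetwork {
        server 127.0.0.1:10908;
    }

    # ssl_preread reads the SNI name from the ClientHello and passes the TLS
    # stream through untouched: the certificates for these names live inside
    # the container (hence `acme renew` there), not in this nginx.
    map $ssl_preread_server_name $upstream {
        qa.genenetwork.org       qa-gn-genenetwork;
        qa-auth.genenetwork.org  qa-gn-genenetwork;
    }

    server {
        listen 443;           # assumed: the host's public TLS port
        ssl_preread on;
        proxy_pass $upstream;
    }
}
```

Names not in the map leave `$upstream` empty and nginx cannot proxy such a connection, so add a `default` entry if something should receive them. Run `sudo nginx -t` before the reload above so that a typo in the new entries does not take the other stream upstreams down with it.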

### AI Set-up and Systemd service set-up


XXX: TODO with Alexm

### Troubleshooting

Inside the container, TLS certificate issues were resolved by renewing the certificate:

```
/usr/bin/acme renew
```

A missing-key error in GN2 when signing in a new user, raised in wqflask/oauth2/toplevel.py at:

```
[...]
"sub": request.args["user_id"]
[...]
```

was fixed by using the latest gn-auth code. The one packaged in guix-bioinformatics is stale.

There was an error when displaying the error page.  Fixed upstream in guix-bioinformatics:

=> https://git.genenetwork.org/guix-bioinformatics/commit/?id=7f9908d03acd6d2c44733188122313036dc63b64

Whenever our git instance is down, CD (in particular for auth) fails. This needs further investigation; restarting the CD container fixes it.