path: root/topics/systems/gn-qa-system.gmi
blob: f4114bbe1867cfb40a893533cdd369b0de31767b (plain)
# Fire up system container for GN-QA System

# Tags

* assigned: bonfacem, alexm


The current code is a WIP.  Patches will be sent after a working container is set up.  The most recent code can be found at /home/bonfacem/gn-machines, and the current confs that were copied to their respective paths can be found at /home/bonfacem/qa-set-up-files/.  Important files that were changed or introduced are: /home/bonfacem/gn-machines/{qa-gn.scm, qa-gn-deploy.sh, genenetwork/services/genenetwork.scm}.

### Setting up SSL Keys

Generated the RS256 key-pairs by following:

=> Generating How to generate Key-Pairs

Currently, on tux02, you can find the key-pairs:

```
ls /home/bonfacem/qa-set-up-files/*pem
```

These have been saved in

```
/export2/guix-containers/genenetwork/gn-qa/var/ssl
```

The client key pairs have been saved in:

```
/export2/guix-containers/genenetwork/gn-qa/var/ssl/clients-public-keys/
```

If the above directory is empty, gn-auth will crap out.

In the container, we have that mounted as:

```
--share=/export2/guix-containers/genenetwork/gn-qa/var/ssl=/var/ssl
```

Because of permission issues, this is a lazy work-around---when setting up the container---to get things up and running:

```
(for-each (lambda (file)
            (chmod file #o777))
          (find-files #$ssl-path #:directories? #t))
```

and for the gunicorn app, because of similar permission issues:

```
(gunicorn-app
 (name "gn-auth")
 (package gn-auth)
 (sockets (list (forge-ip-socket
                 (port gn-auth-port))))
 (wsgi-app-module "gn_auth:create_app()")
 (workers 20)
 (environment-variables
  (list (environment-variable
         (name "GN_AUTH_CONF")
         (value gn-auth-conf))
        (environment-variable
         (name "HOME")
         (value "/tmp"))
        (environment-variable
         (name "AUTHLIB_INSECURE_TRANSPORT")
         (value "true"))))
 (mappings (list database-mapping
                 [...]
                 (file-system-mapping
                  (source ssl-path)
                  (target source)
                  (writable? #t)))))
```
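
The two workarounds above (chmod 777 over the whole ssl-path tree, and a writable mapping of it into the gunicorn app) leave private key material world-writable, and the empty clients-public-keys directory is a separate failure mode that only shows up at gn-auth start-up. The following Python is an added example, not code from this page or from gn-machines: a pre-flight audit of a /var/ssl-style tree that reports an empty or missing clients-public-keys directory, world-writable entries, private keys readable by group/other, and private keys that ended up among the client public keys. It classifies files by PEM header only (no key parsing), and the names audit_ssl_dir, classify_pem and make_sample_layout, plus the constructed sample tree, are this example's own assumptions.

```python
import stat
import tempfile
from pathlib import Path
from typing import List

# Added example, not part of gn-machines. The directory name matches the
# layout described on this page; everything else here is an assumption.
CLIENTS_SUBDIR = "clients-public-keys"
PRIVATE_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")
PUBLIC_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN RSA PUBLIC KEY-----")


def classify_pem(path: Path) -> str:
    """Classify a file as 'private', 'public' or 'unknown' from its PEM header only."""
    try:
        head = path.read_bytes()[:64]
    except OSError:
        return "unknown"
    if head.startswith(PRIVATE_MARKERS):
        return "private"
    if head.startswith(PUBLIC_MARKERS):
        return "public"
    return "unknown"


def audit_ssl_dir(ssl_root: Path) -> List[str]:
    """Return human-readable findings; an empty list means the tree looks sane."""
    findings = []
    if not ssl_root.is_dir():
        return [f"missing: {ssl_root}"]
    clients = ssl_root / CLIENTS_SUBDIR
    if not clients.is_dir():
        findings.append(f"missing: {clients} (gn-auth needs it)")
    elif not any(clients.iterdir()):
        findings.append(f"empty: {clients} (gn-auth will not start)")
    for path in sorted(ssl_root.rglob("*")):
        mode = stat.S_IMODE(path.stat().st_mode)
        kind = classify_pem(path) if path.is_file() else "dir"
        # The chmod 777 workaround makes every file and directory trip this check.
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {path} ({oct(mode)})")
        if kind == "private":
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"private key readable by group/other: {path} ({oct(mode)})")
            if path.parent == clients:
                findings.append(f"private key inside clients dir: {path}")
        if kind == "unknown" and path.suffix == ".pem":
            findings.append(f"unrecognised PEM: {path}")
    return findings


def make_sample_layout(private_mode: int = 0o600, populate_clients: bool = True) -> Path:
    """Constructed sample tree in a temp dir; the PEM bodies are placeholders, not real keys."""
    root = Path(tempfile.mkdtemp(prefix="gn-qa-ssl-"))
    root.chmod(0o755)
    clients = root / CLIENTS_SUBDIR
    clients.mkdir()
    clients.chmod(0o755)
    pub = b"-----BEGIN PUBLIC KEY-----\nNOTAKEY\n-----END PUBLIC KEY-----\n"
    priv = b"-----BEGIN PRIVATE KEY-----\nNOTAKEY\n-----END PRIVATE KEY-----\n"
    (root / "private.pem").write_bytes(priv)
    (root / "private.pem").chmod(private_mode)
    (root / "public.pem").write_bytes(pub)
    (root / "public.pem").chmod(0o644)
    if populate_clients:
        (clients / "client1.pem").write_bytes(pub)
        (clients / "client1.pem").chmod(0o644)
    return root


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/var/ssl")
    for line in audit_ssl_dir(target) or ["ok: no findings"]:
        print(line)
```

Run it against the shared directory on the host (the /export2/... path) rather than inside the container, so the modes it reports are the ones the host's permission fix eventually has to satisfy once the chmod 777 workaround is retired.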

### GN2 Set-up


Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn2-secrets.py:

```
SECRET_KEY="XXXX"
OAUTH2_CLIENT_ID="XXXX"
OAUTH2_CLIENT_SECRET="XXXX"
```

### GN3 Set-up

Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn3-secrets.py:

```
SECRET_KEY="XXXX"
FAHAMU_AUTH_TOKEN="XXXX"
```

### gn-auth Set-up

Had the following tangled to /export2/guix-containers/genenetwork/gn-qa/etc/genenetwork/gn3-secrets.py:

```
SECRET_KEY="XXXX"
FAHAMU_AUTH_TOKEN="XXXXX"
```

For the db, I manually inserted entries for Bonfacem and AlexM using scripts from gn-auth in SQLite and saved that to /export/data/gn-qa/genenetwork-sqlite/auth-qa.db

### Nginx configuration / Building the container

Added this block to /etc/nginx/nginx.conf:


```
stream {
    [...]

    upstream qa-gn-genenetwork {
        server 127.0.0.1:10908;
    }

    [...]

    map $ssl_preread_server_name $upstream {
        qa.genenetwork.org qa-gn-genenetwork;
        qa-auth.genenetwork.org qa-gn-genenetwork;
        [...]
    }
}
```

Reload nginx gracefully:

```
sudo systemctl reload nginx
```
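
The stream block above routes on $ssl_preread_server_name, which nginx's ssl_preread takes from the cleartext SNI extension of the TLS ClientHello before any TLS is terminated; the container on 127.0.0.1:10908 then does the actual TLS. The following Python is an added example, not code from this page, from nginx or from gn-machines: it builds a minimal ClientHello carrying only an SNI extension (constructed test input), extracts the server name the way ssl_preread does, and applies the page's map to choose the upstream. The names build_client_hello, extract_sni and route are this example's own.

```python
import struct
from typing import Dict, Optional

# Taken from the map block on this page; a missing name falls through to the default.
SNI_MAP: Dict[str, str] = {
    "qa.genenetwork.org": "qa-gn-genenetwork",
    "qa-auth.genenetwork.org": "qa-gn-genenetwork",
}


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with a single SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # extension_type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                                    # client_version, random (zeroed: test only)
            + b"\x00"                                                  # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:           # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                       # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):                            # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5 and pos + elen <= len(body):
            # server_name_list_len(2) name_type(1) name_len(2) name
            name_type = body[pos + 2]
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            if name_type == 0 and pos + 5 + name_len <= pos + elen:
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def route(record: bytes, sni_map: Dict[str, str] = SNI_MAP, default: Optional[str] = None) -> Optional[str]:
    """Mimic the nginx map: pick an upstream by SNI, or fall back to the default."""
    name = extract_sni(record)
    return sni_map.get(name, default) if name is not None else default


if __name__ == "__main__":
    for host in ("qa.genenetwork.org", "qa-auth.genenetwork.org", "example.org"):
        print(host, "->", route(build_client_hello(host)))
```

Two things the example makes visible: a plaintext request hitting port 443 (or a client that sends no SNI) never matches a map entry and lands on whatever the map's default is, so that default deserves an explicit entry; and the server name is read unencrypted and unauthenticated, which is fine for routing but says nothing about who the client is, so the authentication still has to happen at gn-auth behind the upstream.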

### AI Set-up and Systemd service set-up


XXX: TODO with Alexm

### Troubleshooting

In the container, SSL issues were resolved by running:

```
/usr/bin/acme renew
```

An error related to a missing key in GN2 when trying to sign a new user in wqflask/oauth2/toplevel.py:

```
[...]
"sub": request.args["user_id"]
[...]
```

was fixed by using the latest gn-auth code.  The one in guix-bioinformatics is stale.

There was an error when displaying the error page.  Fixed upstream in guix-bioinformatics:

=> https://git.genenetwork.org/guix-bioinformatics/commit/?id=7f9908d03acd6d2c44733188122313036dc63b64

Whenever our git instance fails, CD---in particular auth---will fail.  This needs further investigation.  Restarting the CD container will fix things.