turnserver: workaround zero-knowledge.read limitation

slapos.cookbook:zero-knowledge.read has this limitation that because it reads the secret file on __init__, ie. before any other parts are installed, the value cannot be read the first time. On first slapos node instance run, the generated turnserver-config has an empty secret, it's only after the second execution that the secret is generated. What happens is: - first run: - read-secret __init__ cannot find the file and does not override secret - turnserver-config uses the default ${read-secret:secret} (empty string) - gen-secret install creates the secret file - second run - read-secret __init__ finds the file and override secret with the value read from the file. - turnserver-config uses the overriden ${read-secret:secret} (good secret) This was not a problem before, because some frontend promise were always failing, so we processed this partition several time, but now it is succesfully processed the first time. To workadound this, we prevent turnserver from starting if secret is empty, then promise will fail, instance will be processed a second time and then turnserver will run with a secret.

turnserver: workaround zero-knowledge.read limitation
slapos.cookbook:zero-knowledge.read has this limitation that because it reads the secret file on __init__, ie. before any other parts are installed, the value cannot be read the first time. On first slapos node instance run, the generated turnserver-config has an empty secret, it's only after the second execution that the secret is generated. What happens is: - first run: - read-secret __init__ cannot find the file and does not override secret - turnserver-config uses the default ${read-secret:secret} (empty string) - gen-secret install creates the secret file - second run - read-secret __init__ finds the file and override secret with the value read from the file. - turnserver-config uses the overriden ${read-secret:secret} (good secret) This was not a problem before, because some frontend promise were always failing, so we processed this partition several time, but now it is succesfully processed the first time. To workadound this, we prevent turnserver from starting if secret is empty, then promise will fail, instance will be processed a second time and then turnserver will run with a secret.
ad7603f0 · Jérome Perrin · 0454ef56 · ad7603f0 · ad7603f0
Commit ad7603f0 authored Sep 21, 2019 by Jérome Perrin
Showing with 7 additions and 3 deletions

software/turnserver/buildout.hash.cfg software/turnserver/buildout.hash.cfg +1 -1

software/turnserver/instance-turnserver.cfg.jinja2.in software/turnserver/instance-turnserver.cfg.jinja2.in +6 -2

No files found.
--- a/software/turnserver/buildout.hash.cfg
+++ b/software/turnserver/buildout.hash.cfg
@@ -19,4 +19,4 @@ md5sum = d027a2dccaf15ae6e7d3a28cc02d70c3

 [template-turnserver]
 filename = instance-turnserver.cfg.jinja2.in
-md5sum = f275df4900a9db1d1a72b67b12ee8afe
+md5sum = 6ba54fb299e1fd59617e5a6a9545e36e
--- a/software/turnserver/instance-turnserver.cfg.jinja2.in
+++ b/software/turnserver/instance-turnserver.cfg.jinja2.in
@@ -109,8 +109,12 @@ mode = 644

 [turnserver-wrapper]
 recipe = slapos.cookbook:wrapper
-command-line = {{ parameter_dict['turnserver-location'] }}/bin/turnserver
-               -c ${turnserver-config:output}
+# XXX on first invocation of read-secret, the secret file is not yet generated
+# so on first buildout run turnserver-config has an empty secret.
+# We don't want to start the server when config file is not complete.
+command-line =
+  bash -c "egrep static-auth-secret=.+ ${turnserver-config:output} && \
+  {{ parameter_dict['turnserver-location'] }}/bin/turnserver -c ${turnserver-config:output}"
 wrapper-path = ${directory:services}/turnserver
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg