Commit 969e31cd authored by Jérome Perrin's avatar Jérome Perrin

turnserver: workaround zero-knowledge.read limitation

slapos.cookbook:zero-knowledge.read has this limitation that because it
reads the secret file on __init__, ie. before any other parts are
installed, the value cannot be read the first time.
On first slapos node instance run, the generated turnserver-config has
an empty secret, it's only after the second execution that the secret is
generated. What happens is:
 - first run:
   - read-secret __init__ cannot find the file and does not override
     secret
   - turnserver-config uses the default ${read-secret:secret} (empty
     string)
   - gen-secret install creates the secret file
 - second run
   - read-secret __init__ finds the file and override secret with the
     value read from the file.
   - turnserver-config uses the overriden ${read-secret:secret} (good
     secret)

This was not a problem before, because some frontend promise were
always failing, so we processed this partition several time, but now it
is succesfully processed the first time.

To workadound this, we prevent turnserver from starting if secret is
empty, then promise will fail, instance will be processed a second time
and then turnserver will run with a secret.
parent 674c91ab
......@@ -19,4 +19,4 @@ md5sum = d027a2dccaf15ae6e7d3a28cc02d70c3
[template-turnserver]
filename = instance-turnserver.cfg.jinja2.in
md5sum = 02bddf180519f7649d3b1f997a496eed
md5sum = e3552dfb20cce771d6f1b524c6ade4ac
......@@ -109,8 +109,12 @@ mode = 644
[turnserver-wrapper]
recipe = slapos.cookbook:wrapper
command-line = {{ parameter_dict['turnserver-location'] }}/bin/turnserver
-c ${turnserver-config:output}
# XXX on first invocation of read-secret, the secret file is not yet generated
# so on first buildout run turnserver-config has an empty secret.
# We don't want to start the server when config file is not complete.
command-line =
bash -c "egrep static-auth-secret=.+ ${turnserver-config:output} && \
{{ parameter_dict['turnserver-location'] }}/bin/turnserver -c ${turnserver-config:output}"
wrapper-path = ${directory:services}/turnserver
hash-files = ${buildout:directory}/software_release/buildout.cfg
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment