High Performance Computing (HPC) webhook package to trigger qsub commands
For more information see the documentation:
- Usage instructions
- Installation instructions
- Design
- Glossary
License: MIT License
The HTTP method should be GET, and the URL should be
http(s)://{QaasHost}:{QaasPort}/configuration/{webhookId}
SSH connection needs to be closed when done. This is currently not the case.
Perhaps refactor connector.go and execute.go and replace the ssh.Dial convenience function call with something else:
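// open the TCP connection ourselves instead of letting ssh.Dial do it
c, err := net.DialTimeout(network, addr, timeout)
if err != nil {
	return nil, err
}
// run the SSH handshake on top of the TCP connection
conn, chans, reqs, err := ssh.NewClientConn(c, addr, config)
if err != nil {
	return nil, err
}
// will close the underlying net.Conn
defer conn.Close()
// NewClient takes the ssh.Conn from the handshake, not the raw net.Conn
client := ssh.NewClient(conn, chans, reqs)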
roboos@mentat005> wget https://qaas.dccn.nl:443/xxxx
--2019-03-16 10:20:00-- https://qaas.dccn.nl/xxxx
Resolving qaas.dccn.nl (qaas.dccn.nl)... 131.174.44.44
Connecting to qaas.dccn.nl (qaas.dccn.nl)|131.174.44.44|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-03-16 10:20:00 ERROR 404: Not Found.
The HTTP method should be DELETE and the URL should be:
http(s)://{QaasHost}:{QaasPort}/configuration/{WebhookID}
It should just return HTTP code 200 on success, 404 if the {WebhookID} is not found.
Question: how to be sure the webhook is deleted by the owner of it, not any random user?
roboos@mentat005> hpcutil webhook list
ERRO[0000] error retrieving webhook info from the QaaS server: 404 Not Found (HTTP CODE: 404)
ERRO[0000] error retrieving webhook info from the QaaS server: 404 Not Found (HTTP CODE: 404)
Perhaps this is due to you not having completed the install yet. In that case, please do let me know when it is ready.
Since the script.sh file is not to be executed itself, I propose to call it script. That aligns better with payload, which ends up in the same directory.
The webhook trigger should be updated to integrate with the Slurm cluster.
@rutgervandeelen
I think it is safer to also match the username (and/or group name) when retrieving webhook information from the database.
Since we have a working directory for each webhook under the user's home directory, I think we could make use of it to allow creating a webhook-specific secret using an approach similar to the .htpasswd file.
For example, after a user creates a webhook,
$ hpcutil webhook create {qsubScript}
The user can optionally secure it by using the client:
$ hpcutil webhook secure {webhookID} --secret {webhookSecret}
or these two steps can be combined in one command:
$ hpcutil webhook create {subscript} --secret {webhookSecret}
Under the hood, the client tool writes the (one-way hashed) secret in a file (e.g. secret) in the webhook's working directory.
When there is a trigger to the webhook, the server checks whether there is such a secret file available in its working directory; if so, it tries to match the secret received from the HTTP request header to the secret in the file. The following qsub command is only performed if there is a match.
If the webhook folder doesn't have the secret file in it, the trigger is then accepted without the check. This allows the user to remove (and reset) the secret easily by just removing the secret file.
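The secret check proposed above, sketched in Go as an added example (not code from hpc-webhook). The function names, the choice of SHA-256 and the sample values are assumptions; only the file name secret and the accept-when-absent rule come from the proposal.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// hashSecret: hex SHA-256 of the secret. The proposal only says "one-way
// hashed"; SHA-256 is an assumption and suits long random secrets only.
func hashSecret(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// writeSecret is the client side ("webhook secure"): store only the hash.
func writeSecret(webhookDir, secret string) error {
	return os.WriteFile(filepath.Join(webhookDir, "secret"), []byte(hashSecret(secret)+"\n"), 0600)
}

// triggerAllowed is the server-side check that gates the qsub call.
func triggerAllowed(webhookDir, presented string) (bool, error) {
	stored, err := os.ReadFile(filepath.Join(webhookDir, "secret"))
	if errors.Is(err, fs.ErrNotExist) {
		return true, nil // no secret file: accepted unchecked, as proposed
	}
	if err != nil {
		return false, err // unreadable file: fail closed, never skip the check
	}
	want := strings.TrimSpace(string(stored))
	// Constant-time compare; an empty or truncated file matches nothing.
	return subtle.ConstantTimeCompare([]byte(want), []byte(hashSecret(presented))) == 1, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "webhook-") // constructed working directory
	defer os.RemoveAll(dir)
	open, _ := triggerAllowed(dir, "")
	_ = writeSecret(dir, "constructed-secret")
	good, _ := triggerAllowed(dir, "constructed-secret")
	bad, _ := triggerAllowed(dir, "guess")
	fmt.Println(open, good, bad)
}
```

Only a missing file skips the check; any other read error rejects the trigger, so a permissions problem cannot silently turn a secured webhook into an open one.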
@rutgervandeelen
It looks to me that this will result in removing the existing table after a restart of the PostgreSQL container. Is it intended?
For consistency it would be better if the directory would not have an "s" in its name.
@rutgervandeelen
It's nice to see that you return whatever in the database Item back as the information; but I miss the full Webhook URL which needs to be constructed by taking the Hash of the Webhook and the base URL of the webhook trigger. Please also provide it as part of the returned Webhook info.
I recommend to rename this application from hpc-qaas to hpc-webhook
Motivation:
The primary application is to have a webhook server, which executes jobs on our compute cluster using qsub. The cluster itself is not the service, neither is qsub the service.
so that triggers from GitHub (and maybe others) will not be terminated after exceeding the expected response time.
GitHub expects the webhook server to respond within 10 seconds, otherwise it terminates the call. See this document from GitHub.
When it happens, the NGINX proxy server reports the following error log:
access.hpc-webhook.log-20191019.gz:192.30.252.99 - - [18/Oct/2019:13:19:09 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/3b07851"
access.hpc-webhook.log-20191019.gz:140.82.115.245 - - [18/Oct/2019:13:34:08 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/3b07851"
access.hpc-webhook.log-20191019.gz:140.82.115.251 - - [18/Oct/2019:15:40:31 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/3b07851"
access.hpc-webhook.log-20191019.gz:192.30.252.97 - - [18/Oct/2019:23:48:16 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/6c1acbb"
access.hpc-webhook.log-20191020.gz:140.82.115.245 - - [19/Oct/2019:15:45:18 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/6c1acbb"
access.hpc-webhook.log-20191020.gz:140.82.115.249 - - [19/Oct/2019:20:43:59 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/6c1acbb"
access.hpc-webhook.log-20191020.gz:192.30.252.98 - - [19/Oct/2019:23:46:51 +0200] "POST /webhook/91580b45-03e0-4b6f-9001-2c76e7ac4e4a HTTP/1.1" 499 0 "-" "GitHub-Hookshot/6c1acbb"
@rutgervandeelen
Please return the ConfigurationResponse after the new webhook is registered. This allows the client to give the user feedback with the Webhook URL he/she can then use to register it on a Webhook trigger (e.g. on GitHub).
You seem to return the ConfigurationResponse in the WebhookHandler, which I don't think is necessary as I don't think the Webhook trigger (such as GitHub) will be able to process this response.
@rutgervandeelen
I just noticed that the URL returned from the database.getRow doesn't contain the server.WebhookPath (see the link below). If one takes that URL and calls it directly, the 404 NOT FOUND is returned.
@rutgervandeelen
In the code referred to below, you seem to check and create an SSH key pair per user. This is to my understanding not necessary.
The entire QaaS can just use one key pair with the private key held by (and only accessible for) the QaaS service user, while the public key is distributed into users' ~/.ssh/authorized_keys file. This already allows the QaaS service user to SSH into an individual user's account.
hpc-webhook/internal/server/key.go
Line 114 in 070c4eb
The code above is how the .ssh/authorized_keys path is constructed. It assumes that the user's home directory follows the format of /home/{group_name}/{user_name}, which is not always the case. It should be replaced by
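import "os/user"
...
// resolve the real home directory from the account database
u, err := user.Lookup(username)
if err != nil {
	return err // adapt to the enclosing function's return values
}
sshDir := path.Join(u.HomeDir, ".ssh")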