Add Gunicorn example #80
Conversation
Signed-off-by: Sonali Saha <[email protected]>
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @sahason)
gunicorn/gunicorn.manifest.template line 40 at r1 (raw file):
# BSD (flock) locks are currently experimental sys.experimental__enable_flock = true
Does it really require flock locks? If you remove this option, Gunicorn fails?
gunicorn/README.md line 3 at r1 (raw file):
# Gunicorn example This directory contains an example for running Gunicorn in Gramine, including the
Can you add official links to Gunicorn, and add a paragraph on what Gunicorn is? And why is it beneficial to put it inside Gramine?
Also, what is the relationship between Gunicorn and Flask?
gunicorn/README.md line 29 at r1 (raw file):
Without SGX:gramine-direct gunicorn --workers 1 --timeout 600 main:app
Why not put these arguments as loader.argv (see https://gramine.readthedocs.io/en/stable/manifest-syntax.html#command-line-arguments)
Then you won't need to use an insecure loader.insecure__use_cmdline_argv.
Also, please describe why you must have workers == 1 and timeout == 600. Why not have the default settings?
Signed-off-by: Sonali Saha <[email protected]>
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv)
gunicorn/gunicorn.manifest.template line 40 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Does it really require flock locks? If you remove this option, Gunicorn fails?
For the sample application it is not required. But if any file is getting download from endpoints flock is required. I have removed this line.
gunicorn/README.md line 3 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Can you add official links to Gunicorn, and add a paragraph on what Gunicorn is? And why is it beneficial to put it inside Gramine?
Also, what is the relationship between Gunicorn and Flask?
Done.
gunicorn/README.md line 29 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Why not put these arguments as
loader.argv(see https://gramine.readthedocs.io/en/stable/manifest-syntax.html#command-line-arguments)Then you won't need to use an insecure
loader.insecure__use_cmdline_argv.Also, please describe why you must have
workers == 1andtimeout == 600. Why not have the default settings?
Modified the manifest file.
To workaround the timeout issue which happens due to gramine not supporting sharing file metadata (st_ctime) information between child and parent processes, the timeout is set to a higher value.
More details are here. I found a gap between Gunicorn execution in native vs gramine (Both gramine-direct and gramine-sgx) irrespective of the value of timeout. In native the flow works fine but in gramine the worker is up for some time ~(timeout-20) seconds then exit happens, and the worker is restarted again after timeout.
In Gunicorn timeout happens when time.time() - worker.tmp.last_update() <= self.timeout
https://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/arbiter.py#L498 & https://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/workers/workertmp.py#L49C24-L49C53. After every timeout/2 seconds the st_ctime of a tmpfs file is updated by fchmod https://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/workers/workertmp.py#L46. So, last updated time will get updated after each timeout/2 seconds. The fchmod happens in a forked process and Gunicorn checks updated time using fstat in parent process in each one second interval. In gramine the file metadata information (st_ctime in this case) is not propagated from child to parent if there is any change in child process due to fchmod. I have found similar issues already reported in gramine Forked processes do not get updated file sizes when modified in a multi-process scenario · Issue #1134 · gramineproject/gramine (github.com) & gramineproject/gramine#254. There is a work item to handle the shared tmpfs files gramineproject/gramine#584. Also note that we have to handle st_ctime modification for tmpfs files when fchmod is called when this fix is in.
Signed-off-by: Sonali Saha <[email protected]>
|
I tested this example currently on Ubuntu 22.04 system, I was able to launch the gunicorn app with both gramine-direct and gramine-sgx, but I am not able to kill the process. Everytime I have to hard kill both the child and parent process. Starting GUNICORN app Get the process details and kill it |
Signed-off-by: Sonali Saha <[email protected]>
There was a problem hiding this comment.
Please check now. Added "sys.enable_sigterm_injection = true" to the manifest file.
Reviewable status: 0 of 4 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
|
@sahason It works now. I will continue to further test on other distros |
Signed-off-by: Sonali Saha <[email protected]>
Signed-off-by: Sonali Saha <[email protected]>
|
We tested across distros, and it is working fine, no further issues to report |
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @sahason)
a discussion (no related file):
Add the explicit BSD-3 license, see #90
Signed-off-by: Sonali Saha <[email protected]>
There was a problem hiding this comment.
Reviewable status: 0 of 4 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Add the explicit BSD-3 license, see #90
Done.
There was a problem hiding this comment.
Reviewed 1 of 2 files at r2, 1 of 2 files at r4, 2 of 2 files at r5, all commit messages.
Reviewable status: all files reviewed, 14 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @sahason)
gunicorn/gunicorn.manifest.template line 9 at r5 (raw file):
loader.log_level = "{{ log_level }}" loader.argv = ["gunicorn", "--timeout", "600", "main:app"]
Please add a quick comment on why we need --timeout 600. Like this:
# we need `--timeout 600` to work around the problem of a constantly restarting worker process:
# the worker process is supposed to update the ctime of the shared file, and the parent process
# verifies that the worker process is alive by checking the ctime of this file every second.
# This ctime file metadata sharing between processes is currently not supported by Gramine;
# see also https://github.com/gramineproject/gramine/issues/1134.
gunicorn/gunicorn.manifest.template line 13 at r5 (raw file):
sys.enable_sigterm_injection = true loader.env.LD_LIBRARY_PATH = "/gramine_lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
Any reason you're using /gramine_lib? We typically use /lib:
gunicorn/gunicorn.manifest.template line 16 at r5 (raw file):
fs.mounts = [ { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
Please move this entry right-before /usr/{{ arch_libdir }}, for readability
gunicorn/gunicorn.manifest.template line 18 at r5 (raw file):
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" }, { path = "{{ entrypoint }}", uri = "file:{{ entrypoint }}" }, { path = "/gramine_lib", uri = "file:{{ gramine.runtimedir() }}" },
Any reason you're using /gramine_lib? We typically use /lib:
gunicorn/gunicorn.manifest.template line 22 at r5 (raw file):
{ path = "{{ path }}", uri = "file:{{ path }}" }, {% endfor %} { path = "/usr/bin", uri = "file:/usr/bin" },
Is this really needed? What happens if you remove it?
gunicorn/gunicorn.manifest.template line 31 at r5 (raw file):
sgx.max_threads = 64 sgx.use_exinfo = true
Is this really needed? What happens if you remove it?
gunicorn/gunicorn.manifest.template line 34 at r5 (raw file):
sgx.trusted_files = [ "file:{{ arch_libdir }}/",
ditto (move to another place)
gunicorn/gunicorn.manifest.template line 38 at r5 (raw file):
"file:{{ gramine.libos }}", "file:{{ gramine.runtimedir() }}/", "file:main.py",
Can you move it as the very-last item?
gunicorn/gunicorn.manifest.template line 42 at r5 (raw file):
"file:{{ path }}{{ '/' if path.is_dir() else '' }}", {% endfor %} "file:/usr/bin/",
ditto (do you really need it)
gunicorn/main.py line 1 at r5 (raw file):
from flask import Flask, jsonify, request
@sahason Can you please add the license lines also here? If you wrote this yourself, then just add the exact same as for manifest.template and Makefile (BSD license). If you took it from somewhere, please check what license is used for this file in the source website, and add the SPDX with this license here.
gunicorn/README.md line 29 at r1 (raw file):
Previously, sahason wrote…
Modified the manifest file.
To workaround the timeout issue which happens due to gramine not supporting sharing file metadata (
st_ctime) information between child and parent processes, the timeout is set to a higher value.More details are here. I found a gap between Gunicorn execution in native vs gramine (Both gramine-direct and gramine-sgx) irrespective of the value of timeout. In native the flow works fine but in gramine the worker is up for some time ~(timeout-20) seconds then exit happens, and the worker is restarted again after timeout.
In Gunicorn timeout happens whentime.time() - worker.tmp.last_update() <= self.timeout
https://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/arbiter.py#L498 & https://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/workers/workertmp.py#L49C24-L49C53. After everytimeout/2seconds thest_ctimeof atmpfsfile is updated byfchmodhttps://github.com/benoitc/gunicorn/blob/430dcdd997b955fa1a8569a07d9cdcbac686fb35/gunicorn/workers/workertmp.py#L46. So, last updated time will get updated after eachtimeout/2seconds. Thefchmodhappens in a forked process and Gunicorn checks updated time usingfstatin parent process in each one second interval. In gramine the file metadata information (st_ctimein this case) is not propagated from child to parent if there is any change in child process due tofchmod. I have found similar issues already reported in gramine Forked processes do not get updated file sizes when modified in a multi-process scenario · Issue #1134 · gramineproject/gramine (github.com) & gramineproject/gramine#254. There is a work item to handle the shared tmpfs files gramineproject/gramine#584. Also note that we have to handlest_ctimemodification fortmpfsfiles whenfchmodis called when this fix is in.
Thanks for a thorough explanation!
gunicorn/README.md line 4 at r5 (raw file):
This directory contains an example for running Gunicorn in Gramine, including the Makefile and a template for generating the manifest. Gunicorn is a webserver to deploy Flask application in
application -> applications
gunicorn/README.md line 5 at r5 (raw file):
This directory contains an example for running Gunicorn in Gramine, including the Makefile and a template for generating the manifest. Gunicorn is a webserver to deploy Flask application in Python. Although, Flask comes with an internal webserver, this is widely considered to be not
Please remove , after Although:
Although Flask comes ...
gunicorn/README.md line 9 at r5 (raw file):
communicates via the WSGI protocol. A common choice for that webserver is Gunicorn. Users can protect their confidentiality and integrity of the Python based ML APIs and models using Gramine for a more secure production deployment using Gunicorn. For more documentation, refer to
I'm not sure why you added this sentence about Python based ML APIs. I assume that was the final goal of Gunicorn, to use it as a web interface to some AI/ML runtime.
Anyway, since this PR is very generic and only has the HelloWorld example, please remove this whole sentence (Users can protect ...).
gunicorn/README.md line 41 at r5 (raw file):
gramine-sgx gunicorn
But aren't you supposed to also show some client connecting to Gunicorn and receiving the Hello World reply?
Please add a way to quickly test Gunicorn, similar to this: https://github.com/gramineproject/gramine/tree/master/CI-Examples/lighttpd#running-lighttpd
(Just one of wget or curl commands will be enough)
Signed-off-by: Sonali Saha <[email protected]>
There was a problem hiding this comment.
Reviewable status: all files reviewed, 14 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
gunicorn/gunicorn.manifest.template line 9 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please add a quick comment on why we need
--timeout 600. Like this:# we need `--timeout 600` to work around the problem of a constantly restarting worker process: # the worker process is supposed to update the ctime of the shared file, and the parent process # verifies that the worker process is alive by checking the ctime of this file every second. # This ctime file metadata sharing between processes is currently not supported by Gramine; # see also https://github.com/gramineproject/gramine/issues/1134.
Done.
gunicorn/gunicorn.manifest.template line 13 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Any reason you're using
/gramine_lib? We typically use/lib:
We are enabling this example for all supported distros. In Alpine Distro, ARCH_LIBDIR is /lib and by default gramine.runtimedir() was also mounted to /lib which caused conflicts and failed for Alpine Distro. The solution is inspired from https://github.com/gramineproject/gramine/blob/36676a75e9897c9b7b183157a9d9fcdf2f668a13/CI-Examples/blender/blender.manifest.template#L11
gunicorn/gunicorn.manifest.template line 16 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please move this entry right-before
/usr/{{ arch_libdir }}, for readability
Done.
gunicorn/gunicorn.manifest.template line 18 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Any reason you're using
/gramine_lib? We typically use/lib:
We are enabling this example for all supported distros. In Alpine Distro, ARCH_LIBDIR is /lib and by default gramine.runtimedir() was also mounted to /lib which caused conflicts and failed for Alpine Distro. The solution is inspired from (https://github.com/gramineproject/gramine/blob/36676a75e9897c9b7b183157a9d9fcdf2f668a13/CI-Examples/blender/blender.manifest.template#L18)
gunicorn/gunicorn.manifest.template line 22 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Is this really needed? What happens if you remove it?
If I remove it I get below error while running make and the build fails in Ubuntu 20.04.
(libos_rtld.c:710:load_and_check_shebang) [P1:T1:] debug: Interpreter to be used for execve: /usr/bin/python3
(libos_init.c:436:libos_init) [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT)
We could have added the path /usr/bin/python3 if the example was not generic to suppoted all distros. As in RHEL8 and CentOS distros the path is /usr/bin/python3.6 based on the gunicorn installation had to add this way.
gunicorn/gunicorn.manifest.template line 31 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Is this really needed? What happens if you remove it?
Gunicorn failed with Gramine-SGX with below error for CentOS Stream 8 and RHEL 8
"error: Tried to handle a memory fault with no faulting address reported by SGX. Please consider enabling 'sgx.use_exinfo' in the manifest."
To fix this the line is added.
gunicorn/gunicorn.manifest.template line 34 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
ditto (move to another place)
Done.
gunicorn/gunicorn.manifest.template line 38 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Can you move it as the very-last item?
Done.
gunicorn/gunicorn.manifest.template line 42 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
ditto (do you really need it)
If I remove it I get below error while running make and the build fails in Ubuntu 20.04.
(libos_rtld.c:710:load_and_check_shebang) [P1:T1:] debug: Interpreter to be used for execve: /usr/bin/python3
(libos_init.c:436:libos_init) [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT)
We could have added the path /usr/bin/python3 if the example was not generic to suppoted all distros. As in RHEL8 and CentOS distros the path is /usr/bin/python3.6 based on the gunicorn installation had to add the path this way.
gunicorn/main.py line 1 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
@sahason Can you please add the license lines also here? If you wrote this yourself, then just add the exact same as for manifest.template and Makefile (BSD license). If you took it from somewhere, please check what license is used for this file in the source website, and add the SPDX with this license here.
Done.
gunicorn/README.md line 4 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
application->applications
Done.
gunicorn/README.md line 5 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please remove
,afterAlthough:Although Flask comes ...
Done.
gunicorn/README.md line 9 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
I'm not sure why you added this sentence about
Python based ML APIs. I assume that was the final goal of Gunicorn, to use it as a web interface to some AI/ML runtime.Anyway, since this PR is very generic and only has the HelloWorld example, please remove this whole sentence (
Users can protect ...).
Done.
gunicorn/README.md line 41 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
But aren't you supposed to also show some client connecting to Gunicorn and receiving the
Hello Worldreply?Please add a way to quickly test Gunicorn, similar to this: https://github.com/gramineproject/gramine/tree/master/CI-Examples/lighttpd#running-lighttpd
(Just one of
wgetorcurlcommands will be enough)
Done.
There was a problem hiding this comment.
Reviewed 3 of 3 files at r6, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @sahason)
gunicorn/gunicorn.manifest.template line 13 at r5 (raw file):
Previously, sahason wrote…
We are enabling this example for all supported distros. In Alpine Distro,
ARCH_LIBDIRis/liband by defaultgramine.runtimedir()was also mounted to/libwhich caused conflicts and failed for Alpine Distro. The solution is inspired from https://github.com/gramineproject/gramine/blob/36676a75e9897c9b7b183157a9d9fcdf2f668a13/CI-Examples/blender/blender.manifest.template#L11
Thanks for the explanation! Yes, I forgot about Alpine's conflicting /lib dir. We'll probably need to fix it everywhere in our examples at some point?
gunicorn/gunicorn.manifest.template line 22 at r5 (raw file):
Previously, sahason wrote…
If I remove it I get below error while running make and the build fails in Ubuntu 20.04.
(libos_rtld.c:710:load_and_check_shebang) [P1:T1:] debug: Interpreter to be used for execve: /usr/bin/python3
(libos_init.c:436:libos_init) [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT)We could have added the path
/usr/bin/python3if the example was not generic to suppoted all distros. As in RHEL8 and CentOS distros the path is/usr/bin/python3.6based on the gunicorn installation had to add this way.
Still I don't like that we allow all the installed executables on a system.
Can't we use {{ python_exe_path }}? We already have this variable (to get the Python system paths) here, so maybe can use this?
gunicorn/gunicorn.manifest.template line 42 at r5 (raw file):
Previously, sahason wrote…
If I remove it I get below error while running make and the build fails in Ubuntu 20.04.
(libos_rtld.c:710:load_and_check_shebang) [P1:T1:] debug: Interpreter to be used for execve: /usr/bin/python3
(libos_init.c:436:libos_init) [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT)We could have added the path
/usr/bin/python3if the example was not generic to suppoted all distros. As in RHEL8 and CentOS distros the path is/usr/bin/python3.6based on the gunicorn installation had to add the path this way.
Still I don't like that we allow all the installed executables on a system.
Can't we use {{ python_exe_path }}? We already have this variable (to get the Python system paths) here, so maybe can use this?
There was a problem hiding this comment.
Reviewable status: all files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
gunicorn/gunicorn.manifest.template line 22 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Still I don't like that we allow all the installed executables on a system.
Can't we use
{{ python_exe_path }}? We already have this variable (to get the Python system paths) here, so maybe can use this?
In ubuntu20.04 using python_exe_path fails as this path translates to /usr/bn/python3.8 and the interpreter version in /usr/bin/gunicorn i.e. /usr/bin/python3 does not match. So there will be ENOENT failure.
Now tried to set python_exe_path to $(shell sh -c "command -v python3") which translates to /usr/bin/python3 which works fine in ubuntu 20.04. But this will not work in RHEL or CentOS. The interpreter version in /usr/bin/gunicorn in RHEL is/usr/bin/python3.6.
Also tried to set default version of python3 to python3.6 in ubuntu 20.04 and install gunicorn but the interpreter version remains same as /usr/bin/python3 irrespective of default python version.
gunicorn/gunicorn.manifest.template line 42 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Still I don't like that we allow all the installed executables on a system.
Can't we use
{{ python_exe_path }}? We already have this variable (to get the Python system paths) here, so maybe can use this?
In ubuntu20.04 using python_exe_path fails as this path translates to /usr/bn/python3.8 and the interpreter version in /usr/bin/gunicorn i.e. /usr/bin/python3 does not match. So there will be ENOENT failure.
Now tried to set python_exe_path to $(shell sh -c "command -v python3") which translates to /usr/bin/python3 which works fine in ubuntu 20.04. But this will not work in RHEL or CentOS. The interpreter version in /usr/bin/gunicorn in RHEL is/usr/bin/python3.6.
Also tried to set default version of python3 to python3.6 in ubuntu 20.04 and install gunicorn but the interpreter version remains same as /usr/bin/python3 irrespective of default python version.
There was a problem hiding this comment.
Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners
gunicorn/gunicorn.manifest.template line 22 at r5 (raw file):
Previously, sahason wrote…
In ubuntu20.04 using
python_exe_pathfails as this path translates to/usr/bn/python3.8and the interpreter version in/usr/bin/gunicorni.e./usr/bin/python3does not match. So there will beENOENTfailure.
Now tried to setpython_exe_pathto$(shell sh -c "command -v python3")which translates to/usr/bin/python3which works fine in ubuntu 20.04. But this will not work in RHEL or CentOS. The interpreter version in/usr/bin/gunicornin RHEL is/usr/bin/python3.6.
Also tried to set default version of
python3topython3.6in ubuntu 20.04 and install gunicorn but the interpreter version remains same as/usr/bin/python3irrespective of defaultpythonversion.
Ok, I'm unblocking as indeed this will require some complications.
Add Gunicorn example
This change is