cve-search / vulnerability-lookup

Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).
https://cve-search.github.io/vulnerability-lookup/
GNU Affero General Public License v3.0

Provide alternate ways to deploy the website #49

Open cedricbonhomme opened 4 months ago

cedricbonhomme commented 4 months ago

I managed to write a very simple systemd service in order to launch the website. It's quite convenient to start, stop and restart only the website.

But if we go with this possibility, we would need to add an optional parameter for the start command. For example:

$ start --only-backend

this would only execute run_backend and start the importers.

Do you think that's a good idea?

cedricbonhomme commented 4 months ago

It would also be possible to use mod_wsgi instead of using systemd. But in our setting I guess using systemd is even simpler.

Rafiot commented 4 months ago

I like systemd for that, it is very easy to deploy, I generally do it with a script that looks like this, directly with poetry: https://github.com/Lookyloo/lookyloo/blob/main/etc/systemd/system/lookyloo.service.sample.

I generally avoid having too many alternative ways to do the same thing because we will only use one, and the other ones will be broken randomly until someone tells us. So systemd only sounds like a better approach to me.

I'm not sure having two systemd modules is that useful, because the website won't work unless the backend is running. It kinda makes sense to have a way to start/stop the importers as it doesn't impact the website (but it requires the backend too anyway).

cedricbonhomme commented 4 months ago

So you mean one systemd module for the backend and the website? If I understand correctly. I just tried this:

[Unit]
Description=Vulnerability Lookup webservice
After=network.target

[Service]
User=cedric
Group=cedric
WorkingDirectory=/home/cedric/git/vulnerability-lookup
Environment=PATH="/home/cedric/.cache/pypoetry/virtualenvs/vulnerabilitylookup-6JZjMWql-py3.12/bin/:/usr/bin"
ExecStart=/bin/bash -c "run_backend --start ; start_website"
ExecStop=/bin/bash -c "run_backend --stop"

[Install]
WantedBy=multi-user.target

As you can see it uses run_backend --start ; start_website. Only the importers are not started.

It worked quite well. I tried to start and stop several times.

Rafiot commented 4 months ago

It will work, but it won't stop the website cleanly (it will crash because the backend is gone) and we might have ports staying open so starting the website might sometimes fail. That's the advantage of using start/stop: it sets a key in redis that all the services check regularly and stop if that key is present.

The other issue is that when you run run_backend --stop, the importers that are currently running will (most probably) crash and they won't be restarted.

Basically, the backend (redis/kvrocks) is required for all the scripts, if they're gone, the scripts crash. It is possible (not supported yet) to have a start/stop script specifically for the website and another one for the importer, as long as they don't touch the backend. The way to implement that is to make two new stop scripts that are setting dedicated keys in redis, and having the website and the importer check these keys.
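The stop mechanism described in the two comments above (a key in redis that every service checks regularly and stops on, plus dedicated keys so the website or the importers can be stopped without touching the backend), as an added Python example that is not code from the vulnerability-lookup project. The key names, the KeyStore/MemoryStore stand-in and all function names are assumptions chosen for illustration; a real deployment would pass a redis client (which has the same set/exists/delete methods) in place of MemoryStore, and the page does not give the project's actual key names.

```python
"""Cooperative stop signalling via shared keys (added example, assumptions labelled)."""
from __future__ import annotations

import time
from typing import Callable, Protocol


class KeyStore(Protocol):
    """Minimal subset of a redis-like client that the stop mechanism needs."""

    def set(self, key: str, value: str) -> object: ...
    def exists(self, key: str) -> object: ...
    def delete(self, key: str) -> object: ...


class MemoryStore:
    """Constructed in-memory stand-in for redis so the example runs offline."""

    def __init__(self) -> None:
        self._data: dict[str, str] = {}

    def set(self, key: str, value: str) -> bool:
        self._data[key] = value
        return True

    def exists(self, key: str) -> int:
        return 1 if key in self._data else 0

    def delete(self, key: str) -> int:
        return 1 if self._data.pop(key, None) is not None else 0


# Assumed key names: one global key that every service checks (the existing
# start/stop behaviour) and one dedicated key per component, so a component
# can be stopped on its own while the backend keeps running.
GLOBAL_STOP_KEY = "shutdown"          # assumption
COMPONENTS = ("website", "importer")  # assumption


def stop_key(component: str) -> str:
    """Dedicated stop key for one component (assumed naming scheme)."""
    if component not in COMPONENTS:
        raise ValueError(f"unknown component: {component}")
    return f"shutdown:{component}"


def request_stop(store: KeyStore, component: str | None = None) -> None:
    """What a stop script does: set the global key (everything stops) or a
    dedicated key (only that component stops, backend untouched)."""
    store.set(GLOBAL_STOP_KEY if component is None else stop_key(component), "1")


def clear_stop(store: KeyStore, component: str | None = None) -> None:
    """What a start script does first: remove a stale key so the freshly
    started service does not exit on its first check."""
    store.delete(GLOBAL_STOP_KEY if component is None else stop_key(component))


def should_stop(store: KeyStore, component: str) -> bool:
    """Called regularly by each long-running loop; either key stops it.
    bool() tolerates redis-py, whose exists() returns a count."""
    return bool(store.exists(GLOBAL_STOP_KEY)) or bool(store.exists(stop_key(component)))


def run_until_stopped(store: KeyStore, component: str, work: Callable[[], None],
                      poll_interval: float = 0.0, max_iterations: int | None = None) -> int:
    """Service main loop: one unit of work, then check the stop keys.
    Returns the number of completed iterations. max_iterations only bounds
    demonstrations; a real service runs until a key appears."""
    iterations = 0
    while not should_stop(store, component):
        if max_iterations is not None and iterations >= max_iterations:
            break
        work()
        iterations += 1
        if poll_interval:
            time.sleep(poll_interval)
    return iterations


def demo_dedicated_stop() -> dict[str, int]:
    """The importer stops after 3 iterations via its dedicated key; the
    website (bounded at 5 here) is unaffected because that key is not global."""
    store = MemoryStore()
    counts = {"website": 0, "importer": 0}

    def importer_work() -> None:
        counts["importer"] += 1
        if counts["importer"] == 3:
            request_stop(store, "importer")  # as a dedicated stop_importer script would

    def website_work() -> None:
        counts["website"] += 1

    run_until_stopped(store, "importer", importer_work)
    run_until_stopped(store, "website", website_work, max_iterations=5)
    return counts


def demo_global_stop() -> dict[str, int]:
    """With the global key set, every component exits before doing any work."""
    store = MemoryStore()
    request_stop(store)  # global stop, as the existing stop script does
    return {c: run_until_stopped(store, c, lambda: None, max_iterations=5) for c in COMPONENTS}


if __name__ == "__main__":
    print(demo_dedicated_stop())  # {'website': 5, 'importer': 3}
    print(demo_global_stop())     # {'website': 0, 'importer': 0}
```

The point of the dedicated keys is that stopping a component never involves stopping the backend, which is what makes the ExecStop in the unit above unsafe: `run_backend --stop` pulls redis/kvrocks out from under the website and the importers instead of asking them to exit. The start script's clear_stop step matters too, since a leftover key would otherwise make a restarted service quit immediately.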