goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Support systemd notify #9602

Open NyCodeGHG opened 4 months ago

NyCodeGHG commented 4 months ago

Is your feature request related to a problem? Please describe.

I'm running authentik in a podman container started by systemd. I have another service which depends on authentik running and being ready. My problem is that authentik always takes some time to start up, but systemd currently has no way of knowing when authentik is ready and starts the other service directly after starting authentik, which leads to the other service crashing once and restarting (this should be handled better in the other service, but I have no control over that).

Describe the solution you'd like

Systemd has a really simple protocol to notify when an application is ready. Podman proxies the socket used for the protocol into a container by default: https://docs.podman.io/en/latest/markdown/podman-run.1.html#sdnotify-container-conmon-healthy-ignore

The protocol is described here: https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Notes

It's basically just connecting to the socket specified in the NOTIFY_SOCKET environment variable and sending READY=1 via a single datagram.

I found this Python implementation which could be used, or it could just be implemented as a single function, as it's very simple. https://github.com/bb4242/sdnotify/

Describe alternatives you've considered

Additional context

I would be willing to try to implement this feature by myself.
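The readiness notification described in this request, as an added example that is not part of the original issue, authentik's code, or the linked sdnotify library. The function names `sd_notify` and `notify_ready` and the `env` parameter are hypothetical; the sketch handles filesystem and `@`-prefixed abstract-namespace socket addresses and treats anything else as unsupported.

```python
import os
import socket


def _resolve_address(raw):
    """Map a NOTIFY_SOCKET value to an AF_UNIX address, or None if unsupported."""
    if raw.startswith("@"):
        # Linux abstract-namespace socket: the leading '@' stands for a NUL byte.
        return b"\0" + raw[1:].encode()
    if raw.startswith("/"):
        return raw
    return None  # other address forms are out of scope for this sketch


def sd_notify(state, env=os.environ):
    """Send one notification datagram; return False when nothing was delivered."""
    raw = env.get("NOTIFY_SOCKET")
    if not raw:
        return False  # not started by a supervisor that wants notifications
    address = _resolve_address(raw)
    if address is None:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        try:
            sock.sendto(state.encode(), address)
        except OSError:
            return False  # a failed notification must never crash the service
    return True


def notify_ready(env=os.environ):
    """Call once the service is able to accept requests."""
    return sd_notify("READY=1", env)
```

The unit must use `Type=notify` for systemd to wait for this datagram before starting dependent units.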

BeryJu commented 2 weeks ago

Even though the podman container is started through systemd, does that not support standard container healthchecks? I'm not really a fan of having healthchecks this way around (i.e. the application tells the orchestrator it's healthy vs just being checked), and we also don't officially support running in podman containers started by systemd.

NyCodeGHG commented 2 weeks ago

This is not a health check, it's a mechanism to tell systemd that the application is ready (e.g. ready to accept requests), so systemd can utilize that to only start another application after the dependencies are ready. systemd has another feature for checking an application's health, but that is not in scope for my issue.

For example, my use case for this is a Synapse Matrix server which fetches OpenID information on startup and thus depends on the authentik service, so it starts after authentik, but this currently does not work as it should, because authentik takes some time until it's ready and systemd has no way of knowing if it is ready.

I already assumed this is a niche edge case, which is not officially supported, so I would offer to try to implement this myself if such a contribution would be welcome.