nanoporetech / minknow_api

Protobuf and gRPC specifications for the MinKNOW API

Bad metadata key - Error 16 on Instance Service #38

Open jevansio opened 2 years ago

jevansio commented 2 years ago

Hi, I've successfully connected to the Manager service on 9502 (C++), supplied the certificate, and managed to get basic details and watch the flow cell position stream to get updates on the connected flow cells and their ports. But when I come to call an Instance service on one of those ports I get Bad Metadata Key, even though I'm passing the same certificate. I have tried setting the MINKNOW_API_USE_LOCAL_TOKEN to 1 as per the FAQ and it makes no difference. Do I need to restart anything after setting that variable?

Thanks

Jay

rubru2019 commented 2 years ago

Hi, I seem to have a similar issue: Bad metadata key - error 16. I am using the python example: list_sequencing_positions.py. No local host, port 9502. I am able to print some attributes from Manager, but as soon as I call connect() ->

    status = StatusCode.UNAUTHENTICATED
    details = "Bad metadata key"
    debug_error_string = "{"created":"@1652993185.144156328","description":"Error received

User could call {pos.connect()} here to connect to the running MinKNOW instance.

What am I doing wrong?

jevansio commented 2 years ago

Rubru2019, I have been hacking around since I'm getting zilch tech support from ONT. In your minknow folder, edit the app_conf file and set application.rpc.guest_access_default to "enabled". Restart minknow with sudo service minknow restart. This has allowed me to use the port I got back from the flow cell position API and query the Device.get_device_info service successfully.

rubru2019 commented 2 years ago

Thank you! I will check it. Currently no access to app_conf...

lutfia95 commented 2 years ago

Hi @jevansio,

I have been working on the issue of connecting to minknow (22.05.5-1~focal) on 9502 (C++). Here I used grpc::CreateChannel(). I already defined "ca.crt", "localhost.key" and "localhost.crt" with grpc::SslCredentialsOptions. Can you please tell me how you could successfully connect to the Manager service on 9502? Thanks!

Best, Ahmad

0x55555555 commented 2 years ago

Hi @lutfia95,

To connect successfully from C++, you can use this code snippet:

    // Set up ssl endpoint
    std::string const ca = util::read_to_string(".../ca.crt");
    grpc::SslCredentialsOptions ssl_ops;
    ssl_ops.pem_root_certs = ca;

    grpc::ChannelArguments channel_args;
    channel_args.SetSslTargetNameOverride("localhost"); // that's what our cert's CN is

    auto channel_creds = grpc::SslCredentials(ssl_ops);

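    // Optionally provide authentication details in channel_creds.
    // MetadataCredentialsFromPlugin takes ownership of the plugin through a
    // std::unique_ptr (needs <memory>).
    channel_creds = grpc::CompositeChannelCredentials(
        channel_creds,
        grpc::MetadataCredentialsFromPlugin(std::make_unique<MyAuthenticationStrategy>(...))
    );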

    // Create a channel using the credentials created in the previous step.
    auto const channel = grpc::CreateCustomChannel(fmt::format("127.0.0.1:{}", secure_port), channel_creds, channel_args);

You will note several areas you still need to fill in - paths to tokens etc, and the method of authentication.

Manager has some APIs available without authentication, but most MinKNOW APIs require authentication by default.

You can read an authentication token from /tmp/minknow-auth-token.json on the machine which is running minknow, and use this if connecting locally; otherwise you need to use a developer API token retrieved from the UI, or disable authentication on the sequencer.

You can supply an authentication token to minknow using this snippet:

    #include <map>
    #include <grpcpp/grpcpp.h>

    // Attaches the MinKNOW token to every call made on the channel.
    class MyAuthenticationStrategy : public grpc::MetadataCredentialsPlugin {
    public:
        MyAuthenticationStrategy(const grpc::string& token) : m_token(token) {}

        // Called by gRPC before each RPC; adds the token under the "local-auth" key.
        grpc::Status GetMetadata(
            grpc::string_ref service_url, grpc::string_ref method_name,
            const grpc::AuthContext& channel_auth_context,
            std::multimap<grpc::string, grpc::string>* metadata
        ) override {
            metadata->insert(std::make_pair("local-auth", m_token));
            return grpc::Status::OK;
        }

    private:
        grpc::string m_token;
    };

After obtaining a token using the methods above.

Hope that helps,
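
The token-loading step that the reply above leaves to the reader, as an added example that is not part of the original thread or of minknow_api: it reads the token file, pulls out the token string, and rejects values that gRPC would not accept as a text metadata value. The `token` field name, the function names, and the hand-written field extractor (standing in for a JSON library) are assumptions.

```cpp
#include <fstream>
#include <optional>
#include <sstream>
#include <string>

// Value of the first `"key": "..."` pair in `json`, or nullopt if the key is
// absent, its value is not a string, or the string is malformed.
// Only the escapes \" \\ \/ \n \t are decoded; any other escape is rejected.
std::optional<std::string> json_string_field(const std::string& json, const std::string& key) {
    const std::string needle = "\"" + key + "\"", ws = " \t\r\n";
    for (auto at = json.find(needle); at != std::string::npos; at = json.find(needle, at + 1)) {
        auto pos = json.find_first_not_of(ws, at + needle.size());
        if (pos == std::string::npos || json[pos] != ':') continue;  // matched a value, not a key
        pos = json.find_first_not_of(ws, pos + 1);
        if (pos == std::string::npos || json[pos] != '"') return std::nullopt;
        std::string out;
        for (++pos; pos < json.size(); ++pos) {
            const char c = json[pos];
            if (c == '"') return out;
            if (c != '\\') { out += c; continue; }
            if (++pos >= json.size()) return std::nullopt;
            switch (json[pos]) {
                case '"': case '\\': case '/': out += json[pos]; break;
                case 'n': out += '\n'; break;
                case 't': out += '\t'; break;
                default: return std::nullopt;
            }
        }
        return std::nullopt;  // closing quote never found
    }
    return std::nullopt;
}

// Token to send as "local-auth" metadata. Empty tokens and bytes outside
// printable ASCII (0x20-0x7e) are refused: gRPC text metadata cannot carry them.
std::optional<std::string> token_from_json(const std::string& text) {
    auto token = json_string_field(text, "token");  // field name is an assumption
    if (!token || token->empty()) return std::nullopt;
    for (unsigned char c : *token)
        if (c < 0x20 || c > 0x7e) return std::nullopt;
    return token;
}

// Reads the token file (e.g. /tmp/minknow-auth-token.json on the MinKNOW host).
std::optional<std::string> load_local_auth_token(const std::string& path) {
    std::ifstream in(path);
    if (!in) return std::nullopt;
    std::ostringstream buf;
    buf << in.rdbuf();
    return token_from_json(buf.str());
}
```

The returned string is the value to pass to the MyAuthenticationStrategy constructor shown above; a nullopt result means the client should fail early instead of sending an unauthenticated call.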

jevansio commented 2 years ago

Hi @lutfia95, I pretty much used exactly the same code as George. A few points to note: when creating the channel, if you connect to "localhost:port" you don't need to override the target name with SetSslTargetNameOverride(localhost). When George talks about disabling authentication on the sequencer, this is what my original post is referring to when I talk about editing the app_conf file in the MinKNOW installation folder. If you do this, you don't need to bother with any of the CompositeChannelCredentials/MyAuthenticationStrategy/auth token code; you simply pass in the SslCredentials object (basically just comment out creating the CompositeChannelCredentials line).

Hi @jorj1988, many thanks for supplying the additional piece of the puzzle to add the auth strategy. I had tried adding the token myself manually to the client metadata but that hadn't worked, and when I discovered how to disable it the issue obviously vanished.

Thanks Jay

lutfia95 commented 2 years ago

Hi @jorj1988 and @jevansio,

thank you very much for the nice answers! I am now working on that and will let you know ASAP when I solve the issue. @jorj1988 exactly, I have a problem with the app_conf file. Usually I am editing the app_conf file as I am not sequencing directly and only running a playback experiment:

    sudo ./config_editor --conf application --filename ../conf/app_conf --set data_generation.simulated_device=1
    sudo ./config_editor --conf application --filename ../conf/app_conf --set device.simulator_device_count=1

But for the last couple of days I have been facing a problem with app_conf, where I can't set data_generation.simulated_device to 1 (with the error that device.simulator_device_count is not found). I am assuming that I did something wrong with the installation of MinKNOW.

When installing the MinKNOW UI, I used the following command lines from sirselim Miles:

    wget -O- https://mirror.oxfordnanoportal.com/apt/ont-repo.pub | sudo apt-key add -
    echo "deb http://mirror.oxfordnanoportal.com/apt focal-stable non-free" | sudo tee /etc/apt/sources.list.d/nanoporetech.sources.list

Is this the correct way to install the MinKNOW UI on Ubuntu Focal? Because ONT is developing toward supporting Ubuntu Focal (20.04), and I am not sure if installing it with these commands is the best way to do it.

Thanks! Best, Ahmad

0x55555555 commented 2 years ago

Hi @lutfia95 ,

In MinKNOW 5.1, due to changes required for future improvements + features we have changed the way a simulated device is added.

Instead of editing the config, you now need to run the minknow service using additional arguments to add simulated devices.

You can edit: /lib/systemd/system/minknow.service and add arguments to the ExecStart line:

The below demonstrates adding one simulated minion:

...
[Service]
ExecStart=/opt/ont/minknow/bin/mk_manager_svc --simulated-integrated-devices 1
...

The commands you post look correct for installing minknow for focal.

lutfia95 commented 2 years ago

@jorj1988 thank you very much, I will check it out.

Best, Ahmad

lutfia95 commented 2 years ago

Hey @jorj1988,

By editing lib/systemd/system/minknow.service I could successfully play back the simulation run, thanks!

After applying the code snippet, I am getting the error: Invalid local-auth token. I understood from the FAQ that I have to change the MINKNOW_API_USE_LOCAL_TOKEN. Where can I find it? PS: I am connecting atm only locally!

Thanks! Best, Ahmad

0x55555555 commented 2 years ago

MINKNOW_API_USE_LOCAL_TOKEN is an environment variable - you can set it in bash prior to starting the script you're writing:

> export MINKNOW_API_USE_LOCAL_TOKEN=1
> ./my_api_script.py

lutfia95 commented 2 years ago

@jorj1988 Thanks! It solved the problem!

As I am planning to use it on both OS (Linux and Windows), where can I find the token file minknow-auth-token.json on a Windows machine where MinKNOW 5.1 is installed?

You already mentioned that the connection using the token file is for local connections! How can I also adapt a remote connection to MinKNOW, e.g. a tool running on a different machine where the sequencer is set?

Thank you for your support! Best, Ahmad

0x55555555 commented 2 years ago

Hi @lutfia95 ,

If you are connecting to a nanopore sequencer (gridion, promethion, mk1c) you can provision a developer access token using the UI on these boxes, through "Host Settings".

Right now, for non-nanopore platforms we don't support creating a developer API token. You can enable guest mode on these sequencers in the minknow user config file, by changing guest_rpc_enabled to enabled.

The minknow-auth-token.json location can be obtained using the manager API, see https://github.com/nanoporetech/minknow_api/blob/9ea4a4d60043d0ea01656b5a4cc64340eeaa9394/python/minknow_api/manager.py#L33 for an example of doing this in python.