Update instruct_kerberos.md
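--- a/instruct_kerberos.md
+++ b/instruct_kerberos.md
@@ -224,3 +224,88 @@ else
 || { log_error "Failed to create user: $APP_USER"; return 1; }
 fi
 ```
+
+```bash
+#!/usr/bin/env bash
+# =============================================================================
+# 06-app-service.sh — Create and enable the systemd service unit
+# =============================================================================
+
+require_vars APP_SERVICE_NAME APP_ROOT APP_DIR APP_ENV_DIR APP_HOST APP_PORT \
+APP_USER APP_GROUP APP_MODULE || return 1
+
+# APP_ENV_DIR defaults to APP_ROOT if not explicitly set in config
+APP_ENV_DIR="${APP_ENV_DIR:-$APP_ROOT}"
+
+UNIT_FILE="/etc/systemd/system/${APP_SERVICE_NAME}.service"
+
+# ---- Build the After= line ----
+AFTER_TARGETS="network.target"
+if [[ -n "${CIFS_MOUNTS:-}" ]]; then
+AFTER_TARGETS="network.target remote-fs.target"
+fi
+
+# ---- Capability for privileged ports ----
+CAP_LINE=""
+if (( APP_PORT < 1024 )); then
+CAP_LINE="AmbientCapabilities=CAP_NET_BIND_SERVICE"
+log_info "Port ${APP_PORT} < 1024 — adding CAP_NET_BIND_SERVICE"
+fi
+
+# ---- Verify uvicorn is installed ----
+if ! "${APP_ROOT}/.venv/bin/python" -c "import uvicorn" &>/dev/null; then
+log_error "uvicorn not importable in ${APP_ROOT}/.venv — was step 3 (App Install) successful?"
+return 1
+fi
+
+# ---- Build ExecStart command ----
+# Use the venv python to run uvicorn as a module, avoiding shebang path issues.
+EXEC_START="${APP_ROOT}/.venv/bin/python -m uvicorn ${APP_MODULE} --host ${APP_HOST} --port ${APP_PORT}"
+
+if [[ "${APP_SSL_ENABLED:-true}" == "true" ]]; then
+EXEC_START="${EXEC_START} --ssl-keyfile \${SSL_KEYFILE} --ssl-certfile \${SSL_CERTFILE}"
+fi
+
+# ---- Write the unit file ----
+log_info "Writing systemd unit file: $UNIT_FILE"
+cat > "$UNIT_FILE" <<UNITEOF
+[Unit]
+Description=${APP_SERVICE_NAME} FastAPI Application
+After=${AFTER_TARGETS}
+
+[Service]
+Type=simple
+User=${APP_USER}
+Group=${APP_GROUP}
+WorkingDirectory=${APP_DIR}
+EnvironmentFile=${APP_ENV_DIR}/.env
+ExecStart=${EXEC_START}
+Restart=on-failure
+RestartSec=5
+${CAP_LINE}
+
+[Install]
+WantedBy=multi-user.target
+UNITEOF
+
+# ---- Enable and restart ----
+log_info "Reloading systemd and enabling ${APP_SERVICE_NAME}"
+systemctl daemon-reload \
+|| { log_error "systemctl daemon-reload failed"; return 1; }
+
+systemctl enable "$APP_SERVICE_NAME" \
+|| { log_error "Failed to enable ${APP_SERVICE_NAME}"; return 1; }
+
+# ---- Gate restart on test results ----
+if [[ "${DEPLOY_TESTS_PASSED}" != "true" ]]; then
+log_warn "Tests failed — skipping service restart to preserve the current running version"
+log_warn "Fix the failing tests and re-run the deployment to restart the service"
+return 1
+fi
+
+log_info "Restarting ${APP_SERVICE_NAME}"
+systemctl restart "$APP_SERVICE_NAME" \
+|| { log_error "Failed to restart ${APP_SERVICE_NAME}"; return 1; }
+
+systemctl --no-pager status "$APP_SERVICE_NAME"
+```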
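Review bot: The test gate under `# ---- Gate restart on test results ----` runs only after the unit file has been overwritten, `systemctl daemon-reload` has run and the service has been enabled, so a failed test run still leaves the new unit definition loaded; because the unit sets `Restart=on-failure`, a crash of the running service or a reboot would start it under the new definition, which is not what the "preserve the current running version" message promises. Moving the `if [[ "${DEPLOY_TESTS_PASSED}" != "true" ]]` check above `cat > "$UNIT_FILE" <<UNITEOF` closes that gap, and writing the test as `"${DEPLOY_TESTS_PASSED:-false}"` keeps an unset variable from aborting the step if the caller runs with `set -u` (not visible in this hunk). Separately, `APP_PORT` reaches `(( APP_PORT < 1024 ))` and the `ExecStart=` line unvalidated; a guard such as `[[ "$APP_PORT" =~ ^[0-9]+$ ]] || { log_error "APP_PORT must be numeric"; return 1; }` before the capability check would keep arbitrary config text out of the arithmetic context and the generated unit. The `[Service]` section also carries no sandboxing directives; `NoNewPrivileges=yes` and `PrivateTmp=yes` are low-risk additions for a service whose only elevated need is `CAP_NET_BIND_SERVICE`.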