Update instruct_kerberos.md
@@ -224,3 +224,88 @@ else
|
||||
|| { log_error "Failed to create user: $APP_USER"; return 1; }
|
||||
fi
|
||||
```
|
||||
|
||||
```bash
|
||||
#!/usr/bin/env bash
|
||||
# =============================================================================
|
||||
# 06-app-service.sh — Create and enable the systemd service unit
|
||||
# =============================================================================
|
||||
|
||||
require_vars APP_SERVICE_NAME APP_ROOT APP_DIR APP_ENV_DIR APP_HOST APP_PORT \
|
||||
APP_USER APP_GROUP APP_MODULE || return 1
|
||||
|
||||
# APP_ENV_DIR defaults to APP_ROOT if not explicitly set in config
|
||||
APP_ENV_DIR="${APP_ENV_DIR:-$APP_ROOT}"
|
||||
|
||||
UNIT_FILE="/etc/systemd/system/${APP_SERVICE_NAME}.service"
|
||||
|
||||
# ---- Build the After= line ----
|
||||
AFTER_TARGETS="network.target"
|
||||
if [[ -n "${CIFS_MOUNTS:-}" ]]; then
|
||||
AFTER_TARGETS="network.target remote-fs.target"
|
||||
fi
|
||||
|
||||
# ---- Capability for privileged ports ----
|
||||
CAP_LINE=""
|
||||
if (( APP_PORT < 1024 )); then
|
||||
CAP_LINE="AmbientCapabilities=CAP_NET_BIND_SERVICE"
|
||||
log_info "Port ${APP_PORT} < 1024 — adding CAP_NET_BIND_SERVICE"
|
||||
fi
|
||||
|
||||
# ---- Verify uvicorn is installed ----
|
||||
if ! "${APP_ROOT}/.venv/bin/python" -c "import uvicorn" &>/dev/null; then
|
||||
log_error "uvicorn not importable in ${APP_ROOT}/.venv — was step 3 (App Install) successful?"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# ---- Build ExecStart command ----
|
||||
# Use the venv python to run uvicorn as a module, avoiding shebang path issues.
|
||||
EXEC_START="${APP_ROOT}/.venv/bin/python -m uvicorn ${APP_MODULE} --host ${APP_HOST} --port ${APP_PORT}"
|
||||
|
||||
if [[ "${APP_SSL_ENABLED:-true}" == "true" ]]; then
|
||||
EXEC_START="${EXEC_START} --ssl-keyfile \${SSL_KEYFILE} --ssl-certfile \${SSL_CERTFILE}"
|
||||
fi
|
||||
|
||||
# ---- Write the unit file ----
|
||||
log_info "Writing systemd unit file: $UNIT_FILE"
|
||||
cat > "$UNIT_FILE" <<UNITEOF
|
||||
[Unit]
|
||||
Description=${APP_SERVICE_NAME} FastAPI Application
|
||||
After=${AFTER_TARGETS}
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=${APP_USER}
|
||||
Group=${APP_GROUP}
|
||||
WorkingDirectory=${APP_DIR}
|
||||
EnvironmentFile=${APP_ENV_DIR}/.env
|
||||
ExecStart=${EXEC_START}
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
${CAP_LINE}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
UNITEOF
|
||||
|
||||
# ---- Enable and restart ----
|
||||
log_info "Reloading systemd and enabling ${APP_SERVICE_NAME}"
|
||||
systemctl daemon-reload \
|
||||
|| { log_error "systemctl daemon-reload failed"; return 1; }
|
||||
|
||||
systemctl enable "$APP_SERVICE_NAME" \
|
||||
|| { log_error "Failed to enable ${APP_SERVICE_NAME}"; return 1; }
|
||||
|
||||
# ---- Gate restart on test results ----
|
||||
if [[ "${DEPLOY_TESTS_PASSED}" != "true" ]]; then
|
||||
log_warn "Tests failed — skipping service restart to preserve the current running version"
|
||||
log_warn "Fix the failing tests and re-run the deployment to restart the service"
|
||||
return 1
|
||||
fi
|
||||
|
||||
log_info "Restarting ${APP_SERVICE_NAME}"
|
||||
systemctl restart "$APP_SERVICE_NAME" \
|
||||
|| { log_error "Failed to restart ${APP_SERVICE_NAME}"; return 1; }
|
||||
|
||||
systemctl --no-pager status "$APP_SERVICE_NAME"
|
||||
```
|
||||
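Review bot: The `DEPLOY_TESTS_PASSED` gate sits after the unit file has already been overwritten and `systemctl daemon-reload` and `systemctl enable` have run, so on a failed test run the old process keeps running but systemd already holds the new definition; the next `Restart=on-failure` cycle or a reboot would start the service from the rewritten unit, which contradicts the "preserve the current running version" message. Moving the gate above `cat > "$UNIT_FILE"` keeps a failed deployment from touching the unit at all, and writing it as `if [[ "${DEPLOY_TESTS_PASSED:-false}" != "true" ]]; then` avoids an abort on an unset variable if the caller runs with `set -u` (not visible in this hunk). Separately, `APP_PORT` reaches `(( APP_PORT < 1024 ))` and the `ExecStart=` line unvalidated; a guard such as `[[ "$APP_PORT" =~ ^[0-9]+$ ]] || { log_error "APP_PORT must be numeric"; return 1; }` before the capability check keeps a malformed config value out of arithmetic evaluation and out of the unit file. Listing `APP_ENV_DIR` in `require_vars` also appears to make the `${APP_ENV_DIR:-$APP_ROOT}` default unreachable, assuming `require_vars` rejects unset names.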