Reposted from
FastAPI-DLS
Minimal Delegated License Service (DLS).
Compatibility tested with official DLS 2.0.1.
This service can be used without internet connection.
Only the clients need a connection to this service on configured port.
Official Links
https://git.collinwebdesigns.de/oscar.krause/fastapi-dls (Private Git)
https://gitea.publichub.eu/oscar.krause/fastapi-dls (Public Git)
https://hub.docker.com/r/collinwebdesigns/fastapi-dls (Docker-Hub collinwebdesigns/fastapi-dls:latest)
All other repositories are forks! (which is not bad – just for information and bug reports)
Setup (Service)
System requirements
256 MB RAM
4 GB HDD
Tested with Ubuntu 22.10 (from Proxmox templates); in practice it consumes 100 MB RAM and 750 MB HDD.
Prepare your system
Make sure your timezone is set correctly on your fastapi-dls server and your client.
Docker
Docker-Images are available here:
Docker-Hub: collinwebdesigns/fastapi-dls:latest
GitLab-Registry: registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest
The images include database drivers for postgres, mysql, mariadb and sqlite.
Run this on the Docker-Host
WORKING_DIR=/opt/docker/fastapi-dls/cert
mkdir -p $WORKING_DIR
cd $WORKING_DIR
# create instance private and public key for signing JWT's
openssl genrsa -out $WORKING_DIR/instance.private.pem 2048
openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
Start container
To test whether everything is set up properly, you can start the container as follows:
docker volume create dls-db
docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert -v dls-db:/app/database collinwebdesigns/fastapi-dls:latest
Docker-Compose / Deploy stack
See docker-compose.yml for a more advanced example (with reverse proxy usage).
version: '3.9'

x-dls-variables: &dls-variables
  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
  DLS_URL: localhost # REQUIRED, change to your ip or hostname
  DLS_PORT: 443
  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
  DATABASE: sqlite:////app/database/db.sqlite
  DEBUG: false

services:
  dls:
    image: collinwebdesigns/fastapi-dls:latest
    restart: always
    environment:
      <<: *dls-variables
    ports:
      - "443:443"
    volumes:
      - /opt/docker/fastapi-dls/cert:/app/cert
      - dls-db:/app/database
    logging:  # optional, for those who do not need logs
      driver: "json-file"
      options:
        max-file: 5
        max-size: 10m

volumes:
  dls-db:
Debian/Ubuntu (manual method using git clone and python virtual environment)
Tested on Debian 11 (bullseye), Ubuntu may also work.
Make sure you are logged in as root.
Install requirements
apt-get update && apt-get install git python3-venv python3-pip
Install FastAPI-DLS
WORKING_DIR=/opt/fastapi-dls
mkdir -p $WORKING_DIR
cd $WORKING_DIR
git clone https://git.collinwebdesigns.de/oscar.krause/fastapi-dls .
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
deactivate
chown -R www-data:www-data $WORKING_DIR
Create keypair and webserver certificate
WORKING_DIR=/opt/fastapi-dls/app/cert
mkdir -p $WORKING_DIR
cd $WORKING_DIR
# create instance private and public key for signing JWT's
openssl genrsa -out $WORKING_DIR/instance.private.pem 2048
openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem
# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt
chown -R www-data:www-data $WORKING_DIR
Test Service
This is only to test whether the service starts successfully.
cd /opt/fastapi-dls/app
sudo -u www-data /opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app
# or
su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
Create config file
mkdir /etc/fastapi-dls
cat <<EOF >/etc/fastapi-dls/env
DLS_URL=127.0.0.1
DLS_PORT=443
LEASE_EXPIRE_DAYS=90
DATABASE=sqlite:////opt/fastapi-dls/app/db.sqlite
EOF
Create service
Now you have to run systemctl daemon-reload. After that you can start the service with systemctl start fastapi-dls.service and enable autostart with systemctl enable fastapi-dls.service.
openSUSE Leap (manual method using git clone and python virtual environment)
Tested on openSUSE Leap 15.4, openSUSE Tumbleweed may also work.
Install requirements
zypper in -y python310 python3-virtualenv python3-pip
Install FastAPI-DLS
BASE_DIR=/opt/fastapi-dls
SERVICE_USER=dls
mkdir -p ${BASE_DIR}
cd ${BASE_DIR}
git clone https://git.collinwebdesigns.de/oscar.krause/fastapi-dls .
python3.10 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
deactivate
useradd -r ${SERVICE_USER} -M -d /opt/fastapi-dls
chown -R ${SERVICE_USER} ${BASE_DIR}
Create keypair and webserver certificate
CERT_DIR=${BASE_DIR}/app/cert
SERVICE_USER=dls
mkdir ${CERT_DIR}
cd ${CERT_DIR}
# create instance private and public key for signing JWT's
openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048
openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
chown -R ${SERVICE_USER} ${CERT_DIR}
Test Service
This is only to test whether the service starts successfully.
BASE_DIR=/opt/fastapi-dls
SERVICE_USER=dls
cd ${BASE_DIR}
sudo -u ${SERVICE_USER} ${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app
# or
su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app"
Create config file
BASE_DIR=/opt/fastapi-dls
# make sure the config directory exists before writing the env file
mkdir -p /etc/fastapi-dls
cat <<EOF >/etc/fastapi-dls/env
# Adjust DLS_URL as needed (accessing from LAN won't work with 127.0.0.1)
DLS_URL=127.0.0.1
DLS_PORT=443
LEASE_EXPIRE_DAYS=90
DATABASE=sqlite:///${BASE_DIR}/app/db.sqlite
EOF
Create service
BASE_DIR=/opt/fastapi-dls
SERVICE_USER=dls
cat <<EOF >/etc/systemd/system/fastapi-dls.service
[Unit]
Description=Service for fastapi-dls vGPU licensing service
After=network.target

[Service]
User=${SERVICE_USER}
AmbientCapabilities=CAP_NET_BIND_SERVICE
WorkingDirectory=${BASE_DIR}/app
EnvironmentFile=/etc/fastapi-dls/env
ExecStart=${BASE_DIR}/venv/bin/uvicorn main:app \\
  --env-file /etc/fastapi-dls/env \\
  --host \$DLS_URL --port \$DLS_PORT \\
  --app-dir ${BASE_DIR}/app \\
  --ssl-keyfile ${BASE_DIR}/app/cert/webserver.key \\
  --ssl-certfile ${BASE_DIR}/app/cert/webserver.crt \\
  --proxy-headers
Restart=always
KillSignal=SIGQUIT
Type=simple
NotifyAccess=all

[Install]
WantedBy=multi-user.target
EOF
Now you have to run systemctl daemon-reload. After that you can start the service with systemctl start fastapi-dls.service and enable autostart with systemctl enable fastapi-dls.service.
Debian/Ubuntu (using dpkg)
Packages are available here:
Successfully tested with:
Debian 12 (Bookworm) (works but not recommended because it is currently in testing state)
Ubuntu 22.10 (Kinetic Kudu)
Not working with:
Debian 11 (Bullseye) and lower (missing python-jose dependency)
Ubuntu 22.04 (Jammy Jellyfish) (not supported as of 15.01.2023 due to fastapi – uvicorn version mismatch)
Run this on your server instance
First go to GitLab-Registry and select your version. Then you have to copy the download link of the fastapi-dls_X.Y.Z_amd64.deb asset.
apt-get update
FILENAME=/opt/fastapi-dls.deb
wget -O $FILENAME <download-url>
dpkg -i $FILENAME
apt-get install -f --fix-missing
Start with systemctl start fastapi-dls.service and enable autostart with systemctl enable fastapi-dls.service.
ArchLinux (using pacman)
Shout out to samicrusader who created build file for ArchLinux!
Packages are available here:
pacman -Sy
FILENAME=/opt/fastapi-dls.pkg.tar.zst
curl -o $FILENAME <download-url>
# or
wget -O $FILENAME <download-url>
# install the package file that was just downloaded
pacman -U --noconfirm $FILENAME
Start with systemctl start fastapi-dls.service and enable autostart with systemctl enable fastapi-dls.service.
unRAID
Download this xml file
Put it in /boot/config/plugins/dockerMan/templates-user/
Go to Docker page, scroll down to Add Container, click on Template list and choose FastAPI-DLS
Open terminal/ssh, follow the instructions in overview description
Setup your container IP, Port, DLS_URL and DLS_PORT
Apply and let it boot up
Unraid users must also make sure they have Host access to custom networks enabled if unraid is the vgpu guest.
Continue here for docker guest setup.
Let’s Encrypt Certificate (optional)
If you’re using installation via docker, you can use traefik. Please refer to their documentation.
Note that port 80 must be accessible, and you have to install socat if you’re using standalone mode.
acme.sh --issue -d example.com \
  --cert-file /etc/fastapi-dls/webserver.donotuse.crt \
  --key-file /etc/fastapi-dls/webserver.key \
  --fullchain-file /etc/fastapi-dls/webserver.crt \
  --reloadcmd "systemctl restart fastapi-dls.service"
After first success you have to replace --issue with --renew.
Configuration
Variable | Default | Usage |
---|---|---|
DEBUG | false | Toggles fastapi debug mode |
DLS_URL | localhost | Used in client-token to tell guest driver where dls instance is reachable |
DLS_PORT | 443 | Used in client-token to tell guest driver where dls instance is reachable |
TOKEN_EXPIRE_DAYS | 1 | Client auth-token validity (used for authenticate client against api, not .tok file!) |
LEASE_EXPIRE_DAYS | 90 | Lease time in days |
LEASE_RENEWAL_PERIOD | 0.15 | The percentage of the lease period that must elapse before a licensed client can renew a license *1 |
DATABASE | sqlite:///db.sqlite | See official SQLAlchemy docs |
CORS_ORIGINS | https://{DLS_URL} | Sets Access-Control-Allow-Origin header (comma separated string) *2 |
SITE_KEY_XID | 00000000-0000-0000-0000-000000000000 | Site identification uuid |
INSTANCE_REF | 10000000-0000-0000-0000-000000000001 | Instance identification uuid |
ALLOTMENT_REF | 20000000-0000-0000-0000-000000000001 | Allotment identification uuid |
INSTANCE_KEY_RSA | <app-dir>/cert/instance.private.pem | Site-wide private RSA key for signing JWTs *3 |
INSTANCE_KEY_PUB | <app-dir>/cert/instance.public.pem | Site-wide public key *3 |
*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the client has 19.2 hours in which to re-establish connectivity before its license expires.
*2 Always use https, since guest-drivers only support secure connections!
*3 If you recreate instance keys you need to recreate client-token for each guest!
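An added example (not part of the FastAPI-DLS project): a small linter that checks an env file against the constraints stated in the table and notes above (90-day lease maximum, loopback DLS_URL unreachable from the LAN, https-only origins) and works out the renewal timing described in footnote *1. The function names, the loopback set, the accepted range for LEASE_RENEWAL_PERIOD and the sample values are assumptions.

```python
from urllib.parse import urlsplit

# Defaults taken from the Configuration table.
DEFAULTS = {"DLS_URL": "localhost", "LEASE_EXPIRE_DAYS": "90", "LEASE_RENEWAL_PERIOD": "0.15"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumed set of loopback names


def parse_env(text):
    """Parse KEY=VALUE lines (the /etc/fastapi-dls/env format), skipping comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env


def lint(env):
    """Return (warnings, renewal_hours, grace_hours) for a parsed env file."""
    cfg = {**DEFAULTS, **env}
    warnings = []
    if cfg["DLS_URL"] in LOOPBACK:
        warnings.append("DLS_URL is loopback: guests on the LAN cannot reach it")
    days = float(cfg["LEASE_EXPIRE_DAYS"])
    if days > 90:
        warnings.append("LEASE_EXPIRE_DAYS exceeds the 90-day maximum")
    period = float(cfg["LEASE_RENEWAL_PERIOD"])
    if not 0 < period < 1:  # assumed valid range for a fraction of the lease
        warnings.append("LEASE_RENEWAL_PERIOD should be between 0 and 1")
    # CORS_ORIGINS defaults to https://{DLS_URL}; flag any non-https origin.
    origins = cfg.get("CORS_ORIGINS", "https://" + cfg["DLS_URL"])
    for origin in filter(None, (o.strip() for o in origins.split(","))):
        if urlsplit(origin).scheme != "https":
            warnings.append("CORS_ORIGINS entry is not https: " + origin)
    renewal_hours = days * 24 * period       # footnote *1: first renewal attempt
    grace_hours = days * 24 - renewal_hours  # time left to restore connectivity
    return warnings, renewal_hours, grace_hours

# Constructed sample, modelled on the env file from the setup steps.
SAMPLE = """\
DLS_URL=127.0.0.1
LEASE_EXPIRE_DAYS=1
LEASE_RENEWAL_PERIOD=0.2
CORS_ORIGINS=https://dls.example.internal,http://dls.example.internal
"""

if __name__ == "__main__":
    print(lint(parse_env(SAMPLE)))
```

With the sample values (one-day lease, 20% renewal period) the result reproduces the 4.8 and 19.2 hours of footnote *1.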
Setup (Client)
The token file has to be copied! It’s not enough to C&P file contents, because there can be special characters.
Successfully tested with these package versions:
vGPU Software | vGPU Manager | Linux Driver | Windows Driver | Release Date |
---|---|---|---|---|
15.2 | 525.105.14 | 525.105.17 | 528.89 | March 2023 |
15.1 | 525.85.07 | 525.85.05 | 528.24 | January 2023 |
15.0 | 525.60.12 | 525.60.13 | 527.41 | December 2022 |
14.4 | 510.108.03 | 510.108.03 | 514.08 | December 2022 |
14.3 | 510.108.03 | 510.108.03 | 513.91 | November 2022 |
https://docs.nvidia.com/grid/index.html
Linux
Download client-token and place it into /etc/nvidia/ClientConfigToken:
curl --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok
# or
wget --no-check-certificate -O /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok https://<dls-hostname-or-ip>/-/client-token
Restart nvidia-gridd service:
service nvidia-gridd restart
Check licensing status:
nvidia-smi -q | grep "License"
Output should be something like:
vGPU Software Licensed Product License Status : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
Done. For more information check troubleshoot section.
Windows
PowerShell (run as administrator!)
Download client-token and place it into C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken:
curl.exe --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o "C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token_$((Get-Date).tostring('dd-MM-yy-hh-mm-ss')).tok"
Restart NvContainerLocalSystem service:
Restart-Service NVDisplay.ContainerLocalSystem
Check licensing status:
& 'nvidia-smi' -q | Select-String "License"
Output should be something like:
vGPU Software Licensed Product License Status : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
Done. For more information check troubleshoot section.
unRAID Guest
Make sure you create a folder in a linux filesystem (BTRFS/XFS/EXT4…), I recommend /mnt/user/system/nvidia (this is where docker and libvirt preferences are saved, so it’s a good place to have that)
Edit the script to put your DLS_IP, DLS_PORT and TOKEN_PATH, properly
Install User Scripts plugin from Community Apps (the Apps page, or google User Scripts Unraid if you’re not using CA)
Go to Settings > Users Scripts > Add New Script
Give it a name (the name must not contain spaces preferably)
Click on the gear icon to the left of the script name then edit script
Paste the script and save
Set schedule to At First Array Start Only
Click on Apply
Endpoints
GET /
Redirect to /-/readme.
GET /-/health
Status endpoint, used for healthcheck.
GET /-/config
Shows current runtime environment variables and their values.
GET /-/readme
HTML rendered README.md.
GET /-/manage
Shows a very basic UI to delete origins or leases.
GET /-/origins?leases=false
List registered origins.
Query Parameter | Default | Usage |
---|---|---|
leases | false | Include referenced leases per origin |
DELETE /-/origins
Deletes all origins and their leases.
GET /-/leases?origin=false
List current leases.
Query Parameter | Default | Usage |
---|---|---|
origin | false | Include referenced origin per lease |
DELETE /-/lease/{lease_ref}
Deletes a lease.
GET /-/client-token
Generate client token (see installation).
Others
There are many other internal api endpoints for handling authentication and lease process.
Troubleshoot
Please make sure that fastapi-dls and your guests are on the same timezone!
Linux
Logs are available with journalctl -u nvidia-gridd -f.
Windows
Logs are available in C:\Users\Public\Documents\Nvidia\LoggingLog.NVDisplay.Container.exe.log.
Known Issues
Linux
uvicorn.error:Invalid HTTP request received.
This message can be ignored.
Ref. https://github.com/encode/uvicorn/issues/441
Log example
Windows
Required cipher on Windows Guests (e.g. managed by domain controller with GPO)
It is required to enable SHA1 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521) in the Windows cipher suite.
Multiple Display Container LS Instances
On some Windows machines, two or more instances of NVIDIA Display Container LS are running. This causes a problem in the licensing flow. As you can see in the logs below, there are two lines with NLS initialized, each prefixed with <1> and <2>. So it is possible that daemon 1 fetches a valid license through dls-service, and daemon 2 only gets a valid local license.
Log
Error on releasing leases on shutdown (can be ignored and/or fixed with reverse proxy)
The driver wants to release current leases when Windows shuts down. This endpoint needs to be an http endpoint.
The error message can safely be ignored (since we have no license limitation :P) and looks like this:
Credits
Thanks to the vGPU community and all who use this project and report bugs.
Special thanks to
@samicrusader who created build file for ArchLinux
@cyrus who wrote the section for openSUSE
@midi who wrote the section for unRAID