feat(app): improve logging, database pool, and auto update shema

kheeklab · Oct 25, 2024 · c14269d · cparkins · Dec 13, 2024 · mr-ssd
1 parent ce67c94
commit c14269d
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 16 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -19,6 +19,7 @@ FROM python:$BASE_IMAGE_TAG
 ARG PI_HOME
 LABEL maintainer="Sida Say <sida@kheek.com>"
 ENV PI_SKIP_BOOTSTRAP=false \
+    PI_AUTO_UPDATE=false \
     PI_DB_VENDOR=sqlite \
     PI_DATA_DIR=/data/privacyidea \
     PI_CFG_DIR=/etc/privacyidea \

diff --git a/README.md b/README.md
@@ -95,9 +95,11 @@ The kheeklab privacyIDEA container can create a default admin user by setting th
 | `PI_SECRET_KEY` | This is used to encrypt the auth_token | |
 | `PI_SUPERUSER_REALM` | The realm, where users are allowed to login as administrators in comma separated value | administrator |
 | `PI_SKIP_BOOTSTRAP` | Set this to true to prevent the container to run setup again | false |
+| `PI_AUTO_UPDATE` | Set this to true to automatically update privacyIDEA. Only effect when `PI_SKIP_BOOTSTRAP` is set to **true** | false |
 
 > [!WARNING]
 > Be careful and setting `PI_SKIP_BOOTSTRAP` to **true** after first initialization. This will prevent the container to run setup again or your data such as admin credentials, secret keys, etc will be overwritten.
+> `PI_AUTO_UPDATE` set to **true** will update privacyIDEA to the latest version. Make sure you have backup your data before setting `PI_AUTO_UPDATE` to **true**.
 
 ### gunicorn environment variables
 

diff --git a/rootfs/opt/privacyidea/gunicorn_conf.py b/rootfs/opt/privacyidea/gunicorn_conf.py
@@ -49,19 +49,19 @@
 
 
 # For debugging and testing
-log_data = {
-    "loglevel": loglevel,
-    "workers": workers,
-    "bind": bind,
-    "graceful_timeout": graceful_timeout,
-    "timeout": timeout,
-    "keepalive": keepalive,
-    "errorlog": errorlog,
-    "accesslog": accesslog,
-    # Additional, non-gunicorn variables
-    "workers_per_core": workers_per_core,
-    "use_max_workers": use_max_workers,
-    "host": host,
-    "port": port,
-}
-print(json.dumps(log_data))
+# log_data = {
+#     "loglevel": loglevel,
+#     "workers": workers,
+#     "bind": bind,
+#     "graceful_timeout": graceful_timeout,
+#     "timeout": timeout,
+#     "keepalive": keepalive,
+#     "errorlog": errorlog,
+#     "accesslog": accesslog,
+#     # Additional, non-gunicorn variables
+#     "workers_per_core": workers_per_core,
+#     "use_max_workers": use_max_workers,
+#     "host": host,
+#     "port": port,
+# }
+# print(json.dumps(log_data))
diff --git a/rootfs/opt/privacyidea/pi-logging.yml b/rootfs/opt/privacyidea/pi-logging.yml
@@ -0,0 +1,20 @@
+version: 1
+formatters:
+  detail:
+    class: privacyidea.lib.log.SecureFormatter
+    format: '[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s'
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    level: INFO
+    formatter: detail
+
+loggers:
+  privacyidea:
+    level: INFO
+    handlers: [console]
+
+root:
+  level: WARNING
+  handlers: [console]
diff --git a/rootfs/opt/templates/pi-config.template b/rootfs/opt/templates/pi-config.template
@@ -16,6 +16,7 @@ if PI_PEPPER is None:
 SUPERUSER_REALM = os.environ.get('PI_SUPERUSER_REALM','administrator').split(',')
 
 SQLALCHEMY_DATABASE_URI = "$SQLALCHEMY_DATABASE_URI"
+SQLALCHEMY_ENGINE_OPTIONS = {"pool_pre_ping": True, "pool_recycle": 3600, "pool_size":10, "pool_timeout": 30, "max_overflow": 20}
 PI_ENCFILE = os.environ.get("PI_ENCFILE", "/data/privacyidea/keys/encfile")
 PI_HSM = os.environ.get("PI_HSM", "default")
 PI_AUDIT_NO_SIGN = os.environ.get("PI_AUDIT_NO_SIGN", "False").lower() == "true"
@@ -24,6 +25,9 @@ PI_AUDIT_MODULE = os.environ.get("", "privacyidea.lib.auditmodules.sqlaudit")
 PI_AUDIT_KEY_PRIVATE = os.environ.get("PI_AUDIT_KEY_PRIVATE_PATH", "/data/privacyidea/keys/private.pem")
 # PI_AUDIT_KEY_PUBLIC will be used only when PI_AUDIT_NO_SIGN is True
 PI_AUDIT_KEY_PUBLIC = os.environ.get("PI_AUDIT_KEY_PUBLIC_PATH", "/data/privacyidea/keys/public.pem")
+PI_AUDIT_POOL_SIZE = os.environ.get("PI_AUDIT_POOL_SIZE", 5)
+PI_AUDIT_POOL_RECYCLE = os.environ.get("PI_AUDIT_POOL_RECYCLE", 3600)
+PI_LOGCONFIG= os.environ.get("PI_LOGCONFIG", "/opt/privacyidea/pi-logging.yml")
 PI_LOGFILE = os.environ.get("PI_LOGFILE", "/dev/stdout")
 PI_LOGLEVEL = logging.getLevelName(os.environ.get("PI_LOGLEVEL", 20))
 PI_NODE = os.environ.get("HOSTNAME", "localnode")

diff --git a/rootfs/usr/local/bin/configure_privacyidea.sh b/rootfs/usr/local/bin/configure_privacyidea.sh
@@ -184,6 +184,12 @@ function prestart_privacyidea {
         echo "[INFO] Skipping key generation, table creation, and admin user creation."
         echo ""
     fi
+
+    if [ "${PI_SKIP_BOOTSTRAP}" = true ] && [ "${PI_AUTO_UPDATE}" = true ] ; then
+        echo "Auto updating privacyIDEA..."
+        privacyidea-schema-upgrade /opt/privacyidea/lib/privacyidea/migrations
+        echo "privacyIDEA successfully updated."
+    fi
 }
 
 main