-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SOLVED] Centos - Nginx - Gunicorn - Django - Kaleido on Digital Ocean Droplet not working because of selinux policy [EDITED] #37
Comments
Hi @irwanOyong, Can you SSH into the droplet and try exporting an image from a python/ipython session? This will help narrow in on where things are going wrong. Also, FWIW, these lines look odd
The top line lists the chromium command line arguments that kaleido uses. But the following lines list a bunch of command line arguments that aren't specified by kaleido (e.g. |
Thank you for the response @jonmmease And yes, I am able to SSH the droplet and export an image from the plotly go.Figure in a CLI python session without any warning and error. I think those lines also come from the Chromium, no? |
They are flags that are accepted by Chromium, but I'm not clear on how they are being set. Here are the flags that we set when calling the kaleido executable, which passes them on to Chromium: https://github.com/plotly/Kaleido/blob/master/repos/linux_scripts/launch_script. I guess these may be subprocesses that chromium launches internally. Are you using the |
I did not use And ah, I noticed that the response I get from the request is 504: Gateway time-out, any possibilites the problem comes from (unsuitable) Nginx configuration? Here is what written in the Nginx error log I saw just now. My client_body_timeout and client_header_timeout are set to 3 minutes btw, which supposed to be more than enough to finish the process. |
Just to clarify, everything works when you comment out the |
Yes, I can assure that it happens right on this line of code I tried to add these on my location /api block of nginx.conf but nothing changes. Also to clarify, do we need GPU to finish the write_image with kaleido? I see |
Ok, thanks for confirming.
No, a GPU is not required. I don't have any other ideas off hand. Do you have any other logging from your app itself? Can you tell if the |
I tried using single gunicorn worker, nothing changed. But I found something, using the same code I tried to run my Django server in development mode The latest response after I updated some Btw thank you for the continuous response even knowing the problem doesn't come directly from Kaleido, I really appreciate that. |
Ok, so it sounds like it specifically a problem under gunicorn. And again, to double check, running with gunicorn on your local development machine work properly? If it were a problem with gunicorn everywhere, then I'd suspect it has something to do with gunicorn's process forking model, but if it's only a problem on specific os configuration, that doesn't make as much sense. |
Unfortunately I don't run the project with gunicorn on my local development machine, but I will try to set it up that way to narrow down the problem. Btw, I found this error message when restarting gunicorn while the process is hanging before the 100 seconds mark.
|
Thanks @irwanOyong, this error message is helpful. After a little searching, I've seen a few references to this kind of error being causes by selinux security policies. e.g. https://forums.gentoo.org/viewtopic-t-1114806-start-0.html. I'm not very familiar with selinux, but it would be worth checking if this is installed on the droplet and to try disabling it if so: https://www.tecmint.com/disable-selinux-in-centos-rhel-fedora/. |
Oh my, you are right. I tried to disable the Selinux (not entirely) by setting it to permissive mode, and it works like a charm. Last question, is there any way I may still use Kaleido without modifying the default Selinux mode? It was set that way to give more security (said them who made so), many people wrote that it is not recommended to disable or set Selinux to permissive mode. But only if you and the team already know something in hand, no need to dig too much because you helped me a lot already. Thank you. |
Hi @irwanOyong, great! Yeah, I wasn't recommending disabling selinux permanently, just to test things out. I haven't worked with selinux much, but there must be some way to allow the execution of individual executables. The native executable will be located in a directory under
So the trick will be working out how to tell selinux to allow execution from this directory. If you work out a solution for allowing this, please add it to the issue here! Also, please let us know if you come across information on anything that we could do on our end to avoid getting flagged. |
Good news @jonmmease ! In short, after ensuring that the problem comes from selinux policy. Here is how I resolved the issue. First, we may run
And even more human-friendly, we may run
By running
Specifically we can then run
And the last part is installing the module
I don't know if this may help, but from what I read, running your service under init_t is not recommended, but I am also no expert in sysadmin stuff so I am not really sure :( Thank you so much for helping these few days! |
Thanks for sharing your solution @irwanOyong! |
Hi! Thank you for the hardwork,
I have a question regarding Kaleido implementation of Centos - Nginx - Gunicorn - Django - Kaleido on a Digital Ocean Droplet using Cloudflare SSL.
It works seamlessly on my local development env, Ubuntu/Windows, but not in the mentioned environment (staging).
As seen from the gunicorn status below, the worker(s) are exiting and rebooting when I try exporting plots using fig.write_image function.
The text was updated successfully, but these errors were encountered: