Running as root
If I run streamlit as root:
streamlit hello \
--browser.serverAddress dharmatech.dev \
--browser.serverPort 8502 \
--server.sslCertFile /etc/letsencrypt/live/dharmatech.dev/fullchain.pem \
--server.sslKeyFile /etc/letsencrypt/live/dharmatech.dev/privkey.pem
It works fine and I can access the site:
https://dharmatech.dev:8502/
Not running as root
Of course, I don't want to run streamlit as root.
If I run it as a normal user, I get the following:
$ streamlit hello --browser.serverAddress dharmatech.dev --browser.serverPort 8502 --server.sslCertFile /etc/letsencrypt/live/dharmatech.dev/fullchain.pem --server.sslKeyFile /etc/letsencrypt/live/dharmatech.dev/privkey.pem
Collecting usage statistics. To deactivate, set browser.gatherUsageStats to false.
Traceback (most recent call last):
File "/home/dharmatech/python-environments/env-3.10-streamlit/bin/streamlit", line 8, in <module>
sys.exit(main())
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/click/core.py", line 1157, in __call__
return self.main(*args, **kwargs)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/cli.py", line 188, in main_hello
_main_run(filename, flag_options=kwargs)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/cli.py", line 270, in _main_run
bootstrap.run(file, is_hello, args, flag_options)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/bootstrap.py", line 405, in run
asyncio.run(run_server())
File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
return future.result()
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/bootstrap.py", line 393, in run_server
await server.start()
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/server/server.py", line 269, in start
start_listening(app)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/server/server.py", line 118, in start_listening
ssl_options = _get_ssl_options(cert_file, key_file)
File "/home/dharmatech/python-environments/env-3.10-streamlit/lib/python3.10/site-packages/streamlit/web/server/server.py", line 143, in _get_ssl_options
if not Path(cert_file).exists():
File "/usr/lib/python3.10/pathlib.py", line 1290, in exists
self.stat()
File "/usr/lib/python3.10/pathlib.py", line 1097, in stat
return self._accessor.stat(self, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '/etc/letsencrypt/live/dharmatech.dev/fullchain.pem'
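Question
So the issue is that the normal user doesn't have access to the fullchain.pem and privkey.pem files.
What's the best practice for allowing streamlit to access these files without running as root?
Approach: modify permissions
I could chmod the files and directories as needed. However, I've seen it mentioned that letsencrypt will periodically reset the permissions on the files. So this doesn't seem like a sustainable approach.
Approach: post-renewal hook
This answer:
https://serverfault.com/a/1085282/102828
mentions a script approach. However, I haven't seen others recommend this approach, so I'm wondering if this is indeed the best practice here.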
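
One form the script approach can take, shown as an added example that is not part of the original post or the linked answer: a certbot deploy hook that copies the renewed PEM files into a private directory owned by the service account, leaving /etc/letsencrypt untouched. The destination /etc/streamlit-tls and the account name streamlit are assumptions; RENEWED_LINEAGE is set by certbot when it runs deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved as an executable file under
# /etc/letsencrypt/renewal-hooks/deploy/. Runs as root after each renewal.
# DEST_DIR and SVC_USER are assumed names, not values from the post.
DEST_DIR="${DEST_DIR:-/etc/streamlit-tls}"
SVC_USER="${SVC_USER:-streamlit}"

# copy_cert_for_service LINEAGE_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem out of the live/ directory (where they
# are symlinks into archive/) as regular files readable only by OWNER.
copy_cert_for_service() {
    lineage="$1"; dest="$2"; owner="$3"
    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "missing PEM files in $lineage" >&2
        return 1
    fi
    umask 077                       # nothing created here is group/world readable
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        # Write to a temp name, then rename, so a reader never sees a partial file.
        tmp="$dest/.$f.$$"
        cp -L "$lineage/$f" "$tmp" || return 1
        chmod 600 "$tmp" || return 1
        mv -f "$tmp" "$dest/$f" || return 1
    done
    # Ownership can only be handed over when running as root (as certbot does).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    return 0
}

# Act only when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_cert_for_service "$RENEWED_LINEAGE" "$DEST_DIR" "$SVC_USER"
fi
```

With this in place, --server.sslCertFile and --server.sslKeyFile point at the copies in the destination directory, and the server needs a restart after renewal to load the new certificate.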