fedn icon indicating copy to clipboard operation
fedn copied to clipboard

Published 20 hours ago verified publisher icon scaleoutsystems

Refactor/SK-936 | Clean up certs and remove /add_combiner logic

Open Wrede opened this issue 7 months ago • 0 comments

This PR cleans up the old cert managment of sending certs via REST from controller to combiner and clients. Certs for gRPC clients can now fully be controlled via environment variables FEDN_GRPC_CERT_PATH which will be read and included as ssl credential in gRPC channels. To control different certs for mutiple combiners one can use FEDN_GRPC_CERT_PATH_<COMBINER NAME> where COMBINER NAME is as stored in the statestore. Certs (and the private key) is no longer stored in the statestore (risky), and is not sent over http(s). The server (combiner) can setup certs via "cert_path" and "key_path" which can be provided in the config file. Obs that this is only for gRPC and not REST.

The logic for adding a combiner to the network has changed. Previously, the combiner had to post to the endpoint /add_combiner of the REST API which then returns statestore and modelstore configs (inluding password/access secrets, which is very risky) and added the combiner to statestore. This logic has been removed and instead the combiner requires configs (file) from admin at server start, the combiner will then directly communicate with the statestore server to add the combiner. The combiner in the state does no longer store the certs. However, storage(model) configs is still stored in the statestore (inluding password). This should be removed in a future PR.

Additional:

  • unpinned torch in mnist-pytorch (had problems installing 2.3.1, unsure why)
  • Added native config files so that only mongo and minio is required to run via compose. Controller, combiner and clients can run in native mode over localhost network.
  • Added typed dict ServerConfig for gRPC server
  • setting/downloading the package and saving to file path was hard coded to /app/config (related to docker image) which made it impossibe to use controller in native mode. All /app/config in API has been changed to os.getcwd().
  • Client does no longer expect "package" config from controller (if it should be remote or local), the client decide if it want to download a package or use local.
  • init of statestore client and modelstore clients on the server side (combiner) has been removed to shared.py for ease of readbility and decrease redudancy.

Wrede avatar Jul 10 '24 10:07 Wrede