Skip to content

feat: use grpc secure channel #783

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

feat: use grpc secure channel #783

wants to merge 18 commits into from

Conversation

@etiennearnal
Copy link
Member

@etiennearnal etiennearnal commented Nov 26, 2025
edited by echambla
Loading

Description

Including the usage of secure channels upon Speos client.
Secure channel creation is based on cyberchannel.
[breaking change] Speos constructor parameters host and port are removed. Please consider to create the grpc.Channel using default_local_channel:

# Create default channel (to use when server was started with `SpeosRPC_Server.exe`)
Speos(channel=default_local_channel())
# Create channel with custom port and message size (to use when server was started with `SpeosRPC_Server.exe --port 53123`)
Speos(channel=default_local_channel(port=53123, message_size=20000000))
# Create insecure channel (to use when server was started with `SpeosRPC_Server.exe --transport-insecure`)
transport = TransportOptions(
    mode=TransportMode.INSECURE,
    options=InsecureOptions(host=host, port=port, allow_remote_host=True)
)
grpc_options = [("grpc.max_receive_message_length", message_size)]
Speos(channel=transport.create_channel(grpc_options))

Checklist

  • I have tested my changes locally.
  • I have added necessary documentation or updated existing documentation.
  • I have followed the coding style guidelines of this project.
  • I have added appropriate tests (unit, integration, system).
  • I have reviewed my changes before submitting this pull request.
  • I have linked the issue or issues that are solved by the PR if any.
  • I have assigned this PR to myself.
  • I have made sure that the title of my PR follows Conventional commits style (e.g. feat: add optical property)
  • I have agreed with the Contributor License Agreement (CLA).

@github-actions github-actions bot added documentation Improvements or additions to documentation maintenance Package and maintenance related testing Anything related to tests enhancement New features or code improvements labels Nov 26, 2025
@etiennearnal etiennearnal changed the title feat: Use gRPC secure channel feat: use grpc secure channel Nov 26, 2025
etiennearnal
etiennearnal commented Nov 26, 2025
View reviewed changes
@codecov
Copy link

codecov bot commented Nov 28, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 58.73016% with 52 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.03%. Comparing base (4b67954) to head (988ec62).

Files with missing lines Patch % Lines
...c/ansys/speos/core/kernel/grpc/transportoptions.py 71.62% 21 Missing ⚠️
src/ansys/speos/core/kernel/client.py 35.00% 13 Missing ⚠️
src/ansys/speos/core/kernel/job.py 59.09% 9 Missing ⚠️
src/ansys/speos/core/launcher.py 10.00% 9 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #783      +/-   ##
==========================================
- Coverage   88.99%   87.03%   -1.97%     
==========================================
  Files          39       40       +1     
  Lines        5653     5760     +107     
==========================================
- Hits         5031     5013      -18     
- Misses        622      747     +125

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

pluAtAnsys
pluAtAnsys reviewed Nov 29, 2025
View reviewed changes
src/ansys/speos/core/launcher.py
err, stderr_file = tempfile.mkstemp(suffix="speos_err.txt", dir=logfile_loc)

subprocess.Popen(command, stdout=out, stderr=err) # nosec B603
return Speos(
Copy link
Collaborator

@pluAtAnsys pluAtAnsys Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will not create local RPC server if using version before 2025.2.3. We can:
Option 1. if version <= 252, using the previous Speos method and raise security warning message
Option 2. raise error directly that this method only supports from 252.
@etiennearnal @StefanThoene @jomadec

Copy link
Member Author

@etiennearnal etiennearnal Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pluAtAnsys we did Service Packs for all previous releases of SpeosRPC_Server (251 & 252), so the goal is to no more support the previous versions that has the vulnerabilities.
I think we have to move forward and consider that users have to use the latest available Service Pack (supporting --transport_xxx option). In other cases, user can duplicate the function manually on there side.

tests/core/test_launcher.py
assert running is not closed


@patch.object(subprocess, "Popen")
Copy link
Collaborator

@pluAtAnsys pluAtAnsys Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@StefanThoene let's check on this

Copy link
Member Author

@etiennearnal etiennearnal Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pluAtAnsys The test doesn't make any sense, client cannot start a docker from python. Docker image must be started by user before launching the tests.

Copy link
Member Author

@etiennearnal etiennearnal Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, the code seems to launch a local SpeosRPC_Server.
Image

doc/source/getting_started/docker/common_docker.rst
from ansys.speos.core import Speos
speos = Speos(host="127.0.0.1", port=50098)
speos = Speos(channel = default_docker_channel())
Copy link
Collaborator

@pluAtAnsys pluAtAnsys Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
speos = Speos(channel = default_docker_channel())
speos = Speos()
Be aware that such docker is launched via insecure channel
By default, the ``Speos`` instance connects to ``"localhost"`` on
port ``50098``.
You can change this by modifying the ``host`` and ``port``
parameters of ``default_docker_channel``, but note that you must also modify
your ``docker run`` command by changing the ``<HOST-PORT>-50098`` argument.
The following tabs show the commands that set the ``host`` and ``port``
parameters of ``default_docker_channel``.
.. code:: python
from ansys.speos.core import Speos, default_docker_channel
speos = Speos(channel = default_docker_channel(host="127.0.0.1", port=50098))

@etiennearnal @jomadec could you please review this? also, could we provide explanation/an example to launch docker in secure way?

echambla
echambla reviewed Dec 3, 2025
View reviewed changes
.github/workflows/nightly.yml
elif [[ "$speos_version" == "dev" ]]; then
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e SPEOS_LOG_LEVEL=2 -e ANSYSLMD_LICENSE_FILE=${{ env.ANSYSLMD_LICENSE_FILE }} -v "${{ github.workspace }}/tests/assets:/app/assets" --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:$speos_version -m 25000000 --host 0.0.0.0
elif [[ "$speos_version" == "2025.2.4.35476" ]]; then
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e SPEOS_LOG_LEVEL=2 -e ANSYSLMD_LICENSE_FILE=${{ env.ANSYSLMD_LICENSE_FILE }} -v "${{ github.workspace }}/tests/assets:/app/assets" --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:$speos_version -m 25000000 --transport_insecure--host 0.0.0.0
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e SPEOS_LOG_LEVEL=2 -e ANSYSLMD_LICENSE_FILE=${{ env.ANSYSLMD_LICENSE_FILE }} -v "${{ github.workspace }}/tests/assets:/app/assets" --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:$speos_version -m 25000000 --transport_insecure--host 0.0.0.0
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e SPEOS_LOG_LEVEL=2 -e ANSYSLMD_LICENSE_FILE=${{ env.ANSYSLMD_LICENSE_FILE }} -v "${{ github.workspace }}/tests/assets:/app/assets" --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:$speos_version -m 25000000 --transport_insecure --host 0.0.0.0

echambla
echambla reviewed Dec 3, 2025
View reviewed changes
doc/source/getting_started/docker/common_docker.rst
export LICENSE_SERVER="[email protected]"
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure --host 0.0.0.0

echambla
echambla reviewed Dec 3, 2025
View reviewed changes
doc/source/getting_started/docker/common_docker.rst
$env:LICENSE_SERVER="[email protected]"
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$env:LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$env:LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$env:LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$env:LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure --host 0.0.0.0

doc/source/getting_started/docker/common_docker.rst
set LICENSE_SERVER="[email protected]"
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=%LICENSE_SERVER% --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=%LICENSE_SERVER% --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=%LICENSE_SERVER% --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=%LICENSE_SERVER% --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure --host 0.0.0.0

echambla
echambla reviewed Dec 3, 2025
View reviewed changes
README.rst
cat GH_TOKEN.txt | docker login ghcr.io -u "$GH_USERNAME" --password-stdin
docker pull ghcr.io/ansys/speos-rpc:251
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251 --transport_insecure
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:251 --transport_insecure
docker run --detach --name speos-rpc -p 127.0.0.1:50098:50098 -e ANSYSLMD_LICENSE_FILE=$LICENSE_SERVER --entrypoint /app/SpeosRPC_Server.x ghcr.io/ansys/speos-rpc:252 --transport_insecure --host 0.0.0.0

echambla
echambla reviewed Dec 3, 2025
View reviewed changes
src/ansys/speos/core/kernel/client.py
return False
try:
grpc.channel_ready_future(self.channel).result(timeout=60)
grpc.channel_ready_future(self.channel).result(timeout=10)
Copy link
Collaborator

@echambla echambla Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was the default timeout changed on purpose?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pluAtAnsys pluAtAnsys pluAtAnsys left review comments

@echambla echambla echambla left review comments

@jomadec jomadec Awaiting requested review from jomadec jomadec is a code owner

@StefanThoene StefanThoene Awaiting requested review from StefanThoene StefanThoene is a code owner

@Revathyvenugopal162 Revathyvenugopal162 Awaiting requested review from Revathyvenugopal162 Revathyvenugopal162 is a code owner

@SMoraisAnsys SMoraisAnsys Awaiting requested review from SMoraisAnsys SMoraisAnsys is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@etiennearnal etiennearnal

Labels

documentation Improvements or additions to documentation enhancement New features or code improvements maintenance Package and maintenance related testing Anything related to tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@etiennearnal @pluAtAnsys @echambla @pyansys-ci-bot