updating with most recent code and syncing versions

Author: rps9

Dockerfile

@@ -1,6 +1,3 @@
-# Python version can be changed, e.g.
-# FROM python:3.8
-# FROM ghcr.io/mamba-org/micromamba:1.5.1-focal-cuda-11.3.1
 FROM docker.io/python:3.12.1-slim-bookworm
 
 LABEL org.opencontainers.image.authors="FedMed Demo" \
@@ -13,6 +10,20 @@ WORKDIR ${SRCDIR}
 COPY requirements.txt .
 RUN --mount=type=cache,sharing=private,target=/root/.cache/pip pip install -r requirements.txt
 
+# NEW: install ssh client + autossh for reverse tunnels
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      openssh-client autossh ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      openssh-client autossh ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+# IMPORTANT: ensure UID 1001 exists for Apptainer/CUBE runtime
+RUN if ! getent passwd 1001 >/dev/null 2>&1; then \
+      useradd -u 1001 -m appuser; \
+    fi
+
 COPY . .
 ARG extras_require=none
 RUN pip install .[${extras_require}] \

app.py

@@ -18,7 +18,7 @@
 
 from chris_plugin import chris_plugin
 
-__version__ = "0.1.4"
+__version__ = "0.1.7"
 
 APP_PACKAGE = "fedmed_flower_app"
 APP_DIR = Path(resources.files(APP_PACKAGE))
@@ -81,6 +81,44 @@ def build_parser() -> ArgumentParser:
         help="fraction of clients used for evaluation",
     )
     parser.add_argument("--json", action="store_true", help=argparse.SUPPRESS)
+
+    # NEW optional bastion-related arguments (for reverse tunnelling)
+    parser.add_argument("--bastion-host", default=None, help="SSH bastion hostname for reverse tunneling")
+    parser.add_argument("--bastion-user", default=None, help="SSH user on bastion")
+    parser.add_argument("--bastion-port", type=int, default=22, help="SSH port on bastion")
+
+    parser.add_argument(
+        "--bastion-key",
+        type=str,
+        default="id_ed25519",
+        help="path to SSH private key inside container",
+    )
+    parser.add_argument(
+        "--bastion-known-hosts",
+        type=str,
+        default="known_hosts",
+        help="path to known_hosts file; if missing, host key checking is relaxed",
+    )
+
+    parser.add_argument(
+        "--bastion-fleet-port",
+        type=int,
+        default=19092,
+        help="remote port on bastion forwarding to Fleet API",
+    )
+    parser.add_argument(
+        "--bastion-control-port",
+        type=int,
+        default=19093,
+        help="remote port on bastion forwarding to Control API",
+    )
+    parser.add_argument(
+        "--bastion-serverapp-port",
+        type=int,
+        default=19091,
+        help="remote port on bastion forwarding to ServerAppIo",
+    )
+
     parser.add_argument(
         "-V",
         "--version",
@@ -90,6 +128,7 @@ def build_parser() -> ArgumentParser:
     return parser
 
 
+
 parser = build_parser()
 
 
@@ -171,6 +210,175 @@ def _prepare_environment(state_dir: str) -> tuple[dict[str, str], Path]:
     env["FLWR_HOME"] = str(flwr_home)
     return env, flwr_home
 
+def _resolve_input_file(inputdir: Path, raw_path: str) -> Path | None:
+    """
+    Resolve a file that is supposed to live under the plugin's input directory.
+
+    Cases:
+      - relative path: look in inputdir / raw_path, else search by basename
+      - absolute path starting with /incoming: treat it as a hint and search
+        under inputdir for the same basename
+      - any other absolute path: only use it if it actually exists
+    """
+    base = inputdir
+    p = Path(raw_path)
+
+    # Case 1: relative path like "id_ed25519" or "keys/id_ed25519"
+    if not p.is_absolute():
+        candidate = base / p
+        if candidate.is_file():
+            print(f"[fedmed-pl-superlink] using bastion file: {candidate}", flush=True)
+            return candidate
+
+        # try by basename anywhere under inputdir
+        basename = p.name
+        matches = list(base.rglob(basename))
+        if matches:
+            chosen = matches[0]
+            print(
+                f"[fedmed-pl-superlink] resolved {raw_path} -> {chosen} (found under {base})",
+                flush=True,
+            )
+            return chosen
+
+        print(
+            f"[fedmed-pl-superlink] ERROR: could not find {raw_path} under {base}",
+            flush=True,
+        )
+        return None
+
+    # Case 2: absolute path under /incoming – treat as hint
+    if str(p).startswith("/incoming/"):
+        basename = p.name
+        if base.exists():
+            matches = list(base.rglob(basename))
+            if matches:
+                chosen = matches[0]
+                print(
+                    f"[fedmed-pl-superlink] resolved {raw_path} -> {chosen} (found under {base})",
+                    flush=True,
+                )
+                return chosen
+        print(
+            f"[fedmed-pl-superlink] ERROR: {raw_path} not usable and nothing named {basename} under {base}",
+            flush=True,
+        )
+        return None
+
+    # Case 3: other absolute path – only accept if it actually exists
+    if p.is_file():
+        print(f"[fedmed-pl-superlink] using bastion file (absolute): {p}", flush=True)
+        return p
+
+    print(
+        f"[fedmed-pl-superlink] ERROR: absolute path {raw_path} does not exist",
+        flush=True,
+    )
+    return None
+
+# Added for reverse tunelling
+def _maybe_open_reverse_tunnels(
+    options: Namespace,
+    inputdir: Path,
+    fleet_local: str,
+    control_local: str,
+    serverapp_local: str,
+) -> Process | None:
+    """Optionally open reverse SSH tunnels from this container to a bastion.
+
+    Exposes bastion:<bastion_*_port> -> container:<local ports>.
+    If bastion_host or bastion_user is unset, this is a no-op.
+    """
+    bastion_host = options.bastion_host
+    bastion_user = options.bastion_user
+    if not bastion_host or not bastion_user:
+        return None
+
+    # Resolve original key under /share/incoming (read-only bind mount)
+    orig_key_path = _resolve_input_file(inputdir, options.bastion_key)
+    if orig_key_path is None:
+        print("[fedmed-pl-superlink] WARNING: no valid SSH key found; skipping reverse tunnels", flush=True)
+        return None
+
+    # 🔑 Copy key to a writable location and fix permissions there
+    keys_dir = Path("/tmp/fedmed-ssh")
+    keys_dir.mkdir(parents=True, exist_ok=True)
+
+    key_path = keys_dir / orig_key_path.name
+    try:
+        shutil.copy2(orig_key_path, key_path)
+        key_path.chmod(0o600)
+        print(
+            f"[fedmed-pl-superlink] copied bastion key to {key_path} and set permissions 0600",
+            flush=True,
+        )
+    except Exception as exc:
+        print(
+            f"[fedmed-pl-superlink] ERROR: failed to copy/chmod bastion key: {exc}",
+            flush=True,
+        )
+        return None
+
+    # Optional: handle known_hosts similarly
+    known_hosts_path = None
+    if options.bastion_known_hosts:
+        orig_known = _resolve_input_file(inputdir, options.bastion_known_hosts)
+        if orig_known and orig_known.is_file():
+            try:
+                known_hosts_path = keys_dir / "known_hosts"
+                shutil.copy2(orig_known, known_hosts_path)
+                print(
+                    f"[fedmed-pl-superlink] copied known_hosts to {known_hosts_path}",
+                    flush=True,
+                )
+            except Exception as exc:
+                print(
+                    f"[fedmed-pl-superlink] WARNING: failed to copy known_hosts: {exc}",
+                    flush=True,
+                )
+                known_hosts_path = None
+
+    ssh_opts: list[str] = [
+        "-o", "ServerAliveInterval=30",
+        "-o", "ServerAliveCountMax=3",
+        "-o", "ExitOnForwardFailure=yes",
+    ]
+
+    if known_hosts_path and known_hosts_path.exists():
+        ssh_opts.extend([
+            "-o", f"UserKnownHostsFile={known_hosts_path}",
+            "-o", "StrictHostKeyChecking=yes",
+        ])
+    else:
+        ssh_opts.extend(["-o", "StrictHostKeyChecking=no"])
+
+    cmd: list[str] = [
+        "ssh",
+        "-vv",
+        "-N",
+        *ssh_opts,
+        "-p", str(options.bastion_port),
+        "-i", str(key_path),
+        "-R", f"0.0.0.0:{options.bastion_fleet_port}:{fleet_local}",
+        "-R", f"0.0.0.0:{options.bastion_control_port}:{control_local}",
+        "-R", f"0.0.0.0:{options.bastion_serverapp_port}:{serverapp_local}",
+        f"{bastion_user}@{bastion_host}",
+    ]
+
+    #_check_superlink_reachable(options.superlink_host, options.bastion_port)
+
+    print(f"[fedmed-pl-superlink] opening reverse tunnels: {' '.join(cmd)}", flush=True)
+    proc = subprocess.Popen(
+        cmd,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+    _register_child(proc)
+    threading.Thread(target=_stream_lines, args=(proc.stdout, "ssh"), daemon=True).start()
+    threading.Thread(target=_stream_lines, args=(proc.stderr, "ssh"), daemon=True).start()
+    return proc
+
 
 def handle_signals() -> None:
     def _handle(signum, _frame):  # type: ignore[override]
@@ -289,9 +497,21 @@ def main(options: Namespace, inputdir: Path, outputdir: Path) -> None:
         "===============================\n",
         flush=True,
     )
-    del inputdir
     handle_signals()
 
+    # DEBUG: show what pl-dircopy actually put into /incoming
+    print(f"[fedmed-pl-superlink] DEBUG: inputdir = {inputdir}", flush=True)
+    root = inputdir
+    if not root.exists():
+        print(f"[fedmed-pl-superlink] DEBUG: {root} does not exist", flush=True)
+    else:
+        for p in root.rglob("*"):
+            try:
+                rel = p.relative_to(root)
+            except ValueError:
+                rel = p
+            print(f"  {root}/{rel}", flush=True)
+
     if getattr(options, "json", False):
         emit_plugin_json()
         return
@@ -330,11 +550,27 @@ def main(options: Namespace, inputdir: Path, outputdir: Path) -> None:
             + ", ".join(reachable_ips),
             flush=True,
         )
+        # Use the first container IP as the target for SSH -R
+        tunnel_ip = reachable_ips[0]
+        print(
+            f"[fedmed-pl-superlink] using {tunnel_ip} as SSH -R backend target",
+            flush=True,
+        )
     else:
         print(
-            "[fedmed-pl-superlink] unable to auto-detect host IPs.",
+            "[fedmed-pl-superlink] unable to auto-detect host IPs; "
+            "falling back to 127.0.0.1 for SSH -R backend (may fail on host)",
             flush=True,
         )
+        tunnel_ip = "127.0.0.1"
+
+    # Local targets *from the EC2 host's perspective* for SSH -R
+    fleet_local     = f"{tunnel_ip}:{options.fleet_port}"
+    control_local   = f"{tunnel_ip}:{options.control_port}"
+    serverapp_local = f"{tunnel_ip}:{options.serverapp_port}"
+
+    # Open reverse tunnels to bastion (no-op if bastion_* not set)
+    _maybe_open_reverse_tunnels(options, inputdir, fleet_local, control_local, serverapp_local)
 
     superlink = _launch_superlink(addresses, env)
     time.sleep(max(0, options.startup_delay))

fedmed_flower_app/fedmed_flower_app/__init__.py

@@ -10,4 +10,4 @@
     "server_app",
 ]
 
-__version__ = "0.1.4"
+__version__ = "0.1.7"

fedmed_flower_app/fedmed_flower_app/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "fedmed-flower-app"
-version = "0.1.4"
+version = "0.1.7"
 description = "FedMed Flower App"
 license = {text = "MIT"}
 authors = [{name = "FedMed Team", email = "[email protected]"}]