Optimize gateway startup and service update time (#2153)

Avoid running certbot if the certificate exists. This greatly reduces the gateway startup time when many services or entrypoints are being re-registered. Running certbot can take 3-4 seconds, even if the certificate already exists and there is nothing to do. Certificate renewal is not an issue as it is done by certbot's built-in systemd timer.
dstackai · Dec 27, 2024 · 09cf464 · 09cf464
1 parent 361891c
commit 09cf464
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/src/dstack/_internal/proxy/gateway/services/nginx.py b/src/dstack/_internal/proxy/gateway/services/nginx.py
@@ -105,8 +105,11 @@ def write_conf(self, conf: str, conf_name: str) -> None:
                 sudo_rm(conf_path)
             raise
 
-    @staticmethod
-    def run_certbot(domain: str, acme: ACMESettings) -> None:
+    @classmethod
+    def run_certbot(cls, domain: str, acme: ACMESettings) -> None:
+        if cls.certificate_exists(domain):
+            return
+
         logger.info("Running certbot for %s", domain)
 
         cmd = ["sudo", "timeout", "--kill-after", str(CERTBOT_2ND_TIMEOUT), str(CERTBOT_TIMEOUT)]
@@ -134,6 +137,11 @@ def run_certbot(domain: str, acme: ACMESettings) -> None:
         if r.returncode != 0:
             raise ProxyError(f"Error obtaining {domain} TLS certificate:\n{r.stderr.decode()}")
 
+    @staticmethod
+    def certificate_exists(domain: str) -> bool:
+        cmd = ["sudo", "test", "-e", f"/etc/letsencrypt/live/{domain}/fullchain.pem"]
+        return subprocess.run(cmd, timeout=2).returncode == 0
+
     @staticmethod
     def get_config_name(domain: str) -> str:
         return f"443-{domain}.conf"