Nominatim CLI for all users

[rscop]

I was facing some problems when trying to use nominatim commands on others user instead of "nominatim":

1. Python packages installed in venv
2. User permissions for DB

What I did to solve this:
I changed the file /usr/local/bin/nominatim:

#!/usr/bin/env bash

venv_path="/nominatim/home/nominatim-venv" # Your venv location

export PGUSER=nominatim

source "$venv_path/bin/activate"

python3 - << EOF "$@"
import sys
import os

sys.path.insert(1, '/usr/local/lib/nominatim/lib-python')

from nominatim import cli
from nominatim import version

version.GIT_COMMIT_HASH = ''

exit(cli.nominatim(module_dir='/usr/local/lib/nominatim/module',
                   osm2pgsql_path='/usr/local/lib/nominatim/osm2pgsql'))
EOF

This solve my venv problem and also sets the correct user for DB access.
I needed to give user permissions to run commands as nominatim user, so added this line in the end of /etc/sudoers:

ALL ALL=(nominatim) NOPASSWD: /usr/local/bin/nominatim

With this, all users can now execute this command (nominatim) as user nominatim (without using sudo su ...) .
And finally I needed to solve "peer authentication" error by editing the file /etc/postgresql/14/main/pg_hba.conf:

# "local" is for Unix domain socket connections only
local   nominatim       all                                     trust # This line need come first
local   all             all                                     peer

I added that line, so that users can now login as nominatim user without problems.
Important note: the nominatim user configuration needs to be defined before the config for all users, as postgresql will use the first valid configuration when trying to access the DB.

I did this because I'm using an Java application and it need to make reverse requests. As the server receive many connections (1k-10k/second) TCP and UDP I thought that using CLI would be much better than configure the API and making requests to it, leaving all the "network space" for the external connections to the server

I couldn't find anything related to this use case or anyone having the same problem, so I'm not sure if this is the best aproach for this problem. So, If anyone have any tips, warning, advices, anything, I'd be glad to listen.

[mtmail]

As the server receive many connections (1k-10k/second) TCP and UDP I thought that using CLI would be much better than configure the API

Wouldn't the CLI be started and compiled for each geocoding request?

[lonvia]

To run installed nominatim cli binary under a virtual environment, you can simply run it against the venv's python binary, e.g:

/nominatim/home/nominatim-venv/bin/python /usr/local/bin/nominatim

If you do insist on editing usr/local/bin/nominatim, then all you really have to do is replace the very first line in the file:

#!/nominatim/home/nominatim-venv/bin/python

The sudo part really isn't needed. Just make sure that the files in /nominatim/home/nominatim-venv/ are readable by all users who need access. For example, to make them accessible to all users run: chmod -R +rX nominatim/home/nominatim-venv/. Now every user should be able to use the binary.

For the access to the database, I would advise to make users use the read-only user, if they are only supposed to send queries. If not configured otherwise that would be the 'www-data' user. Instead of changing the trust-level in your database, you can also give this user a password and use a password-based access:

NOMINATIM_DATABASE_DSN="pgsql:dbname=nominatim;port=5432;user=www-data;password=mysupersecretpassword" nominatim reverse ...

(The 'port' is important here because it makes the library switch from socket-based to a TCP-based connection which uses different trust levels.)

All that said, I concur with @mtmail that you might still be faster with talking to a server, especially if you configure and use keep-alive properly.

[rscop]

Wouldn't the CLI be started and compiled for each geocoding request?

@mtmail I thought that, but I have a big problem.
I have this server that receive 10K requests/second in one application (this is not a real problem, because 90% of the devices send UDP packets). Then, it communicates with 3 other local applications via TCP (same message for different purposes...), and also often one of these applications needs to communicate with another application and receive requests from an external web application, also via TCP (the network now has 45k-50k open connections).
I was asked to use CLI instead of a local API for the requests and I also need to use Nominatim and these applications on the same machine.
Personally, I think using the API won't be a problem, as we already make requests throught another external API. I'm in the early stages of testing and will compare both solutions to see if I will have performance issues so I can bring this to table.

@lonvia running the cli binary under python binary with the DSN parameter worked fine, a much easier solution than I initially thought.

All that said, I concur with @mtmail that you might still be faster with talking to a server, especially if you configure and use keep-alive properly.

About that, each connection this application receives creates a new thread, and each thread makes a request to the API, so I'm not sure if I can set up a keep-alive for this in the given time.

I know that this network problem will be solved by refactoring the code of these old applications, and we are working on that, but it will not be in the time the company has given for the task.

Thank you for your responses and suggestions.