Description
Dedicated Solver Service - ELI5
Yes, you need another service/container. Here's the simplest breakdown:
Current (Vulnerable):

```text
Internet → API Server (has docker.sock) ⚠
               ↓
        Spawns solver containers
```

- One service does everything: accepts uploads from the internet and talks to docker.sock
- If it is compromised, the host is owned: docker.sock is root-equivalent, because anyone who can reach it can start a container with the host filesystem mounted
Secure (Two Services):

```text
Internet → Web API (NO docker.sock) ✓
               → http://solver-service:8081/solve
           Solver Service (has docker.sock) ⚠
           (internal network only)
               ↓
        Spawns solver containers
```
What changes:
- Web API: takes uploads, validates them (size, file type), forwards them to the internal service over HTTP, never mounts docker.sock
- Solver Service: internal HTTP API that calls astrometry-go-client; reachable only by service name on the internal network, never published on a host port

Security win: an attacker who compromises the Web API no longer gets docker.sock; from there the only thing they can reach is the solver service's `/solve` endpoint, so they need a second bug in that handler to get to the host.

Caveat: the solver service still holds a root-equivalent socket, so its handler has to treat every request as hostile (bounded body, file-type check, nothing caller-controlled turned into a path or a command argument), and the internal network must have no route from the outside. Two services is the structure; the `/solve` handler is where the remaining risk lives.
How Close Is astrometry-go-client?
Very close - it's basically ready!
Looking at /home/diarmuid/personal-code/astrometry-go-client:
✓ Already has everything needed:
- Client with Solve() method
- Clean API
- Docker integration
- Error handling
To make it a solver service: ~1-2 hours work
```go
// solver-service/main.go (new repo)
package main

import (
	"log"
	"net/http"
	"time"

	client "github.com/DiarmuidKelly/astrometry-go-client"
)

func main() {
	// Use the SAME client code; this process is the only one that talks to docker.sock.
	astrometryClient, err := client.NewClient(&client.ClientConfig{
		IndexPath:     "/data/indexes",
		UseDockerExec: true,
	})
	if err != nil {
		log.Fatalf("create astrometry client: %v", err)
	}

	// Simple HTTP wrapper
	mux := http.NewServeMux()
	mux.HandleFunc("/solve", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		// Parse multipart form (bounded, so a caller cannot exhaust memory)
		// Call astrometryClient.Solve()
		// Return JSON
		_ = astrometryClient // placeholder until Solve() is wired in
	})

	// Port 8081 is only reachable on the internal network; never publish it on the host.
	srv := &http.Server{Addr: ":8081", Handler: mux, ReadHeaderTimeout: 10 * time.Second}
	log.Fatal(srv.ListenAndServe())
}
```
That's it! The client library does all the heavy lifting.
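The other half of the split, the Web API from the "What changes" list above, as an added example that is not code from this issue or from astrometry-go-client: it takes the upload, bounds and validates it, and forwards it to `http://solver-service:8081/solve` over plain HTTP with no docker.sock anywhere in the process. The 32 MiB limit, the accepted formats (FITS, JPEG, PNG, checked by leading bytes), the `image` form field name and the `SolveResult` JSON shape are all assumptions about the solver service's contract, not something the issue specifies.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"mime/multipart"
	"net/http"
)

// maxUpload caps what the Web API accepts before it forwards anything (assumed limit).
const maxUpload = 32 << 20

// SolveResult is the JSON shape the solver service is assumed to return.
type SolveResult struct {
	Solved bool    `json:"solved"`
	RA     float64 `json:"ra"`
	Dec    float64 `json:"dec"`
}

// validateUpload checks size and leading bytes so only FITS, JPEG or PNG data ever reaches the solver.
func validateUpload(data []byte) error {
	if len(data) == 0 || len(data) > maxUpload {
		return fmt.Errorf("upload of %d bytes is outside 1..%d", len(data), maxUpload)
	}
	switch {
	case bytes.HasPrefix(data, []byte("SIMPLE  =")): // FITS primary header keyword
	case bytes.HasPrefix(data, []byte{0xFF, 0xD8, 0xFF}): // JPEG SOI marker
	case bytes.HasPrefix(data, []byte("\x89PNG\r\n\x1a\n")): // PNG signature
	default:
		return errors.New("unsupported file type")
	}
	return nil
}

// forwardToSolver posts the validated image to the internal solver service as a multipart form and decodes its JSON reply.
func forwardToSolver(ctx context.Context, hc *http.Client, solverURL, name string, data []byte) (SolveResult, error) {
	var res SolveResult
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	part, err := mw.CreateFormFile("image", name)
	if err != nil {
		return res, err
	}
	_, _ = part.Write(data) // in-memory buffer: cannot fail
	_ = mw.Close()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, solverURL, &body)
	if err != nil {
		return res, err
	}
	req.Header.Set("Content-Type", mw.FormDataContentType())
	resp, err := hc.Do(req)
	if err != nil {
		return res, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return res, fmt.Errorf("solver returned HTTP %d", resp.StatusCode)
	}
	// Bound the reply as well: the solver is trusted more than the internet, not blindly.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&res); err != nil {
		return res, fmt.Errorf("bad solver response: %w", err)
	}
	return res, nil
}

// uploadHandler is the public endpoint: bounded read, validate, forward, relay the answer.
func uploadHandler(solverURL string, hc *http.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxUpload+4096) // image plus form overhead
		f, _, err := r.FormFile("image")                          // caller's filename is deliberately dropped
		if err != nil {
			http.Error(w, "missing or oversized image field", http.StatusBadRequest)
			return
		}
		defer f.Close()
		data, err := io.ReadAll(f)
		if err == nil {
			err = validateUpload(data)
		}
		if err != nil {
			http.Error(w, "rejected: "+err.Error(), http.StatusBadRequest)
			return
		}
		res, err := forwardToSolver(r.Context(), hc, solverURL, "upload", data)
		if err != nil {
			log.Printf("solver call failed: %v", err) // detail stays in the log, not in the reply
			http.Error(w, "solver unavailable", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(res)
	}
}
```

Mount it on the Web API's mux with `mux.HandleFunc("/upload", uploadHandler("http://solver-service:8081/solve", &http.Client{Timeout: 2 * time.Minute}))`. Two choices are deliberate: the caller's filename is replaced with a constant before forwarding, so nothing user-controlled can become a path or a command argument inside the container that holds docker.sock, and the solver's reply is size-bounded and decoded like any other untrusted input rather than trusted because it came from the internal network.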
Effort Estimate:
- Solver service: 1-2 hours (thin HTTP wrapper around existing client)
- Update API server: 1 hour (replace direct client calls with HTTP calls to solver)
- Testing: 1 hour
Total: Half a day to properly secure for production
TL;DR:
- Yes, need 2 services instead of 1
- astrometry-go-client is 95% ready - just needs thin HTTP wrapper
- ~4 hours work to make production-ready