Genie Community Forum

Problem with deploying web almond

Hi,

My name is Anggrio and I’m a student from the Australian National University. I’m currently working on a project that wants to use Almond as a base for developing a text-based virtual assistant that can filter news. My team has so far followed the documentation that is written here for the web Almond only option but we are stuck on step 3 where we are required to provide some keys. Specifically, we are unsure how to provide keys for the SECRET_KEY, JWT_SIGNING_KEY and AES_SECRET_KEY variables. We are all very new to Almond, open source, and web deployment, so any help would be greatly appreciated.

Thank you

Hi @Anggrio, welcome to the community.

Those keys should be generated randomly and then kept secret.
AES_SECRET_KEY needs to be exactly 128 bits (16 bytes), formatted as 32 hex characters. SECRET_KEY and JWT_SIGNING_KEY can be anything as long as they are formatted in hex. Choosing a 128 or 256 bit random string is recommended.

On Linux, this is a simple command to generate a strong random key of 32:

dd if=/dev/random of=/dev/stdout bs=32 count=1 | od -t x8 -w

You can then copy the hex digits and remove the spaces.

Hi Giovanni,

I tried running the command you gave and it gave me 4 sets of 16 hex characters as follows:
4d626d8cfe4a7120 54e68c7d7dcaf6cc 37053ad1642b07e5 25774060484f1c9a
Is it correct that 32 hex characters would be something like 4d626d8cfe4a712054e68c7d7dcaf6cc? As in only needing half of it (I will generate a new one for the actual key), or am I misunderstanding the requirement?

To assign the characters to the key, is it safe to just paste them in the config.js file? From previous web projects I assumed that the standard is using environment variables, but the documentation for Almond mentions that the change is done in the file itself.

Thanks again for your help

  1. You should use half of it for AES_SECRET_KEY (128 bits), and the whole 64 characters for the other two (use three different strings, to be clear)

  2. Save them in /etc/almond-cloud/config.js (alternatively: /etc/almond-cloud/config.yaml or /etc/almond-cloud/config.json). This is in fact safer than environment variables because the variables won’t accidentally leak to spawned processes, and you can use file system permissions for additional isolation.
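
The key generation described in the two replies above, as an added example that is not part of the original posts: it produces the three keys at the stated sizes without manual trimming and stores them in an owner-only file. The function names, the `NAME value` output layout (not Almond's configuration syntax) and the file name `./almond-keys.txt` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print N random bytes as 2*N lowercase hex characters on one line.
# /dev/urandom is read instead of /dev/random so the call never blocks on
# older kernels; -An drops od's offset column and -v stops it folding
# repeated lines into "*", so nothing has to be cleaned up by hand.
gen_hex_key() {
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Succeed only if $1 is exactly $2 hex characters.
is_hex_key() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
}

# Print the three keys with the sizes given in the thread: 16 bytes for
# AES_SECRET_KEY, 32 bytes for the other two, each from its own read.
gen_almond_keys() {
    aes=$(gen_hex_key 16); secret=$(gen_hex_key 32); jwt=$(gen_hex_key 32)
    is_hex_key "$aes" 32 && is_hex_key "$secret" 64 && is_hex_key "$jwt" 64 || return 1
    printf 'AES_SECRET_KEY %s\nSECRET_KEY %s\nJWT_SIGNING_KEY %s\n' "$aes" "$secret" "$jwt"
}

# Write stdin to a new file that only the owner can read or write.
write_private() {
    ( umask 077 && cat > "$1" )
}

# Usage: gen_almond_keys | write_private ./almond-keys.txt
```
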

We use a public github repository to store the file. Would the key be visible to visitors then?

Our project has to be put in a public repository (from the course requirement), but I suppose the normal case is to put it into a private/organization repository for security, right? Or are there ways to isolate config.js in the repository?

You should not store the configuration file in a public repository. The normal case is to store the configuration in some private repository (separate from the actual code repository), or some configuration management system. Barring that, having the configuration file only stored in the machine where the deployment occurs is the safest option.

Ok, I think I will have to continue following the documentation to see how we will need to do it. Would it be better to post any following questions in this discussion or should I make a different one?

Feel free to ask here or create new topics, as you prefer.


Hi Giovanni,

My team has completed step 3 by adding the secret key variables as well as the mysql server link. However, when we tried to run the command in step 4 (almond-cloud bootstrap), the following error happens:


Is there something wrong with our mysql server here?

We managed to fix the above problem by reinstalling mysql (it turns out that we accidentally installed both mariadb and mysql), but we are now stuck in step 5 and 6.
The output for step 5 is as follows:


image

The output for step 6 is as follows:
image

If my understanding is correct, we should do both of these commands at the same time right? Do you have any suggestions on what the problem is here?

Are you running both processes in the same directory? There should be a “control” socket file in the directory where you’re running the backend process.

Also, you should probably avoid running as root (unless you’re in a docker or similar environment), as that can lead to hard-to-debug permission errors…

Is the control socket file created from step 5? We just followed the instructions to run cd /srv/almond-cloud/workdir ; almond-cloud run-almond, then opened a different terminal to run almond-cloud run-frontend --80

The control socket file is created when you run the backend process (“almond-cloud run-almond”). The backend listens on the control socket and the frontend connects to it.

I think we accidentally changed the name of the control socket path on the config file, which we now changed back to ['./control']. Is the following output a sign that it is running correctly (exited with code null changed to exited with code 0 now)?

For the front end, we tried changing the port to other ones in case 80 was used but it still showed the same output:
image

From that screenshot, it looks like you stopped the backend process with Ctrl-C. Why did you do that? You need to leave both processes running at the same time.

Oh I didn’t see that. I’ll have to ask the member in charge of making this then. Then the output for the back end should stay as follows?
engine started
engine running

I think his concern was that it generated two new directories/folders as follows (the two from the top):

Yes, the backend process will create a new directory for every user registered in Web Almond. The directory contains the user’s profile.
(I’m not sure why “control” shows up as a directory, it should be a socket file. What OS are you running on? Is this WSL?)

It’s run in a remote server that should be on a Linux distribution. The directory display here is accessed through xftp, which is running on a Windows system (our local computer).

Ok yeah so it seems to be running correctly.