Fixes #30803: Bind to socket for Puma and Apache

theforeman · Sep 29, 2020 · 252cdf4 · 252cdf4
1 parent e3bf011
commit 252cdf4
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 19 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -47,12 +47,13 @@
     ensure => absent,
   }
 
-  $listen_socket = $foreman::foreman_service_bind ? {
-    Stdlib::IP::Address::V6 => "[${foreman::foreman_service_bind}]:${foreman::foreman_service_port}",
-    default                 => "${foreman::foreman_service_bind}:${foreman::foreman_service_port}",
-  }
-
   if $foreman::use_foreman_service {
+    if $foreman::apache {
+      include apache
+    }
+
+    $listen_stream = regsubst($foreman::foreman_service_bind, 'unix://|tcp://', '')
+
     systemd::dropin_file { 'foreman-socket':
       filename => 'installer.conf',
       unit     => "${foreman::foreman_service}.socket",
@@ -109,6 +110,12 @@
     ensure  => absent,
   }
 
+  if $foreman::foreman_service_bind =~ 'unix://' {
+    $proxy_backend = "${foreman::foreman_service_bind}|http://${$foreman::servername}/"
+  } else {
+    $proxy_backend = regsubst($foreman::foreman_service_bind, 'tcp://', 'http://')
+  }
+
   if $foreman::apache  {
     class { 'foreman::config::apache':
       passenger               => $foreman::passenger,
@@ -119,7 +126,7 @@
       serveraliases           => $foreman::serveraliases,
       server_port             => $foreman::server_port,
       server_ssl_port         => $foreman::server_ssl_port,
-      proxy_backend           => "http://${listen_socket}/",
+      proxy_backend           => $proxy_backend,
       ssl                     => $foreman::ssl,
       ssl_ca                  => $foreman::server_ssl_ca,
       ssl_chain               => $foreman::server_ssl_chain,

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -105,7 +105,7 @@
   Array[Stdlib::Fqdn] $serveraliases = [],
   Stdlib::Port $server_port = 80,
   Stdlib::Port $server_ssl_port = 443,
-  Stdlib::HTTPUrl $proxy_backend = 'http://localhost:3000/',
+  Pattern['^(http?|unix)://'] $proxy_backend = 'unix:///run/foreman.sock|http://localhost/',
   Hash $proxy_params = {'retry' => '0'},
   Array[String] $proxy_no_proxy_uris = ['/pulp', '/pulp2', '/streamer', '/pub', '/icons'],
   Boolean $ssl = false,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -320,10 +320,10 @@
 
   if $apache {
     $use_foreman_service = ! $passenger
-    $foreman_service_bind = '127.0.0.1'
+    $foreman_service_bind = 'unix:///run/foreman.sock'
   } else {
     $use_foreman_service = true
-    $foreman_service_bind = '0.0.0.0'
+    $foreman_service_bind = 'tcp://0.0.0.0:3000'
   }
 
   include foreman::install

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -74,7 +74,6 @@
   $foreman_service = 'foreman'
   $foreman_service_ensure = 'running'
   $foreman_service_enable = true
-  $foreman_service_port = 3000
   $foreman_service_puma_threads_min = 0
   $foreman_service_puma_threads_max = 16
   $foreman_service_puma_workers = 2

diff --git a/spec/classes/foreman_config_apache_spec.rb b/spec/classes/foreman_config_apache_spec.rb
@@ -224,14 +224,14 @@
                 .with_proxy_pass(
                   "no_proxy_uris" => ['/pulp', '/pulp2', '/streamer', '/pub', '/icons'],
                   "path"          => '/',
-                  "url"           => 'http://localhost:3000/',
+                  "url"           => 'unix:///run/foreman.sock|http://localhost/',
                   "params"        => { "retry" => '0' },
                 )
                 .with_rewrites([
                   {
                     'comment'      => 'Upgrade Websocket connections',
                     'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
-                    'rewrite_rule' => '/(.*) ws://localhost:3000/$1 [P,L]',
+                    'rewrite_rule' => '/(.*) unix:///run/foreman.sock|ws://localhost/$1 [P,L]',
                   },
                 ])
             end
@@ -251,14 +251,14 @@
                 .with_proxy_pass(
                   "no_proxy_uris" => ['/pulp', '/pulp2', '/streamer', '/pub', '/icons'],
                   "path"          => '/',
-                  "url"           => 'http://localhost:3000/',
+                  "url"           => 'unix:///run/foreman.sock|http://localhost/',
                   "params"        => { "retry" => '0' },
                 )
                 .with_rewrites([
                   {
                     'comment'      => 'Upgrade Websocket connections',
                     'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
-                    'rewrite_rule' => '/(.*) ws://localhost:3000/$1 [P,L]',
+                    'rewrite_rule' => '/(.*) unix:///run/foreman.sock|ws://localhost/$1 [P,L]',
                   },
                 ])
             end

diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
@@ -153,8 +153,8 @@
 
         it { should compile.with_all_deps }
         it { should contain_class('foreman::config::apache').with_passenger(false) }
-        it { should contain_systemd__dropin_file('foreman-socket').with_filename('installer.conf').with_unit('foreman.socket').with_content(/^ListenStream=127\.0\.0\.1:3000$/) }
-        it { should contain_systemd__dropin_file('foreman-service').with_filename('installer.conf').with_unit('foreman.service').with_content(/^Environment=FOREMAN_BIND=127.0.0.1$/) }
+        it { should contain_systemd__dropin_file('foreman-socket').with_filename('installer.conf').with_unit('foreman.socket').with_content(/^ListenStream=\/run\/foreman\.sock$/) }
+        it { should contain_systemd__dropin_file('foreman-service').with_filename('installer.conf').with_unit('foreman.service').with_content(/^Environment=FOREMAN_BIND=unix:\/\/\/run\/foreman\.sock$/) }
         it do
           should contain_concat__fragment('foreman_settings+01-header.yaml')
             .with_content(/^:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN$/)
@@ -316,7 +316,7 @@
         }
       end
 
-      context 'with passenger' do 
+      context 'with passenger' do
         let(:params) { super().merge(passenger: true) }
 
         describe 'with url ending with trailing slash' do

diff --git a/templates/foreman.service-overrides.erb b/templates/foreman.service-overrides.erb
@@ -3,7 +3,6 @@ User=<%= scope['foreman::user'] %>
 Environment=FOREMAN_ENV=<%= scope['foreman::rails_env'] %>
 Environment=FOREMAN_HOME=<%= scope['foreman::app_root'] %>
 Environment=FOREMAN_BIND=<%= scope['foreman::foreman_service_bind'] %>
-Environment=FOREMAN_PORT=<%= scope['foreman::foreman_service_port'] %>
 Environment=FOREMAN_PUMA_THREADS_MIN=<%= scope['foreman::foreman_service_puma_threads_min'] %>
 Environment=FOREMAN_PUMA_THREADS_MAX=<%= scope['foreman::foreman_service_puma_threads_max'] %>
 Environment=FOREMAN_PUMA_WORKERS=<%= scope['foreman::foreman_service_puma_workers'] %>
diff --git a/templates/foreman.socket-overrides.erb b/templates/foreman.socket-overrides.erb
@@ -1,3 +1,7 @@
 [Socket]
 ListenStream=
-ListenStream=<%= @listen_socket %>
+ListenStream=<%= @listen_stream %>
+<% if scope['foreman::apache'] -%>
+SocketUser=<%= scope['apache::user'] %>
+SocketMode=0700
+<% end -%>