Fixes #30465 - Run services in SELinux enforcing mode
ekohl committed Sep 7, 2020
1 parent 8e71bbb commit 1b77a5b
Showing 7 changed files with 54 additions and 30 deletions.
10 changes: 9 additions & 1 deletion manifests/config.pp
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
order => '01',
}

file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir]:
file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir, $pulpcore::pulp_static_root]:
ensure => directory,
owner => $pulpcore::user,
group => $pulpcore::group,
Expand All @@ -30,6 +30,14 @@
pulpcore::admin { 'collectstatic --noinput':
refreshonly => true,
subscribe => Concat['pulpcore settings'],
require => File[$pulpcore::pulp_static_root],
}

file { $pulpcore::libexecdir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}

selinux::port { 'pulpcore-api-port':
Expand Down
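Review bot: The new `file { $pulpcore::libexecdir:` block is the only directory in this file owned by root rather than `$pulpcore::user`, and nothing records why, so a later edit could "fix" the ownership and make the wrappers writable by the service account. A one-line comment above the resource would pin it down, e.g. `# Root-owned on purpose: holds the wrappers the systemd units exec, which are the SELinux domain entry points and must not be writable by the service user.` The wrappers themselves get `seltype => 'pulpcore_exec_t'` in service.pp; whether the directory also needs an explicit label depends on the policy's file contexts, which this page does not show.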
5 changes: 5 additions & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@
# @param config_dir
# Pulp configuration directory
#
# @param libexecdir
# The directory used to write wrappers. These wrappers are used in the
# systemd services and take care of the transition to the correct domain.
#
# @param user
# Pulp user
#
Expand Down Expand Up @@ -94,6 +98,7 @@
class pulpcore (
Stdlib::Absolutepath $cache_dir = '/var/lib/pulp/tmp',
Stdlib::Absolutepath $config_dir = '/etc/pulp',
Stdlib::Absolutepath $libexecdir = '/usr/libexec/pulpcore',
String $user = 'pulp',
String $group = 'pulp',
Stdlib::Absolutepath $user_home = '/var/lib/pulp',
Expand Down
39 changes: 27 additions & 12 deletions manifests/service.pp
Original file line number Diff line number Diff line change
@@ -1,23 +1,37 @@
# configure, enable, and start pulpcore services
# @api private
class pulpcore::service {
['gunicorn', 'rq'].each |$bin| {
file { "${pulpcore::libexecdir}/${bin}":
ensure => file,
content => "#!/bin/bash\nexec ${bin} \"$@\"\n",
owner => 'root',
group => 'root',
mode => '0755',
# https://github.com/pulp/pulpcore-selinux/pull/13 introduces this file context
seltype => 'pulpcore_exec_t',
}
}

systemd::unit_file { 'pulpcore-api.service':
content => template('pulpcore/pulpcore-api.service.erb'),
active => true,
enable => true,
content => template('pulpcore/pulpcore-api.service.erb'),
active => true,
enable => true,
subscribe => File["${pulpcore::libexecdir}/gunicorn"],
}

systemd::unit_file { 'pulpcore-content.service':
content => template('pulpcore/pulpcore-content.service.erb'),
active => true,
enable => true,
content => template('pulpcore/pulpcore-content.service.erb'),
active => true,
enable => true,
subscribe => File["${pulpcore::libexecdir}/gunicorn"],
}

systemd::unit_file { 'pulpcore-resource-manager.service':
content => template('pulpcore/pulpcore-resource-manager.service.erb'),
active => true,
enable => true,
content => template('pulpcore/pulpcore-resource-manager.service.erb'),
active => true,
enable => true,
subscribe => File["${pulpcore::libexecdir}/rq"],
}

systemd::unit_file { 'pulpcore-worker@.service':
Expand All @@ -26,9 +40,10 @@

Integer[1, $pulpcore::worker_count].each |$n| {
service { "pulpcore-worker@${n}.service":
ensure => running,
enable => true,
require => [Systemd::Unit_file['pulpcore-worker@.service'], Class['systemd::systemctl::daemon_reload']],
ensure => running,
enable => true,
require => Class['systemd::systemctl::daemon_reload'],
subscribe => [Systemd::Unit_file['pulpcore-worker@.service'], File["${pulpcore::libexecdir}/rq"]],
}
}

Expand Down
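Review bot: The wrapper body `exec ${bin} \"$@\"` resolves `gunicorn` and `rq` through PATH, whereas the units it replaces ran `/usr/bin/gunicorn` and `/usr/bin/rq`; under systemd PATH is a fixed default so this most likely works, but pinning the path keeps the executed binary independent of the service environment and matches the previous behaviour: `content => "#!/bin/bash\nexec /usr/bin/${bin} \"\$@\"\n",`. Writing `\$@` also states explicitly that `$@` is for bash, not Puppet (Puppet should leave it literal since `@` cannot start a variable name, but the escape removes the doubt). The `# https://github.com/pulp/pulpcore-selinux/pull/13 ...` comment could additionally say why a wrapper exists at all, e.g. `# The wrapper carries the pulpcore_exec_t label so the exec from systemd transitions the service into its SELinux domain; the binaries in /usr/bin keep their default label.` The class body continues past the first hunk.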
12 changes: 3 additions & 9 deletions templates/pulpcore-api.service.erb
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@ Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
Environment="PULP_STATIC_ROOT=<%= scope['pulpcore::pulp_static_root'] %>"
User=<%= scope['pulpcore::user'] %>
PIDFile=/run/pulpcore-api.pid
Group=<%= scope['pulpcore::group'] %>
WorkingDirectory=~
RuntimeDirectory=pulpcore-api
ExecStart=/usr/bin/gunicorn pulpcore.app.wsgi:application \
ExecStart=<%= scope['pulpcore::libexecdir'] %>/gunicorn pulpcore.app.wsgi:application \
--bind '<%= scope['pulpcore::api_host'] %>:<%= scope['pulpcore::api_port'] %>' \
--access-logfile -
ProtectSystem=full
Expand All @@ -24,13 +25,6 @@ SyslogIdentifier=pulpcore-api
Restart=always
RestartSec=3

# This directive is set to an absolute path in other Pulp units. Using an
# absolute path is an abuse of the directive, as it should be a relative path,
# not an absolute path. PIDFile is now used to ensure that PID files are laid
# out in a standard way. If this directive had any other effects, it is better
# to use the correct directive than to uncomment this.
# WorkingDirectory=/var/run/pulpcore-api/

[Install]
WantedBy=multi-user.target
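Review bot: The new `ExecStart=<%= scope['pulpcore::libexecdir'] %>/gunicorn ...` line is where the SELinux domain transition now takes place, and nothing in the unit records that; a comment above it would help, e.g. `# Run via the pulpcore_exec_t-labelled wrapper so the service transitions into its confined domain on exec.` Because the transition relies on exec, it interacts with `NoNewPrivileges=`: if the part of this unit hidden here, or a later hardening pass, sets `NoNewPrivileges=yes`, the transition is only permitted on policies that allow it under no_new_privs, which is worth stating in the same comment. The same applies to the content, resource-manager and worker templates.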

5 changes: 3 additions & 2 deletions templates/pulpcore-content.service.erb
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ Wants=network-online.target
Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
User=<%= scope['pulpcore::user'] %>
WorkingDirectory=/var/run/pulpcore-content/
Group=<%= scope['pulpcore::group'] %>
WorkingDirectory=~
RuntimeDirectory=pulpcore-content
ExecStart=/usr/bin/gunicorn pulpcore.content:server \
ExecStart=<%= scope['pulpcore::libexecdir'] %>/gunicorn pulpcore.content:server \
--bind '<%= scope['pulpcore::content_host'] %>:<%= scope['pulpcore::content_port'] %>' \
--worker-class 'aiohttp.GunicornWebWorker' \
-w 2 \
Expand Down
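Review bot: `WorkingDirectory=~` resolves to the home directory of `User=` as recorded in the passwd database, not to `$pulpcore::user_home` directly; config.pp manages that path as a directory, but this page does not show the account being created with it as home, so if the two differ the unit fails at start on the chdir. If the module guarantees the account's home elsewhere this is fine; otherwise a comment stating the assumption, or `WorkingDirectory=<%= scope['pulpcore::user_home'] %>`, would make the dependency explicit. The same line is added in the resource-manager and worker templates.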
7 changes: 4 additions & 3 deletions templates/pulpcore-resource-manager.service.erb
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,15 @@ After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
User=<%= scope['pulpcore::user'] %>
WorkingDirectory=/var/run/pulpcore-resource-manager/
Group=<%= scope['pulpcore::group'] %>
WorkingDirectory=~
RuntimeDirectory=pulpcore-resource-manager
ExecStart=/usr/bin/rq worker \
ExecStart=<%= scope['pulpcore::libexecdir'] %>/rq worker \
-w pulpcore.tasking.worker.PulpWorker -n resource-manager \
--pid=/var/run/pulpcore-resource-manager/resource-manager.pid \
-c 'pulpcore.rqconfig' \
--disable-job-desc-logging

Expand Down
6 changes: 3 additions & 3 deletions templates/pulpcore-worker@.service.erb
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,17 @@ After=network-online.target
Wants=network-online.target

[Service]
Type=simple
EnvironmentFile=-/etc/default/pulp-workers
EnvironmentFile=-/etc/default/pulp-workers-%i
Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
User=<%= scope['pulpcore::user'] %>
Group=<%= scope['pulpcore::group'] %>
WorkingDirectory=/var/run/pulpcore-worker-%i/
WorkingDirectory=~
RuntimeDirectory=pulpcore-worker-%i
ExecStart=/usr/bin/rq worker \
ExecStart=<%= scope['pulpcore::libexecdir'] %>/rq worker \
-w pulpcore.tasking.worker.PulpWorker \
--pid=/var/run/pulpcore-worker-%i/reserved-resource-worker-%i.pid \
-c 'pulpcore.rqconfig' \
--disable-job-desc-logging

Expand Down
