From 2eeb9216f2a1ca8f0065f63a03ed0234e738df5b Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Wed, 22 Jul 2020 18:12:09 +0200
Subject: [PATCH] Fixes #30465 - Run services in SELinux enforcing mode
---
 manifests/config.pp | 10 ++++-
 manifests/service.pp | 40 +++++++++++++------
 templates/pulpcore-api.service.erb | 12 ++----
 templates/pulpcore-content.service.erb | 5 ++-
 .../pulpcore-resource-manager.service.erb | 7 ++--
 templates/pulpcore-worker@.service.erb | 6 +--
 6 files changed, 50 insertions(+), 30 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index a260debf..410a9b73 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -20,7 +20,7 @@
 order => '01',
 }
- file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir]:
+ file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir, $pulpcore::pulp_static_root]:
 ensure => directory,
 owner => $pulpcore::user,
 group => $pulpcore::group,
@@ -30,6 +30,14 @@
 pulpcore::admin { 'collectstatic --noinput':
 refreshonly => true,
 subscribe => Concat['pulpcore settings'],
+ require => File[$pulpcore::pulp_static_root],
+ }
+
+ file { '/usr/libexec/pulpcore':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
 }
 selinux::port { 'pulpcore-api-port':
diff --git a/manifests/service.pp b/manifests/service.pp
index 08c8a95e..aa16a201 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
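Review bot: In the first config.pp hunk `$pulpcore::pulp_static_root` is created with `owner => $pulpcore::user`, the same account the api unit runs as (`User=` in pulpcore-api.service.erb), so the running service can rewrite the static assets it serves; the mode the directory receives is outside the hunk. If write access is only needed so that `collectstatic --noinput` can populate the directory, a comment such as `# writable by $pulpcore::user so collectstatic can populate it` next to the new entry would make that intent explicit — assuming pulpcore::admin runs as that user, which this hunk does not show. The second hunk's `/usr/libexec/pulpcore` directory is root-owned and 0755, which is the right layout for the wrapper scripts service.pp places there.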
@@ -2,22 +2,37 @@
 # @api private
 class pulpcore::service {
+ ['gunicorn', 'rq'].each |$bin| {
+ file { "/usr/libexec/pulpcore/${bin}":
+ ensure => file,
+ content => "#!/bin/bash\nexec ${bin} \"$@\"\n",
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ # https://github.com/pulp/pulpcore-selinux/pull/13
+ seltype => 'pulpcore_exec_t',
+ }
+ }
+
 systemd::unit_file { 'pulpcore-api.service':
- content => template('pulpcore/pulpcore-api.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-api.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File['/usr/libexec/pulpcore/gunicorn'],
 }
 systemd::unit_file { 'pulpcore-content.service':
- content => template('pulpcore/pulpcore-content.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-content.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File['/usr/libexec/pulpcore/gunicorn'],
 }
 systemd::unit_file { 'pulpcore-resource-manager.service':
- content => template('pulpcore/pulpcore-resource-manager.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-resource-manager.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File['/usr/libexec/pulpcore/rq'],
 }
 systemd::unit_file { 'pulpcore-worker@.service':
@@ -26,9 +41,10 @@
 Integer[1, $pulpcore::worker_count].each |$n| {
 service { "pulpcore-worker@${n}.service":
- ensure => running,
- enable => true,
- require => [Systemd::Unit_file['pulpcore-worker@.service'], Class['systemd::systemctl::daemon_reload']],
+ ensure => running,
+ enable => true,
+ require => Class['systemd::systemctl::daemon_reload'],
+ subscribe => [Systemd::Unit_file['pulpcore-worker@.service'], File['/usr/libexec/pulpcore/rq']],
 }
 }
diff --git a/templates/pulpcore-api.service.erb b/templates/pulpcore-api.service.erb
index b2c6ba2a..bbd8428f 100644
--- a/templates/pulpcore-api.service.erb
+++ b/templates/pulpcore-api.service.erb
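Review bot: The wrapper content `exec ${bin} \"$@\"` in the first hunk resolves `gunicorn` and `rq` through whatever PATH the unit is started with, whereas the ExecStart lines this commit replaces called `/usr/bin/gunicorn` and `/usr/bin/rq` explicitly; since this wrapper is the file carrying the `pulpcore_exec_t` label, which binary it ends up executing should not depend on the service environment. Pinning it keeps the previous behaviour: `content => "#!/bin/bash\nexec /usr/bin/${bin} \"$@\"\n",`. The `seltype` value also presumes the pulpcore-selinux policy defining `pulpcore_exec_t` is present before this file resource is applied; I cannot see from this hunk whether the class orders itself after that package, so that is worth confirming. The comment above `seltype` could say what the PR link is for, e.g. `# label the wrapper so the SELinux policy can handle the service (policy from pulpcore-selinux#13)`.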
@@ -8,9 +8,10 @@ Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 Environment="PULP_STATIC_ROOT=<%= scope['pulpcore::pulp_static_root'] %>"
 User=<%= scope['pulpcore::user'] %>
-PIDFile=/run/pulpcore-api.pid
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-api
 RuntimeDirectory=pulpcore-api
-ExecStart=/usr/bin/gunicorn pulpcore.app.wsgi:application \
+ExecStart=/usr/libexec/pulpcore/gunicorn pulpcore.app.wsgi:application \
 --bind '<%= scope['pulpcore::api_host'] %>:<%= scope['pulpcore::api_port'] %>' \
 --access-logfile -
 ProtectSystem=full
@@ -24,13 +25,6 @@ SyslogIdentifier=pulpcore-api
 Restart=always
 RestartSec=3
-# This directive is set to an absolute path in other Pulp units. Using an
-# absolute path is an abuse of the directive, as it should be a relative path,
-# not an absolute path. PIDFile is now used to ensure that PID files are laid
-# out in a standard way. If this directive had any other effects, it is better
-# to use the correct directive than to uncomment this.
-# WorkingDirectory=/var/run/pulpcore-api/
-
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/pulpcore-content.service.erb b/templates/pulpcore-content.service.erb
index 79449d40..fa1cf369 100644
--- a/templates/pulpcore-content.service.erb
+++ b/templates/pulpcore-content.service.erb
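Review bot: `ExecStart=/usr/libexec/pulpcore/gunicorn` in the first hunk gives a reader of the installed unit no hint why the service no longer runs `/usr/bin/gunicorn` directly, and the unit file is what an operator debugging an SELinux denial will look at, not manifests/service.pp. A comment above it, `# /usr/libexec/pulpcore/gunicorn is a root-owned wrapper labelled pulpcore_exec_t, managed by manifests/service.pp`, would carry the reason along; the same applies to the ExecStart lines in the content, resource-manager and worker@ templates. The second hunk removes the comment that explained the old PIDFile/WorkingDirectory arrangement, so the new `WorkingDirectory=%t/pulpcore-api` is now undocumented as well; the api unit's `Type=` is outside both hunks, so I cannot tell whether dropping `PIDFile=` needs the `Type=simple` that the resource-manager and worker@ units receive.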
@@ -7,9 +7,10 @@ Wants=network-online.target
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-content/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-content
 RuntimeDirectory=pulpcore-content
-ExecStart=/usr/bin/gunicorn pulpcore.content:server \
+ExecStart=/usr/libexec/pulpcore/gunicorn pulpcore.content:server \
 --bind '<%= scope['pulpcore::content_host'] %>:<%= scope['pulpcore::content_port'] %>' \
 --worker-class 'aiohttp.GunicornWebWorker' \
 -w 2 \
diff --git a/templates/pulpcore-resource-manager.service.erb b/templates/pulpcore-resource-manager.service.erb
index ab494b11..6bc95129 100644
--- a/templates/pulpcore-resource-manager.service.erb
+++ b/templates/pulpcore-resource-manager.service.erb
@@ -4,14 +4,15 @@ After=network-online.target
 Wants=network-online.target
 [Service]
+Type=simple
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-resource-manager/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-resource-manager
 RuntimeDirectory=pulpcore-resource-manager
-ExecStart=/usr/bin/rq worker \
+ExecStart=/usr/libexec/pulpcore/rq worker \
 -w pulpcore.tasking.worker.PulpWorker -n resource-manager \
- --pid=/var/run/pulpcore-resource-manager/resource-manager.pid \
 -c 'pulpcore.rqconfig' \
 --disable-job-desc-logging
diff --git a/templates/pulpcore-worker@.service.erb b/templates/pulpcore-worker@.service.erb
index 54a3a564..3a90a72a 100644
--- a/templates/pulpcore-worker@.service.erb
+++ b/templates/pulpcore-worker@.service.erb
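Review bot: In the resource-manager hunk `Type=simple` is introduced at the same time as the `--pid=` argument is dropped, so systemd now tracks the process it launched from ExecStart — which is the bash wrapper from manifests/service.pp, not rq itself. That is only correct because the wrapper `exec`s rq rather than running it as a child; the unit file shows nothing of that coupling, so a later edit to the wrapper could silently leave systemd supervising a shell. A comment next to the new line, `# Type=simple relies on the /usr/libexec/pulpcore wrapper exec'ing rq, so the main PID is rq`, would record the assumption. The same point applies to the worker@ template in the final hunk, which adds the same `Type=simple` and removes its `--pid=` in the same way.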
@@ -4,17 +4,17 @@ After=network-online.target
 Wants=network-online.target
 [Service]
+Type=simple
 EnvironmentFile=-/etc/default/pulp-workers
 EnvironmentFile=-/etc/default/pulp-workers-%i
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
 Group=<%= scope['pulpcore::group'] %>
-WorkingDirectory=/var/run/pulpcore-worker-%i/
+WorkingDirectory=%t/pulpcore-worker-%i
 RuntimeDirectory=pulpcore-worker-%i
-ExecStart=/usr/bin/rq worker \
+ExecStart=/usr/libexec/pulpcore/rq worker \
 -w pulpcore.tasking.worker.PulpWorker \
- --pid=/var/run/pulpcore-worker-%i/reserved-resource-worker-%i.pid \
 -c 'pulpcore.rqconfig' \
 --disable-job-desc-logging