From b8de25b533b184747c06500b8ad62404dd7348da Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Wed, 22 Jul 2020 18:12:09 +0200
Subject: [PATCH] Fixes #30465 - Run services in SELinux enforcing mode
---
 manifests/config.pp | 9 ++++-
 manifests/init.pp | 5 +++
 manifests/service.pp | 39 +++++++++++++------
 templates/pulpcore-api.service.erb | 12 ++----
 templates/pulpcore-content.service.erb | 5 ++-
 .../pulpcore-resource-manager.service.erb | 7 ++--
 templates/pulpcore-worker@.service.erb | 6 +--
 7 files changed, 53 insertions(+), 30 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index c53070b3..903d1892 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -20,13 +20,20 @@ order => '01',
 }
- file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir]:
+ file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir, $pulpcore::pulp_static_root]:
 ensure => directory,
 owner => $pulpcore::user,
 group => $pulpcore::group,
 mode => '0775',
 }
+ file { $pulpcore::libexecdir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
 selinux::port { 'pulpcore-api-port':
 ensure => 'present',
 seltype => 'pulpcore_port_t',
diff --git a/manifests/init.pp b/manifests/init.pp
index 6db9bc14..160f4762 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -6,6 +6,10 @@
 # @param config_dir
 # Pulp configuration directory
 #
+# @param libexecdir
+# The directory used to write wrappers. These wrappers are used in the
+# systemd services and take care of the transition to the correct domain.
+#
 # @param user
 # Pulp user
 #
@@ -94,6 +98,7 @@ class pulpcore (
 Stdlib::Absolutepath $cache_dir = '/var/lib/pulp/tmp',
 Stdlib::Absolutepath $config_dir = '/etc/pulp',
+ Stdlib::Absolutepath $libexecdir = '/usr/libexec/pulpcore',
 String $user = 'pulp',
 String $group = 'pulp',
 Stdlib::Absolutepath $user_home = '/var/lib/pulp',
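Review bot: Adding `$pulpcore::pulp_static_root` to the shared directory resource gives the static root `mode => '0775'`, i.e. group-writable, while the `$pulpcore::libexecdir` resource added just below shows the tighter pattern (root-owned, `0755`). Only the owning `$pulpcore::user` should need to write static files and whatever serves them only needs read access, so unless something in the module relies on group write there, give it its own resource with `mode => '0755'`. I can't see from this hunk where `pulp_static_root` is declared or what serves it, so confirm that before tightening.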
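Review bot: The `@param libexecdir` documentation says the wrappers take care of the domain transition but not what that depends on: the transition only happens while the wrappers carry the `pulpcore_exec_t` label, and the `seltype` Puppet sets on them survives a `restorecon` only if the chosen path matches the policy's file context, which the default `/usr/libexec/pulpcore` is presumably written for. Suggested addition under the parameter: `#   Must stay within the path the pulpcore-selinux policy labels pulpcore_exec_t; a relabel (restorecon) would otherwise strip the label and silently drop the domain transition.` I'm inferring the policy path from the default and from the `seltype` set in service.pp, so verify it against pulpcore-selinux's file contexts before settling the wording.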
diff --git a/manifests/service.pp b/manifests/service.pp
index 08c8a95e..b532cf89 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -1,23 +1,37 @@
 # configure, enable, and start pulpcore services
 # @api private
 class pulpcore::service {
+ ['gunicorn', 'rq'].each |$bin| {
+ file { "${pulpcore::libexecdir}/${bin}":
+ ensure => file,
+ content => "#!/bin/bash\nexec ${bin} \"$@\"\n",
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ # https://github.com/pulp/pulpcore-selinux/pull/13 introduces this file context
+ seltype => 'pulpcore_exec_t',
+ }
+ }
 systemd::unit_file { 'pulpcore-api.service':
- content => template('pulpcore/pulpcore-api.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-api.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File["${pulpcore::libexecdir}/gunicorn"],
 }
 systemd::unit_file { 'pulpcore-content.service':
- content => template('pulpcore/pulpcore-content.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-content.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File["${pulpcore::libexecdir}/gunicorn"],
 }
 systemd::unit_file { 'pulpcore-resource-manager.service':
- content => template('pulpcore/pulpcore-resource-manager.service.erb'),
- active => true,
- enable => true,
+ content => template('pulpcore/pulpcore-resource-manager.service.erb'),
+ active => true,
+ enable => true,
+ subscribe => File["${pulpcore::libexecdir}/rq"],
 }
 systemd::unit_file { 'pulpcore-worker@.service':
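Review bot: The wrapper content `exec ${bin} \"$@\"` resolves gunicorn/rq through the service's PATH, whereas the units it replaces called `/usr/bin/gunicorn` and `/usr/bin/rq` explicitly; systemd's default service PATH searches `/usr/local/bin` before `/usr/bin`, so a pip-installed copy there would now be the binary the `pulpcore_exec_t` entry point hands off to, which is a step back in determinism for the one file meant to anchor the domain transition. Pin it: `content => "#!/bin/bash\nexec /usr/bin/${bin} \"$@\"\n",`. The comment on `seltype` links the policy PR but should also state the consequence for operators, e.g. `# needs a pulpcore-selinux build that defines pulpcore_exec_t; on older policies this resource will likely fail to apply`. Puppet should leave `$@` literal in the double-quoted string since `@` cannot begin a variable name, but that is worth confirming on the rendered wrapper.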
@@ -26,9 +40,10 @@ Integer[1, $pulpcore::worker_count].each |$n| {
 service { "pulpcore-worker@${n}.service":
- ensure => running,
- enable => true,
- require => [Systemd::Unit_file['pulpcore-worker@.service'], Class['systemd::systemctl::daemon_reload']],
+ ensure => running,
+ enable => true,
+ require => Class['systemd::systemctl::daemon_reload'],
+ subscribe => [Systemd::Unit_file['pulpcore-worker@.service'], File["${pulpcore::libexecdir}/rq"]],
 }
 }
diff --git a/templates/pulpcore-api.service.erb b/templates/pulpcore-api.service.erb
index e3bed6e3..77490d09 100644
--- a/templates/pulpcore-api.service.erb
+++ b/templates/pulpcore-api.service.erb
@@ -7,9 +7,10 @@ Wants=network-online.target
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-PIDFile=/run/pulpcore-api.pid
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=~
 RuntimeDirectory=pulpcore-api
-ExecStart=/usr/bin/gunicorn pulpcore.app.wsgi:application \
+ExecStart=<%= scope['pulpcore::libexecdir'] %>/gunicorn pulpcore.app.wsgi:application \
 --bind '<%= scope['pulpcore::api_host'] %>:<%= scope['pulpcore::api_port'] %>' \
 --access-logfile -
 ProtectSystem=full
@@ -23,13 +24,6 @@ SyslogIdentifier=pulpcore-api
 Restart=always
 RestartSec=3
-# This directive is set to an absolute path in other Pulp units. Using an
-# absolute path is an abuse of the directive, as it should be a relative path,
-# not an absolute path. PIDFile is now used to ensure that PID files are laid
-# out in a standard way. If this directive had any other effects, it is better
-# to use the correct directive than to uncomment this.
-# WorkingDirectory=/var/run/pulpcore-api/
-
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/pulpcore-content.service.erb b/templates/pulpcore-content.service.erb
index 79449d40..c6a5574b 100644
--- a/templates/pulpcore-content.service.erb
+++ b/templates/pulpcore-content.service.erb
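Review bot: `WorkingDirectory=~` in the pulpcore-api hunk ties the unit to the passwd home of `User=` rather than to the `$pulpcore::user_home` directory this module itself creates in config.pp; if the pulp user is managed outside the module with a different or missing home, the service fails to start for a reason unrelated to this change. Using the module's own value, `WorkingDirectory=<%= scope['pulpcore::user_home'] %>`, keeps the two in lockstep, and the same applies to the content, resource-manager and worker templates. Dropping `PIDFile=` is safe here only because the libexec wrapper `exec`s gunicorn so the main PID does not change; that dependency on the wrapper's shape deserves a one-line comment above `ExecStart`, e.g. `# runs via the libexec wrapper (which execs gunicorn) so the SELinux domain transition happens; no PIDFile needed`. The rest of the [Service] section continues outside this hunk.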
@@ -7,9 +7,10 @@ Wants=network-online.target
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-content/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=~
 RuntimeDirectory=pulpcore-content
-ExecStart=/usr/bin/gunicorn pulpcore.content:server \
+ExecStart=<%= scope['pulpcore::libexecdir'] %>/gunicorn pulpcore.content:server \
 --bind '<%= scope['pulpcore::content_host'] %>:<%= scope['pulpcore::content_port'] %>' \
 --worker-class 'aiohttp.GunicornWebWorker' \
 -w 2 \
diff --git a/templates/pulpcore-resource-manager.service.erb b/templates/pulpcore-resource-manager.service.erb
index ab494b11..32dbe420 100644
--- a/templates/pulpcore-resource-manager.service.erb
+++ b/templates/pulpcore-resource-manager.service.erb
@@ -4,14 +4,15 @@ After=network-online.target
 Wants=network-online.target
 [Service]
+Type=simple
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-resource-manager/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=~
 RuntimeDirectory=pulpcore-resource-manager
-ExecStart=/usr/bin/rq worker \
+ExecStart=<%= scope['pulpcore::libexecdir'] %>/rq worker \
 -w pulpcore.tasking.worker.PulpWorker -n resource-manager \
- --pid=/var/run/pulpcore-resource-manager/resource-manager.pid \
 -c 'pulpcore.rqconfig' \
 --disable-job-desc-logging
diff --git a/templates/pulpcore-worker@.service.erb b/templates/pulpcore-worker@.service.erb
index 54a3a564..c962e56a 100644
--- a/templates/pulpcore-worker@.service.erb
+++ b/templates/pulpcore-worker@.service.erb
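Review bot: Nothing in the resource-manager [Service] section sandboxes the rq process, while the api template in the same commit carries `ProtectSystem=full` in its hunk; if the remainder of this unit outside the hunk doesn't already have them, `ProtectSystem=full` and `PrivateTmp=true` would bring the resource manager level with the api unit, and both are compatible with the libexec wrapper since `/usr/libexec` is only read. Do not add `NoNewPrivileges=true` as part of that without checking: with SELinux enforcing it blocks exec-based domain transitions unless the kernel and policy support nnp_nosuid_transition, which would silently undo what the wrapper exists for. With `--pid` removed, `RuntimeDirectory=pulpcore-resource-manager` has no visible consumer left in this hunk; keep it only if something outside the hunk still uses `/run/pulpcore-resource-manager`.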
@@ -4,17 +4,17 @@ After=network-online.target
 Wants=network-online.target
 [Service]
+Type=simple
 EnvironmentFile=-/etc/default/pulp-workers
 EnvironmentFile=-/etc/default/pulp-workers-%i
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
 Group=<%= scope['pulpcore::group'] %>
-WorkingDirectory=/var/run/pulpcore-worker-%i/
+WorkingDirectory=~
 RuntimeDirectory=pulpcore-worker-%i
-ExecStart=/usr/bin/rq worker \
+ExecStart=<%= scope['pulpcore::libexecdir'] %>/rq worker \
 -w pulpcore.tasking.worker.PulpWorker \
- --pid=/var/run/pulpcore-worker-%i/reserved-resource-worker-%i.pid \
 -c 'pulpcore.rqconfig' \
 --disable-job-desc-logging
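Review bot: `Type=simple` is now explicit and the `--pid` argument is gone, and the reason that is safe is that the libexec wrapper `exec`s rq so the wrapper's PID remains the main PID systemd tracks; that invariant is defined in service.pp, and a reader of this template cannot see it. A comment above `ExecStart` such as `# runs via the libexec wrapper (which execs rq) so the SELinux domain transition happens; the wrapper must keep exec-ing for the main PID to be rq` would make the coupling visible, and the same applies to the resource-manager template. The `[Install]` section and anything after `--disable-job-desc-logging` lie outside this hunk.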