RHEL 8 Beta Workshop: Building working web applications

RHEL 8 Beta gives developers many new features, a list that could fill pages, but new features are always best learned in practice, so below we offer a workshop on building an application stack on Red Hat Enterprise Linux 8 Beta.


Let's take Python, a programming language popular among developers, as the base, the combination of Django and PostgreSQL, a common stack for building applications, and configure RHEL 8 Beta to work with them. Then we add a couple more ingredients (not covered separately).

The test environment will change over time, since it is interesting to explore automation, working with containers, and testing a scenario with several servers. To start a new project, you can begin by building a small, simple prototype by hand so you can see exactly what needs to happen and how the parts interact, then move on to automating it and creating more complex configurations. Today we are talking about building that prototype.

Let's start by deploying the RHEL 8 Beta VM image. You can install the virtual machine from scratch or use the KVM guest image that comes with your Beta subscription. When using the guest image, you need to configure a virtual CD that contains the metadata and user data for cloud initialization (cloud-init). You don't need to do anything special with the disk layout or the available packages; any configuration will do.

Let's look at the whole process.

Installing Django

With the latest version of Django, you need a virtual environment (virtualenv) with Python 3.5 or later. The Beta notes say that Python 3.6 is available; let's check whether that is really the case:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat uses Python as a system tool in RHEL, so why this result?

The fact is that many Python developers are still contemplating the transition from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. So, to meet the need for stable system tools while giving users access to various new versions of Python, the system Python was moved into a new package and the ability to install Python 2.7 and 3.6 was provided. More details about the changes and why they were made can be found in Langdon White's blog post.

So, to get a working Python, you need to install only two packages, with python3-pip pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not set up the direct python invocation as Langdon suggests and install pip3? With the upcoming automation in mind, it is known that Ansible will need pip installed in order to run, since its pip module does not support virtualenvs with a custom pip executable.

With a working python3 interpreter in hand, you can proceed with the Django installation and get a working system together with our other components. There are many implementation options available on the Internet. One version is presented here, but users can use their own approach.

We'll install the versions of PostgreSQL and Nginx that ship in RHEL 8 by default, using Yum.

sudo yum install nginx postgresql-server

PostgreSQL will need psycopg2, but it only needs to be available inside the virtualenv, so we'll install it with pip3 together with Django and Gunicorn. But first we need to set up the virtualenv.

There is always a lot of debate about the right place to install Django projects, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says /srv is used for "site-specific data served by this system, such as web server data and scripts, data stored on FTP servers, and version control system repositories" (this appeared in FHS 2.3 in 2004).

That is exactly our case, so we put everything we need in /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
# django-admin is on PATH once the virtualenv is activated
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL and Django is simple: create the database, create the user, set permissions. One thing to keep in mind when installing PostgreSQL for the first time is the postgresql-setup script installed with the postgresql-server package. This script helps you perform basic tasks related to managing the database cluster, such as initializing the cluster or upgrading it. To set up a new PostgreSQL instance on a RHEL system, we need to run:

sudo /usr/bin/postgresql-setup --initdb

You can start PostgreSQL using systemd, create the database, and configure the project in Django. Remember to restart PostgreSQL after making changes to the client authentication file (usually pg_hba.conf) to configure password authentication for the application user. If you run into problems, make sure to change the IPv4 and IPv6 settings in pg_hba.conf.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5
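The pg_hba.conf lines above are the minimum that makes the connection work; the IPv4 line in particular accepts clients from any address. As an added example (not part of the original article), here is a small checker that parses pg_hba.conf records and flags the entries a reviewer would question: `trust` lines, `host` lines open to every address, and cleartext `password` authentication off the loopback interface. The sample configuration is constructed from the two lines above plus a default `local` line and one deliberately weak `trust` line.

```python
import ipaddress

# Constructed sample: the two "host" lines from the pg_hba.conf above, the
# default "local" peer line, and one deliberately weak "trust" line added
# so the checker has something else to flag.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER         ADDRESS        METHOD
local   all         all                         peer
# IPv4 local connections:
host    all         all          0.0.0.0/0      md5
# IPv6 local connections:
host    all         all          ::1/128        md5
host    djangoapp   djangouser   127.0.0.1/32   trust
"""


def parse_pg_hba(text):
    """Turn pg_hba.conf text into a list of records.

    Columns are TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]; "local" records
    carry no ADDRESS. Comments and blank lines are skipped. Only the CIDR
    address form is evaluated; hostnames and the separate-netmask form are kept
    as raw strings and left unjudged."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rec = {"type": "local", "database": f[1], "user": f[2],
                   "address": None, "method": f[3]}
        elif len(f) >= 5:
            rec = {"type": f[0], "database": f[1], "user": f[2],
                   "address": f[3], "method": f[4]}
        else:
            continue  # malformed line; PostgreSQL itself would refuse it
        rec["line"] = lineno
        records.append(rec)
    return records


def _network(address):
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None  # hostname or IP+netmask form: not evaluated here


def audit_pg_hba(text):
    """Return (line, reason) findings for records a reviewer would question."""
    findings = []
    for rec in parse_pg_hba(text):
        if rec["method"] == "trust":
            findings.append((rec["line"],
                             "trust: any client matching this line connects without authentication"))
            continue
        if rec["type"].startswith("host") and rec["address"]:
            net = _network(rec["address"])
            if net is None:
                continue
            if net.prefixlen == 0:
                findings.append((rec["line"],
                                 f"{rec['address']} accepts connections from any address; "
                                 "restrict it to the application host"))
            elif rec["method"] == "password" and not net.is_loopback:
                findings.append((rec["line"],
                                 "password: the password is sent in cleartext over the network"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{line}: {reason}")
```

Run it against your own file with `audit_pg_hba(open('/var/lib/pgsql/data/pg_hba.conf').read())`; for this workshop the 0.0.0.0/0 finding is expected, since the application runs on the same host and the line could be narrowed to 127.0.0.1/32 once everything works.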

In the file /srv/djangoapp/settings.py:

# Database
DATABASES = {
   'default': {
       'ENGINE': 'django.db.backends.postgresql_psycopg2',
       'NAME': '{{ db_name }}',
       'USER': '{{ db_user }}',
       'PASSWORD': '{{ db_password }}',
       'HOST': '{{ db_host }}',
   }
}

After adjusting settings.py in the project and filling in the database settings, you can start the development server to make sure everything works. Once the development server is up, it is a good idea to create an admin user to test the connection.

./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? What's that?

The development server is useful for testing, but to run the application you must set up a proper server and a proxy for the Web Server Gateway Interface (WSGI). There are several common combinations, for example Apache HTTPD with uWSGI or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to pass requests from the web server to the Python web framework. WSGI is a relic of the bad old days when CGI engines were around, and today WSGI is the de facto standard regardless of the web server or Python framework in use. But despite its widespread use, there are still some nuances when working with these frameworks, and many options. In this case, we'll try to set up the interaction between Gunicorn and Nginx through a socket.

Since both components are installed on the same server, let's try using a UNIX socket instead of a network socket. Since communication requires a socket in any case, let's try to take one more step and configure socket activation for Gunicorn via systemd.

Creating socket-activated services is simple. First, a socket unit file is created containing a ListenStream directive pointing to the location where the UNIX socket will be created, then a service unit file whose Requires directive points at the socket unit. Then, in the service unit file, all that remains is to call Gunicorn from the virtual environment and create the WSGI binding between the UNIX socket and the Django application.

Here are some example unit files you can use as a base. First, the socket unit (gunicorn.socket, which the service unit refers to by name).

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now you need to configure the Gunicorn daemon (gunicorn.service).

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

# Continued lines need a trailing backslash. With socket activation Gunicorn
# serves on the descriptor it inherits from gunicorn.socket; the --bind path is
# kept identical to ListenStream so a stand-alone start uses the same socket.
ExecStart=/srv/djangoapp/django/bin/gunicorn \
          --access-logfile - \
          --workers 3 \
          --bind unix:/run/gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target
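To see what "socket activation" means on the service side, here is an added example (not code from the article, nor Gunicorn's own implementation) of the checks a service performs when it receives a listening socket from systemd: the `LISTEN_PID`/`LISTEN_FDS` protocol described in sd_listen_fds(3). The `LISTEN_PID` comparison is the part worth noticing, since it is what stops a child process that merely inherited the environment from picking up a descriptor intended for its parent. `simulate_activation` plays the systemd role with a constructed UNIX socket in a temporary directory; the `start` parameter exists only so that simulation can use a free descriptor instead of the fixed fd 3.

```python
import os
import socket
import tempfile

SD_LISTEN_FDS_START = 3  # first descriptor systemd hands over, per sd_listen_fds(3)


def listen_fds(environ, pid, start=SD_LISTEN_FDS_START):
    """Return the file descriptors passed by systemd socket activation, or [].

    Same checks as sd_listen_fds(3): LISTEN_PID must be *our* pid (a descriptor
    meant for the parent is never picked up by a child that inherited the
    environment) and LISTEN_FDS is the count of consecutive fds from `start`.
    `start` is a parameter only so the simulation below can use a free fd."""
    try:
        listen_pid = int(environ.get("LISTEN_PID", ""))
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if listen_pid != pid or count <= 0:
        return []
    return list(range(start, start + count))


def activated_sockets(environ, pid, start=SD_LISTEN_FDS_START):
    """Wrap the activated fds as socket objects (family and type are read back
    from the descriptor) and mark them close-on-exec so they do not leak into
    any program the service later execs."""
    socks = []
    for fd in listen_fds(environ, pid, start):
        os.set_inheritable(fd, False)
        socks.append(socket.socket(fileno=fd))
    return socks


def simulate_activation():
    """Stand in for systemd: bind and listen on a constructed UNIX socket, then
    hand its descriptor over through LISTEN_PID/LISTEN_FDS the way
    gunicorn.socket would. Returns True when the service side recovers a
    socket bound to the same path."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "gunicorn.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)
    fd = listener.detach()  # ownership of the descriptor passes to the "service"
    environ = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}
    socks = activated_sockets(environ, os.getpid(), start=fd)
    try:
        return len(socks) == 1 and socks[0].getsockname() == path
    finally:
        for s in socks:
            s.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print("activation recovered the socket:", simulate_activation())
```

A real service reads `os.environ` and `os.getpid()` instead of constructed values, and after taking the descriptors it should also remove `LISTEN_PID`, `LISTEN_FDS` and `LISTEN_FDNAMES` from the environment so that nothing it spawns mistakes them for its own.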

For Nginx it is a simple matter of creating the proxy configuration and setting up a directory for static content if you use one. In RHEL, the Nginx configuration files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Make sure to set server_name to match your host name.

server {
   listen 80;
   server_name 8beta1.example.com;

   location = /favicon.ico { access_log off; log_not_found off; }
   location /static/ {
       root /srv/djangoapp;
   }

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/run/gunicorn.sock;
   }
}
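The proxy_set_header lines above are what give the application its view of the client: over a UNIX socket the WSGI server sees no peer IP, so the real address arrives in X-Real-IP and X-Forwarded-For, and the original scheme in X-Forwarded-Proto. Those headers are only meaningful when the request really came through Nginx; a client that reaches the WSGI server directly can send any value. As an added example (not part of the article or of Django), here is a minimal WSGI callable, in the role of `djangoapp.wsgi`'s `application`, that honours the forwarded headers only when the socket peer is trusted, driven through a constructed environ the way a WSGI server would call it. It assumes that Gunicorn reports an empty REMOTE_ADDR for a UNIX-socket peer; `TRUSTED_PEERS` is the place to adjust if your server reports something else.

```python
from wsgiref.util import setup_testing_defaults

# Peer addresses from which forwarded headers are trusted. Assumption: Gunicorn
# reports an empty REMOTE_ADDR for a client that arrived over the UNIX socket.
TRUSTED_PEERS = frozenset({""})


def client_ip(environ, trusted_peers=TRUSTED_PEERS):
    """Resolve the real client address.

    Nginx puts the client's address in X-Real-IP and appends it to
    X-Forwarded-For. They are honoured only when the peer is Nginx itself;
    otherwise a direct client could claim any address it likes."""
    remote = environ.get("REMOTE_ADDR", "")
    if remote in trusted_peers:
        real_ip = environ.get("HTTP_X_REAL_IP", "").strip()
        if real_ip:
            return real_ip
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        if xff:
            return xff.split(",")[0].strip()  # client-most entry
    return remote or "unknown"


def application(environ, start_response):
    """Tiny WSGI callable standing in for djangoapp.wsgi's `application`."""
    trusted = environ.get("REMOTE_ADDR", "") in TRUSTED_PEERS
    scheme = (environ.get("HTTP_X_FORWARDED_PROTO") if trusted else None) \
        or environ.get("wsgi.url_scheme", "http")
    body = f"client={client_ip(environ)} scheme={scheme}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(remote_addr, headers):
    """Drive `application` with a constructed environ, as a WSGI server would.
    `headers` are request headers such as {"X-Real-IP": "..."}; WSGI exposes
    them as HTTP_<NAME>. Returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(application(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Request through Nginx over the UNIX socket (constructed values).
    print(run_request("", {"X-Real-IP": "192.168.122.1", "X-Forwarded-Proto": "https"}))
    # The same headers sent by a client that bypassed the proxy: ignored.
    print(run_request("10.0.0.5", {"X-Real-IP": "192.168.122.1", "X-Forwarded-Proto": "https"}))
```

In Django the equivalent switches are `SECURE_PROXY_SSL_HEADER` for the scheme and a middleware of your own for the client address; the point is the same, which is that the application must know which peer is allowed to set these headers before it believes them.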

Start the Gunicorn socket and Nginx using systemd and you are ready to start testing.

Bad Gateway error?

If you enter the address in your browser, you will most likely get a 502 Bad Gateway error. It can be caused by incorrect UNIX socket permissions, or by more complex issues related to access control in SELinux.

In the nginx error log you can see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we test Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock 8beta1.example.com

Let's find out why this happens. If you open the audit log, you will most likely see that the problem is related to SELinux. Since we are running a daemon for which no policy has been written, it is labelled init_t. Let's test this theory in practice.

sudo setenforce 0

All this may provoke accusations and bloody tears, but it is only the debugging of a prototype. We turn the checks off just to confirm that this is the problem, after which we put everything back in place.

By refreshing the page in the browser or re-running our curl command, you can see the Django test page.

So, having made sure that everything works and there are no more permission problems, we turn SELinux back on.

sudo setenforce 1

I will not talk about audit2allow or creating alert-based policies with sepolgen here, since there is no real Django application yet, so there is no complete map of what Gunicorn wants to access and what it should be denied access to. Therefore, it is necessary to keep SELinux running to protect the system, while at the same time allowing the application to run and leave messages in the audit log so that a real policy can be built from them.

Defining permissive domains

Not everyone has heard of permissive domains in SELinux, but they are nothing new. Many have even worked with them without knowing it. When a policy is created from audit messages, the resulting policy represents the permitted domain. Let's try to create a simple permissive policy.

To create a dedicated permissive domain for Gunicorn, you need some kind of policy, and you need to label the relevant files. In addition, tools are needed to build the new policy.

sudo yum install selinux-policy-devel

Permissive domains are a great tool for identifying problems, especially when it comes to custom applications or applications that ship without a prebuilt policy. In this case, the permissive domain policy for Gunicorn will be as simple as possible: define a main type (gunicorn_t), define a type we'll use to label a number of executables (gunicorn_exec_t), and then set up a transition so the system labels running processes correctly. The last line sets the policy to permissive by default when it is loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile this policy file and add it to your system.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking anything other than what our unknown daemon is accessing.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux is preventing Nginx from writing to the UNIX socket that Gunicorn uses. Usually in such cases people start changing policies, but there are other challenges ahead. You can also switch a domain from confined to permissive. Now let's move httpd_t into permissive mode. This will give Nginx the access it needs, and we can carry on debugging.

sudo semanage permissive -a httpd_t

So, once you have managed to keep SELinux protection in place (you really shouldn't leave SELinux in permissive mode) and the permissive domains are loaded, you need to figure out exactly what needs to be labelled gunicorn_exec_t to get everything working properly again. Let's try visiting the site to see new messages about denied access.

sudo ausearch -m AVC -c gunicorn

You will see many messages containing 'comm="gunicorn"' doing various things to files in /srv/djangoapp, so clearly this is one of the commands worth labelling.

But in addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the gunicorn service status or run the ps command, you won't see any running processes. It looks like gunicorn is trying to execute the Python interpreter in our virtualenv, probably to run the worker processes. So now let's label these two executables and check whether we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service needs to be restarted before the new label takes effect. You can restart it immediately, or stop the service and let the socket start it when you open the site in the browser. Make sure the processes have received the correct label using ps.

ps -efZ | grep gunicorn

Don't forget to create a proper SELinux policy later!

If you look at the AVC messages now, the latest ones contain permissive=1 for everything related to the application and permissive=0 for the rest of the system. Once you understand what access the real application needs, you will quickly find the best way to solve such problems. But until then, it is better to keep the system protected and collect a complete, usable audit of the Django project.

sudo ausearch -m AVC
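Reading raw AVC records by eye gets tedious once the application produces dozens of them, and the permissive=0/permissive=1 distinction above is exactly what you need to separate accesses that were actually blocked from those that were only logged. As an added example (not code from the article, and not audit2allow), here is a parser for the AVC lines `ausearch -m AVC` prints. It extracts the source and target types, the object class and the permissions, reports the enforced denials, and collapses the rest into allow rules in the form audit2allow would emit, so each one can be reviewed before a real policy is written. The sample log is constructed from the two denials quoted above plus one line of the kind seen once gunicorn_t is permissive.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted above, plus one line of the kind
# seen once gunicorn_t is permissive (permissive=1: logged, not blocked).
SAMPLE_AVC = """\
type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied { read open } for pid=20800 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs between "for" and "scontext", values optionally quoted
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "pid": fields.get("pid"),
        # contexts are user:role:type:level; policy rules are written on the type
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def parse_avc_log(text):
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def enforced_denials(text):
    """Records with permissive=0: the accesses SELinux actually blocked."""
    return [r for r in parse_avc_log(text)
            if r["verdict"] == "denied" and not r["permissive"]]


def allow_rules(text):
    """Collapse denials into allow rules keyed by (source type, target type,
    class), the shape audit2allow emits. Each rule is a review item, not
    something to load blindly: when the target type is wrong (var_t on a file
    that should be gunicorn_exec_t) the fix is a relabel, not a wider policy."""
    perms = defaultdict(set)
    for r in parse_avc_log(text):
        if r["verdict"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


if __name__ == "__main__":
    for r in enforced_denials(SAMPLE_AVC):
        print(f"blocked: {r['comm']} ({r['stype']}) {r['perms']} "
              f"on {r['name']} ({r['ttype']}:{r['tclass']})")
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

Feed it the output of `sudo ausearch -m AVC -c gunicorn` (for example `parse_avc_log(subprocess.check_output([...]).decode())`) and compare the target types in the generated rules with what the files should be labelled; the second sample line is the case from the text, where the right answer was `chcon -t gunicorn_exec_t` on the interpreter rather than an `allow init_t var_t:file { execute };` rule.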

It worked!

A working Django project has appeared, with a front end based on Nginx and the Gunicorn WSGI server. We configured Python 3 and PostgreSQL 10 from the RHEL 8 Beta repositories. Now you can continue building (or simply deploying) Django applications, or explore the other tools available in RHEL 8 Beta to automate the configuration process, improve performance, or even containerize this setup.

source: www.habr.com
