The RHEL 8 beta gives developers plenty of new features, and just listing them could take pages, but learning something new is always better done hands-on. So below we offer a workshop on actually building an application infrastructure on Red Hat Enterprise Linux 8 beta.
We'll take Python, a programming language popular among developers, as the base, use the combination of Django and PostgreSQL that is so often used to build applications, and configure RHEL 8 beta to work with them. Then we'll add a few (as yet unsorted) ingredients to the mix.
Exploring automation options, working with containers or trying out multi-server environments is all interesting, but the test bed stays the same: to start a new project it is best to build a small, simple prototype by hand, so you can see exactly what needs to happen and how the pieces interact, and only then move on to automating and building more complex configurations. Today we'll talk about building such a prototype.
Let's start by deploying a RHEL 8 beta VM image. You can install the virtual machine by hand or use the KVM guest image available with the beta subscription. If you use the guest image, you will need to configure a virtual CD with the metadata and user data for cloud initialization (cloud-init). Nothing special is needed with respect to disk layout or available packages; any configuration will do.
Let's go through the whole process in detail.
Installing Django
The latest version of Django needs a virtual environment (virtualenv) with Python 3.5 or later. The beta notes say that Python 3.6 should be available; let's check whether that is actually the case.
[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found
Red Hat makes heavy use of Python as a system tool in RHEL, so why this result?
The thing is, many Python developers are still weighing the move from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. So, to meet the need for a stable system tool while still giving users access to the various newer versions of Python, the system Python was moved into a new package, and the ability to install both Python 2.7 and 3.6 was provided. For details of the change and the reasons behind it, see the following publication.
So, to get a working Python, all you need to do is install two packages, which pull in python3-pip as a dependency:
sudo yum install python36 python3-virtualenv
As Langdon suggested, why not install pip3 with a direct module call? With future automation in mind: Ansible is known to need pip installed in order to run, because its pip module does not support virtualenvs with a custom pip executable.
With a working python3 interpreter at our disposal, we can carry on with installing Django and end up with a working system together with the other components. There are plenty of implementation options on the internet; one variant is shown here, but you can use your own process.
Using Yum, install the PostgreSQL and Nginx versions available in RHEL 8 by default:
sudo yum install nginx postgresql-server
PostgreSQL needs psycopg2, but it only has to be available inside the virtualenv, so we install it with pip3 together with Django and Gunicorn. First, though, the virtualenv has to be set up.
There is always plenty of debate about the right place to install a Django project, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says that /srv "is used to store host-specific data, i.e. data produced by the system, such as web server data and scripts, data stored on an FTP server, control system repositories and so on" (FHS 2.3, 2004).
That is exactly our case, so we put everything we need in /srv, owned by the application user (cloud-user):
sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp
Setting up PostgreSQL and Django is simple: create a database, create a user, and set permissions. One thing to note when first installing PostgreSQL is the postgresql-setup script that ships with the postgresql-server package. It helps with basic database cluster management tasks such as initializing the cluster or the upgrade process. To configure a new PostgreSQL instance on a RHEL system, run:
sudo /usr/bin/postgresql-setup --initdb
After that, PostgreSQL can be started with systemd, a database created, and the project set up in Django. Remember to restart PostgreSQL after changing the client authentication configuration file (usually pg_hba.conf) to configure password storage for the application user. If other problems come up, be sure to also change the IPv4 and IPv6 settings in pg_hba.conf.
sudo systemctl enable --now postgresql
sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q
In the file /var/lib/pgsql/data/pg_hba.conf:
# IPv4 local connections:
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::1/128 md5
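The first host line above accepts password logins from any IPv4 address (0.0.0.0/0). As an added example (not part of the article), the following script parses pg_hba.conf rules in the format shown and flags entries that are broader than a single-host setup like this one needs; the sample rules are constructed.

```python
# Added example (not from the article): parse pg_hba.conf rules like the ones
# above and flag entries that admit any address or use a weak auth method.
import ipaddress

# Constructed sample: the article's two host lines plus two narrower rules.
SAMPLE_PG_HBA = """\
# IPv4 local connections:
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::1/128 md5
host djangoapp djangouser 127.0.0.1/32 md5
local all all peer
"""

WEAK_METHODS = {"trust", "password"}  # no authentication / cleartext password

def parse_pg_hba(text):
    """Return one dict per rule line (comments and blanks skipped).
    Assumes the ADDRESS column is in CIDR form, as in the article."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if f[0] == "local":      # local DATABASE USER METHOD
            rules.append(dict(type=f[0], database=f[1], user=f[2], address=None, method=f[3]))
        else:                    # host[ssl|nossl] DATABASE USER ADDRESS METHOD
            rules.append(dict(type=f[0], database=f[1], user=f[2], address=f[3], method=f[4]))
    return rules

def find_overly_broad(rules):
    """Return (rule, reasons) pairs for rules a reviewer should question."""
    findings = []
    for r in rules:
        reasons = []
        if r["address"] is not None:
            try:
                net = ipaddress.ip_network(r["address"], strict=False)
            except ValueError:   # hostname or IP+netmask form: not checked here
                net = None
            if net is not None and net.prefixlen == 0:
                reasons.append("matches every IPv%d address" % net.version)
        if r["method"] in WEAK_METHODS:
            reasons.append("method '%s' does not authenticate properly" % r["method"])
        if reasons:
            findings.append((r, reasons))
    return findings
```

Narrowing the first rule to the application host's address (or 127.0.0.1/32 when Django runs on the same machine) makes the finding disappear.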
In the file /srv/djangoapp/settings.py:
# Database
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': '{{ db_name }}',
        'USER': '{{ db_user }}',
        'PASSWORD': '{{ db_password }}',
        'HOST': '{{ db_host }}',
    }
}
Once settings.py is configured in the project and the database configuration is in place, you can start the development server to verify that everything works. After starting the development server, it is a good idea to create an admin user to test the database connection.
./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser
WSGI? Why!
The development server is convenient for testing, but to run the application you need to configure a suitable server and proxy for the Web Server Gateway Interface (WSGI). There are a few common combinations, for example Apache HTTPD with uWSGI, or Nginx with Gunicorn.
The job of the Web Server Gateway Interface is to pass requests from the web server to the Python web framework. WSGI is a relic of the grim past when CGI engines roamed the earth, and today it is the de facto standard regardless of which web server or Python framework is used. But despite its wide use, there are still many subtleties in working with these frameworks, and many choices. In this case we will try to set up the interaction between Gunicorn and Nginx over a socket.
Since both components are installed on the same server, let's use a UNIX socket instead of a network socket. Either way a socket is needed for communication, so let's go one step further and set up socket activation for Gunicorn via systemd.
Creating a socket-activated service is quite straightforward. First a unit file is created with a ListenStream directive pointing at where the UNIX socket will be created; then a unit file for the service, which points at the socket unit file with the Requires directive. After that, all that's left in the service unit file is to call Gunicorn from the virtual environment and create the WSGI binding between the UNIX socket and the Django application.
Here are a few example unit files you can use as a base. First the socket:
[Unit]
Description=Gunicorn WSGI socket
[Socket]
ListenStream=/run/gunicorn.sock
[Install]
WantedBy=sockets.target
Next, the Gunicorn daemon needs to be configured:
[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target
[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp
ExecStart=/srv/djangoapp/django/bin/gunicorn \
    --access-logfile - \
    --workers 3 \
    --bind unix:gunicorn.sock djangoapp.wsgi
[Install]
WantedBy=multi-user.target
For Nginx you only need to create a proxy configuration file and, if you serve static content, set the directory where it is stored. On RHEL the Nginx configuration files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Be sure to set server_name to match your hostname.
server {
    listen 80;
    server_name 8beta1.example.com;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /srv/djangoapp;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
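As an added example (not code from the article), here is a minimal WSGI callable together with a stand-in for the server side that builds the environ the way Gunicorn does when Nginx forwards a request with the proxy_set_header lines above; the client address is taken from the log line discussed later and the host name from the config. It shows how those headers reach the application as HTTP_* keys, which the app may trust only because Nginx is the sole writer on the UNIX socket.

```python
# Added example (not part of the article): a minimal WSGI application plus a
# stand-in for the server side, building the environ the way Gunicorn does
# when Nginx forwards a request with the proxy_set_header lines above.
from io import BytesIO, StringIO

def application(environ, start_response):
    """WSGI callable: report the client as seen through the proxy headers."""
    # X-Real-IP / X-Forwarded-Proto set by Nginx arrive as HTTP_* environ keys;
    # they are trustworthy only because Nginx is the sole writer on the socket.
    client_ip = environ.get("HTTP_X_REAL_IP", environ.get("REMOTE_ADDR", "?"))
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    body = ("client=%s scheme=%s path=%s"
            % (client_ip, scheme, environ["PATH_INFO"])).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def run_request(app, method, path, headers, peer_addr=""):
    """Act as the WSGI server: build a PEP 3333 environ from the request,
    call the app and return (status, headers, body) as the gateway would."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
        "SERVER_NAME": "8beta1.example.com", "SERVER_PORT": "80",
        "SERVER_PROTOCOL": "HTTP/1.1", "REMOTE_ADDR": peer_addr,
        "wsgi.version": (1, 0), "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""), "wsgi.errors": StringIO(),
        "wsgi.multithread": False, "wsgi.multiprocess": True,
        "wsgi.run_once": False,
    }
    for name, value in headers.items():
        # request header "X-Real-IP" becomes environ key "HTTP_X_REAL_IP"
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, response_headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

# Request headers exactly as the Nginx "location /" block above sets them
# (client address as in the article's nginx log line).
NGINX_HEADERS = {"Host": "8beta1.example.com", "X-Real-IP": "192.168.122.1",
                 "X-Forwarded-For": "192.168.122.1", "X-Forwarded-Proto": "http"}

if __name__ == "__main__":
    print(run_request(application, "GET", "/", NGINX_HEADERS))
```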
Once the Gunicorn socket and Nginx have been started with systemd, we are ready to begin testing.
Bad Gateway error?
If you enter the address in a browser, you will most likely get a 502 Bad Gateway error. This could be caused by incorrectly configured permissions on the UNIX socket, but it could also be a more complex problem related to SELinux access control.
The nginx error log shows lines like this:
2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"
Testing Gunicorn directly gives an empty reply:
curl --unix-socket /run/gunicorn.sock 8beta1.example.com
Let's figure out why this happens. Looking at the log, it is clear that the problem is related to SELinux. Because we are running a daemon for which no policy exists, it is labelled init_t. Let's test this theory in practice:
sudo setenforce 0
All of this may provoke criticism and tears of blood, but this is only debugging a prototype. We disable enforcement just to confirm that this is the problem, and then we put everything back.
If you refresh the page in the browser or run the curl command again, the Django test page appears.
So, having verified that everything works and there are no more permission problems, we re-enable SELinux:
sudo setenforce 1
We won't go into creating alert-based policies with audit2allow or sepolgen here, because there is no real Django application yet, so there is no complete map of what Gunicorn should and should not be allowed to access. So we need to keep SELinux running to protect the system while at the same time letting the application run and leave messages in the audit log, so that a real policy can be built from those messages.
Defining a permissive domain
Not everyone has thought about permissive domains in SELinux, but they are nothing new; many people have worked with them without noticing. When a policy is created from audit messages, the resulting policy represents the permissive domain. Let's try to create a simple permissive policy.
To create a dedicated permissive domain for Gunicorn we need some policy and we need to label the appropriate files. We also need the tools to build the new policy:
sudo yum install selinux-policy-devel
The permissive domain mechanism is a great tool for pinpointing problems, particularly for custom applications that ship without a policy. In this case the permissive domain policy for Gunicorn will be as simple as possible: declare a domain type (gunicorn_t), declare a type used to label the executables (gunicorn_exec_t), and set up a transition so that the system labels the running process correctly. The last line makes the domain permissive by default when the policy is loaded.
gunicorn.te:
policy_module(gunicorn, 1.0)
type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;
This policy file can be compiled and added to the system:
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp
sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive
Let's check whether SELinux is blocking anything other than what the unknown daemon is accessing:
sudo ausearch -m AVC
type=AVC msg=audit(1545315977.237:1273): avc: denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
SELinux is preventing Nginx from writing to the UNIX socket that Gunicorn uses. Normally in such cases you would start changing the policy, but there are other challenges ahead. We can instead change the domain setting from confined to permissive, so let's move httpd_t into a permissive domain too. This gives Nginx the access it needs, and we can continue debugging:
sudo semanage permissive -a httpd_t
So, with SELinux still on guard (a project should not be left in permissive mode for good), once the permissive domain is loaded we need to find out exactly what must be labelled gunicorn_exec_t for everything to work properly. First let's visit the website and check for new messages about access restrictions:
sudo ausearch -m AVC -c gunicorn
We see a lot of messages containing comm="gunicorn" doing various things to files under /srv/djangoapp, so this is clearly one of the commands worth flagging.
However, we also see messages like this:
type=AVC msg=audit(1545320700.070:1542): avc: denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
Checking the status of the gunicorn service or running ps shows no running process. It looks like gunicorn is trying to access the Python interpreter in the virtualenv, probably to run the worker scripts. So let's label these two executables and see whether the Django test page opens:
chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6
For the new labels to take effect, the gunicorn service has to be restarted. You can restart it immediately, or stop the service and let the socket start it when the site is opened in the browser. Use ps to verify that the process has received the correct label:
ps -efZ | grep gunicorn
Don't forget to create a normal SELinux policy later.
Looking at the AVC messages now, the latest ones contain permissive=1 for everything related to the application and permissive=0 for the rest of the system. Once you understand what kind of access the real application needs, you can quickly find the best way to solve such problems. But until then it is best to keep the system safe and get a clear, useful audit of the Django project:
sudo ausearch -m AVC
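As an added example (not from the article), this script parses the AVC lines shown above, plus a constructed third line as the permissive gunicorn_t domain would log it after relabelling, and summarises per source type which denials were enforced (permissive=0) and which were only logged (permissive=1), the raw material for the policy to write later.

```python
# Added example (not from the article): parse `ausearch -m AVC` output like the
# lines above and summarise, per source type, which denials were enforced.
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the article plus one as it would
# look after relabelling, logged in the permissive gunicorn_t domain.
SAMPLE_AVC = """\
type=AVC msg=audit(1545315977.237:1273): avc: denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc: denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc: denied { read } for pid=20800 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])')

def parse_avc(text):
    """One dict per AVC line. The source/target *type* (httpd_t, init_t, ...)
    is the third colon-separated field of the security context."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["perms"] = ev["perms"].split()
        ev["source_type"] = ev["scontext"].split(":")[2]
        ev["target_type"] = ev["tcontext"].split(":")[2]
        ev["permissive"] = ev["permissive"] == "1"
        events.append(ev)
    return events

def summarize(events):
    """Map source type -> counts. 'enforced' denials actually broke something;
    'logged_only' ones are the raw material for the real policy to write later."""
    summary = defaultdict(lambda: {"enforced": 0, "logged_only": 0})
    for ev in events:
        summary[ev["source_type"]]["logged_only" if ev["permissive"] else "enforced"] += 1
    return dict(summary)
```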
What did we end up with?
We now have a working Django project with a front end based on Nginx and Gunicorn WSGI. We configured Python 3 and PostgreSQL 10 from the RHEL 8 beta repositories. Now you can build (or simply deploy) a Django application, or explore the other tools available in RHEL 8 beta to automate the configuration process, improve performance, or containerize this setup.
Source: habr.com