RHEL 8 Beta Workshop: Building a working web application

RHEL 8 Beta gives developers a lot of new features, and the list of them could fill pages. Still, new things are always easier to learn in practice, so below we offer a workshop on building an application foundation with Red Hat Enterprise Linux 8 Beta.


We'll take Python, a programming language popular among developers, as the base, along with the combination of Django and PostgreSQL, a fairly common pairing for building applications, and configure RHEL 8 Beta to work with them. Then we'll add a few more (not yet revealed) ingredients.

The test environment will evolve, because it's interesting to explore automation options, work with containers and try environments with several servers. To start a new project, you can begin by building a small, simple prototype by hand to see exactly what needs to happen and how the pieces interact, and then move on to automation and more complex configurations. Today we're talking about building such a prototype.

Let's start by deploying a RHEL 8 Beta VM image. You can install the virtual machine from scratch, or use the KVM guest image that comes with your Beta subscription. When using the guest image, you'll need to prepare a virtual CD containing the metadata and user data for cloud initialization (cloud-init). You don't need to do anything special with the disk layout or the set of installed packages; any configuration will do.

Let's go through the whole process in detail.

Installing Django

For the latest version of Django you'll need a virtual environment (virtualenv) with Python 3.5 or later. The Beta notes say that Python 3.6 is available, so let's check whether that's the case:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat uses Python heavily as a system tool in RHEL, so why is this?

The thing is that many Python developers are still weighing the move from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. So, to meet the need for stable system tools while giving users access to new Python versions, the system Python was moved into a separate package and the option to install both Python 2.7 and 3.6 was added. More on these changes and the reasons behind them can be found in Langdon White's blog post.

So, to use Python, you only need to install two packages; python3-pip is pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not use direct calls as Langdon suggests and install pip3? With the upcoming automation in mind, it's known that Ansible will need pip installed, since the pip module doesn't work with virtualenvs and a custom pip executable.

With a working python3 interpreter in place, you can continue with installing Django and get a working setup together with our other components. There are plenty of guides for this on the internet. One variant is shown here, but you're free to use your own approach.

We'll install the versions of PostgreSQL and Nginx that ship in RHEL 8 by default, using Yum.

sudo yum install nginx postgresql-server

PostgreSQL will need psycopg2, but it has to be available inside the virtual environment, so we'll install it with pip3 together with Django and Gunicorn. But first we need to set up the virtualenv.

There's always a lot of debate about the right place to put Django projects, but when in doubt you can turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says that /srv is used for "site-specific data which is served by this system, such as data and scripts for web servers, data offered by FTP servers, and repositories for version control systems" (this appeared in FHS-2.3 in 2004).

That's exactly our case, so we'll put everything we need under /srv, owned by the application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL with Django is straightforward: create the database, create a user, set the permissions. One thing to keep in mind during the initial PostgreSQL setup is the postgresql-setup script installed by the postgresql-server package. This script helps you perform basic tasks related to database cluster administration, such as initializing or upgrading a cluster. To configure a new PostgreSQL instance on a RHEL system, we need to run the command:

sudo /usr/bin/postgresql-setup --initdb

You can then start PostgreSQL via systemd, create the database and set up the Django project. Remember to restart PostgreSQL after changing the client authentication file (usually pg_hba.conf) so that the application user can authenticate with a password. If you run into other problems, make sure you've changed both the IPv4 and IPv6 entries in pg_hba.conf.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5

In the file /srv/djangoapp/settings.py:

# Database
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': '{{ db_name }}',
        'USER': '{{ db_user }}',
        'PASSWORD': '{{ db_password }}',
        'HOST': '{{ db_host }}',
    }
}

After editing settings.py in the project and putting in the database configuration, you can start the development server to make sure everything works. Once the development server is up, it's a good idea to create an admin user to test the database connection.

./manage.py migrate
./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? Why?

The development server is handy for testing, but to run the application you need to set up a proper server and a Web Server Gateway Interface (WSGI) proxy. There are several common combinations, for example Apache HTTPD with uWSGI, or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to pass requests from the web server to the Python web framework. WSGI is a relic of the days when CGI engines existed, and today WSGI is the de facto standard, regardless of which web server or Python framework is used. But despite its wide adoption, there are still many nuances in working with it, and many choices to make. In this case we'll set up the interaction between Gunicorn and Nginx over a socket.

Since both components are installed on the same server, let's use a UNIX socket instead of a network socket. And since the communication needs a socket in any case, let's go one step further and configure socket activation for Gunicorn via systemd.

Creating socket-activated services is quite simple. First, a socket unit file is created containing a ListenStream directive that points to where the UNIX socket will be created; then a service unit file whose Requires directive points to that socket unit. After that, all that's left in the service unit is to call Gunicorn from the virtual environment and bind the WSGI application, our Django application, to the UNIX socket.

Here are sample unit files you can use as a starting point. First we create the socket.

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now you need to configure the Gunicorn daemon.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn \
          --access-logfile - \
          --workers 3 \
          --bind unix:gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target
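The fd hand-over that socket activation relies on, as an added example that is not part of the original workshop: this is the sd_listen_fds(3) logic that a service started from gunicorn.socket runs (Gunicorn performs the same check, which is why it serves the socket systemd created at /run/gunicorn.sock and only falls back to its own --bind when no fd was passed). The listening_socket helper, its fallback path and the sample environment are assumptions for illustration.

```python
"""Inheriting a systemd-activated socket (the sd_listen_fds(3) protocol)."""
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd passes activated sockets as fd 3, 4, ...


def listen_fds(environ=None, pid=None):
    """Return the fds handed over by socket activation, or [] if there are none.

    LISTEN_PID must equal our own pid (a child that merely inherited the
    environment must not claim the sockets), and LISTEN_FDS is the number of
    consecutive fds starting at SD_LISTEN_FDS_START.
    """
    env = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    if env.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count < 1:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listening_socket(path, environ=None, pid=None):
    """Hypothetical helper: adopt the activated socket if systemd supplied one,
    otherwise bind `path` ourselves. Returns (sock, activated).

    The activated fd is already bound and listening (the ListenStream path in
    gunicorn.socket), so the service must not bind() or listen() on it again.
    """
    fds = listen_fds(environ, pid)
    if fds:
        return socket.socket(socket.AF_UNIX, socket.SOCK_STREAM, fileno=fds[0]), True
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(8)
    return sock, False


if __name__ == "__main__":
    # Constructed environment: what systemd exports for a unit with one socket.
    env = {"LISTEN_PID": "4242", "LISTEN_FDS": "1"}
    print("as pid 4242:", listen_fds(env, pid=4242))  # [3]
    print("as a child: ", listen_fds(env, pid=4243))  # []
```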

For Nginx, it's simply a matter of creating a config file for the project and setting up a directory for static files, if you serve any. In RHEL, the Nginx config files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Make sure you set server_name to match your hostname.

server {
    listen 80;
    server_name 8beta1.example.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /srv/djangoapp;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

Start the Gunicorn socket and Nginx via systemd and you're ready to start testing.

Bad Gateway error?

When you enter the address in the browser, you may get a 502 Bad Gateway error. It can be caused by incorrectly configured UNIX socket permissions, or by more complex problems related to SELinux access control.

In the nginx error log you may see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we test Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock 8beta1.example.com

Let's see why this happens. If you look at the audit log, you'll see that the problem is SELinux-related. Since we're running a daemon for which no policy has been written, it gets labeled init_t. Let's test this theory in practice.

sudo setenforce 0

This alone may draw criticism and tears of blood, but we're only debugging a prototype. Let's disable enforcement just to confirm that this is the problem, and afterwards we'll put everything back in place.

Refresh the page in the browser or rerun our curl command, and you'll see the Django test page.

So, having made sure that everything works and there are no other permission problems, we turn SELinux enforcement back on.

sudo setenforce 1

I won't talk about audit2allow or generating policies with sepolgen here, because there's no real Django application yet, so there's no complete map of what Gunicorn needs to access and what it should be denied. So we need to keep SELinux running to protect the system, while at the same time letting the application run and leave messages in the audit log, so that a real policy can later be built from them.

Defining permissive domains

Not everyone has heard of permissive domains in SELinux, but they're nothing new. Many have even worked with them without realizing it. When a policy is generated from audit messages, the generated policy represents a permissive domain. Let's try to create a simple permissive policy.

To create a dedicated permissive domain for Gunicorn, you need some kind of policy, and you also need to label the appropriate files. In addition, tools are needed to build new policies.

sudo yum install selinux-policy-devel

A permissive domain is a great troubleshooting tool, especially for custom applications or applications that ship without a ready-made policy. In this case the permissive policy for Gunicorn will be as simple as possible: declare the main type (gunicorn_t), declare a type we'll use to label several executables (gunicorn_exec_t), and then set up a transition so that the system labels the running processes correctly. The last line marks the domain as permissive by default at the moment the policy is loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile this file and add it to your system.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking something beyond what our unknown daemon is accessing.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux is preventing Nginx from writing to the UNIX socket used by Gunicorn. Usually in such cases the policies get modified, but there are other challenges ahead. You can also switch a domain's configuration from enforcing to permissive. Now let's move httpd_t into a permissive domain. This gives Nginx the access it needs and we can continue debugging.

sudo semanage permissive -a httpd_t

So, once SELinux is protecting the system again (you shouldn't leave an SELinux system with enforcement switched off) and the permissive domains are loaded, you need to figure out exactly what should be labeled gunicorn_exec_t so that everything works properly again. Let's try visiting the site to see the new denial messages.

sudo ausearch -m AVC -c gunicorn

You'll see many messages with 'comm="gunicorn"' performing various actions on files in /srv/djangoapp, so this is clearly one of the commands that needs labeling.

But in addition, a message like this shows up:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the status of the gunicorn service or run ps, you won't see any running process. It looks like gunicorn is trying to access the Python interpreter in our virtualenv, probably to start the worker scripts. So now let's label these two executables and see if we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service needs to be restarted before the new label is picked up. You can restart it right away, or stop the service and let the socket start it when you open the page in the browser. Verify that the processes have received the correct labels using ps.

ps -efZ | grep gunicorn

Don't forget to build a permanent SELinux policy!

If you look at the AVC messages now, the latest ones show permissive=1 for everything related to the application and permissive=0 for the rest of the system. Once you understand what kind of access the real application needs, you can quickly find the best way to solve such problems. Until then, it's better to keep the system protected and collect a clear audit trail of the Django project.

sudo ausearch -m AVC
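A small triage script for the denials seen above, as an added example that is not part of the original workshop: it parses the two AVC records quoted on this page plus one constructed record from the permissive gunicorn_t domain, separates denials that really refused access (permissive=0) from ones that were only logged, and flags any source still running as init_t, the sign that our daemon has no domain yet. The sample text is constructed inline; in practice you would feed it the output of the ausearch command above.

```python
"""Triage SELinux AVC denials as printed by `ausearch -m AVC`."""
import re
from collections import Counter

# Sample input: the two denials quoted in the workshop, plus one constructed
# record showing what a hit from the permissive gunicorn_t domain looks like.
AVC_SAMPLE = """\
type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied { read open } for pid=20800 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means access was really refused; 1 means it was only logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def triage(text):
    """Group denials: really blocked ones, ones from a process still in init_t
    (our daemon has no domain yet), and a per-domain summary for policy work."""
    recs = [r for r in (parse_avc(line) for line in text.splitlines()) if r]
    return {
        "total": len(recs),
        "blocked": [r for r in recs if r["enforced"]],
        "unlabeled_daemon": [r for r in recs if r["stype"] == "init_t"],
        "by_domain": Counter((r["stype"], r["tclass"], " ".join(r["perms"])) for r in recs),
    }


if __name__ == "__main__":
    result = triage(AVC_SAMPLE)
    for r in result["blocked"]:
        print("BLOCKED   %-11s %s on %s (%s)" % (r["stype"], r["perms"], r["name"], r["tclass"]))
    for r in result["unlabeled_daemon"]:
        print("UNLABELED %s pid=%s still runs as init_t" % (r["comm"], r["pid"]))
    for (stype, tclass, perms), n in sorted(result["by_domain"].items()):
        print("%-11s %-10s %-12s x%d" % (stype, tclass, perms, n))
```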

Done!

We now have a working Django project with a frontend based on Nginx and the Gunicorn WSGI server. We set up Python 3 and PostgreSQL 10 from the RHEL 8 Beta repositories. Now you can move on and develop (or simply deploy) Django applications, or explore other tools available in RHEL 8 Beta to automate the configuration, improve performance, or even containerize this setup.

Source: www.habr.com
