RHEL 8 Beta tutorial: building web applications

RHEL 8 Beta offers developers a great many new features, and the list could fill pages; new things, however, are best learned in practice, so below we offer a hands-on tutorial on actually developing an application on Red Hat Enterprise Linux 8 Beta.

Let's take Python, a language popular with developers, as the base, add Django and PostgreSQL, a fairly common combination for building applications, and configure RHEL 8 Beta to work with them. Then we'll add a couple more (as yet unannounced) ingredients.

The test environment will keep changing, because it's interesting to explore the platform's possibilities: working with containers and with test environments that have many dependencies. But to start a new project it pays to build a small, simple prototype by hand first, so you can see exactly what should happen and how the pieces interact, and only then move on to automation and more complex deployments. Today we're talking about building that prototype.

Let's start by deploying the RHEL 8 Beta VM image. You can install a virtual machine from scratch, or use the KVM guest image that comes with your Beta subscription. When using the guest image you'll need to attach a virtual CD containing the metadata and user data for cloud initialisation (cloud-init). You don't need to do anything special with the disk layout or the package selection; any configuration will do.

Let's walk through the whole process in detail.

Installing Django

With the latest Django release you need a virtual environment (virtualenv) with Python 3.5 or later. The Beta notes say Python 3.6 is available; let's check whether that's really the case:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat uses Python heavily as a system tool in RHEL, so why does this happen?

The fact is that many Python developers are still in the middle of the transition from Python 2 to Python 3, while Python 3 itself is under active development and new releases keep appearing. So, to satisfy the need for stable system tooling while still giving users access to the various newer versions of Python, the system Python was moved into a new package and the ability to install both Python 2.7 and 3.6 side by side was added. More details on the changes and the reasons behind them can be found in Langdon White's blog post.

So, to get Python working, you only need to install two packages, with python3-pip pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not use the direct module invocation Langdon suggests instead of installing pip3? With the coming automation in mind: Ansible needs pip installed in order to work, because its pip module doesn't support virtualenvs with a custom pip executable.

With a working python3 interpreter at hand, you can go on to install Django and get a working setup together with the other components. There are plenty of recipes for this on the Internet. One version is shown here, but feel free to use your own process.

We'll install the PostgreSQL and Nginx versions available in RHEL 8 with Yum.

sudo yum install nginx postgresql-server

PostgreSQL needs psycopg2, which has to be available inside the virtualenv, so we'll install it with pip3 together with Django and Gunicorn. But first we need to set up the virtualenv.

There is still plenty of debate about the right place to put Django's working files, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says /srv is for "site-specific data served by this system, such as data and scripts for web servers, data offered by FTP servers, and repositories for version control systems" (it appeared in FHS 2.3, in 2004).

That's exactly our case, so we put everything we need under /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
# with the virtualenv active, django-admin is on PATH (it lives in django/bin)
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL for Django is easy: create a database, create a user, grant privileges. One thing to keep in mind when installing PostgreSQL for the first time is the postgresql-setup script shipped in the postgresql-server package. It helps with the basic cluster administration tasks, such as initialising the cluster or upgrading it. To initialise a new PostgreSQL instance on a RHEL system, run:

sudo /usr/bin/postgresql-setup --initdb

Then you can start PostgreSQL with systemd, create a database and set up the Django project. Remember to reload PostgreSQL (systemctl reload postgresql) after editing the client authentication file (normally pg_hba.conf) so that password authentication for the application user takes effect. If you run into connection problems, check the IPv4 and IPv6 entries in pg_hba.conf.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# -- 'qwer4321' is a sample value; generate a real password and keep it out of version control
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In /var/lib/pgsql/data/pg_hba.conf (the application and the database share this host, so only the loopback addresses need password access; a 0.0.0.0/0 entry would admit every IPv4 client as soon as listen_addresses is widened):

# IPv4 local connections:
host    all        all 127.0.0.1/32            md5
# IPv6 local connections:
host    all        all ::1/128                 md5
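The address column is the part of pg_hba.conf that is easiest to get wrong: a rule such as host all all 0.0.0.0/0 md5 matches every IPv4 client, and although it is harmless while listen_addresses is still 'localhost', it becomes a remote password-guessing surface the moment the server is opened to the network. The following Python is an added example, not part of the original article and not PostgreSQL's own tooling: a small pg_hba.conf parser and linter that flags rules matching every address, remote access without TLS, and the trust and password methods. Both sample configurations are constructed for the example. The findings recommend scram-sha-256, which needs PostgreSQL 10 or later and password_encryption = scram-sha-256 set before the role's password is created.

```python
import ipaddress

# Methods that either skip authentication or send the password in cleartext.
WEAK_METHODS = {"trust", "password"}

# Constructed sample: the wide-open IPv4 rule next to a loopback-only IPv6 rule.
SAMPLE_PG_HBA = """\
# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5
"""

# Constructed sample: what a single-host Django deployment actually needs.
HARDENED_PG_HBA = """\
host    all        all 127.0.0.1/32   scram-sha-256
host    all        all ::1/128        scram-sha-256
"""


def _parse_address(fields):
    """Return (address, method) for a host-type rule. Accepts CIDR, the
    separate address + netmask form, and keywords such as all/samehost."""
    addr = fields[3]
    if "/" not in addr and len(fields) >= 6:
        try:
            return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]
        except ValueError:
            pass
    try:
        return ipaddress.ip_network(addr, strict=False), fields[4]
    except ValueError:
        return addr, fields[4]  # hostname or keyword; kept as a string


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rule dicts, skipping comments and blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        kind = f[0]
        if kind == "local" and len(f) >= 4:
            address, method = None, f[3]          # local rules have no address column
        elif kind in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            address, method = _parse_address(f)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append({"line": lineno, "type": kind, "db": f[1], "user": f[2],
                      "address": address, "method": method})
    return rules


def audit_pg_hba(text):
    """Return findings for rules broader or weaker than a single-host deployment
    needs. An empty list means nothing was flagged."""
    findings = []
    for r in parse_pg_hba(text):
        where = f"line {r['line']}"
        addr = r["address"]
        if r["method"] in WEAK_METHODS:
            findings.append(f"{where}: method {r['method']!r} skips or leaks the "
                            "password; use scram-sha-256")
        if isinstance(addr, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr.prefixlen == 0:
                findings.append(f"{where}: {addr} matches every client address; "
                                "restrict it to the application host")
            if not addr.is_loopback and r["type"] == "host" and r["method"] != "cert":
                findings.append(f"{where}: remote clients may connect without TLS; "
                                "use hostssl")
        elif addr == "all":
            findings.append(f"{where}: address 'all' matches every client; restrict it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(label, audit_pg_hba(cfg) or ["no findings"])
```

The check deliberately treats a plain host rule for a non-loopback network as a finding even with md5: md5 protects the password exchange, but every query and result afterwards crosses the network in cleartext unless the rule is hostssl.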

In /srv/djangoapp/djangoapp/settings.py (startproject puts the settings module inside the djangoapp package, next to wsgi.py):

# Database
# The {{ ... }} placeholders are template variables (for example for the
# Ansible automation mentioned above). When editing by hand, fill them in with
# the values created in psql, and keep the real password out of version control.
DATABASES = {
   'default': {
       'ENGINE': 'django.db.backends.postgresql_psycopg2',
       'NAME': '{{ db_name }}',
       'USER': '{{ db_user }}',
       'PASSWORD': '{{ db_password }}',
       'HOST': '{{ db_host }}',
   }
}

Once settings.py is in place and the database connection is configured, apply the initial migrations and start the development server to make sure everything works. It's also a good idea to create an admin user, which exercises the database connection. If you open the development server from another machine, the hostname you use must be listed in ALLOWED_HOSTS in settings.py; and runserver is for testing only, never for serving the site.

./manage.py migrate
./manage.py createsuperuser
./manage.py runserver 0.0.0.0:8000

WSGI? What's that?

The development server is useful for testing, but to actually run the application you need to set up a suitable server and proxy for the Web Server Gateway Interface (WSGI). There are several common combinations, for example Apache HTTPD with uWSGI, or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to pass requests from the web server to the Python web framework. WSGI is a relic of the dark past of CGI engines, and today it is the de facto standard whichever web server or Python framework is used. But despite its wide adoption there are still many nuances to working with these frameworks, and many choices. In this case we'll set up the link between Gunicorn and Nginx through a socket.

Since both components run on the same server, let's use a UNIX socket rather than a network socket. And since a socket is needed in any case, let's go one step further and set up socket activation for Gunicorn via systemd.

Creating socket-activated services is fairly simple. First you write a socket unit with a ListenStream directive giving the path where the UNIX socket should be created, then a service unit whose Requires directive points at the socket unit. In the service unit, all that's left is to call Gunicorn from the virtual environment and bind the WSGI entry point of the Django application to the UNIX socket.

Here are example unit files you can use as a base. First the socket, in /etc/systemd/system/gunicorn.socket:

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now the Gunicorn service itself, in /etc/systemd/system/gunicorn.service:

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

# When started through gunicorn.socket, Gunicorn serves on the descriptor
# systemd hands it; --bind only matters if the service is started on its own.
ExecStart=/srv/djangoapp/django/bin/gunicorn \
         --access-logfile - \
         --workers 3 \
         --bind unix:/run/gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target
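What makes the two units above work together is the sd_listen_fds(3) convention: systemd binds the socket and the service discovers it through the LISTEN_PID and LISTEN_FDS environment variables, starting at file descriptor 3, using that inherited descriptor in preference to binding an address itself. The following Python is an added example, not part of the original article and not Gunicorn's code: it implements that hand-over in miniature, playing both the systemd side (bind, listen, pass the descriptor) and the service side (validate the variables, adopt the descriptor, serve one request). The socket path is a temporary file and the Host header value is a fixture; because this runs in one process, a dup() of the descriptor stands in for the dup2() onto fd 3 that systemd performs before exec.

```python
import os
import socket
import tempfile
import threading

SD_LISTEN_FDS_START = 3  # sd_listen_fds(3): inherited fds follow stdin/stdout/stderr


def listen_fds(environ, pid):
    """Descriptors handed over by systemd, per the sd_listen_fds(3) protocol.

    LISTEN_PID must equal the caller's pid: a child that merely inherited the
    environment must not treat the variables as its own. LISTEN_FDS is the
    number of descriptors, numbered consecutively from 3.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def adopt_listener(fd):
    """Wrap a socket that systemd already bound and put into listen().

    Family and type are read back from the descriptor, so the same code serves
    ListenStream=/run/gunicorn.sock and ListenStream=127.0.0.1:8000 alike.
    """
    sock = socket.socket(fileno=fd)
    if sock.type != socket.SOCK_STREAM:
        raise ValueError("expected a stream socket from ListenStream=")
    return sock


def serve_one(listener):
    """Accept one connection and answer with a fixed HTTP response.

    A WSGI server such as Gunicorn does the same accept() on the inherited
    socket and then hands the request to the application. Returns the request line.
    """
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(4096)
        body = b"ok\n"
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
    return request.split(b"\r\n", 1)[0]


def roundtrip(path=None):
    """Play both roles: the manager (bind + listen, hand over the fd) and the
    activated service (adopt the fd, serve one client). Returns the request
    line the service saw and the raw response the client received."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "gunicorn.sock")
    manager = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    manager.bind(path)
    manager.listen(1)
    # systemd dup2()s the socket onto fd 3 before exec; a plain dup() stands in
    # for that here, so the number is not 3 but the listening state is shared.
    inherited = os.dup(manager.fileno())
    manager.close()
    listener = adopt_listener(inherited)

    received = {}

    def client():
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            c.sendall(b"GET / HTTP/1.0\r\nHost: 8beta1.example.com\r\n\r\n")
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
            received["response"] = b"".join(chunks)

    t = threading.Thread(target=client)
    t.start()
    request_line = serve_one(listener)
    t.join()
    listener.close()
    os.unlink(path)
    return request_line, received["response"]


if __name__ == "__main__":
    print(listen_fds({"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}, os.getpid()))
    print(roundtrip())
```

The pid check is the part worth remembering: systemd only sets LISTEN_PID for the process it execs, so a helper the service forks must not pick the variables up from its inherited environment and start serving on descriptors it was never meant to own.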

For Nginx it's just a matter of creating a proxy configuration file and, if you use static content, a directory to keep it in. On RHEL the Nginx configuration files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Make sure server_name matches your hostname.

server {
   listen 80;
   server_name 8beta1.example.com;

   location = /favicon.ico { access_log off; log_not_found off; }
   location /static/ {
       root /srv/djangoapp;
   }

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/run/gunicorn.sock;
   }
}

Run systemctl daemon-reload so systemd sees the new units, start the Gunicorn socket and Nginx (sudo systemctl enable --now gunicorn.socket nginx), and you're ready to test.

502 Bad Gateway?

If you open the address in your browser, you'll most likely get a 502 Bad Gateway error. This can be caused by wrong UNIX socket permissions, or by more involved problems with SELinux access control.

In the nginx error log you'll see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we query Gunicorn directly through the socket, we get an empty reply:

curl --unix-socket /run/gunicorn.sock http://8beta1.example.com/

Let's work out why this happens. If you look at the audit log, you'll most likely see that the problem is SELinux. Since we're running a daemon for which no policy exists, systemd starts it without a domain transition and it stays in init_t, and init_t is not allowed to execute files labelled var_t. Let's test this theory in practice.

sudo setenforce 0

All this may draw criticism and bloody tears, but this is only prototype debugging. Let's switch enforcement off to confirm that this is the problem, and then put everything back.

Reload the page in the browser or rerun the curl command and you'll see the Django test page.

So, having verified that everything works and that there are no other permission problems, we put SELinux back into enforcing mode.

sudo setenforce 1

I won't go into audit2allow or generating policy from audit messages with sepolgen here, because there's no real Django application yet, so there's no complete picture of what Gunicorn will need access to and what should be denied. SELinux therefore needs to stay enforcing to protect the system, while still letting the application run and leave messages in the audit log, so that a real policy can be built from them later.

Defining a permissive domain

Not everyone has heard of permissive domains in SELinux, but they're nothing new; many people have used them without realising it. When a policy is generated from audit messages (for instance with sepolicy generate), the resulting domain is usually left permissive until the policy is complete. Let's try writing a simple permissive policy.

To create a custom permissive domain for Gunicorn you need a policy of some kind, and you also need to label the relevant files. On top of that, you need the tools to build new policy modules.

sudo yum install selinux-policy-devel

A permissive domain is a good tool for finding problems, especially with custom applications or applications that ship without a ready-made policy. In this case the policy for Gunicorn will be as simple as possible: declare a domain type (gunicorn_t), declare a type we'll use to label the executables (gunicorn_exec_t), then set up a transition so the system labels the running process correctly. The last line makes the domain permissive when the policy is loaded, so violations by gunicorn_t are logged but not blocked, while every other domain on the system remains enforced.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

Build this policy module (the Makefile picks up gunicorn.te from the current directory and produces gunicorn.pp) and load it into your system:

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking anything other than what our not-yet-labelled daemon touches.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux is preventing Nginx from writing to the UNIX socket used by Gunicorn. Normally at this point one would start editing policy, but there are other challenges ahead. You can also switch a domain from confined to permissive, so let's move httpd_t into permissive mode. That gives Nginx the access it needs and we can carry on debugging. Bear in mind that this lifts confinement from the whole web server, not just its access to this one socket, so it is strictly a prototyping step: the real fix is a rule (or a label on the socket file) that lets httpd_t connect to that sock_file, and semanage permissive -d httpd_t reverses the change.

sudo semanage permissive -a httpd_t

So, with SELinux still enforcing (don't leave the whole system in permissive mode) and the permissive domains set up, you need to find out exactly what should be labelled gunicorn_exec_t so that everything works properly again. Let's open the site again to see the new access-denial messages.

sudo ausearch -m AVC -c gunicorn

You'll see many messages containing comm="gunicorn" doing various things to files under /srv/djangoapp, so that's clearly one of the executables that needs labelling.

In addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the gunicorn service status or at ps output, you won't see any running processes. The parenthesised comm="(gunicorn)" is systemd's child just before it execs the service: it's trying to execute the Python interpreter in our virtualenv, which the gunicorn script's shebang points to, and init_t is denied. So let's label both files and check whether our Django test page now opens.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service needs to be restarted before the new label takes effect. You can restart it right away, or stop the service and let the socket start it when you open the site in the browser. Verify that the processes got the right context with ps. Note that chcon only changes the label on disk, so a relabel or restorecon will undo it; once the layout is settled, record the mapping with semanage fcontext -a -t gunicorn_exec_t and apply it with restorecon so it survives.

ps -efZ | grep gunicorn

Don't forget to write a proper SELinux policy later!

If you look at the AVC messages now, the latest ones have permissive=1 for everything related to the application and permissive=0 for the rest of the system. Once you understand what access a real application needs, you can quickly find the best way to solve these problems. Until then, it's best to keep the system secure and get a clean, usable audit trail of the Django project.

sudo ausearch -m AVC
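The audit log at this point is a mix of permissive=0 records (real blocks, which is what breaks the site) and permissive=1 records (the Gunicorn domain's wish list, which only feeds the policy you write later). The following Python is an added example, not part of the original article and not the SELinux tooling: it does in miniature what audit2allow does, grouping AVC denials by source type, target type and object class and rendering them as allow rules, while keeping the two kinds of record apart. The sample input is constructed: the two real denials quoted above plus one hypothetical permissive=1 line for gunicorn_t. Rules produced this way are raw material, not a policy: the init_t rule on var_t, for instance, is exactly the one you should not write, because the right fix was to label the files so that a transition to gunicorn_t happens instead.

```python
import re

# Constructed sample: the two denials quoted above (nginx -> socket, systemd ->
# interpreter) plus one hypothetical record from the permissive gunicorn_t domain.
SAMPLE_AVC = """\
type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.100:1601): avc:  denied { read open } for pid=20810 comm="gunicorn" name="settings.py" dev="vda3" ino=8515900 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC audit record into a dict; return None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "denied": m.group("verdict") == "denied",
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Group denials by (source type, target type, class), as audit2allow does.
    'enforced' is True if at least one record was an actual block (permissive=0)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or not rec["denied"]:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "comms": set(), "enforced": False})
        entry["perms"] |= rec["perms"]
        entry["comms"].add(rec["comm"])
        entry["enforced"] |= not rec["permissive"]
    return summary


def allow_rules(summary):
    """Render each group as an allow rule in .te syntax (a starting point only)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summary.items())]


def still_blocked(summary):
    """Keys whose denials were enforced, i.e. the ones breaking the app right
    now; permissive-domain denials are only a to-do list for the policy."""
    return [k for k, e in sorted(summary.items()) if e["enforced"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC.splitlines())
    for rule in allow_rules(s):
        print(rule)
    print("enforced:", still_blocked(s))
```

Feed it the output of ausearch -m AVC (one record per line) and read still_blocked() first: those are the entries worth a label or a rule today, while the permissive=1 groups can wait until the real application exists and the policy is written for what it actually does.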

It works!

We now have a working Django project with a front end based on Nginx and the Gunicorn WSGI server. We set up Python 3 and PostgreSQL 10 from the RHEL 8 Beta repositories. From here you can go on to write (or simply deploy) Django applications, or explore the other tools available in RHEL 8 Beta to automate the configuration, improve performance, or even containerise this setup.

Source: www.habr.com
