RHEL 8 Beta Workshop: Building a working web application

RHEL 8 Beta offers developers many new features, the list of which could fill pages; however, learning new things is always better in practice, so below we offer a workshop on actually building an application infrastructure based on Red Hat Enterprise Linux 8 Beta.

Let's take Python, a programming language popular among developers, as the base, together with the combination of Django and PostgreSQL, a fairly common combination for building applications, and configure RHEL 8 Beta to work with them. Then we will add a few more (undocumented) settings.

The test environment will change, because it is interesting to explore automation possibilities, working with containers and testing environments with multiple servers. To start a new project, you can begin by creating a small, simple prototype by hand so that you can see exactly what needs to happen and how it interacts, and then move on to automation and creating more complex configurations. Today we are talking about creating that prototype.

Let's start by deploying the RHEL 8 Beta VM image. You can install a virtual machine from scratch, or use the KVM guest image available with the Beta subscription. When using the guest image, you will need to configure a virtual CD that will contain the metadata and user data for cloud initialization (cloud-init). You do not need to do anything special with the disk layout or the available packages; any subscription will do.

Let's go through the whole process in detail.

Installing Django

With the latest version of Django, you need a virtual environment (virtualenv) with Python 3.5 or later. In the Beta notes you can see that Python 3.6 is available; let's check whether that is really the case:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat actively uses Python as a system toolkit in RHEL, so why this result?

The fact is that many Python developers are still considering the transition from Python 2 to Python 3, while Python 3 itself is under active development, and more and more versions keep appearing. Therefore, to meet the requirements of stable system tools while giving users access to different versions of Python, the system Python was moved to a new package and provides the ability to install both Python 2.7 and 3.6. More information about the changes and why they were made can be found in the publication on Langdon White's blog (Langdon White).

So, to get a working Python, you only need to install two packages, with python3-pip included as a dependency.

sudo yum install python36 python3-virtualenv

Why not use direct module calls as Langdon suggests and install pip3? With the upcoming automation in mind, it is known that Ansible requires pip to be installed in order to run, since the pip module does not support virtualenvs with a custom pip executable.

With a working python3 interpreter at your disposal, you can proceed with the Django installation and have a working system together with our other components. There are many implementation options available on the Internet. One version is given here, but users can use their own approaches.

We will install the PostgreSQL and Nginx versions available in RHEL 8 Beta directly using Yum.

sudo yum install nginx postgresql-server

PostgreSQL requires psycopg2, but it only needs to be available in the virtualenv environment, so we will install it using pip3 together with Django and Gunicorn. But first we need to set up the virtualenv.

There is always a lot of debate on the topic of choosing the right place to install Django projects, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says that /srv is used to store "site-specific data which is served by this system, such as web server data and scripts, data stored on FTP servers, and version control system repositories" (as it appears in FHS 2.3 from 2004).

This is exactly our case, so we put everything we need under /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp

Configuring PostgreSQL and Django is simple: create a database, create a user, set up permissions. One thing to keep in mind when first installing PostgreSQL is the postgresql-setup script installed with the postgresql-server package. This script helps you perform basic tasks related to database cluster management, such as cluster initialization or the upgrade process. To configure a new PostgreSQL instance on a RHEL system, we need to run the command:

sudo /usr/bin/postgresql-setup --initdb

You can then start PostgreSQL using systemd, create a database, and set up a project in Django. Remember to restart PostgreSQL after making changes to the client authentication configuration file (usually pg_hba.conf) to set up password-based access for the application user. If you run into other difficulties, be sure to change the IPv4 and IPv6 settings in the pg_hba.conf file.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5

In the file /srv/djangoapp/settings.py:

# Database (the {{ ... }} placeholders are replaced with the real values)
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': '{{ db_name }}',
        'USER': '{{ db_user }}',
        'PASSWORD': '{{ db_password }}',
        'HOST': '{{ db_host }}',
    }
}

After editing the settings.py file in the project and configuring the database, you can start the development server to make sure everything works. After starting the development server, it is a good idea to create an admin user in order to test the connection to the database.

./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? Why?

The development server is useful for testing, but to run the application you need to configure an appropriate server and proxy for the Web Server Gateway Interface (WSGI). There are several common combinations, for example, Apache HTTPD with uWSGI or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to forward requests from the web server to the Python web framework. WSGI is a relic of the dreadful past when CGI engines existed, and today WSGI is the de facto standard regardless of the web server or Python framework used. But despite its widespread use, there are still many nuances when working with these frameworks, and many choices. In this case, we will try to set up the interaction between Gunicorn and Nginx through a socket.

Since both of these components are installed on the same server, let's try to use a UNIX socket instead of a network socket. Since communication requires a socket in any case, let's try to go one step further and configure socket activation for Gunicorn through systemd.

The process of creating socket-activated services is straightforward. First, a socket unit file is created containing a ListenStream directive that points to the location where the UNIX socket will be created, then a service unit file in which the Requires directive points to the socket unit. Then, in the service unit file, all that remains is to call Gunicorn from the virtual environment and create a WSGI binding for the UNIX socket and the Django application.

Here are some examples of unit files you can use as a basis. First we set up the socket.

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now you need to configure the Gunicorn daemon.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn \
          --access-logfile - \
          --workers 3 \
          --bind unix:gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target

For Nginx, it is a simple matter of creating the proxy configuration files and setting up a directory to store static content if you are using one. In RHEL, the Nginx configuration files are located in /etc/nginx/conf.d. You can copy the following example into the file /etc/nginx/conf.d/default.conf and start the service. Be sure to set the server_name to match your host name.

server {
    listen 80;
    server_name 8beta1.example.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /srv/djangoapp;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

Start the Gunicorn socket and Nginx using systemd and you are ready to begin testing.

Bad Gateway error?

If you enter the address in your browser, you may get a 502 Bad Gateway error. It can be caused by incorrectly configured UNIX socket permissions, or it can be due to more complex issues related to access control in SELinux.

In the nginx error log you may see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we test Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock 8beta1.example.com

Let's find out why this happens. If you open the log, you will most likely see that the problem is related to SELinux. Since we are running a daemon for which no policy has been created, it gets labelled as init_t. Let's test this theory in practice.

sudo setenforce 0

All of this can cause criticism and bloody tears, but this is only debugging the prototype. Let's disable the check to make sure that this is the problem, and afterwards we will put everything back in its place.

By refreshing the page in the browser or rerunning our curl command, you can see the Django test page.

So, having made sure that everything works and there are no more permission problems, we enable SELinux again.

sudo setenforce 1

There is no point in talking about audit2allow or creating alert-based policies with sepolgen here, since there is no real Django application at this point, so there is no complete map of what Gunicorn might need to access and what it should be denied. Therefore, it is necessary to keep SELinux running to protect the system, while at the same time allowing the application to run and leaving messages in the audit log so that the actual policy can later be created from them.

Specifying permissive domains

Not everyone has heard of permissive domains in SELinux, but they are nothing new. Many have even worked with them without realizing it. When a policy is created based on audit messages, the created policy represents the permissive domain. Let's try to create a simple permissive policy.

To create a specific permissive domain for Gunicorn, you need some kind of policy, and you also need to label the appropriate files. In addition, tools are needed to build the new policies.

sudo yum install selinux-policy-devel

The permissive domain mechanism is an important tool for identifying problems, especially when it comes to a custom application or applications shipped without pre-built policies. In this case, the permissive domain policy for Gunicorn will be as simple as possible: declare the main type (gunicorn_t), declare the type we will use to label a number of executables (gunicorn_exec_t), and then set up the transition so that the system correctly labels the running process. The last line marks the domain as permissive by default at the time the policy is loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile this policy file and add it to your system.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking something other than what our unknown daemon is accessing.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux prevents Nginx from writing data to the UNIX socket used by Gunicorn. Usually, in such cases, the policies start to change, but there are other challenges ahead. You can also switch a domain's settings from a restricted domain to a permissive domain. Now let's move httpd_t to a permissive domain. This gives Nginx the necessary access and we can continue with the debugging work.

sudo semanage permissive -a httpd_t

So, if you have managed to keep SELinux protected (you really should not leave an SELinux project in restricted mode) and the permissive domains are loaded, you need to figure out what exactly needs to be labelled as gunicorn_exec_t for everything to work properly again. Let's try to visit the website to see new messages about access denials.

sudo ausearch -m AVC -c gunicorn

You will see many messages with 'comm="gunicorn"' doing various things with files in /srv/djangoapp, so it is obvious that this is one of the commands that should be labelled.

But in addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the status of the gunicorn service or run the ps command, you will not see any running processes. It looks like gunicorn is trying to access the Python interpreter in our virtualenv environment, possibly to run the worker scripts. So now let's label these two executable files and check whether we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service needs to be restarted before the new label is picked up. You can restart it immediately, or stop the service and let the socket start it when you open the site in the browser. Make sure that the processes have received the correct labels using ps.

ps -efZ | grep gunicorn

Don't forget to create a proper SELinux policy later!

If you look at the AVC messages now, the latest messages have permissive=1 for everything related to the application, and permissive=0 for the rest of the system. Once you understand what kind of access the real application needs, you can quickly find the best way to solve such problems. But until then, it is best to keep the system secure and get a clear, usable audit trail for the Django project.

sudo ausearch -m AVC
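As an added example (not from the original article, nor part of any Red Hat tool), the following shell helper summarizes the output of ausearch -m AVC by source domain type, target class, permission and the permissive flag, so that the permissive=1 records belonging to the application can be separated at a glance from the permissive=0 records that SELinux actually enforced on the rest of the system. It assumes the two denial records quoted in this article plus one constructed record for gunicorn_t as sample input.

```shell
#!/bin/sh
# Added example (not from the original article): summarize SELinux AVC
# denials as `ausearch -m AVC` prints them, grouped by source domain type,
# target class, permission and whether the domain was permissive.
# permissive=0 lines are the denials SELinux actually enforced.

# Constructed sample input: the two denials quoted in the article plus one
# constructed record for a gunicorn_t process running as a permissive domain.
AVC_SAMPLE='type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied { read } for pid=20800 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1'

# avc_summary TEXT: one line per distinct (source type, class, permission,
# permissive flag), prefixed with the number of records that matched it.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perm = ""; scon = ""; tclass = "?"; permissive = "?"
            # The permission set sits between the braces: denied { write }
            if (match($0, /denied *[{][^}]*[}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/denied *[{] */, "", perm); sub(/ *[}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")   scon = kv[2]
                if (kv[1] == "tclass")     tclass = kv[2]
                if (kv[1] == "permissive") permissive = kv[2]
            }
            # Keep only the type component (user:role:TYPE:level) of the context.
            n = split(scon, c, ":"); stype = (n >= 3) ? c[3] : scon
            count[stype " " tclass " " perm " permissive=" permissive]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# avc_enforced TEXT: only the denials that were really blocked (permissive=0).
avc_enforced() {
    avc_summary "$1" | grep 'permissive=0$'
}

avc_summary "$AVC_SAMPLE"
```

On a live system, pipe the real records in with `avc_summary "$(sudo ausearch -m AVC -i 0 2>/dev/null)"` or simply `avc_summary "$(sudo ausearch -m AVC)"`; any line that still shows permissive=0 for httpd_t or gunicorn_t after the steps above is a label or policy gap that the permissive domains have not yet covered.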

It worked!

A working Django project has appeared with a frontend based on Nginx and the Gunicorn WSGI server. We configured Python 3 and PostgreSQL 10 from the RHEL 8 Beta repositories. Now you can move on to building (or simply deploying) Django applications, or explore the other tools available in RHEL 8 Beta to automate the configuration process, improve performance, or even containerize this setup.

Source: www.habr.com
