RHEL 8 Beta Workshop: Building Working Web Applications

RHEL 8 Beta gives developers many new features, a list of which could fill pages, but new things are always better learned in practice, so below we offer a workshop on actually building an application infrastructure on Red Hat Enterprise Linux 8 Beta.


Let's take Python, a programming language popular among developers, as our basis, together with Django and PostgreSQL, a fairly common combination for building applications, and configure RHEL 8 Beta to work with them. Then we'll add a few more pieces (not spelled out yet).

The test environment will change over time, because it is interesting to explore automation options, working with containers, and testing a multi-server environment. To start a new project, you can begin by building a small, simple prototype by hand so that you see exactly what has to happen and how the pieces interact, then move on to automation and build a more complex configuration. Today we are talking about building that prototype.

Let's start by deploying the RHEL 8 Beta VM image. You can install a virtual machine from scratch, or use the KVM guest image available with your Beta subscription. When using the guest image, you will need to set up a virtual CD containing the metadata and user data for cloud-init. You don't need to do anything special with the disk layout or the available packages; any configuration will do.

Let's look at the whole process in more detail.

Installing Django

The latest version of Django requires a virtual environment (virtualenv) with Python 3.5 or later. The Beta release notes say that Python 3.6 is available; let's check whether that is true:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat actively uses Python as a system tool within RHEL, so why this result?

The fact is that many Python developers are still considering the migration from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. Therefore, to meet the need for stable system tools while giving users access to new Python versions, the system Python was moved into a new package, and the ability to install both Python 2.7 and 3.6 was provided. More information about the changes and why they were made can be found in the post on Langdon White's blog.

So, to get a working Python, you only need to install two packages, with python3-pip pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not use direct module calls as Langdon suggests and install pip3 that way? Keeping the upcoming automation in mind: Ansible will need pip installed in order to work, since its pip module does not support virtualenvs with a custom pip executable.

With a working python3 interpreter in hand, you can continue with the Django installation and get a working system together with our other components. There are many implementation options available on the Internet. One version is presented here, but users can use their own approach.

We'll install the versions of PostgreSQL and Nginx available in RHEL 8 using Yum.

sudo yum install nginx postgresql-server

PostgreSQL will need psycopg2, but it only needs to be available inside the virtualenv, so we'll install it with pip3 together with Django and Gunicorn. But first we need to create the virtualenv.

There is always a lot of debate about the right place to install Django projects, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. Specifically, the FHS says /srv is for "site-specific data which is served by this system, such as data and scripts for web servers, data offered by FTP servers, and repositories for version control systems" (from FHS 2.3, 2004).

This is exactly our case, so we put everything we need under /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL and Django is simple: create a database, create a user, configure permissions. One thing to keep in mind when installing PostgreSQL for the first time is the postgresql-setup script installed with the postgresql-server package. This script helps you perform basic tasks related to managing the database cluster, such as initializing the cluster or running an upgrade. To set up a new PostgreSQL instance on a RHEL system, we need to run the command:

sudo /usr/bin/postgresql-setup --initdb

You can then start PostgreSQL using systemd, create a database, and create a project in Django. Remember to restart PostgreSQL after changing the client authentication configuration file (usually pg_hba.conf) to set up password authentication for the application user. If you run into other problems, make sure to change the IPv4 and IPv6 settings in the pg_hba.conf file.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5

In the file /srv/djangoapp/settings.py:

# Database
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': '{{ db_name }}',
        'USER': '{{ db_user }}',
        'PASSWORD': '{{ db_password }}',
        'HOST': '{{ db_host }}',
    }
}

After editing the project's settings.py file and configuring the database settings, you can start the development server to make sure everything works. After starting the development server, it is a good idea to create an admin user to test the database connection.

./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? What's that?

The development server is useful for testing, but to run the application you need to set up a proper web server and a Web Server Gateway Interface (WSGI) proxy. There are several common combinations, for example Apache HTTPD with uWSGI, or Nginx with Gunicorn.

The job of a Web Server Gateway Interface server is to forward requests from the web server to a Python web framework. WSGI dates back to the bad old days when CGI engines were around, and today WSGI is the de facto standard regardless of the web server or Python framework used. But despite its widespread use, there are still many nuances when working with these frameworks, and many choices. In this case, we'll try to set up the interaction between Gunicorn and Nginx through a socket.

Since both components are installed on the same server, let's try using a UNIX socket instead of a network socket. Since communication requires a socket in any case, let's try to go one step further and configure socket activation for Gunicorn via systemd.

Creating socket-activated services is quite simple. First, a unit file is created containing the ListenStream directive, which specifies where the UNIX socket will be created; then a service unit file whose Requires directive points to the socket unit. After that, all that remains in the service unit file is to call Gunicorn from the virtual environment and create a WSGI binding between the UNIX socket and the Django application.

Here are example unit files you can use as a basis. First we set up the socket.

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now you need to configure the Gunicorn daemon.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn \
          --access-logfile - \
          --workers 3 \
          --bind unix:gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target

For Nginx, it is a simple matter of creating the proxy configuration and setting up a directory for static content if you use one. In RHEL, the Nginx configuration files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Make sure to set server_name to match your host name.

server {
    listen 80;
    server_name 8beta1.example.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /srv/djangoapp;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

Start the Gunicorn socket and Nginx using systemd, and you are ready to start testing.

Bad Gateway error?

If you enter the address in your browser, you will most likely get a 502 Bad Gateway error. This may be caused by incorrectly configured UNIX socket permissions, or it may be due to more complex issues related to SELinux access control.

In the nginx error log you can see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we test Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock 8beta1.example.com

Let's figure out why this happens. If you open the log, you will most likely see that the problem is related to SELinux. Since we are running a daemon for which no policy has been created, it is labeled init_t. Let's test this theory in practice.

sudo setenforce 0

All of this may cause groans and bloody tears, but this is only prototype debugging. Let's disable the check to make sure this is the problem, and then we will put everything back in place.

If you refresh the browser page or re-run the curl command, you can see the Django test page.

So, having verified that everything works and there are no other permission problems, we enable SELinux again.

sudo setenforce 1

I won't talk about audit2allow or generating policies from audit messages with sepolgen here, since there is no real Django application at this point, and therefore no complete map of what Gunicorn might need to access and what it should be denied. So we need to keep SELinux running to protect the system, while still allowing the application to run and leave messages in the audit log so that the real policy can later be built from them.

Declaring permissive domains

Not everyone has heard of SELinux permissive domains, but they are nothing new. Many have even worked with them without realizing it. When a policy is generated from audit messages, the resulting policy is a permissive domain. Let's try creating a simple permissive policy.

To create a dedicated permissive domain for Gunicorn, you need some kind of policy, and you also need to label the appropriate files. In addition, tools are needed to build new policies.

sudo yum install selinux-policy-devel

The permissive domain mechanism is a great tool for identifying problems, especially with a custom application or with applications that ship without pre-built policies. In this case, the permissive domain policy for Gunicorn will be as simple as possible: declare the main type (gunicorn_t), declare the type we will use to label a few executables (gunicorn_exec_t), and then set up a domain transition so that the running processes get the correct label. The last line makes the domain permissive by default when the policy is loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile the policy file and add it to your system.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's see whether SELinux is blocking anything other than what our unknown daemon accesses.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux prevents Nginx from writing to the UNIX socket used by Gunicorn. Normally this is where you would start changing the policy, but there are other challenges ahead. You can also switch a domain from confined to permissive. So let's move httpd_t into a permissive domain. This gives Nginx the access it needs, and we can continue working on the remaining errors.

sudo semanage permissive -a httpd_t

So, once you have kept SELinux enforcing (you really shouldn't leave a project with SELinux in permissive mode) and the permissive domains are loaded, you need to figure out exactly what has to be labeled gunicorn_exec_t to get everything working correctly again. Let's try visiting the site to see new messages about access denials.

sudo ausearch -m AVC -c gunicorn

You will see many messages containing comm="gunicorn" doing various things to files under /srv/djangoapp, so this is clearly one of the commands worth labeling.

But in addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the status of the gunicorn service or run ps, you won't see any running processes. It looks like gunicorn is trying to execute the Python interpreter from our virtualenv, probably to start its worker processes. So let's label these two executables and check whether we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service has to be restarted before the new label takes effect. You can restart it right away, or stop the service and let the socket start it again when you open the site in the browser. Verify that the processes have received the correct labels using ps.

ps -efZ | grep gunicorn

Don't forget to create a proper SELinux policy later!

If you look at the AVC messages now, the most recent ones contain permissive=1 for everything related to the application, and permissive=0 for the rest of the system. Once you understand what access the real application actually needs, you can quickly find the best way to solve such problems. But until then, it is good to keep the system protected and to get a clear, usable audit trail of the Django project.

sudo ausearch -m AVC
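As an added example (not from the article), here is a POSIX shell helper that does the AVC triage performed by hand in the two ausearch passes above: it reduces each record to the fields that matter (source domain, target type, class, permissions, permissive flag) and separates denials that were actually enforced from those merely recorded by a permissive domain. The sample records are the two quoted in the article plus one constructed permissive=1 record; the function names are my own.

```shell
# Constructed sample input: the two AVC records quoted in the article plus one
# constructed record (permissive=1) of the kind the gunicorn_t permissive
# domain produces once it is loaded.
AVC_SAMPLE='type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied { read open } for pid=20900 comm="gunicorn" name="settings.py" dev="vda3" ino=8515900 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1'

# One line per denial read from stdin: permissive flag, source type, target
# type, object class, requested permissions, and the command that caused it.
# On a live system: sudo ausearch -m AVC --raw | avc_summary
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied [{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/ /, ",", perms)
        src = "?"; tgt = "?"; cls = "?"; mode = "?"; comm = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")        { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")     cls = kv[2]
            else if (kv[1] == "permissive") mode = kv[2]
            else if (kv[1] == "comm")       { comm = kv[2]; gsub(/"/, "", comm) }
        }
        printf "permissive=%s %s %s %s %s %s\n", mode, src, tgt, cls, perms, comm
    }'
}

# Denials that were actually enforced (permissive=0): these break the
# application right now, like the nginx write to gunicorn.sock above.
avc_enforced() { avc_summary | grep '^permissive=0 '; }

# Denials only recorded by a permissive domain (permissive=1): nothing was
# blocked, but each one is a rule the eventual real policy has to cover.
avc_permissive_only() { avc_summary | grep '^permissive=1 '; }

# Source domains that produced denials: the domains still waiting for a
# policy or a label fix.
avc_source_types() { avc_summary | awk '{ print $2 }' | sort -u; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```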

Done!

We now have a working Django project with a front end based on Nginx and the Gunicorn WSGI server. We have configured Python 3 and PostgreSQL 10 on RHEL 8 Beta. Now you can move on and build (or simply deploy) Django applications, or explore the other tools available in RHEL 8 Beta to automate the configuration process, improve performance, or even containerize this setup.

Source: www.habr.com
