RHEL 8 Beta workshop: building working web applications

RHEL 8 Beta gives developers a lot of new features, and the list of them could fill several pages; however, new things are always easier to learn in practice, so below we offer a workshop on actually building application infrastructure on Red Hat Enterprise Linux 8 Beta.


As a base we'll take Python, a programming language popular among developers, together with Django and PostgreSQL, a fairly common combination for building applications, and configure RHEL 8 Beta to work with them. Then we'll add a few more (not so obvious) pieces.

The test environment will change over time, because it's interesting to explore the possibilities for automation, working with containers, and environments with multiple servers. To get started on a new project, you can begin by building a small, simple prototype by hand so that you can see exactly what needs to happen and how the parts interact, and then move on to automation and more complex configurations. Today we're talking about building such a prototype.

Let's start by deploying a RHEL 8 Beta VM image. You can install the virtual machine from scratch, or use the KVM guest image available with your Beta subscription. When using the guest image you'll need to configure a virtual CD that contains the metadata and user data for cloud initialization (cloud-init). Nothing special is needed in the disk layout or the set of installed packages; any configuration will do.

Let's take a closer look at the whole process.

Installing Django

For the latest version of Django you'll need a virtual environment (virtualenv) with Python 3.5 or later. The Beta release notes say that Python 3.6 is available; let's check that this is actually the case:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat actively uses Python as a system tool in RHEL, so why does this happen?

The thing is that many Python developers are still contemplating the transition from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. So, to satisfy the need for stable system tools while still giving users access to newer Python versions, the system Python was moved into a new package, and the ability to install both Python 2.7 and 3.6 was provided. More details on the changes and why they were made can be found in Langdon White's blog post.

So, to get a working Python you only need to install two packages, with python3-pip pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not use direct module invocations, as Langdon suggests, and install pip3? Keeping the upcoming automation in mind, it's known that Ansible will require pip to be installed in order to work, since its pip module doesn't support virtualenvs with a custom pip executable.

With a working python3 interpreter at your disposal, you can continue with the Django installation and end up with a working setup together with our other components. There are plenty of deployment options on the Internet. One variant is presented here, but readers can use their own.

We'll install the PostgreSQL and Nginx versions available in RHEL 8 using Yum.

sudo yum install nginx postgresql-server

PostgreSQL will need psycopg2, but it only has to be available inside the virtualenv, so we'll install it with pip3 together with Django and Gunicorn. But first we need to create the virtualenv.

There is always plenty of debate about the right place to install Django projects, but when in doubt you can always turn to the Linux Filesystem Hierarchy Standard. In particular, the FHS describes /srv as the place to "store host-specific data: data that the system serves, such as web server data and scripts, data stored by FTP servers, and system repositories" (paraphrased from FHS-2.3, 2004).

This is exactly our case, so we put everything we need in /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL for Django is simple: create a database, create a user, configure permissions. One thing to remember when installing PostgreSQL for the first time is the postgresql-setup script that ships with the postgresql-server package. This script helps you perform basic tasks related to database cluster administration, such as initializing the cluster or upgrading it. To set up a new PostgreSQL instance on a RHEL system, we need to run the command:

sudo /usr/bin/postgresql-setup --initdb

Now you can start PostgreSQL via systemd, create the database, and set up the project in Django. Remember to reload PostgreSQL after editing the client authentication file (usually pg_hba.conf) to enable password authentication for the application user. If you run into problems, check the IPv4 and IPv6 entries in pg_hba.conf. The password used below is a throwaway value for the prototype; pick a real one for anything else.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf. Since Gunicorn and PostgreSQL share the host, the IPv4 rule only needs to cover the loopback address; an address of 0.0.0.0/0 here would accept password logins from any IPv4 client that can reach port 5432, which is much more than "local connections":

# IPv4 local connections:
host    all        all 127.0.0.1/32            md5
# IPv6 local connections:
host    all        all ::1/128                 md5
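The difference between the two IPv4 rules is easy to miss in a file full of near-identical lines. As an added example (not code from the original article or from PostgreSQL), here is a small auditor that parses pg_hba.conf host rules and flags address ranges wider than loopback and methods that skip or weaken authentication; the sample file it runs on is constructed and includes the original 0.0.0.0/0 rule plus a made-up "trust" rule.

```python
"""Audit pg_hba.conf host rules for address ranges that are wider than the
deployment needs and for authentication methods that skip or weaken password
checks. Added example for this article, not code from the original page or
from PostgreSQL; the sample file below is constructed."""
import ipaddress

# Constructed sample. Line 4 is the IPv4 rule as originally written in the
# article (any IPv4 client), line 6 is the IPv6 loopback rule, line 7 is a
# made-up "trust" rule that skips authentication entirely.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE   USER        ADDRESS         METHOD
local   all        all                         peer
# IPv4 local connections:
host    all        all         0.0.0.0/0       md5
# IPv6 local connections:
host    all        all         ::1/128         md5
host    djangoapp  djangouser  10.0.0.0/8      trust
"""

# The rule the article's setup actually needs: Gunicorn and PostgreSQL share
# the host, so only the IPv4 loopback address has to be allowed.
FIXED_IPV4_RULE = "host    all        all         127.0.0.1/32    md5\n"

WEAK_METHODS = {"trust", "password"}   # no authentication / cleartext password


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per rule line; comments and blank lines are skipped.
    'network' is an ip_network for CIDR or address+netmask forms, None for
    'local' rules and keyword addresses such as 'all' or 'samehost'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rule = {"lineno": lineno, "type": fields[0], "database": fields[1],
                "user": fields[2], "network": None}
        rest = fields[3:]
        if fields[0] != "local":
            address, rest = rest[0], rest[1:]
            if rest and _is_ip(rest[0]):           # "ADDRESS NETMASK" column form
                address, rest = f"{address}/{rest[0]}", rest[1:]
            try:
                rule["network"] = ipaddress.ip_network(address, strict=False)
            except ValueError:
                pass                               # keyword or host name
        rule["method"] = rest[0]                   # auth options after it are ignored
        rules.append(rule)
    return rules


def audit_pg_hba(text):
    """Return (lineno, reason) findings for rules worth a second look."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule["method"] in WEAK_METHODS:
            findings.append((rule["lineno"], f"weak auth method {rule['method']!r}"))
        net = rule["network"]
        if net is None:
            continue
        if net.prefixlen == 0:
            findings.append((rule["lineno"], f"{net} matches every address"))
        elif not net.is_loopback:
            findings.append((rule["lineno"], f"admits remote clients from {net}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno}: {reason}")
```

The "remote clients" finding is informational: a rule for a real application server on another host is legitimate, but it should then use a host address or small range rather than a /0, and PostgreSQL 10 also offers scram-sha-256 in place of md5 for such rules.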

In the file /srv/djangoapp/djangoapp/settings.py (startproject places the project package one level below the directory we gave it):

# Database
# The {{ ... }} values are template placeholders (Ansible style, for the
# upcoming automation); fill in real values or environment lookups here.
DATABASES = {
   'default': {
       'ENGINE': 'django.db.backends.postgresql_psycopg2',  # legacy alias of django.db.backends.postgresql
       'NAME': '{{ db_name }}',
       'USER': '{{ db_user }}',
       'PASSWORD': '{{ db_password }}',
       'HOST': '{{ db_host }}',
   }
}

# Nginx (below) forwards the original Host header, so the server_name used
# there must be allowed here or Django answers 400 Bad Request.
ALLOWED_HOSTS = ['8beta1.example.com', 'localhost', '127.0.0.1']
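The placeholders above leave open where the real credentials come from. As an added example, not code from the original article or from Django, here is a settings helper that reads them from the environment, refuses to start with anything missing, and requires TLS as soon as the database is not on the same host. The DJANGO_DB_* variable names are an assumption, as is passing them to the service through an EnvironmentFile= line in the gunicorn.service unit.

```python
"""Build Django's DATABASES setting from environment variables rather than
writing the password into settings.py under /srv. Added example for this
article, not code from the original page or from Django. The DJANGO_DB_*
names are an assumption; so is delivering them via a root-owned file
referenced by EnvironmentFile= in the gunicorn.service unit."""
import os

REQUIRED = ("DJANGO_DB_NAME", "DJANGO_DB_USER", "DJANGO_DB_PASSWORD")
# Empty HOST means a UNIX socket; the rest stay on the machine.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def database_settings(env=None):
    """Return a Django DATABASES dict built from env (defaults to os.environ).

    Raises RuntimeError if a credential is missing, so a misconfigured
    deployment fails at startup instead of connecting with empty values.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing database settings: " + ", ".join(missing))

    # Default matches the pg_hba.conf loopback rule used in this setup.
    host = env.get("DJANGO_DB_HOST", "127.0.0.1")
    options = {}
    if host not in LOCAL_HOSTS:
        # Credentials leave the box: insist on TLS to the server. psycopg2
        # accepts sslmode as a connection keyword, which is what OPTIONS is.
        options["sslmode"] = env.get("DJANGO_DB_SSLMODE", "require")

    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": env["DJANGO_DB_NAME"],
            "USER": env["DJANGO_DB_USER"],
            "PASSWORD": env["DJANGO_DB_PASSWORD"],
            "HOST": host,
            "PORT": env.get("DJANGO_DB_PORT", "5432"),
            "OPTIONS": options,
        }
    }


def redacted(settings):
    """Copy of a DATABASES dict safe to log: password replaced, nothing else changed."""
    safe = {alias: dict(cfg) for alias, cfg in settings.items()}
    for cfg in safe.values():
        if cfg.get("PASSWORD"):
            cfg["PASSWORD"] = "********"
    return safe


# In settings.py:
#     DATABASES = database_settings()
```

With this in place the variables live in a file readable only by root and the service, not in the project tree that the application user owns, and the HOST default keeps the connection on loopback in line with the pg_hba.conf rule above.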

After fixing settings.py in the project and creating the database configuration, you can start the development server to verify that everything works. The development server is for testing only: binding it to 0.0.0.0 exposes it on every interface of the VM. Once it's running, it's a good idea to create an admin user to check the database connection, which requires the auth tables to exist first.

./manage.py migrate
./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? Wai?

The development server is useful for testing, but to run the application you have to configure a suitable server and a proxy for the Web Server Gateway Interface (WSGI). There are several common combinations, for example Apache HTTPD with uWSGI, or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to pass requests from the web server to a Python web framework. WSGI is a relic of the grim past when CGI engines were around, and today it is the de facto standard regardless of which web server or Python framework is used. But despite its wide use, there are still many nuances when working with these frameworks, and many choices. In this case we'll try to set up the interaction between Gunicorn and Nginx over a socket.

Since both components are installed on the same server, let's use a UNIX socket instead of a network socket. Since communication needs a socket in any case, let's go one step further and configure socket activation for Gunicorn via systemd.

Creating socket-activated services is quite simple. First, a socket unit file is created with a ListenStream directive pointing to where the UNIX socket will be created; then a unit file for the service, whose Requires directive points to the socket unit. After that, all that's left in the service unit file is to call Gunicorn from the virtual environment and create a WSGI binding between the UNIX socket and the Django application.

Here are example unit files that you can use as a basis. First we create the socket, /etc/systemd/system/gunicorn.socket.

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now you need to configure the Gunicorn daemon, /etc/systemd/system/gunicorn.service. Under socket activation Gunicorn picks up the listening socket that systemd hands it, so --bind only matters when the service is started without the socket unit; it is set to the same path so that both cases agree.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn \
         --access-logfile - \
         --workers 3 \
         --bind unix:/run/gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target

For Nginx it's a simple matter of creating the proxy configuration and setting up a directory for static content if you use it. On RHEL, Nginx configuration files live in /etc/nginx/conf.d. You can copy the following example into /etc/nginx/conf.d/default.conf and start the service. Make sure you set server_name to match your host name.

server {
   listen 80;
   server_name 8beta1.example.com;

   location = /favicon.ico { access_log off; log_not_found off; }
   location /static/ {
       root /srv/djangoapp;
   }

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/run/gunicorn.sock;
   }
}

Start the Gunicorn socket and Nginx via systemd, and you're ready to begin testing.

Bad Gateway error?

If you enter the address in your browser, you'll most likely get a 502 Bad Gateway error. It may be caused by incorrectly configured permissions on the UNIX socket, or it may be due to more involved access-control issues in SELinux.

In the nginx error log you can see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we try Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock http://8beta1.example.com/

Let's see why this happens. If you open the audit log, you'll see that the problem is SELinux-related. Since we're running a daemon for which no policy has been written, it is labeled init_t. Let's test this theory in practice.

sudo setenforce 0

All this may provoke criticism and bloody tears, but this is just prototyping. We disable enforcement only to confirm that this is the problem, after which we'll put everything back in place.

By refreshing the page in the browser or re-running our curl command, you can see the Django test page.

So, having made sure that everything works and there are no more permission problems, we turn SELinux enforcement back on.

sudo setenforce 1

I won't talk about audit2allow or creating policies from alerts with sepolgen here, since there is no real Django application yet, so there is no complete map of what Gunicorn should be able to access and what it should be denied. Therefore it's necessary to keep SELinux enforcing to protect the system, while at the same time letting the application run and leaving messages in the audit log so that a real policy can be built from them.

Defining permissive domains

Not everyone has heard of permissive domains in SELinux, but they're nothing new. Many have even worked with them without realizing it. When a policy is generated from audit messages, the resulting policy is a permissive domain. Let's try to create a simple permissive policy.

To create a dedicated permissive domain for Gunicorn, you need some kind of policy, and you also need to label the right files. In addition, tools are needed to build new policies.

sudo yum install selinux-policy-devel

The permissive domain mechanism is a good tool for isolating problems, especially when it comes to a custom application or one shipped without a ready-made policy. In this case the permissive-domain policy for Gunicorn will be as simple as possible: declare a base type (gunicorn_t), declare a type we'll use to label several executables (gunicorn_exec_t), and then set up a domain transition so that running processes are labeled correctly. The last line marks the domain as permissive at the time the policy is loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile this policy file and load it into your system. The semanage permissive line below is belt and braces, since the module itself already declares the domain permissive; semodule -l then shows the permissive_gunicorn_t module it generated.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking anything other than what our unknown daemon is accessing.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux prevents Nginx from writing to the UNIX socket used by Gunicorn. Usually in such cases the policy starts getting modified, but there are other problems ahead. You can also switch a domain from enforcing to permissive. So let's move httpd_t to permissive. This gives Nginx the access it needs and we can carry on with the rest of the debugging.

sudo semanage permissive -a httpd_t

So, once you've managed to keep SELinux enforcing (you really shouldn't leave a project with SELinux in permissive mode) and the permissive domains are configured, you need to find out exactly what should be labeled gunicorn_exec_t to get everything working properly again. Let's try visiting the site to see new messages about access restrictions.

sudo ausearch -m AVC -c gunicorn

You'll see many messages with 'comm="gunicorn"' doing various things to files in /srv/djangoapp, so this is obviously one of the executables that needs labeling.

But in addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the gunicorn service status or run ps, you won't see any running processes. It looks like gunicorn is trying to run the Python interpreter from our virtualenv, probably to start the worker processes. So let's label these two executables and check whether we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service has to be restarted before the new label is picked up. You can restart it right away, or stop the service and let the socket start it when you open the site in a browser. Keep in mind that chcon only changes the label on the inode: a relabel (restorecon, or a full relabel on boot) restores the default from the file-context database, so once the labels are settled record them with semanage fcontext -a -t gunicorn_exec_t '/srv/djangoapp/django/bin/(gunicorn|python3\.6)' and apply them with restorecon -v on those files. Verify that the processes have received the correct labels using ps.

ps -efZ | grep gunicorn

Don't forget to write a proper SELinux policy later!

If you look at the AVC messages now, the latest ones have permissive=1 for everything related to the application, and permissive=0 for the rest of the system. Once you understand what access the real application actually needs, you can quickly find the best way to resolve such problems. But until then, it's better to keep the system secure and obtain a clear, usable audit trail of the Django project.

sudo ausearch -m AVC
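Reading raw ausearch output by eye gets tedious once the permissive domain starts logging everything the application touches. The following is an added example (not code from the original article or from the SELinux tools) that parses AVC lines into records, separates the denials that actually blocked an access (permissive=0) from those only logged by a permissive domain (permissive=1), and prints the allow rule each blocked access would need, which is the mapping audit2allow performs. The first two sample lines are the denials shown above; the third is constructed.

```python
"""Parse SELinux AVC denials (the output of `ausearch -m AVC`) into records and
separate those that actually blocked an access (permissive=0) from those that
were only logged because the source domain is permissive (permissive=1).
Added example for this article, not code from the original page or from the
SELinux tools; the third sample line below is constructed."""
import re
from collections import defaultdict

# Constructed sample: the first two lines are the denials shown in the article,
# the third is a made-up denial from the permissive gunicorn_t domain.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1545315977.237:1273): avc:  denied  { write } for  pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied  { execute } for  pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied  { read open } for  pid=20900 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

_PERMS = re.compile(r"denied\s+\{([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC denial."""
    m = _PERMS.search(line)
    if "type=AVC" not in line or not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "comm": fields["comm"],
        "pid": int(fields["pid"]),
        "sdomain": _ctx_type(fields["scontext"]),
        "ttype": _ctx_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("name", ""),
        # permissive=1 means the access went through and was only logged
        "permissive": fields.get("permissive") == "1",
    }


def parse_avc_log(text):
    records = [parse_avc(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def blocked(records):
    """Denials that were enforced, i.e. the ones that actually break the app."""
    return [r for r in records if not r["permissive"]]


def by_domain(records):
    """Map source domain -> set of 'tclass:perm' strings it was denied."""
    out = defaultdict(set)
    for r in records:
        for p in r["perms"]:
            out[r["sdomain"]].add(f"{r['tclass']}:{p}")
    return dict(out)


def allow_rule(record):
    """The policy statement that would permit exactly this access (what
    audit2allow derives from a denial); review it before shipping it."""
    perms = " ".join(sorted(record["perms"]))
    return f"allow {record['sdomain']} {record['ttype']}:{record['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC_LOG)
    for r in blocked(recs):
        print(f"BLOCKED pid={r['pid']} {r['comm']} -> {r['target']}: {allow_rule(r)}")
    for domain, accesses in sorted(by_domain(recs).items()):
        print(f"{domain}: {', '.join(sorted(accesses))}")
```

Run against a real ausearch dump, by_domain gives the per-domain access map the text says is still missing; the allow_rule output is a starting point for the eventual policy, not something to load blindly, since a rule such as allowing httpd_t to write var_run_t sock_files is far broader than "nginx may talk to gunicorn's socket".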

It worked!

A working Django project has emerged, fronted by Nginx and Gunicorn as the WSGI server. We configured Python 3 and PostgreSQL 10 from the RHEL 8 Beta repositories. Now you can move on and build (or simply deploy) Django applications, or explore other tools available in RHEL 8 Beta to automate the configuration process, improve performance, or containerize this setup.

Source: www.habr.com
