RHEL 8 Beta workshop: Building a working web application

RHEL 8 Beta gives developers many new features, a list of which could fill pages; still, new things are always best learned by doing, so below we offer a workshop on building an application stack on Red Hat Enterprise Linux 8 Beta.

Let's take Python, a programming language popular with developers, as the base, together with the Django plus PostgreSQL combination, a common stack for building applications, and configure RHEL 8 Beta to work with it. Then we'll add a couple of additional components (in no particular order).

The test environment will change over time, because it's interesting to explore the possibilities of automation, working with containers, and trying multi-server configurations. When starting a new project, you can begin by building a small, simple prototype by hand so you can see exactly what needs to happen and how the pieces fit together, and then move on to automating it and building a more complex configuration. Today we're talking about building such a prototype.

Let's start by deploying an RHEL 8 Beta VM image. You can install a virtual machine from scratch, or use the KVM guest image available with your Beta subscription. When using the guest image, you'll need to configure a virtual CD containing the metadata and user data for cloud initialization (cloud-init). You don't need to do anything special with the disk layout or the installed packages; any configuration will do.

Let's walk through the whole process.

Installing Django

For the latest version of Django you'll need a virtual environment (virtualenv) and Python 3.5 or later. The Beta notes say Python 3.6 is available; let's check whether that's really so:

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

Red Hat uses Python as a system tool in RHEL, so why does this happen?

The fact is that many Python developers are still considering the transition from Python 2 to Python 3, while Python 3 itself is under active development and new versions keep appearing. So, to meet the need for stable system tools while giving users access to the various newer Python versions, the system Python was moved into a new package and the ability to install both Python 2.7 and 3.6 was provided. More information about the change and why it was made can be found in Langdon White's blog post.

So, to get a working Python, you only need to install two packages, with python3-pip pulled in as a dependency.

sudo yum install python36 python3-virtualenv

Why not use the module calls directly, as Langdon suggests, and install pip3? Keeping the upcoming automation in mind, it's known that Ansible will need pip installed in order to run, because its pip module doesn't support virtualenvs with a custom pip executable.

With a working python3 interpreter in hand, you can proceed with installing Django and have a working system alongside our other components. There are many ways to do this available on the Internet. One version is shown here, but users may use their own processes.

We'll install the PostgreSQL and Nginx versions available in RHEL 8 by default using Yum.

sudo yum install nginx postgresql-server

PostgreSQL will need psycopg2, but it only needs to be available in the virtual environment, so we'll install it with pip3 together with Django and Gunicorn. But first we need to set up the virtualenv.

There's always plenty of debate about where to install Django projects, but when in doubt you can always fall back on the Linux Filesystem Hierarchy Standard. Specifically, the FHS says /srv is used for: "site-specific data which is served by this system, such as data and scripts for web servers, data offered by FTP servers, and repositories for version control systems" (quoted from FHS 2.3, 2004).

That's exactly our case, so we put everything we need in /srv, owned by our application user (cloud-user).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
django-admin startproject djangoapp /srv/djangoapp

Setting up PostgreSQL with Django is simple: create a database, create a user, set permissions. One thing to keep in mind when installing PostgreSQL for the first time is the postgresql-setup script installed with the postgresql-server package. This script helps you perform basic tasks related to database cluster administration, such as initializing the cluster or the upgrade process. To configure a new PostgreSQL instance on a RHEL system, we need to run the command:

sudo /usr/bin/postgresql-setup --initdb

After that you can start PostgreSQL using systemd, create the database, and set up the project in Django. Remember to restart PostgreSQL after making changes to the client authentication configuration file (usually pg_hba.conf) to configure password authentication for the application user. If you run into other difficulties, be sure to change the IPv4 and IPv6 settings in the pg_hba.conf file.

sudo systemctl enable --now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# \q

In the file /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5

In the file /srv/djangoapp/settings.py:

# Database
DATABASES = {
   'default': {
       'ENGINE': 'django.db.backends.postgresql_psycopg2',
       'NAME': '{{ db_name }}',
       'USER': '{{ db_user }}',
       'PASSWORD': '{{ db_password }}',
       'HOST': '{{ db_host }}',
   }
}

After configuring the project's settings.py file and setting up the database configuration, you can start the development server to make sure everything works. After starting the development server, it's a good idea to create an admin user to test the database connection.

./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

WSGI? What?

The development server is useful for testing, but to run the application you need to configure a proper server and a Web Server Gateway Interface (WSGI) proxy. There are several common combinations, for example Apache HTTPD with uWSGI or Nginx with Gunicorn.

The job of the Web Server Gateway Interface is to pass requests from the web server to the Python web framework. WSGI is a dreadful relic of the days when CGI engines were everywhere, and today WSGI is the de facto standard regardless of the web server or Python framework used. But despite its widespread use, there are still many nuances when working with these frameworks, and many choices. In this case, we'll try to set up the interaction between Gunicorn and Nginx over a socket.

Since both components are installed on the same server, let's try using a UNIX socket instead of a network socket. Since communication requires a socket in any case, let's take it one step further and configure socket activation for Gunicorn via systemd.

The process of creating socket-activated services is quite simple. First, a socket unit file is created containing a ListenStream directive pointing to the location where the UNIX socket will be created, then a service unit file whose Requires directive points to the socket unit. Then, in the service unit file, all that remains is to call Gunicorn from the virtual environment and create a WSGI binding between the UNIX socket and the Django application.

Here are some example unit files you can use as a basis. First we set up the socket.

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Now we need to configure the Gunicorn daemon.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn \
         --access-logfile - \
         --workers 3 \
         --bind unix:gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target

For Nginx, it's a simple matter of creating the proxy configuration files and setting up a directory to hold static content if you use one. In RHEL, Nginx configuration files are placed in /etc/nginx/conf.d. You can copy the following example into the file /etc/nginx/conf.d/default.conf and start the service. Be sure to set server_name to match your host name.

server {
   listen 80;
   server_name 8beta1.example.com;

   location = /favicon.ico { access_log off; log_not_found off; }
   location /static/ {
       root /srv/djangoapp;
   }

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/run/gunicorn.sock;
   }
}

Start the Gunicorn socket and Nginx using systemd and you're ready to start testing.

Bad Gateway error?

If you enter the address in your browser, you'll most likely get a 502 Bad Gateway error. It may be caused by incorrect UNIX socket permissions, or it may be due to more complex issues related to access control in SELinux.

In the nginx error log you may see a line like this:

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

If we test Gunicorn directly, we get an empty response.

curl --unix-socket /run/gunicorn.sock 8beta1.example.com
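The curl probe above only tells you that the reply was empty. The Python script below, an added example that is not part of the original post, sends the same GET over a UNIX socket and classifies the outcome a practitioner meets at this step: the socket file is missing (socket unit not started), the connection is refused (a stale socket file with no listener), permission denied (socket file mode or SELinux, as in the nginx log above), an empty reply (the connection was accepted but no worker answered, which is what curl shows here), or a real HTTP status line. The serve_once helper is a constructed stand-in for the Gunicorn side so the script can exercise itself offline; the socket path and host name are assumptions taken from the workshop.

```python
import os
import socket
import sys
import tempfile
import threading

# Assumed host name from the workshop; adjust to your server_name.
HOST = "8beta1.example.com"

# Constructed reply standing in for what a healthy Gunicorn worker returns.
OK_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
               b"Content-Length: 2\r\n\r\nok")


def probe_unix_socket(path, host=HOST, timeout=3.0):
    """Send GET / over the UNIX socket at `path` and classify the outcome.

    Returns one of: "no-socket", "refused", "permission-denied",
    "empty-reply", or "http:<status line>".
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
    except FileNotFoundError:          # socket unit not started: no file yet
        sock.close()
        return "no-socket"
    except ConnectionRefusedError:     # stale socket file, nobody listening
        sock.close()
        return "refused"
    except PermissionError:            # file mode or SELinux (EACCES)
        sock.close()
        return "permission-denied"
    chunks = []
    try:
        request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
        sock.sendall(request)
        while True:                    # read until the peer closes
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except (BrokenPipeError, ConnectionResetError, socket.timeout):
        pass                           # peer went away: treat as no reply
    finally:
        sock.close()
    reply = b"".join(chunks)
    if not reply:
        return "empty-reply"           # accepted, but no worker answered
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return "http:" + status_line


def serve_once(path, reply):
    """Constructed stand-in for Gunicorn: accept one connection on `path`,
    send `reply` (b"" simulates a worker that died) and close."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.recv(4096)        # consume the request, then answer
                conn.sendall(reply)
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread


def demo():
    """Exercise the reproducible outcomes against constructed servers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gunicorn.sock")
        t = serve_once(path, OK_RESPONSE)
        results["healthy"] = probe_unix_socket(path)
        t.join(5)
        os.unlink(path)
        t = serve_once(path, b"")
        results["worker-dead"] = probe_unix_socket(path)
        t.join(5)
        os.unlink(path)
        results["missing"] = probe_unix_socket(path)
    return results


if __name__ == "__main__":
    # With a path argument, probe a real socket (e.g. /run/gunicorn.sock);
    # without one, run the offline demonstration.
    if len(sys.argv) > 1:
        print(probe_unix_socket(sys.argv[1]))
    else:
        for name, outcome in demo().items():
            print(f"{name}: {outcome}")
```

Run it as `python3 probe.py /run/gunicorn.sock` as the same user nginx runs under to separate a permission problem from a dead worker: "permission-denied" points at the socket file's mode or at SELinux, while "empty-reply" means the socket unit handed the connection to Gunicorn but no worker ever answered, the situation the next section diagnoses.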

Let's see why this is happening. If you check the log, you'll see that the problem is related to SELinux. Since we're running a daemon for which no policy has been written, it's labelled init_t. Let's test this theory in practice.

sudo setenforce 0

All this may cause criticism and tears of blood, but this is just debugging a prototype. Let's turn the check off to make sure this is the problem, and then we'll put everything back in place.

By refreshing the page in the browser or re-running our curl command, you can see the Django test page.

So, after verifying that everything works and there are no more permission issues, we turn SELinux back on.

sudo setenforce 1

I'm not going to talk about audit2allow or creating policies from alerts with sepolgen here, since there's no real Django application yet, so there's no complete map of what Gunicorn may need to access and what it should be denied. Therefore, it's necessary to keep SELinux running to protect the system, while at the same time allowing the application to run and leave messages in the audit log so that a real policy can later be created from them.

Defining permissive domains

Not everyone has heard of permissive domains in SELinux, but they're nothing new. Many have even worked with them without realizing it. When a policy is created from audit messages, the created policy represents the resolved domain. Let's try creating a simple permissive policy.

To create a dedicated permissive domain for Gunicorn, you need some kind of policy, and you also need to label the appropriate files. In addition, tools are needed to build new policies.

sudo yum install selinux-policy-devel

The permissive domain mechanism is a great tool for identifying problems, especially when it comes to a custom application or applications shipped without ready-made policies. In this case, the permissive domain policy for Gunicorn will be as simple as possible: declare a main type (gunicorn_t), declare a type we'll use to label several executables (gunicorn_exec_t), and then set up a transition so that running processes are labelled correctly. The last line marks the domain as permissive by default when it's loaded.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

You can compile this policy file and add it to your system.

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Let's check whether SELinux is blocking anything else besides what our unknown daemon accesses.

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

SELinux is preventing Nginx from writing to the UNIX socket used by Gunicorn. Usually in such cases people start changing policies, but there are other challenges ahead. You can also switch a domain's setting from enforcing to permissive. Now let's move httpd_t into a permissive domain. This will give Nginx the access it needs and we can continue the debugging work.

sudo semanage permissive -a httpd_t

So, once you've managed to keep SELinux enabled (you shouldn't leave SELinux in permissive mode for the project) and the permissive domains are loaded, you need to find out exactly what needs to be labelled gunicorn_exec_t for everything to work properly again. Let's try visiting the website to see the new messages about access restrictions.

sudo ausearch -m AVC -c gunicorn

You'll see many messages containing 'comm="gunicorn"' doing various things to files in /srv/djangoapp, so this is clearly one of the commands that needs to be labelled.

But in addition, a message like this appears:

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

If you look at the status of the gunicorn service or run the ps command, you won't see any running processes. It looks like gunicorn is trying to access the Python interpreter in our virtualenv, probably to run the worker scripts. So now let's label these two executables and check whether we can open our Django test page.

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

The gunicorn service will need to be restarted before the new label takes effect. You can restart it right away, or stop the service and let the socket start it when you open the site in the browser. Verify that the processes have received the correct labels using ps.

ps -efZ | grep gunicorn

Don't forget to create a regular SELinux policy later!

If you look at the AVC messages now, the latest messages contain permissive=1 for everything related to the application, and permissive=0 for the rest of the system. Once you understand what kind of access the real application needs, you can quickly find the best way to solve such problems. But until then, it's best to keep the system secure and collect a clear, usable audit trail for the Django project.

sudo ausearch -m AVC
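To read the ausearch output systematically rather than by eye, the script below, an added example that is not part of the original post, parses AVC records like the two shown above into source domain, target type, object class and permission, and separates denials that actually blocked access (permissive=0) from those that were only logged because the domain is permissive (permissive=1). The sample input is the two records from this workshop plus one constructed record for gunicorn_t; the script assumes you pipe `sudo ausearch -m AVC` output into it.

```python
import re
import sys
from collections import Counter

# Constructed sample input: the two denials shown in this workshop plus one
# record (the last line, invented here) from the permissive gunicorn_t domain.
SAMPLE_AVC = """\
type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545321000.000:1600): avc:  denied { read open } for pid=20800 comm="gunicorn" name="settings.py" dev="vda3" ino=8515800 scontext=system_u:system_r:gunicorn_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
"""

# "avc:  denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Turn one AVC record into a dict, or return None for other audit types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),            # e.g. ["read", "open"]
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        # user:role:type:level -> keep the type, which is what policy rules use
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Count denials by (source domain, target type, class, permission, effect)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        effect = "logged" if rec["permissive"] else "blocked"
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm, effect)] += 1
    return counts


def blocked(text):
    """Only the denials that were enforced: these explain a 502 or a dead worker."""
    return sorted(key for key in summarize(text) if key[4] == "blocked")


if __name__ == "__main__":
    # Feed it `sudo ausearch -m AVC` output, or run without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AVC
    for (sdom, ttype, tclass, perm, effect), n in sorted(summarize(text).items()):
        print(f"{effect:8} {n:3}x  {sdom} -> {ttype} ({tclass}: {perm})")
```

Grouping by source domain, target type, class and permission is the same shape an allow rule takes, so the "blocked" lines are the ones that still stop the prototype, while the "logged" lines from gunicorn_t are the raw material for the real policy the text says to write later.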

Done!

We now have a working Django project with a frontend based on Nginx and the Gunicorn WSGI server. We configured Python 3 and PostgreSQL 10 from the RHEL 8 Beta repository. Now you can move on and build (or simply deploy) a Django application, or explore other tools available in RHEL 8 Beta to automate the configuration process, improve performance, or containerize this setup.

Source: www.habr.com
