I-ProHoster > Π‘Π»ΠΎΠ³ > Ukuphatha > Iworkshop ye-RHEL 8 Beta: Ukwakha izinhlelo zokusebenza zewebhu ezisebenzayo

Iworkshop ye-RHEL 8 Beta: Ukwakha izinhlelo zokusebenza zewebhu ezisebenzayo

I-RHEL 8 Beta inikeza abathuthukisi izici eziningi ezintsha, ukufakwa kuhlu kwazo okungathatha amakhasi, nokho, ukufunda izinto ezintsha kuhlala kungcono ekusebenzeni, ngakho-ke ngezansi sinikeza umhlangano wokusebenzela wokudala ingqalasizinda yohlelo lokusebenza esekelwe ku-Red Hat Enterprise Linux 8 Beta.

Iworkshop ye-RHEL 8 Beta: Ukwakha izinhlelo zokusebenza zewebhu ezisebenzayo

Ake sithathe i-Python, ulimi lokuhlela oludumile phakathi konjiniyela, njengesisekelo, inhlanganisela ye-Django ne-PostgreSQL, inhlanganisela evamile yokudala izinhlelo zokusebenza, futhi silungiselele i-RHEL 8 Beta ukuze usebenze nayo. Bese sizongeza izithako ezimbalwa ezengeziwe (ezingahlukaniswanga).

Indawo yokuhlola izoshintsha, ngoba kuyathakazelisa ukuhlola amathuba okuzenzakalela, ukusebenza ngeziqukathi kanye nezindawo zokuzama ezinamaseva amaningi. Ukuze uqalise ngephrojekthi entsha, ungaqala ngokwakha i-prototype encane, elula ngesandla ukuze ubone kahle ukuthi yini okufanele yenzeke nokuthi isebenzisana kanjani, bese uqhubekela phambili ukuze wenze okuzenzakalelayo futhi udale ukucupha okuyinkimbinkimbi. Namuhla sikhuluma ngokudalwa kwe-prototype enjalo.

Ake siqale ngokukhipha isithombe se-RHEL 8 Beta VM. Ungafaka umshini obonakalayo kusukela ekuqaleni, noma usebenzise isithombe sesivakashi se-KVM esitholakala ngokubhalisile kwakho kwe-Beta. Uma usebenzisa isithombe sesivakashi, uzodinga ukumisa i-virtual CD ezoqukatha imethadatha nedatha yomsebenzisi ukuze kuqaliswe ifu (cloud-init). Awudingi ukwenza noma yini ekhethekile ngesakhiwo sediski noma amaphakheji atholakalayo; noma yikuphi ukucushwa kuzokwenza.

Ake sibhekisise yonke inqubo.

Ifaka i-Django

Ngenguqulo entsha ye-Django, uzodinga indawo ebonakalayo (virtualenv) enePython 3.5 noma kamuva. Kumanothi e-Beta ungabona ukuthi i-Python 3.6 iyatholakala, ake sihlole ukuthi ingabe kunjalo ngempela: 

[cloud-user@8beta1 ~]$ python
-bash: python: command not found
[cloud-user@8beta1 ~]$ python3
-bash: python3: command not found

I-Red Hat isebenzisa ngenkuthalo i-Python njengekhithi yamathuluzi esistimu ku-RHEL, pho kungani lokhu kuba nomphumela?

Iqiniso liwukuthi abathuthukisi abaningi be-Python basacabanga ngoshintsho ukusuka ku-Python 2 kuya ku-Python 2, kuyilapho i-Python 3 ngokwayo ingaphansi kokuthuthukiswa okusebenzayo, futhi izinguqulo eziningi ezintsha zivela njalo. Ngakho-ke, ukuze kuhlangatshezwane nesidingo samathuluzi esistimu azinzile ngenkathi unikeza abasebenzisi ukufinyelela ezinguqulweni ezintsha ezihlukahlukene zePython, iPython yohlelo ihanjiswe ephaketheni elisha futhi yanikeza ikhono lokufaka kokubili iPython 2.7 kanye ne-3.6. Ulwazi olwengeziwe mayelana nezinguquko nokuthi kungani zenziwa zingatholakala ekushicilelweni kokuthi Ibhulogi likaLangdon White (Langdon White).

Ngakho-ke, ukuze uthole iPython esebenzayo, udinga kuphela ukufaka amaphakheji amabili, ne-python3-pip efakiwe njengokuncika. 

sudo yum install python36 python3-virtualenv

Kungani ungasebenzisi izingcingo eziqondile njengoba uLangdon ephakamisa futhi ufake i-pip3? Ikhumbula i-automation ezayo, kuyaziwa ukuthi i-Ansible izodinga ukuthi i-pip ifakwe ukuze isebenze, njengoba imojula ye-pip ayisekeli ama-virtualenvs anepayipi langokwezifiso elisebenzisekayo.

Ngotolika osebenzayo we-python3 onawo, ungaqhubeka nenqubo yokufaka i-Django futhi ube nesistimu yokusebenza kanye nezinye izingxenye zethu. Kunezinketho eziningi zokuqalisa ezitholakala ku-inthanethi. Kunenguqulo eyodwa evezwe lapha, kodwa abasebenzisi bangasebenzisa izinqubo zabo.

Sizofaka izinguqulo ze-PostgreSQL ne-Nginx ezitholakala ku-RHEL 8 ngokuzenzakalelayo sisebenzisa i-Yum.

sudo yum install nginx postgresql-server

I-PostgreSQL izodinga i-psycopg2, kodwa idinga ukutholakala kuphela endaweni ye-virtualenv, ngakho-ke sizoyifaka sisebenzisa i-pip3 kanye ne-Django ne-Gunicorn. Kodwa okokuqala sidinga ukusetha i-virtualenv.

Kuhlala kunempikiswano enkulu esihlokweni sokukhetha indawo efanele yokufaka amaphrojekthi e-Django, kodwa uma ungabaza, ungaphendukela ku-Linux Filesystem Hierarchy Standard. Ngokuqondile, i-FHS ithi i-/srv isetshenziselwa: β€œukugcina idatha eqondene nomsingathiβ€”idatha ekhiqizwa uhlelo, njengedatha yeseva yewebhu kanye nemibhalo, idatha egcinwe kumaseva e-FTP, nokulawula amaqoqo esistimu.” izinguqulo (ezivela ku-FHS -2.3 ngo-2004).

Lokhu kuyindaba yethu impela, ngakho-ke sibeka konke esikudingayo ku-/srv, okuphethwe umsebenzisi wethu wohlelo lokusebenza (umsebenzisi wefu).

sudo mkdir /srv/djangoapp
sudo chown cloud-user:cloud-user /srv/djangoapp
cd /srv/djangoapp
virtualenv django
source django/bin/activate
pip3 install django gunicorn psycopg2
./django-admin startproject djangoapp /srv/djangoapp

Ukusetha i-PostgreSQL ne-Django kulula: dala isizindalwazi, dala umsebenzisi, lungiselela izimvume. Into eyodwa okufanele uyikhumbule lapho ufaka i-PostgreSQL ekuqaleni iskripthi sokusetha se-postgresql esifakwe nephakheji ye-postgresql-server. Lesi script sikusiza ukuthi wenze imisebenzi eyisisekelo ehlotshaniswa nokuphathwa kweqoqo lesizindalwazi, njengokuqalisa kweqoqo noma inqubo yokuthuthukisa. Ukuze ulungiselele isibonelo esisha se-PostgreSQL ohlelweni lwe-RHEL, sidinga ukusebenzisa umyalo: 

sudo /usr/bin/postgresql-setup -initdb

Ungaqala ke i-PostgreSQL usebenzisa i-systemd, udale isizindalwazi, futhi usethe iphrojekthi ku-Django. Khumbula ukuqalisa kabusha i-PostgreSQL ngemva kokwenza izinguquko kufayela lokumisa lokufakazela ubuqiniso beklayenti (ngokuvamile pg_hba.conf) ukuze ulungiselele ukugcinwa kwephasiwedi komsebenzisi wohlelo lokusebenza. Uma uhlangabezana nobunye ubunzima, qiniseka ukuthi ushintsha izilungiselelo ze-IPv4 ne-IPv6 kufayela elithi pg_hba.conf.

systemctl enable -now postgresql

sudo -u postgres psql
postgres=# create database djangoapp;
postgres=# create user djangouser with password 'qwer4321';
postgres=# alter role djangouser set client_encoding to 'utf8';
postgres=# alter role djangouser set default_transaction_isolation to 'read committed';
postgres=# alter role djangouser set timezone to 'utc';
postgres=# grant all on DATABASE djangoapp to djangouser;
postgres=# q

Efayeleni /var/lib/pgsql/data/pg_hba.conf:

# IPv4 local connections:
host    all        all 0.0.0.0/0                md5
# IPv6 local connections:
host    all        all ::1/128                 md5

Kufayela /srv/djangoapp/settings.py:

# Database
DATABASES = {
   'default': {
       'ENGINE': 'django.db.backends.postgresql_psycopg2',
       'NAME': '{{ db_name }}',
       'USER': '{{ db_user }}',
       'PASSWORD': '{{ db_password }}',
       'HOST': '{{ db_host }}',
   }
}

Ngemva kokumisa ifayela le-setting.py kuphrojekthi kanye nokumisa ukucushwa kwesizindalwazi, ungaqala iseva yokuthuthukisa ukuze uqiniseke ukuthi yonke into iyasebenza. Ngemva kokuqala iseva yokuthuthukisa, kuwumqondo omuhle ukudala umsebenzisi womlawuli ukuze ahlole uxhumano kusizindalwazi. 

./manage.py runserver 0.0.0.0:8000
./manage.py createsuperuser

I-WSGI? Wai?

Iseva yokuthuthukisa iwusizo ekuhloleni, kodwa ukuze uqalise uhlelo lokusebenza kufanele ulungiselele iseva efanelekile nommeleli we-Web Server Gateway Interface (WSGI). Kunezinhlanganisela ezimbalwa ezijwayelekile, isibonelo, i-Apache HTTPD ene-uWSGI noma i-Nginx ene-Gunicorn.

Umsebenzi we-Web Server Gateway Interface uwukudlulisa izicelo ezivela kuseva yewebhu kuhlaka lwewebhu lwePython. I-WSGI iyinsalela yesikhathi esidlule esibi lapho izinjini ze-CGI zikhona, futhi namuhla i-WSGI iyindinganiso ye-de facto, kungakhathaliseki ukuthi iseva yewebhu noma uhlaka lwePython olusetshenzisiwe. Kodwa naphezu kokusetshenziswa kwayo kabanzi, kusekhona ama-nuances amaningi lapho usebenza nalezi zinhlaka, nokukhetha okuningi. Kulokhu, sizozama ukusungula ukusebenzisana phakathi kwe-Gunicorn ne-Nginx ngesokhethi.

Njengoba zombili lezi zingxenye zifakwe kuseva efanayo, ake sizame ukusebenzisa isokhethi ye-UNIX esikhundleni sesokhethi yenethiwekhi. Njengoba ukuxhumana kudinga isokhethi kunoma yikuphi, ake sizame ukuthatha isinyathelo esisodwa futhi silungiselele ukusebenza kwesokhethi ye-Gunicorn nge-systemd.

Inqubo yokwenza izinsiza ezicushiwe zesokhethi ilula kakhulu. Okokuqala, kwakhiwa ifayela leyunithi eliqukethe isiqondiso se-ListenStream esikhomba iphuzu lapho isokhethi le-UNIX lizokwakhiwa khona, bese kuba ifayela leyunithi lesevisi lapho i-Directive Dinga izokhomba ifayela leyunithi yesokhethi. Bese, kufayela leyunithi yesevisi, okusele nje ukushayela i-Gunicorn endaweni ebonakalayo bese udala isibopho se-WSGI sesokhethi ye-UNIX kanye nohlelo lokusebenza lwe-Django.

Nazi ezinye izibonelo zamafayela amayunithi ongawasebenzisa njengesisekelo. Okokuqala simisa isokhethi. 

[Unit]
Description=Gunicorn WSGI socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Manje udinga ukumisa i-daemon ye-Gunicorn.

[Unit]
Description=Gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=cloud-user
Group=cloud-user
WorkingDirectory=/srv/djangoapp

ExecStart=/srv/djangoapp/django/bin/gunicorn 
         β€”access-logfile - 
         β€”workers 3 
         β€”bind unix:gunicorn.sock djangoapp.wsgi

[Install]
WantedBy=multi-user.target

Ku-Nginx, kuyindaba elula yokudala amafayela wokumisa ummeleli nokumisa uhla lwemibhalo ukuze ugcine okuqukethwe okumile uma usebenzisa eyodwa. Ku-RHEL, amafayela wokumisa we-Nginx atholakala ku-/etc/nginx/conf.d. Ungakwazi ukukopisha isibonelo esilandelayo kufayela /etc/nginx/conf.d/default.conf futhi uqale isevisi. Qiniseka ukuthi usetha igama_leseva ukuze lifane negama lomsingathi wakho. 

server {
   listen 80;
   server_name 8beta1.example.com;

   location = /favicon.ico { access_log off; log_not_found off; }
   location /static/ {
       root /srv/djangoapp;
   }

   location / {
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_pass http://unix:/run/gunicorn.sock;
   }
}

Qala isokhethi ye-Gunicorn ne-Nginx usebenzisa i-systemd futhi usulungele ukuqala ukuhlola.

Iphutha lesango elibi?

Uma ufaka ikheli esipheqululini sakho, cishe uzothola iphutha le-502 Bad Gateway. Kungase kubangelwe izimvume zesokhethi ezilungiselelwe ngokungalungile, noma kungase kube ngenxa yezinkinga eziyinkimbinkimbi ezihlobene nokulawula ukufinyelela ku-SELinux.

Kulogi yephutha ye-nginx ungabona umugqa onjengalo: 

2018/12/18 15:38:03 [crit] 12734#0: *3 connect() to unix:/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.122.1, server: 8beta1.example.com, request: "GET / HTTP/1.1", upstream: "http://unix:/run/gunicorn.sock:/", host: "8beta1.example.com"

Uma sihlola i-Gunicorn ngokuqondile, sizothola impendulo engenalutho. 

curl β€”unix-socket /run/gunicorn.sock 8beta1.example.com

Ake sithole ukuthi kungani lokhu kwenzeka. Uma uvula ilogi, cishe uzobona ukuthi inkinga ihlobene ne-SELinux. Njengoba sisebenzisa i-daemon okungadaliwe inqubomgomo yayo, imakwe njenge-init_t. Ake sihlole lo mbono ngokusebenza. 

sudo setenforce 0

Konke lokhu kungase kubangele ukugxekwa nezinyembezi zegazi, kodwa lokhu nje ukulungisa iphutha le-prototype. Ake sikhubaze isheke ukuze senze isiqiniseko sokuthi lena inkinga, emva kwalokho sizobuyisela yonke into endaweni yayo.

Ngokuvuselela ikhasi kusiphequluli noma ukuqalisa kabusha umyalo wethu we-curl, ungabona ikhasi lokuhlola le-Django.

Ngakho-ke, ngemva kokuqinisekisa ukuthi yonke into iyasebenza futhi azikho izinkinga zemvume, sivumela i-SELinux futhi. 

sudo setenforce 1

Ngeke ngikhulume nge-audit2allow noma ukudala izinqubomgomo ezisekelwe ekuxwayiseni nge-sepolgen lapha, njengoba lungekho uhlelo lokusebenza lwangempela lwe-Django okwamanje, ngakho-ke alikho imephu ephelele yalokho i-Gunicorn engase ifune ukuyifinyelela nokuthi yini okufanele inqabele ukufinyelela kukho. Ngakho-ke, kuyadingeka ukugcina i-SELinux isebenza ukuze kuvikelwe uhlelo, kuyilapho ngesikhathi esifanayo ivumela uhlelo lokusebenza ukuthi lusebenze futhi lushiye imilayezo kulogi yokuhlola ukuze inqubomgomo yangempela ingadalwa kubo.

Icacisa izizinda ezivumelayo

Akuwona wonke umuntu ozwile ngezizinda ezivunyelwe ku-SELinux, kodwa aziyona into entsha. Abaningi baze basebenza nabo benganakile. Uma inqubomgomo idalwa ngokusekelwe emilayezweni yokuhlola, inqubomgomo edaliwe imelela isizinda esixazululiwe. Ake sizame ukwenza inqubomgomo yezimvume elula.

Ukuze udale isizinda esithile esivunyelwe se-Gunicorn, udinga uhlobo oluthile lwenqubomgomo, futhi udinga ukumaka amafayela afanelekile. Ngaphezu kwalokho, amathuluzi ayadingeka ukuze kuhlanganiswe izinqubomgomo ezintsha. 

sudo yum install selinux-policy-devel

Indlela yezizinda ezivunyelwe iyithuluzi elihle lokuhlonza izinkinga, ikakhulukazi uma kuza kuhlelo lokusebenza lwangokwezifiso noma izinhlelo zokusebenza ezithunyelwa ngaphandle kwezinqubomgomo ese zidaliwe kakade. Kulesi simo, inqubomgomo yesizinda esivunyelwe ye-Gunicorn izoba lula ngangokunokwenzeka - memezela uhlobo oluyinhloko (gunicorn_t), memezela uhlobo esizolusebenzisa ukumaka okusebenzisekayo okuningi (gunicorn_exec_t), bese usetha inguquko ukuze isistimu imakwe kahle. izinqubo ezisebenzayo . Umugqa wokugcina usetha inqubomgomo njengenikwe amandla ngokuzenzakalela ngesikhathi ilayishwa.

gunicorn.te:

policy_module(gunicorn, 1.0)

type gunicorn_t;
type gunicorn_exec_t;
init_daemon_domain(gunicorn_t, gunicorn_exec_t)
permissive gunicorn_t;

Ungakwazi ukuhlanganisa leli fayela lenqubomgomo futhi ulingeze ohlelweni lwakho. 

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i gunicorn.pp

sudo semanage permissive -a gunicorn_t
sudo semodule -l | grep permissive

Ake sihlole ukuze sibone ukuthi i-SELinux ivimba yini enye into ngaphandle kwalokhu i-daemon yethu engaziwa efinyelela kuyo. 

sudo ausearch -m AVC

type=AVC msg=audit(1545315977.237:1273): avc:  denied { write } for pid=19400 comm="nginx" name="gunicorn.sock" dev="tmpfs" ino=52977 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

I-SELinux ivimbela i-Nginx ekubhaleni idatha iye kwisokhethi ye-UNIX esetshenziswa yi-Gunicorn. Ngokuvamile, ezimweni ezinjalo, izinqubomgomo ziqala ukushintsha, kodwa kunezinye izinselele ezizayo. Ungaphinda uguqule izilungiselelo zesizinda kusuka kusizinda sokuvinjelwa kuya kusizinda semvume. Manje ake sihambise i-httpd_t esizindeni sezimvume. Lokhu kuzonikeza i-Nginx ukufinyelela okudingekayo futhi singaqhubeka nomsebenzi wokususa amaphutha. 

sudo semanage permissive -a httpd_t

Ngakho-ke, uma usukwazile ukugcina i-SELinux ivikelekile (akufanele ngempela ushiye iphrojekthi ye-SELinux kwimodi ekhawulelwe) futhi izizinda zemvume zilayishiwe, udinga ukuthola ukuthi yini ngempela okudingeka imakwe njenge-gunicorn_exec_t ukuze yonke into isebenze kahle. futhi. Ake sizame ukuvakashela iwebhusayithi ukuze sibone imilayezo emisha mayelana nemikhawulo yokufinyelela. 

sudo ausearch -m AVC -c gunicorn

Uzobona imilayezo eminingi equkethe 'comm="gunicorn"' eyenza izinto ezihlukahlukene kumafayela ku-/srv/djangoapp, ngakho lokhu ngokusobala omunye wemiyalo okufanele ihlatshwe umkhosi.

Kodwa ngaphezu kwalokho, kuvela umyalezo ofana nalo: 

type=AVC msg=audit(1545320700.070:1542): avc:  denied { execute } for pid=20704 comm="(gunicorn)" name="python3.6" dev="vda3" ino=8515706 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

Uma ubheka isimo sesevisi ye-gunicorn noma usebenzisa umyalo we-ps, ngeke ubone noma yiziphi izinqubo ezisebenzayo. Kubukeka sengathi i-gunicorn izama ukufinyelela kumhumushi we-Python endaweni yethu ye-virtualenv, mhlawumbe ukusebenzisa imibhalo yabasebenzi. Ngakho-ke manje ake simake lawa mafayela amabili asebenzisekayo futhi sihlole ukuthi singakwazi yini ukuvula ikhasi lethu lokuhlola le-Django. 

chcon -t gunicorn_exec_t /srv/djangoapp/django/bin/gunicorn /srv/djangoapp/django/bin/python3.6

Isevisi ye-guncorn izodinga ukuqaliswa kabusha ngaphambi kokuthi ithegi entsha ikhethwe. Ungayiqala kabusha ngokushesha noma umise isevisi futhi uvumele isokhethi ukuthi iqale lapho uvula isayithi esipheqululini. Qinisekisa ukuthi izinqubo zithole amalebula alungile kusetshenziswa i-ps. 

ps -efZ | grep gunicorn

Ungakhohlwa ukudala inqubomgomo evamile ye-SELinux kamuva!

Uma ubheka imilayezo ye-AVC manje, umlayezo wokugcina uqukethe i-permissive=1 yakho konke okuhlobene nohlelo, kanye ne-permissive=0 ohlelweni lonke. Uma uqonda ukuthi yiluphi uhlobo lokufinyelela oludingwa yisicelo sangempela, ungathola ngokushesha indlela engcono kakhulu yokuxazulula izinkinga ezinjalo. Kodwa kuze kube yileso sikhathi, kungcono kakhulu ukugcina isistimu ivikelekile futhi uthole ukuhlolwa okucacile, okusebenzisekayo kwephrojekthi ye-Django. 

sudo ausearch -m AVC

Kwenzekile!

Iphrojekthi ye-Django esebenzayo ivele ene-frontend esekelwe ku-Nginx ne-Gunicorn WSGI. Silungiselele i-Python 3 ne-PostgreSQL 10 kusuka kumakhosombe we-RHEL 8 Beta. Manje ungaqhubekela phambili futhi udale (noma umane usebenzise) izinhlelo zokusebenza ze-Django noma uhlole amanye amathuluzi atholakalayo ku-RHEL 8 Beta ukuze wenze ngokuzenzakalelayo inqubo yokumisa, uthuthukise ukusebenza, noma ngisho nokuqukatha lokhu kulungiselelwa.

Source: www.habr.com

Engeza amazwana