Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/sh | ||
|
||
#DEBHELPER# | ||
|
||
set -e | ||
USER=st2 | ||
mkdir -p /var/sockets/ | ||
chown ${USER}:${USER} /var/sockets/ |
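Review bot: `set -e` is placed after the `#DEBHELPER#` marker, so a failure in any debhelper-generated snippet substituted there will not abort the maintainer script; move `set -e` directly under the shebang. The `mkdir -p /var/sockets/` also takes its mode from whatever umask dpkg runs under, so pass an explicit mode (for example `mkdir -p -m 0755 /var/sockets/`, or tighter if only the socket owner needs to traverse it) rather than relying on the environment.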
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
[uwsgi] | ||
uid = st2 | ||
gid = st2 | ||
chmod-socket = 644 | ||
chown-socket = www-data:www-data | ||
processes = 1 | ||
socket = /var/sockets/st2auth.sock | ||
threads = 10 | ||
vacuum = true | ||
wsgi-file = /usr/share/python/st2auth/lib/python2.7/site-packages/st2auth/wsgi.py |
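Review bot: `chmod-socket = 644` together with `chown-socket = www-data:www-data` means only the socket owner can connect (connecting to a Unix socket requires write permission), which is a sound least-privilege choice for an nginx upstream, but it hardcodes a user this package never creates, and uwsgi has to be started as root for `chown-socket` to take effect before it drops to uid/gid st2. Document that requirement or make the owner configurable; the comments below already flag the www-data assumption.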
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
conf/uwsgi/st2auth.ini etc/uwsgi.d |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/sh | ||
|
||
#DEBHELPER# | ||
|
||
set -e | ||
USER="st2" | ||
mkdir -p /var/sockets/ | ||
chown ${USER}:${USER} /var/sockets/ |
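Review bot: This postinst is a verbatim copy of the st2auth one apart from quoting USER, and it has the same ordering issue: `set -e` should precede `#DEBHELPER#` so failures in the inserted debhelper snippets abort the install. Since both packages create and chown /var/sockets/, express that once (a shared snippet or a common package) so the two copies cannot drift.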
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
[uwsgi] | ||
uid = st2 | ||
gid = st2 | ||
chmod-socket = 644 | ||
chown-socket = www-data:www-data | ||
processes = 1 | ||
socket = /var/sockets/st2auth.sock | ||
threads = 10 | ||
vacuum = true | ||
wsgi-file = /usr/share/python/st2/lib/python2.7/site-packages/st2auth/wsgi.py |
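Review bot: `wsgi-file` here points at /usr/share/python/st2/lib/python2.7/site-packages/st2auth/wsgi.py while the other st2auth.ini in this commit uses /usr/share/python/st2auth/...; only one can be right for a given install, so confirm which virtualenv each package ships and keep the path consistent rather than hardcoding it twice.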
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D | ||
sudo bash -c "echo 'deb https://apt.dockerproject.org/repo ubuntu-trusty main' > /etc/apt/sources.list.d/docker.list" | ||
sudo apt-get update | ||
sudo apt-get install linux-image-extra-$(uname -r) docker-engine | ||
sudo pip install wheel docker-compose | ||
cd /mnt/st2-packages/ | ||
sudo docker-compose -f docker-compose.circle.yml run -e ST2_GITURL="https://github.com/stackstorm/st2" -e ST2_GITREV="master" -e ST2PKG_VERSION="1.3dev" -e ST2PKG_RELEASE="999" -e RABBITMQHOST="172.17.0.1" -e POSTGRESHOST="172.17.0.1" -e MONGODBHOST="172.17.0.1" trusty build | ||
sudo dpkg -i /tmp/st2-packages/st2common_1.3dev-999_amd64.deb | ||
sudo dpkg -i /tmp/st2-packages/st2api_1.3dev-999_amd64.deb |
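Review bot: The script has no shebang and no `set -e`, so if `apt-get install` or `pip install` fails the `dpkg -i` lines still run against missing or stale .deb files; add `set -e` at the top. The Docker signing key is fetched over plain hkp on port 80, an unauthenticated transport; pinning the full 40-character fingerprint limits a tampered response to a failed fetch, but an https keyserver would be cleaner. Also, only st2common and st2api are installed here while st2auth packaging is added in this same commit; if st2auth is meant to be exercised, add its .deb as well.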
7 comments on commit ed74295
FYI that long command:
sudo docker-compose -f docker-compose.circle.yml run -e ST2_GITURL="https://github.com/stackstorm/st2" -e ST2_GITREV="master" -e ST2PKG_VERSION="1.3dev" -e ST2PKG_RELEASE="999" -e RABBITMQHOST="172.17.0.1" -e POSTGRESHOST="172.17.0.1" -e MONGODBHOST="172.17.0.1" trusty build
is for Circle really which has built-in mongo and rabbit and some specific environment.
Locally you can use just simple (default way):
sudo docker-compose trusty build
This will be fully isolated (including containers for mongo and rabbit).
Just researched a bit.
Seems /var/sockets/ is not within the best practices. It's best to place a socket with non-root permissions into the directory where the program lives or in /tmp. /run and /var/run are best suited for root processes.
I suspect /tmp/st2api.sock would be the best, just near the mongodb.sock, see:
root@ubuntu14:/# find / -name '*.sock'
/run/rpcbind.sock
/tmp/mongodb-27017.sock
/run/docker.sock
And this also will simplify life since we won't need to create/chown the /var/sockets/ directory anymore.
Resources:
Another corner case will be the assumption that the www-data user exists, which is not always the case. As I understand it, it comes from nginx.
I think I need to dig into apache or nginx packaging for this example, to see if we can create this user (ensure) without breaking anything else.
You probably saw that we already create the stanley user if it does not exist:
st2-packages/packages/st2bundle/debian/preinst
Lines 18 to 21 in a067cbd
if (! id stanley 2>/dev/null); then
    adduser --group stanley
    adduser --disabled-password --gecos "" --ingroup stanley stanley
fi
as an example.
@enykeev Sorry for not being super helpful, I had several issues with Vagrant networking & Docker pull & Vagrant I/O issues, so I only commented, rather than trying to build/fix the things by myself.
The last one I'm experiencing is: #4 (comment)
Will continue to dig tomorrow by running everything in an AWS instance (to avoid Vagrant).
No, actually, you've been quite helpful. Moving sockets to /tmp will make my life so much easier, yet I wonder if there are any security implications in that decision.
As for www-data, yes, indeed, we're relying on the user being present. When I'm done with packaging, I'm going to try and move stuff around, see if I can probably make the username an env variable or pick another user inside the nginx config on a per-server basis.
There's actually quite a lot of stuff to do on the nginx config side. We need to reevaluate the hacks we've added there to see which of them are still required and see if we can make it simpler. I was a little bit startled when @lakshmi-kannan told me our final deliverable is docs and not a script, so we can't just throw a load of cryptic code at our user and tell him to trust us.
Well, apparently you can't use /tmp for sockets because of the systemd security feature called PrivateTmp. You can probably disable it, but you would have to do the same for nginx for it to work. Shame, it was a good idea. I'm moving sockets to /run though.
+1 to what @armab says. Please choose the standard socket directory for each platform. /tmp/ is not the best place.
Regarding www-data, it's better to check how it's created in other packages like apache and nginx and try to create it in exactly the same manner if it doesn't exist... Bringing nginx/apache in as a dependency doesn't look good at all.
What is this for? Could you please explain. Ah yeah, got it, you just build st2api and st2auth. Ignore this)