Commit

WIP

enykeev committed Jan 20, 2016
1 parent d74ee23 commit ed74295
Showing 22 changed files with 73 additions and 40 deletions.
4 changes: 2 additions & 2 deletions packages/st2api/debian/st2api.init
@@ -18,8 +18,8 @@
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="st2api"
NAME=st2api
DAEMON=/usr/share/python/st2api/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2api/bin/gunicorn_pecan
DAEMON_ARGS="/usr/share/python/st2api/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
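Review bot: `--threads 10` does nothing under `-k eventlet`; gunicorn's threads setting only applies to the gthread worker, so per-worker concurrency here is governed by worker_connections and the flag only misleads the next reader. Either drop it or put the concurrency knob in gunicorn_config.py. Two more points in this hunk: the old `--config-file /etc/st2/st2.conf` is gone and nothing replaces it, so confirm gunicorn_config.py loads st2.conf on its own; and the unix socket at /var/sockets/st2api.sock is bound without `--umask`, while gunicorn's documented default umask is 0, which makes the socket world-writable and lets any local account talk to the API directly, bypassing nginx. Pass `--umask 007` (or set umask in the config file) and give /var/sockets a group the proxy user belongs to.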
8 changes: 8 additions & 0 deletions packages/st2api/debian/st2api.postinst
@@ -0,0 +1,8 @@
#!/bin/sh

#DEBHELPER#

set -e
USER=st2
mkdir -p /var/sockets/
chown ${USER}:${USER} /var/sockets/
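Review bot: `set -e` comes after `#DEBHELPER#`, so the maintainer-script snippets debhelper injects there (the init/upstart registration for this very service) run without errexit and their failures are ignored; put `set -e` on the line after the shebang and wrap the directory setup in `if [ "$1" = configure ]`. `mkdir -p /var/sockets/` also leaves the directory mode to root's umask; `install -d -m 0750 -o st2 -g st2 /var/sockets` makes owner and mode explicit in one idempotent step. The identical block appears in st2auth.postinst in this commit, so /var/sockets ends up with two owners; it belongs in st2common or whichever package both depend on.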
3 changes: 1 addition & 2 deletions packages/st2api/debian/st2api.upstart
@@ -14,10 +14,9 @@ kill timeout 60

script
NAME=st2api
DEFAULT_ARGS="--config-file /etc/st2/st2.conf"

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

/usr/share/python/st2api/bin/$NAME ${DEFAULT_ARGS}
/usr/share/python/st2api/bin/gunicorn_pecan /usr/share/python/st2api/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1
end script
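Review bot: the job still sources /etc/default/$NAME but no longer reads anything from it, since DEFAULT_ARGS was removed and the gunicorn command line is now fixed in the script; either keep an overridable variable (for example ST2API_ARGS, defaulted in the script and used on the exec line) or drop the sourcing so the defaults file does not pretend to be a tuning hook. The `lib/python2.7` segment in the path is a fragile constant as well; this commit writes the same long command by hand in four init flavours, which is exactly how they drift.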
6 changes: 3 additions & 3 deletions packages/st2api/rpm/st2api.init
@@ -22,8 +22,8 @@

DESC="st2api"
NAME=st2api
DAEMON=/usr/share/python/st2api/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2api/bin/gunicorn_pecan
DAEMON_ARGS="/usr/share/python/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
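Review bot: DAEMON_ARGS points at `/usr/share/python/st2/lib/python2.7/...` while DAEMON is `/usr/share/python/st2api/bin/gunicorn_pecan`; the standalone st2api package installs its venv under /usr/share/python/st2api (the Debian init in this commit uses that), so this config path only exists on hosts that also have st2bundle installed and the service fails on a plain st2api RPM install. Use /usr/share/python/st2api/lib/python2.7/site-packages/st2api/gunicorn_config.py here, and consider rendering the init files from one template so Debian and RPM cannot disagree.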
@@ -56,7 +56,7 @@ nohup_start() {
corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}"
# if they set NICELEVEL in /etc/sysconfig/foo, honor it
[ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL"

# Echo daemon
[ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base"

3 changes: 1 addition & 2 deletions packages/st2api/rpm/st2api.service
@@ -6,9 +6,8 @@ After=network.target
Type=simple
User=st2
Group=st2
Environment="DAEMON_ARGS=--config-file /etc/st2/st2.conf"
EnvironmentFile=-/etc/sysconfig/st2api
ExecStart=/usr/share/python/st2api/bin/st2api $DAEMON_ARGS
ExecStart=/usr/share/python/st2api/bin/st2api /usr/share/python/st2api/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1
TimeoutSec=60
PrivateTmp=true
Restart=on-failure
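Review bot: ExecStart keeps the `/usr/share/python/st2api/bin/st2api` binary but passes it gunicorn options (`-k eventlet -b unix:...`); the init and upstart files in this same commit switched to `gunicorn_pecan`, and the st2api entry point is not a gunicorn launcher, so this unit cannot start on systemd hosts. Change the executable to /usr/share/python/st2api/bin/gunicorn_pecan. EnvironmentFile is also retained although `$DAEMON_ARGS` is no longer referenced. Since the unit already runs as User=st2, `RuntimeDirectory=st2` (with RuntimeDirectoryMode=0750) would let systemd create the socket directory under /run and remove the postinst mkdir/chown, which lines up with the move to /run discussed in the comments.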
10 changes: 10 additions & 0 deletions packages/st2auth/conf/uwsgi/st2auth.ini
@@ -0,0 +1,10 @@
[uwsgi]
uid = st2
gid = st2
chmod-socket = 644
chown-socket = www-data:www-data
processes = 1
socket = /var/sockets/st2auth.sock
threads = 10
vacuum = true
wsgi-file = /usr/share/python/st2auth/lib/python2.7/site-packages/st2auth/wsgi.py
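Review bot: no `die-on-term` and no `master` here: uWSGI's default reaction to SIGTERM is a brutal reload, not exit, so `service st2auth stop` restarts the workers rather than stopping them; add `master = true` and `die-on-term = true`. On permissions, `chmod-socket = 644` with `chown-socket = www-data:www-data` is actually tight, since connect() on a unix socket needs write permission and only the owner has it, but it hardcodes the proxy user (raised in the comments below) and forces a root start so uWSGI can chown. A portable alternative is to leave the socket owned by st2, set `chmod-socket = 660`, and add the proxy user to the st2 group in the proxy's own setup. Also verify that the pip-installed uwsgi finds the venv's site-packages for this wsgi-file without `virtualenv = /usr/share/python/st2auth`; if it does not, the import of st2auth fails at startup.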
1 change: 1 addition & 0 deletions packages/st2auth/debian/install
@@ -0,0 +1 @@
conf/uwsgi/st2auth.ini etc/uwsgi.d
8 changes: 3 additions & 5 deletions packages/st2auth/debian/st2auth.init
@@ -18,12 +18,10 @@
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="st2auth"
NAME=st2auth
DAEMON=/usr/share/python/st2auth/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2auth/bin/uwsgi
DAEMON_ARGS="--ini /etc/uwsgi.d/st2auth.ini"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
RUNAS_GROUP="st2"

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
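Review bot: RUNAS_USER/RUNAS_GROUP are gone, so the daemon is started as root and the privilege drop now happens inside uWSGI via `uid`/`gid` in the ini, after it has bound and chowned the socket. That ordering is what chown-socket requires, but nothing in the script says so; add a comment, or the next maintainer will see a root-started service and put --chuid back. The removed DAEMON_ARGS also carried `--config-file /etc/st2/st2.conf`; make sure wsgi.py reaches st2.conf through its default path or an environment variable from /etc/default/st2auth.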
@@ -61,7 +59,7 @@ do_start()
# 1 if daemon was already running
# 2 if daemon could not be started
lsb_running || return 1
start-stop-daemon --start --quiet --chuid $RUNAS_USER:$RUNAS_GROUP --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
}
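Review bot: with `--background --make-pidfile`, start-stop-daemon records the pid of the process it forked; today that is the single uWSGI worker, and once the ini gains `master = true` it becomes the master, so the stop semantics change with the ini. Let uWSGI write its own pid (`pidfile = /var/run/st2auth.pid` in the ini) and drop `--make-pidfile`, so the stop action always targets the process that owns the socket.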
8 changes: 8 additions & 0 deletions packages/st2auth/debian/st2auth.postinst
@@ -0,0 +1,8 @@
#!/bin/sh

#DEBHELPER#

set -e
USER="st2"
mkdir -p /var/sockets/
chown ${USER}:${USER} /var/sockets/
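Review bot: same shape as st2api.postinst in this commit, so the same two points apply: `set -e` must precede `#DEBHELPER#` or the injected init registration runs unchecked, and `mkdir -p` plus `chown` should be one `install -d -m 0750 -o st2 -g st2 /var/sockets`. Two packages creating and chowning the same directory is a sign it should live in a shared package.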
5 changes: 1 addition & 4 deletions packages/st2auth/debian/st2auth.upstart
@@ -4,8 +4,6 @@ author "StackStorm Engineering <opsadmin@stackstorm.com>"
start on filesystem and net-device-up IFACE!=lo
stop on starting rc RUNLEVEL=[016]

setuid st2
setgid st2
respawn
respawn limit 2 5
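Review bot: removing `setuid st2`/`setgid st2` makes upstart run (and respawn) uWSGI as root, relying on the ini's uid/gid for the drop; that is needed for chown-socket, but it should be stated in a comment next to `respawn`, and it goes away entirely if the socket is group-shared (chmod-socket 660, proxy user in the st2 group) instead of chowned to www-data.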

@@ -14,10 +12,9 @@ kill timeout 60

script
NAME=st2auth
DEFAULT_ARGS="--config-file /etc/st2/st2.conf"

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

/usr/share/python/st2auth/bin/$NAME ${DEFAULT_ARGS}
/usr/share/python/st2auth/bin/uwsgi --ini /etc/uwsgi.d/st2auth.ini
end script
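Review bot: /etc/default/$NAME is still sourced but nothing it could set is used any more, because DEFAULT_ARGS was removed and the uwsgi invocation is fixed; keep a variable the defaults file can override (e.g. ST2AUTH_INI defaulting to /etc/uwsgi.d/st2auth.ini) or drop the sourcing line.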
8 changes: 3 additions & 5 deletions packages/st2auth/rpm/st2auth.init
@@ -22,12 +22,10 @@

DESC="st2auth"
NAME=st2auth
DAEMON=/usr/share/python/st2auth/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2auth/bin/uwsgi
DAEMON_ARGS="--ini /etc/uwsgi.d/st2auth.ini"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
RUNAS_GROUP="st2"

lockfile=/var/lock/subsys/$NAME
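Review bot: as in the Debian init, dropping RUNAS_USER/RUNAS_GROUP means a root start with the privilege drop delegated to the ini's uid/gid; document that next to DAEMON_ARGS, and check that the stop/status paths of this script (not in the hunk) do not still filter on the st2 user, since the pid they look up now belongs to a process started as root.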

@@ -56,7 +54,7 @@ nohup_start() {
corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}"
# if they set NICELEVEL in /etc/sysconfig/foo, honor it
[ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL"

# Echo daemon
[ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base"

5 changes: 1 addition & 4 deletions packages/st2auth/rpm/st2auth.service
@@ -4,11 +4,8 @@ After=network.target

[Service]
Type=simple
User=st2
Group=st2
Environment="DAEMON_ARGS=--config-file /etc/st2/st2.conf"
EnvironmentFile=-/etc/sysconfig/st2auth
ExecStart=/usr/share/python/st2auth/bin/st2auth $DAEMON_ARGS
ExecStart=/usr/share/python/st2auth/bin/uwsgi --ini /etc/uwsgi.d/st2auth.ini
TimeoutSec=60
PrivateTmp=true
Restart=on-failure
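Review bot: removing User=/Group= makes the whole unit run as root so that uWSGI can chown the socket to www-data; PrivateTmp stays, but the unit loses the one privilege boundary it had. Keep `User=st2`, use `chmod-socket = 660` and add the proxy user to the st2 group, or hand the socket over through a systemd .socket unit with SocketUser/SocketGroup and let uWSGI inherit it (it supports systemd socket activation). Independently, add `KillSignal=SIGQUIT`, or `die-on-term = true` in the ini: uWSGI treats SIGTERM as a reload, so `systemctl stop` would otherwise wait out TimeoutSec=60 and then SIGKILL. EnvironmentFile=-/etc/sysconfig/st2auth is also kept although nothing reads $DAEMON_ARGS now.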
1 change: 1 addition & 0 deletions packages/st2auth/rpm/st2auth.spec
@@ -35,6 +35,7 @@ Requires: st2common = %{version}-%{release}
%files
%{_datadir}/python/%{name}
%config(noreplace) %{_sysconfdir}/st2/*
%config(noreplace) %{_sysconfdir}/uwsgi.d/*
%if 0%{?use_systemd}
%{_unitdir}/%{name}.service
%else
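Review bot: `%config(noreplace) %{_sysconfdir}/uwsgi.d/*` lists the file but not the directory; unless another package in the dependency chain owns /etc/uwsgi.d, add `%dir %{_sysconfdir}/uwsgi.d` so rpm tracks and removes it. /etc/uwsgi.d is also the directory the EPEL uwsgi package's emperor scans (`emperor = /etc/uwsgi.d` in its /etc/uwsgi.ini, in tyrant mode), so on a host with that package installed the emperor would try to run st2auth.ini as well, against the same socket path; a package-private location such as /etc/st2/uwsgi/st2auth.ini avoids the clash. Confirm the %install section copies conf/uwsgi/st2auth.ini, since only the %files entry is in this commit.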
10 changes: 10 additions & 0 deletions packages/st2bundle/conf/uwsgi/st2auth.ini
@@ -0,0 +1,10 @@
[uwsgi]
uid = st2
gid = st2
chmod-socket = 644
chown-socket = www-data:www-data
processes = 1
socket = /var/sockets/st2auth.sock
threads = 10
vacuum = true
wsgi-file = /usr/share/python/st2/lib/python2.7/site-packages/st2auth/wsgi.py
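Review bot: this file is identical to packages/st2auth/conf/uwsgi/st2auth.ini except for the venv path, so the same points carry over: add `master = true` and `die-on-term = true` so SIGTERM stops the service, and `chown-socket = www-data:www-data` hardcodes a proxy user the thread below says may not exist. Keeping two copies is how the rpm st2api.init in this commit already ended up with the wrong venv path; render the bundle ini from the st2auth one with the path substituted.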
1 change: 1 addition & 0 deletions packages/st2bundle/debian/install
@@ -8,3 +8,4 @@
../st2exporter/conf/syslog.*.conf etc/st2/
../st2reactor/conf/logging.*.conf etc/st2/
../st2reactor/conf/syslog.*.conf etc/st2/
conf/uwsgi/st2auth.ini etc/uwsgi.d
2 changes: 2 additions & 0 deletions packages/st2bundle/debian/postinst
@@ -5,6 +5,8 @@

set -e
USER=st2
mkdir -p /var/sockets/
chown $USER.$USER /var/sockets/
chown $USER.$USER /var/log/st2
if [ ! -f /etc/st2/htpasswd ]; then
touch /etc/st2/htpasswd
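Review bot: `chown $USER.$USER` uses the obsolete dot separator, which GNU chown only accepts while no user named `st2.st2` exists and which the st2api/st2auth postinst files in this commit do not use; write `chown $USER:$USER`. As in the other postinsts, `mkdir -p` plus `chown` leaves the mode to the umask; `install -d -m 0750 -o $USER -g $USER /var/sockets` is one explicit step. The unchanged `/var/log/st2` line carries the same dot form and should be fixed in passing.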
4 changes: 2 additions & 2 deletions packages/st2bundle/debian/st2bundle.st2api.init
@@ -18,8 +18,8 @@
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="st2api"
NAME=st2api
DAEMON=/usr/share/python/st2/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2/bin/gunicorn_pecan
DAEMON_ARGS="/usr/share/python/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
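Review bot: same command line as the standalone st2api init: `--threads 10` is ignored by the eventlet worker, `--config-file /etc/st2/st2.conf` is dropped without a replacement, and the socket is bound under gunicorn's default umask of 0, i.e. world-writable, so the API is reachable by any local account without going through nginx; add `--umask 007` and put the proxy user in the socket directory's group. The /usr/share/python/st2 prefix is correct for the bundle, which makes this the copy to template the others from.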
2 changes: 1 addition & 1 deletion packages/st2bundle/debian/st2bundle.st2api.upstart
@@ -19,5 +19,5 @@ script
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

/usr/share/python/st2/bin/$NAME ${DEFAULT_ARGS}
/usr/share/python/st2/bin/gunicorn_pecan /usr/share/python/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b unix:/var/sockets/st2api.sock --threads 10 --workers 1
end script
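Review bot: the defaults file is still sourced two lines up but DEFAULT_ARGS no longer appears on the exec line, so /etc/default/st2api can no longer influence the command; either reference a variable with a default or remove the sourcing. The exec line itself correctly uses the bundle's /usr/share/python/st2 prefix.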
8 changes: 3 additions & 5 deletions packages/st2bundle/debian/st2bundle.st2auth.init
@@ -18,12 +18,10 @@
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="st2auth"
NAME=st2auth
DAEMON=/usr/share/python/st2/bin/$NAME
DAEMON_ARGS="--config-file /etc/st2/st2.conf"
DAEMON=/usr/share/python/st2/bin/uwsgi
DAEMON_ARGS="--ini /etc/uwsgi.d/st2auth.ini"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
RUNAS_USER="st2"
RUNAS_GROUP="st2"

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
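Review bot: as in packages/st2auth/debian/st2auth.init, RUNAS_USER/RUNAS_GROUP are removed and the daemon starts as root so uWSGI can chown the socket before dropping to the ini's uid/gid; add a comment saying so, and keep `--config-file`'s job covered, since wsgi.py must now find /etc/st2/st2.conf on its own.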
@@ -61,7 +59,7 @@ do_start()
# 1 if daemon was already running
# 2 if daemon could not be started
lsb_running || return 1
start-stop-daemon --start --quiet --chuid $RUNAS_USER:$RUNAS_GROUP --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
start-stop-daemon --start --quiet --background --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
}
5 changes: 1 addition & 4 deletions packages/st2bundle/debian/st2bundle.st2auth.upstart
@@ -4,8 +4,6 @@ author "StackStorm Engineering <opsadmin@stackstorm.com>"
start on filesystem and net-device-up IFACE!=lo
stop on starting rc RUNLEVEL=[016]

setuid st2
setgid st2
respawn
respawn limit 2 5

@@ -14,10 +12,9 @@ kill timeout 60

script
NAME=st2auth
DEFAULT_ARGS="--config-file /etc/st2/st2.conf"

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

/usr/share/python/st2/bin/$NAME ${DEFAULT_ARGS}
/usr/share/python/st2auth/bin/uwsgi --ini /etc/uwsgi.d/st2auth.ini
end script
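Review bot: the exec line uses `/usr/share/python/st2auth/bin/uwsgi`, the standalone package's venv, but this is the bundle job: the line it replaces and st2bundle.st2auth.init in this commit both use /usr/share/python/st2, so on a bundle install this path does not exist, the job dies at start and upstart's `respawn limit 2 5` gives up after two tries. Change it to /usr/share/python/st2/bin/uwsgi.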
2 changes: 1 addition & 1 deletion rake/build/build_packages.rake
@@ -38,7 +38,7 @@ namespace :build do
buildroot = File.join(buildroot, package_name) unless opts.standalone

# hardcode to build only st2bundle and mistral
if ['mistral', 'st2bundle'].include?(package_name)
if ['st2common', 'st2auth', 'st2api'].include?(package_name)

@dennybaa dennybaa Jan 21, 2016 (Contributor)

this is what for? Could you plz explain. aw yeah, got it, you just build st2api and st2auth. ignore this)

@enykeev enykeev Jan 21, 2016 (Author, Member)

That's for myself. I'll remove it when it comes to PR.

with opts.env do
within buildroot do
make :changelog
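Review bot: the comment `# hardcode to build only st2bundle and mistral` now contradicts the list beneath it, which builds st2common, st2auth and st2api; the inline discussion says this is a local convenience to be reverted before the PR, so revert it (or update the comment) rather than let the WIP state land in history with a stale comment.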
9 changes: 9 additions & 0 deletions tmp
@@ -0,0 +1,9 @@
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
sudo bash -c "echo 'deb https://apt.dockerproject.org/repo ubuntu-trusty main' > /etc/apt/sources.list.d/docker.list"
sudo apt-get update
sudo apt-get install linux-image-extra-$(uname -r) docker-engine
sudo pip install wheel docker-compose
cd /mnt/st2-packages/
sudo docker-compose -f docker-compose.circle.yml run -e ST2_GITURL="https://github.com/stackstorm/st2" -e ST2_GITREV="master" -e ST2PKG_VERSION="1.3dev" -e ST2PKG_RELEASE="999" -e RABBITMQHOST="172.17.0.1" -e POSTGRESHOST="172.17.0.1" -e MONGODBHOST="172.17.0.1" trusty build
sudo dpkg -i /tmp/st2-packages/st2common_1.3dev-999_amd64.deb
sudo dpkg -i /tmp/st2-packages/st2api_1.3dev-999_amd64.deb
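Review bot: `tmp` is a scratch list of bootstrap commands committed at the repository root; it should not be part of the package sources. If the steps are worth keeping, turn them into a documented script under the existing build tooling, and separate environment setup (the apt-key/hkp fetch, `apt-get install docker-engine`, a system-wide `sudo pip install`) from the build and install steps. The docker-compose line is the Circle variant with external RabbitMQ/PostgreSQL/MongoDB hosts; the thread below points out that a plain docker-compose invocation is the local path.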

7 comments on commit ed74295

@arm4b (Member) commented on ed74295 Jan 20, 2016
FYI that long command:

sudo docker-compose -f docker-compose.circle.yml run -e ST2_GITURL="https://github.com/stackstorm/st2" -e ST2_GITREV="master" -e ST2PKG_VERSION="1.3dev" -e ST2PKG_RELEASE="999" -e RABBITMQHOST="172.17.0.1" -e POSTGRESHOST="172.17.0.1" -e MONGODBHOST="172.17.0.1" trusty build

is for Circle really which has built-in mongo and rabbit and some specific environment.

Locally you can use just simple (default way):

sudo docker-compose trusty build

This will be fully isolated (including containers for mongo and rabbit).

@arm4b (Member) commented on ed74295 Jan 20, 2016
Just researched a bit.

Seems /var/sockets/ is not within the best practices. It's best to place socket with non-root permissions into directory where program lives or in /tmp.
/run and /var/run are best suited for root processes.

I suspect /tmp/st2api.sock would be the best, just near the mongodb.sock, see:

root@ubuntu14:/# find / -name '*.sock'
/run/rpcbind.sock
/tmp/mongodb-27017.sock
/run/docker.sock

And this also will simplify life since we won't need to create/chown /var/sockets/ directory anymore.

Resources:

@arm4b (Member) commented on ed74295 Jan 20, 2016
Another corner case will be assumption that www-data user exists, which is not always the case. As i understand it comes from nginx.

I think I need to dig into apache or nginx packaging for this example, to see if we can create this user (ensure) without breaking anything else.


You probably saw that we already create stanley user if not exists:

if (! id stanley 2>/dev/null); then
adduser --group stanley
adduser --disabled-password --gecos "" --ingroup stanley stanley
fi

as example.

@arm4b (Member) commented on ed74295 Jan 20, 2016
@enykeev Sorry for not being super helpful, I had several issues with Vagrant networking & Docker pull & Vagrant I/O issues,
so I only commented, rather than trying to build/fix the things by myself.

The last one I'm experiencing is: #4 (comment)

Will continue to dig tomorrow by running everything in AWS instance (to avoid Vagrant).

@enykeev (Member, Author)

No, actually, you've been quite helpful. Moving sockets to /tmp will make my life so much easier, yet I wonder if there are any security implications in that decision.

As for www-data, yes, indeed, we're relying on the user being present. When I'm done with packaging, I'm going to try and move stuff around, see if I can probably make the username an env variable or pick another user inside nginx config on a per-server basis.

There's actually quite a lot of stuff to do on the nginx config side. We need to reevaluate the hacks we've added there to see which of them are still required and see if we can make it simpler. I was a little bit startled when @lakshmi-kannan told me our final deliverable is docs and not a script, so we can't just throw a load of cryptic code at our user and tell him to trust us.

@enykeev (Member, Author)

well, apparently you can't use /tmp for sockets because of systemd security feature called privatetmp. You can probably disable it, but you would have to do the same for nginx for it to work. Shame, it was a good idea. I'm moving sockets to /run though.

@dennybaa (Contributor)

+1 to what @armab says. Please choose the standard socket directory for each platform. /tmp/ is not the best place.

Regarding www-data, it's better to check how it's created in other packages like apache, nginx and try to create it in exactly the same manner if it doesn't exist... Bringing nginx/apache in as a dependency doesn't look good at all.
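The three points the thread settles on (a socket under /tmp is invisible to a proxy unit running with PrivateTmp=true, the 644/www-data ownership pair, and the assumption that a www-data account exists) can be checked mechanically against the uwsgi ini files in this commit. The following is an added example written for this page; it is not code from st2-packages or from uWSGI. It assumes the ini keys shown in the diff, uWSGI's documented default of treating SIGTERM as a reload unless `die-on-term` is set, and the POSIX rule that connect() on a unix-domain socket requires write permission on the socket inode. The list of known users and the /tmp variant ini are constructed for the demonstration.

```python
"""Lint a uWSGI [uwsgi] section for unix-socket exposure (added example)."""
import configparser

# Constructed sample: the st2auth.ini added in this commit, copied verbatim.
ST2AUTH_INI = """\
[uwsgi]
uid = st2
gid = st2
chmod-socket = 644
chown-socket = www-data:www-data
processes = 1
socket = /var/sockets/st2auth.sock
threads = 10
vacuum = true
wsgi-file = /usr/share/python/st2auth/lib/python2.7/site-packages/st2auth/wsgi.py
"""

# Constructed variant following the "/tmp/st2auth.sock" idea from the thread.
TMP_VARIANT_INI = """\
[uwsgi]
uid = st2
gid = st2
chmod-socket = 666
socket = /tmp/st2auth.sock
die-on-term = true
wsgi-file = /usr/share/python/st2auth/lib/python2.7/site-packages/st2auth/wsgi.py
"""


def parse_uwsgi_ini(text):
    """Return the [uwsgi] section as a plain dict. uWSGI does not use
    configparser-style %(x)s interpolation, so it is switched off."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["uwsgi"])


def can_connect(user, user_groups, owner, group, mode):
    """POSIX DAC for connect() on a unix socket: the caller needs write
    permission on the socket inode (search permission on the directories is
    assumed here); root bypasses the check entirely."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & 0o200)
    if group in user_groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def lint_socket_config(cfg, proxy_private_tmp=True, known_users=frozenset({"root"})):
    """Return a list of findings for one parsed [uwsgi] section."""
    findings = []
    if proxy_private_tmp and cfg.get("socket", "").startswith("/tmp/"):
        findings.append("socket under /tmp: a proxy unit with PrivateTmp=true gets its "
                        "own /tmp and cannot reach it")
    if "chmod-socket" in cfg:
        mode = int(cfg["chmod-socket"], 8)  # chmod-socket is an octal string
        if mode & 0o002:
            findings.append("chmod-socket %s: world-writable, any local account can "
                            "connect" % cfg["chmod-socket"])
    else:
        findings.append("chmod-socket unset: socket mode falls back to the process umask")
    if "chown-socket" in cfg:
        owner = cfg["chown-socket"].split(":", 1)[0]
        if owner not in known_users:
            findings.append("chown-socket assumes user %r exists on the target host" % owner)
        if cfg.get("uid") not in (None, "root", "0"):
            findings.append("chown-socket with uid=%s: uWSGI must start as root and drop "
                            "privileges itself, so the init script must not also setuid"
                            % cfg["uid"])
    if cfg.get("die-on-term", "false").lower() not in ("true", "1", "yes", "on"):
        findings.append("die-on-term unset: uWSGI reloads on SIGTERM instead of exiting, "
                        "so 'stop' may not stop it")
    return findings


def lint_ini_text(text, **kwargs):
    """Convenience wrapper: parse then lint."""
    return lint_socket_config(parse_uwsgi_ini(text), **kwargs)


if __name__ == "__main__":
    hosts_users = frozenset({"root", "st2"})  # constructed: no www-data on this host
    for name, text in (("st2auth.ini", ST2AUTH_INI), ("tmp variant", TMP_VARIANT_INI)):
        print(name)
        for finding in lint_ini_text(text, known_users=hosts_users):
            print("  -", finding)
    print("st2 can connect to 644 www-data socket:",
          can_connect("st2", {"st2"}, "www-data", "www-data", 0o644))
```

Run as a script it lists the findings for the committed st2auth.ini and for the /tmp variant; `can_connect` shows why a 644 socket owned by www-data is reachable only by the proxy, while a 666 socket (or one created under gunicorn's default umask of 0) is reachable by every local account.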
