allow puma/systemd deployment

[evgeni]

No description provided.

[evgeni]

I guess something is incompatible with systemd 5.x 😿

[ekohl]

Looks good.

For unix sockets: we did find it was needed to set the hostname: https://github.com/theforeman/puppet-foreman/blob/af5dbe295525aa375c1ecc15225a40e95ef36053/manifests/config/apache.pp#L132

That part is what it supposedly connected to. https://stackoverflow.com/questions/51243332/apache-proxy-pass-to-unix-domain-socket/73741715#73741715 uses %{HTTP_HOST} which may actually be better than what we do.

So changing the proxy_pass url to `unix:///path/to/socket|http://

[ekohl]

In Foreman we also unset SSL client cert parameters. Is that not needed here because Redmine ignores those?

[evgeni]

that was my assumption, nothing uses client auth here, so no need to unset.

[evgeni]

Two TODOs for the future (will become issues in this repo once this PR is merged):

• switch redmine to use a unix socket instead of TCP #1885
• use puppet/systemd 6.0 features #1886
• flip this to use CentOS Stream 9 instead of 8

[ekohl]

• switch to a unix socket (this will require some selinux mangling, as the socket by default is created as var_run_t and Apache can't write to that, so we'll need to make it be created as httpd_var_run_t)

There's this context:

/var/run/apache.*                                  all files          system_u:object_r:httpd_var_run_t:s0 

So would using /run/apache.redmine.sock automatically get the correct context? Manual way suggests it would:

# touch /var/run/apache.redmine.sock
# ls -lZ /var/run/apache.redmine.sock
-rw-r--r--. 1 root root unconfined_u:object_r:var_run_t:s0 0 Sep  5 12:41 /var/run/apache.redmine.sock

[evgeni]

type=AVC msg=audit(1693980504.181:4437): avc:  denied  { connectto } for  pid=62541 comm="httpd" path="/run/apache-redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

Too damn smart this thing is.

The socket is owned correctly:

# ls -alhZ /run/apache-redmine.sock 
srw-------. 1 apache apache system_u:object_r:httpd_var_run_t:s0 0 Sep  6 06:08 /run/apache-redmine.sock

But the service is running as unconfined_service_t and thus denied by SELinux:

[root@redmine ~]# ps auxZ |grep puma
system_u:system_r:unconfined_service_t:s0 redmine 62615 3.3  8.4 555808 170152 ? Ssl  06:10   0:02 puma 6.3.1 (unix:///run/apache-redmine.sock) [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62621 0.1  8.6 758724 173848 ? Sl   06:10   0:00 puma: cluster worker 0: 62615 [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62622 0.0  8.1 623492 162284 ? Sl   06:10   0:00 puma: cluster worker 1: 62615 [redmine]

[ekohl]

I think that's what SELinuxContext= is for. Quoting man systemd.exec:

       SELinuxContext=
           Set the SELinux security context of the executed process. If set, this will override the automated domain transition. However, the policy still needs to authorize the
           transition. This directive is ignored if SELinux is disabled. If prefixed by "-", failing to set the SELinux security context will be ignored, but it's still possible
           that the subsequent execve() may fail if the policy doesn't allow the transition for the non-overridden context. This does not affect commands prefixed with "+". See
           setexeccon(3) for details.

The question is then: which domain would make sense.

[evgeni]

The question is then: which domain would make sense.

Yeah, and this is something I'd prefer to think about another day ;)

[ekohl]

I'd be good with an issue that summarizes the information about using a unix socket instead of TCP.

[evgeni]

Opened #1885 and #1886 for the follow ups