switch redmine to use a unix socket instead of TCP #1885

Open
evgeni opened this issue Sep 6, 2023 · 0 comments

Comments

@evgeni
Member

evgeni commented Sep 6, 2023

In #1883 we deployed redmine with Puma using a TCP socket.

From past experience (with Foreman) we know that using a Unix socket is better performance-wise.

To achieve that we need to

  • deploy the systemd socket as a unix socket
  • make apache use it

In theory, all this can be achieved by the following patch:

diff --git puppet/modules/redmine/files/redmine.socket puppet/modules/redmine/files/redmine.socket
index 63eb431f..504e4336 100644
--- puppet/modules/redmine/files/redmine.socket
+++ puppet/modules/redmine/files/redmine.socket
@@ -5,7 +5,9 @@
 Description=redmine socket
 
 [Socket]
-ListenStream=3000
+ListenStream=/run/apache-redmine.sock
+SocketUser=apache
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
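Review bot: the SELinux side of the switch has nowhere to land in this hunk: SocketUser=apache with SocketMode=0600 correctly restricts, at the DAC level, who may connect to /run/apache-redmine.sock, but the process that accepts on the systemd-passed fd is still launched by the .service unit, and SELinuxContext= is a .service directive, so the connectto denial quoted below (httpd_t to unconfined_service_t) is untouched by this change. Either extend the patch to the .service unit or leave a comment in the socket unit that the service side must be labeled. Minor: with no SocketGroup= the socket stays group root, which is harmless under 0600 but deserves a one-line comment so nobody later "fixes" it by widening the mode.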
diff --git puppet/modules/redmine/manifests/init.pp puppet/modules/redmine/manifests/init.pp
index e968d780..0f88eac7 100644
--- puppet/modules/redmine/manifests/init.pp
+++ puppet/modules/redmine/manifests/init.pp
@@ -182,7 +182,7 @@ class redmine (
           '/server-status', '/help', '/images', '/javascripts', '/plugin_assets', '/stylesheets', '/themes', '/favicon.ico',
         ],
         'path'          => '/',
-        'url'           => 'http://127.0.0.1:3000/',
+        'url'           => 'unix:///run/apache-redmine.sock|http://%{HTTP_HOST}/',
       },
     }
 
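Review bot: the host part of 'unix:///run/apache-redmine.sock|http://%{HTTP_HOST}/' reaches Apache as the literal string %{HTTP_HOST}: the Puppet string is single-quoted, so Puppet does not interpolate it, and ProxyPass has no %{...} expansion of its own (its "interpolate" option only handles ${VAR} environment variables). For a unix: target the part after '|' supplies only the scheme and a placeholder host, so the form from the mod_proxy documentation, 'unix:/run/apache-redmine.sock|http://localhost/', is the predictable choice; if Puma needs the client's Host header, ProxyPreserveHost On is the documented way to get it rather than encoding it in the target URL. Worth confirming against the rendered httpd.conf before this is merged.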

However, when we tried to deploy that, SELinux would prevent access. First because the socket in /run was labeled var_run_t, but that we fixed by using the apache- prefix, which makes the kernel automatically label it as httpd_var_run_t. Then because Apache is not allowed to connect to an unconfined service (behind that socket):

type=AVC msg=audit(1693980504.181:4437): avc:  denied  { connectto } for  pid=62541 comm="httpd" path="/run/apache-redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

[root@redmine ~]# ps auxZ |grep puma
system_u:system_r:unconfined_service_t:s0 redmine 62615 3.3  8.4 555808 170152 ? Ssl  06:10   0:02 puma 6.3.1 (unix:///run/apache-redmine.sock) [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62621 0.1  8.6 758724 173848 ? Sl   06:10   0:00 puma: cluster worker 0: 62615 [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62622 0.0  8.1 623492 162284 ? Sl   06:10   0:00 puma: cluster worker 1: 62615 [redmine]

We gotta label the service correctly (systemd has the SELinuxContext= directive for that), but we don't know yet which label would fit best.
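The report above runs into two distinct SELinux failures that look alike in the audit log: a wrongly labeled socket file (var_run_t instead of httpd_var_run_t) and, once that is fixed, httpd_t being refused a connectto to the listening Puma process because it runs as unconfined_service_t. The following POSIX shell helper is an added example, not code from the issue or from the project's Puppet modules; it parses the AVC line quoted above together with a constructed line for the first failure mode (the sock_file denial, with a placeholder file name) and tells the two cases apart, because the remediation differs: a file-context fix for the former, a service-domain fix (SELinuxContext= on the .service unit) for the latter. The field names it extracts (comm, path, name, scontext, tcontext, tclass) are the standard AVC fields as they appear in the quoted line.

```shell
#!/bin/sh
# Added example (not from the issue or the project's code): classify SELinux AVC
# denials for an Apache -> Puma unix socket into "file label" vs "peer domain".

# Real denial quoted in the issue report.
AVC_CONNECTTO='type=AVC msg=audit(1693980504.181:4437): avc:  denied  { connectto } for  pid=62541 comm="httpd" path="/run/apache-redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# Constructed line (not from the issue) illustrating the first failure the author
# describes: the socket file in /run labeled var_run_t; the name is a placeholder.
AVC_SOCKFILE='type=AVC msg=audit(1693980000.000:1): avc:  denied  { write } for  pid=1 comm="httpd" name="redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'

# avc_field NAME LINE: value of NAME=value with surrounding quotes stripped,
# empty when the field is absent.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission named inside "{ ... }" (e.g. connectto).
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify LINE:
#   file-label:<type>   the object is a filesystem object; fix its file context
#   peer-domain:<type>  the object is the peer's socket; fix the service's domain
#   other:<class>:<perm> anything this helper does not know about
avc_classify() {
  _tclass=$(avc_field tclass "$1")
  _ttype=$(avc_type "$(avc_field tcontext "$1")")
  case "$_tclass" in
    sock_file|file|dir|lnk_file) printf 'file-label:%s\n' "$_ttype" ;;
    unix_stream_socket) printf 'peer-domain:%s\n' "$_ttype" ;;
    *) printf 'other:%s:%s\n' "$_tclass" "$(avc_perm "$1")" ;;
  esac
}

# avc_report LINE: one-line triage naming the source domain and the direction
# of the fix; it deliberately does not guess which target label is right.
avc_report() {
  _src=$(avc_type "$(avc_field scontext "$1")")
  _kind=$(avc_classify "$1")
  case "$_kind" in
    file-label:*)
      printf '%s denied %s on %s labeled %s: compare "ls -Z" with "matchpathcon", then restorecon or fix the fcontext\n' \
        "$_src" "$(avc_perm "$1")" "$(avc_field name "$1")" "${_kind#file-label:}" ;;
    peer-domain:*)
      printf '%s denied %s to %s whose listener runs as %s: label the service via SELinuxContext= in its unit\n' \
        "$_src" "$(avc_perm "$1")" "$(avc_field path "$1")" "${_kind#peer-domain:}" ;;
    *)
      printf '%s: unhandled denial %s\n' "$_src" "$_kind" ;;
  esac
}

avc_report "$AVC_SOCKFILE"
avc_report "$AVC_CONNECTTO"
```

In practice you would feed it `ausearch -m avc -ts recent` output line by line; the point of splitting on tclass is that a denial against a sock_file object is solved on disk (file contexts), while a denial against a unix_stream_socket object is about the peer process's domain and no amount of relabeling the path will clear it, which is exactly the second wall the issue hits.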
