From a9becc2c0373e47b516e2749a1c668a7122f72ad Mon Sep 17 00:00:00 2001
From: clime
Date: May 27 2016 08:58:46 +0000
Subject: [dockerized-backend] signing rpms enabled (copr-keygen part added)
---
diff --git a/backend/docker/Dockerfile b/backend/docker/Dockerfile
index c0b5e44..4d3f929 100644
--- a/backend/docker/Dockerfile
+++ b/backend/docker/Dockerfile
@@ -43,6 +43,10 @@ RUN dnf -y install glib2
 RUN dnf -y install ca-certificates
 RUN dnf -y install scl-utils-build
 RUN dnf -y install ethtool
+RUN dnf -y install copr-keygen
+RUN dnf -y install nginx
+
+RUN echo '127.0.0.1 keygen' > /etc/hosts
 RUN export LANG=en_US.utf8
 RUN setcap cap_net_raw,cap_net_admin+p /usr/bin/ping
@@ -65,6 +69,19 @@ RUN cat /home/copr/.ssh/id_rsa.pub >> /home/copr/.ssh/authorized_keys
 RUN chown copr:copr -R /home/copr
 RUN usermod -a -G mock copr
+RUN dnf -y install uwsgi
+RUN dnf -y install uwsgi-plugin-python
+RUN mkdir /var/log/uwsgi
+RUN chown apache:apache /var/log/uwsgi
+
+# perhaps change umask instead of this
+RUN chmod 775 /var/log/uwsgi
+
+RUN chown apache:apache /var/run/uwsgi
+RUN chmod 775 /var/run/uwsgi
+
+RUN usermod copr-signer -G apache
+
 COPY . /copr
 RUN dnf -y builddep /copr/backend/copr-backend.spec
 RUN rm -rf /tmp/tito && cd /copr/backend && LANG=en_US.UTF-8 tito build --test --rpm
@@ -73,6 +90,12 @@ RUN dnf -y install /tmp/tito/noarch/copr-backend*.noarch.rpm
 COPY backend/docker/files/ /
 RUN chmod 700 /root && chmod 700 /home/copr && chown copr:copr /home/copr # fix permission after COPY
+RUN chown copr-signer:apache /etc/uwsgi.d/copr-keygen.ini
+
 RUN dnf -y downgrade fedpkg # temporary fix cause fedpkg-copr doesn't work with the new version of fedpkg
 RUN dnf -y install ansible1.9 --allowerasing # copr does not support ansible2 yet
+
+# todo: it seems config in /etc/sysctl.conf is not taken into account
+RUN echo 4096 > /proc/sys/net/core/somaxconn
+
 CMD ["/bin/run.sh"]
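Review bot: `RUN echo '127.0.0.1 keygen' > /etc/hosts` does not survive into the image: the builder manages /etc/hosts inside every build container and the write is not committed with the layer, and it also truncates the file instead of appending. At runtime `keygen_host=keygen` (set in copr-be.conf by this same commit) then has nothing to resolve against. Provide the alias when the container starts instead, e.g. `docker run --add-host keygen:127.0.0.1 …` or an append in /bin/run.sh, and drop the RUN line.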
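Review bot: `RUN usermod copr-signer -G apache` replaces copr-signer's supplementary group list rather than extending it, unlike the `usermod -a -G mock copr` line just above; if the copr-keygen package gives that account any other group, this silently drops it. Use the same append form, `RUN usermod -a -G apache copr-signer`. The 775 modes on /var/log/uwsgi and /var/run/uwsgi (the comment already suspects umask is the better tool) line up with `umask = 002` in the vassal ini, but they also make both directories writable by every apache-group member, including the nginx workers this commit runs as `user nginx apache`; a comment saying that is intended would help the next reader.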
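Review bot: `RUN echo 4096 > /proc/sys/net/core/somaxconn` cannot take effect in the image: /proc is not part of any layer, and /proc/sys is normally mounted read-only in an unprivileged build container, so the step either fails the build or is a no-op. It also disagrees with the 512 in the new sysctl.conf later in this patch, which nothing in a supervisord-driven container applies either, hence the todo comment. Set the value where the network namespace actually exists, at container start (`docker run --sysctl net.core.somaxconn=4096 …`), and drop the RUN line and the sysctl.conf file, or keep one of them with a comment saying it is documentation only.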
diff --git a/backend/docker/files/etc/copr/copr-be.conf b/backend/docker/files/etc/copr/copr-be.conf
index 7884153..7e52090 100644
--- a/backend/docker/files/etc/copr/copr-be.conf
+++ b/backend/docker/files/etc/copr/copr-be.conf
@@ -80,11 +80,11 @@ sleeptime=30
 # enable package signing, require configured
 # signer host and correct /etc/sign.conf
-# do_sign=false
+do_sign=true
 # host or ip of machine with copr-keygen
 # usually the same as in /etc/sign.conf
-# keygen_host=example.com
+keygen_host=keygen
 # minimum age for builds to be pruned
 prune_days=14
diff --git a/backend/docker/files/etc/copr/copr-keygen.conf b/backend/docker/files/etc/copr/copr-keygen.conf
new file mode 100644
index 0000000..9aa1005
--- /dev/null
+++ b/backend/docker/files/etc/copr/copr-keygen.conf
@@ -0,0 +1,10 @@
+DEBUG = False
+
+PHRASES_DIR = "/var/lib/copr-keygen/phrases/"
+GPG_BINARY = "/bin/gpg2"
+GNUPG_HOMEDIR = "/var/lib/copr-keygen/gnupg/"
+
+GPG_KEY_LENGTH = 2048
+GPG_EXPIRE = "5y"
+
+LOG_DIR = "/var/log/copr-keygen"
diff --git a/backend/docker/files/etc/nginx/conf.d/copr-be.conf b/backend/docker/files/etc/nginx/conf.d/copr-be.conf
new file mode 100644
index 0000000..dcc6fa7
--- /dev/null
+++ b/backend/docker/files/etc/nginx/conf.d/copr-be.conf
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name backend;
+ charset utf-8;
+
+ root /var/lib/copr/public_html/;
+
+ location / {
+ autoindex on;
+ }
+}
+
+server {
+ listen 5002;
+ listen [::]:5002;
+
+ server_name localhost;
+ charset utf-8;
+
+ root /var/lib/copr/public_html/;
+
+ location / {
+ autoindex on;
+ }
+}
diff --git a/backend/docker/files/etc/nginx/conf.d/copr-keygen.conf b/backend/docker/files/etc/nginx/conf.d/copr-keygen.conf
new file mode 100644
index 0000000..d61c462
--- /dev/null
+++ b/backend/docker/files/etc/nginx/conf.d/copr-keygen.conf
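Review bot: The :80 results vhost in conf.d/copr-be.conf is only selected when the request carries `Host: backend`; nginx.conf in this same patch also binds `listen 80 default_server` with `server_name _`, so a request to the container's IP on port 80 gets the stock welcome page from /usr/share/nginx/html rather than /var/lib/copr/public_html. If the results must be reachable by address as lighttpd presumably served them, make this block the default (`listen 80 default_server;`, `listen [::]:80 default_server;`) and remove the stock server block from nginx.conf. The :5002 block is the only server on that port, so it already acts as default there regardless of its `server_name localhost`.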
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name keygen;
+
+ location / {
+ include uwsgi_params;
+ uwsgi_pass unix:/run/uwsgi/copr-keygen.sock;
+ }
+}
diff --git a/backend/docker/files/etc/nginx/nginx.conf b/backend/docker/files/etc/nginx/nginx.conf
new file mode 100644
index 0000000..6dbd800
--- /dev/null
+++ b/backend/docker/files/etc/nginx/nginx.conf
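Review bot: The copr-keygen vhost listens on every interface (`listen 80;`, `listen [::]:80;`) although its only client is the backend in the same container, which reaches it through the `127.0.0.1 keygen` alias, and sign.conf in this patch likewise limits signd to 127.0.0.1. Anything that can reach port 80 with `Host: keygen` can drive the key-generation API, so bind it to loopback only: `listen 127.0.0.1:80;` and drop the `listen [::]:80;` line (nginx dispatches by the accepted address, so the wildcard default server and the results vhost keep working). A one-line comment, `# socket is created by the copr-keygen vassal as copr-signer:apache, mode 0664`, would tie the uwsgi_pass path to the uwsgi ini that creates it.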
@@ -0,0 +1,88 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx apache;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ root /usr/share/nginx/html;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ location / {
+ }
+
+ error_page 404 /404.html;
+ location = /40x.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+
+ }
+
+# Settings for a TLS enabled server.
+#
+# server {
+# listen 443 ssl;
+# listen [::]:443 ssl;
+# server_name _;
+# root /usr/share/nginx/html;
+#
+# ssl_certificate "/etc/pki/nginx/server.crt";
+# ssl_certificate_key "/etc/pki/nginx/private/server.key";
+# ssl_session_cache shared:SSL:1m;
+# ssl_session_timeout 10m;
+# ssl_ciphers PROFILE=SYSTEM;
+# ssl_prefer_server_ciphers on;
+#
+# # Load configuration files for the default server block.
+# include /etc/nginx/default.d/*.conf;
+#
+# location / {
+# }
+#
+# error_page 404 /404.html;
+# location = /40x.html {
+# }
+#
+# error_page 500 502 503 504 /50x.html;
+# location = /50x.html {
+# }
+# }
+
+}
+
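Review bot: `user nginx apache;` is the one line that departs from the stock Fedora nginx.conf and nothing says why; the group is presumably there so the workers can connect to the copr-keygen uwsgi socket (created as copr-signer:apache with `chmod-socket = 664` elsewhere in this patch), so add `# group apache: workers must be able to open /run/uwsgi/copr-keygen.sock (copr-signer:apache, 0664)` above it. The commented TLS server block and the `default.d` includes are vendor boilerplate carried along unchanged; either trim them or add a header comment saying this is the Fedora default plus the group change, so future diffs show only what is deliberate.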
diff --git a/backend/docker/files/etc/sign.conf b/backend/docker/files/etc/sign.conf
new file mode 100644
index 0000000..35fa197
--- /dev/null
+++ b/backend/docker/files/etc/sign.conf
@@ -0,0 +1,14 @@
+### for build service host
+#server:
+#user: build@suse.de
+#allowuser: obsrun
+#
+### for sign server
+#allow:
+#phrases: /root/.phrases
+---
+server: 127.0.0.1
+
+allow: 127.0.0.1
+phrases: /var/lib/copr-keygen/phrases
+gpg: /bin/gpg_copr.sh
diff --git a/backend/docker/files/etc/supervisord.conf b/backend/docker/files/etc/supervisord.conf
index af211b4..4673e4c 100644
--- a/backend/docker/files/etc/supervisord.conf
+++ b/backend/docker/files/etc/supervisord.conf
@@ -128,9 +128,15 @@ serverurl=unix:///var/run/supervisor/supervisor.sock ; use a unix:// URL for a
 [program:sshd]
 command=/usr/sbin/sshd -D
-[program:lighttpd]
-command=/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
-priority=600
+#[program:lighttpd]
+#command=/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
+#priority=600
+[program:nginx]
+pidfile=/run/nginx.pid
+command=/usr/sbin/nginx
+
+[program:uwsgi]
+command=/usr/sbin/uwsgi --ini /etc/uwsgi.ini
 [program:redis]
 command=/usr/bin/redis-server /etc/redis.conf
@@ -166,5 +172,12 @@ group=root
 environment=PYTHONPATH="/usr/share/copr/"
 priority=904
+[program:signd]
+command=/usr/sbin/signd -f
+user=root
+group=root
+pidfile=/var/run/signd.pid
+priority=905
+
 [include]
 files = supervisord.d/*.ini
diff --git a/backend/docker/files/etc/sysctl.conf b/backend/docker/files/etc/sysctl.conf
new file mode 100644
index 0000000..64cf7c1
--- /dev/null
+++ b/backend/docker/files/etc/sysctl.conf
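Review bot: `command=/usr/sbin/nginx` in `[program:nginx]` will daemonize, because the nginx.conf added by this patch does not set `daemon off;`; supervisord then sees its child exit at once and reports nginx as exited/FATAL while a detached master keeps running outside its control, and the lighttpd entry being replaced used `-D` for exactly this reason. Use `command=/usr/sbin/nginx -g 'daemon off;'`. `pidfile=` here and in the `[program:signd]` hunk below is not a supervisord program option and as far as I can tell is silently ignored, so both lines should go. nginx and uwsgi also keep the default priority 999, i.e. they start after signd at 905, which is fine only if the keygen vassal tolerates signd not yet listening; a comment stating the intended order would settle it.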
@@ -0,0 +1,12 @@
+# sysctl settings are defined through files in
+# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
+#
+# Vendors settings live in /usr/lib/sysctl.d/.
+# To override a whole file, create a new file with the same in
+# /etc/sysctl.d/ and put new settings there. To override
+# only specific settings, add a file with a lexically later
+# name in /etc/sysctl.d/ and put new settings there.
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).
+
+net.core.somaxconn = 512
diff --git a/backend/docker/files/etc/uwsgi.d/copr-keygen.ini b/backend/docker/files/etc/uwsgi.d/copr-keygen.ini
new file mode 100644
index 0000000..2d65418
--- /dev/null
+++ b/backend/docker/files/etc/uwsgi.d/copr-keygen.ini
@@ -0,0 +1,41 @@
+[uwsgi]
+
+project_name = copr-keygen
+
+plugins = python
+
+env = LANG=en_US.utf8
+
+master = master
+
+processes = 2
+
+socket = /var/run/uwsgi/%(project_name).sock
+
+chmod-socket = 664
+
+umask = 002
+
+chdir = /usr/share/copr-keygen
+
+#home = /home/clime/.venvs/copr-keygen
+
+wsgi-file = application.py
+
+logto = /var/log/uwsgi/%(project_name).log
+
+stats = /var/run/uwsgi/%(project_name)-stats.sock
+
+pidfile = /var/run/uwsgi/%(project_name).pid
+
+touch-reload = /var/run/uwsgi/%(project_name).pid
+
+listen = 256
+
+vacuum = true
+
+buffer-size = 32768
+
+pythonpath = /usr/lib/python3.4/site-packages
+
+env = COPR_KEYGEN_CONFIG=/etc/copr/copr-keygen.conf
diff --git a/backend/docker/files/etc/uwsgi.ini b/backend/docker/files/etc/uwsgi.ini
new file mode 100644
index 0000000..564e865
--- /dev/null
+++ b/backend/docker/files/etc/uwsgi.ini
@@ -0,0 +1,9 @@
+[uwsgi]
+uid = apache
+gid = apache
+pidfile = /run/uwsgi/uwsgi.pid
+emperor = /etc/uwsgi.d
+stats = /run/uwsgi/stats.sock
+logto=/var/log/uwsgi/emperor.log
+emperor-tyrant = true
+cap = setgid,setuid
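Review bot: `plugins = python` together with the `uwsgi-plugin-python` package the Dockerfile installs is, on Fedora of this vintage, the Python 2 plugin, yet `pythonpath = /usr/lib/python3.4/site-packages` points at a Python 3 tree; if copr-keygen runs under Python 3 the vassal needs `plugins = python3` and the image `uwsgi-plugin-python3` — confirm which interpreter the package targets. `master = master` reads as a slip for `master = true`, and `#home = /home/clime/.venvs/copr-keygen` is a developer's venv path that should not ship in image config. The emperor ini in the next hunk would benefit from one explanatory comment, since `cap = setgid,setuid` and `emperor-tyrant = true` only make sense together: `# tyrant mode: each vassal runs as the owner of its ini (copr-keygen.ini is chown'd copr-signer:apache in the Dockerfile); cap= presumably keeps setuid/setgid after the emperor drops from root to apache`.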