-
-
Save vandorjw/8294866 to your computer and use it in GitHub Desktop.
| # This is a step by step tutorial on how to run uwsgi in emperor mode, | |
| # behind nginx on Fedora 20. I'll add to the tutorial as time goes on. | |
| # SeLinux will likely be a pain (even in permissive mode), so please see my comment on how to fix it. | |
| sudo yum upgrade | |
| sudo yum install nano yum-utils gcc uwsgi-plugin-python3 nginx | |
| yum-builddep python3-psycopg2 | |
| yum-builddep python3-Pillow | |
| 1. usermod -a nginx -G uwsgi | |
| 2. ??? | |
| 3. Place the following in /etc/uwsgi.d/me_vandorjw.ini | |
| # | |
| # me_vandorjw.ini | |
| # | |
| [uwsgi] | |
| #variables | |
| projectname = vandorjw | |
| base = /var/sites/me/vandorjw | |
| plugins = python3 | |
| chdir = %(base)/src/%(projectname) | |
| pythonpath = %(base)/src/%(projectname) | |
| virtualenv = %(base)/venv/%(projectname) | |
| env = DJANGO_SETTINGS_MODULE=%(projectname).settings | |
| module = django.core.handlers.wsgi:WSGIHandler() | |
| socket = /run/uwsgi/%n.socket | |
| chmod-socket = 660 | |
| logto = %(base)/logs/uwsgi.log | |
| 4. sudo chown uwsgi:uwsgi /etc/uwsgi.d/me_vandorjw.ini | |
| 5. place the following in /etc/nginx/conf.d/me_vandorjw.conf | |
| server { | |
| listen 80; | |
| server_name vandorjw.me; | |
| access_log /var/sites/me/vandorjw/logs/access.log; | |
| error_log /var/sites/me/vandorjw/logs/error.log; | |
| location /static/ { | |
| alias /var/sites/me/vandorjw/static/; | |
| } | |
| location /media/ { | |
| alias /var/sites/me/vandorjw/media/; | |
| } | |
| location / { | |
| uwsgi_pass unix:///run/uwsgi/me_vandorjw.socket; | |
| include uwsgi_params; | |
| } | |
| error_page 404 /404.html; | |
| location = /40x.html { | |
| root /usr/share/nginx/html; | |
| } | |
| error_page 500 502 503 504 /50x.html; | |
| location = /50x.html { | |
| root /usr/share/nginx/html; | |
| } | |
| } | |
| 5. Grab this script. Place it in your home dir, calling it pyvenv3.py | |
| http://docs.python.org/3/library/venv.html#an-example-of-extending-envbuilder | |
| 6. sudo mkdir -p /var/sites/me/vandorjw/ | |
| 7. sudo chown -R fedora /var/sites | |
| 7b. alternatively, use ACL | |
| 8. cd /var/sites/me/vandorjw/ | |
| 9. mkdir venv logs media static src | |
| 10. python3 ~/pyvenv3.py venv/vandorjw | |
| 11. source venv/vandorjw/bin/activate | |
| 12. pip install django, south, pillow, psycopg2 | |
| 13. cd src | |
| 14. django-admin.py startproject vandorjw | |
| 15. cd .. | |
| 15. sudo semanage fcontext -a -t httpd_log_t -r s0 "/var/sites/me/vandorjw/logs(/.*)?" | |
| 16. sudo restorecon -R logs/ | |
| 17. touch /var/sites/me/vandorjw/logs/uwsgi.log | |
| 17. sudo chgrp uwsgi /var/sites/me/vandorjw/logs | |
| 17. sudo chown uwsgi:uwsgi /var/sites/me/vandorjw/logs/uwsgi.log | |
| 17. sudo systemctl enable nginx.service | |
| 18. sudo systemctl enable uwsgi.service | |
| 19. Place the following line in /etc/tmpfiles.d/uwsgi.conf | |
| D /run/uwsgi 0770 uwsgi uwsgi - | |
| Restart Server - Enjoy Life |
Fix SELINUX
Run all these commands are root
- ausearch -m avc -ts today
You'll likely see messages like this:
time->Thu Jan 9 01:45:37 2014
type=SYSCALL msg=audit(1389231937.166:58): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7f27e09931f8 a2=6e a3=7fffb8952460 items=0 ppid=542 pid=543 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389231937.166:58): avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
- Where it starts with "avc: denied { write } for pid=543" .... all the way until ".....tclass=sock_file", highlight the message and insert it quotes between
echo " the long error message" | audit2why
EXAMPLE
echo "avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file" | audit2why
- It'll make a suggestion on what to do... Just take that same message, and instead of "audit2why", use audit2allow
echo "avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file" | audit2allow -M nginx-uwsgi
- semodule -i nginx-uwsgi.pp
reboot
Alternatively --Edit /etc/sysconfig/selinux to disable selinux
(bad alternative)
touch /etc/tmpfiles.d/uwsgi.conf
D /run/uwsgi 0770 uwsgi uwsgi -
usermod -a nginx -G uwsgi
usermod -a (username) -G uwsgi
Then add
chmod-socket = 660
to each vassal
The explaination for why we do this is this:
In the Linux implementation, sockets which are visible in the
filesystem honor the permissions of the directory they are in. Their
owner, group and their permissions can be changed. Creation of a new
socket will fail if the process does not have write and search
(execute) permission on the directory the socket is created in.
Connecting to the socket object requires read/write permission.
source: http://man7.org/linux/man-pages/man7/unix.7.html