Add selinux settings
This commit is contained in:
parent
450305499e
commit
180cc1c36f
18
README.md
18
README.md
@ -5,7 +5,7 @@
|
||||
The purpose of these scripts it to enable setting up a koji environment quickly
|
||||
with reasonable configurations.
|
||||
|
||||
These scripts have been borrowed from Clear Linux and modofied to suit the smeserver (Koozali.org) setup.
|
||||
These scripts have been borrowed from Clear Linux and modified to suit the smeserver (Koozali.org) setup.
|
||||
|
||||
## Assumptions
|
||||
|
||||
@ -15,16 +15,14 @@ These scripts have been borrowed from Clear Linux and modofied to suit the smese
|
||||
* Basic configurations (e.g. network, time, etc.) have been applied
|
||||
* Only one koji builder is required
|
||||
|
||||
## Unsupported Environments
|
||||
|
||||
* Systems that are not starting as dedicated and clean
|
||||
* Systems that are not based on Rocky 8 Linux OS*
|
||||
|
||||
For unsupported environments, it will be up to the sysadmin to proceed at their
|
||||
own discretion and fix issues that may arise on their own.
|
||||
|
||||
## Getting Going
|
||||
|
||||
1. Copy these scripts into your ~/bin directory and make sure they are executeable
|
||||
|
||||
mkdir -p ~/bin
|
||||
cp <path where you copied the scripts> ~/bin/.
|
||||
chmod a+x ~/bin/*.sh
|
||||
|
||||
1. Edit parameters.sh as needed. If running in a production environment, be
|
||||
sure to supply reasonable SSL certificate field values.
|
||||
|
||||
@ -54,5 +52,3 @@ builder machine
|
||||
|
||||
deploy-koji-nfs-client.sh
|
||||
deploy-koji-builder.sh
|
||||
|
||||
*Other names and brands may be claimed as the property of others.
|
||||
|
@ -7,11 +7,12 @@ SCRIPT_DIR="$(dirname "$(realpath "$0")")"
|
||||
source "$SCRIPT_DIR"/globals.sh
|
||||
source "$SCRIPT_DIR"/parameters.sh
|
||||
|
||||
swupd bundle-add koji || :
|
||||
check_dependency koji
|
||||
check_dependency httpd
|
||||
check_dependency kojira
|
||||
check_dependency postgres
|
||||
# Install all the required packages (some live in the epel repo, so we need to install that too)
|
||||
dnf config-manager --set-enabled powertools
|
||||
dnf install epel-release
|
||||
dnf install koji-hub mod_ssl koji koji-web koji-utils
|
||||
dnf module enable postgresql:10
|
||||
dnf install postgresql-server
|
||||
|
||||
## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
|
||||
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
|
||||
@ -202,6 +203,9 @@ Alias /kojifiles "$KOJI_DIR"
|
||||
</Location>
|
||||
EOF
|
||||
|
||||
# SELinux changes to allow db access
|
||||
setsebool -P httpd_can_network_connect_db 1
|
||||
|
||||
# Koji Web
|
||||
mkdir -p /etc/kojiweb
|
||||
cat > /etc/kojiweb/web.conf <<- EOF
|
||||
@ -252,6 +256,11 @@ chown kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"/config
|
||||
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
|
||||
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
|
||||
|
||||
# twealk SELinux to allow $HTTPD_USER write access
|
||||
setsebool -P allow_httpd_anon_write=1
|
||||
semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
|
||||
restorecon -r -v /mnt/koji
|
||||
|
||||
## Apache Configuration Files
|
||||
mkdir -p /etc/httpd/conf.d
|
||||
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
||||
@ -302,6 +311,12 @@ cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
|
||||
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
||||
EOF
|
||||
|
||||
# allow httpd access through firewall
|
||||
firewall-cmd --permanent --add-service=http
|
||||
firewall-cmd --permanent --add-service=https
|
||||
firewall-cmd --reload
|
||||
|
||||
# enable and start the httpd service
|
||||
systemctl enable --now httpd
|
||||
|
||||
|
||||
|
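Review bot: The SELinux labeling added in the `@ -252,6 +256,11 @@` hunk hard-codes `/mnt/koji`, while the directories it is meant to cover are created two lines earlier under `"$KOJI_DIR"`; if `KOJI_DIR` is ever pointed elsewhere, the `semanage fcontext`/`restorecon` pair labels the wrong tree, leaving httpd without write access to the real koji tree and granting the writable label to a path that should not have it. Use the variable in both places: `semanage fcontext -a -t public_content_rw_t "${KOJI_DIR}(/.*)?"` and `restorecon -R -v "$KOJI_DIR"`. `semanage fcontext -a` also appears to fail with an "already defined" error when the script is re-run, so falling back to `-m` on failure would make this step idempotent — worth confirming on the target release. Separately, `semanage` is not installed by the `dnf install` line in the first hunk (on EL8 it ships in policycoreutils-python-utils, as far as I know), and `allow_httpd_anon_write` is the legacy alias of `httpd_anon_write` on that platform, so the current name would be clearer in the `setsebool -P` call. Minor: the comment reads `twealk` rather than `tweak`.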
@ -9,7 +9,7 @@ export GIT_DEFAULT_DIR=/var/lib/gitolite
|
||||
export POSTGRES_USER=postgres
|
||||
export POSTGRES_DEFAULT_DIR=/var/lib/pgsql
|
||||
|
||||
export HTTPD_USER=httpd
|
||||
export HTTPD_USER=apache
|
||||
export HTTPD_DOCUMENT_ROOT=/var/www/html
|
||||
|
||||
export KOJI_PKI_DIR=/etc/pki/koji
|
||||
|