Add selinux settings
This commit is contained in:
parent
450305499e
commit
180cc1c36f
18
README.md
18
README.md
@ -5,7 +5,7 @@
|
|||||||
The purpose of these scripts it to enable setting up a koji environment quickly
|
The purpose of these scripts it to enable setting up a koji environment quickly
|
||||||
with reasonable configurations.
|
with reasonable configurations.
|
||||||
|
|
||||||
These scripts have been borrowed from Clear Linux and modofied to suit the smeserver (Koozali.org) setup.
|
These scripts have been borrowed from Clear Linux and modified to suit the smeserver (Koozali.org) setup.
|
||||||
|
|
||||||
## Assumptions
|
## Assumptions
|
||||||
|
|
||||||
@ -15,16 +15,14 @@ These scripts have been borrowed from Clear Linux and modofied to suit the smese
|
|||||||
* Basic configurations (e.g. network, time, etc.) have been applied
|
* Basic configurations (e.g. network, time, etc.) have been applied
|
||||||
* Only one koji builder is required
|
* Only one koji builder is required
|
||||||
|
|
||||||
## Unsupported Environments
|
|
||||||
|
|
||||||
* Systems that are not starting as dedicated and clean
|
|
||||||
* Systems that are not based on Rocky 8 Linux OS*
|
|
||||||
|
|
||||||
For unsupported environments, it will be up to the sysadmin to proceed at their
|
|
||||||
own discretion and fix issues that may arise on their own.
|
|
||||||
|
|
||||||
## Getting Going
|
## Getting Going
|
||||||
|
|
||||||
|
1. Copy these scripts into your ~/bin directory and make sure they are executeable
|
||||||
|
|
||||||
|
mkdir -p ~/bin
|
||||||
|
cp <path where you copied the scripts> ~/bin/.
|
||||||
|
chmod a+x ~/bin/*.sh
|
||||||
|
|
||||||
1. Edit parameters.sh as needed. If running in a production environment, be
|
1. Edit parameters.sh as needed. If running in a production environment, be
|
||||||
sure to supply reasonable SSL certificate field values.
|
sure to supply reasonable SSL certificate field values.
|
||||||
|
|
||||||
@ -54,5 +52,3 @@ builder machine
|
|||||||
|
|
||||||
deploy-koji-nfs-client.sh
|
deploy-koji-nfs-client.sh
|
||||||
deploy-koji-builder.sh
|
deploy-koji-builder.sh
|
||||||
|
|
||||||
*Other names and brands may be claimed as the property of others.
|
|
||||||
|
@ -7,11 +7,12 @@ SCRIPT_DIR="$(dirname "$(realpath "$0")")"
|
|||||||
source "$SCRIPT_DIR"/globals.sh
|
source "$SCRIPT_DIR"/globals.sh
|
||||||
source "$SCRIPT_DIR"/parameters.sh
|
source "$SCRIPT_DIR"/parameters.sh
|
||||||
|
|
||||||
swupd bundle-add koji || :
|
# Install all the required packages (some live in the epel repo, so we need to install that too)
|
||||||
check_dependency koji
|
dnf config-manager --set-enabled powertools
|
||||||
check_dependency httpd
|
dnf install epel-release
|
||||||
check_dependency kojira
|
dnf install koji-hub mod_ssl koji koji-web koji-utils
|
||||||
check_dependency postgres
|
dnf module enable postgresql:10
|
||||||
|
dnf install postgresql-server
|
||||||
|
|
||||||
## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
|
## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
|
||||||
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
|
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
|
||||||
@ -202,6 +203,9 @@ Alias /kojifiles "$KOJI_DIR"
|
|||||||
</Location>
|
</Location>
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# SELinux changes to allow db access
|
||||||
|
setsebool -P httpd_can_network_connect_db 1
|
||||||
|
|
||||||
# Koji Web
|
# Koji Web
|
||||||
mkdir -p /etc/kojiweb
|
mkdir -p /etc/kojiweb
|
||||||
cat > /etc/kojiweb/web.conf <<- EOF
|
cat > /etc/kojiweb/web.conf <<- EOF
|
||||||
@ -252,6 +256,11 @@ chown kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"/config
|
|||||||
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
|
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
|
||||||
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
|
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
|
||||||
|
|
||||||
|
# twealk SELinux to allow $HTTPD_USER write access
|
||||||
|
setsebool -P allow_httpd_anon_write=1
|
||||||
|
semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
|
||||||
|
restorecon -r -v /mnt/koji
|
||||||
|
|
||||||
## Apache Configuration Files
|
## Apache Configuration Files
|
||||||
mkdir -p /etc/httpd/conf.d
|
mkdir -p /etc/httpd/conf.d
|
||||||
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
||||||
@ -302,6 +311,12 @@ cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
|
|||||||
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# allow httpd access through firewall
|
||||||
|
firewall-cmd --permanent --add-service=http
|
||||||
|
firewall-cmd --permanent --add-service=https
|
||||||
|
firewall-cmd --reload
|
||||||
|
|
||||||
|
# enable and start the httpd service
|
||||||
systemctl enable --now httpd
|
systemctl enable --now httpd
|
||||||
|
|
||||||
|
|
||||||
|
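Review bot: The SELinux labelling in the `@ -252,6 +256,11 @@` hunk hard-codes `/mnt/koji` while the two lines just above it create and chown `"$KOJI_DIR"`, so if KOJI_DIR is set to anything else the fcontext rule and restorecon land on a different tree than the one httpd serves, and the write access the comment promises is either never granted or granted to an unrelated directory. Use the variable in both lines: `semanage fcontext -a -t public_content_rw_t "${KOJI_DIR}(/.*)?"` and `restorecon -R -v "$KOJI_DIR"`. `allow_httpd_anon_write` also looks like the legacy alias of `httpd_anon_write`, and it is a policy-wide switch that lets httpd write to every `public_content_rw_t` location on the host; labelling the Koji tree `httpd_sys_rw_content_t` instead would confine httpd's write access to that tree only, without flipping the boolean. Note too that `semanage fcontext -a` fails once the rule already exists, so a second run of the script stops there unless the call is guarded (or `-m` is used when the rule is present); the same unchecked-status concern applies to the `dnf install` lines in the `@ -7,11 +7,12 @@` hunk, which also lack `-y` and will block on a prompt when run unattended. Finally the new comment in that hunk has a typo: `# tweak SELinux to allow $HTTPD_USER write access`.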
@ -9,7 +9,7 @@ export GIT_DEFAULT_DIR=/var/lib/gitolite
|
|||||||
export POSTGRES_USER=postgres
|
export POSTGRES_USER=postgres
|
||||||
export POSTGRES_DEFAULT_DIR=/var/lib/pgsql
|
export POSTGRES_DEFAULT_DIR=/var/lib/pgsql
|
||||||
|
|
||||||
export HTTPD_USER=httpd
|
export HTTPD_USER=apache
|
||||||
export HTTPD_DOCUMENT_ROOT=/var/www/html
|
export HTTPD_DOCUMENT_ROOT=/var/www/html
|
||||||
|
|
||||||
export KOJI_PKI_DIR=/etc/pki/koji
|
export KOJI_PKI_DIR=/etc/pki/koji
|
||||||
|