nginx: Do not use spawn-fcgi for munin-graph #139

Open
mtrossevin wants to merge 1 commits from mtrossevin/ansible-roles:nginx-munin-no-spawn-fcgi into unstable
Owner

systemd already provides all the functionality of spawn-fcgi
with the exception of the possibility to spawn multiple processes on a
single socket (it can be done using multiwatch though). So we might as
well use the functions provided by systemd instead of needing to install
a new package and add a layer of indirection in how the fastcgi service
is managed.

This makes for a somewhat simpler service that can be started as an
unprivileged user.

mtrossevin reviewed 6 months ago
- name: Systemd unit for Munin-fcgi is started
systemd:
name: spawn-fcgi-munin-graph
name: fcgi-munin-graph.socket
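Review bot: switching this task to `fcgi-munin-graph.socket` leaves the previously deployed `spawn-fcgi-munin-graph` service untouched on hosts that were provisioned with the old role; add a task that stops and disables it (and removes its unit) so the old and new fastcgi services do not keep running side by side. The task name still says the unit "is started" while only the socket is enabled, so rename it to match.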
Poster
Owner

Enabling only the socket means that the service will be started on the first connection on said socket instead of being started on boot. That increases the latency for the very first connection (+ the first after a crash of the service) in exchange for not blocking boot until the service is started.
mtrossevin force-pushed nginx-munin-no-spawn-fcgi from 0b3a7cbc8f to 93084d6ce8 6 months ago
mtrossevin reviewed 6 months ago
mtrossevin reviewed 6 months ago
StandardError=journal
[Install]
WantedBy=multi-user.target
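Review bot: the `[Install]` section only takes effect if something runs `systemctl enable` on the service; the earlier hunk enables only the socket, so as written this section is unused configuration. Either have the role enable the service as well (keeping `Requires=fcgi-munin-graph.socket` so the socket is still what feeds stdin), or document in the role that boot-time start is an opt-in and where it is switched on.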
Poster
Owner

This allows the service to be started on boot instead of waiting for the first connection on the socket, if wanted.
mtrossevin changed title from nginx: Do not use spawn-fcgi for munin-graph to WIP: nginx: Do not use spawn-fcgi for munin-graph 6 months ago
mtrossevin changed title from WIP: nginx: Do not use spawn-fcgi for munin-graph to nginx: Do not use spawn-fcgi for munin-graph 6 months ago
mtrossevin requested review from jlecour 6 months ago
Poster
Owner

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc and spawn-fcgi-munin-graph stopped but not disabled, so it will completely roll back with a reboot).

That seems to work without any problem.

In fact it works without any problem with this exact service unit:

```ini
# /run/systemd/system/fcgi-munin-graph.service
[Unit]
Description=Munin zoom for nginx.
After=network.target
Requires=fcgi-munin-graph.socket

[Service]
User=munin
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
StandardInput=socket
StandardOutput=null
StandardError=journal

# /var/log/munin and /var/lib/munin need to be RW for the service to work
ReadWritePaths=-/var/log/munin
ReadWritePaths=-/var/lib/munin
# Not certain it really needs to be RW, but since it appears in the logs I put it there anyway
ReadWritePaths=-/var/cache/munin/

# Sandboxing options
# Full system RO except /dev, /proc, /sys and /home
ProtectSystem=strict
PrivateTmp=yes
# Minimal set of devices visible
PrivateDevices=yes
# No need for network connectivity
PrivateNetwork=yes
# No need to see other users
PrivateUsers=yes
# No need to see /home; if it does need to see it, put `read-only` instead, if it needs to be able to write to it put `no`
ProtectHome=yes
# /proc/sys/, /sys/ and /proc/sysrq-trigger RO
ProtectKernelTunables=yes
# /sys/fs/cgroup/ RO
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX
# No access to namespacing for the service
RestrictNamespaces=yes
# Cannot load new modules
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

# This service doesn't need any capability with the current user
CapabilityBoundingSet=

# Don't allow these syscalls (give an EPERM if they are called); they shouldn't be used by this service anyway.
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
SystemCallErrorNumber=EPERM
# Needed by RestrictAddressFamilies= and SystemCallFilter=
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

(mostly checked the sandboxing options to know what exactly it needs access to in order to work normally)

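The service unit above has `Requires=fcgi-munin-graph.socket` and `StandardInput=socket`, but the page never shows the socket unit it pairs with. The following is an added example of such a companion unit, not a file from this PR or from the evolix ansible-roles project; the socket path `/run/munin/fcgi-graph.sock` and the `www-data` group are assumptions, and the nginx side (`fastcgi_pass unix:/run/munin/fcgi-graph.sock;`) must point at the same path. The security-relevant part is the `[Socket]` ownership and mode: the socket is created by the manager, not by the munin user, so its permissions can be set so that only the web server can connect to the CGI process, and the service itself still needs no network (`PrivateNetwork=yes` in the service is compatible, because the listening socket is inherited from systemd rather than opened by the service).

```ini
# /etc/systemd/system/fcgi-munin-graph.socket  (example; path is an assumption)
[Unit]
Description=Socket for Munin zoom for nginx

[Socket]
# Unix stream socket; nginx's fastcgi_pass must use exactly this path (assumed path)
ListenStream=/run/munin/fcgi-graph.sock
# Parent directory /run/munin is created by systemd with this mode if missing
DirectoryMode=0755
# Only the web server may connect: owned by munin, group www-data (assumed), mode 0660
SocketUser=munin
SocketGroup=www-data
SocketMode=0660
# One long-lived munin-cgi-graph process serves every connection on this socket
# (this matches StandardInput=socket in the service; Accept=yes would spawn one
# process per connection and need a templated service instead)
Accept=no

[Install]
WantedBy=sockets.target
```

With only the socket enabled (`systemctl enable --now fcgi-munin-graph.socket`), the service is started lazily on the first connection, as the PR description explains. `systemd-analyze security fcgi-munin-graph.service` reports the exposure score of the service unit's sandboxing directives and is a quick way to confirm that options such as `ProtectSystem=strict` and `SystemCallFilter=` were actually applied.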

jlecour was requested for review 6 months ago
Some checks failed
continuous-integration/drone/pr Build is failing
This pull request has changes conflicting with the target branch.
CHANGELOG.md