nginx: Do not use spawn-fcgi for munin-graph #139

mtrossevin · 2021-11-17T13:46:48+01:00

mtrossevin commented

2021-11-17 13:46:48 +01:00

systemd provides already provides all the fonctionnalities of spawn-fcgi
with the exception of the possibility to spawn multiple process to a
single socket (it can be done using multiwatch though). So we might as
well use the fonctions provided by systemd instead of needing to install
a new package and add a layer of indirection in how the fastcgi service
is managed.

This make for a somewhat simpler service that can be started as an
unprivileged user.

systemd provides already provides all the fonctionnalities of spawn-fcgi with the exception of the possibility to spawn multiple process to a single socket (it can be done using multiwatch though). So we might as well use the fonctions provided by systemd instead of needing to install a new package and add a layer of indirection in how the fastcgi service is managed. This make for a somewhat simpler service that can be started as an unprivileged user.

mtrossevin reviewed 2021-11-17 13:50:10 +01:00

nginx/tasks/munin_vhost.yml Outdated

					
				@ -36,3 +41,3 @@

				- name: Systemd unit for Munin-fcgi is started

				  systemd:

				    name: spawn-fcgi-munin-graph

				    name: fcgi-munin-graph.socket

mtrossevin commented

2021-11-17 13:50:10 +01:00

Enabling only the socket mean that the service will be started on the first connexion on said socket instead of being started on boot. That increase the latency for the very first connexion (+ the first after a crash of the service) in exchange of not blocking boot until the service is started.

mtrossevin force-pushed nginx-munin-no-spawn-fcgi from 0b3a7cbc8f to 93084d6ce8

2021-11-17 13:52:33 +01:00

Compare

mtrossevin reviewed 2021-11-17 13:53:15 +01:00

mtrossevin reviewed 2021-11-17 13:54:51 +01:00

nginx/files/systemd/fcgi-munin-graph.service

					
				@ -0,0 +12,4 @@

				StandardError=journal

				[Install]

				WantedBy=multi-user.target

mtrossevin commented

2021-11-17 13:54:51 +01:00

This allow the service to be started on boot instead of waiting for the first connexion on the socket if wanted.

mtrossevin changed title from ~~nginx: Do not use spawn-fcgi for munin-graph~~ to WIP: nginx: Do not use spawn-fcgi for munin-graph

2021-11-17 13:56:15 +01:00

mtrossevin changed title from ~~WIP: nginx: Do not use spawn-fcgi for munin-graph~~ to nginx: Do not use spawn-fcgi for munin-graph

2021-11-17 13:56:24 +01:00

mtrossevin requested review from jlecour 2021-11-17 13:56:33 +01:00

mtrossevin commented

2021-11-22 09:53:22 +01:00

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc and spawn-fcgi-munin-graph stopped but not disabled so it will completely rollback with a reboot).

That seems to work without any problem.

In fact it works without any problem with this exact service unit:

# /run/systemd/system/fcgi-munin-graph.service
[Unit]
Description=Munin zoom for nginx.
After=network.target
Requires=fcgi-munin-graph.socket

[Service]
User=munin
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
StandardInput=socket
StandardOutput=null
StandardError=journal

# /var/log/munin and /var/lib/munin need to be RW for the service to work
ReadWritePaths=-/var/log/munin
ReadWritePaths=-/var/lib/munin
# Not certain if it really need to be RW but since it appears in the logs I put it there anyway
ReadWritePaths=-/var/cache/munin/

# Sandboxing options
# Full system RO except /dev, /proc, /sys and /home
ProtectSystem=strict
PrivateTmp=yes
# Minimal set of device visible
PrivateDevices=yes
# No need of network connectivity
PrivateNetwork=yes
# No need to see other users
PrivateUsers=yes
# No need to see /home, if it does need to see it, put `read-only` instead, if it need to be able to write on it put `no`
ProtectHome=yes
# /proc/sys/, /sys/ and /proc/sysrq-trigger RO
ProtectKernelTunables=yes
# /sys/fs/cgroup/ RO
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX
# No access to namespacing for the service
RestrictNamespaces=yes
# Cannot load new modules
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

# This service doesn't need any capability with the current user
CapabilityBoundingSet=

# Don't allow these syscall (give an EPERM if they are called), they shouldn't be used by this service anyway.
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
SystemCallErrorNumber=EPERM
# Needed by RestrictAddressFamilies= and SystemCallFilter
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

(mostly checked the sandboxing options to know what exactly it need access to in order to works normally)

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc and spawn-fcgi-munin-graph stopped but not disabled so it will completely rollback with a reboot). That seems to work without any problem. In fact it works without any problem with this exact service unit: ```.ini # /run/systemd/system/fcgi-munin-graph.service [Unit] Description=Munin zoom for nginx. After=network.target Requires=fcgi-munin-graph.socket [Service] User=munin Group=munin ExecStart=/usr/lib/munin/cgi/munin-cgi-graph StandardInput=socket StandardOutput=null StandardError=journal # /var/log/munin and /var/lib/munin need to be RW for the service to work ReadWritePaths=-/var/log/munin ReadWritePaths=-/var/lib/munin # Not certain if it really need to be RW but since it appears in the logs I put it there anyway ReadWritePaths=-/var/cache/munin/ # Sandboxing options # Full system RO except /dev, /proc, /sys and /home ProtectSystem=strict PrivateTmp=yes # Minimal set of device visible PrivateDevices=yes # No need of network connectivity PrivateNetwork=yes # No need to see other users PrivateUsers=yes # No need to see /home, if it does need to see it, put `read-only` instead, if it need to be able to write on it put `no` ProtectHome=yes # /proc/sys/, /sys/ and /proc/sysrq-trigger RO ProtectKernelTunables=yes # /sys/fs/cgroup/ RO ProtectControlGroups=yes NoNewPrivileges=yes RestrictAddressFamilies=AF_UNIX # No access to namespacing for the service RestrictNamespaces=yes # Cannot load new modules ProtectKernelModules=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes # This service doesn't need any capability with the current user CapabilityBoundingSet= # Don't allow these syscall (give an EPERM if they are called), they shouldn't be used by this service anyway. SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete SystemCallErrorNumber=EPERM # Needed by RestrictAddressFamilies= and SystemCallFilter SystemCallArchitectures=native [Install] WantedBy=multi-user.target ``` (mostly checked the sandboxing options to know what exactly it need access to in order to works normally)

jlecour reviewed 2022-06-06 18:22:45 +02:00

nginx/tasks/munin_vhost.yml

					
				@ -35,2 +38,4 @@

				    src: systemd/fcgi-munin-graph.service

				    dest: /etc/systemd/system/fcgi-munin-graph.service

				- name: Systemd unit for Munin-fcgi is started