nginx: Do not use spawn-fcgi for munin-graph #139

systemd provides already provides all the fonctionnalities of spawn-fcgi
with the exception of the possibility to spawn multiple process to a
single socket (it can be done using multiwatch though). So we might as
well use the fonctions provided by systemd instead of needing to install
a new package and add a layer of indirection in how the fastcgi service
is managed.

This make for a somewhat simpler service that can be started as an
unprivileged user.

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc and spawn-fcgi-munin-graph stopped but not disabled so it will completely rollback with a reboot).

That seems to work without any problem.

In fact it works without any problem with this exact service unit:

# /run/systemd/system/fcgi-munin-graph.service
[Unit]
Description=Munin zoom for nginx.
After=network.target
Requires=fcgi-munin-graph.socket

[Service]
User=munin
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
StandardInput=socket
StandardOutput=null
StandardError=journal

# /var/log/munin and /var/lib/munin need to be RW for the service to work
ReadWritePaths=-/var/log/munin
ReadWritePaths=-/var/lib/munin
# Not certain if it really need to be RW but since it appears in the logs I put it there anyway
ReadWritePaths=-/var/cache/munin/

# Sandboxing options
# Full system RO except /dev, /proc, /sys and /home
ProtectSystem=strict
PrivateTmp=yes
# Minimal set of device visible
PrivateDevices=yes
# No need of network connectivity
PrivateNetwork=yes
# No need to see other users
PrivateUsers=yes
# No need to see /home, if it does need to see it, put `read-only` instead, if it need to be able to write on it put `no`
ProtectHome=yes
# /proc/sys/, /sys/ and /proc/sysrq-trigger RO
ProtectKernelTunables=yes
# /sys/fs/cgroup/ RO
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX
# No access to namespacing for the service
RestrictNamespaces=yes
# Cannot load new modules
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

# This service doesn't need any capability with the current user
CapabilityBoundingSet=

# Don't allow these syscall (give an EPERM if they are called), they shouldn't be used by this service anyway.
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
SystemCallErrorNumber=EPERM
# Needed by RestrictAddressFamilies= and SystemCallFilter
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

(mostly checked the sandboxing options to know what exactly it need access to in order to works normally)

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc and spawn-fcgi-munin-graph stopped but not disabled so it will completely rollback with a reboot). That seems to work without any problem. In fact it works without any problem with this exact service unit: ```.ini # /run/systemd/system/fcgi-munin-graph.service [Unit] Description=Munin zoom for nginx. After=network.target Requires=fcgi-munin-graph.socket [Service] User=munin Group=munin ExecStart=/usr/lib/munin/cgi/munin-cgi-graph StandardInput=socket StandardOutput=null StandardError=journal # /var/log/munin and /var/lib/munin need to be RW for the service to work ReadWritePaths=-/var/log/munin ReadWritePaths=-/var/lib/munin # Not certain if it really need to be RW but since it appears in the logs I put it there anyway ReadWritePaths=-/var/cache/munin/ # Sandboxing options # Full system RO except /dev, /proc, /sys and /home ProtectSystem=strict PrivateTmp=yes # Minimal set of device visible PrivateDevices=yes # No need of network connectivity PrivateNetwork=yes # No need to see other users PrivateUsers=yes # No need to see /home, if it does need to see it, put `read-only` instead, if it need to be able to write on it put `no` ProtectHome=yes # /proc/sys/, /sys/ and /proc/sysrq-trigger RO ProtectKernelTunables=yes # /sys/fs/cgroup/ RO ProtectControlGroups=yes NoNewPrivileges=yes RestrictAddressFamilies=AF_UNIX # No access to namespacing for the service RestrictNamespaces=yes # Cannot load new modules ProtectKernelModules=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes # This service doesn't need any capability with the current user CapabilityBoundingSet= # Don't allow these syscall (give an EPERM if they are called), they shouldn't be used by this service anyway. SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete SystemCallErrorNumber=EPERM # Needed by RestrictAddressFamilies= and SystemCallFilter SystemCallArchitectures=native [Install] WantedBy=multi-user.target ``` (mostly checked the sandboxing options to know what exactly it need access to in order to works normally)

 - name: Systemd unit for Munin-fcgi is started
   systemd:
     name: spawn-fcgi-munin-graph
     name: fcgi-munin-graph.socket

nginx: Do not use spawn-fcgi for munin-graph #139

Reviewers