nginx: Do not use spawn-fcgi for munin-graph #139

Open
mtrossevin wants to merge 1 commits from mtrossevin/ansible-roles:nginx-munin-no-spawn-fcgi into unstable
Owner

systemd already provides all the functionality of spawn-fcgi
with the exception of the possibility to spawn multiple processes for a
single socket (it can be done using multiwatch though). So we might as
well use the functions provided by systemd instead of needing to install
a new package and add a layer of indirection in how the FastCGI service
is managed.

This makes for a somewhat simpler service that can be started as an
unprivileged user.

mtrossevin reviewed 2021-11-17 13:50:10 +01:00
@ -36,3 +41,3 @@
- name: Systemd unit for Munin-fcgi is started
systemd:
name: spawn-fcgi-munin-graph
name: fcgi-munin-graph.socket
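Review bot: the task name on the first line of this hunk still reads `Systemd unit for Munin-fcgi is started` while `name:` now points at `fcgi-munin-graph.socket`; rename the task to say that the socket is started (and enabled) so the switch to socket-only activation is visible from the task list. Since only the unit name changes in these lines, also check that the old `spawn-fcgi-munin-graph` service is stopped and disabled somewhere in the same play, otherwise both the spawn-fcgi process and the socket-activated service remain managed on the host after the role runs.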
Author
Owner

Enabling only the socket means that the service will be started on the first connection to said socket instead of being started on boot. That increases the latency for the very first connection (+ the first after a crash of the service) in exchange for not blocking boot until the service is started.
mtrossevin force-pushed nginx-munin-no-spawn-fcgi from 0b3a7cbc8f to 93084d6ce8 2021-11-17 13:52:33 +01:00 Compare
mtrossevin reviewed 2021-11-17 13:53:15 +01:00
mtrossevin reviewed 2021-11-17 13:54:51 +01:00
@ -0,0 +12,4 @@
StandardError=journal
[Install]
WantedBy=multi-user.target
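Review bot: the `[Install]` section with `WantedBy=multi-user.target` on the .service only has an effect if the service itself is enabled, and the playbook enables only the socket; either add a comment in the unit saying that enabling the service is an opt-in for starting it at boot rather than on first connection, or drop the section here and put `WantedBy=sockets.target` in the `[Install]` section of the .socket unit, which is the usual place for the install target of a socket-activated service.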
Author
Owner

This allows the service to be started on boot instead of waiting for the first connection on the socket, if wanted.
mtrossevin changed title from nginx: Do not use spawn-fcgi for munin-graph to WIP: nginx: Do not use spawn-fcgi for munin-graph 2021-11-17 13:56:15 +01:00
mtrossevin changed title from WIP: nginx: Do not use spawn-fcgi for munin-graph to nginx: Do not use spawn-fcgi for munin-graph 2021-11-17 13:56:24 +01:00
mtrossevin requested review from jlecour 2021-11-17 13:56:33 +01:00
Author
Owner

I temporarily enabled this change on selks-dev (units in /run/systemd/system instead of /etc, and spawn-fcgi-munin-graph stopped but not disabled, so it will completely roll back with a reboot).

That seems to work without any problem.

In fact it works without any problem with this exact service unit:

```ini
# /run/systemd/system/fcgi-munin-graph.service
[Unit]
Description=Munin zoom for nginx.
After=network.target
Requires=fcgi-munin-graph.socket

[Service]
User=munin
Group=munin
ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
StandardInput=socket
StandardOutput=null
StandardError=journal

# /var/log/munin and /var/lib/munin need to be RW for the service to work
ReadWritePaths=-/var/log/munin
ReadWritePaths=-/var/lib/munin
# Not certain if it really needs to be RW, but since it appears in the logs I put it there anyway
ReadWritePaths=-/var/cache/munin/

# Sandboxing options
# Whole file system RO except /dev, /proc and /sys (/home is handled by ProtectHome= below)
ProtectSystem=strict
PrivateTmp=yes
# Minimal set of devices visible
PrivateDevices=yes
# No need for network connectivity
PrivateNetwork=yes
# No need to see other users
PrivateUsers=yes
# No need to see /home; if it does need to see it, put `read-only` instead, and if it needs to be able to write to it put `no`
ProtectHome=yes
# /proc/sys/, /sys/ and /proc/sysrq-trigger RO
ProtectKernelTunables=yes
# /sys/fs/cgroup/ RO
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX
# No access to namespacing for the service
RestrictNamespaces=yes
# Cannot load new modules
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

# This service doesn't need any capability with the current user
CapabilityBoundingSet=

# Don't allow these syscalls (return EPERM if they are called); they shouldn't be used by this service anyway.
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
SystemCallErrorNumber=EPERM
# Needed by RestrictAddressFamilies= and SystemCallFilter=
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

(mostly checked the sandboxing options to know what exactly it needs access to in order to work normally)

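The fd 0 handoff that `StandardInput=socket` in the unit above relies on, shown as an added example in Python (not code from the ansible-roles repository or from munin): spawn-fcgi and systemd's `StandardInput=socket` both start the FastCGI program with its listening socket already open on file descriptor 0 (`FCGI_LISTENSOCK_FILENO` in the FastCGI specification), which is why munin-cgi-graph needs no `LISTEN_FDS` support to be socket-activated. In the demo a parent process plays systemd (binds the Unix socket, forks the worker with the socket on fd 0), the child plays munin-cgi-graph as a minimal FastCGI responder, and the parent then plays nginx by sending one request. The socket path, the request parameters and the reply text are constructed for the demo and are not what the real units or nginx use.

```python
"""Constructed demo of the spawn-fcgi / StandardInput=socket convention:
the FastCGI worker finds its *listening* socket on fd 0 and accept()s on it."""
import os
import socket
import struct
import tempfile

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 3, 4, 5, 6
FCGI_RESPONDER, FCGI_REQUEST_COMPLETE = 1, 0
FCGI_LISTENSOCK_FILENO = 0  # spawn-fcgi and StandardInput=socket both hand over fd 0


def fcgi_record(rec_type, request_id, content=b""):
    """Frame one FastCGI record: 8-byte header, content, zero padding to 8 bytes."""
    pad = (8 - len(content) % 8) % 8
    header = struct.pack("!BBHHBx", FCGI_VERSION_1, rec_type, request_id, len(content), pad)
    return header + content + b"\0" * pad


def fcgi_nv(name, value):
    """Encode one FCGI_PARAMS name/value pair (1-byte lengths, i.e. both < 128)."""
    return bytes([len(name), len(value)]) + name + value


def parse_nv(body):
    """Decode FCGI_PARAMS pairs; handles both the 1-byte and the 4-byte length form."""
    def length(i):
        if body[i] < 0x80:
            return body[i], i + 1
        return struct.unpack("!I", body[i:i + 4])[0] & 0x7FFFFFFF, i + 4
    params, i = {}, 0
    while i < len(body):
        nlen, i = length(i)
        vlen, i = length(i)
        params[body[i:i + nlen]] = body[i + nlen:i + nlen + vlen]
        i += nlen + vlen
    return params


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def read_record(conn):
    """Read one record; returns (type, request_id, content) with the padding consumed."""
    _ver, rec_type, request_id, length, pad, _res = struct.unpack("!BBHHBB", recv_exact(conn, 8))
    content = recv_exact(conn, length)
    recv_exact(conn, pad)
    return rec_type, request_id, content


def inherited_listener():
    """Startup check of a FastCGI program: fd 0 must already be a listening socket.
    socket.socket(fileno=0) raises ENOTSOCK when fd 0 is a tty or a pipe, i.e. when the
    program was run by hand instead of via spawn-fcgi or a .socket unit."""
    try:
        return socket.socket(fileno=FCGI_LISTENSOCK_FILENO)
    except OSError as exc:
        raise RuntimeError("fd 0 is not a socket: start me via spawn-fcgi or a .socket unit") from exc


def serve_one(listener):
    """Accept one connection and answer it as a FastCGI responder (the worker side)."""
    conn, _ = listener.accept()
    with conn:
        rec_type, req_id, body = read_record(conn)
        if rec_type != FCGI_BEGIN_REQUEST or struct.unpack("!HB5x", body)[0] != FCGI_RESPONDER:
            raise ValueError("expected FCGI_BEGIN_REQUEST for the responder role")
        params = {}
        while True:  # the PARAMS stream ends with an empty PARAMS record
            rec_type, _, body = read_record(conn)
            if rec_type == FCGI_PARAMS and not body:
                break
            params.update(parse_nv(body))
        while True:  # the STDIN stream ends with an empty STDIN record
            rec_type, _, body = read_record(conn)
            if rec_type == FCGI_STDIN and not body:
                break
        reply = (b"Content-Type: text/plain\r\n\r\nserved " + params.get(b"SCRIPT_NAME", b"?")
                 + b" as uid " + str(os.getuid()).encode())
        conn.sendall(fcgi_record(FCGI_STDOUT, req_id, reply) + fcgi_record(FCGI_STDOUT, req_id)
                     + fcgi_record(FCGI_END_REQUEST, req_id, struct.pack("!IB3x", 0, FCGI_REQUEST_COMPLETE)))


def run_demo(script_name=b"/munin-cgi/munin-cgi-graph/localdomain/cpu-day.png"):
    """systemd side -> worker side -> nginx side; returns the worker's FastCGI stdout bytes."""
    sockdir = tempfile.mkdtemp()
    path = os.path.join(sockdir, "fcgi-munin-graph.sock")  # assumed path, not the role's
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o660)  # what SocketMode=0660 does for a real .socket unit
    listener.listen(4)
    pid = os.fork()
    if pid == 0:  # child = the FastCGI worker
        status = 1
        try:
            os.dup2(listener.fileno(), FCGI_LISTENSOCK_FILENO)  # the StandardInput=socket step
            listener.close()
            serve_one(inherited_listener())
            status = 0
        finally:
            os._exit(status)
    listener.close()  # the worker holds its own reference; this side only connects, like nginx
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        req_id = 1
        client.sendall(fcgi_record(FCGI_BEGIN_REQUEST, req_id, struct.pack("!HB5x", FCGI_RESPONDER, 0))
                       + fcgi_record(FCGI_PARAMS, req_id, fcgi_nv(b"SCRIPT_NAME", script_name)
                                     + fcgi_nv(b"REQUEST_METHOD", b"GET"))
                       + fcgi_record(FCGI_PARAMS, req_id) + fcgi_record(FCGI_STDIN, req_id))
        out = b""
        while True:
            rec_type, _, body = read_record(client)
            if rec_type == FCGI_END_REQUEST:
                break
            if rec_type == FCGI_STDOUT:
                out += body
    _, status = os.waitpid(pid, 0)
    os.unlink(path)
    os.rmdir(sockdir)
    if status != 0:
        raise RuntimeError("worker exited with status %d" % status)
    return out
```

In the real deployment the parent's role belongs to the `.socket` unit that the service's `Requires=` names: an assumed `fcgi-munin-graph.socket` would carry `ListenStream=` with the path nginx uses in `fastcgi_pass`, `SocketUser=`/`SocketGroup=`/`SocketMode=0660` so that only nginx can connect, and `WantedBy=sockets.target`. Because systemd, not the worker, creates and owns the socket, the worker can run with the empty `CapabilityBoundingSet=` and `PrivateNetwork=yes` shown in the unit: an already-open AF_UNIX socket keeps working inside a private network namespace.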
jlecour reviewed 2022-06-06 18:22:45 +02:00
@ -35,2 +38,4 @@
src: systemd/fcgi-munin-graph.service
dest: /etc/systemd/system/fcgi-munin-graph.service
- name: Systemd unit for Munin-fcgi is started
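Review bot: only the .service unit is installed in this hunk (`src: systemd/fcgi-munin-graph.service`), while the task that follows starts `fcgi-munin-graph.socket`; if the .socket unit is not copied in the lines not shown here, add a matching copy task for it. Both copy tasks should also notify a daemon-reload handler (or the `systemd` task should set `daemon_reload: yes`) so that units freshly placed under /etc/systemd/system are known to systemd before they are started. The task name on the last line still says `unit ... is started`, as jlecour notes below.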
Owner

I guess we should change the name to `Systemd socket for Munin-fcgi is installed` to mention the socket instead of the service.
Some checks failed
continuous-integration/drone/pr Build is failing
This pull request has changes conflicting with the target branch.
  • CHANGELOG.md
  • nginx/tasks/munin_vhost.yml
Reference: evolix/ansible-roles#139