# This is a step by step tutorial on how to run uwsgi in emperor mode,
# behind nginx on Fedora 20. I'll add to the tutorial as time goes on.
# SELinux will likely be a pain (even in permissive mode), so please see my comment on how to fix it.
sudo yum upgrade
sudo yum install nano yum-utils gcc uwsgi-plugin-python3 nginx
yum-builddep python3-psycopg2
yum-builddep python3-Pillow
1. usermod -a -G uwsgi nginx
2. ???
3. Place the following in /etc/uwsgi.d/me_vandorjw.ini
#
# me_vandorjw.ini
#
[uwsgi]
# variables
projectname = vandorjw
base = /var/sites/me/vandorjw
plugins = python3
chdir = %(base)/src/%(projectname)
pythonpath = %(base)/src/%(projectname)
virtualenv = %(base)/venv/%(projectname)
env = DJANGO_SETTINGS_MODULE=%(projectname).settings
module = django.core.handlers.wsgi:WSGIHandler()
socket = /run/uwsgi/%n.socket
chmod-socket = 660
logto = %(base)/logs/uwsgi.log
4. sudo chown uwsgi:uwsgi /etc/uwsgi.d/me_vandorjw.ini
5. Place the following in /etc/nginx/conf.d/me_vandorjw.conf
server {
    listen 80;
    server_name vandorjw.me;
    access_log /var/sites/me/vandorjw/logs/access.log;
    error_log /var/sites/me/vandorjw/logs/error.log;
    location /static/ {
        alias /var/sites/me/vandorjw/static/;
    }
    location /media/ {
        alias /var/sites/me/vandorjw/media/;
    }
    location / {
        uwsgi_pass unix:///run/uwsgi/me_vandorjw.socket;
        include uwsgi_params;
    }
    error_page 404 /404.html;
    location = /40x.html {
        root /usr/share/nginx/html;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
6. Grab this script. Place it in your home dir, calling it pyvenv3.py
http://docs.python.org/3/library/venv.html#an-example-of-extending-envbuilder
7. sudo mkdir -p /var/sites/me/vandorjw/
8. sudo chown -R fedora /var/sites
8b. alternatively, use ACL
9. cd /var/sites/me/vandorjw/
10. mkdir venv logs media static src
11. python3 ~/pyvenv3.py venv/vandorjw
12. source venv/vandorjw/bin/activate
13. pip install django south pillow psycopg2
14. cd src
15. django-admin.py startproject vandorjw
16. cd ..
17. sudo semanage fcontext -a -t httpd_log_t -r s0 "/var/sites/me/vandorjw/logs(/.*)?"
18. sudo restorecon -R logs/
19. touch /var/sites/me/vandorjw/logs/uwsgi.log
20. sudo chgrp uwsgi /var/sites/me/vandorjw/logs
21. sudo chown uwsgi:uwsgi /var/sites/me/vandorjw/logs/uwsgi.log
22. sudo systemctl enable nginx.service
23. sudo systemctl enable uwsgi.service
24. Place the following line in /etc/tmpfiles.d/uwsgi.conf
D /run/uwsgi 0770 uwsgi uwsgi -
Restart Server - Enjoy Life
Fix SELinux
Run all these commands as root
- ausearch -m avc -ts today
You'll likely see messages like this:
time->Thu Jan 9 01:45:37 2014
type=SYSCALL msg=audit(1389231937.166:58): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7f27e09931f8 a2=6e a3=7fffb8952460 items=0 ppid=542 pid=543 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389231937.166:58): avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
- Where it starts with "avc: denied { write } for pid=543" .... all the way until ".....tclass=sock_file", highlight the message and insert it between quotes:
echo 'the long error message' | audit2why
EXAMPLE
echo 'avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file' | audit2why
- It'll make a suggestion on what to do... Just take that same message, and instead of "audit2why", use audit2allow
echo 'avc: denied { write } for pid=543 comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file' | audit2allow -M nginx-uwsgi
- semodule -i nginx-uwsgi.pp
reboot
Alternatively --Edit /etc/sysconfig/selinux to disable selinux
(bad alternative)
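An added example, not part of the gist or of audit2allow itself: it parses AVC records like the one quoted above and prints the `allow` lines a module built from them would carry, so that what a generated module grants (here httpd_t writing to every var_run_t socket file, not only the uwsgi one) can be read before `semodule -i`. The sample record is the one from the ausearch output above.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted from ausearch above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1389231937.166:58): avc: denied { write } for pid=543 '
    'comm="nginx" name="me_vandorjw.socket" dev="tmpfs" ino=10313 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, denied permissions) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; a type-enforcement rule only needs the type.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def allow_rules(lines):
    """Merge all denials into the 'allow' lines a generated module would contain."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            wanted[(stype, ttype, tclass)] |= perms
    rules = []
    for (s, t, c), perms in sorted(wanted.items()):
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (s, t, c, p if len(perms) == 1 else '{ %s }' % p))
    return rules

if __name__ == '__main__':
    for rule in allow_rules([SAMPLE_AVC]):
        print(rule)  # allow httpd_t var_run_t:sock_file write;
```

Feeding it the whole `ausearch -m avc -ts today` output shows every rule the module would add, not just the one for the socket.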
touch /etc/tmpfiles.d/uwsgi.conf
D /run/uwsgi 0770 uwsgi uwsgi -
usermod -a -G uwsgi nginx
usermod -a -G uwsgi (username)
Then add
chmod-socket = 660
to each vassal
The explanation for why we do this is this:
In the Linux implementation, sockets which are visible in the
filesystem honor the permissions of the directory they are in. Their
owner, group and their permissions can be changed. Creation of a new
socket will fail if the process does not have write and search
(execute) permission on the directory the socket is created in.
Connecting to the socket object requires read/write permission.
source: http://man7.org/linux/man-pages/man7/unix.7.html
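An added example, not from the gist, that applies the unix(7) rule just quoted to a throwaway copy of the /run/uwsgi layout: it decides whether a uid with a given set of gids can create a socket in the directory (write + search) and connect to an existing one (read + write on the socket object). The constructed uid 65534 with no groups stands in for an nginx user that was never added to the uwsgi group.

```python
import os
import socket
import stat
import tempfile

def _bits(st, uid, gids):
    """Pick the owner, group or other rwx triple that applies to uid/gids."""
    if uid == 0:
        return 0o7  # root bypasses these DAC checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7

def can_create_socket(directory, uid, gids):
    """unix(7): creating a socket needs write and search (x) on its directory."""
    return _bits(os.stat(directory), uid, gids) & 0o3 == 0o3

def can_connect(sock_path, uid, gids):
    """unix(7): connecting needs read and write on the socket object itself
    (plus search on the directory to reach it)."""
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return False
    if not _bits(os.stat(os.path.dirname(sock_path)), uid, gids) & 0o1:
        return False
    return _bits(st, uid, gids) & 0o6 == 0o6

def demo():
    """Build a temporary /run/uwsgi-style layout and evaluate it for two users."""
    with tempfile.TemporaryDirectory() as d:
        run = os.path.join(d, 'uwsgi')
        os.mkdir(run, 0o770)                  # D /run/uwsgi 0770 uwsgi uwsgi -
        path = os.path.join(run, 'me_vandorjw.socket')
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        os.chmod(path, 0o660)                 # chmod-socket = 660
        me, my_gids = os.getuid(), {os.getgid()}
        # Constructed stand-in: uid 65534 (nobody) sharing no group with the
        # socket, i.e. an nginx that was never put in the uwsgi group.
        outsider, no_gids = 65534, set()
        result = (can_create_socket(run, me, my_gids),
                  can_connect(path, me, my_gids),
                  can_connect(path, outsider, no_gids))
        srv.close()
        return result

if __name__ == '__main__':
    print(demo())  # (True, True, False)
```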