From 120ad5dce9ae29038b3b93f0309d3b013eba71c7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?=
Date: Wed, 10 Sep 2014 22:56:21 +0200
Subject: [PATCH 1/1] Initial package, in /opt for now.
---
rOCCI-server.logrotate | 5 +
rOCCI-server.spec | 277 +++++++++++++++++++++++++++++++++++++++++++++
rocci-server-gemfile.diff | 100 ++++++++++++++++
rocci-server-unbundle.diff | 20 ++++
rocci_server.fc | 3 +
rocci_server.te | 60 ++++++++++
6 files changed, 465 insertions(+)
create mode 100644 rOCCI-server.logrotate
create mode 100644 rOCCI-server.spec
create mode 100644 rocci-server-gemfile.diff
create mode 100644 rocci-server-unbundle.diff
create mode 100644 rocci_server.fc
create mode 100644 rocci_server.te
diff --git a/rOCCI-server.logrotate b/rOCCI-server.logrotate
new file mode 100644
index 0000000..eff9d04
--- /dev/null
+++ b/rOCCI-server.logrotate
@@ -0,0 +1,5 @@
+/var/log/rocci-server/*.log {
+ weekly
+ rotate 4
+ missingok
+}
diff --git a/rOCCI-server.spec b/rOCCI-server.spec
new file mode 100644
index 0000000..3e6522c
--- /dev/null
+++ b/rOCCI-server.spec
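Review bot: The stanza for `/var/log/rocci-server/*.log` rotates by rename but has neither `copytruncate` nor a `postrotate` hook, so the Passenger/Rails workers keep writing through their already-open descriptor into the rotated file and the fresh `*.log` stays empty until the application is restarted. Adding `copytruncate` is the usual fix for a Rails app that does not reopen its logs; `compress` and `notifempty` would also be worth adding so idle weeks do not produce uncompressed empty archives. If logrotate is ever made to create the files itself, a `create 0640 rocci rocci` line would keep ownership consistent with the spec's `%attr(-,rocci,rocci)` on the log directory.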
@@ -0,0 +1,277 @@
+%global gem_name occi-server
+# %%{_datadir}/%%{name}
+%global app_root /opt/%{name}
+%global semodule_name rocci_server
+%global use_bundler 1
+
+%global commit e142d83fc4214fdfd7498209e68491eb913cd1cf
+%global shortcommit %(c=%{commit}; echo ${c:0:7})
+%global date 20140830
+
+Name: rOCCI-server
+Version: 1.0.5
+Release: 1.%{date}git%{shortcommit}%{?dist}
+Summary: Ruby OCCI Server
+
+License: ASL 2.0
+URL: https://github.com/EGI-FCTF/rOCCI-server
+Source0: https://github.com/EGI-FCTF/%{name}/archive/%{commit}/%{name}-%{commit}.tar.gz
+Source1: %{semodule_name}.te
+Source2: %{semodule_name}.fc
+Source3: %{name}.logrotate
+Patch0: rocci-server-gemfile.diff
+Patch1: rocci-server-unbundle.diff
+
+BuildArch: noarch
+BuildRequires: policycoreutils-python
+BuildRequires: ruby(release) >= 1.9.3
+BuildRequires: rubygems-devel
+%if %{use_bundler}
+BuildRequires: rubygem(bundler)
+%endif
+BuildRequires: rubygem(rdoc)
+# tests (plus all runtimes)
+#BuildRequires: rubygem(rspec)
+#BuildRequires: rubygem(rspec-rails)
+Requires(pre): shadow-utils
+Requires(post): policycoreutils
+Requires(preun): policycoreutils
+Requires(postun): policycoreutils
+Requires: logrotate
+Requires: memcached
+Requires: mod_passenger
+%if %{use_bundler}
+Requires: rubygem(bundler)
+%endif
+Requires: rubygem(dalli)
+Requires: rubygem(hashie)
+Requires: rubygem(ice_nine)
+# upstream: jbuilder ~> 2.1.0
+# F20: 1.5.0
+Requires: rubygem(jbuilder)
+Requires: rubygem(kgio)
+# upstream: ~> 4.0.48
+# F20: 4.0.18
+Requires: rubygem(passenger)
+# upstream: rails ~> 4.0.8
+# F20: 4.0.0, F21: 4.1.x
+Requires: rubygem(rails) >= 4.0.0
+Requires: rubygem(rails) <= 4.1
+# upstream: rails-api ~> 0.2.0, F20: 0.1.0
+Requires: rubygem(rails-api)
+# COPR
+Requires: rubygem(logstasher)
+Requires: rubygem(occi-core) >= 4.2.16
+Requires: rubygem(occi-core) < 4.3
+Requires: rubygem(rack-cors)
+Requires: rubygem(whenever)
+# upstream: >= 1.2.3, really needed
+# F20: 1.2.0
+Requires: rubygem(warden) >= 
1.2.3
+%if 0%{?fedora} && 0%{?fedora} <= 20 || 0%{?rhel} && 0%{?rhel} <= 7
+Requires: ruby(release)
+Requires: ruby(rubygems)
+Requires: rubygem(openssl_cms_2_0_0)
+Provides: rubygem(%{gem_name}) = %{version}
+%else
+Requires: rubygem(openssl_cms_2_1)
+%endif
+
+%description
+A ruby OCCI server.
+
+
+%package doc
+Summary: Documentation for %{name}
+Group: Documentation
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+
+%description doc
+Documentation for %{name}.
+
+
+%prep
+%setup -q -n %{name}-%{commit}
+
+# correct openssl_cms dependency:
+# - remove reference to git
+# - keep only one openssl_cms gem
+%if 0%{?fedora} && 0%{?fedora} <= 20
+echo 'gem "openssl_cms_2_0_0", require: false, platforms: :ruby_20' > lib/authentication_strategies/bundles/Gemfile.keystone
+%else
+echo 'gem "openssl_cms_2_1", require: false, platforms: :ruby_21' > lib/authentication_strategies/bundles/Gemfile.keystone
+%endif
+
+# tweak Gemfile
+%patch0 -p1
+# kill bundler
+%if %{use_bundler}
+%patch1 -p1
+%endif
+
+# always use the system gems
+sed -i .bundle/config -e '/.*BUNDLE_DISABLE_SHARED_GEMS.*/d'
+
+
+%build
+checkmodule -M -m -o %{semodule_name}.mod %{SOURCE1}
+semodule_package -o %{semodule_name}.pp -m %{semodule_name}.mod -f %{SOURCE2}
+
+
+%install
+mkdir -p %{buildroot}%{app_root}
+mkdir -p %{buildroot}%{_sysconfdir}
+cp -a . 
%{buildroot}%{app_root}
+
+# unused
+rm -f %{buildroot}%{app_root}/.gitignore
+find %{buildroot}%{app_root} -name .keep -delete
+
+# config files
+mv %{buildroot}%{app_root}/etc %{buildroot}%{_sysconfdir}/rocci-server
+ln -s %{_sysconfdir}/rocci-server %{buildroot}%{app_root}/etc
+
+# logs
+mkdir -p %{buildroot}%{_localstatedir}/log/rocci-server
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+rm -rf %{buildroot}/%{app_root}/log
+ln -s %{_localstatedir}/log/rocci-server %{buildroot}/%{app_root}/log
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+
+# bundler:
+# - no Gemfile.lock
+# - enable shared gems
+# - disable backends dependencies for now
+mv %{buildroot}%{app_root}/Gemfile.lock %{buildroot}%{app_root}/Gemfile.lock.upstream
+touch %{buildroot}%{app_root}/Gemfile.lock
+# disable backend dependencies
+# TODO: get them to Fedora
+mv %{buildroot}%{app_root}/lib/backends/bundles/Gemfile.ec2 %{buildroot}%{app_root}/lib/backends/bundles/upstream-Gemfile.ec2
+mv %{buildroot}%{app_root}/lib/backends/bundles/Gemfile.opennebula %{buildroot}%{app_root}/lib/backends/bundles/upstream-Gemfile.opennebula
+
+rdoc --op %{buildroot}%{_pkgdocdir} lib app *.md
+chmod -x %{buildroot}%{_pkgdocdir}/images/*.png
+
+# SELinux
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
+install -m 0644 %{semodule_name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}
+rm -f %{buildroot}%{app_root}/%{semodule_name}.mod
+rm -f %{buildroot}%{app_root}/%{semodule_name}.pp
+
+# httpd configuration
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
+# update for apache >= 2.4
+sed -i examples/etc/apache2/sites-available/occi-ssl -e 's/Allow from all/Require all granted/i'
+install -p -m 0644 examples/etc/apache2/sites-available/occi-ssl %{buildroot}%{_sysconfdir}/httpd/conf.d/occi-ssl.conf
+echo "Listen 11443" >> %{buildroot}%{_sysconfdir}/httpd/conf.d/occi-listen.conf
+install -p -m 0644 examples/etc/apache2/conf.d/security 
%{buildroot}%{_sysconfdir}/httpd/conf.d/occi-security.conf
+
+
+#%%check
+#rspec -Ilib spec --require spec_helper || :
+#cat </dev/null || groupadd -r rocci
+getent passwd rocci >/dev/null || useradd -r -g rocci -d %{app_root} -c "rOCCI user" rocci
+
+%post
+if [ "$1" -le "1" ] ; then # First install
+ semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
+ restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
+ semanage port -a -t http_port_t -p tcp 11443 2>/dev/null || :
+fi
+
+%preun
+if [ "$1" -lt "1" ] ; then # Final removal
+ semodule -r %{semodule_name} 2>/dev/null || :
+ semanage port -d -t http_port_t -p tcp 11443 2>/dev/null || :
+fi
+
+%postun
+if [ "$1" -ge "1" ] ; then # Upgrade
+ semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
+ restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
+fi
+
+
+%files
+%doc %{app_root}/LICENSE
+%config(noreplace) %{_sysconfdir}/rocci-server/
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-listen.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-security.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-ssl.conf
+%dir %{_datadir}/selinux/packages/%{name}/
+%{app_root}/.bundle/
+%{app_root}/app/
+%{app_root}/bin/
+%{app_root}/config/
+%{app_root}/db/
+%{app_root}/examples/
+%{app_root}/lib/
+%{app_root}/public/
+%{app_root}/vendor/
+%{app_root}/etc
+%{app_root}/log
+%{app_root}/Capfile
+%{app_root}/Gemfile
+%{app_root}/config.ru
+%attr(-,rocci,rocci) %{app_root}/Gemfile.lock
+%attr(-,rocci,rocci) %{_localstatedir}/log/rocci-server/
+%{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp
+%exclude %{app_root}/.rspec
+%exclude %{app_root}/.travis.yml
+%exclude %{app_root}/Guardfile
+%exclude %{_pkgdocdir}/
+
+%files doc
+%{_pkgdocdir}/
+%{app_root}/spec/
+%{app_root}/test/
+%{app_root}/Gemfile.lock.upstream
+%{app_root}/README.md
+%{app_root}/Rakefile
+
+
+%changelog
+* Mon Sep 08 2014 František Dvořák - 1.0.5-1.20140830gite142d83
+- Initial package
+- Still in /opt
diff --git a/rocci-server-gemfile.diff b/rocci-server-gemfile.diff
new file mode 100644
index 0000000..bc40721
--- /dev/null
+++ b/rocci-server-gemfile.diff
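Review bot: `Requires: rubygem(rails) <= 4.1` does not do what the comment above it (`# F20: 4.0.0, F21: 4.1.x`) intends: in RPM version ordering 4.1.1 is greater than 4.1, so every 4.1.x point release is rejected and the package becomes uninstallable on F21; the upper bound should be `Requires: rubygem(rails) < 4.2`. In `%prep`, `%patch1` (the patch that removes `Bundler.require` and `bundler/setup`, labelled `# kill bundler`) is applied under `%if %{use_bundler}`, the same condition that adds `Requires: rubygem(bundler)` — one of the two looks inverted, and if the intent is "patch out bundler when it is not used" the guard should read `%if ! %{use_bundler}`. The `%post`/`%postun` scriptlets both discard stderr and force success on `semodule -i`, `restorecon` and `semanage port -a`, so a policy that fails to load or a port that fails to be labelled leaves httpd unable to bind 11443 under enforcing mode with no message in the transaction; keeping `|| :` but dropping `2>/dev/null` would surface the failure. The `%pre` section appears truncated in this rendering (`#cat </dev/null || groupadd -r rocci`, and the hunk is 277 lines while only about 240 are visible), so the group-creation line could not be reviewed.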
@@ -0,0 +1,100 @@
+Author: František Dvořák
+Date: Mon Sep 8 00:03:35 2014 +0200
+
+ Helper patch when using rOCCI server with bundler:
+ - relax dependencies for Fedora
+ - remove all development-only dependencies explicitly
+
+diff --git a/Gemfile b/Gemfile
+index fda0f03..1c8e9c8 100644
+--- a/Gemfile
++++ b/Gemfile
+@@ -1,74 +1,26 @@
+ source 'https://rubygems.org'
+
+ # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
+-gem 'rails', '~> 4.0.8'
+-gem 'rails-api', '~> 0.2.0'
++gem 'rails', '~> 4.0.0'
++gem 'rails-api', '>= 0.1.0'
+
+ # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
+-gem 'jbuilder', '~> 2.1.0'
++gem 'jbuilder', '~> 1.5.0'
+
+ # Stuff for working with CORS in Rack
+ gem 'rack-cors', :require => 'rack/cors'
+
+-group :doc do
+- # bundle exec rake doc:rails generates the API under doc/api.
+- gem 'sdoc', require: false
+-end
+-
+ # Use ActiveModel has_secure_password
+ # gem 'bcrypt-ruby', '~> 3.0.0'
+
+-# Use Capistrano for deployment
+-gem 'capistrano', group: :development
+-gem 'rvm-capistrano', group: :development
+-
+-# Use debugger
+-gem 'debugger', group: [:development, :test]
+-
+ # Use whenever for scheduled jobs
+ gem 'whenever', require: false
+
+ # Use passenger for deployment (standalone or in Apache2)
+-gem 'passenger', '~> 4.0.48'
+-
+-# Use simplecov for coverage reports
+-gem 'simplecov', group: [:development, :test]
++gem 'passenger', '~> 4.0.18'
+
+ # Use RSpec for unit tests
+-gem 'rspec-rails', '~> 2.99.0', group: [:development, :test]
+-gem 'fuubar', group: [:development, :test]
+-
+-# Use Pry for debugging
+-gem 'pry-rails', group: [:development, :test]
+-gem 'pry-rescue', group: [:development, :test]
+-gem 'pry-stack_explorer', group: [:development, :test]
+-
+-# Use guard to speed-up devel process
+-gem 'guard-bundler', group: :development
+-gem 'guard-test', group: :development
+-gem 'guard-rails', group: :development
+-
+-# Use notification libs to integrate guard with pop-ups
+-gem 
'rb-inotify', require: false, group: :development
+-gem 'libnotify', group: :development
+-
+-# Use YARD for documentation
+-gem 'yard', group: :development
+-gem 'redcarpet', group: :development
+-
+-# Use bond+hirb to extend irb
+-#
+-# Add the following to your ~/.irbrc:
+-#
+-# require 'bond'
+-# require 'hirb'
+-#
+-# Bond.start
+-# Hirb.enable
+-#
+-# Or type it in the current irb session.
+-gem 'bond', group: :development
+-gem 'hirb', group: :development
++gem 'rspec-rails', '>= 2.14.0', group: [:development, :test]
+
+ # Caching stuff
+ gem 'dalli'
+@@ -78,7 +30,7 @@ gem 'kgio', group: :stuff_breaking_travis_ci
+ gem 'warden', '~> 1.2.3'
+
+ # Sensible logging with LogStash support
+-gem 'logstasher', git: "git://github.com/arax/logstasher.git", branch: "master"
++gem 'logstasher'
+
+ # Use Hashie::Mash to simplify hash-related stuff
+ gem 'hashie'
diff --git a/rocci-server-unbundle.diff b/rocci-server-unbundle.diff
new file mode 100644
index 0000000..7cf08f0
--- /dev/null
+++ b/rocci-server-unbundle.diff
@@ -0,0 +1,20 @@
+--- ./config/application.rb.orig 2014-08-13 20:47:29.000000000 +0200
++++ ./config/application.rb 2014-08-20 20:22:35.635715445 +0200
+@@ -8,10 +8,6 @@ require 'action_controller/railtie'
+ require 'rails/test_unit/railtie'
+ # require 'sprockets/railtie'
+
+-# Require the gems listed in Gemfile, including any gems
+-# you've limited to :test, :development, or :production.
+-Bundler.require(:default, Rails.env)
+-
+ # Extend Object with #deep_freeze
+ require 'ice_nine/core_ext/object'
+
+--- ./config/boot.rb.orig 2014-08-13 20:47:29.000000000 +0200
++++ ./config/boot.rb 2014-08-20 20:22:05.051097805 +0200
+@@ -1,4 +0,0 @@
+-# Set up gems listed in the Gemfile.
+-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+-
+-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
diff --git a/rocci_server.fc b/rocci_server.fc
new file mode 100644
index 0000000..ea858c9
--- /dev/null
+++ b/rocci_server.fc
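Review bot: The relaxed pin `gem 'rails', '~> 4.0.0'` admits only 4.0.x, while the spec's `Requires: rubygem(rails) >= 4.0.0` together with its `# F21: 4.1.x` comment expects 4.1 to work; if bundler still resolves this Gemfile at runtime (the packaged `.bundle/` directory and the empty, app-writable `Gemfile.lock` suggest it may), the two constraints should agree, e.g. `gem 'rails', '>= 4.0.0', '< 4.2'`. The same mismatch exists between `gem 'passenger', '~> 4.0.18'` and the spec's unversioned `Requires: mod_passenger`. Replacing the `git://` source for logstasher with the released gem is a good change (the git transport is unauthenticated and pinned only to a branch name), but the patch header should record which logstasher version the Fedora/COPR package provides so the dropped `branch: "master"` pin can be re-checked on the next update.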
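Review bot: Removing `Bundler.require(:default, Rails.env)` from config/application.rb drops the implicit `require` of every default-group gem (rack/cors via its `:require` option, jbuilder, dalli, warden, hashie, logstasher), and the patch adds no explicit requires in their place; unless the application already requires each of them itself — which cannot be seen from this patch — the server will fail with a NameError at boot. A comment at the removal site, e.g. `# bundler is not used in the RPM build; gems are required explicitly below`, followed by the actual `require` lines, would make the unbundled boot path self-describing. Emptying config/boot.rb entirely is fine as long as application.rb still requires it only for its side effects.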
@@ -0,0 +1,3 @@
+/var/log/rocci-server(/.*)? system_u:object_r:passenger_log_t:s0
+/opt/rOCCI-server/lib(/.*)? system_u:object_r:passenger_var_lib_t:s0
+/opt/rOCCI-server/Gemfile.lock system_u:object_r:passenger_tmp_t:s0
diff --git a/rocci_server.te b/rocci_server.te
new file mode 100644
index 0000000..71e46ed
--- /dev/null
+++ b/rocci_server.te
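Review bot: `/opt/rOCCI-server/lib(/.*)?` is labeled passenger_var_lib_t, which as far as I know is a type the base policy lets passenger_t write to (the .te in this commit adds no write rule for it, so the permission must come from there — please confirm); that makes the application's own Ruby code under lib/ modifiable by the running application, so a compromised request handler could persist changes into the code tree. If the write need is limited to the generated bundle Gemfiles under lib/backends/bundles and lib/authentication_strategies/bundles (the only lib/ paths the spec touches), narrow the pattern to those paths and leave the rest of lib/ with its default read-only label. The paths are hard-coded to /opt/rOCCI-server while the spec derives everything from `%{app_root}` and notes that /opt is temporary, so a later move would silently leave these contexts dangling; either generate the .fc from the spec or add `# paths must match %%{app_root} in rOCCI-server.spec` here.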
@@ -0,0 +1,60 @@
+module rocci_server 1.0;
+
+require {
+ type anon_inodefs_t;
+ type home_root_t;
+ type httpd_t;
+ type hwdata_t;
+ type lib_t;
+ type locale_t;
+ type memcache_port_t;
+ type passenger_t;
+ type passenger_tmp_t;
+ type passenger_var_run_t;
+ type sysfs_t;
+ type var_log_t;
+ type man_t;
+ class capability2 block_suspend;
+ class dir { open read search };
+ class file { execute execute_no_trans getattr open read write };
+ class lnk_file read;
+ class sock_file write;
+ class tcp_socket { name_connect listen };
+ class unix_stream_socket { getattr read write };
+ class process { getsession signull };
+}
+
+#============= httpd_t ==============
+allow httpd_t passenger_tmp_t:sock_file write;
+
+#============= passenger_t ==============
+allow passenger_t anon_inodefs_t:file { write read };
+allow passenger_t home_root_t:dir search;
+allow passenger_t httpd_t:unix_stream_socket getattr;
+allow passenger_t lib_t:file execute_no_trans;
+allow passenger_t locale_t:file { read getattr open };
+allow passenger_t man_t:dir { read open };
+# there exists httpd_can_network_memcache boolean, but that's not intended for passenger
+allow passenger_t memcache_port_t:tcp_socket name_connect;
+allow passenger_t self:process { getsession signull };
+allow passenger_t self:tcp_socket listen;
+allow passenger_t var_log_t:lnk_file read;
+
+# passenger_native_support.so
+allow passenger_t passenger_var_run_t:file execute;
+
+# not audited rules :-(
+# needed for #1029132
+# fixed since selinux-policy-3.12.1-183.fc20
+allow passenger_t httpd_t:unix_stream_socket { read write };
+
+# handling exceptions
+allow passenger_t hwdata_t:dir search;
+allow passenger_t hwdata_t:file getattr;
+allow passenger_t hwdata_t:file open;
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t sysfs_t:dir read;
+allow passenger_t sysfs_t:file getattr;
+allow passenger_t sysfs_t:file open;
+allow passenger_t sysfs_t:file read;
+allow passenger_t sysfs_t:lnk_file read;
-- 
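Review bot: `allow passenger_t passenger_var_run_t:file execute;` (commented only as `# passenger_native_support.so`) lets the domain execute any file it can place in its own runtime directory, since passenger_var_run_t is — as far as I can tell from the base policy, please confirm — writable by passenger_t; together with `allow passenger_t lib_t:file execute_no_trans;` this removes the separation between what the application can write and what it can run. A tighter alternative is to give the compiled native_support library an executable-library label through a file-context entry in rocci_server.fc for the directory passenger builds it in, and to extend the comment with the passenger version and path that were observed, e.g. `# passenger <VERSION> compiles passenger_native_support.so into <PATH>; labeled via rocci_server.fc`. The `# handling exceptions` group (hwdata_t, sysfs_t, `capability2 block_suspend`) should say which code path produced the denials and whether the accesses are needed or merely noisy — the latter would be a candidate for `dontaudit` rather than `allow`. The `# not audited rules` block already names the fixed selinux-policy version, so a note to drop it once that version is the minimum would keep the module from accumulating stale rules, and `home_root_t:dir search` has no comment at all.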
1.8.2.3