
Add info for systemd based distros

Open stratakis opened this issue 5 years ago • 10 comments

Provide examples for managing the buildbot-worker service through systemd unit files for systemd based distributions.

stratakis avatar May 15 '20 16:05 stratakis

Note I have just removed the Netlify integration, since we're using readthedocs preview build now.

Mariatta avatar May 15 '20 16:05 Mariatta

I see. SELinux and systemd both treat /home as a privileged and restricted area. System services are generally not allowed to access /home to prevent daemons from stealing ssh private keys, personal emails, or your cat pictures.

I know of four options to deal with this problem:

  • move buildbot out of /home. For example deploy buildbot code to /opt/buildbot and use systemd RuntimeDirectory, StateDirectory, and LogsDirectory (/run, /var/log, ... see man systemd.exec)
  • run buildbot as systemd user service. You have to put the service file to /home/buildbot/.config/systemd/user/buildbot.service, enable lingering with loginctl enable-linger buildbot, and start the service from a buildbot login shell (not su/sudo!) as systemctl --user enable --now buildbot.service.
  • create a custom SELinux policy, types, and file contexts for buildbot.
  • make the init_t SELinux type permissive semanage permissive -a init_t

tiran avatar May 21 '20 15:05 tiran
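A user-unit file for the second option above, added here as an illustration and not part of the devguide or of the buildbot project; the venv path `%h/venv` and the worker basedir `%h/worker` are assumptions, and `%h` is systemd's specifier for the user's home directory.

```ini
# Assumed location: /home/buildbot/.config/systemd/user/buildbot-worker.service
# Runs under the buildbot user's own systemd instance, so no system service
# ever has to reach into /home and the home-directory restrictions do not apply.
[Unit]
Description=Buildbot worker (per-user service)

[Service]
Type=simple
# Assumed layout: virtualenv in %h/venv, basedir created with `buildbot-worker create-worker` in %h/worker
WorkingDirectory=%h/worker
ExecStart=%h/venv/bin/buildbot-worker start --nodaemon %h/worker
Restart=on-failure
RestartSec=10
# The worker has no reason to gain privileges through setuid binaries
NoNewPrivileges=yes

[Install]
WantedBy=default.target
```

Enable lingering with `loginctl enable-linger buildbot` so the user instance keeps running after logout, then from a buildbot login shell run `systemctl --user enable --now buildbot-worker.service`; as stratakis notes in the thread, `systemctl --user` is not usable on RHEL7.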

> I see. SELinux and systemd both treat /home as a privileged and restricted area. System services are generally not allowed to access /home to prevent daemons from stealing ssh private keys, personal emails, or your cat pictures.
>
> I know of four options to deal with this problem:
>
> * move buildbot out of `/home`. For example deploy buildbot code to `/opt/buildbot` and use systemd `RuntimeDirectory`, `StateDirectory`, and `LogsDirectory` (/run, /var/log, ... see man systemd.exec)

That would go against the current guidelines of setting up a buildbot worker (or require a bigger overhaul), so I wouldn't go with that option.

> * run buildbot as systemd user service. You have to put the service file to `/home/buildbot/.config/systemd/user/buildbot.service`, enable lingering with `loginctl enable-linger buildbot`, and start the service from a buildbot login shell (not su/sudo!) as `systemctl --user enable --now buildbot.service`.

This solution I liked the most; however, the `systemctl --user` option is not available in RHEL7.

> * create a custom SELinux policy, types, and file contexts for buildbot.

Maybe that would be the best way then. Any pointers on how to work with that?

> * make the init_t SELinux type permissive `semanage permissive -a init_t`

Not sure I would like to change init_t.

stratakis avatar Jun 09 '20 22:06 stratakis

If this PR is still relevant, it should be updated after the devguide reorganization, reviewed, and merged.

ezio-melotti avatar Jul 12 '22 01:07 ezio-melotti

> If this PR is still relevant, it should be updated after the devguide reorganization, reviewed, and merged.

Thanks for the reminder. Is there an ETA for the devguide reorganization?

stratakis avatar Jul 18 '22 13:07 stratakis

The devguide reorganization is done already, and there is now a conflict on the PR that must be resolved.

ezio-melotti avatar Jul 19 '22 21:07 ezio-melotti

@stratakis can you merge main into your branch and resolve the conflict?

ezio-melotti avatar Oct 07 '22 05:10 ezio-melotti

Rebased.

stratakis avatar Oct 10 '22 15:10 stratakis

Thanks! @methane / @zware, can you (re-)review?

ezio-melotti avatar Oct 11 '22 11:10 ezio-melotti