Triple S!!! Speed, Systemd and Selinux (#272)

This commit is contained in:
Tom Gamull 2020-06-30 12:59:53 -04:00 committed by GitHub
parent f3c8bd2b70
commit 7e6a7f0397
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 370 additions and 111 deletions


@ -223,4 +223,6 @@ Author Information
[Grzegorz Dzien](https://github.com/gdzien)
[Tom Gamull](https://github.com/magicalyak)
© [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020


@ -94,3 +94,18 @@ nginx_cleanup_config_path:
- directory:
- /etc/nginx/conf.d
recurse: false
# Set selinux enforcing for nginx (Centos/Redhat only) - you may need to open ports on your own
nginx_selinux: false
# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
nginx_selinux_enforcing: true
# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
# nginx_selinux_tcp_ports:
# - 80
# - 443
# List of UDP ports to add to http_port_t type
# nginx_selinux_udp_ports:
# - 80
# - 443
# Temporary directory to hold selinux modules
nginx_tempdir: /tmp
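Review bot: The comment on `nginx_selinux_enforcing` understates what the role does: the SELinux tasks first put a host that is currently enforcing into permissive mode and only switch it back when this flag is true, so `false` leaves a previously enforcing host permissive system-wide, not just for nginx. Suggest `# If false, the role leaves SELinux in permissive mode globally after installing the module, even on hosts that were enforcing before`. The `Centos/Redhat only` remark on `nginx_selinux` also no longer matches the commit, which wires the same SELinux tasks into the Suse prerequisites file as well.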

43
defaults/main/systemd.yml Normal file

@ -0,0 +1,43 @@
---
# Enable systemd modifications
# ** ALL of the following variables are ignored unless this is set to true **
nginx_service_modify: false
# Remove the override file completely
nginx_service_clean: false
# Override the systemd directory
# Default is /etc/systemd/system/nginx.service.d
nginx_service_overridepath: /etc/systemd/system/nginx.service.d
# Override the systemd filename
# Default is override.conf
nginx_service_overridefilename: override.conf
# Set service timeout for systemd systems in seconds (default: 90)
# [Service]
# TimeoutStopSec=90
# Default is to comment this out
# nginx_service_timeoutstopsec: 90
# Set the restart policy for systemd systems
# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
# [Service]
# Restart=on-failure
# Default is to comment this out
# nginx_service_restart: on-failure
# Set the restart timer in seconds
# [Service]
# RestartSec=5s
# Default is to comment this out
# nginx_service_restartsec: 5s
# Enable a custom systemd override file
# ** This could break the service **
# Setting this to true disables custom values above
nginx_service_custom: false
# Filename and path for systemd override file
# Setting this will overwrite existing override file
nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"
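Review bot: The documented `nginx_service_restart` variable (values `no`, `on-failure`, …) is not what the override template reads: templates/services/nginx.service.override.conf.j2 checks `nginx_service_restartonfailure is defined` and always emits `Restart=on-failure`, so setting `nginx_service_restart: always` as described here has no effect. Either change the template to `{% if nginx_service_restart is defined %}` / `Restart={{ nginx_service_restart }}` / `{% endif %}` or document `nginx_service_restartonfailure` here instead. The molecule playbooks in this commit set `nginx_service_timeout: 95` rather than `nginx_service_timeoutstopsec`, so the timeout override is not actually exercised by the tests either.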


@ -0,0 +1,2 @@
[Service]
TimeoutStopSec=90


@ -1,4 +1,14 @@
---
# handlers file for ansible-role-nginx
- name: "(Handler: All OSs) Check NGINX"
command: "nginx -t"
changed_when: false
- name: "(Handler: All OSs) systemd daemon-reload"
systemd:
daemon_reload: yes
notify: "(Handler: All OSs) Start NGINX"
- name: "(Handler: All OSs) Run NGINX"
block:
@ -33,7 +43,3 @@
name: unitd
state: started
enabled: yes
- name: "(Handler: All OSs) Check NGINX"
command: "nginx -t"
changed_when: false
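Review bot: `daemon_reload: yes` in the new handler should be written `daemon_reload: true`; `yes` is a YAML 1.1 boolean that 1.2 parsers and yamllint's truthy rule flag, and the new defaults files in this commit already use `true`/`false` for the `nginx_service_*` flags. The same applies to the `state: yes` / `persistent: yes` values in the new SELinux boolean tasks.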


@ -25,7 +25,10 @@
- role: ansible-role-nginx
vars:
nginx_debug_output: true
nginx_selinux: true
nginx_selinux_tcp_ports:
- 80
- 443
nginx_version: "{{ version }}"
nginx_logrotate_conf_enable: true
nginx_logrotate_conf:


@ -6,6 +6,13 @@
vars:
nginx_debug_output: true
nginx_service_modify: true
nginx_service_timeout: 95
nginx_selinux: true
nginx_selinux_tcp_ports:
- 80
- 443
nginx_cleanup_config: true
nginx_cleanup_config_path:
- directory:


@ -6,6 +6,13 @@
vars:
nginx_debug_output: true
nginx_service_modify: true
nginx_service_timeout: 95
nginx_selinux: true
nginx_selinux_tcp_ports:
- 80
- 443
nginx_main_template_enable: true
nginx_main_template:
template_file: nginx.conf.j2


@ -1,9 +1,8 @@
---
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_os_family | lower }}.yml"
when:
- ansible_os_family == "Debian"
or ansible_os_family == "Redhat"
- name: "(Install: All OSs) Install NGINX Amplify Agent"
package:
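Review bot: The `when` on the new include compares `ansible_os_family == "Redhat"`, but the fact value is spelled `"RedHat"` (as the removed line above and every other file in this commit use), so the Amplify setup tasks will never be included on RHEL/CentOS hosts. Change it to `or ansible_os_family == "RedHat"`.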

16
tasks/keys/setup-keys.yml Normal file

@ -0,0 +1,16 @@
---
- name: "(Setup: Keys) Alpine"
include_tasks: "{{ role_path }}/tasks/keys/apk-key.yml"
when: ansible_os_family == "Alpine"
tags: nginx_apkkey
- name: "(Setup: Keys) Debian"
include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml"
when: ansible_os_family == "Debian"
tags: nginx_aptkey
- name: "(Setup: Keys) RedHat/Suse"
include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml"
when: ansible_os_family == "RedHat"
or ansible_os_family == "Suse"
tags: nginx_rpmkey


@ -1,44 +1,36 @@
---
- import_tasks: prerequisites/install-prerequisites.yml
- name: "(Setup: Prerequisites)"
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-{{ ansible_os_family | lower }}.yml"
tags: nginx_prerequisites
- import_tasks: keys/apt-key.yml
- name: "(Setup: Keys)"
import_tasks: keys/setup-keys.yml
when:
- ansible_os_family == "Debian"
- nginx_install_from == "nginx_repository"
or nginx_amplify_enable
or nginx_unit_enable
tags: nginx_aptkey
- import_tasks: keys/rpm-key.yml
when:
- ansible_os_family == "RedHat"
- ansible_os_family == "Alpine"
or ansible_os_family == "Debian"
or ansible_os_family == "RedHat"
or ansible_os_family == "Suse"
- nginx_install_from == "nginx_repository"
or nginx_amplify_enable
or nginx_unit_enable
tags: nginx_rpmkey
- import_tasks: keys/apk-key.yml
when: ansible_os_family == "Alpine"
tags: nginx_apkkey
tags: nginx_key
- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX"
block:
- import_tasks: opensource/install-oss.yml
- include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml"
when: nginx_type == "opensource"
tags: nginx_install_oss
- import_tasks: plus/install-plus.yml
- include_tasks: "{{ role_path }}/tasks/plus/install-plus.yml"
when: nginx_type == "plus"
tags: nginx_install_plus
- import_tasks: conf/cleanup-config.yml
- include_tasks: "{{ role_path }}/tasks/conf/cleanup-config.yml"
when: nginx_cleanup_config | bool
tags: nginx_cleanup_config
- import_tasks: conf/upload-config.yml
- include_tasks: "{{ role_path }}/tasks/conf/upload-config.yml"
when: nginx_main_upload_enable
or nginx_http_upload_enable
or nginx_stream_upload_enable
@ -46,26 +38,26 @@
or nginx_ssl_upload_enable
tags: nginx_upload_config
- import_tasks: conf/template-config.yml
- include_tasks: "{{ role_path }}/tasks/conf/template-config.yml"
when: nginx_main_template_enable
or nginx_http_template_enable
or nginx_stream_template_enable
or nginx_rest_api_enable
tags: nginx_template_config
- import_tasks: conf/setup-status.yml
- include_tasks: "{{ role_path }}/tasks/conf/setup-status.yml"
when: nginx_status_enable | bool
tags: nginx_setup_status
- import_tasks: modules/install-modules.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml"
when: true in nginx_modules.values()
tags: nginx_install_modules
- import_tasks: conf/debug-output.yml
- include_tasks: "{{ role_path }}/tasks/conf/debug-output.yml"
when: nginx_debug_output | bool
tags: nginx_debug_output
- import_tasks: plus/delete-license.yml
- include_tasks: "{{ role_path }}/tasks/plus/delete-license.yml"
when:
- nginx_type == "plus"
- nginx_delete_license
@ -73,17 +65,17 @@
when: nginx_enable | bool
- import_tasks: amplify/install-amplify.yml
- include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml"
when:
- nginx_amplify_enable | bool
- nginx_amplify_api_key is defined
- nginx_amplify_api_key | length > 0
tags: nginx_install_amplify
- import_tasks: unit/install-unit.yml
- include_tasks: "{{ role_path }}/tasks/unit/install-unit.yml"
when: nginx_unit_enable | bool
tags: nginx_install_unit
- import_tasks: conf/logrotate.yml
- include_tasks: "{{ role_path }}/tasks/conf/logrotate.yml"
when: nginx_logrotate_conf_enable | bool
tags: nginx_logrotate_config
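Review bot: The converted `include_tasks` entries keep their `tags:` (e.g. `tags: nginx_install_oss` on the install-oss include), but tags on a dynamic include apply only to the include statement itself, not to the tasks it loads, whereas `import_tasks` propagated them; a run with `--tags nginx_install_oss` will now enter install-oss.yml and skip every task inside it. To keep tag-filtered runs working, add `apply:` / `  tags: nginx_install_oss` under that include and do the same for the other tagged includes in this file. The Keys entry at the top is still an `import_tasks` and is unaffected.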


@ -1,28 +1,28 @@
---
- import_tasks: install-njs.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-njs.yml"
when: nginx_modules.njs | default(false)
- import_tasks: install-perl.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-perl.yml"
when: nginx_modules.perl | default(false)
- import_tasks: install-geoip.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-geoip.yml"
when:
- nginx_modules.geoip | default(false)
- ansible_os_family != "RedHat"
- ansible_distribution_major_version != "8"
- import_tasks: install-image-filter.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-image-filter.yml"
when: nginx_modules.image_filter | default(false)
- import_tasks: install-rtmp.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-rtmp.yml"
when:
- nginx_modules.rtmp | default(false)
- nginx_type == "plus"
- import_tasks: install-xslt.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-xslt.yml"
when: nginx_modules.xslt | default(false)
- import_tasks: install-waf.yml
- include_tasks: "{{ role_path }}/tasks/modules/install-waf.yml"
when:
- nginx_modules.waf | default(false)
- nginx_type == "plus"


@ -1,23 +1,21 @@
---
- name: "(Install: Linux) Configure NGINX repo"
block:
include_tasks: "{{ role_path }}/tasks/opensource/setup-{{ ansible_os_family | lower }}.yml"
when:
- ansible_os_family == "Alpine"
or ansible_os_family == "Debian"
or ansible_os_family == "RedHat"
or ansible_os_family == "Suse"
- nginx_install_from == "nginx_repository"
- import_tasks: setup-alpine.yml
when: ansible_os_family == "Alpine"
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: setup-suse.yml
when: ansible_os_family == "Suse"
when: nginx_install_from == "nginx_repository"
- name: "(Install: Linux) Modify Service for Systemd"
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
when:
- ansible_service_mgr == "systemd"
- nginx_service_modify
- name: "(Install: Linux) Install NGINX from source"
import_tasks: setup-source.yml
include_tasks: "{{ role_path }}/tasks/opensource/setup-source.yml"
when: nginx_install_from == "source"
- name: "(Install: Linux) Install NGINX package"
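Review bot: The systemd override task is added verbatim here and again in tasks/plus/install-plus-linux.yml; since it does not depend on the install path, hoist it once into main.yml (after the prerequisites include) so the two copies cannot drift. Its condition also tests the bare `nginx_service_modify`, while the includes in main.yml coerce flags with `| bool` (e.g. `when: nginx_cleanup_config | bool`); use `- nginx_service_modify | bool` so a string value passed with `-e` is not treated as true.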


@ -1,8 +1,8 @@
---
- name: "(Install: OSS Linux)"
import_tasks: install-oss-linux.yml
include_tasks: "{{ role_path }}/tasks/opensource/install-oss-linux.yml"
when: ansible_os_family in nginx_linux_families
- name: "(Install: OSS BSD)"
import_tasks: install-oss-bsd.yml
include_tasks: "{{ role_path }}/tasks/opensource/install-oss-bsd.yml"
when: ansible_system in nginx_bsd_systems


@ -18,17 +18,10 @@
- /etc/apk/cert.pem
when: ansible_distribution == "Alpine"
- import_tasks: setup-alpine.yml
when: ansible_os_family == "Alpine"
- import_tasks: setup-bsd.yml
when: ansible_os_family == "FreeBSD"
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: setup-suse.yml
when: ansible_os_family == "Suse"
- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
when:
- ansible_os_family == "Alpine"
or ansible_os_family == "FreeBSD"
or ansible_os_family == "Debian"
or ansible_os_family == "RedHat"
or ansible_os_family == "Suse"
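Review bot: The new include computes `setup-{{ ansible_os_family | lower }}.yml`, so on FreeBSD it looks for `tasks/plus/setup-freebsd.yml`, while the removed lines included `setup-bsd.yml` for that family and install-plus-bsd.yml still references `{{ role_path }}/tasks/plus/setup-bsd.yml` on its new side. Unless this commit also adds a `setup-freebsd.yml` (not visible here), Plus installs on FreeBSD will fail on a missing file. Either keep a separate `- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml"` with `when: ansible_os_family == "FreeBSD"` and drop FreeBSD from the list, or rename the file to match the computed name.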


@ -1,5 +1,5 @@
---
- import_tasks: setup-bsd.yml
- include_tasks: "{{ role_path }}/tasks/plus/setup-bsd.yml"
when: ansible_os_family == "FreeBSD"
- name: "(Install: FreeBSD) Install NGINX Plus"


@ -1,15 +1,16 @@
---
- import_tasks: setup-alpine.yml
when: ansible_os_family == "Alpine"
- include_tasks: "{{ role_path }}/tasks/plus/setup-{{ ansible_os_family | lower }}.yml"
when:
- ansible_os_family == "Alpine"
or ansible_os_family == "Debian"
or ansible_os_family == "RedHat"
or ansible_os_family == "Suse"
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: setup-suse.yml
when: ansible_os_family == "Suse"
- name: "(Install: Linux) Modify Service for Systemd"
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-systemd.yml"
when:
- ansible_service_mgr == "systemd"
- nginx_service_modify
- name: "(Install: Linux) Install NGINX Plus"
package:


@ -1,11 +1,11 @@
---
- name: "(Install: All OSs) Setup license"
import_tasks: setup-license.yml
include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml"
- name: "(Install: Linux) Install NGINX Plus"
import_tasks: install-plus-linux.yml
include_tasks: "{{ role_path }}/tasks/plus/install-plus-linux.yml"
when: ansible_os_family in nginx_plus_linux_families
- name: "(Install: FreeBSD) Install NGINX Plus"
import_tasks: install-plus-bsd.yml
include_tasks: "{{ role_path }}/tasks/plus/install-plus-bsd.yml"
when: ansible_system in nginx_plus_bsd_systems


@ -1,8 +0,0 @@
---
- name: "(Setup: Debian/Ubuntu) Install Prerequisites"
import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- name: "(Setup: FreeBSD) Install Prerequisites"
import_tasks: setup-freebsd.yml
when: ansible_system == "FreeBSD"


@ -0,0 +1 @@
---


@ -1,5 +1,5 @@
---
- name: "(Install: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
- name: "(Setup: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
apt:
name:
- apt-transport-https


@ -1,14 +1,14 @@
---
- name: "(Install: FreeBSD) Install Required Dependencies"
- name: "(Setup: FreeBSD) Install Required Dependencies"
block:
- name: "(Install: FreeBSD) Install Extra Package(s)"
- name: "(Setup: FreeBSD) Install Extra Package(s)"
pkgng:
name: "{{ nginx_freebsd_extra_packages }}"
state: present
when: nginx_bsd_install_packages|bool
- name: "(Install: FreeBSD) Install Extra Port(s)"
- name: "(Setup: FreeBSD) Install Extra Port(s)"
portinstall:
name: "{{ item }}"
use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}"


@ -0,0 +1,6 @@
---
- name: "(Setup: RedHat/CentOS) Setup SELinux"
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
when:
- nginx_selinux
- ansible_selinux.mode is defined
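Review bot: The include is gated on `ansible_selinux.mode is defined`, which only holds when SELinux is enabled, so with `nginx_selinux: true` on a host where SELinux is disabled the whole file is skipped silently and the `Check for SELinux enabled` debug inside setup-selinux.yml can never run. Add a `debug` or `fail` task here for `nginx_selinux and ansible_selinux.mode is not defined` so the operator learns the policy was not applied; the same applies to tasks/prerequisites/setup-suse.yml.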


@ -0,0 +1,105 @@
---
- name: "(Setup: SELinux) Install Required CentOS Dependencies"
package:
name: policycoreutils-python, setools
state: present
when:
- not ansible_os_family == "RedHat"
- not ansible_distribution_major_version == "8"
- name: "(Setup: SELinux) Install Required RHEL8 Dependencies"
package:
name:
- selinux-policy-targeted
- libselinux-utils
- policycoreutils
state: present
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "8"
- name: "(Setup: SELinux) Check for SELinux enabled"
debug:
msg: "You need to enable selinux, if it was disabled you need to reboot"
when: ansible_selinux is undefined
- name: "(Setup: SELinux) Permissive SELinux"
selinux:
state: permissive
policy: targeted
changed_when: false
when: ansible_selinux.mode == "enforcing"
- name: "(Setup: SELinux: Booleans) Allow HTTP network connection"
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
- name: "(Setup: SELinux: Booleans) Allow HTTP relay connection"
seboolean:
name: httpd_can_network_relay
state: yes
persistent: yes
- name: "(Setup: SELinux: Ports) Allow status ports"
seport:
ports: "{{ nginx_status_port }}"
proto: tcp
setype: http_port_t
state: present
when: nginx_status_port is defined
- name: "(Setup: SELinux: Ports) Allow Rest API ports"
seport:
ports: "{{ nginx_rest_api_port }}"
proto: tcp
setype: http_port_t
state: present
when: nginx_rest_api_port is defined"
- name: "(Setup: SELinux: Ports) Allow Specific TCP Ports"
seport:
ports: "{{ nginx_selinux_tcp_ports }}"
proto: tcp
setype: http_port_t
state: present
when: nginx_selinux_tcp_ports is defined
- name: "(Setup: SELinux: Ports) Allow Specific UDP Ports"
seport:
ports: "{{ nginx_selinux_udp_ports }}"
proto: udp
setype: http_port_t
state: present
when: nginx_selinux_udp_ports is defined
- name: "(Setup: SELinux: Module) Create NGINX Plus Module"
template:
src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
dest: "{{ nginx_tempdir }}/nginx-plus-module.te"
register: nginx_selinux_module
- name: "(Setup: SELinux: Module) Check NGINX Plus Module"
command: "checkmodule -M -m -o {{ nginx_tempdir }}/nginx-plus-module.mod {{ nginx_tempdir }}/nginx-plus-module.te"
args:
creates: "{{ nginx_tempdir }}/nginx-plus-module.mod"
changed_when: false
- name: "(Setup: SELinux: Module) Compile NGINX Plus Module"
command: "semodule_package -o {{ nginx_tempdir }}/nginx-plus-module.pp -m {{ nginx_tempdir }}/nginx-plus-module.mod"
args:
creates: "{{ nginx_tempdir }}/nginx-plus-module.pp"
changed_when: false
- name: "(Setup: SELinux: Module) Import NGINX Plus Module" # noqa 503
command: "semodule -i {{ nginx_tempdir }}/nginx-plus-module.pp"
changed_when: false
when: nginx_selinux_module.changed
- name: "(Setup: SELinux) Enforce SELinux"
selinux:
state: enforcing
policy: targeted
changed_when: false
when: nginx_selinux_enforcing and ansible_selinux.mode == "permissive"
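Review bot: The module build uses fixed file names under `{{ nginx_tempdir }}`, which defaults to the world-writable `/tmp` in defaults/main, and the `creates:` guards on the checkmodule and semodule_package tasks mean a `nginx-plus-module.mod` or `.pp` already present there is reused instead of being rebuilt from the freshly rendered `.te` and is then loaded by `semodule -i` as root. Build in a private root-owned directory created with `tempfile` on each run, drop the `creates:` guards, and remove the directory afterwards (sketch below; the semodule_package and semodule tasks take the same path substitution). Separately, the `when` on the Rest API ports task carries a stray trailing quote (`when: nginx_rest_api_port is defined"`), which will not evaluate; it should be `when: nginx_rest_api_port is defined`. The first task's conditions also look inverted: `not ansible_os_family == "RedHat"` never matches the RedHat hosts setup-redhat.yml includes this file for, so the EL7 dependencies are never installed there while the RHEL package names are attempted on Suse — presumably `ansible_os_family == "RedHat"` with `ansible_distribution_major_version != "8"` was meant. Finally, the Permissive task moves an enforcing host to permissive with `changed_when: false` and the Enforce task only restores enforcing when `nginx_selinux_enforcing` is true, so with that flag false the host is silently left permissive system-wide; that transition deserves a comment and should be reported as a change.
```yaml
- name: "(Setup: SELinux: Module) Create private build directory"
  tempfile:
    state: directory
    path: "{{ nginx_tempdir }}"
    prefix: nginx-selinux.
  register: nginx_selinux_builddir
- name: "(Setup: SELinux: Module) Create NGINX Plus Module"
  template:
    src: "{{ role_path }}/templates/selinux/nginx-plus-module.te.j2"
    dest: "{{ nginx_selinux_builddir.path }}/nginx-plus-module.te"
  register: nginx_selinux_module
- name: "(Setup: SELinux: Module) Check NGINX Plus Module"
  command: "checkmodule -M -m -o {{ nginx_selinux_builddir.path }}/nginx-plus-module.mod {{ nginx_selinux_builddir.path }}/nginx-plus-module.te"
  changed_when: false
# … unchanged: semodule_package and semodule -i tasks, with nginx_tempdir replaced by nginx_selinux_builddir.path and the creates: guards removed …
- name: "(Setup: SELinux: Module) Remove build directory"
  file:
    path: "{{ nginx_selinux_builddir.path }}"
    state: absent
```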


@ -0,0 +1,6 @@
---
- name: "(Setup: Suse) Setup SELinux"
include_tasks: "{{ role_path }}/tasks/prerequisites/setup-selinux.yml"
when:
- nginx_selinux
- ansible_selinux.mode is defined


@ -0,0 +1,38 @@
---
- name: "(Setup: Linux) Create override directory for NGINX systemd Service"
file:
path: "{{ nginx_service_overridepath }}"
state: directory
mode: '0755'
- name: "(Setup: Linux) Create override for NGINX systemd Service"
template:
src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2"
dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
owner: root
group: root
mode: '0644'
notify: "(Handler: All OSs) systemd daemon-reload"
when:
- not nginx_service_custom
- not nginx_service_clean
- name: "(Setup: Linux) Customize override for NGINX systemd Service"
copy:
src: "{{ nginx_service_custom_file }}"
dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"
owner: root
group: root
mode: '0644'
notify: "(Handler: All OSs) systemd daemon-reload"
when:
- nginx_service_custom
- not nginx_service_clean
- name: "(Setup: Linux) Remove override for NGINX systemd Service"
file:
path: "{{ nginx_service_overridepath }}"
state: absent
notify: "(Handler: All OSs) systemd daemon-reload"
when:
- nginx_service_clean
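Review bot: The `Remove override` task deletes the whole `{{ nginx_service_overridepath }}` directory (`/etc/systemd/system/nginx.service.d` by default), not just the file this role wrote, so any other drop-ins an administrator placed there are removed too, while the defaults comment for `nginx_service_clean` promises to remove the override file. Target the file instead: `path: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"`. The single-item `when:` lists in this file (`when:` / `- nginx_service_clean`) also read better as `when: nginx_service_clean | bool`, matching the `| bool` coercion used in main.yml.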


@ -1,12 +1,9 @@
---
- import_tasks: setup-debian.yml
when: ansible_os_family == "Debian"
- import_tasks: setup-redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: setup-freebsd.yml
when: ansible_os_family == "FreeBSD"
- include_tasks: "{{ role_path }}/tasks/unit/setup-{{ ansible_os_family | lower }}.yml"
when:
- ansible_os_family == "Debian"
or ansible_os_family == "RedHat"
or ansible_os_family == "FreeBSD"
- name: "(Install: Debian/Ubuntu/CentOS/RedHat) Install NGINX Unit"
package:
@ -22,5 +19,5 @@
when: ansible_os_family == "FreeBSD"
notify: "(Handler: FreeBSD) Start NGINX Unit"
- import_tasks: install-modules.yml
- include_tasks: "{{ role_path }}/tasks/unit/install-modules.yml"
when: nginx_unit_modules is defined and nginx_unit_modules


@ -0,0 +1,20 @@
module nginx-plus-module 1.0;
require {
type httpd_t;
type usr_t;
type initrc_t;
type http_cache_port_t;
class sock_file write;
class unix_stream_socket connectto;
class file { create write };
class tcp_socket name_connect;
}
#============= httpd_t ==============
allow httpd_t http_cache_port_t:tcp_socket name_connect;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t usr_t:file { create write };
allow httpd_t usr_t:sock_file write;
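Review bot: The rules `allow httpd_t usr_t:file { create write };` and `allow httpd_t usr_t:sock_file write;` let the nginx process create and write files anywhere labelled `usr_t`, which in the targeted policy covers most of `/usr`; that is a far wider grant than the socket and cache-port permissions above it and weakens the containment SELinux gives the web server. If the intent is one specific writable path (the module does not say which), relabel that path to a writable httpd type such as `httpd_sys_rw_content_t` with `sefcontext`/`restorecon` and drop the `usr_t` rules; either way, a comment naming the nginx feature each `allow` line exists for would help future reviewers. The file also contains no Jinja expressions, so it could be shipped under files/ rather than as a `.j2` template.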


@ -0,0 +1,10 @@
[Service]
{% if nginx_service_timeoutstopsec is defined %}
TimeoutStopSec={{ nginx_service_timeoutstopsec | default(90) }}
{% endif %}
{% if nginx_service_restartonfailure is defined %}
Restart=on-failure
{% endif %}
{% if nginx_service_restartsec is defined %}
RestartSec={{ nginx_service_restartsec }}
{% endif %}
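Review bot: `| default(90)` on `TimeoutStopSec` is dead: the value is only rendered inside `{% if nginx_service_timeoutstopsec is defined %}`, so the default can never apply; write `TimeoutStopSec={{ nginx_service_timeoutstopsec }}`. A header comment noting that this drop-in is rendered only when `nginx_service_modify` is true and that an empty render still creates a `[Service]` section would help whoever edits the unit by hand.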