airavata-issues mailing list archives

From "Marcus Christie (JIRA)" <>
Subject [jira] [Commented] (AIRAVATA-2581) Manually deploy Django version of dev seagrid
Date Wed, 18 Jul 2018 19:43:00 GMT


Marcus Christie commented on AIRAVATA-2581:

Setting up another Django portal:
As PGA user:
    cd portals/
    mkdir django-simvascular
    cd django-simvascular/
    git clone
    python3 -m venv venv
    source venv/bin/activate
    pip install -r airavata-django-portal/requirements.txt
    cd airavata-django-portal/
    cp ../../django-seagrid/django-airavata-gateway/django_airavata/ django_airavata/
    vim django_airavata/
    mkdir ../static
    ./
    python collectstatic -i node_modules

As centos user:
    cd /etc/httpd/conf.d/
    ls
    cp django-seagrid.conf django-simvascular.conf
    sudo cp django-seagrid.conf django-simvascular.conf
    ls -la
    sudo vim django-simvascular.conf
    sudo certbot --apache certonly -d
    sudo vim django-simvascular.conf
    sudo certbot --apache certonly -d
    ls /etc/letsencrypt/
    sudo su -
    mv django-simvascular.conf django-simvascular.conf.bak
    sudo mv django-simvascular.conf django-simvascular.conf.bak
    sudo certbot --apache certonly -d
    sudo mv django-simvascular.conf.bak django-simvascular.conf
    sudo vim django-simvascular.conf
    sudo apachectl graceful
    service httpd restart
    sudo service httpd restart
    sudo systemctl status httpd
    sudo sealert -a /var/log/audit/audit.log


# 403 Forbidden

sudo sealert -a /var/log/audit/audit.log

* SELinux is preventing /usr/sbin/httpd from read access on the file pyvenv.cfg.
* SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/portals/django-simvascular/airavata-django-portal/django_airavata/

If you want to allow httpd to have getattr access on the file
Then you need to change the label on /var/www/portals/django-simvascular/airavata-django-portal/django_airavata/
# semanage fcontext -a -t FILE_TYPE '/var/www/portals/django-simvascular/airavata-django-portal/django_airavata/'

As PGA user
touch db.sqlite3
python migrate
python load_simvascular_data

As root user
    semanage fcontext -a -t httpd_sys_content_t "/var/www/portals/django-simvascular/venv(/.*)?"
    semanage fcontext -a -t httpd_sys_rw_content_t /var/www/portals/django-simvascular/airavata-django-portal/db.sqlite3
    semanage fcontext -a -t httpd_sys_content_t "/var/www/portals/django-simvascular/airavata-django-portal(/.*)?"
    restorecon -R /var/www/portals/django-simvascular/airavata-django-portal
    systemctl restart httpd

Need to order the rw of db.sqlite3 after the read only access:

/var/www/portals/django-simvascular/venv(/.*)?    system_u:object_r:httpd_sys_content_t:s0

/var/www/portals/django-simvascular/airavata-django-portal(/.*)?    system_u:object_r:httpd_sys_content_t:s0

/var/www/portals/django-simvascular/airavata-django-portal/db.sqlite3    system_u:object_r:httpd_sys_rw_content_t:s0

Funny enough, running the WSGIDaemonProcess with `user=pga group=pga` doesn't solve the db.sqlite3
problem by itself.

I ultimately went with this SELinux file configuration:
/var/www/portals/django-simvascular/venv(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www/portals/django-simvascular/airavata-django-portal(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0

Because of the pycache directories that get created, httpd also needs write access on airavata-django-portal.

vconf file:

<VirtualHost *:80>

    ## Redirect all http traffic to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

<VirtualHost *:443>

    Alias /robots.txt /var/www/portals/django-simvascular/static/robots.txt
    Alias /favicon.ico /var/www/portals/django-simvascular/static/favicon.ico

    Alias /static/ /var/www/portals/django-simvascular/static/

    <Directory /var/www/portals/django-simvascular/static>
        Require all granted
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    </Directory>

    WSGIDaemonProcess display-name=%{GROUP} python-home=/var/www/portals/django-simvascular/venv python-path=/var/www/portals/django-simvascular/airavata-django-portal processes=2 user=pga

    WSGIScriptAlias / /var/www/portals/django-simvascular/airavata-django-portal/django_airavata/

    <Directory /var/www/portals/django-simvascular/airavata-django-portal/django_airavata>
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/django-simvascular.error.log
    CustomLog /var/log/httpd/django-simvascular.requests.log combined

    SSLEngine on
    # Disable SSLv3 which is vulnerable to the POODLE attack
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/

</VirtualHost>

> Manually deploy Django version of dev seagrid
> ---------------------------------------------
>                 Key: AIRAVATA-2581
>                 URL:
>             Project: Airavata
>          Issue Type: Sub-task
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major

This message was sent by Atlassian JIRA
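
The rule-ordering observation in the comment above, as an added example that is not part of the original message or of the Airavata project: a small shell model that resolves a path against an ordered list of file-context rules. It assumes, as the comment reports, that the last matching local rule takes effect; the function names and the sample `.pyc` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: a model of file-context rule precedence, not SELinux itself.
# Assumption taken from the comment: when several local rules match a path,
# the rule added last takes effect. Rules are whole-path regexes.
BASE=/var/www/portals/django-simvascular
PORTAL=$BASE/airavata-django-portal

# Rules in the order the semanage commands were run as root.
rules_original() {
    printf '%s\n' \
        "${BASE}/venv(/.*)? httpd_sys_content_t" \
        "${PORTAL}/db.sqlite3 httpd_sys_rw_content_t" \
        "${PORTAL}(/.*)? httpd_sys_content_t"
}

# Same rules with the db.sqlite3 rule placed after the read-only rule.
rules_reordered() {
    printf '%s\n' \
        "${BASE}/venv(/.*)? httpd_sys_content_t" \
        "${PORTAL}(/.*)? httpd_sys_content_t" \
        "${PORTAL}/db.sqlite3 httpd_sys_rw_content_t"
}

# The configuration the comment ends with: the whole portal tree is rw.
rules_final() {
    printf '%s\n' \
        "${BASE}/venv(/.*)? httpd_sys_content_t" \
        "${PORTAL}(/.*)? httpd_sys_rw_content_t"
}

# effective_type RULES_FUNCTION PATH: print the type of the last matching
# rule, or "none" when no local rule matches.
effective_type() {
    result=none
    while read -r regex ctx; do
        if printf '%s\n' "$2" | grep -Eqx -- "$regex"; then
            result=$ctx
        fi
    done <<EOF
$($1)
EOF
    printf '%s\n' "$result"
}

# Constructed sample paths: the database and a bytecode cache file.
for p in "$PORTAL/db.sqlite3" "$PORTAL/django_airavata/__pycache__/x.pyc"; do
    for r in rules_original rules_reordered rules_final; do
        printf '%-16s %-24s %s\n' "$r" "$(effective_type "$r" "$p")" "$p"
    done
done
```

On the host itself, `matchpathcon <path>` reports the context the loaded rules assign to a path, and `restorecon` applies it.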