
Task #8687

Adjust django-hosting to run on Alpine Linux

Added by Nico Schottelius 6 months ago. Updated 6 months ago.

Status: In Progress
Priority: Normal
Target version: -
Start date: 12/05/2020
% Done: 0%

Description

Currently testing with ula.ungleich.ch.

  • nginx start missing
  • app user is locked by default (shadow entry with !)
  • deprecated ssl configuration directive
  • uwsgi configuration seems not to be loaded -> needs permission change

History

#1

Updated by Nico Schottelius 6 months ago

  • nginx is not automatically started -> certbot gives an error
INFO: [12802]: ula-v6.ungleich.ch: Processing __letsencrypt_cert/ula.ungleich.ch
ERROR: [12802]: ula-v6.ungleich.ch: ssh -o User=root -o ControlPath=/tmp/tmp5nw515hq/s -o ControlMaster=auto -o ControlPersist=2h ula-v6.ungleich.ch /bin/sh -c ' export __object=/var/lib/cdist/object/__letsencrypt_cert/ula.ungleich.ch/.cdist-9l5oxy1o;  export __object_id=ula.ungleich.ch;/bin/sh -e /var/lib/cdist/object/__letsencrypt_cert/ula.ungleich.ch/.cdist-9l5oxy1o/code-remote': ['ssh', '-o', 'User=root', '-o', 'ControlPath=/tmp/tmp5nw515hq/s', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=2h', 'ula-v6.ungleich.ch', "/bin/sh -c ' export __object=/var/lib/cdist/object/__letsencrypt_cert/ula.ungleich.ch/.cdist-9l5oxy1o;  export __object_id=ula.ungleich.ch;/bin/sh -e /var/lib/cdist/object/__letsencrypt_cert/ula.ungleich.ch/.cdist-9l5oxy1o/code-remote'"]

Error processing object '__letsencrypt_cert/ula.ungleich.ch'
============================================================
name: __letsencrypt_cert/ula.ungleich.ch
path: /tmp/tmprc1zhcj0/a2937c96337251ad011edfc78d9d26a3/data/object/__letsencrypt_cert/ula.ungleich.ch/.cdist-9l5oxy1o
source: /tmp/tmprc1zhcj0/a2937c96337251ad011edfc78d9d26a3/data/conf/type/__ungleich_django_microservice/manifest
type: /home/nico/vcs/cdist/cdist/conf/type/__letsencrypt_cert

code-remote:stderr
------------------
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1663, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 361, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 377, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.8/site-packages/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')")))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')")))
Please see the logfiles in /var/log/letsencrypt for more details.

VERBOSE: [12802]: config: Total processing time for 1 host(s): 144.5763819217682

#2

Updated by Nico Schottelius 6 months ago

  • Description updated (diff)

#3

Updated by Nico Schottelius 6 months ago

  • Description updated (diff)
2020/12/05 11:03:50 [warn] 3251#3251: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/https-ula.ungleich.ch:13
2020/12/05 11:03:50 [warn] 3254#3254: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/https-ula.ungleich.ch:13

#4

Updated by Nico Schottelius 6 months ago

  • Description updated (diff)
[11:06] ula-v6:/var/log/uwsgi# less uwsgi.log 

[emperor-tyrant] invalid permissions for vassal app.ini

[11:08] ula-v6:/var/log/uwsgi# cat /etc/uwsgi/conf.d/readme.emperor 
drop your uwsgi config files inside this directory uwsgi will automatically
load them (Emperor mode) and start a vassal.
uwsgi will run the vassal using the UID/GID of the vassal configuration file.
see: http://uwsgi-docs.readthedocs.io/en/latest/Emperor.html
make sure your webserver belongs to the uwsgi group to access the socket.
[11:08] ula-v6:/var/log/uwsgi# chown app:app /etc/uwsgi/conf.d/app.ini

#5

Updated by Nico Schottelius 6 months ago

  • Description updated (diff)

Jin-Guk, can you check out the above problems, fix them in cdist, and create a new test instance?

#6

Updated by Jin-Guk Kwon 6 months ago

- Set up a new instance (IPv6-only, Alpine 3.12)

- When I ran cdist, there was no error message:

......
INFO: [1589]: test-ula-v6.lab.ungleich.ch: Processing __package_apk/certbot
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running object __package/certbot
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running object __letsencrypt_cert/test-ula.lab.ungleich.ch
INFO: [31477]: test-ula-v6.lab.ungleich.ch: Processing __letsencrypt_cert/test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Preparing object __ungleich_dynamicweb_nginx/test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running manifest and explorers for __ungleich_dynamicweb_nginx/test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running type explorers for <CdistType __ungleich_dynamicweb_nginx>
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running type manifest /tmp/tmpdufukk_x/c4efb3c7713cc19b9938cc55b79bc0ee/data/conf/type/__ungleich_dynamicweb_nginx/manifest for object __ungleich_dynamicweb_nginx/test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Preparing object __file/etc/nginx/conf.d/https-test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running manifest and explorers for __file/etc/nginx/conf.d/https-test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running type explorers for <CdistType __file>
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running object __file/etc/nginx/conf.d/https-test-ula.lab.ungleich.ch
INFO: [31477]: test-ula-v6.lab.ungleich.ch: Processing __file/etc/nginx/conf.d/https-test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running object __ungleich_dynamicweb_nginx/test-ula.lab.ungleich.ch
VERBOSE: [31477]: test-ula-v6.lab.ungleich.ch: Running object __ungleich_django_microservice/
INFO: [31477]: test-ula-v6.lab.ungleich.ch: Finished successful run in 166.01 seconds
VERBOSE: [31477]: config: Total processing time for 1 host(s): 166.22307467460632

#7

Updated by Jin-Guk Kwon 6 months ago

- nginx status

[11:12] test-ula-v6:/etc/nginx/conf.d# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5170/nginx.conf
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4046/sshd [listener
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      4743/postgres
tcp        0      0 :::80                   :::*                    LISTEN      5170/nginx.conf
tcp        0      0 :::22                   :::*                    LISTEN      4046/sshd [listener
tcp        0      0 ::1:5432                :::*                    LISTEN      4743/postgres
[11:13] test-ula-v6:/etc/nginx/conf.d# service nginx status
 * status: started
[11:13] test-ula-v6:/etc/nginx/conf.d#
[11:13] test-ula-v6:/etc/nginx/conf.d# service nginx restart
 * Stopping nginx ...                                                                                                                              [ ok ]
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/https-test-ula.lab.ungleich.ch:13
 * Starting nginx ...
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/https-test-ula.lab.ungleich.ch:13 [ ok ]
[11:14] test-ula-v6:/etc/nginx/conf.d# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5443/nginx.conf
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4046/sshd [listener
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      4743/postgres
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5443/nginx.conf
tcp        0      0 :::80                   :::*                    LISTEN      5443/nginx.conf
tcp        0      0 :::22                   :::*                    LISTEN      4046/sshd [listener
tcp        0      0 ::1:5432                :::*                    LISTEN      4743/postgres
tcp        0      0 :::443                  :::*                    LISTEN      5443/nginx.conf
[11:14] test-ula-v6:/etc/nginx/conf.d#

#8

Updated by Jin-Guk Kwon 6 months ago

[11:19] test-ula-v6:/etc/nginx/conf.d# nginx -v
nginx version: nginx/1.18.0
[11:32] test-ula-v6:/etc/nginx/conf.d#

The ssl parameter of the listen directive should be used instead
http://nginx.org/en/docs/http/ngx_http_ssl_module.html

[11:16] test-ula-v6:/etc/nginx/conf.d# vi https-test-ula.lab.ungleich.ch
......
listen 443 ssl;
listen [::]:443 ssl;
......
#ssl on;
......
[11:18] test-ula-v6:/etc/nginx/conf.d# service nginx restart
 * Stopping nginx ...                                                                                                                              [ ok ]
 * Starting nginx ...                                                                                                                              [ ok ]
[11:18] test-ula-v6:/etc/nginx/conf.d#
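
The following is an added example written for this thread; it is not code from the ticket, from cdist or from the django-hosting type. It turns the checklist in the description, together with the findings in #3, #4 and #8, into a POSIX sh script that runs on busybox as well as coreutils: a shadow(5) check that tells a `!` (locked) entry apart from `*` (no password, not locked), a grep for the deprecated `ssl on;` directive that the `listen ... ssl` form in #8 replaces, and the tyrant-mode ownership rule from the readme quoted in #4, under which the emperor runs a vassal as the owner of its .ini and rejects a root-owned file. The shadow lines, the two vhost fragments and the vassal file it writes are constructed for the demo; the paths, the `app` user and the host name are the ticket's. It does not cover the traceback in #1, which records the outbound request to acme-v02.api.letsencrypt.org/directory failing with ECONNRESET rather than anything about the local listener.

```shell
#!/bin/sh
# Added example (not part of the ticket, cdist or django-hosting): pre-flight
# checks for the three host-side problems listed in the ticket description.
# Sample inputs are written by write_samples and are constructed for the demo.

# Password-field state of a user in a shadow-format file:
#   "!" or "!hash" -> locked (what busybox adduser -D leaves behind)
#   "*"            -> no password set, account not locked
#   ""             -> empty password
#   anything else  -> a hash is set
# Prints the state; returns 1 (printing "missing") when the user is absent.
shadow_state() {
    field=$(awk -F: -v u="$1" '$1 == u { print $2; f = 1; exit } END { exit !f }' "$2") \
        || { echo missing; return 1; }
    case "$field" in
        '!'*) echo locked ;;
        '*')  echo nopass ;;
        '')   echo empty ;;
        *)    echo set ;;
    esac
}

# Returns 0 when the nginx file has no active "ssl on;" directive (deprecated
# since nginx 1.15.0 in favour of the ssl parameter of "listen"); otherwise
# prints the offending line numbers and returns 1. Commented lines are ignored.
nginx_ssl_on_clean() {
    if grep -n -E '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        return 1
    fi
    return 0
}

# Emperor tyrant mode runs a vassal with the UID/GID of its configuration file
# and logs "[emperor-tyrant] invalid permissions for vassal ..." for a
# root-owned one. Accept the file only if its owner is the expected service
# user and that user is not root.
tyrant_owner_ok() {
    [ "$1" = "$2" ] && [ "$1" != root ]
}

# Owner of a path via ls(1), which has the same column layout on busybox.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Constructed sample inputs: a shadow file with app locked as adduser -D leaves
# it, the vhost before the fix and with the listen-parameter form, and a vassal
# file owned by whoever runs the script (i.e. not by app).
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$saltandhash:18600:0:99999:7:::
app:!:18600:0:99999:7:::
nobody:*:18600:0:99999:7:::
EOF
    cat > "$1/https-ula.ungleich.ch" <<'EOF'
server {
    listen 443;
    listen [::]:443;
    ssl on;
    server_name ula.ungleich.ch;
}
EOF
    cat > "$1/https-ula.ungleich.ch.fixed" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    #ssl on;
    server_name ula.ungleich.ch;
}
EOF
    : > "$1/app.ini"
}

# --- demo -------------------------------------------------------------------
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "shadow state of app: $(shadow_state app "$SAMPLES/shadow")"
nginx_ssl_on_clean "$SAMPLES/https-ula.ungleich.ch" \
    || echo "-> replace with 'listen 443 ssl;' and 'listen [::]:443 ssl;'"
nginx_ssl_on_clean "$SAMPLES/https-ula.ungleich.ch.fixed" && echo "fixed vhost is clean"
owner=$(file_owner "$SAMPLES/app.ini")
tyrant_owner_ok "$owner" app \
    || echo "app.ini owned by $owner, not app -> chown app:app /etc/uwsgi/conf.d/app.ini"
rm -rf "$SAMPLES"
```

Two caveats on reading the results. A `!` entry blocks password login only; whether key-based SSH still works for such a user depends on sshd, since OpenSSH built without PAM checks the `!` prefix itself and refuses the account even with a valid key. And the owner check is deliberately stricter than "not root": a vassal file owned by some other unprivileged user would also run the Django app as that user, which is not what the `app` service account is for.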
