
switch redmine to use a unix socket instead of TCP #1885

@evgeni

Description


In #1883 we deployed redmine with Puma using a TCP socket.

From past experience (with Foreman) we know that using a Unix socket is better performance-wise.

To achieve that we need to

  • deploy the systemd socket as a unix socket
  • make apache use it

In theory, all this can be achieved by the following patch:

diff --git puppet/modules/redmine/files/redmine.socket puppet/modules/redmine/files/redmine.socket
index 63eb431f..504e4336 100644
--- puppet/modules/redmine/files/redmine.socket
+++ puppet/modules/redmine/files/redmine.socket
@@ -5,7 +5,9 @@
 Description=redmine socket
 
 [Socket]
-ListenStream=3000
+ListenStream=/run/apache-redmine.sock
+SocketUser=apache
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
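Review bot: SocketMode=0600 with SocketUser=apache makes the owning user the only principal able to connect, which is the right direction, but SocketGroup= is not set, so the socket's group comes from systemd's default rather than from this unit; add SocketGroup=apache so the ownership pair is explicit and a later loosening to 0660 does not widen access to an unintended group. It would also help to add a comment next to `ListenStream=/run/apache-redmine.sock` recording that the `apache-` prefix is what gets the socket labeled httpd_var_run_t (the description relies on that kernel naming rule rather than an explicit file context), since renaming the socket would silently bring the var_run_t denial back.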
diff --git puppet/modules/redmine/manifests/init.pp puppet/modules/redmine/manifests/init.pp
index e968d780..0f88eac7 100644
--- puppet/modules/redmine/manifests/init.pp
+++ puppet/modules/redmine/manifests/init.pp
@@ -182,7 +182,7 @@ class redmine (
           '/server-status', '/help', '/images', '/javascripts', '/plugin_assets', '/stylesheets', '/themes', '/favicon.ico',
         ],
         'path'          => '/',
-        'url'           => 'http://127.0.0.1:3000/',
+        'url'           => 'unix:///run/apache-redmine.sock|http://%{HTTP_HOST}/',
       },
     }
 
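Review bot: confirm that the `%{HTTP_HOST}` in `'url' => 'unix:///run/apache-redmine.sock|http://%{HTTP_HOST}/'` is intended to be a literal: ProxyPass does not evaluate `%{...}` expressions (that is ap_expr/mod_rewrite syntax; ProxyPass only substitutes `${VAR}` environment variables when `interpolate` is enabled), and with a `unix:` target the part after `|` is used only to build the backend request URL and Host header, so a fixed placeholder such as `http://localhost/` is clearer. If Redmine needs to see the client's original Host header, that is done with `ProxyPreserveHost On` in the vhost rather than through this URL.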

However, when we tried to deploy that, SELinux would prevent access. First because the socket in /run was labeled var_run_t, but that we fixed by using the apache- prefix, which makes the kernel automatically label it as httpd_var_run_t. Then because Apache is not allowed to connect to an unconfined service (behind that socket):

type=AVC msg=audit(1693980504.181:4437): avc:  denied  { connectto } for  pid=62541 comm="httpd" path="/run/apache-redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

[root@redmine ~]# ps auxZ |grep puma
system_u:system_r:unconfined_service_t:s0 redmine 62615 3.3  8.4 555808 170152 ? Ssl  06:10   0:02 puma 6.3.1 (unix:///run/apache-redmine.sock) [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62621 0.1  8.6 758724 173848 ? Sl   06:10   0:00 puma: cluster worker 0: 62615 [redmine]
system_u:system_r:unconfined_service_t:s0 redmine 62622 0.0  8.1 623492 162284 ? Sl   06:10   0:00 puma: cluster worker 1: 62615 [redmine]

We gotta label the service correctly (systemd has the SELinuxContext= directive for that), but we don't know yet which label would fit best.
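As an added example (not code from the issue or from the project's puppet modules), here is a small POSIX sh helper that parses AVC records like the one quoted above and flags the situation the description ends on: the denied target is unconfined_service_t, so the fix belongs on the backend service's label (SELinuxContext= in its unit), not in a policy change that lets httpd_t reach unconfined processes. The sample record is the one from the issue, embedded verbatim; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the issue: pull the decision-relevant fields out of
# an SELinux AVC denial record so the failure mode described in the issue
# (httpd_t denied connectto on a socket served by an unconfined process)
# is visible at a glance. Only POSIX sh, sed and cut are used.

# Constructed sample: the AVC record quoted in the issue, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1693980504.181:4437): avc:  denied  { connectto } for  pid=62541 comm="httpd" path="/run/apache-redmine.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# avc_field RECORD NAME: value of key NAME (surrounding quotes stripped), empty if absent.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the permission set inside "{ ... }", e.g. "connectto".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_type CONTEXT: the type component (third colon-separated field) of an SELinux context.
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Domain of the subject (scontext) and label of the object (tcontext).
avc_source_type() { avc_type "$(avc_field "$1" scontext)"; }
avc_target_type() { avc_type "$(avc_field "$1" tcontext)"; }

# avc_target_unconfined RECORD: exit 0 when the denied access targets an
# unconfined_service_t object. That is the case in the issue: the backend
# (puma) runs unconfined, so it needs a proper domain via SELinuxContext=
# in its service unit rather than httpd_t being allowed to talk to it.
avc_target_unconfined() {
  [ "$(avc_target_type "$1")" = unconfined_service_t ]
}

# avc_summary RECORD: one line "SRC -> TGT PERMS CLASS PATH (enforcing|permissive)".
avc_summary() {
  mode=enforcing
  [ "$(avc_field "$1" permissive)" = 1 ] && mode=permissive
  printf '%s -> %s %s %s %s (%s)\n' \
    "$(avc_source_type "$1")" "$(avc_target_type "$1")" \
    "$(avc_perms "$1")" "$(avc_field "$1" tclass)" \
    "$(avc_field "$1" path)" "$mode"
}

# Stand-alone run: summarise the sample record and state the recommended direction.
avc_summary "$SAMPLE_AVC"
if avc_target_unconfined "$SAMPLE_AVC"; then
  echo "target runs as unconfined_service_t: label the service (SELinuxContext=) instead of widening httpd policy"
fi
```

Pipe real `ausearch -m AVC` output through `avc_summary` one record per call; `permissive=1` records show up as (permissive), which matters because those are accesses that would be blocked once enforcing mode is restored.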
