https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Bug ID: 1075806 Summary: Review Request: fcgiwrap - Simple FastCGI wrapper for CGI scripts Product: Fedora Version: rawhide Component: Package Review Severity: medium Priority: medium Assignee: nobody@fedoraproject.org Reporter: fedora@dyroff.org QA Contact: extras-qa@fedoraproject.org CC: package-review@lists.fedoraproject.org
Spec URL: http://dyroff.org/fcgiwrap.spec SRPM URL: http://dyroff.org/fcgiwrap-1.1.0-1.fc20.src.rpm Description: Fcgiwrap is a simple server for running CGI applications over FastCGI. It hopes to provide clean CGI support to Nginx (and other web servers that may need it). Fedora Account System Username: sdyroff
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Christopher Meng cickumqt@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |cickumqt@gmail.com Assignee|nobody@fedoraproject.org |cickumqt@gmail.com
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #1 from Christopher Meng cickumqt@gmail.com --- 1. No systemd unit file, please write one.
2. %_sbindir/* %_datadir/man/man8/*
%_sbindir --> %{_sbindir} %_datadir/man/man8 --> %{_mandir}/man8
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Christopher Meng cickumqt@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |fedora-review?
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Christopher Meng cickumqt@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora@dyroff.org Flags| |needinfo?(fedora@dyroff.org | |)
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Justin Zhang schnell18@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |schnell18@gmail.com Flags|needinfo?(fedora@dyroff.org | |) |
--- Comment #2 from Justin Zhang schnell18@gmail.com --- Hi Christopher, What a coincidence, I just made the spec file for fcgiwrap around April 20.
Mine version include the systems unit files. And the %file section is specified using the right style as you requested. It also builds the RPM correctly on non-systemd OS. The location of SRPM: https://github.com/schnell18/packaging/blob/master/fcgiwrap/fcgiwrap-1.1.0-1...
The spec file: https://raw.githubusercontent.com/schnell18/packaging/master/fcgiwrap/fcgiwr...
Since Sebastian Dyroff does not look active, can you look at my work? My work passed the koji build against both f20(http://koji.fedoraproject.org/koji/taskinfo?taskID=6787143) and f21(http://koji.fedoraproject.org/koji/taskinfo?taskID=6787147).
Thanks!
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #3 from Christopher Meng cickumqt@gmail.com --- (In reply to Justin Zhang from comment #2)
No. Your spec doesn't match the guideline.
Thank you anyway.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #4 from Justin Zhang schnell18@gmail.com --- Hi Christopher, Thanks for quickly response!
This is my first attempt to submit an RPM spec file to Fedora. Do you wish I fix the spec or just wait for Sebastian Dyroff's response?
Thank you!
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #5 from Christopher Meng cickumqt@gmail.com --- (In reply to Justin Zhang from comment #4)
This is my first attempt to submit an RPM spec file to Fedora. Do you wish I fix the spec or just wait for Sebastian Dyroff's response?
I have no interests of reviewing anything except from the submitter, and my suggestion is that do not reinvent the wheel unless it's a dire need, save your time.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #6 from Justin Zhang schnell18@gmail.com --- Hi Christopher, It's not re-inventing the wheel. It's just trying to contribute to help move this issue forward. I think this is beneficial to the fedora project.
Maybe let's contact Sebastian Dyroff to see if he can expedite the fix and if he would accept some of ideas of my implementation.
Thanks!
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #7 from Christopher Meng cickumqt@gmail.com --- (In reply to Justin Zhang from comment #6)
Hi Christopher, It's not re-inventing the wheel. It's just trying to contribute to help move this issue forward. I think this is beneficial to the fedora project.
Maybe let's contact Sebastian Dyroff to see if he can expedite the fix and if he would accept some of ideas of my implementation.
Thanks!
We have many bugs like this, not stalled tickets, but the reporter is busy or because of something else.
Please don't ask me to do anything here anymore.
Thanks.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #8 from Sebastian Dyroff fedora@dyroff.org --- Hi,
sorry I was busy with other work. I will take a look at the issues this evening. Any suggestions about what user should run fcgi-wrap? Personally I am using spawn-fcgi to spawn the fcgi-wrap service.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #9 from Justin Zhang schnell18@gmail.com --- Hi Sebastian, The spawn-fcgi is no longer necessary on Fedora. The systemd socket activation is a good replacement for spawn-fcgi. The upstream already has the right unit files included under the systemd sub directory. You need package these files to make it included in the RPM. The upstream build script already copes the unit files into %{build root}. You can package simply by list them in the %file like:
%{_unitdir}/*.service %{_unitdir}/*.socket
Regarding the user to run fcgiwrap, the default user is 'http' from upstream. Probably 'nobody' is a better choice as it is a pre-defined user on Fedora. But I think the administrators is in better position to determine the right user to run fcgiwrap. And they can customize it by coping the /lib/systemd/system/fcgiwrap.service to /etc/systemd/system/ and changing "User" and "Group" as they see fit.
My personal experience is to run fcgiwrap using 'git' on a server that hosts our company's Git repositories. This significantly simplifies the permission setup of Git repository.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #10 from Justin Zhang schnell18@gmail.com --- Hi Sebastian, The spawn-fcgi is no longer necessary on Fedora. The systemd socket activation is a good replacement for spawn-fcgi. The upstream already has the right unit files included under the systemd sub directory. You need package these files to make it included in the RPM. The upstream build script already copes the unit files into %{build root}. You can package simply by list them in the %file like:
%{_unitdir}/*.service %{_unitdir}/*.socket
Regarding the user to run fcgiwrap, the default user is 'http' from upstream. Probably 'nobody' is a better choice as it is a pre-defined user on Fedora. But I think the administrators is in better position to determine the right user to run fcgiwrap. And they can customize it by coping the /lib/systemd/system/fcgiwrap.service to /etc/systemd/system/ and changing "User" and "Group" as they see fit.
My personal experience is to run fcgiwrap using 'git' on a server that hosts our company's Git repositories. This significantly simplifies the permission setup of Git repository.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Christopher Meng i@cicku.me changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fedora@dyroff.org | |)
--- Comment #11 from Christopher Meng i@cicku.me --- ping.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Sebastian Dyroff fedora@dyroff.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fedora@dyroff.org | |) |
--- Comment #12 from Sebastian Dyroff fedora@dyroff.org --- Sorry for the long delay. I am still working on this. I couldn't get socket activation working for the systemd unit file, so I have to look deeper into this.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Sebastian Dyroff fedora@dyroff.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fedora@dyroff.org | |)
--- Comment #13 from Sebastian Dyroff fedora@dyroff.org --- Sorry for removing the needinfo flag...
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Sebastian Dyroff fedora@dyroff.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fedora@dyroff.org | |) |
--- Comment #14 from Sebastian Dyroff fedora@dyroff.org --- Hey just a short info. I am still working on it, when I have time. The systemd unit files are now included, but it is neccessary to write an selinux module to use the systemd socket by any webserver. While creating the module, I stumbled over the following behaviour https://bugzilla.redhat.com/show_bug.cgi?id=1197886. I will continue, if this issue is resolved.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Sebastian Dyroff fedora@dyroff.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1197886
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1197886 [Bug 1197886] Selinux context of new sockets
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #15 from Juan Orti j.orti.alcaine@gmail.com --- Hi, could you publish your spec file again? the link is dead and I'd like to build it.
Thank you.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #16 from Juan Orti j.orti.alcaine@gmail.com --- (In reply to Sebastian Dyroff from comment #14)
Hey just a short info. I am still working on it, when I have time. The systemd unit files are now included, but it is neccessary to write an selinux module to use the systemd socket by any webserver. While creating the module, I stumbled over the following behaviour https://bugzilla.redhat.com/show_bug.cgi?id=1197886. I will continue, if this issue is resolved.
I've build fcgiwrap on my own, and it's working fine using systemd socket activation. Maybe the problem you comment is already solved. Are you still interested in pushing this forward? I can help comaintaining if you wish.
This is my version of the spec file and a copr with it: https://jorti.fedorapeople.org/fcgiwrap/ https://copr.fedoraproject.org/coprs/jorti/fcgiwrap/
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #17 from Sebastian Dyroff fedora@dyroff.org --- First of all, I really appreciate any help to get this done. Sorry, I am very busy with non fedora related things.
I tested your version, and it did not work for me. The fcgiwrap.service file requires a user http that does not exist on a system without apache installed and fails to start. Also I did not see any selinux rules. By default, the selinux policy forbids the webserver to connect to the fcgiwrap socket(I could not test this step with your version, because it didn't start on the cloud image).
Steps I did for installing:
- Used a fedora 21 cloud base image (Sorry do not have a 22 for now) - installed your copr repo with dnf - installed your fcgiwrap package with dnf - started the fcgiwrap socket with systemctl - started the fcgiwrap service with systemctl
log output was:
$ sudo systemctl status fcgiwrap ● fcgiwrap.service - Simple CGI Server Loaded: loaded (/usr/lib/systemd/system/fcgiwrap.service; static) Active: failed (Result: exit-code) since Sun 2015-05-31 19:49:22 UTC; 8min ago Process: 1003 ExecStart=/usr/sbin/fcgiwrap (code=exited, status=217/USER) Main PID: 1003 (code=exited, status=217/USER)
May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Starting Simple CGI Server... May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Started Simple CGI Server. May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: fcgiwrap.service: main process exited, code=exited, status=217/USER May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Unit fcgiwrap.service entered failed state. May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: fcgiwrap.service failed.
I uploaded my intermediate version of the spec file here: http://www.dyroff.net/fedora/fcgiwrap.tar.bz2
If you want to continue working on my spec file, we should setup a git repo to cordinate and bring it in shape.
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
--- Comment #18 from Juan Orti j.orti.alcaine@gmail.com --- I have no SELinux problems with the units shown below, just write the socket to /run/nginx or elsewhere already covered by the policy.
Anyway, I agree that we should patch the provided units to work out of the box.
# /etc/systemd/system/gitweb.socket [Unit] Description=GitWeb socket
[Socket] SocketMode=0600 SocketUser=nginx SocketGroup=nginx ListenStream=/run/nginx/gitweb.sock
[Install] WantedBy=sockets.target
# /etc/systemd/system/gitweb.service [Unit] Description=GitWeb service
[Service] ExecStart=/usr/sbin/fcgiwrap User=apache Group=apache
https://bugzilla.redhat.com/show_bug.cgi?id=1075806 Bug 1075806 depends on bug 1197886, which changed state.
Bug 1197886 Summary: Selinux context of new sockets https://bugzilla.redhat.com/show_bug.cgi?id=1197886
What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution|--- |WONTFIX
https://bugzilla.redhat.com/show_bug.cgi?id=1075806 Bug 1075806 depends on bug 1197886, which changed state.
Bug 1197886 Summary: Selinux context of new sockets https://bugzilla.redhat.com/show_bug.cgi?id=1197886
What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Resolution|WONTFIX |---
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Andrew Bauer zonexpertconsulting@outlook.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |zonexpertconsulting@outlook | |.com
--- Comment #19 from Andrew Bauer zonexpertconsulting@outlook.com --- Well this is interesting. I was about to create a review request for an fcgiwrap package I put together, when I found this request from 2014.
Since the activity in this review appears to have died out, is anyone opposed to closing this request and allowing me to create a new review request?
https://bugzilla.redhat.com/show_bug.cgi?id=1075806
Neal Gompa ngompa13@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution|--- |EOL Assignee|i@cicku.me |nobody@fedoraproject.org Flags|fedora-review? | Last Closed| |2018-11-03 19:24:53
--- Comment #20 from Neal Gompa ngompa13@gmail.com --- Go for it.
package-review@lists.fedoraproject.org