[rOCCI-server] Initial import (#1149407).

František Dvořák valtri at fedoraproject.org
Fri Jan 2 05:34:03 UTC 2015


commit fb177bd8fe53cfee0f25ea34b12c3f55b8fc9687
Author: František Dvořák <valtri at civ.zcu.cz>
Date:   Fri Jan 2 06:33:29 2015 +0100

    Initial import (#1149407).

 .gitignore                       |    1 +
 README.Fedora                    |   41 +++++
 rOCCI-server.logrotate           |    5 +
 rOCCI-server.spec                |  309 ++++++++++++++++++++++++++++++++++++++
 rocci-server-1.0.x-unbundle.diff |   47 ++++++
 rocci_server.fc                  |    3 +
 rocci_server.te                  |   87 +++++++++++
 sources                          |    1 +
 8 files changed, 494 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..e7ebd46 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/rOCCI-server-aa036b71edcffd0e531a3ceba5b7113d40577977.tar.gz
diff --git a/README.Fedora b/README.Fedora
new file mode 100644
index 0000000..aed0bcc
--- /dev/null
+++ b/README.Fedora
@@ -0,0 +1,41 @@
+Installation
+============
+
+Machine certificate is required in /etc/grid-security.
+
+Start and enable required daemons:
+  service memcached start
+  # need to be restarted if already running
+  service httpd restart
+
+  systemctl enable httpd
+  systemctl enable memcached
+
+Now, you can access rOCCI server on port 11443.
+
+By default only dummy backend is activated. For more information visit:
+
+  https://github.com/EGI-FCTF/rOCCI-server/wiki/rOCCI-Server-Admin-Guide
+
+
+Testing
+=======
+
+Requirements:
+
+  rOCCI-server-tests
+  rubygem(guard-test)      # not in Fedora (2014)
+
+Launch:
+
+  cd /usr/share/rOCCI-server
+
+  # use Gemfile needed for tests
+  export BUNDLE_GEMFILE=Gemfile.tests
+
+  # use local versions of all gems
+  rm -f Gemfile.lock
+  bundle install --local
+
+  # launch the tests using bundler
+  bundle exec rspec -Ilib spec --require spec_helper
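Review bot: the Launch steps run `rm -f Gemfile.lock` and `bundle install --local` from inside /usr/share/rOCCI-server, so the test run rewrites files in a package-owned tree and in practice has to be done as root. Suggest telling the reader to copy the tree to a scratch directory and run the suite there as an unprivileged user. Separately, the Installation steps mix `service` and `systemctl`, and "Machine certificate is required in /etc/grid-security" does not name the expected files or their ownership and mode.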
diff --git a/rOCCI-server.logrotate b/rOCCI-server.logrotate
new file mode 100644
index 0000000..eff9d04
--- /dev/null
+++ b/rOCCI-server.logrotate
@@ -0,0 +1,5 @@
+/var/log/rocci-server/*.log {
+	weekly
+	rotate 4
+	missingok
+}
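Review bot: the stanza has no `copytruncate` and no `postrotate` action, so a process that keeps its log file open will go on writing to the renamed file after the weekly rotation. Either add `copytruncate` or a `postrotate` step that makes the application reopen its logs. There is also no `compress` or `notifempty`, and no `create` line to state which owner and mode the new file gets.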
diff --git a/rOCCI-server.spec b/rOCCI-server.spec
new file mode 100644
index 0000000..07017dd
--- /dev/null
+++ b/rOCCI-server.spec
@@ -0,0 +1,309 @@
+%global gem_name occi-server
+%global app_root %{_datadir}/%{name}
+%global semodule_name rocci_server
+
+%global commit aa036b71edcffd0e531a3ceba5b7113d40577977
+
+%if 0%{?fedora} && 0%{?fedora} <= 20 || 0%{?rhel} && 0%{?rhel} <= 7
+%global openssl_cms openssl_cms_2_0_0
+%else
+%global openssl_cms openssl_cms_2_1
+%endif
+
+Name:           rOCCI-server
+Version:        1.0.5
+Release:        3%{?dist}
+Summary:        Ruby OCCI Server
+
+License:        ASL 2.0
+URL:            https://github.com/EGI-FCTF/rOCCI-server
+Source0:        https://github.com/EGI-FCTF/%{name}/archive/%{commit}/%{name}-%{commit}.tar.gz
+Source1:        %{semodule_name}.te
+Source2:        %{semodule_name}.fc
+Source3:        %{name}.logrotate
+Source4:        README.Fedora
+# kill the bundler
+# (not intended for upstream)
+Patch0:         rocci-server-1.0.x-unbundle.diff
+
+BuildArch:      noarch
+BuildRequires:  checkpolicy
+BuildRequires:  policycoreutils-python
+BuildRequires:  ruby(release) >= 1.9.3
+BuildRequires:  rubygems-devel
+BuildRequires:  rubygem(rdoc)
+Requires(pre):  shadow-utils
+Requires(post): policycoreutils-python
+Requires(preun): policycoreutils-python
+Requires(postun): policycoreutils
+Requires:       logrotate
+Requires:       memcached
+Requires:       mod_passenger
+Requires:       mod_ssl
+Requires:       rubygem(dalli)
+Requires:       rubygem(hashie)
+Requires:       rubygem(ice_nine)
+Requires:       rubygem(jbuilder)
+Requires:       rubygem(kgio)
+Requires:       rubygem(logstasher)
+Requires:       rubygem(rails) >= 4.0.0
+Requires:       rubygem(rails) < 4.2
+Requires:       rubygem(rails-api)
+Requires:       rubygem(occi-core) >= 4.2.15
+Requires:       rubygem(rack-cors)
+Requires:       rubygem(warden) >= 1.2.3
+Requires:       rubygem(%{openssl_cms})
+Requires:       selinux-policy
+%if 0%{?fedora} && 0%{?fedora} <= 20 || 0%{?rhel} && 0%{?rhel} <= 7
+Requires:       ruby(release)
+Requires:       ruby(rubygems)
+Provides:       rubygem(%{gem_name}) = %{version}
+%endif
+
+%description
+OCCI (the Open Cloud Computing Interface) is a standard by the Open Grid Forum,
+specifying a protocol and API to perform various remote management tasks in
+clouds. The rOCCI-server extends cloud managers, which are not OCCI-compliant
+natively, with its own OCCI interface. It is based on the rOCCI (Ruby OCCI)
+Framework.
+
+
+%package doc
+Summary:        Documentation for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+
+%description doc
+Documentation for %{name}.
+
+
+%package tests
+Summary:        Tests for %{name}
+BuildArch:      noarch
+Requires:       rubygem(bundler)
+#Requires:       rubygem(guard-test)
+Requires:       rubygem(rspec-rails) >= 2.14.0
+Requires:       rubygem(rspec-rails) < 3
+Requires:       rubygem(simplecov)
+Requires:       %{name}-opennebula = %{version}-%{release}
+Requires:       %{name} = %{version}-%{release}
+
+%description tests
+OCCI (the Open Cloud Computing Interface) is a standard by the Open Grid Forum,
+specifying a protocol and API to perform various remote management tasks in
+clouds. The rOCCI-server extends cloud managers, which are not OCCI-compliant
+natively, with its own OCCI interface. It is based on the rOCCI (Ruby OCCI)
+Framework.
+
+This package contains tests for OCCI server. See README.Fedora how to launch
+them.
+
+
+%package opennebula
+Summary:        Opennebula backend for %{gem_name}
+BuildArch:      noarch
+Requires:       rubygem(erubis)
+Requires:       rubygem(opennebula) >= 4.4.0
+Requires:       %{name} = %{version}-%{release}
+
+%description opennebula
+OCCI (the Open Cloud Computing Interface) is a standard by the Open Grid Forum,
+specifying a protocol and API to perform various remote management tasks in
+clouds. The rOCCI-server extends cloud managers, which are not OCCI-compliant
+natively, with its own OCCI interface. It is based on the rOCCI (Ruby OCCI)
+Framework.
+
+This package provides Opennebula backend for OCCI server.
+
+
+%prep
+%setup -q -n %{name}-%{commit}
+
+# kill bundler
+%patch0 -p1
+
+# updates to keep bundler working (for tests)
+mv Gemfile.lock Gemfile.upstream.lock
+cp -p Gemfile Gemfile.upstream
+cp -p lib/authentication_strategies/bundles/Gemfile.keystone Gemfile.keystone.upstream
+cp -p lib/backends/bundles/Gemfile.opennebula Gemfile.opennebula.upstream
+# relax upstream requirements
+while read name ver file; do
+  file=${file:-'Gemfile'}
+  sed -i "s/^\(\s*gem ['\"]$name['\"]\).*/\1, '>= $ver'/" $file
+done << EOF
+jbuilder     1.5.0
+rails        4.0.0
+rails-api    0.1.0
+rspec-rails  2.14.0
+occi-core    4.2.15
+opennebula   4.4.0   lib/backends/bundles/Gemfile.opennebula
+EOF
+# gems not needed for tests
+for p in sdoc capistrano rvm-capistrano debugger whenever passenger fuubar pry-rails pry-rescue pry-stack_explorer guard-bundler guard-rails rb-inotify libnotify yard redcarpet bond hirb; do
+  sed -i "s/^\(\s*gem ['\"]$p['\"].*\)/#disabled: \1/" Gemfile
+done
+# logstasher and openssl_cms not from git
+sed -i "s/, git:.*//" Gemfile
+echo 'gem "%{openssl_cms}"' > lib/authentication_strategies/bundles/Gemfile.keystone
+
+# but move away the prepared Gemfile
+mv Gemfile Gemfile.tests
+
+# apache >= 2.4 syntax, applicaton prefix
+sed -i examples/etc/apache2/sites-available/occi-ssl \
+  -e 's/Allow from all/Require all granted/i' \
+  -e 's,/opt/rOCCI-server,%{app_root},g'
+
+# fix interpreter
+sed -i examples/usr/local/bin/check_occi_compute_create \
+  -e '1s,#!/opt/occi-cli/embedded/bin/ruby,#!/usr/bin/env ruby,'
+
+
+%build
+checkmodule -M -m -o %{semodule_name}.mod %{SOURCE1}
+semodule_package -o %{semodule_name}.pp -m %{semodule_name}.mod -f %{SOURCE2}
+
+
+%install
+mkdir -p %{buildroot}%{app_root}
+mkdir -p %{buildroot}%{_sysconfdir}
+cp -a . %{buildroot}%{app_root}
+
+# unused files
+rm -f %{buildroot}%{app_root}/.gitignore
+find %{buildroot}%{app_root} -name .keep -delete
+
+# configuration files
+mv %{buildroot}%{app_root}/etc %{buildroot}%{_sysconfdir}/rocci-server
+ln -s %{_sysconfdir}/rocci-server %{buildroot}%{app_root}/etc
+
+# logs
+mkdir -p %{buildroot}%{_localstatedir}/log/rocci-server
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+rm -rf %{buildroot}/%{app_root}/log
+ln -s %{_localstatedir}/log/rocci-server %{buildroot}/%{app_root}/log
+install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+
+rdoc --op %{buildroot}%{_pkgdocdir}/rdoc lib app *.md
+# fix permissions (but it conflicts with COPR buildsystem for F21+)
+%if 0%{?fedora} && 0%{?fedora} <= 20 || 0%{?rhel} && 0%{?rhel} <= 7
+chmod -x %{buildroot}%{_pkgdocdir}/rdoc/images/*.png
+%endif
+
+# Fedora README
+install -p -m 0644 %{SOURCE4} %{buildroot}%{_pkgdocdir}
+
+# SELinux
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/%{name}
+install -m 0644 %{semodule_name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}
+rm -f %{buildroot}%{app_root}/%{semodule_name}.mod
+rm -f %{buildroot}%{app_root}/%{semodule_name}.pp
+
+# httpd configuration tweaks
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d
+install -p -m 0644 examples/etc/apache2/sites-available/occi-ssl %{buildroot}%{_sysconfdir}/httpd/conf.d/occi-ssl.conf
+echo "Listen 11443" >>  %{buildroot}%{_sysconfdir}/httpd/conf.d/occi-listen.conf
+install -p -m 0644 examples/etc/apache2/conf.d/security %{buildroot}%{_sysconfdir}/httpd/conf.d/occi-security.conf
+
+
+# Testsuite requires running server
+#%%check
+
+
+%pre
+getent group rocci >/dev/null || groupadd -r rocci
+getent passwd rocci >/dev/null || \
+  useradd -r -g rocci -d %{app_root} -s /sbin/nologin -c "rOCCI user" rocci
+
+%post
+if [ "$1" -le "1" ] ; then # First install
+  semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
+  restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
+  semanage port -a -t http_port_t -p tcp 11443 2>/dev/null || :
+fi
+
+%preun
+if [ "$1" -lt "1" ] ; then # Final removal
+  semodule -r %{semodule_name} 2>/dev/null || :
+  restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
+  semanage port -d -t http_port_t -p tcp 11443 2>/dev/null || :
+fi
+
+%postun
+if [ "$1" -ge "1" ] ; then # Upgrade
+  semodule -i %{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp 2>/dev/null || :
+  restorecon -R %{app_root} %{_localstatedir}/log/rocci-server 2>/dev/null || :
+fi
+
+
+%files
+%license %{app_root}/LICENSE
+%{_pkgdocdir}/README.Fedora
+%config(noreplace) %{_sysconfdir}/rocci-server/
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-listen.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-security.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/occi-ssl.conf
+%dir %{_datadir}/selinux/packages/%{name}/
+%dir %{app_root}/
+%dir %{app_root}/lib/
+%dir %{app_root}/lib/backends/
+%{app_root}/app/
+%{app_root}/config/
+%{app_root}/db/
+%{app_root}/lib/assets/
+%{app_root}/lib/authentication_strategies
+%{app_root}/lib/backends/dummy/
+%{app_root}/lib/backends/errors/
+%{app_root}/lib/backends/helpers/
+%{app_root}/lib/backends/dummy_backend.rb
+%{app_root}/lib/errors/
+%{app_root}/lib/hooks/
+%{app_root}/lib/request_parsers/
+%{app_root}/lib/tasks
+%{app_root}/public/
+%{app_root}/vendor/
+%{app_root}/etc
+%{app_root}/log
+%{app_root}/config.ru
+%attr(-,rocci,rocci) %{_localstatedir}/log/rocci-server/
+%{_datadir}/selinux/packages/%{name}/%{semodule_name}.pp
+%exclude %{app_root}/bin/
+%exclude %{app_root}/.bundle/
+%exclude %{app_root}/.rspec
+%exclude %{app_root}/.travis.yml
+%exclude %{app_root}/Guardfile
+
+%files doc
+%{_pkgdocdir}/rdoc/
+%{app_root}/examples/
+%{app_root}/Capfile
+%{app_root}/README.md
+%{app_root}/Rakefile
+
+%files tests
+%{app_root}/lib/backends/bundles/
+%{app_root}/spec/
+%{app_root}/test/
+%{app_root}/Gemfile*
+
+%files opennebula
+%{app_root}/lib/backends/opennebula/
+%{app_root}/lib/backends/opennebula_backend.rb
+
+
+%changelog
+* Wed Dec 31 2014 František Dvořák <valtri at civ.zcu.cz> - 1.0.5-3
+- No shell for rocci user
+- SELinux cleanups: rules for Fedora 22, dependencies, context after uninstall
+- Update README.Fedora
+- Examples to doc subpackage
+
+* Tue Dec 30 2014 František Dvořák <valtri at civ.zcu.cz> - 1.0.5-2
+- Tests into a subpackage
+- Relax occi-core dependency
+- License file only in %%{app_root}
+
+* Thu Oct 09 2014 František Dvořák <valtri at civ.zcu.cz> - 1.0.5-1
+- Initial package
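Review bot: in %post, %preun and %postun every `semodule`, `restorecon` and `semanage` call ends in `2>/dev/null || :`, so a policy module that fails to load or a port label that cannot be added leaves no trace in the transaction output. Keeping `|| :` so the transaction does not abort is fine, but I would drop the `2>/dev/null` (or log the failure) so an admin can see that the SELinux setup the package relies on is incomplete. Also, `semanage port -d -t http_port_t -p tcp 11443` in %preun removes the mapping on final removal whether or not this package was the one that added it, and `echo "Listen 11443" >>` in %install could be `>` since the file is created at that point.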
diff --git a/rocci-server-1.0.x-unbundle.diff b/rocci-server-1.0.x-unbundle.diff
new file mode 100644
index 0000000..a503fcd
--- /dev/null
+++ b/rocci-server-1.0.x-unbundle.diff
@@ -0,0 +1,47 @@
+commit f1a70411dc804b9861593632e13142feac4d244d
+Author: František Dvořák <valtri at civ.zcu.cz>
+Date:   Thu Sep 18 22:36:18 2014 +0200
+
+    Remove the bundler (branch 1.0.x).
+
+diff --git a/config/application.rb b/config/application.rb
+index 6f37af1..72c497e 100644
+--- a/config/application.rb
++++ b/config/application.rb
+@@ -8,9 +8,24 @@ require 'action_controller/railtie'
+ require 'rails/test_unit/railtie'
+ # require 'sprockets/railtie'
+ 
+-# Require the gems listed in Gemfile, including any gems
+-# you've limited to :test, :development, or :production.
+-Bundler.require(:default, Rails.env)
++# Gemfile requires
++require 'rails'
++require 'rails-api'
++require 'jbuilder'
++require 'rack/cors'
++require 'dalli'
++require 'kgio'
++require 'warden'
++require 'logstasher'
++require 'hashie'
++require 'ice_nine'
++require 'occi-core'
++# opennebula backend
++begin
++  require 'opennebula'
++  require 'erubis'
++rescue LoadError
++end
+ 
+ # Extend Object with #deep_freeze
+ require 'ice_nine/core_ext/object'
+diff --git a/config/boot.rb b/config/boot.rb
+index 3596736..e69de29 100644
+--- a/config/boot.rb
++++ b/config/boot.rb
+@@ -1,4 +0,0 @@
+-# Set up gems listed in the Gemfile.
+-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+-
+-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
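Review bot: the `begin` / `rescue LoadError` / `end` around `require 'opennebula'` and `require 'erubis'` in config/application.rb has an empty rescue body, so a missing `erubis` with `opennebula` present, or a LoadError raised from inside either gem, is swallowed and the backend is left half loaded with no message. Suggest logging the exception, or rescuing each require separately. With `Bundler.require` and `bundler/setup` removed, the Gemfile version constraints are no longer checked at startup, so the RPM `Requires:` lines are the only thing enforcing them; a sentence about that in the patch header would help the next maintainer.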
diff --git a/rocci_server.fc b/rocci_server.fc
new file mode 100644
index 0000000..e480abf
--- /dev/null
+++ b/rocci_server.fc
@@ -0,0 +1,3 @@
+/var/log/rocci-server(/.*)?	system_u:object_r:passenger_log_t:s0
+/usr/share/rOCCI-server/lib(/.*)?	system_u:object_r:passenger_var_lib_t:s0
+/usr/share/rOCCI-server/Gemfile.lock	system_u:object_r:passenger_tmp_t:s0
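Review bot: the second entry labels the application's code under /usr/share/rOCCI-server/lib with `passenger_var_lib_t`, a type whose name marks it as variable data. Please check what the base policy lets `passenger_t` do with that type; if that includes write or create, the Ruby sources are writable by the application domain as far as SELinux is concerned, and a read-only content type would be the safer label. The third entry labels Gemfile.lock, which the spec moves away in %prep, so it describes a file that only appears at runtime under /usr/share; a comment saying who creates it would help.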
diff --git a/rocci_server.te b/rocci_server.te
new file mode 100644
index 0000000..875249a
--- /dev/null
+++ b/rocci_server.te
@@ -0,0 +1,87 @@
+module rocci_server 1.0.1;
+
+require {
+	type anon_inodefs_t;
+	type home_root_t;
+	type httpd_t;
+	type hwdata_t;
+	type lib_t;
+	type locale_t;
+	type memcache_port_t;
+	type passenger_t;
+        type passenger_log_t;
+        type passenger_var_lib_t;
+	type passenger_tmp_t;
+	type passenger_var_run_t;
+	type pki_ocsp_port_t;
+	type sysfs_t;
+	type var_log_t;
+	type man_t;
+
+        class capability { fowner fsetid sys_resource sys_ptrace };
+	class capability2 block_suspend;
+	class dir { add_name open read search write };
+	class file { create execute execute_no_trans getattr open read write };
+	class lnk_file read;
+	class sock_file write;
+	class tcp_socket { name_bind name_connect listen };
+	class unix_stream_socket { getattr read write };
+	class process { getsession signull };
+}
+
+#============= httpd_t ==============
+allow httpd_t passenger_tmp_t:sock_file write;
+
+# Fedora >= 22
+allow httpd_t pki_ocsp_port_t:tcp_socket name_bind;
+allow httpd_t passenger_log_t:dir add_name;
+allow httpd_t passenger_log_t:dir write;
+allow httpd_t passenger_log_t:file create;
+allow httpd_t passenger_log_t:file open;
+# This avc can be allowed using the boolean 'httpd_run_stickshift' (if anybody
+# knows what that boolean does :-))
+allow httpd_t passenger_var_lib_t:dir read;
+# This avc can be allowed using one of the these booleans:
+# httpd_run_stickshift, httpd_setrlimit
+allow httpd_t self:capability { fowner sys_resource };
+# This avc can be allowed using the boolean 'httpd_run_stickshift'
+allow httpd_t self:capability fsetid;
+# This avc can be allowed using one of the these booleans:
+# httpd_can_network_relay, httpd_can_network_memcache, httpd_can_network_connect
+allow httpd_t memcache_port_t:tcp_socket name_connect;
+allow httpd_t self:capability sys_ptrace;
+
+
+#============= passenger_t ==============
+allow passenger_t anon_inodefs_t:file { write read };
+allow passenger_t home_root_t:dir search;
+allow passenger_t httpd_t:unix_stream_socket getattr;
+allow passenger_t lib_t:file execute_no_trans;
+allow passenger_t locale_t:file { read getattr open };
+allow passenger_t man_t:dir { read open };
+# there exists httpd_can_network_memcache boolean, but that's not intended for passenger
+allow passenger_t memcache_port_t:tcp_socket name_connect;
+allow passenger_t self:process { getsession signull };
+allow passenger_t self:tcp_socket listen;
+allow passenger_t var_log_t:lnk_file read;
+
+# compiling and using passenger_native_support.so
+# (not needed for rOCCI-server package in Fedora/EPEL)
+allow passenger_t passenger_var_run_t:file execute;
+
+# not audited rules :-(
+# needed for #1029132
+# fixed since selinux-policy-3.12.1-183.fc20
+allow passenger_t httpd_t:unix_stream_socket { read write };
+
+# handling exceptions
+allow passenger_t hwdata_t:dir search;
+allow passenger_t hwdata_t:file getattr;
+allow passenger_t hwdata_t:file open;
+allow passenger_t hwdata_t:file read;
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t sysfs_t:dir read;
+allow passenger_t sysfs_t:file getattr;
+allow passenger_t sysfs_t:file open;
+allow passenger_t sysfs_t:file read;
+allow passenger_t sysfs_t:lnk_file read;
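Review bot: `allow httpd_t self:capability sys_ptrace;` at the end of the httpd_t block has no comment, and it is a strong capability to hand to the web server domain. Please say which denial it answers, and consider a `dontaudit` rule instead if the service works without it. The comments above it state that the memcache connect and the `fowner`/`sys_resource`/`fsetid` rules can be obtained through booleans such as `httpd_can_network_memcache` and `httpd_setrlimit`; setting the narrowest boolean is easier to audit than a module-local allow. `allow httpd_t pki_ocsp_port_t:tcp_socket name_bind;` covers every port carrying that type, not only 11443. The `require` block mixes tabs and spaces.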
diff --git a/sources b/sources
index e69de29..1d87ff5 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+55bb0c22b6d6409aca5944e7c08ede13  rOCCI-server-aa036b71edcffd0e531a3ceba5b7113d40577977.tar.gz
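Review bot: the tarball is pinned with a 32-hex-digit MD5 digest, and MD5 is not collision resistant. If the tooling that reads this file accepts a stronger hash, use it; the commit id embedded in the file name at least ties the archive to one upstream revision.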

