Merge commit '9802495704223a4f08f40641a73f24ad7e6d1b73' into 7-2-stable

Jacob Vosmaer
2 parents 4343fe3e 98024957
Showing 12 changed files with 124 additions and 1 deletions Show diff stats
CHANGELOG
README.md
config/projects/gitlab.rb
config/software/gitlab-selinux.rb
files/gitlab-cookbooks/gitlab/recipes/default.rb
files/gitlab-cookbooks/gitlab/recipes/selinux.rb
files/gitlab-cookbooks/runit/files/default/gitlab-runsvdir.service
files/gitlab-cookbooks/runit/recipes/default.rb
files/gitlab-cookbooks/runit/recipes/systemd.rb
files/gitlab-selinux/README.md
files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.pp
files/gitlab-selinux/rhel/7/gitlab-7.2.0-ssh-keygen.te
@@ -3,6 +3,10 @@
 The latest version of this file can be found at the master branch of the
 omnibus-gitlab repository.
+7.3.0
+- Add systemd support for Centos 7
+- Add a Centos 7 SELinux module for ssh-keygen permissions
+
 7.2.0
 - Pass environment variables to Unicorn and Sidekiq (Chris Portman)
 - Add openssl_verify_mode to SMTP email configuration (Dionysius Marquis)
@@ -572,6 +572,10 @@ The correct operation of Git access via SSH depends on the labeling of
 `/var/opt/gitlab/.ssh`. If needed you can restore this labeling by running
 `sudo gitlab-ctl reconfigure`.
+Depending on your platform, `gitlab-ctl reconfigure` will install SELinux
+modules required to make GitLab work. These modules are listed in
+[files/gitlab-selinux/README.md](files/gitlab-selinux/README.md).
+
 ## Logs
 ### Tail logs in a console on the server
@@ -43,6 +43,7 @@ dependency &quot;gitlab-rails&quot;
 dependency "gitlab-shell"
 dependency "gitlab-ctl"
 dependency "gitlab-cookbooks"
+dependency "gitlab-selinux"
 # version manifest file
 dependency "version-manifest"
@@ -0,0 +1,29 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name "gitlab-selinux"
+
+dependency "rsync"
+
+always_build true
+
+source :path => File.expand_path("files/gitlab-selinux", Config.project_root)
+
+build do
+  command "mkdir -p #{install_dir}/embedded/selinux"
+  command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/"
+end
@@ -48,6 +48,7 @@ end
 include_recipe "gitlab::users"
 include_recipe "gitlab::gitlab-shell"
 include_recipe "gitlab::gitlab-rails"
+include_recipe "gitlab::selinux"
 # Create dummy unicorn and sidekiq services to receive notifications, in case
 # the corresponding service recipe is not loaded below.
@@ -0,0 +1,23 @@
+#
+# Copyright:: Copyright (c) 2014 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./
+  ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
+  execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
+    not_if "semodule -l | grep '^#{ssh_keygen_module}\\s'"
+  end
+end
@@ -0,0 +1,6 @@
+[Unit]
+Description=GitLab Runit supervision process
+
+[Service]
+ExecStart=/opt/gitlab/embedded/bin/runsvdir-start
+Restart=always
@@ -33,8 +33,10 @@ when &quot;rhel&quot;
   else
     if node['platform_version'] =~ /^5/
       include_recipe "runit::sysvinit"
-    else # >= 6.0
+    elsif node['platform_version'] =~ /^6/
       include_recipe "runit::upstart"
+    elsif node['platform_version'] =~ /^7/
+      include_recipe "runit::systemd"
     end
   end
 when "fedora"
@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: runit
+# Recipe:: systemd
+#
+# Copyright 2014 GitLab B.V.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+link "/etc/systemd/system/default.target.wants/gitlab-runsvdir.service" do
+  to "/opt/gitlab/embedded/cookbooks/runit/files/default/gitlab-runsvdir.service"
+  notifies :run, 'execute[systemctl daemon-reload]', :immediately
+  notifies :run, 'execute[systemctl start gitlab-runsvdir]', :immediately
+end
+
+execute "systemctl daemon-reload" do
+  action :nothing
+end
+
+execute "systemctl start gitlab-runsvdir" do
+  action :nothing
+end
@@ -0,0 +1,10 @@
+# SELinux modules for GitLab
+
+## RHEL / Centos 7
+
+rhel/7/gitlab-7.2.0-ssh-keygen.pp
+
+GitLab handles SSH public keys and we want to verify whether users input valid
+SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
+from standard input, we need to create a temporary file. This SELinux module
+gives ssh-keygen permission to read the temporary file we create for it.
@@ -0,0 +1,11 @@
+
+module gitlab-7.2.0-ssh-keygen 1.0;
+
+require {
+	type ssh_keygen_t;
+	type init_tmp_t;
+	class file open;
+}
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t init_tmp_t:file open;
	@@ -43,6 +43,7 @@ dependency "gitlab-rails"		@@ -43,6 +43,7 @@ dependency "gitlab-rails"
43	dependency "gitlab-shell"	43	dependency "gitlab-shell"
44	dependency "gitlab-ctl"	44	dependency "gitlab-ctl"
45	dependency "gitlab-cookbooks"	45	dependency "gitlab-cookbooks"
		46	+dependency "gitlab-selinux"
46		47
47	# version manifest file	48	# version manifest file
48	dependency "version-manifest"	49	dependency "version-manifest"
@@ -0,0 +1,29 @@		@@ -0,0 +1,29 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2014 GitLab B.V.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+name "gitlab-selinux"
	19	+
	20	+dependency "rsync"
	21	+
	22	+always_build true
	23	+
	24	+source :path => File.expand_path("files/gitlab-selinux", Config.project_root)
	25	+
	26	+build do
	27	+ command "mkdir -p #{install_dir}/embedded/selinux"
	28	+ command "#{install_dir}/embedded/bin/rsync --delete -a ./ #{install_dir}/embedded/selinux/"
	29	+end
	@@ -48,6 +48,7 @@ end		@@ -48,6 +48,7 @@ end
48	include_recipe "gitlab::users"	48	include_recipe "gitlab::users"
49	include_recipe "gitlab::gitlab-shell"	49	include_recipe "gitlab::gitlab-shell"
50	include_recipe "gitlab::gitlab-rails"	50	include_recipe "gitlab::gitlab-rails"
		51	+include_recipe "gitlab::selinux"
51		52
52	# Create dummy unicorn and sidekiq services to receive notifications, in case	53	# Create dummy unicorn and sidekiq services to receive notifications, in case
53	# the corresponding service recipe is not loaded below.	54	# the corresponding service recipe is not loaded below.
@@ -0,0 +1,23 @@		@@ -0,0 +1,23 @@
	1	+#
	2	+# Copyright:: Copyright (c) 2014 GitLab B.V.
	3	+# License:: Apache License, Version 2.0
	4	+#
	5	+# Licensed under the Apache License, Version 2.0 (the "License");
	6	+# you may not use this file except in compliance with the License.
	7	+# You may obtain a copy of the License at
	8	+#
	9	+# http://www.apache.org/licenses/LICENSE-2.0
	10	+#
	11	+# Unless required by applicable law or agreed to in writing, software
	12	+# distributed under the License is distributed on an "AS IS" BASIS,
	13	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	+# See the License for the specific language governing permissions and
	15	+# limitations under the License.
	16	+#
	17	+
	18	+if node["platform_family"] == "rhel" && node["platform_version"] =~ /7\./
	19	+ ssh_keygen_module = 'gitlab-7.2.0-ssh-keygen'
	20	+ execute "semodule -i /opt/gitlab/embedded/selinux/rhel/7/#{ssh_keygen_module}.pp" do
	21	+ not_if "semodule -l \| grep '^#{ssh_keygen_module}\\s'"
	22	+ end
	23	+end
@@ -0,0 +1,6 @@		@@ -0,0 +1,6 @@
	1	+[Unit]
	2	+Description=GitLab Runit supervision process
	3	+
	4	+[Service]
	5	+ExecStart=/opt/gitlab/embedded/bin/runsvdir-start
	6	+Restart=always
@@ -0,0 +1,32 @@		@@ -0,0 +1,32 @@
	1	+#
	2	+# Cookbook Name:: runit
	3	+# Recipe:: systemd
	4	+#
	5	+# Copyright 2014 GitLab B.V.
	6	+#
	7	+# Licensed under the Apache License, Version 2.0 (the "License");
	8	+# you may not use this file except in compliance with the License.
	9	+# You may obtain a copy of the License at
	10	+#
	11	+# http://www.apache.org/licenses/LICENSE-2.0
	12	+#
	13	+# Unless required by applicable law or agreed to in writing, software
	14	+# distributed under the License is distributed on an "AS IS" BASIS,
	15	+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	16	+# See the License for the specific language governing permissions and
	17	+# limitations under the License.
	18	+#
	19	+
	20	+link "/etc/systemd/system/default.target.wants/gitlab-runsvdir.service" do
	21	+ to "/opt/gitlab/embedded/cookbooks/runit/files/default/gitlab-runsvdir.service"
	22	+ notifies :run, 'execute[systemctl daemon-reload]', :immediately
	23	+ notifies :run, 'execute[systemctl start gitlab-runsvdir]', :immediately
	24	+end
	25	+
	26	+execute "systemctl daemon-reload" do
	27	+ action :nothing
	28	+end
	29	+
	30	+execute "systemctl start gitlab-runsvdir" do
	31	+ action :nothing
	32	+end
@@ -0,0 +1,10 @@		@@ -0,0 +1,10 @@
	1	+# SELinux modules for GitLab
	2	+
	3	+## RHEL / Centos 7
	4	+
	5	+rhel/7/gitlab-7.2.0-ssh-keygen.pp
	6	+
	7	+GitLab handles SSH public keys and we want to verify whether users input valid
	8	+SSH keys using the ssh-keygen utility. Because ssh-keygen does not accept input
	9	+from standard input, we need to create a temporary file. This SELinux module
	10	+gives ssh-keygen permission to read the temporary file we create for it.
@@ -0,0 +1,11 @@		@@ -0,0 +1,11 @@
	1	+
	2	+module gitlab-7.2.0-ssh-keygen 1.0;
	3	+
	4	+require {
	5	+ type ssh_keygen_t;
	6	+ type init_tmp_t;
	7	+ class file open;
	8	+}
	9	+
	10	+#============= ssh_keygen_t ==============
	11	+allow ssh_keygen_t init_tmp_t:file open;