On 06/16/2011 10:58 AM, Igor GaliÄ wrote:
----- Original Message -----
On 06/16/2011 06:04 AM, Jan-Frode Myklebust wrote:
On Wed, Jun 15, 2011 at 05:08:49PM -0430, Marcos Ortiz wrote:
Regards to all the list
I was wondering if any of you have deployed Traffic Server under
SELinux Âs policies?
If itÂs true, Where I can find the work? I don't know if it's been
done, but I intend to build a policy
for it together with the fedora/EPEL package, and try to push it
upstream to the reference policy.
-jf Dominick Grift ( domg472@xxxxxxxxx ) and me will want to
help to this development, precisely under Fedora. Can you
explain to us the basic workflow of TS?
Thanks a lot
I don't think it'll be that straightforward to create such a policy
for TS, because it's got quite a complex work-flow.
igalic@pheme ~ % ps -cafe | grep -i traffic[_]
root 311 1 TS 19 Jun06 ? 00:00:59 /usr/bin/traffic_cop
nobody 750 311 TS 19 Jun06 ? 00:10:17 /usr/bin/traffic_manager
nobody 961 750 TS 19 Jun06 ? 05:29:24 /usr/bin/traffic_server -M -A,7:X
igalic@pheme ~ % getpcaps 311 750 961
Capabilities for `311': =ep
Capabilities for `750': =p cap_net_bind_service,cap_net_admin,cap_ipc_lock+e
Capabilities for `961': = cap_net_bind_service,cap_net_admin,cap_ipc_lock+ep
igalic@pheme ~ %
* traffic_cop is started as root
* it creates /var/trafficserver/run/cop.lock and writes its PID inside
* it attempts to start traffic_manager
* traffic_manager is started as "nobody" but inherits the Capabilities from the parent
* it creates /var/trafficserver/run/manager.lock and writes its PID inside
* it binds to port 80 and 443, then drops privileges (see above.)
* it creates /var/trafficserver/logs/manager.log and /var/trafficserver/logs/traffic.out
* it creates several sockets in /var/trafficserver/run/
* it attempts to start traffic_server
* traffic_server is started as "nobody"
* it opens /var/trafficserver/run/server.lock and writes its PID inside
* it opens /var/trafficserver/logs/{diags,error}.log and /var/trafficserver/logs/squid.blog
* it opens /var/trafficserver/cache/host.db
* depending on your storage.config it will then open the index, in my case these are
- the disk devices /dev/vde and /dev/vdf
This is a simple startup of a single node. It should look the same in both,
forward proxy and reverse proxy mode.
If you enable clustering, you'll also have to consider this in your firewall
configuration, allowing multi-cast on the local network.
I hope that gets you started.
--
Marcos LuÃs OrtÃz Valmaseda
Software Engineer (UCI) http://marcosluis2186.posterous.com
http://twitter.com/marcosluis2186
So long,
i
Well, Dominick, I think that the first thing to
do is to build
the .rpm package under correct packaging rules.
Init scripts under:
/usr/sbin
/etc/init.d/ (compatible with the chkconfig tool)
pids under:
/var/run
libraries under:
/usr/lib/trafficserver
docs under:
/usr/share/docs/trafficserver
log files under:
/var/log/trafficserver
and locks under:
/var/locks/trafficserver
It's this correct, Dominick?
Where I can find the spec file for TrafficServer?
Regards
--
Marcos LuÃs OrtÃz Valmaseda
Software Engineer (UCI)
http://marcosluis2186.posterous.com
http://twitter.com/marcosluis2186
|
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
