On 06/16/2011 10:58 AM, Igor Galić wrote:
----- Original Message -----
On 06/16/2011 06:04 AM, Jan-Frode Myklebust wrote:
On Wed, Jun 15, 2011 at 05:08:49PM -0430, Marcos Ortiz wrote:
Regards to all the list. I was wondering if any of you have deployed Traffic Server under SELinux's policies? If so, where can I find the work?

I don't know if it's been done, but I intend to build a policy for it together with the fedora/EPEL package, and try to push it upstream to the reference policy.

-jf

Dominick Grift (domg472@gmail.com) and I would like to help with this development, precisely under Fedora. Can you explain to us the basic workflow of TS? Thanks a lot.
I don't think it'll be that straightforward to create such a policy for TS, because it's got quite a complex work-flow.
igalic@pheme ~ % ps -cafe | grep -i traffic[_]
root       311     1 TS  19 Jun06 ?        00:00:59 /usr/bin/traffic_cop
nobody     750   311 TS  19 Jun06 ?        00:10:17 /usr/bin/traffic_manager
nobody     961   750 TS  19 Jun06 ?        05:29:24 /usr/bin/traffic_server -M -A,7:X
igalic@pheme ~ % getpcaps 311 750 961
Capabilities for `311': =ep
Capabilities for `750': =p cap_net_bind_service,cap_net_admin,cap_ipc_lock+e
Capabilities for `961': = cap_net_bind_service,cap_net_admin,cap_ipc_lock+ep
igalic@pheme ~ %

- traffic_cop is started as root
  - it creates /var/trafficserver/run/cop.lock and writes its PID inside
  - it attempts to start traffic_manager
- traffic_manager is started as "nobody" but inherits the capabilities from the parent
  - it creates /var/trafficserver/run/manager.lock and writes its PID inside
  - it binds to ports 80 and 443, then drops privileges (see above)
  - it creates /var/trafficserver/logs/manager.log and /var/trafficserver/logs/traffic.out
  - it creates several sockets in /var/trafficserver/run/
  - it attempts to start traffic_server
- traffic_server is started as "nobody"
  - it opens /var/trafficserver/run/server.lock and writes its PID inside
  - it opens /var/trafficserver/logs/{diags,error}.log and /var/trafficserver/logs/squid.blog
  - it opens /var/trafficserver/cache/host.db
  - depending on your storage.config it will then open the index; in my case these are the disk devices /dev/vde and /dev/vdf
This is a simple startup of a single node. It should look the same in both, forward proxy and reverse proxy mode.
If you enable clustering, you'll also have to consider this in your firewall configuration, allowing multicast on the local network.
I hope that gets you started.
-- Marcos Luís Ortíz Valmaseda Software Engineer (UCI) http://marcosluis2186.posterous.com http://twitter.com/marcosluis2186
So long, i
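As an added sketch (my own, not code from the Traffic Server project or the Fedora package), here is how the startup sequence Igor lists above maps onto a reference-policy module. The type names are my choice; the setuid/setgid capabilities, the signal permissions and the rule letting a forward proxy connect to origin servers on any port are assumptions, everything else follows directly from the process list, the getpcaps output and the paths named above. It has not been run against audit logs, so treat it as a starting point rather than a finished policy.

```selinux
# --- trafficserver.te ---
# Added sketch of a reference-policy module for the startup sequence Igor
# describes. Not from the Traffic Server project or the Fedora package; type
# names are my choice. One domain covers traffic_cop, traffic_manager and
# traffic_server, so the root -> nobody boundary is enforced by DAC only.
policy_module(trafficserver, 0.1)

########################################
# Declarations

type trafficserver_t;
type trafficserver_exec_t;
init_daemon_domain(trafficserver_t, trafficserver_exec_t)

# /var/trafficserver/run: cop.lock, manager.lock, server.lock, sockets
type trafficserver_var_run_t;
files_pid_file(trafficserver_var_run_t)

# /var/trafficserver/logs: manager.log, traffic.out, diags.log, error.log, squid.blog
type trafficserver_log_t;
logging_log_file(trafficserver_log_t)

# /var/trafficserver/cache: host.db and the cache index when it is a file
type trafficserver_cache_t;
files_type(trafficserver_cache_t)

########################################
# Local policy

# getpcaps showed net_bind_service, net_admin and ipc_lock on manager and
# server; setuid/setgid are an assumption for the root -> nobody switch.
allow trafficserver_t self:capability { net_bind_service net_admin ipc_lock setuid setgid };
# assumption: cop/manager signal the children they start
allow trafficserver_t self:process { signal signull sigkill };
allow trafficserver_t self:fifo_file rw_fifo_file_perms;
allow trafficserver_t self:unix_stream_socket create_stream_socket_perms;
allow trafficserver_t self:tcp_socket create_stream_socket_perms;
allow trafficserver_t self:udp_socket create_socket_perms;

# cop execs manager, manager execs server: all three binaries carry
# trafficserver_exec_t, so the exec stays inside trafficserver_t.
can_exec(trafficserver_t, trafficserver_exec_t)

# lock/PID files and sockets in /var/trafficserver/run
manage_files_pattern(trafficserver_t, trafficserver_var_run_t, trafficserver_var_run_t)
manage_sock_files_pattern(trafficserver_t, trafficserver_var_run_t, trafficserver_var_run_t)
files_pid_filetrans(trafficserver_t, trafficserver_var_run_t, { file sock_file })

# log files in /var/trafficserver/logs
manage_files_pattern(trafficserver_t, trafficserver_log_t, trafficserver_log_t)
logging_log_filetrans(trafficserver_t, trafficserver_log_t, file)

# host.db and a file-backed cache index
manage_files_pattern(trafficserver_t, trafficserver_cache_t, trafficserver_cache_t)

# raw block devices listed in storage.config (/dev/vde, /dev/vdf in Igor's case)
storage_raw_read_fixed_disk(trafficserver_t)
storage_raw_write_fixed_disk(trafficserver_t)

# listen on 80/443 (http_port_t); assumption: a forward proxy must also be
# able to connect to origin servers on arbitrary ports
corenet_tcp_bind_generic_node(trafficserver_t)
corenet_tcp_bind_http_port(trafficserver_t)
corenet_tcp_sendrecv_generic_if(trafficserver_t)
corenet_tcp_sendrecv_generic_node(trafficserver_t)
corenet_tcp_connect_all_ports(trafficserver_t)
# clustering (multicast on the LAN) is not covered here and would need
# additional udp_socket bind rules for the cluster port.

dev_read_urand(trafficserver_t)
files_read_etc_files(trafficserver_t)
miscfiles_read_localization(trafficserver_t)
# resolving the "nobody" user and DNS names
auth_use_nsswitch(trafficserver_t)

# --- trafficserver.fc ---
/usr/bin/traffic_cop            --   gen_context(system_u:object_r:trafficserver_exec_t,s0)
/usr/bin/traffic_manager        --   gen_context(system_u:object_r:trafficserver_exec_t,s0)
/usr/bin/traffic_server         --   gen_context(system_u:object_r:trafficserver_exec_t,s0)
/var/trafficserver/run(/.*)?         gen_context(system_u:object_r:trafficserver_var_run_t,s0)
/var/trafficserver/logs(/.*)?        gen_context(system_u:object_r:trafficserver_log_t,s0)
/var/trafficserver/cache(/.*)?       gen_context(system_u:object_r:trafficserver_cache_t,s0)
```

Build it with "make -f /usr/share/selinux/devel/Makefile trafficserver.pp" and "semodule -i trafficserver.pp", relabel with "restorecon -R /usr/bin/traffic_* /var/trafficserver", then run the domain permissive ("semanage permissive -a trafficserver_t") and fold whatever "audit2allow -a" reports back into the module before switching to enforcing. The one-domain design is the weak point: splitting it into cop, manager and server domains with domain transitions between them would let SELinux enforce the root-to-nobody boundary that the getpcaps output shows, instead of leaving it to DAC and the capability drop.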
Well, Dominick, I think that the first thing to do is to build the .rpm package under correct packaging rules.

Init scripts under: /usr/sbin, /etc/init.d/ (compatible with the chkconfig tool)
pids under: /var/run
libraries under: /usr/lib/trafficserver
docs under: /usr/share/docs/trafficserver
log files under: /var/log/trafficserver
and locks under: /var/locks/trafficserver

Is this correct, Dominick? Where can I find the spec file for TrafficServer?
Regards
On Thu, 2011-06-16 at 11:58 -0430, Marcos Ortiz wrote:
Well, Dominick, I think that the first thing to do is to build the .rpm package under correct packaging rules.
Agreed
Is this correct, Dominick?
Almost but whoever is able to maintain this package will probably be aware of the rules.
Where can I find the spec file for TrafficServer?
I do not know
Regards
selinux@lists.fedoraproject.org