Task #7178


Recommended installation layout

Added by ekohl almost 4 years ago. Updated over 3 years ago.

Start date:
Due date:
% Done:


Estimated time:
(Total: 0:00 h)
Platform Release:
Sprint Candidate:
Dev Environment, Documentation, Katello, SELinux


While trying to address I was looking at the recommended layout. There are a few things I'd suggest to do different. suggests /var/lib/pulp with mode 750 and SELinux context var_lib_t. I disagree with all of these.

The directory should be its own directory (so /var/lib/pulp/media) because it means all files within it are owned by Pulpcore. This means you can use unreferenced_files from django-extensions without adjustment.

If the directory is /var/lib/pulp then mode 750 means Apache can't read files from the directory. This conflicts with Pulp 2 and serving assets directly via Apache. This is not a concern when /var/lib/pulp/media is used.

The SELinux context should be pulpcore_var_lib_t so Apache and other services are denied access to media files. Again, this can only be done when it's in a subdirectory.

Looking at there are various settings that are derived from MEDIA_ROOT, which is IMHO incorrect. states

Absolute filesystem path to the directory that will hold user-uploaded files

STATIC_ROOT should be part of MEDIA_ROOT. A common pattern is to introduce a setting (like ROOT_DIR or similar) and derive all locations based on that. Then in production mode you can set ROOT_DIR to /var/lib/pulp and automatically get all recommended directories correct.

Then there is the SELinux policy. As mentioned previously, it doesn't set the SELinux type for all the MEDIA_ROOT, but only the artifact directory. This is IMHO incorrect.

It also sets the SELinux type for assets (which is the default directory for STATIC_ROOT) to pulpcore_var_lib_t but Apache isn't allowed to serve that. However, it is the most efficient way to serve these files. Perhaps this could use the type httpd_sys_content_t but I don't know if that's appropriate. A more experience SELinux dev should weigh in on this.

Lastly there's the SELinux types for bin/gunicorn and bin/rq. In the Katello RPM packaging these live in /usr/bin and don't get a label. I don't think it's appropriate to label those files pulpcore_exec_t, but the result is that the Pulp services run unconfined in the Katello deployment. A common pattern is to use /usr/libexec to create wrappers. The systemd services could then call these wrappers with the correct context.

Sub-issues 1 (1 open0 closed)

Task #7482: pulp_installer change(s) for Recommended installation layoutNEW


Related issues

Has duplicate Pulp - Issue #7109: Changing MEDIA_ROOT does not propagate to STATIC_ROOT etcCLOSED - DUPLICATEActions

Also available in: Atom PDF