during work on the SELinux policy changes, I’ve noticed that Puma listens on 3000 tcp by default. This port is already assigned to ntop_port_t for application ntop. It is also used by few other apps [1] and it appears to be the default Rails development port.
Since there is still some time to change this, I would like to open up discussion about picking a different higher-range port that is not used officially, unofficially or even assigned in SELinux base policy. The only reason I have is that reusing SELinux port assignments can bring huge pains when these get reassigned in the base policy. @packaging
My preference would actually be to use a unix socket instead of a TCP port. The benefit is that we can enforce that only Apache can talk to it. This takes away the risk where anyone who can talk to localhost:3000 can impersonate any client (by spoofing headers). It’s been on my wish list but didn’t manage to get to it in time. If it makes the SELinux policy easier, it’s a good reason to push it into 2.1 rather than 2.2.
As much as I would love to see UNIX domain socket, I would not like to be the reason why something gets delayed. Let me know if you manage it to squeeze it. If not, I am adding port 3000 for now. Or if we agree here I can create a new SELinux port reservation for a particular number we choose.
Is there a reason why we spawn rails helper instead of puma directly?
It looks like currently something in the stack calls shell, therefore in our new SELinux policy I need to allow shell spawning which is sub-ideal. I am hoping that it’s Rails spawning Puma so eliminating this in the chain could simplify the SELinux policy.
This way I got it all to work, including socket activation but I’ll admit I’m not sure what the exact difference is between rails server and puma other than that rails server provides some wrappers as well.
It can also be in SCL helpers. From my Foreman 2.0 install:
That is a generated wrapper from scl enable, we have no control over that. We might be able to call things using /usr/bin/tfm-ruby like we did with puma.
It is a separate service, but needs to run with the Rails code loaded. All our jobs assume the Foreman application is loaded. See systemctl status dynflow-sidekiq@*
No, it was the result of
To get socket activation to work, I needed to get rid of the additional forking that the SCL helper introduced. An additional benefit is fewer processes running. As I mentioned, my server is on 2.0.
I have another issue explained above: Ruby on Rails (puma) process creates UNIX sockets that I don’t know what are for. Puma devs already confirmed and I have tested with “Hello World” puma application that it’s not Puma. It must be some gem: https://github.com/puma/puma/issues/2272