Use systemd'd git-daemon on Centos7

Centos7 is a bit more opinionated on how git-daemon should run. In particular with selinux the git_system_t context does not have permissions to the git_port_t port(s) because systemd is expected to do socket activation for git-daemon. Fix this by not fighting systemd and embracing it. Use it for socket activation with the git-daemon process and potentially add the git daemon port to git_port_t label if necessary. Change-Id: Id3fadfa74261649d158f4f31879f74f83d5856a8
2015-08-27 15:49:55 -07:00 · 2015-08-27 15:49:55 -07:00 · dc7e58943d
parent 0ae79e0106
commit dc7e58943d
4 changed files with 62 additions and 12 deletions
--- a/files/git-daemon.service
+++ b/files/git-daemon.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Git Repositories Server Daemon
+Documentation=man:git-daemon(1)
+Wants=git-daemon.socket
+
+[Service]
+User=nobody
+ExecStart=-/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --export-all --syslog --inetd --verbose /var/lib/git
+StandardInput=socket
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -91,10 +91,6 @@ class cgit(

  include ::httpd

-  if ($::osfamily == 'RedHat') {
-    include ::cgit::selinux
-  }
-
  package { [
      'cgit',
      'git-daemon',
@ -195,18 +191,44 @@ class cgit(
    require => File[$cgitdir],
  }

-  file { '/etc/init.d/git-daemon':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0755',
-    content => template('cgit/git-daemon.init.erb'),
+  if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
+    $git_daemon_service_name = 'git-daemon.socket'
+    file { '/usr/lib/systemd/system/git-daemon.socket':
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template('cgit/git-daemon.socket.erb'),
+    }
+    file { 'git-daemon-init-script':
+      ensure    => present,
+      path      => '/usr/lib/systemd/system/git-daemon@.service',
+      owner     => 'root',
+      group     => 'root',
+      mode      => '0644',
+      source    => 'puppet:///modules/cgit/git-daemon.service',
+      subscribe => File['/usr/lib/systemd/system/git-daemon.socket'],
+    }
+  } else {
+    $git_daemon_service_name = 'git-daemon'
+    file { 'git-daemon-init-script':
+      ensure  => present,
+      path    => '/etc/init.d/git-daemon',
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+      content => template('cgit/git-daemon.init.erb'),
+    }
  }

-  service { 'git-daemon':
+  service { $git_daemon_service_name:
    ensure    => running,
    enable    => true,
-    subscribe => File['/etc/init.d/git-daemon'],
+    subscribe => File['git-daemon-init-script'],
+  }
+
+  if ($::osfamily == 'RedHat') {
+    include ::cgit::selinux
  }

  if $ssl_cert_file_contents != undef {
--- a/manifests/selinux.pp
+++ b/manifests/selinux.pp
@ -45,5 +45,15 @@ class cgit::selinux {
    subscribe   => File['/etc/httpd/conf.d/ssl.conf'],
    refreshonly => true,
  }
+
+  exec { 'cgit_allow_git_daemon_port':
+    # If we cannot add the rule modify the existing rule.
+    onlyif      => "bash -c \'! semanage port -a -t git_port_t -p tcp ${::cgit::daemon_port}\'",
+    command     => "semanage port -m -t git_port_t -p tcp ${::cgit::daemon_port}",
+    path        => '/bin:/usr/sbin',
+    before      => Service[$::cgit::git_daemon_service_name],
+    subscribe   => File['git-daemon-init-script'],
+    refreshonly => true,
+  }
 }

--- a/templates/git-daemon.socket.erb
+++ b/templates/git-daemon.socket.erb
@ -0,0 +1,9 @@
+[Unit]
+Description=Git Activation Socket
+
+[Socket]
+ListenStream=<%= scope.lookupvar("cgit::daemon_port") %>
+Accept=true
+
+[Install]
+WantedBy=sockets.target