Add startup scripts and apparmor templates

Change-Id: Ie4b9d507b16c0969d29eac5b5e8e49921de31bd7
2014-09-08 19:09:40 +01:00 · 2014-09-08 19:09:40 +01:00 · a2cccbe4e9
parent 4af7493380
commit a2cccbe4e9
4 changed files with 109 additions and 0 deletions
--- a/bin/ephemeral_ca_debug
+++ b/bin/ephemeral_ca_debug
@ -0,0 +1,6 @@
+#!/bin/sh
+VENV=$1
+
+[ -n "$VENV" ] || ( echo "provide virtual env path as parameter" && exit 1 )
+
+"$VENV/bin/pecan" serve --reload config.py
--- a/bin/ephemeral_ca_production
+++ b/bin/ephemeral_ca_production
@ -0,0 +1,6 @@
+#!/bin/sh
+VENV=$1
+
+[ -n "$VENV" ] || ( echo "provide virtual env path as parameter" && exit 1 )
+
+"$VENV/bin/uwsgi" --http-socket :5000 --venv "$VENV" --pecan config.py -p 4
--- a/tools/apparmor.ephemeral_ca_debug
+++ b/tools/apparmor.ephemeral_ca_debug
@ -0,0 +1,48 @@
+#include <tunables/global>
+
+@{ECA_BASE}="/replace/with/path/to/ephemeral-ca"
+@{ECA_VENV}="@{ECA_BASE}/.venv"
+@{ECA_CA_DIR}="@{ECA_BASE}/CA"
+@{ECA_CERTS_DIR}="@{ECA_BASE}/certs"
+
+/replace/with/path/to/ephemeral-ca/bin/ephemeral_ca_debug {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+
+  /bin/dash ix,
+  @{ECA_BASE}/ r,
+  @{ECA_BASE}/bin/ephemeral_ca_debug mixr,
+
+  @{ECA_VENV}/bin/pecan cix,
+
+  profile /replace/with/path/to/bin/pecan {
+    #include <abstractions/base>
+    #include <abstractions/python>
+    #include <abstractions/bash>
+    #include <abstractions/nameservice>
+    #include <abstractions/user-tmp>
+
+    network inet  stream,
+
+    /bin/dash ix,
+    /bin/uname ix,
+    /etc/mime.types r,
+
+    /sbin/ldconfig mUxr,
+
+    @{ECA_CA_DIR}/* r,
+    @{ECA_CERTS_DIR}/{,*.crt} w,
+
+    @{ECA_BASE}/ r,
+    @{ECA_BASE}/ephemeral_ca/**.py{,c} r,
+    @{ECA_BASE}/ephemeral_ca/{,**/} r,
+    @{ECA_BASE}/config.py r,
+
+    @{ECA_VENV}/bin/python mixr,
+    @{ECA_VENV}/bin/pecan mixr,
+    @{ECA_VENV}/bin/ r,
+    @{ECA_VENV}/lib/python2.7/ r,
+    @{ECA_VENV}/lib/python2.7/** r,
+    @{ECA_VENV}/lib/python2.7/**/*.so m,
+  }
+}
--- a/tools/apparmor.ephemeral_ca_production
+++ b/tools/apparmor.ephemeral_ca_production
@ -0,0 +1,49 @@
+#include <tunables/global>
+
+@{ECA_BASE}="/path/to/ephemeral-ca"
+@{ECA_VENV}="@{ECA_BASE}/.venv"
+@{ECA_CA_DIR}="@{ECA_BASE}/CA"
+@{ECA_CERTS_DIR}="@{ECA_BASE}/certs"
+
+/path/to/ephemeral-ca/bin/ephemeral_ca_production {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+
+  /bin/dash ix,
+  @{ECA_BASE}/ r,
+  @{ECA_BASE}/bin/ephemeral_ca_production mixr,
+
+  @{ECA_VENV}/bin/uwsgi cix,
+
+  profile /path/to/ephemeral-ca/.venv/bin/uwsgi {
+    #include <abstractions/base>
+    #include <abstractions/python>
+    #include <abstractions/bash>
+    #include <abstractions/nameservice>
+    #include <abstractions/user-tmp>
+
+    network inet  stream,
+
+    /bin/dash ix,
+    /bin/uname ix,
+    /etc/mime.types r,
+    /sbin/ldconfig mUxr,
+
+    @{PROC}/sys/net/core/somaxconn r,
+
+    @{ECA_CA_DIR}/* r,
+    @{ECA_CERTS_DIR}/{,*.crt} w,
+
+    @{ECA_BASE}/ r,
+    @{ECA_BASE}/ephemeral_ca/**.py{,c} r,
+    @{ECA_BASE}/ephemeral_ca/{,**/} r,
+    @{ECA_BASE}/config.py r,
+
+    @{ECA_VENV}/bin/python mixr,
+    @{ECA_VENV}/bin/uwsgi mixr,
+    @{ECA_VENV}/bin/ r,
+    @{ECA_VENV}/lib/python2.7/ r,
+    @{ECA_VENV}/lib/python2.7/** r,
+    @{ECA_VENV}/lib/python2.7/**/*.so m,
+  }
+}