Bug 1075806 - Review Request: fcgiwrap - Simple FastCGI wrapper for CGI scripts
Review Request: fcgiwrap - Simple FastCGI wrapper for CGI scripts
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Christopher Meng
Fedora Extras Quality Assurance
:
Depends On: 1197886
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-12 16:54 EDT by Sebastian Dyroff
Modified: 2016-08-03 17:03 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
i: fedora‑review?


Attachments (Terms of Use)

  None (edit)
Description Sebastian Dyroff 2014-03-12 16:54:05 EDT
Spec URL: http://dyroff.org/fcgiwrap.spec
SRPM URL: http://dyroff.org/fcgiwrap-1.1.0-1.fc20.src.rpm
Description: Fcgiwrap is a simple server for running CGI applications over FastCGI. It hopes
to provide clean CGI support to Nginx (and other web servers that may need it).
Fedora Account System Username: sdyroff
Comment 1 Christopher Meng 2014-03-21 05:44:30 EDT
1. No systemd unit file, please write one.

2. %_sbindir/*
%_datadir/man/man8/*

%_sbindir --> %{_sbindir}
%_datadir/man/man8 --> %{_mandir}/man8
Comment 2 Justin Zhang 2014-04-27 11:27:11 EDT
Hi Christopher,
  What a coincidence, I just made the spec file for fcgiwrap around April 20.

  Mine version include the systems unit files. And the %file section is specified using the right style as you requested. It also builds the RPM correctly on non-systemd OS.
  The location of SRPM: https://github.com/schnell18/packaging/blob/master/fcgiwrap/fcgiwrap-1.1.0-1.fc20.src.rpm

  The spec file: https://raw.githubusercontent.com/schnell18/packaging/master/fcgiwrap/fcgiwrap.spec

  Since Sebastian Dyroff does not look active, can you look at my work? My work passed the koji build against both f20(http://koji.fedoraproject.org/koji/taskinfo?taskID=6787143) and f21(http://koji.fedoraproject.org/koji/taskinfo?taskID=6787147). 

  Thanks!
Comment 3 Christopher Meng 2014-04-27 11:41:33 EDT
(In reply to Justin Zhang from comment #2)

No. Your spec doesn't match the guideline.

Thank you anyway.
Comment 4 Justin Zhang 2014-04-27 11:49:43 EDT
Hi Christopher,
  Thanks for quickly response!

  This is my first attempt to submit an RPM spec file to Fedora.
  Do you wish I fix the spec or just wait for Sebastian Dyroff's response?

  Thank you!
Comment 5 Christopher Meng 2014-04-27 21:34:47 EDT
(In reply to Justin Zhang from comment #4)
>   This is my first attempt to submit an RPM spec file to Fedora.
>   Do you wish I fix the spec or just wait for Sebastian Dyroff's response?

I have no interests of reviewing anything except from the submitter, and my suggestion is that do not reinvent the wheel unless it's a dire need, save your time.
Comment 6 Justin Zhang 2014-04-28 00:24:52 EDT
Hi Christopher,
  It's not re-inventing the wheel. It's just trying to contribute to help move this issue forward. I think this is beneficial to the fedora project.

  Maybe let's contact Sebastian Dyroff to see if he can expedite the fix and if he would accept some of ideas of my implementation.

  Thanks!
Comment 7 Christopher Meng 2014-04-28 06:59:09 EDT
(In reply to Justin Zhang from comment #6)
> Hi Christopher,
>   It's not re-inventing the wheel. It's just trying to contribute to help
> move this issue forward. I think this is beneficial to the fedora project.
> 
>   Maybe let's contact Sebastian Dyroff to see if he can expedite the fix and
> if he would accept some of ideas of my implementation.
> 
>   Thanks!

We have many bugs like this, not stalled tickets, but the reporter is busy or because of something else.

Please don't ask me to do anything here anymore. 

Thanks.
Comment 8 Sebastian Dyroff 2014-04-29 03:36:03 EDT
Hi,

sorry I was busy with other work. I will take a look at the issues this evening. Any suggestions about what user should run fcgi-wrap? Personally I am using spawn-fcgi to spawn the fcgi-wrap service.
Comment 9 Justin Zhang 2014-04-29 09:17:24 EDT
Hi Sebastian,
  The spawn-fcgi is no longer necessary on Fedora. The systemd socket activation is a good replacement for spawn-fcgi. The upstream already has the right unit files included under the systemd sub directory. You need package these files to make it included in the RPM.
The upstream build script already copes the unit files into %{build root}. You can package simply by list them in the %file like:

    %{_unitdir}/*.service
    %{_unitdir}/*.socket

  Regarding the user to run fcgiwrap, the default user is 'http' from upstream. Probably 'nobody' is a better choice as it is a pre-defined user on Fedora. But I think the administrators is in better position to determine the right user to run fcgiwrap. And they can customize it by coping the /lib/systemd/system/fcgiwrap.service to /etc/systemd/system/ and changing "User" and "Group" as they see fit.

My personal experience is to run fcgiwrap using 'git' on a server that hosts our company's Git repositories. This significantly simplifies the permission setup of Git repository.
Comment 10 Justin Zhang 2014-04-29 09:17:54 EDT
Hi Sebastian,
  The spawn-fcgi is no longer necessary on Fedora. The systemd socket activation is a good replacement for spawn-fcgi. The upstream already has the right unit files included under the systemd sub directory. You need package these files to make it included in the RPM.
The upstream build script already copes the unit files into %{build root}. You can package simply by list them in the %file like:

    %{_unitdir}/*.service
    %{_unitdir}/*.socket

  Regarding the user to run fcgiwrap, the default user is 'http' from upstream. Probably 'nobody' is a better choice as it is a pre-defined user on Fedora. But I think the administrators is in better position to determine the right user to run fcgiwrap. And they can customize it by coping the /lib/systemd/system/fcgiwrap.service to /etc/systemd/system/ and changing "User" and "Group" as they see fit.

My personal experience is to run fcgiwrap using 'git' on a server that hosts our company's Git repositories. This significantly simplifies the permission setup of Git repository.
Comment 11 Christopher Meng 2014-08-04 05:46:12 EDT
ping.
Comment 12 Sebastian Dyroff 2014-08-05 03:17:56 EDT
Sorry for the long delay. I am still working on this. I couldn't get socket activation working for the systemd unit file, so I have to look deeper into this.
Comment 13 Sebastian Dyroff 2014-08-05 03:18:46 EDT
Sorry for removing the needinfo flag...
Comment 14 Sebastian Dyroff 2015-03-03 06:18:46 EST
Hey just a short info. I am still working on it, when I have time. The systemd unit files are now included, but it is neccessary to write an selinux module to use the systemd socket by any webserver. While creating the module, I stumbled over the following behaviour https://bugzilla.redhat.com/show_bug.cgi?id=1197886. I will continue, if this issue is resolved.
Comment 15 Juan Orti 2015-05-30 12:17:59 EDT
Hi, could you publish your spec file again? the link is dead and I'd like to build it.

Thank you.
Comment 16 Juan Orti 2015-05-31 13:56:08 EDT
(In reply to Sebastian Dyroff from comment #14)
> Hey just a short info. I am still working on it, when I have time. The
> systemd unit files are now included, but it is neccessary to write an
> selinux module to use the systemd socket by any webserver. While creating
> the module, I stumbled over the following behaviour
> https://bugzilla.redhat.com/show_bug.cgi?id=1197886. I will continue, if
> this issue is resolved.

I've build fcgiwrap on my own, and it's working fine using systemd socket activation. Maybe the problem you comment is already solved.
Are you still interested in pushing this forward? I can help comaintaining if you wish.

This is my version of the spec file and a copr with it:
https://jorti.fedorapeople.org/fcgiwrap/
https://copr.fedoraproject.org/coprs/jorti/fcgiwrap/
Comment 17 Sebastian Dyroff 2015-05-31 16:22:16 EDT
First of all, I really appreciate any help to get this done. Sorry, I am very busy with non fedora related things.

I tested your version, and it did not work for me. The fcgiwrap.service file requires a user http that does not exist on a system without apache installed and fails to start. Also I did not see any selinux rules. By default, the selinux policy forbids the webserver to connect to the fcgiwrap socket(I could not test this step with your version, because it didn't start on the cloud image).

Steps I did for installing:

- Used a fedora 21 cloud base image (Sorry do not have a 22 for now) 
- installed your copr repo with dnf
- installed your fcgiwrap package with dnf
- started the fcgiwrap socket with systemctl
- started the fcgiwrap service with systemctl

log output was:

$ sudo systemctl status fcgiwrap
● fcgiwrap.service - Simple CGI Server
   Loaded: loaded (/usr/lib/systemd/system/fcgiwrap.service; static)
   Active: failed (Result: exit-code) since Sun 2015-05-31 19:49:22 UTC; 8min ago
  Process: 1003 ExecStart=/usr/sbin/fcgiwrap (code=exited, status=217/USER)
 Main PID: 1003 (code=exited, status=217/USER)

May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Starting Simple CGI Server...
May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Started Simple CGI Server.
May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: fcgiwrap.service: main process exited, code=exited, status=217/USER
May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: Unit fcgiwrap.service entered failed state.
May 31 19:49:22 fcgiwrap-test.localdomain systemd[1]: fcgiwrap.service failed.

I uploaded my intermediate version of the spec file here:
http://www.dyroff.net/fedora/fcgiwrap.tar.bz2

If you want to continue working on my spec file, we should setup a git repo to cordinate and bring it in shape.
Comment 18 Juan Orti 2015-06-01 06:00:16 EDT
I have no SELinux problems with the units shown below, just write the socket to /run/nginx or elsewhere already covered by the policy.

Anyway, I agree that we should patch the provided units to work out of the box.

# /etc/systemd/system/gitweb.socket
[Unit]
Description=GitWeb socket

[Socket]
SocketMode=0600
SocketUser=nginx
SocketGroup=nginx
ListenStream=/run/nginx/gitweb.sock

[Install]
WantedBy=sockets.target

# /etc/systemd/system/gitweb.service
[Unit]
Description=GitWeb service

[Service]
ExecStart=/usr/sbin/fcgiwrap
User=apache
Group=apache

Note You need to log in before you can comment on or make changes to this bug.