[Kimchi-devel] [PATCH 0/4] Github #329: "YOU SHALL NOT ... run as root!"

Daniel Barboza danielhb at linux.vnet.ibm.com
Mon Apr 7 19:55:35 UTC 2014


From: Daniel Henrique Barboza <danielhb at linux.vnet.ibm.com>

This patch series revamps the launch architecture to allow kimchi 
to not run as root while being exposed at an open http/https port.

The solution adopted is using a reverse http proxy (nginx) to make
the 'bridge' between two distinct cherrypy processes, one running
as frontend as a regular user and another running as backend, as root.
The communication with the outside will be done through nginx, running
as a regular user too.

The changes were heavy in the kimchid script, but the startup and
usage options are still the same. User-wise, there shouldn't be any
functional change in the way kimchi works after applying this change.

Refer to https://github.com/kimchi-project/kimchi/issues/329 for
further information on all the other approaches considered and why
they didn't work out.

Daniel Henrique Barboza (4):
  Github #329: kimchid script changes
  Github #329: new launch script and proxy template
  Github #329: server, root and utils changes
  Github #329: config.py.in, spec, readme and makefile changes

 .gitignore                    |   2 +
 contrib/kimchi.spec.fedora.in |   5 +-
 contrib/kimchi.spec.suse.in   |   3 +
 docs/README.md                |   4 +-
 src/Makefile.am               |   9 +-
 src/kimchi/config.py.in       |   9 +-
 src/kimchi/root.py            |   6 +-
 src/kimchi/server.py          | 100 ++++++++++++---------
 src/kimchi/utils.py           |  42 ++++++++-
 src/kimchid.in                | 202 ++++++++++++++++++++++++++++++++++++------
 src/kimchid_server.in         |  45 ++++++++++
 src/nginx.conf.in             |  69 +++++++++++++++
 12 files changed, 418 insertions(+), 78 deletions(-)
 create mode 100644 src/kimchid_server.in
 create mode 100644 src/nginx.conf.in

-- 
1.8.3.1



