Friday, March 30, 2018

Wildfly file upload and download with Primefaces

Sample application available here https://github.com/vernetto/pffile

https://www.primefaces.org/docs/api/6.2/org/primefaces/model/UploadedFile.html


https://stackoverflow.com/a/8880083/651288 read BalusC comments


in pom.xml add this:
<dependency>
 <groupId>commons-fileupload</groupId>
 <artifactId>commons-fileupload</artifactId>
 <version>1.3</version>
</dependency>
<dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
 <version>2.2</version>
</dependency>

in web.xml add this:

<filter>
    <filter-name>PrimeFaces FileUpload Filter</filter-name>
    <filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>PrimeFaces FileUpload Filter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>



If you get this error:

io.undertow.server.RequestTooBigException: UT000020: Connection terminated as request was larger than 10485760

change the max-post-size parameter:

Configuration: Subsystems Subsystem: Web/HTTP - Undertow Settings: HTTP


<subsystem xmlns="urn:jboss:domain:undertow:5.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-post-size="1000000000" redirect-socket="https" enable-http2="true"/>


Missing features: enable streaming for large files, show progress bar




Wednesday, March 28, 2018

Nexus 3 as a Docker GROUP around a proxy and 2 hosted repos

We want to provide this setup:

dockergroup repository, "covering" a dockerproxy repo (proxy to docker hub) and 2 hosted repos

Each repo will have its own http port!

1) create these blob stores dockergroup, dockerproxy, dockerhosted1, dockerhosted2 (it's better to have a separate blob store per repo.... beware, the dockergroup blobstore will always stay empty, all the actual store is done in the proxy and hosted repos)

2) create repo dockerproxy,format docker, HTTP port 8084, HTTPS 8484, Enable Docker V1 API, remote storage https://registry-1.docker.io , Docker Index "User Docker Hub"

3) create repo dockerhosted1 (blob dockerhosted1, port http 8082 https 8482) and dockerhosted2 (blob dockerhosted2 port http 8083 https 8483)

4) create repo dockergroup (blob dockergroup, http 8085 https 8485) with members dockerproxy, dockerhosted1, dockerhosted2


Now when you want to PULL images, you should login into dockergroup (8085) or into dockerproxy (8084).
To PUSH images to your HOSTED, you have to login directly into the dockerhosted1 (8082) or dockerhosted2 (8083). PUSHing to the dockergroup will not work, he has no means to ROUTE the image to dockerhosted1 or dockerhosted2 based on some rule.... This is quite a pity indeed, it would be nice if a group had some routing facilities.



Nexus repository administration automation

On the whole, it doesn't seem Sonatype is taking it very seriously. As usual, documentation is scattered everywhere, some automation tools exist but who knows if they are even supported. I think most users simply do everything manually in the Nexus web console :o((((

http://localhost:8081/swagger-ui was working in 3.5 , now in 3.9 you must enter http://localhost:8081/swagger-ui/#/ (see https://issues.sonatype.org/browse/NEXUS-13948 )

If you want to automate the creation of repositories, swagger exposes you only "list repos" http://localhost:8081/swagger-ui/#!/repositories/getRepositories

Interesting articles :

https://dzone.com/articles/automated-setup-of-a-repository-manager

https://help.sonatype.com/repomanager3/rest-and-integration-api

Generic nexus-cli to manage Nexus in Groovy scripts https://github.com/RiotGamesMinions/nexus_cli

Interesting nexus-cli to manage Docker images in Nexus https://github.com/mlabouardy/nexus-cli



Sunday, March 25, 2018

h2 remote

./h2.sh -tcpAllowOthers -webAllowOthers


Web Console server running at http://localhost:8082 (others can connect)
Failed to start a browser to open the URL http://localhost:8082: Browser detection failed and system property h2.browser not set
TCP server running at tcp://localhost:9092 (others can connect)
PG server running at pg://localhost:5435 (only local connections)


At this point you can connect remotely to the console (even if it says "localhost") and you can specify a remote tcp url in your datasource:

jdbc:h2:tcp://YOURIP:9092/~/YOURDB;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE

When using h2, don't forget to use

<property name="hibernate.dialect" value="org.hibernate.dialect.H2Dialect"/>

in your persistence.xml
(see http://www.mastertheboss.com/jboss-server/jboss-datasource/h2-database-tutorial )


VirtualBox Centos7 high CPU for VBoxClient process

The issue is reported here https://forums.virtualbox.org/viewtopic.php?f=6&t=83507

Occasionally the VBoxClient eats 100% CPU forever - which affects greatly also the host performance - and the only way to stop it is to shut down the VM.

I have: disabled drag-and-drop, disabled shared folder and simply "kill -9" the process - this seems to cause no side effects.



Installing Docker Java and Wildfly on DigitalOcean Centos7 droplet


https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-centos-7

https://devops.profitbricks.com/tutorials/how-to-install-and-configure-wildfly-application-server-on-centos-7/


Login as root

yum check-update
curl -fsSL https://get.docker.com/ | sh
sudo usermod -aG docker centos
sudo systemctl start docker
sudo systemctl status docker
sudo systemctl enable docker
#make sure that user centos exists
sudo su - centos // then exit
#download and copy here the jdk
tar -xzvf jdk-8u161-linux-x64.tar.gz -C /opt/
alternatives --install /usr/bin/java java /opt/jdk1.8.0_161/bin/java 2
alternatives --config java
alternatives --install /usr/bin/jar jar /opt/jdk1.8.0_161/bin/jar 2
alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_161/bin/javac 2
alternatives --set jar /opt/jdk1.8.0_161/bin/jar
alternatives --set javac /opt/jdk1.8.0_161/bin/javac
java -version

vi /etc/profile.d/java.sh

if ! echo ${PATH} | grep -q /opt/jdk1.8.0_161/bin ; then
   export PATH=/opt/jdk1.8.0_161/bin:${PATH}
fi
if ! echo ${PATH} | grep -q /opt/jdk1.8.0_161/jre/bin ; then
   export PATH=/opt/jdk1.8.0_161/jre/bin:${PATH}
fi
export JAVA_HOME=/opt/jdk1.8.0_161
export JRE_HOME=/opt/jdk1.8.0_161/jre
export CLASSPATH=.:/opt/jdk1.8.0_161/lib/tools.jar:/opt/jdk1.8.0_161/jre/lib/rt.jar

vi /etc/profile.d/java.csh

if ( "${path}" !~ */opt/jdk1.8.0_161/bin* ) then
   set path = ( /opt/jdk1.8.0_161/bin $path )
endif
if ( "${path}" !~ */opt/jdk1.8.0_161/jre/bin* ) then
    set path = ( /opt/jdk1.8.0_161/jre/bin $path )
endif
setenv JAVA_HOME /opt/jdk1.8.0_161
setenv JRE_HOME /opt/jdk1.8.0_161/jre
setenv CLASSPATH .:/opt/jdk1.8.0_161/lib/tools.jar:/opt/jdk1.8.0_161/jre/lib/rt.jar



chmod 755 /etc/profile.d/java.sh
chmod 755 /etc/profile.d/java.csh
curl -O http://download.jboss.org/wildfly/10.1.0.Final/wildfly-10.1.0.Final.zip
yum install unzip
unzip wildfly-10.1.0.Final.zip -d /opt/
#set JBOSS_HOME and JAVA_HOME
vi /opt/wildfly-10.1.0.Final/bin/standalone.conf
#set JBOSS_HOME and JAVA_HOME
vi /etc/profile
#set the right IP address
vi /opt/wildfly-10.1.0.Final/standalone/configuration/standalone.xml
cd /opt/wildfly-10.1.0.Final/bin/
./add-user.sh

chown -R centos:centos /opt/wildfly-10.1.0.Final/

su - centos
#start wildfly
cd /opt/wildfly-10.1.0.Final/bin
./standalone.sh



Create these entries in your /home/centos/.bash_profile

export WF_BIN=/opt/wildfly-10.1.0.Final/bin/
export WF_DEP=/opt/wildfly-10.1.0.Final/standalone/deployments/
export WF_TMP=/opt/wildfly-10.1.0.Final/standalone/tmp/
export WF_LOG=/opt/wildfly-10.1.0.Final/standalone/log/
alias STARTWF="cd $WF_BIN; nohup ./standalone.sh 2>&1 > standalone.log &"








Saturday, March 24, 2018

Maven/Eclipse Horror Show

I have updated recently my Maven binaries, of course I forgot to change The "User Settings" property in Eclipse to point to the new location of the settings.xml.

Of course Eclipse silently fails to report the issue (unless you go and open the Maven tab in Preferences)

And all of a sudden nothing works and when I open my pom.xml I get this:

Project build error: Non-resolvable parent POM for org.wildfly.quickstarts:quickstart-parent:13.0.0-SNAPSHOT: Could not transfer artifact org.jboss:jboss-parent:pom:25 from/to jboss-enterprise-maven-repository (https://maven.repository.redhat.com/ga/): NullPointerException and 'parent.relativePath' points at no local POM


Working with Maven and Eclipse I feel young again.... it feels like the 1985 - actually my Pascal compiler on Apple II was far more sophisticated that these modern products.




Thursday, March 22, 2018

WinSCP plugin for Far Manager no longer supported

I love Far Manager for its very quick, keyboard driven interface. It has been my favorite workhorse for at least 15 years.

Now unfortunately I can no longer use it to connect to a Centos VB with WinSCP plugin, I keep getting:

"expected key exchange group packet from server"

I discovered that now it's replaced by NetBox plugin:

https://github.com/michaellukashov/Far-NetBox/releases/download/v2.4.3.512/FarNetBox-2.4.3_Far3_x64.7z


Just do F11 (Plugin) , Netbox and you connect on port 2222 (forwarding of port 22 in VirtualBox) with centos/centos

Excellent!


Using Nexus 3 as a Docker registry Proxy

http://books.sonatype.com/nexus-book/3.0/reference/docker.html#docker-proxy


If you are behind a firewall, you need to open :

https://registry-1.docker.io
https://index.docker.io/


As explained here https://hub.docker.com/r/sonatype/nexus3/ I run

docker run -d -p 8081:8081 -p 8082:8082 --name nexus sonatype/nexus3

You can open http://localhost:8081/ and login as admin/admin123

At this point, Docker is still not setup in Nexus:

In Nexus console, create a new Docker Proxy repo name "dockerproxy" , URL "https://registry-1.docker.io", Docker index "use docker hub". Also, "enable docker v1 api" checkbox. Choose port HTTP 8082 (it will accept logins only on port 8082, not on 8081!)

You should be able to see its (empty for now) index here http://localhost:8081/service/rest/repository/browse/dockerproxy/

To configure your docker engine to communicate to the registry:

sudo vi /etc/docker/daemon.json

Add this line:

{"insecure-registries" : [ "localhost:8081", "localhost:8082" ]}

Restart Docker Daemon:

sudo systemctl daemon-reload

sudo systemctl restart docker



WRONG:
docker login localhost:8081

Username: admin
Password:
Error response from daemon: login attempt to http://localhost:8081/v2/ failed with status: 404 Not Found


RIGHT:
docker login localhost:8082

Username: admin
Password:
Login Succeeded







Tag and push your first image:

#check your local images

docker images

#log into nexus registry

docker --debug=true login localhost:8082 -u admin -p admin123

sudo docker run localhost:8082/hello-world


You can also create a hosted Docker repository, better if you create a user pippo/pippo and give it access to the Repository,

then "docker login localhost:8082 -u pippo -p pippo" and to push something
docker tag <image>:<tag> localhost:8082/<image>:<tag> #example: docker tag service:1.2 localhost:8082/service:1.2

#push your tagged image to nexus
docker push localhost:8082/service:1.2

Troubleshooting:

Check what happens in nexus, in request.log (in /nexus-data/log) I see all HTTP requests issued by docker:

172.17.0.1 - - [21/Mar/2018:10:28:19 +0000] "GET /v2/ HTTP/1.1" 404 1783 8 "docker/18.03.0-ce-rc4 go/go1.9.4 git-commit/fbedb97 kernel/3.10.0-693.21.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/18.03.0-ce-rc4 \(linux\))"




Wednesday, March 21, 2018

Downgrade from Docker 18 to Docker 1.12

sudo yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
yum list installed | grep docker

THIS IS NOT WORKING (it installs Docker 18 !!!)

sudo yum -y update
sudo yum -y install yum-utils
sudo yum-config-manager --add-repo https://yum.dockerproject.org/repo/main/centos/7
sudo yum -y update
# yum search --showduplicates docker-engine
sudo yum -y --nogpgcheck install docker-engine-1.12.6-1.el7.centos.x86_64
sudo systemctl enable docker
sudo systemctl start docker
yum list installed | grep docker
docker version



THIS IS WORKING
sudo yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
yum list installed | grep docker
sudo yum install -y libtool-ltdl libseccomp
mkdir docker
cd docker
wget https://yum.dockerproject.org/repo/main/centos/7/Packages/docker-engine-1.12.6-1.el7.centos.x86_64.rpm https://yum.dockerproject.org/repo/main/centos/7/Packages/docker-engine-selinux-1.12.6-1.el7.centos.noarch.rpm
wget https://yum.dockerproject.org/repo/main/centos/7/Packages/docker-engine-1.12.6-1.el7.centos.x86_64.rpm \
sudo rpm -ivh docker-engine-1.12.6-1.el7.centos.x86_64.rpm docker-engine-selinux-1.12.6-1.el7.centos.noarch.rpm
yum list installed | grep docker
sudo systemctl start docker
sudo systemctl enable docker
docker version




Upgrade docker to version 18 on Centos

For stability love I was sticking to docker 1.12....
Several new features are interesting, so I am upgrading...
This link https://docs.docker.com/install/linux/docker-ce/centos/#set-up-the-repository
is really useful

This is what I have done:

docker version
sudo yum remove docker docker-common docker-selinux docker-engine
sudo yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum-config-manager --enable docker-ce-edge
sudo yum-config-manager --enable docker-ce-test
sudo yum install docker-ce
docker version




Client:
Version: 18.03.0-ce-rc4
API version: 1.37
Go version: go1.9.4
Git commit: fbedb97
Built: Thu Mar 15 07:40:24 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?



oops I forgot to start and enable:

sudo systemctl start docker
sudo systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.


docker version

Client:
Version: 18.03.0-ce-rc4
API version: 1.37
Go version: go1.9.4
Git commit: fbedb97
Built: Thu Mar 15 07:40:24 2018
OS/Arch: linux/amd64
Experimental: false
Orchestrator: swarm

Server:
Engine:
Version: 18.03.0-ce-rc4
API version: 1.37 (minimum version 1.12)
Go version: go1.9.4
Git commit: fbedb97
Built: Thu Mar 15 07:44:03 2018
OS/Arch: linux/amd64
Experimental: false



sudo systemctl status docker

[sudo] password for centos:
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-03-21 09:58:07 CET; 1h 25min ago
Docs: https://docs.docker.com
Main PID: 19616 (dockerd)
Tasks: 47
Memory: 55.7M
CGroup: /system.slice/docker.service
├─19616 /usr/bin/dockerd
├─19631 docker-containerd --config /var/run/docker/containerd/containerd.toml
├─20235 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.17.0.2 -container-port 8081
└─20241 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/d510b3bfdff1a6ff247d08f101c463fa2c496ea52ff6f822c5cc8736b8d04b81 -addre...

Mar 21 09:58:04 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:04.569448393+01:00" level=info msg="[graphdriver] using prior storage driver: devicemapper"
Mar 21 09:58:05 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:05.554399630+01:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
Mar 21 09:58:05 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:05.559942092+01:00" level=info msg="Loading containers: start."
Mar 21 09:58:06 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:06.971793300+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon opti...d IP address"
Mar 21 09:58:07 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:07.568225034+01:00" level=info msg="Loading containers: done."
Mar 21 09:58:07 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:07.634962555+01:00" level=info msg="Docker daemon" commit=fbedb97 graphdriver(s)=devicemapper version=18.03.0-ce-rc4
Mar 21 09:58:07 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:07.635202601+01:00" level=info msg="Daemon has completed initialization"
Mar 21 09:58:07 localhost.localdomain dockerd[19616]: time="2018-03-21T09:58:07.682479847+01:00" level=info msg="API listen on /var/run/docker.sock"
Mar 21 09:58:07 localhost.localdomain systemd[1]: Started Docker Application Container Engine.
Mar 21 10:04:44 localhost.localdomain dockerd[19616]: time="2018-03-21T10:04:44+01:00" level=info msg="shim docker-containerd-shim started" address="/containerd-shim/moby/d510b3bfdff1a6ff247d08f1...ks" pid=20241
Hint: Some lines were ellipsized, use -l to show in full.






Friday, March 16, 2018

Jenkins pipelines

https://www.youtube.com/watch?v=TsWkZLLU-s4&t=1188s


https://github.com/abayer/dec-jam-declarative-demos

http://www.mdoninger.de/2011/11/07/write-groovy-scripts-for-jenkins-with-code-completion.html Jenkins code completion in Eclipse (doh! Who would have thought of using a IDE to write code! The new frontier is write pipeline code in a browser on a github tab.... next they will ask you to write pcode in hex format... then we will eat bananas on trees again)


picture 1: Jenkins developers discussing the use of Notepad to improve coding experience



picture 2: Jenkins developers celebrate their first successful Scripted pipeline


picture 3: Jenkins developers discover IDE

Thursday, March 15, 2018

/var/run/docker.sock

ls -ltra /var/run/docker.sock
srw-rw----. 1 root docker 0 Feb 12 15:49 /var/run/docker.sock



https://www.gnu.org/software/coreutils/manual/html_node/What-information-is-listed.html#What-information-is-listed "s" stands for Unix socket

Communication between a Docker container and Docker daemon can happen via this socket (see Portainer and "docker in docker"


https://medium.com/lucjuggery/about-var-run-docker-sock-3bfd276e12fd
excellent explanation of the /var/run/docker.sock


This REST call via /var/run/docker.sock will create a cointainer:

docker pull nginx:latest
curl -H "Content-Type: application/json" -X POST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' http://localhost/containers/create

amazing!


This PRICELESS command, run on the host, can trace all the events handled by the docker daemon:

curl --unix-socket /var/run/docker.sock http://localhost/events



Jenkins console

interesting presentation (skip first 9 minutes)



Scripts:

println "I hacked you"
new File('/etc/passwd').text


println "${Jenkins.instance.root}"

"ls -ltr /".execute().text

Jenkins.getInstance().metaClass.methods*.name.sort().unique()


on Jenkins CLI https://wiki.jenkins.io/display/JENKINS/Jenkins+CLI

the scripts by Sam https://github.com/samrocketman/jenkins-script-console-scripts

https://github.com/jenkinsci/jenkins-scripts


http://groovy-lang.org/learn.html

https://wiki.jenkins.io/display/JENKINS/Jenkins+Script+Console

Sunday, March 11, 2018

dind docker in docker , permission denied on /var/run/docker.sock



Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.33/version: dial unix /var/run/docker.sock: connect: permission denied

ls -alh /var/run/docker.sock
srw-rw----. 1 root docker 0 Mar 11 15:45 /var/run/docker.sock


doing "chmod 777 /var/run/docker.sock" doesn't help


on the host:

docker version
Client:
Version: 1.12.6
API version: 1.24


in the container:

docker version
Client:
Version: 17.10.0-ce
API version: 1.33



The problem went away by installing on the host the latest docker version as per https://docs.docker.com/install/linux/docker-ce/centos/#install-using-the-convenience-script

Thursday, March 1, 2018

SELinux

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-introduction#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux


Priceless wiki https://wiki.centos.org/HowTos/SELinux

#disable DAC (must be root), will only log rule violations
setenforce 0
#enable it
setenforce 1
#check
getenforce

#display info
sestatus
cat /etc/selinux/config

DAC and MAC (discretionary and mandatory access control). First DAC is applied, then MAC (if DAC succeeds).
#list user, role, type, level
ls -Z myfile


Access Vector Cache (AVC)

#view SELinux-Linux user mappings
semanage login -l

#view the SELinux context for processes
ps -eZ


#view SELinux context associated to your user
id -Z

#label a file with a type (transient)
chcon -t

#permanent relabeling of file
semanage

#restore default context for process
restorecon


In Apache, if you get this:

[Tue Feb 27 14:11:52.105495 2018] [core:error] [pid 41356] (13)Permission denied: [client 1.2.3.4:55713] AH00035: access to /index.html denied (filesystem path '/path/to/home') because search permissions are missing on a component of the path

try

ps -efZ | grep http


and check the httpd process, on which TYPE (httpd_t) it's running:

system_u:system_r:httpd_t:s0 root 37203 1 0 Feb28 ? 00:00:03 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 37206 37203 0 Feb28 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND


then you have to change the type of your file to be served

ls -Z /path/to/index.html
-rw-r--r--. admrun admrun unconfined_u:object_r:default_t:s0 /path/to/index.html

then you do

chcon -t httpd_t /path/to/index.html

if you get

chcon: failed to change context of "/path/to/myfile" to "˜unconfined_u:object_r:httpd_t:s": Permission denied

it's because httpd_t is a PROCESS type, not a FILE type ( see http://danwalsh.livejournal.com/54803.html )


see here https://linux.die.net/man/8/httpd_selinux complete documentation of types


However it's better to change the context for the folder rather than for the individual files:


# semanage fcontext -a -t httpd_sys_content_t "/path/to(/.*)?"
# restorecon -R -v /path/to




see also "man semanage-fcontext" and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-selinux_contexts_labeling_files-persistent_changes_semanage_fcontext


in Puppet (pueah) you can use https://github.com/voxpupuli/puppet-selinux and a clause like:


selinux::fcontext { '/path/to':
path => '/path/to(/.*)?',
setype => 'httpd_sys_content_t',
}