debs run redishappy as root by default

mdevilliers / redishappy

Redis Sentinel high availabillity daemon

Apache License 2.0

114 stars 23 forks source link

debs run redishappy as root by default #31

Closed dominics closed 9 years ago

dominics commented 9 years ago

If you're only supporting upstart >= 1.4, you can use setuid/setgid. Otherwise, you could be using start-stop-daemon to switch to a less privileged user.

(I'm replacing the upstart script post-deb-install via Puppet, so not blocking me.)

mdevilliers commented 9 years ago

Hey

It is only the redishappy-haproxy application that runs as root.

We found it needed to run as root to interact with haproxy specifically rewrite the haproxy config file and also to reload the config.

It is possible to run HAProxy as a non root account - I believe the only proviso is not being able to bind to lower range ports. However I was unable to get this to work but it sounds like you are able to do it

If this is something you can help with I would really appreciate it?

Mark

dominics commented 9 years ago

I'm using redishappy-consul, so no issues with low-numbered ports there (it uses 8300-8600 roughly), and it doesn't need root to flip the Consul data.

Happy to help, but it might take a little while until I get around to it. At this stage, it looks like the hard bit will be convincing FPM to generate packages that create a system user (e.g. https://github.com/jordansissel/fpm/issues/831). Editing the upstart script is easy enough, but I don't think we should run as any of the built-in system users.

dominics commented 9 years ago

Wow, OK, so the pre-install already ensures the user is there? Should just be adding the setuid/setgid for the redishappy-consul upstart service, and then making sure the log/lib dir is writable by that user.

dominics commented 9 years ago

Code attached :+1:

mdevilliers commented 9 years ago

Coolio - I've merged this in and tweaked the username. I've tested it using the vagrant build and it looks like it works.

If you could give it the once over and confirm I'll close of the ticket.

Thanks again for your help,

Mark

dominics commented 9 years ago

Looks good to me. If we're going with a redishappy group as well, we should tweak the setgid to be redishappy (currently still haproxy): https://github.com/mdevilliers/redishappy/blob/master/build/deb_upstart/redishappy-consul-service#L11

Otherwise, cool to close.

mdevilliers commented 9 years ago

All done.

It would be cool if in the future you could give us some feedback on any production issues you find - we are still at the stage of "it works for us" but it would be great to find out if it is generally useful.

Feel free to email me - markdevilliers at gmail dot com.

Thanks again,

Mark