From: Ken Dreyer <kdreyer@redhat.com>
To: Sage Weil <sweil@redhat.com>, danny.al-gaaf@bisect.de
Cc: ceph-devel@vger.kernel.org, ceph-maintainers@ceph.com
Subject: Re: running daemons as user/group ceph
Date: Fri, 24 Apr 2015 15:04:59 -0600
Message-ID: <553AAFFB.4070808@redhat.com>
In-Reply-To: <alpine.DEB.2.00.1504241037370.5458@cobra.newdream.net>
On 04/24/2015 11:37 AM, Sage Weil wrote:
> -- Logs --
>
One other thing in addition to the log directory is the socket directory
permissions (/var/run/ceph). The ceph UID will need to write there, right?
In newer distros with systemd, /var/run is on tmpfs so we use this
tmpfiles.d snippet to be sure the directory is there in /var/tmpfs after
every boot:
https://github.com/ceph/ceph/blob/master/systemd/ceph.tmpfiles.d
The snippet currently creates the directory as root-owned, and I imagine
we'd want to change that to the ceph UID instead?
> -- systemd --
>
> Most of the daemons can just get the User=ceph and Group=ceph lines in the
> unit files. The OSD is tricky, though, since we want the prestart script
> to run as root so that it can chown the disk contents if necessary. We
> have two options, I think:
>
> 1) run prestart and ceph-osd as root, and add a ceph daemon arg to drop
> privileges and setuid.
>
> 2) add a sudo rule so that the ceph user can run the chown command from
> prestart. (This seems more dangerous.)
I agree sudo sounds more dangerous, and it'll also be more complex to
implement in the packaging.
Would it be possible to use Apache's model, where it does the bare
minimum set of things it needs as root (binding to port 80, etc), and
then drops privileges thereafter?
If the OSD had this ability built-in, then it could run in minimal
environments like containers where sudo is not present, etc.
- Ken
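The "Apache model" Ken asks about, written out as an added example in C (the OSD itself is C++, but the system-call sequence is the same). This is illustrative code, not the Ceph project's own implementation; the account name "ceph", the socket directory /var/run/ceph and the helper names are assumptions. It does the root-only work first (create the runtime directory, chown it to the daemon's uid/gid, as a tmpfiles.d entry or prestart script would), then drops groups, gid and uid in that order and refuses to continue unless the drop is verified to be irreversible.

```c
/* Added example (not Ceph project code): the "Apache model" for a daemon
 * started as root by systemd. Do the privileged setup first, then drop to
 * an unprivileged uid/gid in the right order and verify it cannot be undone.
 * The user name "ceph" and the directory path are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Privileged setup step: make sure a directory such as /var/run/ceph exists
 * and is owned by the daemon's uid/gid with the given mode. Run this while
 * still root (the same job the OSD prestart script does for disk contents). */
int ensure_dir_owned(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {      /* refuse to chown a symlink or a file */
        errno = ENOTDIR;
        return -1;
    }
    if (chown(path, uid, gid) != 0)  /* hand the directory to the daemon */
        return -1;
    if (chmod(path, mode) != 0)      /* mkdir's mode was masked by umask */
        return -1;
    return 0;
}

/* Drop privileges permanently. Order matters: supplementary groups, then
 * primary gid, then uid. Changing uid first would leave us unable to change
 * groups. setgroups() needs CAP_SETGID, so it is only attempted as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took: effective ids match the target and root cannot be
 * regained. Returns 1 when fully unprivileged, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (geteuid() != uid || getegid() != gid)
        return 0;
    if (uid == 0)
        return 0;
    /* A saved set-uid of 0 would let this succeed; it must fail with EPERM. */
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Resolve an account name to uid/gid; returns 0 on success. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    const char *user = "ceph";            /* assumed daemon account */
    const char *rundir = "/var/run/ceph"; /* assumed socket directory */

    if (lookup_user(user, &uid, &gid) != 0) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    /* Root-only work first. */
    if (ensure_dir_owned(rundir, uid, gid, 0750) != 0) {
        perror(rundir);
        return 1;
    }
    /* Then drop, and refuse to serve if the drop did not fully take. */
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        fprintf(stderr, "failed to drop privileges\n");
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root it creates the directory owned by the daemon account and then continues unprivileged; run as an ordinary user the setup step still works on a directory you own, which is what the checks below exercise. The point a packager should take from it is that nothing in the unit file or prestart needs sudo: the binary does the minimum as root and setuid()s itself, which also works in a container image that ships no sudo.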
Thread overview: 12+ messages
2015-04-24 17:37 running daemons as user/group ceph Sage Weil
2015-04-24 20:16 ` Danny Al-Gaaf
2015-04-24 20:52 ` Sage Weil
2015-04-24 21:05 ` Robert LeBlanc
2015-04-25 7:22 ` Danny Al-Gaaf
2015-04-24 21:04 ` Ken Dreyer [this message]
2015-04-24 21:13 ` Sage Weil
2015-04-24 22:29 ` [Ceph-maintainers] " Sage Weil
2015-04-24 22:30 ` Ken Dreyer
2015-04-24 23:34 ` Sage Weil
2015-04-25 7:35 ` Danny Al-Gaaf
2015-04-25 17:26 ` Sage Weil