From: Danny Al-Gaaf <danny.al-gaaf@bisect.de>
To: Sage Weil <sweil@redhat.com>
Cc: kdreyer@redhat.com, ceph-devel@vger.kernel.org,
	ceph-maintainers@ceph.com
Subject: Re: running daemons as user/group ceph
Date: Sat, 25 Apr 2015 09:22:30 +0200
Message-ID: <553B40B6.9010700@bisect.de>
In-Reply-To: <alpine.DEB.2.00.1504241349570.5458@cobra.newdream.net>

On 24.04.2015 at 22:52, Sage Weil wrote:
> On Fri, 24 Apr 2015, Danny Al-Gaaf wrote:
>> On 24.04.2015 at 19:37, Sage Weil wrote:
>> [...]
>>> -- systemd --
>>>
>>> Most of the daemons can just get the User=ceph and Group=ceph lines in the 
>>> unit files.  The OSD is tricky, though, since we want the prestart script 
>>> to run as root so that it can chown the disk contents if necessary.  We 
>>> have two options, I think:
>>>
>>> 1) run prestart and ceph-osd as root, and add a ceph daemon arg to drop 
>>> privileges and setuid.
>>>
>>> 2) add a sudo rule so that the ceph user can run the chown command from 
>>> prestart.  (This seems more dangerous.)
>>>
>>> Thoughts?
>>
>> Do we need to change the start scripts for SysV init? Or is this
>> something we should ignore because most distros will use systemd in
>> the future?
> 
> We could, but I wonder if not touching upstart or sysvinit will be an 
> easy way to handle migration/compat issues.
> 
> One other thing Greg brought up today was that we should allow an admin to 
> configure daemons to run as root if they want.  They can do that by 
> editing the unit files; I'm not sure if we want to do something more 
> friendly than that?  (FWIW I think this is basically what Lennart 
> suggests.)

The alternative would be to drop the privileges within the code of the
daemons (as soon as possible) and use a config/cmdline option to check
if we want to start the daemons as root or under the ceph user.

Danny
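A minimal C sketch of the in-daemon privilege drop discussed above, as an added example that is not Ceph's code: a hypothetical drop_privileges() keeps root when the admin asks for it (the proposed config/cmdline switch) and otherwise drops supplementary groups, gid and uid in that order, then checks that root cannot be regained. User and group names are looked up from the local passwd/group database; nothing is dropped if the process is not root.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Ceph's): drop root to `user`/`group`.
 * user == NULL or "root" means the admin wants the daemon to keep running
 * as root, which is the "run as root if they want" case from the thread.
 * Returns 0 on success and -1 on any failure. */
int drop_privileges(const char *user, const char *group)
{
    if (user == NULL || strcmp(user, "root") == 0)
        return 0;                       /* explicitly configured to stay root */

    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;                      /* unknown user: refuse to continue */

    gid_t gid = pw->pw_gid;             /* default to the user's primary group */
    if (group != NULL) {
        struct group *gr = getgrnam(group);
        if (gr == NULL)
            return -1;
        gid = gr->gr_gid;
    }

    if (geteuid() != 0)                 /* not root: nothing to drop, but the */
        return getuid() == pw->pw_uid ? 0 : -1;  /* identity must already match */

    /* Order matters: supplementary groups first, then gid, then uid.
     * Once the uid is gone, setgroups()/setgid() would be refused. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* setuid() as root sets real, effective and saved ids, so regaining
     * root must now fail. Treat success here as a failed drop. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    return 0;
}
```

A daemon would call this after binding any privileged ports and before opening the data directory, so the chown done by the root prestart step is the only root-level filesystem work.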

