[opensuse-packaging] saving pidfiles
Hi,
I'm downstream and upstream maintainer of a software which consists of many python modules, which are started individually and are non-root. Previously, we used /opt, but we'd like to drop this now and use LSB-paths.
But I'm facing problems with the pidfiles, which should be saved under `/run/name/component.pid`*. But the unprivileged programs can't create the directory or change permissions, so root must do this. I now see these possibilities:
1) Use /opt/name/ - kind of fishy
2) Use /tmp - Better than the solution above and still simple.
3) Save them somewhere in /var/lib/name, which is writable to the users.
4) Start all components as root, create /run/name if needed and then drop privileges. Has unnecessary complexity in the software, which I'd like to avoid
5) Allow the programs to create the directory /run/name via sudoers
Are there other possibilities or best practices? Does systemd have a solution here? Note that units need the pidfiles, not services. I know that systemd can handle the pidfile of the latter. But then I'd again need root to create it.
Any ideas are appreciated,
Sebastian
* as far as I understand non-existing guidelines. But it seems to be handled so by other programs. Some hints that this should be done, can be found here:
https://en.opensuse.org/openSUSE:Systemd_services#dnscrypt
https://en.opensuse.org/SDB:LXC#Populate_the_container_filesystem
https://en.opensuse.org/openSUSE:Packaging_init_scripts#Status_Functions
--
python programming - mail server - photo - video - https://sebix.at
cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers
On Fri, 23 Sep 2016 20:41, Sebastian wrote:
> Hi,
> I'm downstream and upstream maintainer of a software which consists of many python modules, which are started individually and are non-root. Previously, we used /opt, but we'd like to drop this now and use LSB-paths.
> But I'm facing problems with the pidfiles, which should be saved under `/run/name/component.pid`*. But the unprivileged programs can't create the directory or change permissions, so root must do this. I now see these possibilities:
> 1) Use /opt/name/ - kind of fishy
> 2) Use /tmp - Better than the solution above and still simple.
> 3) Save them somewhere in /var/lib/name, which is writable to the users.
> 4) Start all components as root, create /run/name if needed and then drop privileges. Has unnecessary complexity in the software, which I'd like to avoid
> 5) Allow the programs to create the directory /run/name via sudoers
> Are there other possibilities or best practices? Does systemd have a solution here? Note that units need the pidfiles, not services. I know that systemd can handle the pidfile of the latter. But then I'd again need root to create it.
> Any ideas are appreciated,
> Sebastian
> * as far as I understand non-existing guidelines. But it seems to be handled so by other programs. Some hints that this should be done, can be found here:
> https://en.opensuse.org/openSUSE:Systemd_services#dnscrypt
> https://en.opensuse.org/SDB:LXC#Populate_the_container_filesystem
> https://en.opensuse.org/openSUSE:Packaging_init_scripts#Status_Functions
AFAIK, you can create the needed dirs with the needed (user writeable) permissions by dropping a snippet in /etc/tmpdirs.d/ (for files use /etc/tmpfiles.d/) and they will be created after boot by systemd-tmpfiles-setup.service.
Docu: man:tmpfiles.d(5) man:systemd-tmpfiles(8)
This /could/ be what you want (use /run/name/blah.pid) without forcing extra tricks.
Otherwise using /var/lib/name/blah.pid would also be a valid, traceable, accountable, and comprehensible solution.
Please make note of the why and how of the solution in the man-page / readme / docu of your program, that spares many headaches later.
- Yamaban.
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
Hi,
On 09/23/2016 09:26 PM, Yamaban wrote:
> AFAIK, you can create the needed dirs with the needed (user writeable) permissions by dropping a snippet in /etc/tmpdirs.d/ (for files use /etc/tmpfiles.d/) and they will be created after boot by systemd-tmpfiles-setup.service.
> Docu: man:tmpfiles.d(5) man:systemd-tmpfiles(8)
> This /could/ be what you want (use /run/name/blah.pid) without forcing extra tricks.
Yes, this seems to be very good!
But I found out that /etc/tmpdirs.d has been obsoleted by /etc/tmpfiles.d[1]. The tmpdirs.d directory exists on tumbleweed (at least here, maybe not on a fresh install) but is not read anymore by systemd-tmpfiles. This caused me some headache to find out. Also, the filename has to end with .conf; this is not mentioned in older blog posts (e.g. from 2010).
> Otherwise using /var/lib/name/blah.pid would also be a valid, traceable, accountable, and comprehensible solution.
Okay, I will use this on other/older platforms where the above method is not available.
Thanks for your advice!
Sebastian
[1]: https://en.opensuse.org/openSUSE:Systemd_status#Short_list_of_differences_wi...
On Saturday, 24 September 2016 09.58:12 h CEST Sebastian wrote:
> Hi,
> On 09/23/2016 09:26 PM, Yamaban wrote:
> > AFAIK, you can create the needed dirs with the needed (user writeable) permissions by dropping a snippet in /etc/tmpdirs.d/ (for files use /etc/tmpfiles.d/) and they will be created after boot by systemd-tmpfiles-setup.service.
> > Docu: man:tmpfiles.d(5) man:systemd-tmpfiles(8)
> > This /could/ be what you want (use /run/name/blah.pid) without forcing extra tricks.
> Yes, this seems to be very good!
> But I found out that /etc/tmpdirs.d has been obsoleted by /etc/tmpfiles.d[1]. The tmpdirs.d directory exists on tumbleweed (at least here, maybe not on a fresh install) but is not read anymore by systemd-tmpfiles. This caused me some headache to find out. Also, the filename has to end with .conf; this is not mentioned in older blog posts (e.g. from 2010).
> > Otherwise using /var/lib/name/blah.pid would also be a valid, traceable, accountable, and comprehensible solution.
> Okay, I will use this on other/older platforms where the above method is not available.
> Thanks for your advice!
> Sebastian
> [1]: https://en.opensuse.org/openSUSE:Systemd_status#Short_list_of_differences_with_integration_of_systemd_compared_to_SysVinit
And better if you package it make that droplet in /usr/lib/tempfiles.d
Making administrator able to override your defaults by their own on specific systems. ;-)
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
On 09/24/2016 10:03 AM, Bruno Friedmann wrote:
> And better if you package it make that droplet in /usr/lib/tempfiles.d
> Making administrator able to override your defaults by their own on specific systems.
Yes, that's even clearly mentioned in the manpage :)
And I also found out about %{_tmpfilesdir} by just trying if it exists, and it does!
Sebastian
On Saturday 2016-09-24 09:58, Sebastian wrote:
> On 09/23/2016 09:26 PM, Yamaban wrote:
> > AFAIK, you can create the needed dirs with the needed (user writeable) permissions by dropping a snippet in /etc/tmpdirs.d/ (for files use /etc/tmpfiles.d/) and they will be created after boot by systemd-tmpfiles-setup.service.
> > Otherwise using /var/lib/name/blah.pid would also be a valid, traceable, accountable, and comprehensible solution.
> Okay, I will use this on other/older platforms where the above method is not available.
If your service is of the Type=simple, then pidfiles will be ignored altogether because they are not needed, which means you need not bother trying to put it in any particular spot.
On 09/24/2016 10:07 AM, Jan Engelhardt wrote:
> If your service is of the Type=simple, then pidfiles will be ignored altogether because they are not needed, which means you need not bother trying to put it in any particular spot.
Thanks for this hint, I will keep it in mind for future releases!
On Fri, Sep 23, 2016 at 3:41 PM, Sebastian <sebix@sebix.at> wrote:
> Are there other possibilities or best practices? Does systemd have a solution here? Note that units need the pidfiles, not services. I know that systemd can handle the pidfile of the latter. But then I'd again need root to create it.
Your options are:
- Do not use pidfiles. This is the suggested way forward.
- If you do want to continue using them, ensure that they are created as explained in daemon(7). Pay attention to the "race free" part.
- Store them only in a directory under /run, i.e. /run/yourmainprogram/component.pid. To create the directory, use a tmpfiles.d snippet.
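Added example, not part of the original thread or of the poster's software: one way to take a pidfile without races in Python once a tmpfiles.d snippet has created the directory under /run. It uses an advisory flock() (a technique chosen here, not quoted from daemon(7)) so a stale file never blocks a restart, and it refuses a symlink at the pidfile path. The function names and the `name`, `nameuser` and `namegroup` placeholders are assumptions.

```python
import errno
import fcntl
import os

# Assumption: a packaged tmpfiles.d snippet such as
#   d /run/name 0755 nameuser namegroup -
# has already created the directory for the unprivileged service user.
# "name", "nameuser" and "namegroup" are placeholders.


def acquire_pidfile(path):
    """Lock `path` and write our PID; return the fd, or None if held."""
    # O_NOFOLLOW refuses a symlink planted at the pidfile path.
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    while True:
        fd = os.open(path, flags, 0o644)
        try:
            # The kernel releases the lock when the holder exits, so a
            # stale file from a crashed process never blocks a restart.
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError as exc:
            os.close(fd)
            if exc.errno in (errno.EAGAIN, errno.EACCES):
                return None  # another live instance owns the pidfile
            raise
        # The old holder may have unlinked the file between our open()
        # and flock(); make sure we locked what the path names now.
        try:
            if os.path.samestat(os.fstat(fd), os.lstat(path)):
                break
        except FileNotFoundError:
            pass
        os.close(fd)
    os.ftruncate(fd, 0)
    os.write(fd, b"%d\n" % os.getpid())
    return fd  # keep open for the lifetime of the process


def read_pid(path):
    """Return the PID recorded in the pidfile."""
    with open(path) as handle:
        return int(handle.read().strip())


def release_pidfile(fd, path):
    """Unlink while still holding the lock, then drop it by closing."""
    os.unlink(path)
    os.close(fd)
```

The returned descriptor must stay open while the component runs; closing it releases the lock.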
participants (5)
- Bruno Friedmann
- Cristian Rodríguez
- Jan Engelhardt
- Sebastian
- Yamaban